Library mathlib

Require Export include.
Require Export memory.
Require Export memdata.
Require Export assertion.
Require Export absop.
Require Export simulation.
Require Export language.
Require Export opsem.
Require Export os_program.
Require Export os_spec.
Require Export inferules.
Require Export os_code_notations.
Require Export os_code_defs.
Require Export os_ucos_h.
Require Export os_time.
Require Export baseTac.
Require Export auxdef.
Require Export seplog_lemmas.
Require Export seplog_tactics.
Require Export derivedrules.
Require Export hoare_conseq.
Require Export symbolic_execution.
Require Export hoare_assign.
Require Export hoare_lemmas.
Require Export BaseAsrtDef.
Require Export inv_prop.
Require Export InternalFunSpec.
Require Export IntLib.
Require Export List.
Require Export can_change_aop_proof.
Require Export cancel_absdata.
Require Export hoare_tactics.
Require Export type_val_match.
Require Export init_spec.
Require Export sep_pure.
Require Export mathsolver.
Require Export absop_rules.
Require Import Coq.Logic.FunctionalExtensionality.
Require Export common.
Require Export mathlib_join.
Set Implicit Arguments.

Close Scope nat_scope.
Open Scope Z_scope.
Open Scope code_scope.

Module ht.
  Lemma a_div_b_multi_b_plus_b_ge_a: forall a b, 0<=a -> 0<b -> a/b*b +b >= a.

  Ltac revs := match goal with
                | |- ?a < ?b => cut (b > a); [intro; omega| idtac]
                | |- ?a > ?b => cut (b < a); [intro; omega| idtac]
                | |- ?a >= ?b => cut (b <= a); [intro; omega| idtac]
                | |- ?a <= ?b => cut (b >= a); [intro; omega| idtac]
               end.
  Ltac revs´ H := match type of H with
                | ?a < ?b => assert (b > a) by omega
                | ?a > ?b => assert (b < a) by omega
                | ?a >= ?b => assert (b <= a) by omega
                | ?a <= ?b => assert (b >= a) by omega
               end.

  Lemma div_lt_lt: forall a b c, c > 0 -> a/c < b/c -> a<b.

  Ltac bfunc_invert´ H :=
    match type of H with
     | (if ?e then true else false) = false => destruct (e); [inversion H|idtac]
    end.

  Ltac get_int_max := unfold Int.max_unsigned, Int.modulus; simpl.
  Ltac rewrite_un_repr := rewrite Int.unsigned_repr;[ idtac| ht.get_int_max; omega].
  Ltac rewrite_un_repr_in l := rewrite Int.unsigned_repr in l;[ idtac| ht.get_int_max; omega].

Ltac intrange x tac :=let xval := fresh in let xrange := fresh in destruct x as [xval xrange]; unfold Int.modulus, two_power_nat, shift_nat in xrange; simpl in xrange; simpl; tac.

  Ltac handle_z2n_compare_nat rel z2nat_rule :=
    let H0 := fresh in
    match goal with
      | |- rel ( Z.to_nat _ ) ?x => assert (Z.to_nat (Z.of_nat x) = x)%nat as H0 by (apply Nat2Z.id);rewrite <- H0; rewrite <- z2nat_rule;simpl; int auto
    end.

  Ltac handle_z2n_lt_nat := handle_z2n_compare_nat lt Z2Nat.inj_lt.

  Ltac get_unsigned_sup_pow x p := let H := fresh in assert (Int.unsigned x < (two_p p)) by (unfold two_p; unfold two_power_pos; unfold shift_pos; simpl; omega).

  Ltac get_unsigned_sz_sup´ x p := let H:= fresh in let H0 := fresh in let H1 := fresh in assert (0<=p) as H1 by omega; assert (0<=Int.unsigned x < two_p p ) as H by (split; [int auto| auto]); set (Int.size_interval_2 x _ H1 H) as H0.

  Ltac get_unsigned_sz_sup x p:= get_unsigned_sup_pow x p; get_unsigned_sz_sup´ x p.

  Ltac get_unsigned_sz_inf x := let H := fresh in assert (0<= Int.size x) by (set (Int.size_range x) as H; inversion H;auto).

  Lemma int_not_0_sz_not_0 : forall n, Int.unsigned n = 0 <-> Int.size n = 0.

  Lemma and_xy_x: forall x y, (forall n, 0<=n -> Z.testbit x n = true -> Z.testbit y n = true) -> Z.land x y = x.

  Lemma lt_imply_le : forall n m: Z, n<m -> n<=m.

  Lemma lt_is_gt : forall n m: Z, n<m <-> m>n.

  Lemma le_is_ge : forall n m:Z, n<=m <-> m>=n.

  Ltac bfunction_invert :=
    let H := fresh in
    match goal with
      | Htmp: (if ?e then true else false) = true|-_ => assert (e = true) by (apply Classical_Prop.NNPP; intros H; apply not_true_is_false in H; rewrite H in Htmp; inversion Htmp)
    end.

  Lemma if_eq_true_cond_is_true: forall x:bool, (if x then true else false) = true <-> x =true.

  Ltac tidspec_dec_true := try (rewrite TcbMod.set_a_get_a in *; [idtac | apply tidspec.eq_beq_true; auto]).
  Ltac tidspec_dec_false := try (rewrite TcbMod.set_a_get_a´ in *; [idtac | apply tidspec.neq_beq_false; auto]).


  Ltac tidspec_dec x y :=let t := fresh
                                  with t1 := fresh
                                             with t2 := fresh
                                    in remember (Classical_Prop.classic (x=y)) as t; destruct t as [t1| t2]; [rewrite t1 in * ; tidspec_dec_true | tidspec_dec_false].

                                  Ltac ecbspec_dec_true x := let H := fresh in let H0 := fresh in remember (EcbMod.beq_refl x) as H eqn: H0; clear H0; try rewrite (EcbMod.get_a_sig_a _ H); try rewrite H; try rewrite EcbMod.set_a_get_a; auto.

                                  Ltac ecbspec_dec_false v Hneq := let H := fresh in let H0 := fresh in remember (tidspec.neq_beq_false Hneq) as H eqn:H0; clear H0; try rewrite (EcbMod.get_a_sig_a´ _ H); rewrite (EcbMod.set_a_get_a´ v _ H).

                                  Ltac ecbspec_dec v x a := let H0 := fresh in let H0´ := fresh in remember (Classical_Prop.classic (x=a)) as H0 eqn: H0´; clear H0´; destruct H0;[ rewrite -> H0 in *; ecbspec_dec_true a | ecbspec_dec_false v H0].

                                  Lemma nthval´_has_value : forall l len n, array_type_vallist_match Tint8 l -> length l = len -> (n < len)%nat ->exists x, nth_val´ n l = Vint32 x /\ true = rule_type_val_match Tint8 (Vint32 x).

                                  Lemma disj_star_elim´´
                                  : forall p q x y r: asrt, (( p\\//q\\//x\\//y) ** r) ==> (p**r) \\// (q**r) \\// (x**r) \\// (y**r).

  Lemma mod_0_div_eq_eq: forall a b c, c>0 -> a mod c = b mod c -> a / c = b / c -> a =b.

  Ltac solve_int_range i:= repeat ht.rewrite_un_repr; split; [try omega| ht.get_int_max;try ht.intrange i omega; try omega]; try ht.intrange i omega.
  Ltac simpl_int_repr H := match type of (H) with
                            | $ (?x) = $ (?y) => let H´ := fresh in assert ( Int.unsigned ($ x) =Int.unsigned ($ y)) as H´ by (rewrite H; trivial);try rewrite Int.unsigned_repr in H´; repeat ht.rewrite_un_repr_in H´
                            end.
  Ltac solve_mod_range tac := match goal with
                          | |- _ <= ?a mod ?x <= _ => let H:= fresh in assert (0<x) as H by omega;set (Z.mod_pos_bound a x H); tac; clear H
                                                                                                        end.
  Ltac copy H := let copy_of_H := fresh in let e:= fresh in remember H as copy_of_H eqn: e; clear e.

  Ltac simpl_mod_in H := try rewrite Zminus_mod in H; try rewrite Z_mod_same_full in H; try rewrite <- Zminus_0_l_reverse in H; try rewrite <- Zmod_div_mod in H;[idtac| try omega ..| try (apply Zdivide_intro with 1; auto)].

Ltac clear_useless_int32 :=
  match goal with
      | a : int32 |- _ => clear dependent a
end.

Ltac clear_all_useless_int32 := repeat clear_useless_int32.

Lemma a_mult_b_ge_b : forall a b, 0<a -> 0<=b -> a*b >= b.

Lemma div_in_intrange: forall x a mx, 0<=x <=mx -> a>0 -> 0<=x/a<=mx.
  Ltac solve_int_range´ :=
match goal with
    | i : int32 |- _ => let xval := fresh in let xrange := fresh in destruct i as [xval xrange]; unfold Int.modulus, two_power_nat, shift_nat in xrange; simpl in xrange; simpl in *; solve_int_range´
    | _ => subst; try rewrite max_unsigned_val; solve [ omega | apply div_in_intrange; omega ]
end.
  Ltac rangesolver :=clear_all_useless_int32; try solve_int_range´; repeat (rewrite Int.unsigned_repr; try solve_int_range´).
  Ltac ur_rewriter := rewrite Int.unsigned_repr; [idtac| try solve[rangesolver] ].
  Ltac ur_rewriter_in H := rewrite Int.unsigned_repr in H; [idtac|clear H; try solve[rangesolver] ].
End ht.

Module kz.

  Ltac trivial_ur_rewriterH H := repeat (rewrite Int.unsigned_repr in H; [idtac |solve [split;[omega| rewrite max_unsigned_val; omega]]]).
  Ltac bfunc_invertH H := let HH := fresh in
    match type of H with
     | (if ?e then true else false) = false => rename H into HH; destruct e as [H|H]; [inversion HH|idtac]; clear HH
     | (if ?e then true else false) = true => rename H into HH; destruct e as [H|H]; [idtac| inversion HH]; clear HH
    end.
  Ltac Iltu_simplerH H := unfold Int.ltu in H; bfunc_invertH H; try trivial_ur_rewriterH H.
  Ltac Irepr_simplerH H := match type of (H) with
                            | $ (?x) = $ (?y) => let H´ := fresh in rename H into H´; assert ( Int.unsigned ($ x) =Int.unsigned ($ y)) as H by (rewrite H´; trivial);try rewrite Int.unsigned_repr in H; repeat ht.rewrite_un_repr_in H;clear H´
                            end.
  Ltac trivial_mod_range := match goal with
                          | |- _ <= ?a mod ?x <= _ => let H:= fresh in assert (0<x) as H by omega;set (Z.mod_pos_bound a x H); omega; clear H
                                                                                                        end.
  Ltac Imod_simplerH H :=let H´ := fresh in unfold Int.modu in H; repeat trivial_ur_rewriterH H; try (Irepr_simplerH H;[idtac| rewrite max_unsigned_val; trivial_mod_range]).

  Ltac Zmod_simplerH H k newval := match type of H with
                                | ?a mod ?n = ?b =>
                                  let H´ := fresh in
                                  rewrite <- (Z_mod_plus _ k) in H;[idtac|omega]; assert ( a + k * n = newval) as H´ by omega ; rewrite H´ in H; clear H´
                                   end.
  Lemma unsigned_ge0 : forall x, Int.unsigned x >=0.

  Lemma Zplus_minus : forall z x, z+x-x=z.

  Ltac ge0_solver := solve [omega| apply unsigned_ge0| apply Z_div_ge0; [omega| ge0_solver] ].
  Ltac le0_solver := ht.revs; ge0_solver.
  Ltac revsH H := let H´ := fresh in
               match type of H with
                | ?a < ?b => assert (a < b -> b > a) as H´ by omega; apply H´ in H; clear H´
                | ?a > ?b => assert (a > b -> b < a) as H´ by omega; apply H´ in H; clear H´
                | ?a >= ?b => assert (a>=b -> b <= a) as H´ by omega; apply H´ in H; clear H´
                | ?a <= ?b => assert (a<=b -> b >= a) as H´ by omega; apply H´ in H; clear H´
               end.

  Ltac Zdivsup_simplerH H := match type of H with
                              | ?a / ?b < ?c =>
                                let H´´ := fresh in let H´ := fresh in let e := fresh in rewrite (Z.mul_lt_mono_pos_r b) in H; [idtac | omega]; rewrite (Z.add_lt_mono_r _ _ b ) in H; assert ( a / b * b + b >= a ) as H´´ by (apply (@ht.a_div_b_multi_b_plus_b_ge_a a b); omega); revsH H´´; remember (Z.le_lt_trans _ _ _ H´´ H) as H´ eqn: e; simpl in H´; clear e; clear H´´
                              end.

  Ltac revs := match goal with
                | |- ?a < ?b => cut (b > a); [intro; omega| idtac]
                | |- ?a > ?b => cut (b < a); [intro; omega| idtac]
                | |- ?a >= ?b => cut (b <= a); [intro; omega| idtac]
                | |- ?a <= ?b => cut (b >= a); [intro; omega| idtac]
                | |- (?a < ?b)%nat => cut (b > a)%nat; [intro; omega| idtac]
                | |- (?a > ?b)%nat => cut (b < a)%nat; [intro; omega| idtac]
                | |- (?a >= ?b)%nat => cut (b <= a)%nat; [intro; omega| idtac]
                | |- (?a <= ?b)%nat => cut (b >= a)%nat; [intro; omega| idtac]
               end.
End kz.


Lemma int_not_leq : forall i j, i>=0 -> j >=0 -> ~i + j < i.

Lemma Z_prop : forall x y a, 0<a -> (x + a * y - x) / a = y.

Lemma prio_destruct1 :
  forall x, 0 <= x < 17 <->
             x = 0 \/ x = 1 \/ x = 2 \/ x = 3 \/ x = 4 \/ x = 5 \/ x = 6 \/ x = 7 \/
             x = 8 \/ x = 9 \/ x = 10 \/ x = 11 \/ x = 12 \/ x = 13 \/ x = 14 \/ x = 15 \/
             x = 16.

Lemma int_aux :Int.unsigned ($ (0 + (4 + 0) - (0 + (4 + 0)))) / Int.unsigned ($ 4) =0.

Lemma prio_destruct2 :
  forall x, 17 <= x < 32 <->
             x = 17 \/ x = 18 \/ x = 19\/ x = 20 \/ x = 21 \/ x = 22 \/ x = 23 \/
             x = 24 \/ x = 25 \/ x = 26 \/ x = 27 \/ x = 28 \/ x = 29 \/ x = 30 \/ x = 31.

Lemma prio_destruct3 :
  forall x, 32 <= x < 48 <->
             x = 32 \/ x = 33 \/ x = 34 \/ x = 35 \/ x = 36 \/ x = 37 \/ x = 38 \/ x = 39 \/
             x = 40 \/ x = 41 \/ x = 42 \/ x = 43 \/ x = 44 \/ x = 45 \/ x = 46 \/ x = 47.

Lemma prio_destruct4 :
  forall x, 48 <= x < 64 <->
             x = 48 \/ x = 49 \/ x = 50 \/ x = 51 \/ x = 52 \/ x = 53 \/ x = 54 \/ x = 55 \/
             x = 56 \/ x = 57 \/ x = 58 \/ x = 59 \/ x = 60 \/ x = 61 \/ x = 62 \/ x = 63.

Lemma prio_range_com :
  forall x, 0 <= x < 17 \/ 17 <= x < 32 \/ 32 <= x < 48 \/ 48 <= x < 64 <->
             0 <= x < 64.

Lemma prio_destruct :
  forall x, 0 <= x < 64 <->
             x = 0 \/ x = 1 \/ x = 2 \/ x = 3 \/ x = 4 \/ x = 5 \/ x = 6 \/ x = 7 \/
             x = 8 \/ x = 9 \/ x = 10 \/ x = 11 \/ x = 12 \/ x = 13 \/ x = 14 \/ x = 15 \/
             x = 16 \/ x = 17 \/ x = 18 \/ x = 19 \/ x = 20 \/ x = 21 \/ x = 22 \/ x = 23 \/
             x = 24 \/ x = 25 \/ x = 26 \/ x = 27 \/ x = 28 \/ x = 29 \/ x = 30 \/ x = 31 \/
             x = 32 \/ x = 33 \/ x = 34 \/ x = 35 \/ x = 36 \/ x = 37 \/ x = 38 \/ x = 39 \/
             x = 40 \/ x = 41 \/ x = 42 \/ x = 43 \/ x = 44 \/ x = 45 \/ x = 46 \/ x = 47 \/
             x = 48 \/ x = 49 \/ x = 50 \/ x = 51 \/ x = 52 \/ x = 53 \/ x = 54 \/ x = 55 \/
             x = 56 \/ x = 57 \/ x = 58 \/ x = 59 \/ x = 60 \/ x = 61 \/ x = 62 \/ x = 63.

Lemma prio_prop :
  forall prio,
    0 <= prio ->
    prio < 64 ->
    Int.unsigned (Int.shru ($ prio) ($ 3)) < 8.

Lemma Z_le_nat :
  forall x, (0<= x < 8)%Z-> ( ∘x < 8) %nat.

Lemma val_inj_1 :
  val_inj
    (if Int.ltu Int.zero (Int.notbool Int.one) &&Int.ltu Int.zero (Int.notbool Int.one)
     then Some (Vint32 Int.one)
     else Some (Vint32 Int.zero)) = Vint32 Int.zero.

Lemma isptr_vundef2:
  forall x,
    isptr x -> val_inj
                 (bool_and (val_inj (notint (val_inj (val_eq x Vnull))))
                           (Vint32 (Int.notbool Int.one))) <> Vundef.

Lemma val_inj_12 :
  forall x , val_inj
               (bool_and
                  (val_inj
                     (notint (val_inj (val_eq (Vptr (x, Int.zero)) Vnull))))
                  (Vint32 (Int.notbool Int.one))) = Vint32 Int.zero.

Lemma val_inj_12´ :
  forall x , isptr x -> val_inj
                          (bool_and
                             (val_inj
                                (notint (val_inj (val_eq x Vnull))))
                             (Vint32 (Int.notbool Int.one))) = Vint32 Int.zero.

Lemma isptr_vundef_not :
  forall x, isptr x -> val_inj
                          match val_inj (notint (val_inj (val_eq x Vnull))) with
                            | Vundef => None
                            | Vnull => None
                            | Vint32 n2 =>
                              if Int.ltu Int.zero (Int.notbool Int.one) && Int.ltu Int.zero n2
                              then Some (Vint32 Int.one)
                              else Some (Vint32 Int.zero)
                            | Vptr _ => None
                          end <> Vundef.

Lemma val_inj_122 :
  forall x , isptr x ->val_inj
                          match val_inj (notint (val_inj (val_eq x Vnull))) with
                            | Vundef => None
                            | Vnull => None
                            | Vint32 n2 =>
                              if Int.ltu Int.zero (Int.notbool Int.one) &&
                                         Int.ltu Int.zero n2
                              then Some (Vint32 Int.one)
                              else Some (Vint32 Int.zero)
                            | Vptr _ => None
                          end = Vint32 Int.zero.

Lemma val_eq_vundef:
  forall i0,
    val_inj
      (if Int.eq i0 ($ OS_EVENT_TYPE_Q)
       then Some (Vint32 Int.one)
       else Some (Vint32 Int.zero)) <> Vundef.

Lemma val_eq_vundef´:
  forall i0,
    val_inj
      (notint
         (val_inj
            (if Int.eq i0 ($ OS_EVENT_TYPE_Q)
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))) <> Vundef.

Lemma val_inj_eq_q:
  forall i0,
    val_inj
      (notint
         (val_inj
            (if Int.eq i0 ($ OS_EVENT_TYPE_Q)
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))) = Vint32 Int.zero \/
    val_inj
      (notint
         (val_inj
            (if Int.eq i0 ($ OS_EVENT_TYPE_Q)
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))) = Vnull ->
    i0 = ($ OS_EVENT_TYPE_Q).

Lemma int_land_zero:
  forall x, Int.zero&(Int.one<<(x &$ 7)) <> Int.one<<(x &$ 7).

Lemma nat8_des:
  forall x2 Heq ,
    (Heq < 8) %nat ->
    match Heq with
      | 0%nat => Some (Vint32 Int.zero)
      | 1%nat => Some (Vint32 Int.zero)
      | 2%nat => Some (Vint32 Int.zero)
      | 3%nat => Some (Vint32 Int.zero)
      | 4%nat => Some (Vint32 Int.zero)
      | 5%nat => Some (Vint32 Int.zero)
      | 6%nat => Some (Vint32 Int.zero)
      | 7%nat => Some (Vint32 Int.zero)
      | S (S (S (S (S (S (S (S _))))))) => None
    end = Some (Vint32 x2) -> x2 = Int.zero.

Lemma ecbmod_get_sig_set:
  forall v x y,
    EcbMod.get v x = None ->
    EcbMod.joinsig x y v (EcbMod.set v x y).

Lemma ecbmod_join_get :
  forall x x0 x1 v´37 eid,
    x <> eid -> EcbMod.joinsig x x0 x1 v´37 ->
    EcbMod.get x1 eid = None -> EcbMod.get v´37 eid = None.


Lemma leftmoven:
  forall n,
    (0 <= n < 8)%nat ->
    $ 1<<$ Z.of_nat n <> $ 0.

Lemma abs_disj_get_merge:
  forall O´ O x y,
    OSAbstMod.disj O´ O ->
    OSAbstMod.get O x = Some y ->
    OSAbstMod.get (OSAbstMod.merge O´ O) x = Some y.


Lemma disj_star_elim: forall p q r, ( p \\// q )** r ==> (p ** r) \\// (q ** r).

Lemma math_prop_l1: val_inj
            (notint
               (val_inj
                  (if Int.eq ($ OS_EVENT_TYPE_Q) ($ OS_EVENT_TYPE_Q)
                   then Some (Vint32 Int.one)
                   else Some (Vint32 Int.zero)))) = Vint32 Int.zero.

Lemma math_prop_l2 : val_inj
             (if Int.eq ($ 1) ($ 0)
              then Some (Vint32 Int.one)
              else Some (Vint32 Int.zero)) = Vint32 Int.zero.

Lemma math_prop_l3 : val_inj
             (notint
                (val_inj
                   (if Int.eq ($1) ($ 0)
                    then Some (Vint32 Int.one)
                    else Some (Vint32 Int.zero)))) <> Vint32 Int.zero.

Ltac solve_disj:=
  match goal with
    | H : _ \/ _ |- _ =>
      let Hx := fresh in
      let Hy := fresh in
      (destruct H as [Hx | Hy]; [subst; eexists; simpl; splits; eauto| idtac])
    | _ => try (subst; eexists; simpl; splits; eauto)
  end.

Lemma int8_neq0_ex:
  forall i ,
    Int.unsigned i <= 255 ->
    Int.eq i ($ 0) = false ->
    exists n, (0 <= n < 8)%nat /\ i &($ 1<<$ Z.of_nat n) = $ 1<<$ Z.of_nat n.

Lemma length8_ex:
  forall v´40 :vallist,
    length v´40 = ∘OS_EVENT_TBL_SIZE ->
    exists v1 v2 v3 v4 v5 v6 v7 v8,
      v´40 = v1::v2::v3::v4::v5::v6::v7::v8::nil.

Lemma int_true_le255:
  forall x,
    (if Int.unsigned x <=? Byte.max_unsigned then true else false) = true ->
    Int.unsigned x <= 255.

Lemma n07_arr_len_ex:
  forall n v´40,
    (0 <= n < 8)%nat ->
    array_type_vallist_match Int8u v´40 ->
    length v´40 = ∘OS_EVENT_TBL_SIZE ->
    exists v, nth_val n v´40 = Some (Vint32 v) /\ Int.unsigned v <= 255.

Lemma nat8_ex_shift3:
  forall n,
    (0 <= n < 8) %nat ->
    exists y, $ Z.of_nat n = Int.shru ($ y) ( $ 3) /\ 0 <= y < 64.

Lemma math_des88:
  forall n xx,
    (0 <= n < 8)%nat ->
    (xx = $ 0 \/
     xx = $ 1 \/
     xx = $ 2 \/ xx = $ 3 \/ xx = $ 4 \/ xx = $ 5 \/ xx = $ 6 \/ xx = $ 7) ->
    exists y, 0 <= y < 64 /\ xx = $ y & $ 7 /\ ($ Z.of_nat n = Int.shru ($ y) ( $ 3)).

Lemma ltu_ex_and :
  forall vv,
    Int.ltu ($ 0) vv = true->
    Int.unsigned vv <= 255 ->
    exists x,
      vv&(Int.one<< x) = Int.one<< x /\
         (x = $0 \/ x = $1 \/ x = $2 \/ x = $3 \/
          x = $4 \/ x = $5 \/ x = $6 \/ x = $7).
  Lemma eight_destruct: forall x, 0<=x<8 <-> x=0 \/ x=1 \/ x=2\/x=3\/x=4\/x=5\/x=6\/x=7.


Qed.

Lemma prio_inq:
  forall vv n v´40,
    (0 <= n < 8)%nat ->
    Int.ltu ($ 0) vv = true ->
    Int.unsigned vv <= 255 ->
    nth_val n v´40 = Some (Vint32 vv) ->
    exists prio,
      PrioWaitInQ prio v´40.

Lemma inlist_ex :
  forall x4 (x:tidspec.A),
    In x x4 -> exists y z, x4 = y :: z.

Lemma l4 : forall i, val_inj
                        (notint
                           (val_inj
                              (if Int.eq i ($ 0)
                               then Some (Vint32 Int.one)
                               else Some (Vint32 Int.zero)))) <>
                      Vint32 Int.zero -> Int.eq i ($ 0) = false.

Lemma list_prop1 : forall (t: Type) (a:t) (l1 l2: list t), l1 ++ ((a::nil) ++ l2) = l1 ++ (a::l2).

Lemma l5 : forall i , val_inj
                         (notint
                            (val_inj
                               (if Int.eq i ($ 0)
                                then Some (Vint32 Int.one)
                                else Some (Vint32 Int.zero)))) = Vint32 Int.zero \/
                       val_inj
                         (notint
                            (val_inj
                               (if Int.eq i ($ 0)
                                then Some (Vint32 Int.one)
                                else Some (Vint32 Int.zero)))) = Vnull -> i = $ 0.

Lemma ecblistp_length_eq_1 : forall x y l1 l2 t1 t2,
                                ECBList_P x y l1 l2 t1 t2 -> length l1 = length l2.

Lemma ecblistp_length_eq : forall x l1 z l2 l1´ z´ l2´ t1 t2,
                             ECBList_P x Vnull (l1 ++ (z::nil) ++ l2) (l1´ ++ (z´::nil) ++ l2´) t1 t2-> length l1 = length l1´ -> length l2 = length l2´.

Lemma ECBList_last_val :
  forall x y v1 v2 v3 v4,
    v1 <> nil ->
    ECBList_P x y v1 v2 v3 v4 ->
    exists a b, last v1 (nil,nil) = (a,b)
                /\ nth_val 5 a = Some y.

Lemma get_eidls_inlist: forall x ls,
                          In x (get_eidls x ls).

Inductive listsub (T : Type) : list T -> list T -> Prop :=
| listsub1:forall x, listsub nil x
| listsubrec: forall x y lsx lsy, x = y ->
                                   listsub lsx lsy ->
                                   listsub (x :: lsx) (y :: lsy).

Lemma list_sub_prop1 :
  forall v1 (z:EventCtr) v1´, listsub (v1++(z::nil)) (v1 ++(z::v1´)).

Lemma list_sub_prop2 :
  forall x y, listsub x y -> listsub (get_eid_ecbls x) (get_eid_ecbls y).
Lemma removelast_prop:
  forall (t: Type) (a : t) x , x <> nil -> removelast (a::x) = a :: removelast x.
Lemma list_sub_prop3 :
  forall (x : val) y z , listsub y z -> In x y -> In x z.

Lemma list_sub_prop4 :
  forall (x :vallist) y, listsub x y -> listsub (removelast x) (removelast y).

Lemma nil_get_eid_nil:
  forall x, x <> nil -> get_eid_ecbls x <> nil.

Lemma in_get_eidls :
  forall v1 y x z vl´,
    In y (get_eidls x (v1 ++ (z :: nil)))
    ->In y (get_eidls x (v1 ++ (z :: vl´))).

Lemma get_remove_exchange:
  forall x, removelast (get_eid_ecbls x) = get_eid_ecbls (removelast x).

Ltac usimpl H := unfolds in H; simpl in H; inverts H.

Lemma ecbmod_joinsig_get :
  forall x y mqls mqls´,
    EcbMod.joinsig x y mqls mqls´ ->
    EcbMod.get mqls´ x = Some y.

Lemma qwaitset_notnil_ex:
  forall qwaitset : waitset ,
    qwaitset <> nil ->
    exists tid, In tid qwaitset.

Lemma prioinq_exists:
  forall prio v´58,
    PrioWaitInQ prio v´58 ->
    exists n,
      (0 <= n < 8)%nat /\ nth_val n v´58 <> Some (V$0).

Lemma int_usign_eq :
  forall m,
    0 <= m -> m <= Int.max_unsigned ->
    (Int.unsigned ($ m)) = m.

Lemma ecbmod_joinsig_sig:
  forall x y mqls mqls´,
    EcbMod.joinsig x y mqls mqls´ ->
    EcbMod.join mqls (EcbMod.sig x y) mqls´.

Lemma ecbmod_get_join_get:
  forall eid y m x z t,
    eid <> y ->
    EcbMod.get m eid = Some t ->
    EcbMod.join x (EcbMod.sig y z) m ->
    EcbMod.get x eid = Some t.

Lemma ecbjoin_sig_join : forall x x1 v´35 x0 v´61 v3 i5,
                           EcbMod.join x x1 v´35 ->
                           EcbMod.join x0
                                       (EcbMod.sig (v´61, Int.zero) (absmsgq v3 i5, nil))
                                       x1 -> exists y, EcbMod.join x0 x y /\ EcbMod.join y
                                                                                          (EcbMod.sig (v´61, Int.zero) (absmsgq v3 i5, nil)) v´35.


Lemma length_zero_nil : forall (t : Type) (x : list t), length x = 0%nat -> x = nil.

Lemma nil_simp : forall (t : Type) (x : list t), nil ++ x = x.

Lemma ge_0_minus_1_in_range:
  forall i2,
    Int.unsigned i2 <= 65535 ->
    Int.ltu ($ 0) i2 = true ->
    Int.unsigned (i2 -ᵢ $ 1) <=? Int16.max_unsigned = true.


Lemma qacc_dl_vl_match:
  forall vl, true = dl_vl_match ((dcons pevent (Tptr OS_EVENT) ) dnil) (rev vl) -> (exists v,vl = (Vptr v)::nil\/ vl =Vnull::nil) .



Lemma notint_neq_zero_eq:
  forall x y,
    val_inj
      (notint
         (val_inj
            (if Int.eq x y
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))) <>
    Vint32 Int.zero -> Int.eq x y = false.


Lemma ecb_get_set_join_join:
  forall ml a b ml1 ml2 ml1´ b´,
    EcbMod.get ml a = Some b ->
    EcbMod.joinsig a
                   b ml1´ ml1 ->
    EcbMod.join ml2 ml1 ml ->
    exists ml1n, EcbMod.joinsig a b´ ml1´ ml1n /\ EcbMod.join ml2 ml1n (EcbMod.set ml a b´).


Fixpoint all_elem_p {X:Type} p (l: @list X) :=
  match l with
    | nil => True
    | h :: t => p h = true /\ all_elem_p p t
  end.

Lemma array_type_vallist_match_is_all_elem_p: forall t l, array_type_vallist_match t l <-> all_elem_p (rule_type_val_match t) l.

Lemma all_elem_hold_for_upd: forall n x l p, all_elem_p p l -> p x = true -> all_elem_p p (update_nth_val n l x).

Lemma not_and_p: forall v´41 v´12, Int.unsigned v´12 <= 255 ->Int.unsigned v´41 <= 128 -> Int.unsigned (v´12&Int.not v´41) <= 255.

Lemma not_and_p´: forall v´41 v´12, Int.unsigned v´12 <= 255 ->Int.unsigned v´41 <= 255 -> Int.unsigned (v´12&Int.not v´41) <= 255.

Lemma array_type_vallist_match_int8u_update_hold:
  forall v´38 v´69 v´40 v´13,
    length v´13 = ∘OS_EVENT_TBL_SIZE ->
    Int.unsigned v´38 <= 7 ->
    Int.unsigned v´69 <= 255 ->
    Int.unsigned v´40 <= 128 ->
    array_type_vallist_match Int8u v´13 ->
    array_type_vallist_match Int8u
                             (update_nth_val (Z.to_nat (Int.unsigned v´38)) v´13
                                             (Vint32 (v´69&Int.not v´40))).

Lemma array_type_vallist_match_int8u_update_hold_255:
  forall v´38 v´69 v´40 v´13,
    length v´13 = ∘OS_EVENT_TBL_SIZE ->
    Int.unsigned v´38 <= 7 ->
    Int.unsigned v´69 <= 255 ->
    Int.unsigned v´40 <= 255 ->
    array_type_vallist_match Int8u v´13 ->
    array_type_vallist_match Int8u
                             (update_nth_val (Z.to_nat (Int.unsigned v´38)) v´13
                                             (Vint32 (v´69&Int.not v´40))).

Lemma int_unsigned_or_prop:
  forall v´57 v´41,
    Int.unsigned v´57 <= 255 ->
    Int.unsigned v´41 <= 128 ->
    Int.unsigned (Int.or v´57 v´41) <= 255.

Lemma array_type_vallist_match_int8u_update_hold´:
  forall v´37 ( v´38 v´40 : int32) (v´13 : list val),
    length v´37 = nat_of_Z OS_RDY_TBL_SIZE ->
    array_type_vallist_match Tint8 v´37 ->
    length v´13 = nat_of_Z OS_EVENT_TBL_SIZE ->
    Int.unsigned v´38 <= 7 ->
    Int.unsigned v´40 <= 128 ->
    array_type_vallist_match Tint8 v´13 ->
    array_type_vallist_match Tint8
                             (update_nth_val (Z.to_nat (Int.unsigned v´38)) v´13
                                             (val_inj
                                                (or (nth_val´ (Z.to_nat (Int.unsigned v´38)) v´37) (Vint32 v´40)))).

Lemma length_n_change:
  forall v´38 v´37 v´40,
    length v´37 = nat_of_Z OS_RDY_TBL_SIZE ->
    Int.unsigned v´38 <= 7 ->
    length
      (update_nth_val (Z.to_nat (Int.unsigned v´38)) v´37
                      (val_inj
                         (or (nth_val´ (Z.to_nat (Int.unsigned v´38)) v´37) (Vint32 v´40)))) =
    nat_of_Z OS_RDY_TBL_SIZE.

Lemma disj_star_elim´
: forall p q x y r z: asrt, ((p \\// q \\// x \\// y)** z) ** r ==> (p ** z ** r) \\// (q ** z ** r) \\// (x** z** r) \\// (y** z ** r).

Lemma ltu_eq_false: forall i1 i2, Int.ltu i2 i1 = true -> Int.eq i1 i2 = false.

Lemma val_inj_i1_i2_lt:
  forall i1 i2,
    val_inj
      (bool_or
         (val_inj
            (if Int.ltu i2 i1
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))
         (val_inj
            (if Int.eq i1 i2
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))) = Vint32 Int.zero \/
    val_inj
      (bool_or
         (val_inj
            (if Int.ltu i2 i1
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))
         (val_inj
            (if Int.eq i1 i2
             then Some (Vint32 Int.one)
             else Some (Vint32 Int.zero)))) = Vnull -> Int.ltu i1 i2 = true.

Lemma val_inj_eq_p:
  forall x6 v´49 x,
    isptr x6 ->
    val_inj
      match x6 with
        | Vundef => None
        | Vnull => Some (Vint32 Int.zero)
        | Vint32 _ => None
        | Vptr (b2, ofs2) =>
          if peq v´49 b2
          then
            if Int.eq (x+ᵢInt.mul ($ 1) ($ 4)) ofs2
            then Some (Vint32 Int.one)
            else Some (Vint32 Int.zero)
          else Some (Vint32 Int.zero)
      end <> Vint32 Int.zero -> x6 = Vptr (v´49, (x+ᵢInt.mul ($ 1) ($ 4)) ).

Lemma val_inj_eq_elim:
  forall x6 v´49 x,
    val_inj
      match x6 with
        | Vundef => None
        | Vnull => Some (Vint32 Int.zero)
        | Vint32 _ => None
        | Vptr (b2, ofs2) =>
          if peq v´49 b2
          then
            if Int.eq (x+ᵢInt.mul ($ 1) ($ 4)) ofs2
            then Some (Vint32 Int.one)
            else Some (Vint32 Int.zero)
          else Some (Vint32 Int.zero)
      end = Vint32 Int.zero \/
    val_inj
      match x6 with
        | Vundef => None
        | Vnull => Some (Vint32 Int.zero)
        | Vint32 _ => None
        | Vptr (b2, ofs2) =>
          if peq v´49 b2
          then
            if Int.eq (x+ᵢInt.mul ($ 1) ($ 4)) ofs2
            then Some (Vint32 Int.one)
            else Some (Vint32 Int.zero)
          else Some (Vint32 Int.zero)
      end = Vnull -> x6 <> Vptr (v´49, (x+ᵢInt.mul ($ 1) ($ 4))).

Lemma isptr_val_inj_false: forall x0, isptr x0 -> val_inj (val_eq x0 Vnull) = Vnull -> False.

Definition myAnd := Logic.and.

Lemma array_int8u_nth_lt_len :
  forall vl m,
    array_type_vallist_match Int8u vl ->
    (m < length vl)%nat ->
    exists i, nth_val´ m vl = Vint32 i /\ Int.unsigned i <= 255.
Lemma int_lemma1:
  forall i1 i2,
    Int.unsigned i1 <= 255 ->
    Int.unsigned i2 <= 255 ->
    Int.unsigned (i1 & Int.not i2) <= 255.

Lemma array_type_vallist_match_hold :
  forall vl n t v,
    array_type_vallist_match t vl ->
    (n < length vl)%nat ->
    rule_type_val_match t v = true ->
    array_type_vallist_match t (update_nth_val n vl v).

Lemma tcbmod_neq_set_get:
  forall x y b tcbls,
    x <> y ->
    TcbMod.get (TcbMod.set tcbls y b) x = TcbMod.get tcbls x.

Lemma ltu_zero_eq_zero:
  forall i, Int.unsigned i <= 65535 -> false = Int.ltu ($ 0) i -> i = Int.zero.

Lemma bool_and_true_1 : forall {v1 v2 x},
                          istrue x = Some true -> bool_and v1 v2 = Some x ->
                          exists n1, v1 = Vint32 n1 /\ Int.ltu Int.zero n1 = true.

Lemma ltu_zero_notbool_true : forall {i2},
                                Int.ltu Int.zero (Int.notbool i2) = true -> Int.eq i2 Int.zero = true.

Lemma val_eq_zero_neq : forall {v1 v2 i},
                          val_eq v1 v2 = Some (Vint32 i) -> Int.eq i Int.zero = true -> v1 <> v2.

Lemma bool_and_true_gt: forall {v1 v2 x},
                          bool_and v1 v2 = Some x -> istrue x = Some true ->
                          exists n1 n2, v1 = Vint32 n1 /\ v2 = Vint32 n2 /\ Int.ltu Int.zero n1 = true /\ Int.ltu Int.zero n2 = true.

Lemma list_cons_assoc : forall {A} l1 l2 (n:A),
                          l1 ++ n :: l2 = (l1 ++ n::nil) ++ l2.

Lemma upd_vallist_eq_length: forall vl n v´,
                               length vl = length (update_nth_val n vl v´).

Lemma vallist_destru:
  forall vl:vallist , length vl = ∘OS_EVENT_TBL_SIZE ->
                      exists v1 v2 v3 v4,
                        exists v5 v6 v7 v8,
                          vl = v1 ::v2 ::v3 ::v4 ::v5 ::v6::v7::v8 :: nil.

Lemma eq_1 :Int.zero+ᵢ($ 4+ᵢ($ 2+ᵢ($ 1+ᵢ$ 1))) = $ 8.

Lemma eq_2 : $ 8+ᵢ ($ 1) = $ 9.

Lemma eq_3 : $ 9+ᵢ ($ 1) = $10.

Lemma eq_4 : $ 10+ᵢ($ 1) = $11.

Lemma eq_5 : $11+ᵢ ($ 1) = $ 12.

Lemma eq_6 : $ 12+ᵢ ($ 1) = $ 13.

Lemma eq_7 : $ 13+ᵢ($ 1) = $ 14.

Lemma eq_8 : $ 14+ᵢ ($ 1) = $ 15.

Lemma eq_9 : $0+ᵢ$ 1 = $1.

Lemma eq_10 :$1+ᵢ$ 1 = $2.

Lemma eq_11 :$2+ᵢ$2 = $4.

Lemma eq_12 :$4+ᵢ$4 = $8.

Lemma eq_13 :$8+ᵢ$8 = $16.

Lemma xx:forall P Q R, (P \\// Q) ** R ==> (P ** R) \\// (Q ** R).

Lemma is_length_neq_zero_elim:
  forall v´1, val_inj (val_eq (is_length (0%nat :: v´1)) (V$1)) <> Vint32 Int.zero -> v´1=nil.


Lemma true_if_else_true: forall x, x =true -> (if x then true else false) = true.

Ltac rtmatch_solve:=
  apply true_if_else_true;
  apply Zle_is_le_bool;
  try rewrite byte_max_unsigned_val; try rewrite max_unsigned_val;
  try omega.

Lemma z_le_7_imp_n: forall x, Int.unsigned x <= 7 -> (Z.to_nat (Int.unsigned x) < 8)%nat.

Lemma z_le_255_imp_n: forall x, Int.unsigned x <= 255 -> (Z.to_nat (Int.unsigned x) < 256)%nat.

Lemma OSUnMapVallist_type_vallist_match: array_type_vallist_match Tint8 OSUnMapVallist.

Lemma pos_to_nat_range_0_255:
  forall z, 0<=z -> z<=255 -> (0<=Z.to_nat z<=255)%nat.

Lemma sn_le_n_le_minus1:
  forall (n x:nat), (S n <= x -> n <= x-1)%nat.

Lemma osunmapvallist_prop:
  forall i, (Int.unsigned i <= 255) -> exists x, nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x /\ Int.unsigned x <=?7 = true.

Lemma int_iwordsize_gt_3:
  Int.ltu ($ 3) Int.iwordsize = true.

Lemma shl3_add_range:
  forall x x0,
    (Int.unsigned x <=? 7) = true ->
    (Int.unsigned x0 <=? 7) = true ->
    Int.unsigned ((x<<$ 3) +ᵢ x0) <=? 63 =true.
  Ltac auto_shiftl := unfold Z.shiftl; unfold Pos.iter; int auto.


Lemma int_unsigned_le_z2nat_lt:
  forall x z,Int.unsigned x <= z ->
             (Z.to_nat (Int.unsigned x) < Z.to_nat (z+1))%nat.