Library mcertikos.layerlib.AuxStateDataType

Require Import Coqlib.
Require Import Constant.
Require Import Maps.
Require Import Values.
Require Import Integers.
Require Import AST.
Require Import AsmX.
Require Export AuxFunctions.

Section MemoryManagement.


  Definition PDX (i:Z) := i/(PgSize × one_k).
  Definition PTX (i:Z) := (i/PgSize) mod one_k.
  Definition PTADDR (i:Z) (ofs:Z) := (i × PgSize) + (ofs mod PgSize).
  Definition PageI (i: Z) := i / PgSize.

  Lemma size_chunk_range:
    ∀ chunk,
      0≤ size_chunk chunk ≤ 8.
  Proof.
    induction chunk; simpl; omega.
  Qed.

  Lemma mod_chunk´:
    ∀ i,
      0 ≤ i < 1024 →
      i × 4 ≤ 4096 - size_chunk Mint32.
  Proof.
    simpl. intros.
    omega.
  Qed.

  Lemma mod_chunk:
    ∀ i,
      (i mod 1024) × 4 ≤ PgSize - size_chunk Mint32.
  Proof.
    intros.
    exploit (Z.mod_pos_bound i 1024).
    omega. intros Hrange.
    eapply mod_chunk´.
    assumption.
  Qed.

  Lemma HPS: PgSize > 0.
  Proof. omega. Qed.

  Inductive MMPerm:=
  | MMUsable
  | MMResv.

  Inductive MMInfo:=
  | MMValid (s l:Z) (p: MMPerm)
  | MMUndef.

  Definition MMTable := ZMap.t MMInfo.

  Definition VMXInfo := ZMap.t Z.

  Class RealParamsOps : Type :=
    {
      real_mm: MMTable;
      real_size: Z;
      real_vmxinfo: VMXInfo
    }.

  Section MMTable_Property.

    Remark MM_dec (mm: MMTable) (i:Z):
      { ∃ s l p, ZMap.get i mm = MMValid s l p ∧ s ≥ 0 ∧ l > 0 ∧ s + l < Int.max_unsigned}
      +{¬∃ s l p, ZMap.get i mm = MMValid s l p ∧ s ≥ 0 ∧ l > 0 ∧ s + l < Int.max_unsigned}.
    Proof.
      induction (ZMap.get i mm); [|right; red; intros [s´[l´[p´ [HT _]]]]; discriminate].
      destruct (zle 0 s); [|right; red; intros [s´[l´[p´ [HT [HF _]]]]]; inv HT; omega].
      destruct (zlt 0 l); [|right; red; intros [s´[l´[p´ [HT [_[HF _]]]]]]; inv HT; omega].
      destruct (zlt (s + l) Int.max_unsigned); [|right; red; intros [s´[l´[p´ [HT [_[_ HF]]]]]]; inv HT; omega].
      left.
      ∃ s, l, p.
      split; trivial.
      split; omega.
    Qed.

    Definition MM_range (mm: MMTable) (lo high: Z) :=
      ∀ i , lo ≤ i < high → ∃ s l p, (ZMap.get i mm = MMValid s l p ∧ s ≥ 0 ∧ l > 0 ∧ s + l < Int.max_unsigned).

    Lemma general_range_dec:
      ∀ P,
        (∀ i, {P i} + {¬P i}) →
        ∀ lo hi, {∀ i, lo ≤ i < hi → P i} + {¬ ∀ i, lo ≤ i < hi → P i}.
    Proof.
      intros.
      assert(HP: ∀ n, 0 ≤ n
                           → {∀ i, lo ≤ i < (lo+n) → P i} + {¬ ∀ i, lo ≤ i < (lo+n) → P i}).
      {
        apply natlike_rec2.
        - left; intros. omegaContradiction.
        - destruct 2.
          + destruct (H (lo+z)).
            × left; intros.
              destruct (zeq i (lo + z)); subst; trivial.
              apply p; omega.
            × right; red; intro.
              assert (lo ≤ (lo+z) < lo + Z.succ z) by omega.
              elim n; auto.
          + right; red; intro; elim n; clear n. intros.
            assert (lo ≤ i < lo + Z.succ z) by omega.
            auto.
      }
      destruct (zlt lo hi).
      replace hi with (lo + (hi - lo)) by omega. apply HP. omega.
      left; intros. omegaContradiction.
    Qed.

    Remark MM_range_dec:
      ∀ mm lo high, {MM_range mm lo high} + {¬MM_range mm lo high}.
    Proof.
      intros. unfold MM_range.
      eapply general_range_dec. intros.
      apply MM_dec.
    Qed.

    Definition MM_valid (mm: MMTable) (size: Z) := MM_range mm 0 size.

    Remark MM_valid_dec (mm: MMTable) (size: Z) :
      {MM_valid mm size} +{¬MM_valid mm size}.
    Proof.
      unfold MM_valid.
      apply (MM_range_dec mm 0 size).
    Qed.

    Definition perm_consist (s1 s2 l1 l2 :Z) (p1 p2: MMPerm):=
      s1 < s2 + l2 → s2 < s1 + l1 → p1 = p2.

    Remark perm_consist_dec (s1 s2 l1 l2 :Z) (p1 p2: MMPerm) :
      {perm_consist s1 s2 l1 l2 p1 p2} + {¬perm_consist s1 s2 l1 l2 p1 p2}.
    Proof.
      unfold perm_consist.
      destruct(Z_lt_dec s1 (s2+l2)).
      destruct(Z_lt_dec s2 (s1+l1)).
      assert(HP1: {p1 = p2} + {¬p1 = p2}) by decide equality.
      destruct HP1; [left; auto| right; red; auto].
      left; intros; omegaContradiction.
      left; intros; omega.
    Qed.

    Remark MMPerm_dec (p1 p2: MMPerm) :
      { p1 = p2} + { p1 ≠ p2}.
    Proof.
      decide equality.
    Qed.

    Definition MM_correct_pos (mm: MMTable) (i j: Z) :=
      ∀ s1 s2 l1 l2 p1 p2,
        ZMap.get i mm = MMValid s1 l1 p1
        → ZMap.get j mm = MMValid s2 l2 p2
        → perm_consist s1 s2 l1 l2 p1 p2.

    Remark MM_correct_pos_dec (mm: MMTable) (i j:Z) :
      {MM_correct_pos mm i j} + {¬ MM_correct_pos mm i j}.
    Proof.
      unfold MM_correct_pos.
      destruct (ZMap.get i mm); [| left; intros; discriminate].
      destruct (ZMap.get j mm); [| left; intros; discriminate].
      unfold perm_consist.
      destruct (MMPerm_dec p p0).
      left; intros; inv H; inv H0; trivial.
      destruct (zlt s (s0 + l0)).
      destruct (zlt s0 (s + l)).

      right; red; intros. elim n; eauto.

      left; intros; inv H; inv H0; omega.
      left; intros; inv H; inv H0; omega.
    Qed.

    Definition MM_correct1 (mm: MMTable) (i size: Z) :=
      ∀ j, 0≤ j < size → MM_correct_pos mm i j.

    Remark MM_correct1_dec (mm: MMTable) (i size:Z) :
      {MM_correct1 mm i size} + {¬ MM_correct1 mm i size}.
    Proof.
      unfold MM_correct1.
      eapply general_range_dec. intros.
      apply MM_correct_pos_dec.
    Qed.

    Definition MM_correct2 (mm: MMTable) (size size2: Z) :=
      ∀ i, 0≤ i < size → MM_correct1 mm i size2.

    Remark MM_correct2_dec (mm: MMTable) (size size2:Z) :
      {MM_correct2 mm size size2} + {¬ MM_correct2 mm size size2}.
    Proof.
      unfold MM_correct2.
      eapply general_range_dec. intros.
      apply MM_correct1_dec.
    Qed.

    Definition MM_correct (mm: MMTable) (size: Z) :=
      ∀ i j s1 s2 l1 l2 p1 p2,
        0≤ i < size → 0≤ j < size
        → ZMap.get i mm = MMValid s1 l1 p1
        → ZMap.get j mm = MMValid s2 l2 p2
        → perm_consist s1 s2 l1 l2 p1 p2.

    Remark MM_correct_dec (mm: MMTable) (size:Z) :
      {MM_correct mm size} + {¬ MM_correct mm size}.
    Proof.
      destruct (MM_correct2_dec mm size size).
      left; unfold MM_correct, MM_correct2, MM_correct1, MM_correct_pos in *; eauto.
      right;red;intro; apply n.
      unfold MM_correct2, MM_correct1, MM_correct_pos; eauto.
    Qed.

    Definition MM_kern_valid (mm: MMTable)(n size:Z):=
      ∃ i s l,
        0≤ i < size ∧ ZMap.get i mm = MMValid s l MMUsable ∧ s≤ n × PgSize ∧ l + s ≥ ((n+1)* PgSize).

    Remark MM_kern_valid_dec (mm:MMTable) (n size:Z) :
      {MM_kern_valid mm n size} +{¬MM_kern_valid mm n size}.
    Proof.
      assert(HQ: ∀ k, 0≤ k → {MM_kern_valid mm n k} +{¬MM_kern_valid mm n k}).
      unfold MM_kern_valid; apply natlike_rec2.
      right; red; intros; destruct H as [i[_[_[HI _]]]]; omega.

      destruct 2.
      left.
      destruct e as [i [s[l[HI[HM[HS HL]]]]]].
      ∃ i, s, l; repeat (split;trivial); omega.

      Ltac right_simpl H0 H1 z n0:=
        right; red; intros; destruct H1 as [i´[s´[l´ HM]]]; destruct (zeq i´ z);
        [subst; destruct HM as [_ [HM [HM1 HF]]]; rewrite H0 in HM; inv HM; try omega
        | elim n0; ∃ i´, s´, l´; destruct HM as [HM1 HM2]; split; trivial; omega].

      caseEq (ZMap.get z mm); intros; [|right_simpl H0 H1 z n0].
      destruct (MMPerm_dec p MMUsable); [|right_simpl H0 H1 z n0; elim n1; trivial].
      destruct (zle s (n × PgSize)); [|right_simpl H0 H1 z n0].
      destruct (zle ((n+1)*PgSize) (l + s)); [|right_simpl H0 H1 z n0].

      left; ∃ z, s, l.
      rewrite e in H0.
      repeat(split;trivial);
        omega.

      destruct (Z_le_dec size 0).
      right; red; unfold MM_kern_valid; intro.
      destruct H as [i[_[_[HI _]]]]; omega.

      apply HQ; omega.
    Qed.

    Definition MM_kern_range (mm:MMTable) (n size: Z):=
      ∀ i, 0≤ i < n → MM_kern_valid mm i size.

    Definition MM_kern (mm:MMTable) (size: Z):=
      MM_kern_range mm kern_low size.

  End MMTable_Property.

  Definition trapinfo := prod int val.

  Definition init_trap_info : trapinfo := (Int.zero, Vzero).

  Inductive globalpointer :=
  | GLOBP (b: ident) (ofs: int)
  | GLOBUndef.

  Section CR3_Property.

    Definition CR3_valid (pt: globalpointer) := ∃ b ofs, pt = GLOBP b ofs.

    Remark CR3_valid_dec (pt: globalpointer) :
      {CR3_valid pt } + { ¬ CR3_valid pt}.
    Proof.
      unfold CR3_valid.
      destruct pt.
      left.
      eauto.
      right.
      red; intros.
      destruct H as [b0 [ofs0 HG]].
      inv HG.
    Qed.

  End CR3_Property.

  Section CONTAINER.

    Inductive Container : Type :=
      mkContainer {
          cquota : Z;
          cusage : Z;
          cparent : Z;
          cchildren : list Z;
          cused : bool
        }.

    Definition ContainerPool : Type := ZMap.t Container.

    Definition Container_unused := mkContainer 0 0 0 nil false.

    Section Container_Property.

      Inductive child_quotas_bounded : ContainerPool → list Z → Z → Prop :=
      | cqb_nil : ∀ C n, 0 ≤ n → child_quotas_bounded C nil n
      | cqb_cons : ∀ C c cs n m, 0 ≤ cquota (ZMap.get c C) ≤ m →
                                      child_quotas_bounded C cs n →
                                      child_quotas_bounded C (c::cs) (n+m).

      Lemma cqb_nonneg : ∀ cs C n, child_quotas_bounded C cs n → 0 ≤ n.
      Proof.
        induction cs; simpl; intros.
        inv H; auto.
        inv H.
        apply Z.add_nonneg_nonneg; try omega.
        apply (IHcs C); auto.
      Qed.

      Lemma cqb_bound : ∀ cs C n1 n2, child_quotas_bounded C cs n1 →
                                           n1 ≤ n2 → child_quotas_bounded C cs n2.
      Proof.
        induction cs; simpl; intros.
        inv H; constructor; omega.
        inv H.
        apply (IHcs _ _ (n2-m)) in H6; try omega.
        replace n2 with (n2 - m + m); try omega.
        constructor; auto.
      Qed.

      Lemma cqb_notin : ∀ cs C c n con,
                          child_quotas_bounded C cs n → ¬ In c cs →
                          child_quotas_bounded (ZMap.set c con C) cs n.
      Proof.
        induction cs; simpl; intros.
        inv H; constructor; auto.
        inv H; constructor; auto.
        rewrite ZMap.gso; auto.
      Qed.

      Lemma cqb_weaken : ∀ cs C c n con,
                           child_quotas_bounded C cs n → 0 ≤ cquota con ≤ cquota (ZMap.get c C) →
                           child_quotas_bounded (ZMap.set c con C) cs n.
      Proof.
        induction cs; simpl; intros.
        inv H; constructor; auto.
        inv H; constructor; auto.
        destruct (zeq a c); subst.
        rewrite ZMap.gss; omega.
        rewrite ZMap.gso; auto.
      Qed.

      Fact remove_notin {A} : ∀ (l : list A) a eq, ¬ In a l → remove eq a l = l.
      Proof.
        induction l; simpl; intros; auto.
        destruct (eq a0 a); subst.
        contradict H; auto.
        rewrite IHl; auto.
      Qed.

      Lemma cqb_remove : ∀ cs C c n,
                           child_quotas_bounded C cs n → In c cs →
                           child_quotas_bounded C (remove zeq c cs) (n - cquota (ZMap.get c C)).
      Proof.
        induction cs; simpl; intros.
        inv H0.
        inv H.
        destruct (in_dec zeq c cs) as [Hin|Hnin].
        destruct (zeq c a); subst.
        apply (IHcs _ a) in H6; auto.
        apply cqb_bound with (n1 := n0 - cquota (ZMap.get a C)); auto; try omega.
        replace (n0 + m - cquota (ZMap.get c C)) with (n0 - cquota (ZMap.get c C) + m); try omega.
        constructor; auto.
        destruct H0; subst; try contradiction.
        destruct (zeq c c).
        apply cqb_bound with (n1 := n0); try omega.
        rewrite remove_notin; auto.
        contradict n; auto.
      Qed.

      Inductive Container_valid (C : ContainerPool) : Prop :=
        mkContainer_valid {
            cvalid_id : ∀ i, cused (ZMap.get i C) = true → 0 ≤ i < num_proc;
            cvalid_root : ∀ i, cused (ZMap.get i C) = true →
                                    (i = cparent (ZMap.get i C) ↔ i = 0);
            cvalid_quota : ∀ i, cused (ZMap.get i C) = true →
                                     cquota (ZMap.get i C) ≤ Int.max_unsigned;
            cvalid_usage : ∀ i, cused (ZMap.get i C) = true →
                                     0 ≤ cusage (ZMap.get i C) ≤ cquota (ZMap.get i C);
            cvalid_parent_used : ∀ i, cused (ZMap.get i C) = true →
                                           cused (ZMap.get (cparent (ZMap.get i C)) C) = true;
            cvalid_children_used : ∀ i, cused (ZMap.get i C) = true →
                                             Forall (fun j ⇒ cused (ZMap.get j C) = true) (cchildren (ZMap.get i C));
            cvalid_parents_child : ∀ i, cused (ZMap.get i C) = true → (i ≠ 0)%Z →
                                             In i (cchildren (ZMap.get (cparent (ZMap.get i C)) C));
            cvalid_childrens_parent : ∀ i, cused (ZMap.get i C) = true →
                                                Forall (fun j ⇒ cparent (ZMap.get j C) = i) (cchildren (ZMap.get i C));
            cvalid_cqb : ∀ i, cused (ZMap.get i C) = true →
                                   child_quotas_bounded C (cchildren (ZMap.get i C)) (cusage (ZMap.get i C));
            cvalid_nodup : ∀ i, cused (ZMap.get i C) = true →
                                     NoDup (cchildren (ZMap.get i C))
          }.

    End Container_Property.


    Fixpoint init_container_children (i : nat) (lst : list Z) : list Z :=
      match i with
      | O ⇒ (1::nil)
      | S k ⇒ let prev := init_container_children k nil in
               (Z.of_nat (S k) + 1)::prev
      end.

    Definition init_container : Container := (mkContainer (root_quota/TOTAL_CPU) 0 0 nil true).

    Fixpoint init_cal_container (i : nat) (ACPool : ContainerPool) : ContainerPool :=
      match i with
      | O ⇒ ZMap.set 1 init_container ACPool
      | S k ⇒ ZMap.set (Z.of_nat (S k) + 1) init_container (init_cal_container k ACPool)
      end.

    Definition init_real_container : ContainerPool :=
      init_cal_container (Z.to_nat (TOTAL_CPU - 1))
                         (ZMap.set 0 (mkContainer root_quota root_quota 0
                                                  (init_container_children (Z.to_nat (TOTAL_CPU - 1)) nil)
                                                  true) (ZMap.init Container_unused)).

    Definition AC_init := init_real_container.

  End CONTAINER.

  Inductive ATType: Type :=
  | ATKern
  | ATResv
  | ATNorm.

  Remark ATType_dec:
    ∀ x y: ATType,
      {x = y} + {x ≠ y}.
  Proof.
    intros. repeat progress (decide equality).
  Qed.

  Inductive ATInfo :=
  | ATValid (b: bool) (t: ATType)
  | ATUndef.

  Definition ATable := ZMap.t ATInfo.

  Inductive ATCInfo :=
  | ATCValid (n: Z)
  | ATCUndef.

  Definition ATCTable := ZMap.t ATCInfo.

  Function ZtoATType (i: Z) : option ATType :=
    match i with
      | 0 ⇒ Some ATResv
      | 1 ⇒ Some ATKern
      | 2 ⇒ Some ATNorm
      | _ ⇒ None
    end.

  Definition IntToBoolZ (n: int) : Z :=
    if Int.eq n Int.zero then 0
    else 1.

  Definition ZToATTypeZ (n: Z) : Z :=
    if zeq n 0 then 0
    else if zeq n 1 then 0
         else 1.

  Section AT_Property.

    Definition AT_kern (AT: ATable) (nps: Z) :=
      ∀ i, 0≤ i < kern_low ∨ kern_high ≤ i < nps
                → ZMap.get i AT = ATValid false ATKern.

    Definition AT_usr (AT: ATable) (nps: Z):=
      ∀ i, kern_low ≤ i < Z.min kern_high nps
                 → ∃ b, (ZMap.get i AT = ATValid b ATNorm)
                              ∨ ZMap.get i AT = ATValid b ATResv.

    Remark AT_dec (info: ATInfo) (b: bool) (t: ATType):
      {info = ATValid b t} + {¬info = ATValid b t}.
    Proof.
      repeat progress (decide equality).
    Qed.

    Lemma min_ex: ∀ (P: Z → Prop) lo hi,
                    (∀ n, {P n} + {¬ P n}) →
                    {n : Z | lo < n < hi ∧ P n ∧ ∀ n´, lo < n´ < n → ¬ P n´} +
                    {∀ n, lo < n < hi → ¬ P n}.
    Proof.
      intros.
      assert(HP: ∀ k,
                   0 ≤ k → {n : Z | lo < n < lo + k + 1 ∧ P n ∧ (∀ n´ : Z, lo < n´ < n → ¬ P n´)} +
                             {(∀ n : Z, lo < n < lo + k + 1 → ¬ P n)}).
      {
        apply natlike_rec2.
        - right; intros; omega.
        - intros z HR HT.
          destruct HT.
          + left; destruct s as [n[HT HM]].
            ∃ n; split; trivial; omega.
          + specialize (H (lo + z + 1)).
            destruct H.
            × left; ∃ (lo + z + 1); split; auto; omega.
            × right; intros; destruct (zeq n1 (lo + z + 1)); subst; trivial; apply n; omega.
      }
      destruct (zlt lo hi).
      - replace hi with (lo + (hi - lo - 1) + 1) by omega. apply HP. omega.
      - right; intros. omegaContradiction.
    Qed.

    Definition first_free (At: ATable) (size: Z) :
      {n| 0 < n < size ∧ ZMap.get n At = ATValid false ATNorm ∧
          (∀ x, 0 < x < n → ¬ ZMap.get x At = ATValid false ATNorm)}
      + {∀ x, 0 < x < size → ¬ ZMap.get x At = ATValid false ATNorm}.
    Proof.
      eapply min_ex. intros.
      destruct (ZMap.get n At).
      - destruct b.
        + right. red; intros. inv H.
        + destruct t.
          × right. red; intros. inv H.
          × right. red; intros. inv H.
          × left. eauto.
      - right. red; intros. inv H.
    Defined.

  End AT_Property.

  Inductive LATOwner :=
    | LATO (n pdi pti: Z).

  Inductive LATCInfo :=
  | LATCValid (l: list LATOwner)
  | LATCUndef.

  Remark LATOwner_dec:
    ∀ x y: LATOwner,
      {x = y} + {x ≠ y}.
  Proof.
    intros. repeat progress (decide equality).
  Qed.

  Definition LATCTable := ZMap.t LATCInfo.

  Section LAT_Property.


    Inductive relate_LATCInfo : ATCInfo → LATCInfo → Prop :=
    | RELATE_Undef: relate_LATCInfo ATCUndef LATCUndef
    | RELATE_VALID:
        ∀ n l,
          n = Z_of_nat (length l) →
          relate_LATCInfo (ATCValid n) (LATCValid l).

    Definition relate_LATCTable (a1 : ATCTable) (a2 : LATCTable) :=
      ∀ i, relate_LATCInfo (ZMap.get i a1) (ZMap.get i a2).

    Lemma relate_LATable_gss:
      ∀ a1 a2,
        relate_LATCTable a1 a2 →
        ∀ s1 s2,
          relate_LATCInfo s1 s2 →
          ∀ i,
            relate_LATCTable (ZMap.set i s1 a1) (ZMap.set i s2 a2).
    Proof.
      unfold relate_LATCTable; intros.
      destruct (zeq i i0); subst.
      - repeat rewrite ZMap.gss. trivial.
      - repeat rewrite ZMap.gso; auto.
    Qed.

  Definition LATCTable_nil (lat: LATCTable) (a: ATable):=
    ∀ i l, ZMap.get i a = ATValid false ATNorm →
                ZMap.get i lat = LATCValid l →
                l = nil.

  Section LATABLE_NIL.

    Lemma LATCTable_nil_int:
      LATCTable_nil (ZMap.init LATCUndef) (ZMap.init ATUndef).
    Proof.
      intros i. intros.
      repeat rewrite ZMap.gi in ×. inv H.
    Qed.

    Lemma LATCTable_nil_gss_nil:
      ∀ la n a,
        LATCTable_nil la a→
        LATCTable_nil (ZMap.set n (LATCValid nil) la) a.
    Proof.
      unfold LATCTable_nil; intros.
      destruct (zeq i n); subst.
      - rewrite ZMap.gss in H1. inv H1. trivial.
      - rewrite ZMap.gso in H1; eauto.
    Qed.

    Lemma LATCTable_nil_gso_true:
      ∀ la n l a t,
        LATCTable_nil la a →
        LATCTable_nil (ZMap.set n (LATCValid l) la) (ZMap.set n (ATValid true t) a).
    Proof.
      unfold LATCTable_nil; intros.
      destruct (zeq i n); subst.
      - rewrite ZMap.gss in ×. inv H0.
      - rewrite ZMap.gso in *; eauto.
    Qed.

  End LATABLE_NIL.

  End LAT_Property.

  Inductive PPgOnwer :=
  | PGPMap (n i: Z).

  Inductive PPgInfo :=
  | PGUndef
  | PGAlloc
  | PGHide (o: PPgOnwer).

  Definition PPermT := ZMap.t PPgInfo.

  Section PPgInfo_Property.

    Inductive PPgInfo_leq: PPgInfo → PPgInfo → Prop :=
    | PGLE_REFL: ∀ i, PPgInfo_leq i i
    | PGLE_ALLOC_BUSY: ∀ o, PPgInfo_leq (PGHide o) (PGAlloc )
    .

    Definition PPermT_les (c1 c2: PPermT) :=
      ∀ i, PPgInfo_leq (ZMap.get i c1) (ZMap.get i c2).

    Definition consistent_ppage (att: ATable) (ppt: PPermT) (nps: Z): Prop :=
      ∀ i,
        0≤ i < nps →
        (¬ (ZMap.get i ppt = PGUndef)
         →
         ZMap.get i att = ATValid true ATNorm)
        ∧ (ZMap.get i att = ATValid true ATNorm
            → ¬ (ZMap.get i ppt = PGUndef)).

    Lemma consistent_ppage_init:
      ∀ nps,
      consistent_ppage (ZMap.init ATUndef) (ZMap.init PGUndef) nps.
    Proof.
      split; repeat rewrite ZMap.gi; intros.
      - elim H0. reflexivity.
      - discriminate.
    Qed.


    Remark PPgOwner_dec (o o1: PPgOnwer):
      { o = o1 } + {¬ o = o1 }.
    Proof.
      decide equality; apply zeq.
    Qed.


    Remark PPgInfo_dec (pperm pperm1: PPgInfo):
      {pperm = pperm1} + {¬ pperm = pperm1}.
    Proof.
      decide equality.
      eapply PPgOwner_dec.
    Qed.

  End PPgInfo_Property.

  Inductive PTPerm: Type :=
  | PTP
  | PTU
  | PTK (b: bool).

  Function ZtoPerm (i:Z): option PTPerm:=
    match i with
      | PT_PERM_P ⇒ Some PTP
      | PT_PERM_PTKF ⇒ Some (PTK false)
      | PT_PERM_PTKT ⇒ Some (PTK true)
      | PT_PERM_PTU ⇒ Some PTU
      | _ ⇒ None
    end.

  Function PermtoZ (p: PTPerm): Z :=
    match p with
      | PTP ⇒ PT_PERM_P
      | PTU ⇒ PT_PERM_PTU
      | PTK false ⇒ PT_PERM_PTKF
      | PTK true ⇒ PT_PERM_PTKT
    end.

  Lemma PermZ_eq:
    ∀ v p, ZtoPerm v = Some p → v = PermtoZ p.
  Proof.
    functional inversion 1; trivial.
  Qed.

  Lemma PermZ_eq_r: ∀ p, ZtoPerm (PermtoZ p) = Some p.
  Proof.
    intros.
    destruct p; trivial.
    destruct b; trivial.
  Qed.

  Lemma ZtoPerm_range: ∀ i p, ZtoPerm (i) = Some p → 0≤ i < 260.
  Proof.
    functional inversion 1; omega.
  Qed.

  Inductive PTEInfo:=
  | PTEValid (v: Z) (p: PTPerm)
  | PTEUnPresent
  | PTEUndef.

  Definition PTE := ZMap.t PTEInfo.

  Inductive PDE :=
  | PDEValid (pi: Z) (pte: PTE)
  | PDEID
  | PDEUnPresent
  | PDEUndef.

  Inductive IDPTEInfo:=
  | IDPTEValid (p: PTPerm)
  | IDPTEUndef.

  Definition IDPTE := ZMap.t IDPTEInfo.
  Definition IDPDE := ZMap.t IDPTE.


  Definition PMap := ZMap.t PDE.

  Section PT_Property.

    Definition PDE_kern (pmap: PMap) (i: Z):=
      ZMap.get (PDX (i × PgSize)) pmap = PDEID.

    Definition PDE_kern_range (pmap: PMap) (lo high: Z) :=
      ∀ i , lo ≤ i < high → PDE_kern pmap i.

    Definition PMap_common (pmap: PMap) :=
      ∀ i, 0≤ i < kern_low ∨ kern_high ≤ i < maxpage
                → PDE_kern pmap i.

    Definition PMap_kern (pmap: PMap) :=
      ∀ i, kern_low ≤ i < kern_high
                → PDE_kern pmap i.

    Remark PDE_kern_dec:
      ∀ pt i, {PDE_kern pt i} + {¬ PDE_kern pt i}.
    Proof.
      intros; unfold PDE_kern.
      destruct (ZMap.get (PDX (i × PgSize)) pt) eqn: HPDX.
      + right; red; intros. discriminate.
      + left; trivial.
      + right; red; intros. discriminate.
      + right; red; intros. discriminate.
    Qed.

    Remark PDE_kern_range_dec:
      ∀ pt lo high, {PDE_kern_range pt lo high} + {¬PDE_kern_range pt lo high}.
    Proof.
      intros. unfold PDE_kern_range.
      eapply general_range_dec. intros.
      apply PDE_kern_dec.
    Qed.

    Remark PMap_common_dec:
      ∀ pt, {PMap_common pt } + { ¬ PMap_common pt}.
    Proof.
      intros; unfold PMap_common.
      destruct (PDE_kern_range_dec pt 0 kern_low).
      + destruct (PDE_kern_range_dec pt kern_high maxpage).
        × left; unfold PDE_kern_range in *; intros.
          destruct H; auto.
        × right; red; intros.
          unfold PDE_kern_range in *; auto.
      + right; red; intros.
        apply n; unfold PDE_kern_range; auto.
    Qed.

    Remark PMap_kern_dec:
      ∀ pt, {PMap_kern pt } + { ¬ PMap_kern pt}.
    Proof.
      intros. apply (PDE_kern_range_dec pt kern_low kern_high).
    Qed.

    Definition PDE_usr (pmap: PMap) (i: Z):=
      ZMap.get (PDX (i × PgSize)) pmap = PDEUnPresent
      ∨ ZMap.get (PDX (i × PgSize)) pmap = PDEID
      ∨ (∃ pte pi, ZMap.get (PDX (i × PgSize)) pmap = PDEValid pi pte
                         ∧ ¬ (ZMap.get (PTX (i × PgSize)) pte = PTEUndef)).

    Definition PDE_usr_range (pmap: PMap) (lo high: Z) :=
      ∀ i , lo ≤ i < high → PDE_usr pmap i.

    Definition PMap_usr (pmap: PMap) :=
      ∀ i, kern_low ≤ i < kern_high
                → PDE_usr pmap i.

    Remark PDE_usr_dec:
      ∀ pt i, {PDE_usr pt i} + {¬ PDE_usr pt i}.
    Proof.
      intros; unfold PDE_usr.
      destruct (ZMap.get (PDX (i × PgSize)) pt) eqn: HPDX.
      - destruct (ZMap.get (PTX (i × 4096)) pte) eqn: HPTX.
        + left; intros. right. right.
          esplit; esplit. split; trivial.
          rewrite HPTX. red; intros HF; inv HF.
        + left; intros. right. right.
          esplit; esplit. split; trivial.
          rewrite HPTX. red; intros HF; inv HF.
        + right; red; intros. destruct H.
          × discriminate.
          × destruct H; try discriminate.
            destruct H as (? & ? & HW & HF).
            inv HW. elim HF; assumption.
      - left. right. left. reflexivity.
      - left. left. reflexivity.
      - right; red; intros. destruct H.
        + discriminate.
        + destruct H; try discriminate.
          destruct H as (? & ? & HW & HF). inv HW.
    Qed.

    Remark PDE_usr_range_dec:
      ∀ pt lo high, {PDE_usr_range pt lo high} + {¬PDE_usr_range pt lo high}.
    Proof.
      intros. unfold PDE_usr_range.
      eapply general_range_dec. intros.
      apply PDE_usr_dec.
    Qed.

    Remark PMap_usr_dec:
      ∀ pt, {PMap_usr pt } + { ¬ PMap_usr pt}.
    Proof.
      intros; unfold PMap_usr.
      destruct (PDE_usr_range_dec pt kern_low kern_high ).
      - left; unfold PDE_usr_range in *; intros. eauto.
      - right; red; intros.
        apply n; unfold PDE_usr_range; auto.
    Qed.

    Definition PMap_valid (pmap: PMap) :=
      PMap_common pmap ∧ PMap_usr pmap.

    Remark PMap_valid_dec:
      ∀ pt, {PMap_valid pt } + { ¬ PMap_valid pt}.
    Proof.
      intros; unfold PMap_valid.
      destruct (PMap_common_dec pt).
      destruct (PMap_usr_dec pt).
      - left. eauto.
      - right; red; intros.
        apply n. apply H.
      - right; red; intros.
        apply n. apply H.
    Qed.

  End PT_Property.

  Function pt_Arg´ (n vadr: Z) : bool :=
    if zlt_lt 0 n num_proc then
      if zle_lt adr_low vadr adr_high then
        true
      else false
    else false.

  Function pt_Arg (n vadr padr np: Z) : bool :=
    if pt_Arg´ n vadr then
      if zlt_lt 0 padr np then
        true
      else false
    else false.

  Section IDPMap_Property.

    Definition IDPTE_valid (pte: IDPTE) (i: Z) (b: bool):=
      ZMap.get i pte = IDPTEValid (PTK b).

    Definition IDPTE_valid_range (pte: IDPTE) (lo high: Z) (b: bool):=
      ∀ i , lo ≤ i < high → IDPTE_valid pte i b.

    Definition IDPTE_valid_page (pte: IDPTE) (b: bool):=
      ∀ i , 0 ≤ i < one_k → IDPTE_valid pte i b.

    Definition IDPDE_range (pde: IDPDE) (lo high: Z) (b: bool):=
      ∀ i , lo ≤ i < high → IDPTE_valid_page (ZMap.get (PDX (i × PgSize)) pde) b.

    Definition IDPDE_common (pde: IDPDE) :=
      ∀ i, 0≤ i < kern_low ∨ kern_high ≤ i < maxpage
                → IDPTE_valid_page (ZMap.get (PDX (i × PgSize)) pde) true.

    Definition IDPDE_kern (pde: IDPDE) :=
      ∀ i, kern_low ≤ i < kern_high
                → IDPTE_valid_page (ZMap.get (PDX (i × PgSize)) pde) false.

    Definition IDPDE_init (pde: IDPDE) :=
      IDPDE_common pde ∧ IDPDE_kern pde.

    Remark IDPTE_valid_dec:
      ∀ pte i b, {IDPTE_valid pte i b} + {¬ IDPTE_valid pte i b}.
    Proof.
      intros; unfold IDPTE_valid.
      repeat (decide equality).
    Qed.

    Remark IDPTE_valid_range_dec:
      ∀ pte lo high b, {IDPTE_valid_range pte lo high b} + {¬ IDPTE_valid_range pte lo high b}.
    Proof.
      intros. unfold IDPTE_valid_range.
      eapply general_range_dec. intros.
      apply IDPTE_valid_dec.
    Qed.

    Remark IDPTE_valid_page_dec:
      ∀ pte b, {IDPTE_valid_page pte b} + {¬ IDPTE_valid_page pte b}.
    Proof.
      intros. eapply IDPTE_valid_range_dec.
    Qed.

    Remark IDPDE_range_dec:
      ∀ pde lo high b, {IDPDE_range pde lo high b} + {¬ IDPDE_range pde lo high b}.
    Proof.
      intros. unfold IDPDE_range.
      eapply general_range_dec. intros.
      apply IDPTE_valid_page_dec.
    Qed.

    Remark IDPDE_common_dec:
      ∀ pde, {IDPDE_common pde } + { ¬ IDPDE_common pde}.
    Proof.
      intros; unfold IDPDE_common.
      destruct (IDPDE_range_dec pde 0 kern_low true).
      destruct (IDPDE_range_dec pde kern_high maxpage true).
      - left; unfold IDPDE_range in *; intros.
        destruct H; auto.
      - right; red; intros.
        unfold IDPDE_range in *; auto.
      - right; red; intros.
        apply n; unfold IDPDE_range; auto.
    Qed.

    Remark IDPDE_kern_dec:
      ∀ pde, {IDPDE_kern pde } + { ¬ IDPDE_kern pde}.
    Proof.
      intros. apply IDPDE_range_dec.
    Qed.

    Remark IDPDE_init_dec:
      ∀ pde, {IDPDE_init pde } + { ¬ IDPDE_init pde}.
    Proof.
      intros.
      destruct (IDPDE_common_dec pde).
      destruct (IDPDE_kern_dec pde).
      - left; split; assumption.
      - right; red; intros; elim n. apply H.
      - right; red; intros; elim n. apply H.
    Qed.

  End IDPMap_Property.

  Definition PMapPool := ZMap.t PMap.

  Section PTP_Property.

    Definition consistent_pmap (ptp: PMapPool) (ppt: PPermT) (At: ATable) (lat: LATCTable) (nps: Z): Prop :=
      ∀ i,
        0 ≤ i < num_proc →
        ∀ j,
          0≤ j < adr_max →
          ∀ pte pi,
            ZMap.get (PDX j) (ZMap.get i ptp) = PDEValid pi pte →
            0 < pi < nps
            ∧ ZMap.get pi ppt = PGHide (PGPMap i (PDX j))
            ∧ ZMap.get pi At = ATValid true ATNorm
            ∧ ZMap.get pi lat = LATCValid nil.

    Lemma consistent_pmap_init:
      ∀ pg a la nps,
      consistent_pmap (ZMap.init (ZMap.init PDEUndef)) pg a la nps.
    Proof.
      unfold consistent_pmap.
      intros. repeat rewrite ZMap.gi in H1. inv H1.
    Qed.

    Definition consistent_pmap_domain (ptp: PMapPool) (ppt: PPermT) (lat: LATCTable) (nps: Z): Prop :=
      ∀ i,
        0 ≤ i < num_proc →
        ∀ j,
          0≤ j < adr_max →
          ∀ pte pi,
            ZMap.get (PDX j) (ZMap.get i ptp) = PDEValid pi pte →
            ∀ v p,
              ZMap.get (PTX j) pte = PTEValid v p →
              0 < v < nps
              ∧ ZMap.get v ppt = PGAlloc
              ∧ ∃ l, ZMap.get v lat = LATCValid l
                           ∧ count_occ LATOwner_dec l (LATO i (PDX j) (PTX j)) = 1%nat.

    Lemma consistent_pmap_domain_init:
      ∀ pg la nps,
        consistent_pmap_domain (ZMap.init (ZMap.init PDEUndef)) pg la nps.
    Proof.
      unfold consistent_pmap_domain.
      intros. repeat rewrite ZMap.gi in H1. inv H1.
    Qed.

    Definition consistent_at_lat (At: ATable) (lat: LATCTable) (nps: Z): Prop :=
      ∀ v,
        0 < v < nps →
        ∀ l,
          ZMap.get v lat = LATCValid l →
          l ≠ nil →
          ZMap.get v At = ATValid true ATNorm.

    Lemma consistent_at_lat_init:
      ∀ a nps,
        consistent_at_lat a (ZMap.init LATCUndef) nps.
    Proof.
      unfold consistent_at_lat.
      intros. repeat rewrite ZMap.gi in H0. inv H0.
    Qed.

    Definition consistent_lat_domain (ptp: PMapPool) (lat: LATCTable) (nps: Z): Prop :=
      ∀ v,
        0 < v < nps →
        ∀ l,
          ZMap.get v lat = LATCValid l →
          ∀ n pdi pti,
            In (LATO n pdi pti) l →
            0 ≤ pti ≤ PTX (Int.max_unsigned)
            ∧ ∃ pi pte,
                 ZMap.get pdi (ZMap.get n ptp) = PDEValid pi pte
                 ∧ ∃ p,
                      ZMap.get pti pte = PTEValid v p.

    Lemma consistent_lat_domain_init:
      ∀ ptp nps,
        consistent_lat_domain ptp (ZMap.init LATCUndef) nps.
    Proof.
      unfold consistent_lat_domain.
      intros. repeat rewrite ZMap.gi in H0. inv H0.
    Qed.

    Definition PDE_unp (pmap: PMap) (i: Z) :=
      ZMap.get (PDX (i × PgSize)) pmap = PDEUnPresent.

    Definition PDE_unp_range (pmap: PMap) (lo high: Z) :=
      ∀ i , lo ≤ i < high → PDE_unp pmap i.

    Definition PMap_init (pmap: PMap) :=
      PMap_common pmap
      ∧ PDE_unp_range pmap kern_low kern_high.



    Lemma PMap_init_common_usr:
      ∀ pmap,
        PMap_init pmap → PMap_valid pmap.
    Proof.
      unfold PMap_valid, PMap_init, PMap_usr, PDE_unp_range. intros.
      destruct H as [HT1 HT2].
      split; [assumption|].
      intros. exploit HT2; eauto.
      unfold PDE_unp, PDE_usr.
      left; assumption.
    Qed.

  End PTP_Property.

  Function ZtoBool (i:Z): option bool :=
    match i with
      | 0 ⇒ Some false
      | 1 ⇒ Some true
      | _ ⇒ None
    end.

  Function BooltoZ (b:bool): Z :=
    match b with
      | true ⇒ 1
      | _ ⇒ 0
    end.

End MemoryManagement.

Section ProcessManagement.

  Definition KContext := regset.
  Definition KContextPool := ZMap.t KContext.

  Lemma register_type_load:
    ∀ (rs: regset) r v f,
      Val.has_type (rs r) Tint
      → val_inject f (Val.load_result Mint32 (rs r)) v
      → val_inject f (rs r) v.
  Proof.
    intros.
    unfold Val.has_type in ×.
    destruct (rs r); inv H; inv H0; try econstructor; eauto.
  Qed.

  Definition PregtoZ (r: preg) : option Z :=
    match r with
      | ESP ⇒ Some 0
      | EDI ⇒ Some 1
      | ESI ⇒ Some 2
      | EBX ⇒ Some 3
      | EBP ⇒ Some 4
      | RA ⇒ Some 5
      | _ ⇒ None
    end.

  Function ZtoPreg (i: Z) : option preg :=
    match i with
      | 0 ⇒ Some (IR ESP)
      | 1 ⇒ Some (IR EDI)
      | 2 ⇒ Some (IR ESI)
      | 3 ⇒ Some (IR EBX)
      | 4 ⇒ Some (IR EBP)
      | 5 ⇒ Some RA
      | _ ⇒ None
    end.

  Definition kctxt_inj (f:meminj) (range:Z) (kctxtp kctxtp´: KContextPool) :=
    ∀ i n r,
      0≤ n < range
      → ZtoPreg i = Some r
      → val_inject f (Pregmap.get r (ZMap.get n kctxtp)) (Pregmap.get r (ZMap.get n kctxtp´)).

  Definition kctxt_inject_neutral (kp: KContextPool) (n: block) :=
    ∀ ofs,
      0 ≤ ofs < num_proc →
      let rs := ZMap.get ofs kp in
      ∀ v r, ZtoPreg v = Some r →
                  Val.has_type (rs r) Tint
                  ∧ val_inject (Mem.flat_inj n) (rs r) (rs r).

  Lemma PregToZ_correct:
    ∀ r i, PregtoZ r = Some i → ZtoPreg i = Some r.
  Proof.
    intros.
    induction r; inv H; auto.
    induction i0; inv H1; auto.
  Qed.

  Lemma ZtoPreg_correct:
    ∀ r i, ZtoPreg i = Some r → PregtoZ r = Some i.
  Proof.
    functional inversion 1; trivial.
  Qed.

  Lemma ZtoPreg_range:
    ∀ n r,
      ZtoPreg n = Some r → 0≤ n ≤ 5.
  Proof.
    functional inversion 1; omega.
  Qed.

  Lemma ZtoPreg_range_correct:
    ∀ n,
      0≤ n ≤ 5 → ∃ r, ZtoPreg n = Some r.
  Proof.
    intros.
    destruct (zeq n 0). subst; simpl; eauto.
    destruct (zeq n 1). subst; simpl; eauto.
    destruct (zeq n 2). subst; simpl; eauto.
    destruct (zeq n 3). subst; simpl; eauto.
    destruct (zeq n 4). subst; simpl; eauto.
    destruct (zeq n 5). subst; simpl; eauto.
    omega.
  Qed.

  Lemma ZtoPreg_type:
    ∀ v r,
      ZtoPreg v = Some r → Tint = typ_of_preg r.
  Proof.
    functional inversion 1; trivial.
  Qed.

  Definition is_valid_context_reg (v: val) :=
    match v with
      | Vfloat _ ⇒ false
      | _ ⇒ true
    end.

  Inductive ThreadState :=
  | READY
  | RUN
  | SLEEP
  | DEAD
  | PENDING.

  Remark ThreadState_dec: ∀ ts ts´: ThreadState, {ts = ts´} + {¬ ts = ts´}.
  Proof.
    intros; decide equality.
  Qed.

  Function ZtoThreadState (i:Z) :=
    match i with
      | 0 ⇒ Some READY
      | 1 ⇒ Some RUN
      | 2 ⇒ Some SLEEP
      | 3 ⇒ Some DEAD
      | 4 ⇒ Some PENDING
      | _ ⇒ None
    end.

  Definition ThreadStatetoZ (tds: ThreadState) :=
    match tds with
      | READY ⇒ 0
      | RUN ⇒ 1
      | SLEEP ⇒ 2
      | DEAD ⇒ 3
      | PENDING ⇒ 4
    end.

  Lemma ZtoThreadState_correct:
    ∀ i tds, ZtoThreadState i = Some tds → ThreadStatetoZ tds = i.
  Proof.
    functional inversion 1; trivial.
  Qed.

  Lemma ThreadStatetoZ_correct:
    ∀ tds, ZtoThreadState (ThreadStatetoZ tds) = Some tds.
  Proof.
    destruct tds; trivial.
  Qed.

  Lemma ZtoThreadState_range:
    ∀ i tds, ZtoThreadState i = Some tds → 0 ≤ i ≤ 4.
  Proof.
    functional inversion 1; omega.
  Qed.

  Lemma ZtoThreadState_range_correct:
    ∀ i, 0≤ i ≤ 4 → ∃ tds, ZtoThreadState i = Some tds.
  Proof.
    intros.
    destruct (zeq i 0). subst; simpl; eauto.
    destruct (zeq i 1). subst; simpl; eauto.
    destruct (zeq i 2). subst; simpl; eauto.
    destruct (zeq i 3). subst; simpl; eauto.
    destruct (zeq i 4). subst; simpl; eauto.
    omega.
  Qed.

  Inductive TCB :=
  | TCBUndef
  | TCBValid (tds: ThreadState) (cpu_id: Z) (prev: Z) (next: Z).

  Remark TCB_dec: ∀ tcb tcb´: TCB, {tcb = tcb´} + {¬ tcb = tcb´}.
  Proof.
    intros.
    decide equality; try apply Z_eq_dec.
    apply ThreadState_dec.
  Qed.

  Definition TCBPool := ZMap.t TCB.

  Definition TCBCorrect (tcb: TCB) (high:Z) :=
    ∃ s cpid prev next, tcb = TCBValid s cpid prev next ∧ 0≤ prev ≤ high ∧ 0≤ next ≤ high.

  Definition TCBCorrect_range´ (tcb: TCBPool) (lo high num_proc: Z) :=
    ∀ i , lo ≤ i < high → TCBCorrect (ZMap.get i tcb) num_proc.

  Definition TCBCorrect_range (tcb: TCBPool) :=
    ∀ i , 0 ≤ i < num_proc → TCBCorrect (ZMap.get i tcb) num_proc.

  Definition TCBInit´ (tcb: TCBPool) (lo high num_proc: Z) :=
    ∀ i , lo ≤ i < high → ZMap.get i tcb = TCBValid DEAD 0 num_proc num_proc.

  Definition TCBInit (tcb: TCBPool) :=
    ∀ i , 0 ≤ i < num_proc → ZMap.get i tcb = TCBValid DEAD 0 num_proc num_proc.

  Inductive TDQueue :=
  | TDQUndef
  | TDQValid (head tail: Z).

  Definition TDQueuePool := ZMap.t TDQueue.

  Definition TDQCorrect (tdq: TDQueue) (high:Z) :=
    ∃ head tail, tdq = TDQValid head tail ∧ 0≤ head ≤ high ∧ 0≤ tail ≤ high.

  Definition TDQCorrect_range (tdq: TDQueuePool) :=
    ∀ i , 0 ≤ i < num_chan → TDQCorrect (ZMap.get i tdq) num_proc.

  Definition TDQInit (tdq: TDQueuePool) :=
    ∀ i , 0 ≤ i < num_chan → ZMap.get i tdq = TDQValid num_proc num_proc.

  Inductive AbQueue :=
  | AbQUndef
  | AbQValid (l: list Z).

  Definition AbQueuePool := ZMap.t AbQueue.

  Inductive AbTCB :=
  | AbTCBUndef
  | AbTCBValid (tds: ThreadState) (cpuid: Z) (inQ: Z).

  Definition AbTCBPool := ZMap.t AbTCB.

  Function rdy_q_id (cpu: Z): Z := READ_Q_START + cpu.
  Function msg_q_id (cpu: Z): Z := MSG_Q_START + cpu.
  Function slp_q_id (cv: Z) (curid: Z) : Z := SLEEP_Q_START + cv.

  Definition AbTCBCorrect (tcb: AbTCB):=
    ∃ s c b, tcb = AbTCBValid s c b ∧ (-1 ≤ b < TDQ_SIZE).

  Definition AbTCBStrong (tcb: AbTCB):=
    ∃ s c b, tcb = AbTCBValid s c b ∧ ((s = RUN ∨ s = DEAD) → b = -1)
                  ∧ (s = SLEEP ∨ s = PENDING → 0 ≤ b < num_proc)
                  ∧ (s = READY → b = num_proc).

  Definition AbQCorrect (tdq: AbQueue) :=
    ∃ l, tdq = AbQValid l ∧ (∀ x, In x l → 0 ≤ x < num_proc).

  Definition AbTCBInit (tcb: AbTCBPool) :=
    ∀ i , 0 ≤ i < num_proc → ZMap.get i tcb = AbTCBValid DEAD 0 (-1).

  Definition AbQInit (tdq: AbQueuePool) :=
    ∀ i , 0 ≤ i < num_chan → ZMap.get i tdq = AbQValid nil.

  Definition AbTCBCorrect_range t :=
    ∀ i, 0 ≤ i < num_proc → AbTCBCorrect (ZMap.get i t).

  Definition AbTCBStrong_range t:=
    ∀ i, 0 ≤ i < num_proc →
              AbTCBStrong (ZMap.get i t).

  Definition AbQCorrect_range q :=
    ∀ i, 0 ≤ i < num_chan → AbQCorrect (ZMap.get i q).

  Definition NotInQ c t :=
    ∀ i s j b,
      0 ≤ i < num_proc
      → cused (ZMap.get i c) = false
      → ZMap.get i t = AbTCBValid s j b
      → b = -1.

  Definition QCount t q :=
    ∀ i s c b,
      0 ≤ i < num_proc
      → ZMap.get i t = AbTCBValid s c b
      → 0 ≤ b < num_chan
      → ∃ l,
           ZMap.get b q = AbQValid l
           ∧ count_occ zeq l i = 1%nat.

  Definition InQ t q :=
    ∀ i j l,
      0 ≤ i < num_proc
      → 0 ≤ j < num_chan
      → ZMap.get j q = AbQValid l
      → In i l
      → ∃ s c, ZMap.get i t = AbTCBValid s c j.

  Definition CurIDValid j i c t :=
    cused (ZMap.get i c) = true
    ∧ (ZMap.get i t = AbTCBValid RUN j (-1)).


  Function Queue_arg (n i: Z) :=
    if zle_lt 0 n num_chan then
      if zle_lt 0 i num_proc then
        true
      else false
    else false.

  Section AbTCB_TDQ_Property.

    Lemma AbTCBInit_valid:
      ∀ tcbp,
        AbTCBInit tcbp
        → (∀ i, 0 ≤ i < num_proc →
                      AbTCBCorrect (ZMap.get i tcbp)).
    Proof.
      unfold AbTCBInit, AbTCBCorrect; intros.
      esplit; esplit; esplit. split.
      eapply H; eauto. omega.
    Qed.

    Lemma AbTCBInit_notInQ:
      ∀ tcbp,
        AbTCBInit tcbp →
        (∀ i s c b, 0 ≤ i < num_proc →
                       ZMap.get i tcbp = AbTCBValid s c b →
                       b = -1).
    Proof.
      unfold AbTCBInit; intros.
      specialize (H _ H0). rewrite H1 in H; inv H. trivial.
    Qed.

    Lemma AbTDQInit_valid:
      ∀ tdqp,
        AbQInit tdqp
        → (∀ i, 0 ≤ i < num_chan →
                      AbQCorrect (ZMap.get i tdqp)).
    Proof.
      unfold AbQInit, AbQCorrect; intros.
      esplit. split.
      eapply H; eauto. intros. inv H1.
    Qed.

  End AbTCB_TDQ_Property.

  Definition UContext := ZMap.t val.

  Definition UContextPool := ZMap.t UContext.

  Definition uctxt_inj (f:meminj) (uctxtp uctxtp´: UContextPool) :=
    ∀ i j,
      0≤ i < num_proc →
      0≤ j < UCTXT_SIZE →
      val_inject f (ZMap.get j (ZMap.get i uctxtp))
                 (ZMap.get j (ZMap.get i uctxtp´)).

  Definition uctxt_inject_neutral (up: UContextPool) (n: block) :=
    ∀ ii ii´,
      0≤ ii < num_proc →
      0≤ ii´ < UCTXT_SIZE →
      let v:= (ZMap.get ii´ (ZMap.get ii up)) in
      Val.has_type v AST.Tint
      ∧ val_inject (Mem.flat_inj n) v v.


  Function is_UCTXT_ptr (ofs : Z): bool :=
    match ofs with
      | U_EDI ⇒ false
      | U_ESI ⇒ false
      | U_EBX ⇒ false
      | U_EDX ⇒ false
      | U_ECX ⇒ false
      | U_EAX ⇒ false
      | U_ES ⇒ false
      | U_DS ⇒ false
      | U_ERR ⇒ false
      | U_TRAPNO ⇒ false
      | U_CS ⇒ false
      | U_EFLAGS ⇒ false
      | U_ESP ⇒ false
      | U_SS ⇒ false
      | _ ⇒ true
    end.

  Lemma is_UCTXT_ptr_range:
    ∀ i, is_UCTXT_ptr i = false → 0≤ i < UCTXT_SIZE.
  Proof.
    intros.
    functional inversion H; omega.
  Qed.

  Function UCtxt_Reg (r: preg) : bool :=
    match r with
      | IR _ ⇒ true
      | RA ⇒ true
      | _ ⇒ false
    end.

  Inductive SyncChannel :=
  | SyncChanUndef
  | SyncChanValid (to senderpaddr count busy: int).

  Definition SyncChanPool := ZMap.t SyncChannel.

  Definition SyncChannel_Valid (ch: SyncChannel) :=
    ∃ t p c b, ch = SyncChanValid t p c b.

  Definition SyncChanPool_Valid (chp: SyncChanPool) :=
    ∀ i, 0 ≤ i < num_chan → SyncChannel_Valid (ZMap.get i chp).

  Definition SyncChannel_Init (ch: SyncChannel) :=
    ch = SyncChanValid (Int.repr num_chan) Int.zero Int.zero Int.zero.

  Definition SyncChanPool_Init (chp: SyncChanPool) :=
    ∀ i, 0 ≤ i < num_chan → SyncChannel_Init (ZMap.get i chp).

  Lemma SyncChannel_Init_Correct:
    ∀ chp,
      SyncChanPool_Init chp → SyncChanPool_Valid chp.
  Proof.
    unfold SyncChanPool_Init, SyncChanPool_Valid.
    unfold SyncChannel_Init, SyncChannel_Valid.
    intros. erewrite H; eauto.
  Qed.


  Inductive SharedMemInfo :=
  | SHRDREADY | SHRDPEND | SHRDDEAD.

  Remark SharedMemInfo_dec:
    ∀ x y: SharedMemInfo,
      {x = y} + {x ≠ y}.
  Proof.
    intros. repeat progress (decide equality).
  Qed.

  Inductive SharedMemState :=
  | SHRDValid (info: SharedMemInfo) (seen: bool) (vadr: Z)
  | SHRDUndef.

  Definition SharedMemSTPool :=
    ZMap.t (ZMap.t SharedMemState).

  Function SharedMemInfo2Z (i: SharedMemInfo) :=
    match i with
      | SHRDREADY ⇒ SHARED_MEM_READY
      | SHRDPEND ⇒ SHARED_MEM_PEND
      | SHRDDEAD ⇒ SHARED_MEM_DEAD
    end.

  Function Z2SharedMemInfo (i: Z) :=
    match i with
      | SHARED_MEM_READY ⇒ Some SHRDREADY
      | SHARED_MEM_PEND ⇒ Some SHRDPEND
      | SHARED_MEM_DEAD ⇒ Some SHRDDEAD
      | _ ⇒ None
    end.

  Lemma Z2SharedMemInfo_correct:
    ∀ st i,
      Z2SharedMemInfo st = Some i →
      SharedMemInfo2Z i = st.
  Proof.
    functional inversion 1; reflexivity.
  Qed.

  Lemma SharedMemInfo2Z_correct:
    ∀ st i,
      SharedMemInfo2Z i = st →
      Z2SharedMemInfo st = Some i.
  Proof.
    functional inversion 1; reflexivity.
  Qed.

  Lemma SharedMemInfo2Z_range:
    ∀ st i,
      SharedMemInfo2Z i = st →
      SHARED_MEM_READY ≤ st ≤ SHARED_MEM_DEAD.
  Proof.
    functional inversion 1; omega.
  Qed.

  Definition SharedMemST_Valid (st: SharedMemState) :=
    ∃ i s vadr, st = SHRDValid i s vadr.

  Definition SharedMemSTPool_Init (smsp: SharedMemSTPool) :=
    ∀ i,
      0 ≤ i < num_proc →
      ∀ j, 0 ≤ j < num_proc →
                SharedMemST_Valid (ZMap.get j (ZMap.get i smsp)).

End ProcessManagement.

Section VirtManagement.

  Inductive NPTPerm :=
  | ALL_PERM.

  Definition NPTPerm2Z (perm : NPTPerm) : Z :=
    match perm with
      | ALL_PERM ⇒ 39
    end.

  Inductive NPTE:=
  | NPTEValid (hpa: Z)
  | NPTEUndef.

  Definition NPTab := ZMap.t NPTE.

  Inductive NPDE :=
  | NPDEValid (nptab : NPTab)
  | NPDEUndef.

  Definition NPT := ZMap.t NPDE.

  Definition NPDE_valid (npt: NPT) (i:Z) :=
    ∃ npte, ZMap.get (PDX i) npt = NPDEValid npte.


  Definition NPT_valid (npt: NPT) (lo high: Z):=
    ∀ i , lo ≤ i < high → NPDE_valid npt i.


  Definition PregtoZ_Host (r: preg) : option Z :=
    match r with
      | ECX ⇒ Some 0
      | EDI ⇒ Some 1
      | ESI ⇒ Some 2
      | EBX ⇒ Some 3
      | EBP ⇒ Some 4
      | EDX ⇒ Some 5
      | ESP ⇒ Some 6
      | RA ⇒ Some 7
      | _ ⇒ None
    end.

  Function ZtoPreg_Host (i: Z) : option preg :=
    match i with
      | 0 ⇒ Some (IR ECX)
      | 1 ⇒ Some (IR EDI)
      | 2 ⇒ Some (IR ESI)
      | 3 ⇒ Some (IR EBX)
      | 4 ⇒ Some (IR EBP)
      | 5 ⇒ Some (IR EDX)
      | 6 ⇒ Some (IR ESP)
      | 7 ⇒ Some RA
      | _ ⇒ None
    end.

  Lemma PregToZ_Host_correct:
    ∀ r i, PregtoZ_Host r = Some i → ZtoPreg_Host i = Some r.
  Proof.
    intros. destruct r; inv H.
    destruct i0; inv H1; reflexivity.
    reflexivity.
  Qed.

  Lemma ZtoPreg_Host_correct:
    ∀ r i, ZtoPreg_Host i = Some r → PregtoZ_Host r = Some i.
  Proof.
    intros. functional inversion H; reflexivity.
  Qed.

  Lemma ZtoPreg_Host_range:
    ∀ n r,
      ZtoPreg_Host n = Some r → 0≤ n ≤ 7.
  Proof.
    intros. functional inversion H; omega.
  Qed.

  Lemma ZtoPreg_range_Host_correct:
    ∀ n,
      0≤ n ≤ 7 → ∃ r, ZtoPreg_Host n = Some r.
  Proof.
    intros.
    destruct (zeq n 0); subst. simpl; eauto.
    destruct (zeq n 1); subst. simpl; eauto.
    destruct (zeq n 2); subst. simpl; eauto.
    destruct (zeq n 3); subst. simpl; eauto.
    destruct (zeq n 4); subst. simpl; eauto.
    destruct (zeq n 5); subst. simpl; eauto.
    destruct (zeq n 6); subst. simpl; eauto.
    destruct (zeq n 7); subst. simpl; eauto.
    omega.
  Qed.

  Lemma ZtoPreg_Host_type:
    ∀ n r,
      ZtoPreg_Host n = Some r →
      typ_of_preg r = Tint.
  Proof.
    intros. functional inversion H; reflexivity.
  Qed.

  Definition hctx_inj (f:meminj)(hctxt hctxt´: regset) :=
    ∀ i r,
      ZtoPreg_Host i = Some r
      → val_inject f (Pregmap.get r hctxt) (Pregmap.get r hctxt´).

  Definition addr_valid (addr : Z) :=
    if zle_le 0 addr (Int.max_unsigned + 1 - PgSize) then
      if Zdivide_dec PgSize addr HPS then
        true
      else
        false
    else
      false.

  Function is_VMCB_Z_ofs (v:Z) : bool :=
    if zle_lt 0 v 16 then
      true
    else
      if zle_lt 18 v 44 then
        true
      else
        if zle_lt 46 v 338 then
          true
        else
          if zle_lt 344 v 348 then
            true
          else
            if zle_lt 352 v 374 then
              true
            else
              if zle_lt 376 v 382 then
                true
              else
                if zle_lt 384 v 400 then
                  true
                else
                  if zle_lt 402 v 1024 then
                    true
                  else
                    false.

  Lemma VMCB_Z_ofs_range:
    ∀ v, is_VMCB_Z_ofs v = true → 0 ≤ v ≤ 1023.
  Proof.
    intros.
    functional inversion H; omega.
  Qed.

  Function is_VMCB_V_ofs (v:Z) : bool :=
    match v with
      | VMCB_V_CR4_LO_OFFSET ⇒ true
      | VMCB_V_CR3_LO_OFFSET ⇒ true
      | VMCB_V_CR0_LO_OFFSET ⇒ true
      | VMCB_V_RFLAGS_LO_OFFSET ⇒ true
      | VMCB_V_RIP_LO_OFFSET ⇒ true
      | VMCB_V_RSP_LO_OFFSET ⇒ true
      | VMCB_V_RAX_LO_OFFSET ⇒ true
      | VMCB_V_CR2_LO_OFFSET ⇒ true
      | _ ⇒ false
    end.

  Lemma VMCB_V_ofs_range:
    ∀ v, is_VMCB_V_ofs v = true → VMCB_V_CR4_LO_OFFSET ≤ v ≤ VMCB_V_CR2_LO_OFFSET.
  Proof.
    intros.
    functional inversion H; omega.
  Qed.

  Lemma VMCB_V_ofs_correct:
    ∀ v, is_VMCB_V_ofs v = true → is_VMCB_Z_ofs v = false.
  Proof.
    intros.
    functional inversion H; trivial.
  Qed.

  Lemma VMCB_Z_ofs_correct:
    ∀ v, is_VMCB_Z_ofs v = true → is_VMCB_V_ofs v = false.
  Proof.
    intros.
    functional induction (is_VMCB_V_ofs v); trivial; inv H.
  Qed.

  Inductive valid_val: val → Prop :=
  | valid_val_int: ∀ n, valid_val (Vint n)
  | valid_val_vptr: ∀ b ofs, valid_val (Vptr b ofs)
  | valid_val_undef: valid_val Vundef.

  Definition VMCB_Val := ZMap.t val.

  Inductive VMCB_Entry_Z :=
  | VMCBEntryZValid (v : Z)
  | VMCBEntryZUndef.

  Definition VMCB_Z := ZMap.t VMCB_Entry_Z.

  Definition VMCB_Entry_Z_Valid (vmcb_z : VMCB_Z) (ofs : Z) : Prop :=
    ∃ v, ZMap.get ofs vmcb_z = VMCBEntryZValid v ∧ 0 ≤ v ≤ Int.max_unsigned.


  Definition VMCB_Z_Range_Valid (vmcb_z : VMCB_Z) (lo high: Z):=
    ∀ i , lo ≤ i < high → VMCB_Entry_Z_Valid vmcb_z i.


  Definition VMCB_Z_Valid (vmcb_z : VMCB_Z) :=
    ∀ ofs, is_VMCB_Z_ofs ofs = true → VMCB_Entry_Z_Valid vmcb_z ofs.

  Ltac simpl_if :=
    repeat match goal with
             | [ |- context [if ?a then _ else _]] ⇒ destruct a
           end; trivial; try omega.


  Definition XVMState := ZMap.t val.

  Definition bit_not (n : Z) : Z := Z.lxor n (Int.unsigned Int.mone).

  Lemma Z_lxor_range :
    ∀ x y,
      0 ≤ x ≤ Int.max_unsigned → 0 ≤ y ≤ Int.max_unsigned →
      0 ≤ Z.lxor x y ≤ Int.max_unsigned.
  Proof.
    unfold Int.max_unsigned. simpl.
    intros.
    split.
    rewrite Z.lxor_nonneg.
    split; omega.
    assert(Z.lxor x y < 4294967296).
    apply Z.log2_lt_cancel.
    assert(Z.log2 (Z.lxor x y) ≤ Z.max (Z.log2 x) (Z.log2 y)).
    apply Z.log2_lxor.
    omega.
    omega.
    apply Z.le_lt_trans with (m := Z.max (Z.log2 x) (Z.log2 y)); auto.
    rewrite Zmax_spec in ×.
    destruct (zlt (Z.log2 y) (Z.log2 x)).
    assert(Z.log2 x ≤ Z.log2 4294967295).
    apply Z.log2_le_mono.
    omega.
    simpl in ×.
    omega.
    assert(Z.log2 y ≤ Z.log2 4294967295).
    apply Z.log2_le_mono.
    omega.
    simpl in ×.
    omega.
    omega.
  Qed.

  Lemma bit_not_range :
    ∀ n,
      0 ≤ n ≤ Int.max_unsigned →
      0 ≤ bit_not n ≤ Int.max_unsigned.
  Proof.
    unfold bit_not. intros.
    apply Z_lxor_range; auto.
    unfold Int.mone.
    destruct (Int.repr (-1)).
    simpl.
    unfold Int.max_unsigned in ×.
    omega.
  Qed.