Library mcertikos.multithread.lowrefins.E2PBThreadGenLemmaPTRESV

Require Import Coqlib.
Require Import Maps.
Require Import ASTExtra.
Require Import Integers.
Require Import Floats.
Require Import Values.
Require Import Memory.
Require Import Events.
Require Import Stacklayout.
Require Import Globalenvs.
Require Import AsmX.
Require Import Smallstep.
Require Import AuxStateDataType.
Require Import Constant.
Require Import GlobIdent.
Require Import FlatMemory.
Require Import CommonTactic.
Require Import AuxLemma.
Require Import RealParams.
Require Import PrimSemantics.
Require Import LAsm.
Require Import LoadStoreSem3.
Require Import XOmega.

Require Import liblayers.logic.PTreeModules.
Require Import liblayers.logic.LayerLogicImpl.
Require Import liblayers.compat.CompatLayers.
Require Import liblayers.compat.CompatGenSem.
Require Import I64Layer.

Require Import AlgebraicMem.

Require Import Decision.
Require Import FutureTactic.

Require Import GlobalOracleProp.
Require Import AbstractDataType.
Require Import DeviceStateDataType.
Require Import SingleConfiguration.
Require Import ObjPHBFlatMem.
Require Import PHBThread.
Require Import AsmE2L.

Require Import AuxSingleAbstractDataType.
Require Import SingleOracleImpl.
Require Import E2PBThreadComposeData.
Require Import LoadStoreSemPHB.
Require Import ObjPHBThreadDEV.
Require Import ObjPHBThreadINTELVIRT.
Require Import ObjPHBThreadIPC.
Require Import ObjPHBThreadReplayFunction.
Require Import ObjPHBThreadSCHED.
Require Import ObjPHBThreadVMM.
Require Import ObjInterruptManagement.
Require Import ObjConsole.
Require Import ObjInterruptController.
Require Import ObjSerialDevice.
Require Import OracleInstances.
Require Import ObjVMMFun.
Require Import ObjVMMGetSet.
Require Import ObjVMMDef.
Require Import ObjCV.
Require Import ObjCPU.
Require Import ObjVMX.
Require Import ObjVMCS.
Require Import ObjProc.
Require Import ObjBigThread.
Require Import ObjContainer.
Require Import ObjMultiprocessor.
Require Import ObjThread.
Require Import BigLogThreadConfigFunction.
Require Import BigLogThreadConfigFunctionProp.

Require Import StencilImpl.

Require Import E2PBThreadGenDef.

Opaque full_thread_list.

Section E2PBTHREADGENLEMMAPTRESVFILE.

  Context `{real_params : RealParams}.
  Context `{multi_oracle_prop: MultiOracleProp}.

  Context `{Hmem: Mem.MemoryModelX}.
  Context `{Hmwd: UseMemWithData mem}.

  Context `{s_oracle_ops : SingleOracleOps}.
  Context `{s_threads_ops: ThreadsConfigurationOps}.

  Local Instance s_oracle_prf : SingleOracle := SingleOracleImpl.s_oracle_prf.

  Context `{s_threads_prf: !ThreadsConfiguration (s_oracle := s_oracle_prf)}.
  Context `{s_oracle_basic_prop_prf: !SingleOracleBasicProp (single_oracle_prf := s_oracle_prf)
                                      (s_threads_ops := s_threads_ops)}.

  Local Instance s_oracle_prop_prf : SingleOracleProp := SingleOracleImpl.s_oracle_prop_prf.

  Context `{Hstencil : Stencil (stencil := stencil)}.

  Local Instance s_config : SingleConfiguration mem := s_config.

  Context `{s_oracle_basic_link_prop_prf: !SingleOracleBasicLinkProp (single_oracle_prf := s_oracle_prf)
                                           (s_threads_ops := s_threads_ops)}.

  Local Instance s_oracle_link_prop_prf : SingleOracleLinkProp := SingleOracleImpl.s_oracle_link_prop_prf.

  Local Instance s_link_config : SingleLinkConfiguration mem := s_link_config.

  Context `{acc_def: !AccessorsDefined (mem := mem) (stencil := stencil) (stencil_ops := stencil_ops)
                      (memory_model_ops := memory_model_ops)
                      (phbthread (s_config := s_config) ⊕ L64)}.

  Context `{e2pbthread_gen_prop: !E2PBThreadGenProp s_oracle_prf}.

  Opaque PDX Zdivide_dec zle Z.mul Z.add Z.sub Z.div.
  Opaque CalRealPT.real_pt CalRealProcModule.real_syncchpool.
  Opaque compatlayer_ops.
  Opaque update.
  Opaque uRData.
  Opaque proc_id.

  Lemma HGetUsedpreserve:
    ∀ i j res (bl : BigLog) l,
      valid_big_oracle (big_oracle (update init_shared_adt l)) →
      big_log (update init_shared_adt l) = BigDef bl →
      B_GetContainerUsed i (CPU_ID (update init_shared_adt l))
                         ((TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE j res)))
                            :: big_oracle (update init_shared_adt l)
                            (CPU_ID (update init_shared_adt l)) bl ++ bl) =
      B_GetContainerUsed i (CPU_ID (update init_shared_adt l)) bl.
  Proof.
    intros.
    generalize (single_big_oracle_query_preserves_cused i (update init_shared_adt l) bl (CPU_ID (update init_shared_adt l))
                                                        H); intros.
    unfold B_GetContainerUsed in *; simpl; auto.
  Qed.

  Lemma HGetUsedpreserve_double:
    ∀ i j k res res´ (bl : BigLog) l,
      valid_big_oracle (big_oracle (update init_shared_adt l)) →
      big_log (update init_shared_adt l) = BigDef bl →
      B_GetContainerUsed i (CPU_ID (update init_shared_adt l))
                         ((TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE k res´)))
                            :: (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l))
                                           ((TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE j res)))
                                              :: big_oracle (update init_shared_adt l)
                                              (CPU_ID (update init_shared_adt l)) bl ++ bl)
                                           ++ ((TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE j res)))
                                                 :: big_oracle (update init_shared_adt l)
                                                 (CPU_ID (update init_shared_adt l)) bl ++ bl))) =
      B_GetContainerUsed i (CPU_ID (update init_shared_adt l)) bl.
  Proof.
    intros.
    generalize (HGetUsedpreserve i j res bl l H H0).
    intros.
    rewrite <- H1.
    set (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE j res)) :: big_oracle (update init_shared_adt l)
                 (CPU_ID (update init_shared_adt l)) bl ++ bl).
    clear H1.
    generalize (single_big_oracle_query_preserves_cused i (update init_shared_adt l) l0 (CPU_ID (update init_shared_adt l))
                                                        H); intros.
    rewrite H1; auto.
  Qed.

  Lemma big_ptResv_related_first_fail:
    ∀ (kctxt_pool : KContextPool) (l : Log) ( dp : ZMap.t (option privData)) (a : RData)
           (n : int) (vadr : int) (perm : int) (d : privData)
           (d´ : privData) (ds´ : sharedData) (res : Z)
           (p : PData × Z) (p0 : PData) (z : Z)
           (Hdestruct1 : p = (p0, z))
           (in_event : has_event pt_resv = true)
           (prim_num : prim_id_num pt_resv = 2)
           (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
           (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
           (e : Int.unsigned n =
                ZMap.get (CPU_ID (fst (update init_shared_adt l, d))) (cid (fst (update init_shared_adt l, d))))
           (Hdestruct : zeq (Int.unsigned n)
                            (ZMap.get (CPU_ID (fst (update init_shared_adt l, d)))
                                      (cid (fst (update init_shared_adt l, d)))) =
                        left e)
           (Hdestruct0 : single_big_palloc_spec (Int.unsigned n) (update init_shared_adt l, d) = Some (p0, z))
           (e0 : z = 0)
           (Hdestruct2 : zeq z 0 = left e0)
           (H1 : Some (p0, MagicNumber) = Some (ds´, d´, res))
           (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
           (HGetUsed´ : B_GetContainerUsed´
                          (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                          (CPU_ID (update init_shared_adt l))
                          (big_log (update init_shared_adt l)) = true)
           (Hcused : cused
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                 (AbstractDataType.AC a)) = true)
           (HAC_eq : AC d =
                     ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (AbstractDataType.AC a))
           (Hper_data_rel : relate_RData_per_pd
                              (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                        kctxt_pool) (update init_shared_adt l) d a),
   ∃ (a´ : RData) (res´ : Z),
     match big_palloc_spec (Int.unsigned n) a with
     | Some (abd´, b) ⇒
       if zeq b 0
       then Some (abd´, MagicNumber)
       else big_ptInsert_spec (Int.unsigned n) (Int.unsigned vadr) b (Int.unsigned perm) abd´
     | None ⇒ None
     end = Some (a´, res´) ∧
     relate_RData kctxt_pool
                  (update init_shared_adt
                          (LEvent (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                  (LogPrim pt_resv (Lint n :: Lint vadr :: Lint perm :: nil)
                                           (single_big_ptResv_spec_test (Int.unsigned n)
                                                                        (Int.unsigned vadr) (Int.unsigned perm)
                                                                        (update init_shared_adt l, d)) (snap_func d)) :: l))
                  (ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (Some d´) dp)
                  a´ ∧
     kctxt a = kctxt a´ ∧
     ds´ =
     update init_shared_adt
            (LEvent (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
          (LogPrim pt_resv (Lint n :: Lint vadr :: Lint perm :: nil)
                   (single_big_ptResv_spec_test (Int.unsigned n)
                                                (Int.unsigned vadr) (Int.unsigned perm)
                                                (update init_shared_adt l, d)) (snap_func d)) :: l) ∧
     res = res´ ∧
     ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a) =
     ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
  Proof.
    intros.
    Transparent uRData proc_id update.
    simpl.
    rewrite prim_num.
    inv H1.
    unfold single_big_palloc_spec in Hdestruct0.
    unfold single_big_palloc_spec_share in Hdestruct0.
    subdestruct.
    +
      subst; simpl in ×.
      inv Hdestruct0.
      generalize dependent a1; clear.
      intros; omega.
    + inv Hdestruct0.
      elim n0; reflexivity.
    + inv Hper_data_rel; simpl in *; rewrite zeq_true in ×.
      rewrite Hdestruct8 in ×.
      inv Hdestruct0.
      unfold single_big_palloc_spec_share, single_big_ptResv_spec_test, single_big_palloc_spec, single_big_palloc_spec_share.
      simpl in ×.
      rewrite Hdestruct9, Hdestruct10, Hdestruct11, Hdestruct12, Hdestruct13, Hdestruct14.
      unfold single_big_palloc_spec_test.
      simpl.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct6, Hdestruct7, Hdestruct8, Hdestruct11, Hdestruct12.
      repeat (rewrite zeq_true; auto).
      rewrite e.
      repeat (rewrite zeq_true; auto).
      unfold big_palloc_spec.
      rewrite Hcused.
      rewritesb.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct7, Hdestruct9, Hdestruct11, Hdestruct10, Hdestruct13, Hdestruct14.
      rewrite zeq_true.
      refine_split; simpl; auto.
      × constructor; simpl; auto.
        { rewrite Hdestruct8; auto. }
        { inv H; auto. }
        { inv H; auto. }
        { rewrite e.
          rewrite CPU_ID_re.
          rewrite <- cid_re.
          rewrite <- CPU_ID_re; auto. }
        { intros.
          exploit (HGetUsedpreserve i (Int.unsigned n) 0 l0); eauto.
          { inv H; inv sh_shared_inv_re; auto. }
          intros HGUsed.
          rewrite e in HGUsed.
          case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
          inv H; simpl in ×.
          - rewrite e.
            rewrite ZMap.gss.
            rewrite H0; simpl.
            per_data_auto_simpl; try (rewrite zeq_true; auto); try rewrite Hdestruct8.
            + intros.
              rewrite CPU_ID_re.
              rewrite <- cid_re.
              rewrite <- CPU_ID_re; auto.
            + unfold relate_AC_per_pd in *; simpl.
              rewrite Hdestruct8.
              rewrite HGUsed.
              rewrite HGetUsed´.
              rewrite HAC_eq.
              destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l))
                                      (cid (update init_shared_adt l))) main_thread); auto.
              destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l))
                                           (cid (update init_shared_adt l))) 1024); auto.
            + auto.
            + auto.
            + auto.
            + unfold relate_SyncChanPool_per_pd in syncchpool_re; unfold relate_SyncChanPool_per_pd; simpl; auto.
              rewrite Hdestruct8.
              rewrite zeq_true; auto.
            + unfold relate_uctxt_per_pd in *; simpl.
              rewrite Hdestruct8 in ×.
              rewrite HGUsed.
              unfold B_GetContainerUsed´ in uctxt_re.
              rewrite Hdestruct11 in uctxt_re.
              rewrite HGetUsed´ in ×.
              auto.
            + auto.
            + auto.
            + auto.
            + inv inv_re; constructor; simpl; auto.
          - repeat match goal with
                   | [H: context[if _ then _ else _] |- _] ⇒ clear H
                   end.
            rewrite ZMap.gso; [ | rewrite e; auto].
            inv H.
            generalize (per_data_re i); intros; subdestruct; auto.
            inv H; per_data_auto.
            + intros.
              rewrite e.
              rewrite CPU_ID_re.
              rewrite <- cid_re.
              rewrite <- CPU_ID_re; auto.
            + unfold relate_AC_per_pd in *; simpl.
              rewrite Hdestruct0 in AC_re0; rewrite Hdestruct0.
              unfold B_GetContainerUsed´ in AC_re0.
              rewrite Hdestruct11 in AC_re0.
              rewrite e.
              rewrite HGUsed.
              auto.
            + auto.
            + rewrite Hdestruct0 in PT_re0; rewrite Hdestruct0; auto.
            + unfold relate_SyncChanPool_per_pd; simpl.
              rewrite Hdestruct0.
              rewrite zeq_true; auto.
            + unfold relate_uctxt_per_pd in *; simpl.
              rewrite Hdestruct0 in ×.
              rewrite e.
              rewrite HGUsed.
              unfold B_GetContainerUsed´ in uctxt_re0.
              rewrite Hdestruct11 in uctxt_re0.
              auto.
            + simpl; auto.
            + inv inv_re0; constructor; simpl; auto.
            + constructor. }
        { inv H.
          inv sh_shared_inv_re.
          constructor; simpl; auto.
          - rewrite Hdestruct8; intro contra; inv contra.
          - rewrite zeq_true.
            intros.
            unfold B_inLock in syncchpool_inv.
            rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
            apply syncchpool_inv in H.
            rewrite <- H.
            symmetry.
            apply single_big_oracle_query_preserves_B_GetlastPush_aux; auto.
          - intros.
            apply container_used_inv in H.
            unfold B_GetContainerUsed´ in H.
            rewrite Hdestruct11 in H.
            rewrite <- H.
            eapply HGetUsedpreserve; auto.
          - intros.
            apply uctxt_used_inv.
            unfold B_GetContainerUsed´.
            rewrite Hdestruct11.
            rewrite <- H.
            symmetry.
            eapply HGetUsedpreserve; auto.
          - unfold valid_AT_log_type_B.
            intros; inv Hdef.
            unfold valid_AT_log_B.
            revert Hdestruct13.
            unfold B_CalAT_log_real; simpl.
            intros.
            rewrite Hdestruct13.
            esplit; auto.
          - unfold valid_TCB_log_type_B.
            intros ? Hdef.
            inv Hdef.
            destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
            unfold valid_TCB_oracle_B in Htemp2.
            generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
            generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
            unfold valid_TCB_log_B in ×.
            revert Hvalid_oracle_log.
            unfold B_CalTCB_log_real.
            unfold B_CalTCB_log.
            simpl.
            clear.
            intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
            subdestruct.
            inv H.
            esplit; auto.
          - intros.
            inv H1.
            destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
            unfold valid_AT_oracle_B in Htemp3.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
            generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
              intros Hvalid_AT_oracle_res.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            unfold valid_AT_log_B in valid_AT_log_inv.
            destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
            eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
            unfold B_CalAT_log_real in Hvalid_AT_log, H2.
            simpl in H2.
            case_eq (B_CalAT_log (big_oracle (update init_shared_adt l)
                                             (CPU_ID (update init_shared_adt l)) l0 ++ l0)
                                 (real_AT (ZMap.init ATUndef))); intros.
            rewrite H1 in H2.
            inv H2.
            eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H1 i H); eauto.
            rewrite H1 in H2.
            inv H2.
            rewrite <- big_log_re; auto. }
        { inv H.
          inv sh_mem_inv_re.
          constructor; simpl; auto.
          intros.
          case_eq (zeq i (Int.unsigned n)); intros; subst.
          { rewrite ZMap.gss in H1.
            inv H1; subst; simpl.
            case_eq (zeq j (Int.unsigned n)); intros; subst.
            { intros; subst; simpl.
              rewrite ZMap.gss in H2.
              inv H2; simpl.
              elim H; reflexivity. }
            { intros; rewrite ZMap.gso in H2; auto.
              eapply pperm_disjoint in H; eauto. } }
          { rewrite ZMap.gso in H1; eauto.
            case_eq (zeq j (Int.unsigned n)); intros; subst.
            { intros; subst; simpl.
              rewrite ZMap.gss in H2.
              inv H2; simpl.
              eapply pperm_disjoint in H; eauto. }
            { intros; rewrite ZMap.gso in H2; auto.
              eapply pperm_disjoint in H; eauto. } } }
      × simpl; rewrite CPU_ID_re; auto.
    + inv Hper_data_rel; simpl in *; rewrite zeq_true in ×.
      unfold single_big_palloc_spec_share, single_big_ptResv_spec_test, single_big_palloc_spec, single_big_palloc_spec_share.
      simpl in *; rewrite Hdestruct1, Hdestruct3, Hdestruct4, Hdestruct5.
      inv Hdestruct0.
      repeat (rewrite zeq_true).
      unfold single_big_palloc_spec_test.
      simpl; rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct7, Hdestruct11, HGetUsed´, Hdestruct8, Hdestruct9, Hdestruct10.
      rewrite zeq_true.
      unfold big_palloc_spec.
      rewrite e.
      rewrite Hcused.
      rewritesb.
      simpl; rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct7, Hdestruct11, Hdestruct9, Hdestruct10.
      rewrite zeq_true.
      esplit; esplit.
      refine_split; simpl; auto.
      × inv H; constructor; simpl; auto.
        { intros.
          rewrite e.
          rewrite Hdestruct8 in cid_re.
          rewrite CPU_ID_re.
          rewrite <- cid_re.
          rewrite <- CPU_ID_re; auto. }
        { intros.
          exploit (HGetUsedpreserve i (Int.unsigned n) 0 l0); eauto.
          { inv sh_shared_inv_re; auto. }
          rewrite e.
          intros HGUsed.
          case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
          inv H; simpl in ×.
          - rewrite ZMap.gss.
            rewrite H0.
            per_data_auto_simpl; try (rewrite zeq_true; auto); try rewrite Hdestruct9.
            + intros.
              rewrite Hdestruct8 in cid_re.
              rewrite CPU_ID_re.
              rewrite <- cid_re.
              rewrite <- CPU_ID_re; auto.
            + unfold relate_AC_per_pd in *; simpl.
              rewrite Hdestruct8.
              rewrite HGUsed.
              rewrite HGetUsed´.
              rewrite <- HAC_eq.
              destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) main_thread);
                auto.
              destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) 1024);
                auto.
            + auto.
            + rewrite Hdestruct8 in ptp_re; rewrite Hdestruct8.
              auto.
            + unfold relate_SyncChanPool_per_pd in syncchpool_re; unfold relate_SyncChanPool_per_pd; simpl.
              rewrite Hdestruct8; auto.
              rewrite zeq_true; auto.
            + unfold relate_uctxt_per_pd in *; simpl.
              rewrite Hdestruct8; rewrite Hdestruct8 in uctxt_re.
              rewrite HGUsed.
              unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
              rewrite HGetUsed´ in uctxt_re; rewrite HGetUsed´.
              auto.
            + auto.
            + auto.
            + auto.
            + inv inv_re; constructor; simpl; auto.
          - repeat match goal with
                   | [H: context[if _ then _ else _] |- _] ⇒ clear H
                   end.
            rewrite ZMap.gso; auto.
            generalize (per_data_re i); intros; subdestruct; auto.
            inv H1; per_data_auto.
            + intros.
              rewrite Hdestruct8 in cid_re.
              rewrite CPU_ID_re.
              rewrite <- cid_re.
              rewrite <- CPU_ID_re; auto.
            + unfold relate_AC_per_pd in *; simpl.
              rewrite Hdestruct8 in AC_re0; rewrite Hdestruct8.
              unfold B_GetContainerUsed´ in AC_re0.
              rewrite Hdestruct11 in AC_re0.
              rewrite HGUsed.
              auto.
            + auto.
            + rewrite Hdestruct8 in PT_re; rewrite Hdestruct8; auto.
            + unfold relate_SyncChanPool_per_pd; simpl.
              rewrite Hdestruct8.
              rewrite zeq_true; auto.
            + unfold relate_uctxt_per_pd in *; simpl.
              rewrite Hdestruct8 in ×.
              rewrite HGUsed.
              unfold B_GetContainerUsed´ in uctxt_re0.
              rewrite Hdestruct11 in uctxt_re0.
              auto.
            + simpl; auto.
            + inv inv_re0; constructor; simpl; auto.
            + constructor. }
        { inv sh_shared_inv_re.
          constructor; simpl; auto.
          - rewrite Hdestruct8; intro contra; inv contra.
          - rewrite zeq_true.
            intros.
            unfold B_inLock in syncchpool_inv.
            rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
            apply syncchpool_inv in H.
            rewrite <- H.
            symmetry.
            apply single_big_oracle_query_preserves_B_GetlastPush_aux; auto.
          - intros.
            apply container_used_inv in H.
            unfold B_GetContainerUsed´ in H.
            rewrite Hdestruct11 in H.
            rewrite <- H.
            eapply HGetUsedpreserve; auto.
          - intros.
            apply uctxt_used_inv.
            unfold B_GetContainerUsed´.
            rewrite Hdestruct11.
            rewrite <- H.
            symmetry.
            eapply HGetUsedpreserve; auto.
          - unfold valid_AT_log_type_B.
            intros.
            inv Hdef.
            unfold valid_AT_log_B.
            unfold B_CalAT_log_real.
            simpl.
            destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
            unfold valid_AT_oracle_B in Htemp3.
            generalize (valid_AT_log_inv _ Hdestruct11); intros Hvalid_log.
            generalize (Htemp3 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
            unfold valid_AT_log_B in ×.
            destruct Hvalid_oracle_log as (? & Hvalid_oracle_log).
            unfold B_CalAT_log_real in Hvalid_oracle_log; simpl.
            rewrite Hvalid_oracle_log; auto.
            esplit; auto.
          - unfold valid_TCB_log_type_B.
            intros ? Hdef.
            inv Hdef.
            destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
            unfold valid_TCB_oracle_B in Htemp2.
            generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
            generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
            unfold valid_TCB_log_B in ×.
            revert Hvalid_oracle_log.
            unfold B_CalTCB_log_real.
            unfold B_CalTCB_log.
            simpl.
            clear.
            intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
            subdestruct.
            inv H.
            esplit; auto.
          - intros.
            inv H1.
            destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
            unfold valid_AT_oracle_B in Htemp3.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
            generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
              intros Hvalid_AT_oracle_res.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            unfold valid_AT_log_B in valid_AT_log_inv.
            destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
            eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
            unfold B_CalAT_log_real in Hvalid_AT_log, H2.
            simpl in H2.
            case_eq (B_CalAT_log (big_oracle (update init_shared_adt l)
                                             (CPU_ID (update init_shared_adt l)) l0 ++ l0)
                                 (real_AT (ZMap.init ATUndef))); intros.
            rewrite H1 in H2.
            inv H2.
            eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H1 i H); eauto.
            rewrite H1 in H2.
            inv H2.
            rewrite <- big_log_re; auto. }
        { inv sh_mem_inv_re.
          constructor; simpl; auto.
          intros.
          case_eq (zeq i (Int.unsigned n)); intros; subst.
          { rewrite ZMap.gss in H1.
            inv H1; subst; simpl.
            case_eq (zeq j (Int.unsigned n)); intros; subst.
            { intros; subst; simpl.
              rewrite ZMap.gss in H2.
              inv H2; simpl.
              elim H; reflexivity. }
            { intros; rewrite ZMap.gso in H2; auto.
              eapply pperm_disjoint in H; eauto. } }
          { rewrite ZMap.gso in H1; eauto.
            case_eq (zeq j (Int.unsigned n)); intros; subst.
            { intros; subst; simpl.
              rewrite ZMap.gss in H2.
              inv H2; simpl.
              eapply pperm_disjoint in H; eauto. }
            { intros; rewrite ZMap.gso in H2; auto.
              eapply pperm_disjoint in H; eauto. } } }
      × simpl; rewrite CPU_ID_re; auto.
  Qed.

  Lemma big_ptResv_related_PTEUnPreSent:
    ∀ (l : Log) (dp : ZMap.t (option privData)) (a : RData)
           (n : int) (vadr : int) (perm : int) (d : privData) (d´ : privData) (ds´ : sharedData)
           (kctxt_pool : KContextPool) (z : Z) (l0 : BigLog)
           (in_event : has_event pt_resv = true)
           (prim_num : prim_id_num pt_resv = 2)
           (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
           (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
           (e : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (e0 : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (Hdestruct1 : zeq (Int.unsigned n)
                             (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
                         left e0)
           (Hdestruct : True)
           (Hdestruct3 : ikern d = true)
           (Hdestruct4 : ihost d = true)
           (Hdestruct5 : ipt d = true)
           (Hdestruct11 : big_log (update init_shared_adt l) = BigDef l0)
           (Hdestruct6 : B_inLock_aux (CPU_ID (update init_shared_adt l)) l0 = false)
           (Hdestruct7 : (cusage (AC d) <? cquota (AC d)) = true)
           (Hdestruct8 : init (update init_shared_adt l) = true)
           (Hdestruct9 : pg (update init_shared_adt l) = true)
           (Hdestruct10 : ZMap.get 0 (lock (update init_shared_adt l)) = LockFalse)
           (Hdestruct12 : B_GetContainerUsed
                            (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                            (CPU_ID (update init_shared_adt l)) l0 = true)
           (a0 : ATable)
           (Hdestruct13 : B_CalAT_log_real
                            (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                          Some a0)
           (n0 : z ≠ 0)
           (Hdestruct2 : zeq z 0 = right n0)
           (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
           (HGetUsed´ : B_GetContainerUsed
                          (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                          (CPU_ID (update init_shared_adt l)) l0 = true)
           (Hcused : cused
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                 (AbstractDataType.AC a)) = true)
           (HAC_eq : AC d =
                     ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (AbstractDataType.AC a))
           (Hper_data_rel : relate_RData_per_pd
                              (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                        kctxt_pool) (update init_shared_adt l) d a)
           (a1 : 0 < z < nps (update init_shared_adt l) ∧
                 ZMap.get z a0 = ATValid false ATNorm ∧
                 (∀ x : Z, 0 < x < z → ZMap.get x a0 ≠ ATValid false ATNorm))
           (Hdestruct14 : first_free a0 (nps (update init_shared_adt l)) =
                          inleft
                            (exist
                               (fun n1 : Z ⇒
                                  0 < n1 < nps (update init_shared_adt l) ∧
                                  ZMap.get n1 a0 = ATValid false ATNorm ∧
                                  (∀ x : Z, 0 < x < n1 → ZMap.get x a0 ≠ ATValid false ATNorm)) z a1))
           (n1 : z ≠ 0)
           (Hdestruct16 : zeq z 0 = right n1)
           (Hdestruct0 : pt_Arg (Int.unsigned n) (Int.unsigned vadr) z (nps (update init_shared_adt l)) = true)
           (p : PTPerm)
           (Hdestruct15 : ZtoPerm (Int.unsigned perm) = Some p)
           (pi : Z)
           (pte : PTE)
           (Hdestruct17 : ZMap.get (PDX (Int.unsigned vadr)) (ZMap.get (Int.unsigned n) (ptpool d)) = PDEValid pi pte)
           (Hflag_ikern : ikern d = AbstractDataType.ikern a)
           (Hflag_ihost : ihost d = AbstractDataType.ihost a)
           (Hflag_pg : pg (update init_shared_adt l) = AbstractDataType.pg a)
           (Hflag_ipt : ipt d = AbstractDataType.ipt a)
           (Hflag_CPU_ID : CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a)
           (Hflag_nps : nps (update init_shared_adt l) = AbstractDataType.nps a)
           (Hflag_big_log : big_log (update init_shared_adt l) = AbstractDataType.big_log a)
           (Hflag_big_oracle : big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a)
           (Hflag_lock : lock (update init_shared_adt l) = AbstractDataType.lock a)
           (Hflag_ptp : ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))
           (Hdestruct19 : ZMap.get (PTX (Int.unsigned vadr)) pte = PTEUnPresent)
           (Hdestruct18 : Some
                            ((update init_shared_adt l) { sh_big_log
                                                          : BigDef
                                                              (TBEVENT (CPU_ID (update init_shared_adt l))
                                                                       (TBSHARED
                                                                          (BPALLOCE
                                                                             (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                                       (cid (update init_shared_adt l))) z))
                                                                       :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)},
                  ((d { pv_pperm : ZMap.set z PGAlloc (pperm d)}) { pv_AC
                   : {|
                     cquota := cquota (AC d);
                     cusage := cusage (AC d) + 1;
                     cparent := cparent (AC d);
                     cchildren := cchildren (AC d);
                     cused := cused (AC d) |}}) { pv_ptpool
                  : ZMap.set (Int.unsigned n)
                      (ZMap.set (PDX (Int.unsigned vadr))
                         (PDEValid pi (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) pte))
                         (ZMap.get (Int.unsigned n) (ptpool d)))
                      (ptpool d)}) = Some (ds´, d´)),
   ∃ (a´ : RData) (res´ : Z),
     Some
       ((((((a {big_log
             : BigDef
                 (TBEVENT (CPU_ID (update init_shared_adt l))
                    (TBSHARED
                       (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a)) z))
                  :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)})
            {LAT : ZMap.set z (LATCValid nil) (LAT a)}) {pperm
           : ZMap.set z PGAlloc (AbstractDataType.pperm a)}) {AC
          : ZMap.set (Int.unsigned n)
              {|
              cquota := cquota (AC d);
              cusage := cusage (AC d) + 1;
              cparent := cparent (AC d);
              cchildren := cchildren (AC d);
              cused := true |} (AbstractDataType.AC a)}) {LAT
         : ZMap.set z
             (LATCValid (LATO (Int.unsigned n) (PDX (Int.unsigned vadr)) (PTX (Int.unsigned vadr)) :: nil))
             (ZMap.set z (LATCValid nil) (LAT a))}) {ptpool
        : ZMap.set (Int.unsigned n)
            (ZMap.set (PDX (Int.unsigned vadr))
               (PDEValid pi (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) pte))
               (ZMap.get (Int.unsigned n) (ptpool d)))
            (AbstractDataType.ptpool a)}, 0) = Some (a´, res´) ∧
     relate_RData kctxt_pool
       (update init_shared_adt l) { sh_big_log
       : BigDef
           (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
            :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
       (ZMap.set (Int.unsigned n) (Some d´) dp) a´ ∧
     kctxt a = kctxt a´ ∧
     ds´ =
     (update init_shared_adt l) { sh_big_log
     : BigDef
         (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
          :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)} ∧
     0 = res´ ∧
     ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a) =
     ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
  Proof.
    intros.
    esplit; esplit; refine_split.
    { simpl; reflexivity. }
    { simpl.
      inv Hdestruct18.
      inv H.
      constructor; simpl; auto; intros.
      { intros.
        rewrite e.
        rewrite sh_CPU_ID_re.
        rewrite Hdestruct8 in sh_cid_re.
        rewrite <- sh_cid_re.
        rewrite <- sh_CPU_ID_re; auto. }
      generalize (per_data_re i); intros.
      rewrite e.
      exploit (HGetUsedpreserve i (Int.unsigned n) z l0); eauto.
      { inv sh_shared_inv_re; auto. }
      rewrite e.
      intros HGUsed.
      case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
      { rewrite ZMap.gss.
        rewrite H0 in H.
        inv H; rewrite zeq_true in ×.
        simpl in *; rewrite Hdestruct8 in ×.
        per_data_auto_simpl.
        - rewrite Hdestruct8; auto.
        - rewrite Hdestruct8; auto.
        - intros.
          rewrite sh_CPU_ID_re.
          rewrite <- sh_cid_re.
          rewrite <- sh_CPU_ID_re; auto.
        - assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
          { inv sh_shared_inv_re.
            assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                           ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
            { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
              right.
              intro contra.
              inv contra.
              right.
              intro contra.
              inv contra. }
            destruct Htemp; eauto.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            unfold valid_AT_log_B in valid_AT_log_inv.
            destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
            eapply valid_B_Cal_AT_log_inv in H; eauto.
            eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
            destruct a1 as (? & a1´ & ?).
            rewrite a1´ in H.
            inv H.
            rewrite <- sh_big_log_re; auto. }
          assert (ZMap.get z (pperm d) = PGUndef).
          { generalize (pperm_re z).
            rewrite H.
            intros.
            repeat match goal with
                   | [H: context[if _ then _ else _] |- _] ⇒ clear H
                   end.
            subdestruct; simpl; try inv H2.
            reflexivity. }
          inv inv_re.
          assert (∀ id, ZMap.get id (HP d) = ZMap.get id (FlatMem.free_page z (HP d))).
          { intros; eapply dirty_page_per_thread_inv; eauto. }
          assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                             = ZMap.get id (FlatMem.free_page z (AbstractDataType.HP a))).
          { inv sh_shared_inv_re.
            intros.
            eapply dirty_page_shared_inv; eauto. }
          revert H4; revert H3.
          intros Hd_init Ha_init v ofs TY Htemp1 Htemp2 Htemp3.
          case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) z).
          + intros.
            rewrite e1 in Htemp1.
            rewrite <- e1 in Hd_init, Ha_init.
            revert Hd_init Ha_init.
            clear H3 e1 Htemp1.
            revert Htemp2 Htemp3.
            eapply abs_rel_palloc_mem_related_prop; eauto.
          + intros; subst.
            rewrite ZMap.gso in Htemp1; eauto.
        - rewrite zeq_true; auto.
        - rewrite zeq_true; auto.
        - unfold relate_AC_per_pd in *; simpl.
          rewrite Hdestruct8.
          rewrite ZMap.gss.
          rewrite HGUsed, Hdestruct12.
          rewrite <- Hcused.
          rewrite <- HAC_eq.
          destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) main_thread); auto.
          destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l))
                                       (cid (update init_shared_adt l))) 1024); auto.
        - rewrite zeq_true; auto.
        - unfold pperm_inject.
          intros.
          generalize (pperm_re i); intros.
          case_eq (zeq i z); intros; subst;
            [rewrite ZMap.gss; rewrite ZMap.gss; auto | rewrite ZMap.gso; auto; rewrite ZMap.gso; auto].
        - rewrite Hdestruct8; auto.
          rewrite zeq_true; auto.
        - rewrite Hdestruct8; auto.
          rewrite ZMap.gss; rewrite ZMap.gss; auto.
        - rewrite zeq_true; auto.
        - rewrite zeq_true; auto.
        - rewrite zeq_true; auto.
        - unfold relate_SyncChanPool_per_pd; simpl.
          rewrite Hdestruct8; auto.
          rewrite zeq_true; auto.
        - unfold relate_uctxt_per_pd in *; simpl.
          rewrite Hdestruct8 in uctxt_re; rewrite Hdestruct8.
          unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
          rewrite HGUsed, Hdestruct12.
          rewrite Hdestruct12 in uctxt_re.
          auto.
        - auto.
        - auto.
        - auto.
        - intros.
          inv inv_re; constructor; simpl.
          assert (∀ i : ZIndexed.t,
                     ZMap.get i (pperm d) = PGUndef →
                     ∀ res,
                       ZMap.get res (HP d) =
                       ZMap.get res (FlatMem.free_page i (HP d))).
          { intros; apply dirty_page_per_thread_inv; auto. }
          intros.
          exploit single_dirty_ppage´_gso_alloc.
          { unfold single_dirty_ppage´.
            apply H. }
          { exact H2. }
          { intros.
            apply H3. } }
      
      { rewrite ZMap.gso; auto.
        subdestruct; simpl in *; auto.
        inv H.
        inv H1; simpl in ×.
        per_data_auto_simpl.
        - intros.
          rewrite sh_CPU_ID_re.
          rewrite <- sh_cid_re.
          rewrite <- sh_CPU_ID_re; auto.
        - unfold relate_AC_per_pd in *; simpl.
          rewrite Hdestruct18.
          rewrite ZMap.gso; auto.
          rewrite HGUsed.
          rewrite Hdestruct18 in AC_re.
          unfold B_GetContainerUsed´ in AC_re; rewrite Hdestruct11 in AC_re.
          auto.
        - rewrite zeq_false; auto.
          rewrite zeq_false in ti_re; auto.
        - unfold pperm_inject.
          intros.
          generalize (pperm_re i0); intros.
          case_eq (zeq i0 z); intros; subst.
          { rewrite ZMap.gss.
            assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
            { inv sh_shared_inv_re.
              assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                             ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
              { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                right.
                intro contra.
                inv contra.
                right.
                intro contra.
                inv contra. }
              destruct Htemp; eauto.
              unfold valid_AT_log_type_B in valid_AT_log_inv.
              unfold valid_AT_log_B in valid_AT_log_inv.
              destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
              eapply valid_B_Cal_AT_log_inv in H3; eauto.
              eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H3; auto.
              destruct a1 as (? & a1´ & ?).
              rewrite a1´ in H3.
              inv H3.
              rewrite <- big_log_re; auto. }
            rewrite H3 in H.
            repeat match goal with
                   | [H: context[if _ then _ else _] |- _] ⇒ clear H
                   end.
            subdestruct; eauto. }
          { rewrite ZMap.gso; auto. }
        - rewrite Hdestruct18; auto.
          rewrite Hdestruct18 in PT_re; auto.
        - rewrite Hdestruct18; auto.
          rewrite Hdestruct18 in ptp_re.
          rewrite ZMap.gso; auto.
        - rewrite zeq_false in ipt_re; auto; rewrite zeq_false; auto.
        - rewrite zeq_false in intr_flag_re; auto; rewrite zeq_false; auto.
        - rewrite zeq_false in in_intr_re; auto; rewrite zeq_false; auto.
        - unfold relate_SyncChanPool_per_pd; simpl; rewrite Hdestruct18.
          rewrite zeq_true; auto.
        - unfold relate_uctxt_per_pd in *; simpl.
          rewrite Hdestruct18 in uctxt_re; rewrite Hdestruct18.
          unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
          rewrite HGUsed.
          auto.
        - auto.
        - auto.
        - auto.
        - inv inv_re; constructor; simpl; auto.
        - constructor. }
      { inv sh_shared_inv_re.
        constructor; simpl; auto.
        - intros.
          assert (∀ i : ZIndexed.t,
                     ZMap.get i (AbstractDataType.pperm a) = PGUndef →
                     ∀ res,
                       ZMap.get res (AbstractDataType.HP a) =
                       ZMap.get res (FlatMem.free_page i (AbstractDataType.HP a))).
          { intros; apply dirty_page_shared_inv; auto. }
          intros.
          exploit single_dirty_ppage´_gso_alloc.
          { unfold single_dirty_ppage´.
            apply H1. }
          { exact H. }
          { intros.
            apply H2. }
        - rewrite Hdestruct8; intro contra; inv contra.
        - rewrite Hdestruct8; intro contra; inv contra.
        - rewrite zeq_true.
          intros.
          unfold B_inLock in syncchpool_inv.
          rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
          apply syncchpool_inv in H.
          rewrite <- H.
          symmetry.
          apply single_big_oracle_query_preserves_B_GetlastPush_aux; auto.
        - intros.
          apply container_used_inv in H.
          unfold B_GetContainerUsed´ in H.
          rewrite Hdestruct11 in H.
          erewrite HGetUsedpreserve; auto.
          case_eq (zeq tid (Int.unsigned n)); intros; subst.
          + rewrite ZMap.gss.
            simpl.
            rewrite <- Hdestruct12.
            rewrite e; auto.
          + rewrite ZMap.gso; auto.
        - intros.
          apply uctxt_used_inv.
          unfold B_GetContainerUsed´.
          rewrite Hdestruct11.
          rewrite <- H.
          symmetry.
          eapply HGetUsedpreserve; auto.
        - unfold valid_AT_log_type_B.
          intros; inv Hdef.
          unfold valid_AT_log_B.
          revert Hdestruct13.
          unfold B_CalAT_log_real; simpl.
          intros.
          rewrite Hdestruct13.
          rewrite zeq_false; auto.
          destruct a1 as (? & a1´ & ?); rewrite a1´.
          esplit; auto.
        - unfold valid_TCB_log_type_B.
          intros ? Hdef.
          inv Hdef.
          destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
          unfold valid_TCB_oracle_B in Htemp2.
          generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
          generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
          unfold valid_TCB_log_B in ×.
          revert Hvalid_oracle_log.
          unfold B_CalTCB_log_real.
          unfold B_CalTCB_log.
          simpl.
          clear.
          intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
          subdestruct.
          inv H.
          esplit; auto.
        - intros.
          case_eq (zeq i z).
          { inv H1.
            unfold B_CalAT_log_real in H2.
            simpl in H2.
            unfold B_CalAT_log_real in Hdestruct13.
            rewrite Hdestruct13 in H2.
            rewrite zeq_false in H2; auto.
            intros; subst.
            rewrite ZMap.gss in H.
            clear Hdestruct13.
            case_eq (ZMap.get z a0).
            { intros.
              rewrite H3 in H2.
              destruct b; inv H2.
              destruct t; inv H6.
              rewrite ZMap.gss.
              auto. }
            { intros.
              rewrite H3 in H2; inv H2. } }
          { intros.
            rewrite ZMap.gso in H; eauto.
            inv H1.
            destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
            unfold valid_AT_oracle_B in Htemp3.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
            generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
              intros Hvalid_AT_oracle_res.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            unfold valid_AT_log_B in valid_AT_log_inv.
            destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
            eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
            inv H2.
            unfold B_CalAT_log_real in Hvalid_AT_log, H4.
            simpl in H4.
            case_eq (B_CalAT_log (big_oracle (update init_shared_adt l)
                                             (CPU_ID (update init_shared_adt l)) l0 ++ l0)
                                 (real_AT (ZMap.init ATUndef))); intros.
            rewrite H1 in H4.
            rewrite zeq_false in H4; auto.
            subdestruct.
            inv H4.
            rewrite ZMap.gso; auto.
            eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H1 i H); eauto.
            rewrite H1 in H4.
            inv H4.
            rewrite <- sh_big_log_re; auto. } }
      { inv sh_mem_inv_re.
        constructor; simpl; auto.
        intros.
        case_eq (zeq i (Int.unsigned n)).
        { intros; subst.
          rewrite ZMap.gss in H1.
          inv H1; subst; simpl.
          simpl in H3.
          case_eq (zeq j (Int.unsigned n)).
          { intros; subst; simpl.
            rewrite ZMap.gss in H2.
            inv H2; simpl.
            elim H; reflexivity. }
          { intros; rewrite ZMap.gso in H2; auto.
            case_eq (zeq j0 z); intros.
            - subst.
              rewrite ZMap.gss in H3.
              assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H7; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H7.
                inv H7.
                rewrite <- sh_big_log_re; auto. }
              intros.
              generalize (per_data_re j).
              rewrite H2.
              intros.
              inv H8.
              generalize (pperm_re z).
              intros.
              rewrite H7 in H8.
              repeat match goal with
                     | [H: context[if _ then _ else _] |- _] ⇒ clear H
                     end.
              subdestruct; try (inv H8; fail).
              reflexivity.
            - rewrite ZMap.gso in H3; auto.
              eapply pperm_disjoint in H2; eauto.
              rewrite e; eauto. } }
        { intros; subst; rewrite ZMap.gso in H1; auto.
          case_eq (zeq j (Int.unsigned n)); intros; subst.
          - rewrite ZMap.gss in H2.
            inv H2; simpl.
            case_eq (zeq j0 z); intros; subst.
            + rewrite ZMap.gss.
              assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H7; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H7.
                inv H7.
                rewrite <- sh_big_log_re; auto. }
              intros.
              generalize (per_data_re i).
              rewrite H1.
              intros.
              inv H8.
              generalize (pperm_re z).
              intros.
              rewrite H7 in H8.
              repeat match goal with
                     | [H: context[if _ then _ else _] |- _] ⇒ clear H
                     end.
              subdestruct; try (inv H8; fail).
              elim H3; reflexivity.
            + rewrite ZMap.gso; auto.
              eapply (pperm_disjoint i (Int.unsigned n)) in H3; eauto.
              rewrite e; auto.
          - rewrite ZMap.gso in H2; auto.
            eapply (pperm_disjoint i j); eauto. } } }
    { simpl; auto. }
    { inv Hdestruct18; simpl; auto.
      rewrite e.
      auto. }
    { reflexivity. }
    { simpl.
      rewrite Hflag_CPU_ID; auto. }
  Qed.

  Lemma big_ptResv_related_PTEUndef:
    ∀ (l : Log) (dp : ZMap.t (option privData)) (a : RData)
           (n : int) (vadr : int) (perm : int) (d : privData) (d´ : privData) (ds´ : sharedData)
           (kctxt_pool : KContextPool) (z : Z) (l0 : BigLog)
           (in_event : has_event pt_resv = true)
           (prim_num : prim_id_num pt_resv = 2)
           (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
           (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
           (e : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (e0 : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (Hdestruct1 : zeq (Int.unsigned n)
                             (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
                         left e0)
           (Hdestruct : True)
           (Hdestruct3 : ikern d = true)
           (Hdestruct4 : ihost d = true)
           (Hdestruct5 : ipt d = true)
           (Hdestruct11 : big_log (update init_shared_adt l) = BigDef l0)
           (Hdestruct6 : B_inLock_aux (CPU_ID (update init_shared_adt l)) l0 = false)
           (Hdestruct7 : (cusage (AC d) <? cquota (AC d)) = true)
           (Hdestruct8 : init (update init_shared_adt l) = true)
           (Hdestruct9 : pg (update init_shared_adt l) = true)
           (Hdestruct10 : ZMap.get 0 (lock (update init_shared_adt l)) = LockFalse)
           (Hdestruct12 : B_GetContainerUsed
                            (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                            (CPU_ID (update init_shared_adt l)) l0 = true)
           (a0 : ATable)
           (Hdestruct13 : B_CalAT_log_real
                            (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                          Some a0)
           (n0 : z ≠ 0)
           (Hdestruct2 : zeq z 0 = right n0)
           (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
           (HGetUsed´ : B_GetContainerUsed
                          (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                          (CPU_ID (update init_shared_adt l)) l0 = true)
           (Hcused : cused
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                 (AbstractDataType.AC a)) = true)
           (HAC_eq : AC d =
                     ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (AbstractDataType.AC a))
           (Hper_data_rel : relate_RData_per_pd
                              (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                        kctxt_pool) (update init_shared_adt l) d a)
           (a1 : 0 < z < nps (update init_shared_adt l) ∧
                 ZMap.get z a0 = ATValid false ATNorm ∧
                 (∀ x : Z, 0 < x < z → ZMap.get x a0 ≠ ATValid false ATNorm))
           (Hdestruct14 : first_free a0 (nps (update init_shared_adt l)) =
                          inleft
                            (exist
                               (fun n1 : Z ⇒
                                  0 < n1 < nps (update init_shared_adt l) ∧
                                  ZMap.get n1 a0 = ATValid false ATNorm ∧
                                  (∀ x : Z, 0 < x < n1 → ZMap.get x a0 ≠ ATValid false ATNorm)) z a1))
           (n1 : z ≠ 0)
           (Hdestruct16 : zeq z 0 = right n1)
           (Hdestruct0 : pt_Arg (Int.unsigned n) (Int.unsigned vadr) z (nps (update init_shared_adt l)) = true)
           (p : PTPerm)
           (Hdestruct15 : ZtoPerm (Int.unsigned perm) = Some p)
           (pi : Z)
           (pte : PTE)
           (Hdestruct17 : ZMap.get (PDX (Int.unsigned vadr)) (ZMap.get (Int.unsigned n) (ptpool d)) = PDEValid pi pte)
           (Hflag_ikern : ikern d = AbstractDataType.ikern a)
           (Hflag_ihost : ihost d = AbstractDataType.ihost a)
           (Hflag_pg : pg (update init_shared_adt l) = AbstractDataType.pg a)
           (Hflag_ipt : ipt d = AbstractDataType.ipt a)
           (Hflag_CPU_ID : CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a)
           (Hflag_nps : nps (update init_shared_adt l) = AbstractDataType.nps a)
           (Hflag_big_log : big_log (update init_shared_adt l) = AbstractDataType.big_log a)
           (Hflag_big_oracle : big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a)
           (Hflag_lock : lock (update init_shared_adt l) = AbstractDataType.lock a)
           (Hflag_ptp : ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))
           (Hdestruct19 : ZMap.get (PTX (Int.unsigned vadr)) pte = PTEUndef)
           (Hdestruct18 : Some
                            ((update init_shared_adt l) { sh_big_log
                                                          : BigDef
                                                              (TBEVENT (CPU_ID (update init_shared_adt l))
                                                                       (TBSHARED
                                                                          (BPALLOCE
                                                                             (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                                       (cid (update init_shared_adt l))) z))
                                                                       :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)},
                  ((d { pv_pperm : ZMap.set z PGAlloc (pperm d)}) { pv_AC
                   : {|
                     cquota := cquota (AC d);
                     cusage := cusage (AC d) + 1;
                     cparent := cparent (AC d);
                     cchildren := cchildren (AC d);
                     cused := cused (AC d) |}}) { pv_ptpool
                  : ZMap.set (Int.unsigned n)
                      (ZMap.set (PDX (Int.unsigned vadr))
                         (PDEValid pi (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) pte))
                         (ZMap.get (Int.unsigned n) (ptpool d)))
                      (ptpool d)}) = Some (ds´, d´)),
   ∃ (a´ : RData) (res´ : Z),
     Some
       ((((((a {big_log
             : BigDef
                 (TBEVENT (CPU_ID (update init_shared_adt l))
                    (TBSHARED
                       (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a)) z))
                  :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)})
            {LAT : ZMap.set z (LATCValid nil) (LAT a)}) {pperm
           : ZMap.set z PGAlloc (AbstractDataType.pperm a)}) {AC
          : ZMap.set (Int.unsigned n)
              {|
              cquota := cquota (AC d);
              cusage := cusage (AC d) + 1;
              cparent := cparent (AC d);
              cchildren := cchildren (AC d);
              cused := true |} (AbstractDataType.AC a)}) {LAT
         : ZMap.set z
             (LATCValid (LATO (Int.unsigned n) (PDX (Int.unsigned vadr)) (PTX (Int.unsigned vadr)) :: nil))
             (ZMap.set z (LATCValid nil) (LAT a))}) {ptpool
        : ZMap.set (Int.unsigned n)
            (ZMap.set (PDX (Int.unsigned vadr))
               (PDEValid pi (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) pte))
               (ZMap.get (Int.unsigned n) (ptpool d)))
            (AbstractDataType.ptpool a)}, 0) = Some (a´, res´) ∧
     relate_RData kctxt_pool
       (update init_shared_adt l) { sh_big_log
       : BigDef
           (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
            :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
       (ZMap.set (Int.unsigned n) (Some d´) dp) a´ ∧
     kctxt a = kctxt a´ ∧
     ds´ =
     (update init_shared_adt l) { sh_big_log
     : BigDef
         (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
          :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)} ∧
     0 = res´ ∧
     ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a) =
     ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
  Proof.
    intros.
    esplit; esplit; refine_split.
    { simpl; reflexivity. }
    { simpl.
      inv Hdestruct18.
      inv H.
      constructor; simpl; auto; intros.
      { intros.
        rewrite e.
        rewrite sh_CPU_ID_re.
        rewrite Hdestruct8 in sh_cid_re.
        rewrite <- sh_cid_re.
        rewrite <- sh_CPU_ID_re; auto. }
      generalize (per_data_re i); intros.
      rewrite e.
      exploit (HGetUsedpreserve i (Int.unsigned n) z l0); eauto.
      { inv sh_shared_inv_re; auto. }
      rewrite e.
      intros HGUsed.
      case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
      { rewrite ZMap.gss.
        rewrite H0 in H.
        inv H; rewrite zeq_true in ×.
        simpl in *; rewrite Hdestruct8 in ×.
        per_data_auto_simpl.
        - rewrite Hdestruct8; auto.
        - rewrite Hdestruct8; auto.
        - intros.
          rewrite sh_CPU_ID_re.
          rewrite <- sh_cid_re.
          rewrite <- sh_CPU_ID_re; auto.
        - assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
          { inv sh_shared_inv_re.
            assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                           ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
            { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
              right.
              intro contra.
              inv contra.
              right.
              intro contra.
              inv contra. }
            destruct Htemp; eauto.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            unfold valid_AT_log_B in valid_AT_log_inv.
            destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
            eapply valid_B_Cal_AT_log_inv in H; eauto.
            eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
            destruct a1 as (? & a1´ & ?).
            rewrite a1´ in H.
            inv H.
            rewrite <- sh_big_log_re; auto. }
          assert (ZMap.get z (pperm d) = PGUndef).
          { generalize (pperm_re z).
            rewrite H.
            intros.
            repeat match goal with
                   | [H: context[if _ then _ else _] |- _] ⇒ clear H
                   end.
            subdestruct; simpl; try inv H2.
            reflexivity. }
          inv inv_re.
          assert (∀ id, ZMap.get id (HP d) = ZMap.get id (FlatMem.free_page z (HP d))).
          { intros; eapply dirty_page_per_thread_inv; eauto. }
          assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                             = ZMap.get id (FlatMem.free_page z (AbstractDataType.HP a))).
          { inv sh_shared_inv_re.
            intros.
            eapply dirty_page_shared_inv; eauto. }
          revert H4; revert H3.
          intros Hd_init Ha_init v ofs TY Htemp1 Htemp2 Htemp3.
          case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) z).
          + intros.
            rewrite e1 in Htemp1.
            rewrite <- e1 in Hd_init, Ha_init.
            revert Hd_init Ha_init.
            clear H3 e1 Htemp1.
            revert Htemp2 Htemp3.
            eapply abs_rel_palloc_mem_related_prop; eauto.
          + intros; subst.
            rewrite ZMap.gso in Htemp1; eauto.
        - rewrite zeq_true; auto.
        - rewrite zeq_true; auto.
        - unfold relate_AC_per_pd in *; simpl.
          rewrite Hdestruct8.
          rewrite ZMap.gss.
          rewrite HGUsed, Hdestruct12.
          rewrite <- Hcused.
          rewrite <- HAC_eq.
          destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) main_thread); auto.
          destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l))
                                       (cid (update init_shared_adt l))) 1024); auto.
        - rewrite zeq_true; auto.
        - unfold pperm_inject.
          intros.
          generalize (pperm_re i); intros.
          case_eq (zeq i z); intros; subst;
            [rewrite ZMap.gss; rewrite ZMap.gss; auto | rewrite ZMap.gso; auto; rewrite ZMap.gso; auto].
        - rewrite Hdestruct8; auto.
          rewrite zeq_true; auto.
        - rewrite Hdestruct8; auto.
          rewrite ZMap.gss; rewrite ZMap.gss; auto.
        - rewrite zeq_true; auto.
        - rewrite zeq_true; auto.
        - rewrite zeq_true; auto.
        - unfold relate_SyncChanPool_per_pd; simpl.
          rewrite Hdestruct8; auto.
          rewrite zeq_true; auto.
        - unfold relate_uctxt_per_pd in *; simpl.
          rewrite Hdestruct8 in uctxt_re; rewrite Hdestruct8.
          unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
          rewrite HGUsed, Hdestruct12.
          rewrite Hdestruct12 in uctxt_re.
          auto.
        - auto.
        - auto.
        - auto.
        - intros.
          inv inv_re; constructor; simpl.
          assert (∀ i : ZIndexed.t,
                     ZMap.get i (pperm d) = PGUndef →
                     ∀ res,
                       ZMap.get res (HP d) =
                       ZMap.get res (FlatMem.free_page i (HP d))).
          { intros; apply dirty_page_per_thread_inv; auto. }
          intros.
          exploit single_dirty_ppage´_gso_alloc.
          { unfold single_dirty_ppage´.
            apply H. }
          { exact H2. }
          { intros.
            apply H3. } }
      
      { rewrite ZMap.gso; auto.
        subdestruct; simpl in *; auto.
        inv H.
        inv H1; simpl in ×.
        per_data_auto_simpl.
        - intros.
          rewrite sh_CPU_ID_re.
          rewrite <- sh_cid_re.
          rewrite <- sh_CPU_ID_re; auto.
        - unfold relate_AC_per_pd in *; simpl.
          rewrite Hdestruct18.
          rewrite ZMap.gso; auto.
          rewrite HGUsed.
          rewrite Hdestruct18 in AC_re.
          unfold B_GetContainerUsed´ in AC_re; rewrite Hdestruct11 in AC_re.
          auto.
        - rewrite zeq_false; auto.
          rewrite zeq_false in ti_re; auto.
        - unfold pperm_inject.
          intros.
          generalize (pperm_re i0); intros.
          case_eq (zeq i0 z); intros; subst.
          { rewrite ZMap.gss.
            assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
            { inv sh_shared_inv_re.
              assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                             ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
              { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                right.
                intro contra.
                inv contra.
                right.
                intro contra.
                inv contra. }
              destruct Htemp; eauto.
              unfold valid_AT_log_type_B in valid_AT_log_inv.
              unfold valid_AT_log_B in valid_AT_log_inv.
              destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
              eapply valid_B_Cal_AT_log_inv in H3; eauto.
              eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H3; auto.
              destruct a1 as (? & a1´ & ?).
              rewrite a1´ in H3.
              inv H3.
              rewrite <- big_log_re; auto. }
            rewrite H3 in H.
            repeat match goal with
                   | [H: context[if _ then _ else _] |- _] ⇒ clear H
                   end.
            subdestruct; eauto. }
          { rewrite ZMap.gso; auto. }
        - rewrite Hdestruct18; auto.
          rewrite Hdestruct18 in PT_re; auto.
        - rewrite Hdestruct18; auto.
          rewrite Hdestruct18 in ptp_re.
          rewrite ZMap.gso; auto.
        - rewrite zeq_false in ipt_re; auto; rewrite zeq_false; auto.
        - rewrite zeq_false in intr_flag_re; auto; rewrite zeq_false; auto.
        - rewrite zeq_false in in_intr_re; auto; rewrite zeq_false; auto.
        - unfold relate_SyncChanPool_per_pd; simpl; rewrite Hdestruct18.
          rewrite zeq_true; auto.
        - unfold relate_uctxt_per_pd in *; simpl.
          rewrite Hdestruct18 in uctxt_re; rewrite Hdestruct18.
          unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
          rewrite HGUsed.
          auto.
        - auto.
        - auto.
        - auto.
        - inv inv_re; constructor; simpl; auto.
        - constructor. }
      { inv sh_shared_inv_re.
        constructor; simpl; auto.
        - intros.
          assert (∀ i : ZIndexed.t,
                     ZMap.get i (AbstractDataType.pperm a) = PGUndef →
                     ∀ res,
                       ZMap.get res (AbstractDataType.HP a) =
                       ZMap.get res (FlatMem.free_page i (AbstractDataType.HP a))).
          { intros; apply dirty_page_shared_inv; auto. }
          intros.
          exploit single_dirty_ppage´_gso_alloc.
          { unfold single_dirty_ppage´.
            apply H1. }
          { exact H. }
          { intros.
            apply H2. }
        - rewrite Hdestruct8; intro contra; inv contra.
        - rewrite Hdestruct8; intro contra; inv contra.
        - rewrite zeq_true.
          intros.
          unfold B_inLock in syncchpool_inv.
          rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
          apply syncchpool_inv in H.
          rewrite <- H.
          symmetry.
          apply single_big_oracle_query_preserves_B_GetlastPush_aux; auto.
        - intros.
          apply container_used_inv in H.
          unfold B_GetContainerUsed´ in H.
          rewrite Hdestruct11 in H.
          erewrite HGetUsedpreserve; auto.
          case_eq (zeq tid (Int.unsigned n)); intros; subst.
          + rewrite ZMap.gss.
            simpl.
            rewrite <- Hdestruct12.
            rewrite e; auto.
          + rewrite ZMap.gso; auto.
        - intros.
          apply uctxt_used_inv.
          unfold B_GetContainerUsed´.
          rewrite Hdestruct11.
          rewrite <- H.
          symmetry.
          eapply HGetUsedpreserve; auto.
        - unfold valid_AT_log_type_B.
          intros; inv Hdef.
          unfold valid_AT_log_B.
          revert Hdestruct13.
          unfold B_CalAT_log_real; simpl.
          intros.
          rewrite Hdestruct13.
          rewrite zeq_false; auto.
          destruct a1 as (? & a1´ & ?); rewrite a1´.
          esplit; auto.
        - unfold valid_TCB_log_type_B.
          intros ? Hdef.
          inv Hdef.
          destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
          unfold valid_TCB_oracle_B in Htemp2.
          generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
          generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
          unfold valid_TCB_log_B in ×.
          revert Hvalid_oracle_log.
          unfold B_CalTCB_log_real.
          unfold B_CalTCB_log.
          simpl.
          clear.
          intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
          subdestruct.
          inv H.
          esplit; auto.
        - intros.
          case_eq (zeq i z).
          { inv H1.
            unfold B_CalAT_log_real in H2.
            simpl in H2.
            unfold B_CalAT_log_real in Hdestruct13.
            rewrite Hdestruct13 in H2.
            rewrite zeq_false in H2; auto.
            intros; subst.
            rewrite ZMap.gss in H.
            clear Hdestruct13.
            case_eq (ZMap.get z a0).
            { intros.
              rewrite H3 in H2.
              destruct b; inv H2.
              destruct t; inv H6.
              rewrite ZMap.gss.
              auto. }
            { intros.
              rewrite H3 in H2; inv H2. } }
          { intros.
            rewrite ZMap.gso in H; eauto.
            inv H1.
            destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
            unfold valid_AT_oracle_B in Htemp3.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
            generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
              intros Hvalid_AT_oracle_res.
            unfold valid_AT_log_type_B in valid_AT_log_inv.
            unfold valid_AT_log_B in valid_AT_log_inv.
            destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
            eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
            inv H2.
            unfold B_CalAT_log_real in Hvalid_AT_log, H4.
            simpl in H4.
            case_eq (B_CalAT_log (big_oracle (update init_shared_adt l)
                                             (CPU_ID (update init_shared_adt l)) l0 ++ l0)
                                 (real_AT (ZMap.init ATUndef))); intros.
            rewrite H1 in H4.
            rewrite zeq_false in H4; auto.
            subdestruct.
            inv H4.
            rewrite ZMap.gso; auto.
            eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H1 i H); eauto.
            rewrite H1 in H4.
            inv H4.
            rewrite <- sh_big_log_re; auto. } }
      { inv sh_mem_inv_re.
        constructor; simpl; auto.
        intros.
        case_eq (zeq i (Int.unsigned n)).
        { intros; subst.
          rewrite ZMap.gss in H1.
          inv H1; subst; simpl.
          simpl in H3.
          case_eq (zeq j (Int.unsigned n)).
          { intros; subst; simpl.
            rewrite ZMap.gss in H2.
            inv H2; simpl.
            elim H; reflexivity. }
          { intros; rewrite ZMap.gso in H2; auto.
            case_eq (zeq j0 z); intros.
            - subst.
              rewrite ZMap.gss in H3.
              assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H7; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H7.
                inv H7.
                rewrite <- sh_big_log_re; auto. }
              intros.
              generalize (per_data_re j).
              rewrite H2.
              intros.
              inv H8.
              generalize (pperm_re z).
              intros.
              rewrite H7 in H8.
              repeat match goal with
                     | [H: context[if _ then _ else _] |- _] ⇒ clear H
                     end.
              subdestruct; try (inv H8; fail).
              reflexivity.
            - rewrite ZMap.gso in H3; auto.
              eapply pperm_disjoint in H2; eauto.
              rewrite e; eauto. } }
        { intros; subst; rewrite ZMap.gso in H1; auto.
          case_eq (zeq j (Int.unsigned n)); intros; subst.
          - rewrite ZMap.gss in H2.
            inv H2; simpl.
            case_eq (zeq j0 z); intros; subst.
            + rewrite ZMap.gss.
              assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H7; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H7.
                inv H7.
                rewrite <- sh_big_log_re; auto. }
              intros.
              generalize (per_data_re i).
              rewrite H1.
              intros.
              inv H8.
              generalize (pperm_re z).
              intros.
              rewrite H7 in H8.
              repeat match goal with
                     | [H: context[if _ then _ else _] |- _] ⇒ clear H
                     end.
              subdestruct; try (inv H8; fail).
              elim H3; reflexivity.
            + rewrite ZMap.gso; auto.
              eapply (pperm_disjoint i (Int.unsigned n)) in H3; eauto.
              rewrite e; auto.
          - rewrite ZMap.gso in H2; auto.
            eapply (pperm_disjoint i j); eauto. } } }
    { simpl; auto. }
    { inv Hdestruct18; simpl; auto.
      rewrite e.
      auto. }
    { reflexivity. }
    { simpl.
      rewrite Hflag_CPU_ID; auto. }
  Qed.

  Lemma second_PTEUnPreSent:
    ∀ (l : Log) (dp : ZMap.t (option privData)) (a : RData) (n : int) (vadr : int) (perm : int)
           (d : privData) (res : Z) (kctxt_pool : KContextPool) (z : Z) (in_event : has_event pt_resv = true)
           (prim_num : prim_id_num pt_resv = 2)
           (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
           (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
           (e : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (e0 : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (Hdestruct1 : zeq (Int.unsigned n)
                             (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
                         left e0)
           (Hdestruct : True)
           (Hdestruct3 : ikern d = true)
           (Hdestruct4 : ihost d = true)
           (Hdestruct5 : ipt d = true)
           (l0 : BigLog)
           (Hdestruct11 : big_log (update init_shared_adt l) = BigDef l0)
           (Hdestruct6 : B_inLock_aux (CPU_ID (update init_shared_adt l)) l0 = false)
           (Hdestruct7 : (cusage (AC d) <? cquota (AC d)) = true)
           (Hdestruct8 : init (update init_shared_adt l) = true)
           (Hdestruct9 : pg (update init_shared_adt l) = true)
           (Hdestruct10 : ZMap.get 0 (lock (update init_shared_adt l)) = LockFalse)
           (Hdestruct12 : B_GetContainerUsed
                            (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                            (CPU_ID (update init_shared_adt l)) l0 = true)
           (a0 : ATable)
           (Hdestruct13 : B_CalAT_log_real
                            (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                          Some a0)
           (n0 : z ≠ 0)
           (Hdestruct2 : zeq z 0 = right n0)
           (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
           (HGetUsed´ : B_GetContainerUsed (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (CPU_ID (update init_shared_adt l)) l0 = true)
           (Hcused : cused
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (AbstractDataType.AC a)) = true)
           (HAC_eq : AC d =
                     ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (AbstractDataType.AC a))
           (Hper_data_rel : relate_RData_per_pd
                    (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                    (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              kctxt_pool) (update init_shared_adt l) d a)
           (a1 : 0 < z < nps (update init_shared_adt l) ∧
                 ZMap.get z a0 = ATValid false ATNorm ∧
                 (∀ x : Z, 0 < x < z → ZMap.get x a0 ≠ ATValid false ATNorm))
           (Hdestruct14 : first_free a0 (nps (update init_shared_adt l)) =
                          inleft
                  (exist
                     (fun n1 : Z ⇒
                        0 < n1 < nps (update init_shared_adt l) ∧
                        ZMap.get n1 a0 = ATValid false ATNorm ∧
                        (∀ x : Z, 0 < x < n1 → ZMap.get x a0 ≠ ATValid false ATNorm)) z a1))
           (n1 : z ≠ 0)
           (Hdestruct16 : zeq z 0 = right n1)
           (Hdestruct0 : pt_Arg (Int.unsigned n) (Int.unsigned vadr) z (nps (update init_shared_adt l)) = true)
           (p : PTPerm)
           (Hdestruct15 : ZtoPerm (Int.unsigned perm) = Some p)
           (Hdestruct17 : ZMap.get (PDX (Int.unsigned vadr)) (ZMap.get (Int.unsigned n) (ptpool d)) = PDEUnPresent)
           (Hdestruct19 : pt_Arg´ (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                  (Int.unsigned vadr) = true)
           (Hdestruct22 : (cusage (AC d) + 1 <? cquota (AC d)) = true)
           (a2 : ATable)
           (Hdestruct23 : B_CalAT_log_real
                            (AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                         (TBEVENT (AbstractDataType.CPU_ID a)
                                                                  (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                                                                  :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
                                                         TBEVENT (AbstractDataType.CPU_ID a)
                                                         (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                                                         :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) =
                          Some a2)
           (Hflag_ikern : ikern d = AbstractDataType.ikern a)
           (Hflag_ihost : ihost d = AbstractDataType.ihost a)
           (Hflag_pg : pg (update init_shared_adt l) = AbstractDataType.pg a)
           (Hflag_ipt : ipt d = AbstractDataType.ipt a)
           (Hflag_CPU_ID : CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a)
           (Hflag_nps : nps (update init_shared_adt l) = AbstractDataType.nps a)
           (Hflag_big_log : big_log (update init_shared_adt l) = AbstractDataType.big_log a)
           (Hflag_big_oracle : big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a)
           (Hflag_lock : lock (update init_shared_adt l) = AbstractDataType.lock a)
           (Hflag_ptp : ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))
           (n2 : res ≠ 0)
           (Hdestruct20 : zeq res 0 = right n2)
           (a3 : 0 < res < nps (update init_shared_adt l) ∧
                 ZMap.get res a2 = ATValid false ATNorm ∧
                 (∀ x : Z, 0 < x < res → ZMap.get x a2 ≠ ATValid false ATNorm))
           (Hdestruct24 : first_free a2 (nps (update init_shared_adt l)) =
                          inleft
                            (exist
                               (fun n3 : Z ⇒
                                  0 < n3 < nps (update init_shared_adt l) ∧
                                  ZMap.get n3 a2 = ATValid false ATNorm ∧
                                  (∀ x : Z, 0 < x < n3 → ZMap.get x a2 ≠ ATValid false ATNorm)) res a3))
           (n3 : res ≠ 0)
           (n4 : res ≠ 0)
           (Hdestruct27 : zeq res 0 = right n4)
           (Hdestruct26 : True)
           (Hdestruct18 : ZMap.get (PTX (Int.unsigned vadr)) CalRealInitPTE.real_init_PTE = PTEUnPresent)
           (Hflag_cid : ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)) =
                        ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a))
           (pperm_disjoint : res ≠ z),
  ∃ (a´ : RData) (res´ : Z),
     Some
       (((((((((((((a {big_log
                    : BigDef
                        (TBEVENT (AbstractDataType.CPU_ID a)
                           (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                         :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}) {LAT
                   : ZMap.set z (LATCValid nil) (LAT a)}) {pperm :
                  ZMap.set z PGAlloc (AbstractDataType.pperm a)}) {AC
                 : ZMap.set (Int.unsigned n)
                     {|
                     cquota := cquota (AC d);
                     cusage := cusage (AC d) + 1;
                     cparent := cparent (AC d);
                     cchildren := cchildren (AC d);
                     cused := true |} (AbstractDataType.AC a)}) {big_log
                : BigDef
                    (TBEVENT (AbstractDataType.CPU_ID a)
                       (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) res))
                     :: AbstractDataType.big_oracle a
                          (AbstractDataType.CPU_ID a)
                          (TBEVENT (AbstractDataType.CPU_ID a)
                             (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                           :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
                        TBEVENT (AbstractDataType.CPU_ID a)
                          (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                        :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}) {LAT
               : ZMap.set res (LATCValid nil) (ZMap.set z (LATCValid nil) (LAT a))}) {pperm
              : ZMap.set res PGAlloc (ZMap.set z PGAlloc (AbstractDataType.pperm a))}) {AC
             : ZMap.set (Int.unsigned n)
                 {|
                 cquota := cquota (AC d);
                 cusage := cusage (AC d) + 1 + 1;
                 cparent := cparent (AC d);
                 cchildren := cchildren (AC d);
                 cused := true |} (AbstractDataType.AC a)}) {HP :
            FlatMem.free_page res (AbstractDataType.HP a)}) {pperm
           : ZMap.set res (PGHide (PGPMap (Int.unsigned n) (PDX (Int.unsigned vadr))))
               (ZMap.set res PGAlloc (ZMap.set z PGAlloc (AbstractDataType.pperm a)))}) {ptpool
          : ZMap.set (Int.unsigned n)
              (ZMap.set (PDX (Int.unsigned vadr)) (PDEValid res CalRealInitPTE.real_init_PTE)
                 (ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a)))
              (AbstractDataType.ptpool a)}) {LAT
         : ZMap.set z (LATCValid (LATO (Int.unsigned n) (PDX (Int.unsigned vadr)) (PTX (Int.unsigned vadr)) :: nil))
             (ZMap.set res (LATCValid nil) (ZMap.set z (LATCValid nil) (LAT a)))}) {ptpool
        : ZMap.set (Int.unsigned n)
            (ZMap.set (PDX (Int.unsigned vadr))
               (PDEValid res (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) CalRealInitPTE.real_init_PTE))
               (ZMap.set (PDX (Int.unsigned vadr))
                  (PDEValid res CalRealInitPTE.real_init_PTE)
                  (ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))))
            (ZMap.set (Int.unsigned n)
               (ZMap.set (PDX (Int.unsigned vadr))
                  (PDEValid res CalRealInitPTE.real_init_PTE)
                  (ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a)))
               (AbstractDataType.ptpool a))}, res) =
     Some (a´, res´) ∧
     relate_RData kctxt_pool
       (update init_shared_adt l) { sh_big_log
       : BigDef
           (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) res))
            :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                 (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                  :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
               TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
               :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}
       (ZMap.set (Int.unsigned n)
          (Some
             ((((d { pv_AC
                 : {|
                   cquota := cquota (AC d);
                   cusage := cusage (AC d) + 1 + 1;
                   cparent := cparent (AC d);
                   cchildren := cchildren (AC d);
                   cused := cused (AC d) |}}) { pv_HP :
                FlatMem.free_page res (HP d)}) { pv_pperm
               : ZMap.set res
                   (PGHide
                      (PGPMap (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                         (PDX (Int.unsigned vadr))))
                   (ZMap.set res PGAlloc (ZMap.set z PGAlloc (pperm d)))}) { pv_ptpool
              : ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                  (ZMap.set (PDX (Int.unsigned vadr))
                     (PDEValid res CalRealInitPTE.real_init_PTE)
                     (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (ptpool d)))
                  (ptpool d)}) { pv_ptpool
             : ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                 (ZMap.set (PDX (Int.unsigned vadr))
                    (PDEValid res (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) CalRealInitPTE.real_init_PTE))
                    (ZMap.set (PDX (Int.unsigned vadr))
                       (PDEValid res CalRealInitPTE.real_init_PTE)
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (ptpool d))))
                 (ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                    (ZMap.set (PDX (Int.unsigned vadr))
                       (PDEValid res CalRealInitPTE.real_init_PTE)
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (ptpool d)))
                    (ptpool d))}) dp) a´ ∧
     kctxt a = kctxt a´ ∧
     (update init_shared_adt l) { sh_big_log
     : BigDef
         (TBEVENT (CPU_ID (update init_shared_adt l))
            (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) res))
          :: big_oracle (update init_shared_adt l)
               (CPU_ID (update init_shared_adt l))
               (TBEVENT (CPU_ID (update init_shared_adt l))
                  (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) z))
                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
             TBEVENT (CPU_ID (update init_shared_adt l))
               (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) z))
             :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)} =
     (update init_shared_adt l) { sh_big_log
     : BigDef
         (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) res))
          :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
               (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
             TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
             :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)} ∧
     res = res´ ∧
     ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a) = ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
    Proof.
      Transparent update uRData proc_id.
      intros.
          esplit; esplit; eauto.
          refine_split; auto.
          { inv H; simpl; constructor; auto.
            - rewrite e; simpl.
              rewrite Hflag_cid.
              reflexivity.
            - intros.
              generalize (per_data_re i); intros.
              rewrite e.
              case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
              { rewrite ZMap.gss.
                rewrite H0 in H.
                inv H; rewrite zeq_true in ×.
                per_data_auto_simpl´.
                - rewrite Hflag_cid.
                  reflexivity.
                - assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H.
                    inv H.
                    rewrite <- sh_big_log_re; auto. }
                  assert (ZMap.get z (pperm d) = PGUndef).
                  { generalize (pperm_re z).
                    rewrite H.
                    intros.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct; simpl; try inv H2.
                    reflexivity. }
                  inv inv_re.
                  assert (∀ id, ZMap.get id (HP d) = ZMap.get id (FlatMem.free_page z (HP d))).
                  { intros; eapply dirty_page_per_thread_inv; eauto. }
                  assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                                     = ZMap.get id (FlatMem.free_page z (AbstractDataType.HP a))).
                  { inv sh_shared_inv_re.
                    intros.
                    eapply dirty_page_shared_inv; eauto. }
                  intros v ofs TY Htemp1 Htemp2 Htemp3.
                  case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) res).
                  { intros; subst.
                    rewrite ZMap.gss in Htemp1.
                    inv Htemp1. }
                  { intros; subst.
                    rewrite ZMap.gso in Htemp1; [ | auto].
                    rewrite ZMap.gso in Htemp1; [ | auto].
                    case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) z).
                    { intros.
                      rewrite e1 in Htemp1.
                      rewrite <- e1 in H3, H4.
                      clear H7 e1.
                      clear Htemp1.
                      generalize H4; intros Htemp´.
                      eapply abs_rel_palloc_mem_related_prop
                        with (1:= Htemp2) (2:= Htemp3) (3:= H3) in Htemp´.
                      eapply abs_rel_free_page_mem_related_prop1; eauto. }
                    { intros; subst.
                      rewrite ZMap.gso in Htemp1; [ | eauto].
                      generalize Htemp3; intros Htemp´.
                      eapply flatmem_re with (1:= Htemp1) (2:= Htemp2) in Htemp´.
                      eapply abs_rel_free_page_mem_related_prop1; eauto. } }
                - rewrite zeq_true; auto.
                - rewrite zeq_true; auto.
                - unfold relate_AC_per_pd in *; simpl.
                  rewrite ZMap.gss.
                  simpl.
                  rewrite Hdestruct8.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  rewrite Hdestruct12.
                  rewrite <- Hcused.
                  rewrite <- HAC_eq.
                  destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l))
                                          (cid (update init_shared_adt l))) main_thread); auto.
                  destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l))
                                               (cid (update init_shared_adt l))) 1024); auto.
                - rewrite zeq_true; auto.
                - unfold pperm_inject.
                  intros.
                  generalize (pperm_re i); intros.
                  rewrite ZMap.set2.
                  rewrite ZMap.set2.
                  case_eq (zeq i res); intros; subst.
                  + rewrite ZMap.gss.
                    rewrite ZMap.gss.
                    auto.
                  + rewrite ZMap.gso; auto.
                    case_eq (zeq i z); intros; subst.
                    × rewrite ZMap.gss; auto.
                      rewrite ZMap.gso; auto.
                      rewrite ZMap.gss; auto.
                    × rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                - rewrite Hdestruct8.
                  rewrite Hdestruct8 in PT_re; auto.
                  rewrite zeq_true in *; auto.
                - rewrite Hdestruct8.
                  rewrite ZMap.gss.
                  rewrite ZMap.set2.
                  rewrite ZMap.gss.
                  rewrite ZMap.set2.
                  rewrite Hdestruct8 in ptp_re.
                  rewrite ptp_re.
                  reflexivity.
                - rewrite zeq_true; auto.
                - rewrite zeq_true; auto.
                - rewrite zeq_true; auto.
                - unfold relate_SyncChanPool_per_pd; simpl.
                  rewrite Hdestruct8.
                  rewrite Hflag_CPU_ID; rewrite zeq_true; auto.
                - unfold relate_uctxt_per_pd in *; simpl.
                  simpl.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  rewrite Hdestruct12.
                  rewrite Hdestruct8.
                  unfold B_GetContainerUsed´ in uctxt_re.
                  rewrite Hdestruct8, Hdestruct11, Hdestruct12 in uctxt_re.
                  auto.
                - auto.
                - auto.
                - auto.
                - inv inv_re.
                  constructor; simpl.
                  intros.
                  assert (∀ i : ZIndexed.t,
                             ZMap.get i (pperm d) = PGUndef →
                             ∀ res,
                               ZMap.get res (HP d) =
                               ZMap.get res (FlatMem.free_page i (HP d))).
                  { intros; apply dirty_page_per_thread_inv; auto. }
                  intros.
                  rewrite ZMap.set2 in H.
                  case_eq (zeq i res); intros; subst.
                  + rewrite ZMap.gss in H.
                    inv H.
                  + rewrite ZMap.gso in H; [ | auto ].
                    exploit single_dirty_ppage´_gso_alloc.
                    { unfold single_dirty_ppage´.
                      apply H2. }
                    { exact H. }
                    { intros.
                      instantiate (1:= res0) in H4.
                      apply abs_rel_flatmem_free_page_prop1; auto. } }
              { rewrite ZMap.gso; auto.
                subdestruct; simpl in *; auto.
                inv H; simpl in ×.
                rewrite Hdestruct21 in ×.
                per_data_auto_simpl´.
                - simpl; rewrite Hdestruct21; auto.
                - simpl; rewrite Hdestruct21; auto.
                - rewrite Hflag_cid.
                  reflexivity.
                - simpl.
                  set (a´ := ((((a {big_log
                                    : BigDef(TBEVENT (AbstractDataType.CPU_ID a)
                                                     (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a)
                                                                                   (AbstractDataType.cid a)) z))
                                                     :: AbstractDataType.big_oracle a
                                                     (AbstractDataType.CPU_ID a) l0 ++
                                                     l0)}) {LAT : ZMap.set z (LATCValid nil) (LAT a)})
                                 {pperm : ZMap.set z PGAlloc (AbstractDataType.pperm a)})
                                {AC : ZMap.set (Int.unsigned n)
                                               {| cquota := cquota (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cusage := cusage (ZMap.get (Int.unsigned n) (AbstractDataType.AC a)) + 1;
                                                  cparent := cparent (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cchildren := cchildren (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cused := cused (ZMap.get (Int.unsigned n) (AbstractDataType.AC a))
                                               |}
                                               (AbstractDataType.AC a)})).
                  assert (ZMap.get res (AbstractDataType.pperm a´) = PGUndef).
                  { assert (ZMap.get res (AbstractDataType.pperm a) = PGUndef).
                    { inv sh_shared_inv_re.
                      assert (Htemp: ZMap.get res (AbstractDataType.pperm a) = PGUndef ∨
                                     ZMap.get res (AbstractDataType.pperm a) ≠ PGUndef).
                      { destruct (ZMap.get res (AbstractDataType.pperm a)); eauto.
                        right.
                        intro contra.
                        inv contra.
                        right.
                        intro contra.
                        inv contra. }
                      destruct Htemp; eauto.
                      unfold valid_AT_log_type_B in valid_AT_log_inv.
                      unfold valid_AT_log_B in valid_AT_log_inv.
                      destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                      eapply valid_B_Cal_AT_log_inv in H; eauto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 res) in H; auto.
                      unfold B_CalAT_log_real in Hdestruct23.
                      assert (∃ atable´,
                                 B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                       (TBSHARED
                                                          (BPALLOCE
                                                             (ZMap.get (AbstractDataType.CPU_ID a)
                                                                       (AbstractDataType.cid a)) z))
                                                       :: AbstractDataType.big_oracle a
                                                       (AbstractDataType.CPU_ID a) l0 ++ l0)
                                              (real_AT (ZMap.init ATUndef)) =
                                 Some atable´).
                      { eauto using B_CalAT_log_sub_log_exist. }
                      destruct H2.
                      assert (ZMap.get res x = ATValid true ATNorm).
                      simpl in H2.
                      unfold B_CalAT_log_real in Hdestruct13.
                      rewrite big_oracle_re, CPU_ID_re in Hdestruct13.
                      rewrite Hdestruct13 in H2.
                      rewrite zeq_false in H2; auto.
                      destruct a1 as (? & a1´ & ?).
                      rewrite a1´ in H2.
                      inv H2.
                      rewrite ZMap.gso; auto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H2 Hdestruct23 res) in H3; auto.
                      destruct a3 as (? & a3´ & ?).
                      rewrite a3´ in H3.
                      inv H3.
                      rewrite <- big_log_re; auto. }
                    unfold a´.
                    simpl.
                    rewrite ZMap.gso; auto. }
                  unfold a´ in H.
                  simpl in H.
                  inv inv_re.
                  rewrite ZMap.gso in H; [ | apply pperm_disjoint ].
                  assert (ZMap.get res (pperm p0) = PGUndef).
                  { unfold pperm_inject in pperm_re.
                    generalize (pperm_re res).
                    rewrite H.
                    intros.
                    destruct (ZMap.get res (pperm p0)); auto; try inv H2. }
                  assert (∀ id, ZMap.get id (HP p0) =
                                     ZMap.get id (FlatMem.free_page res (HP p0))).
                  { intros.
                    eapply dirty_page_per_thread_inv; auto. }
                  assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                                     = ZMap.get id (FlatMem.free_page res (AbstractDataType.HP a))).
                  { intros.
                    inv sh_shared_inv_re.
                    eapply dirty_page_shared_inv; eauto. }
                  intros v ofs TY Htemp1 Htemp2 Htemp3.
                  generalize Htemp3; intros Htemp´.
                  eapply flatmem_re with (1:= Htemp1) (2:= Htemp2) in Htemp´.
                  eapply abs_rel_free_page_mem_related_prop2 with
                      (1:= H2) (2:= H3) (3:= H4) (4:= Htemp1) (5:= Htemp2) (6:= Htemp3) in Htemp´; eauto.

                - unfold relate_AC_per_pd in *; simpl.
                  simpl.
                  rewrite Hdestruct21.
                  rewrite Hdestruct21 in AC_re.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  rewrite ZMap.gso; auto.
                  unfold B_GetContainerUsed´ in AC_re; rewrite Hdestruct11 in AC_re.
                  auto.
                - rewrite zeq_false in ti_re; auto.
                  rewrite zeq_false; auto.
                - set (a´ := ((((a {big_log
                                    : BigDef(TBEVENT (AbstractDataType.CPU_ID a)
                                                     (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a)
                                                                                   (AbstractDataType.cid a)) z))
                                                     :: AbstractDataType.big_oracle a
                                                     (AbstractDataType.CPU_ID a) l0 ++
                                                     l0)}) {LAT : ZMap.set z (LATCValid nil) (LAT a)})
                                 {pperm : ZMap.set z PGAlloc (AbstractDataType.pperm a)})
                                {AC : ZMap.set (Int.unsigned n)
                                               {| cquota := cquota (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cusage := cusage (ZMap.get (Int.unsigned n) (AbstractDataType.AC a)) + 1;
                                                  cparent := cparent (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cchildren := cchildren (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cused := cused (ZMap.get (Int.unsigned n) (AbstractDataType.AC a))
                                               |}
                                               (AbstractDataType.AC a)})).
                  assert (ZMap.get res (AbstractDataType.pperm a´) = PGUndef).
                  { assert (ZMap.get res (AbstractDataType.pperm a) = PGUndef).
                    { inv sh_shared_inv_re.
                      assert (Htemp: ZMap.get res (AbstractDataType.pperm a) = PGUndef ∨
                                     ZMap.get res (AbstractDataType.pperm a) ≠ PGUndef).
                      { destruct (ZMap.get res (AbstractDataType.pperm a)); eauto.
                        right.
                        intro contra.
                        inv contra.
                        right.
                        intro contra.
                        inv contra. }
                      destruct Htemp; eauto.
                      unfold valid_AT_log_type_B in valid_AT_log_inv.
                      unfold valid_AT_log_B in valid_AT_log_inv.
                      destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                      eapply valid_B_Cal_AT_log_inv in H; eauto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 res) in H; auto.
                      unfold B_CalAT_log_real in Hdestruct23.
                      assert (∃ atable´,
                                 B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                       (TBSHARED
                                                          (BPALLOCE
                                                             (ZMap.get (AbstractDataType.CPU_ID a)
                                                                       (AbstractDataType.cid a)) z))
                                                       :: AbstractDataType.big_oracle a
                                                       (AbstractDataType.CPU_ID a) l0 ++ l0)
                                              (real_AT (ZMap.init ATUndef)) =
                                 Some atable´).
                      { eauto using B_CalAT_log_sub_log_exist. }
                      destruct H2.
                      assert (ZMap.get res x = ATValid true ATNorm).
                      simpl in H2.
                      unfold B_CalAT_log_real in Hdestruct13.
                      rewrite big_oracle_re, CPU_ID_re in Hdestruct13.
                      rewrite Hdestruct13 in H2.
                      rewrite zeq_false in H2; auto.
                      destruct a1 as (? & a1´ & ?).
                      rewrite a1´ in H2.
                      inv H2.
                      rewrite ZMap.gso; auto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H2 Hdestruct23 res) in H3; auto.
                      destruct a3 as (? & a3´ & ?).
                      rewrite a3´ in H3.
                      inv H3.
                      rewrite <- big_log_re; auto. }
                    unfold a´.
                    simpl.
                    rewrite ZMap.gso; auto. }
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H2; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H2; auto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H2.
                    inv H2.
                    rewrite <- big_log_re; auto. }
                  unfold pperm_inject in ×.
                  intros.
                  generalize (pperm_re i0).
                  intros.
                  case_eq (zeq i0 res); intros.
                  + subst.
                    unfold a´ in H; simpl in H.
                    rewrite ZMap.gso in H; [ | auto ].
                    rewrite H in H3.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct.
                    auto.
                    inv H3.
                    inv H3.
                  + rewrite ZMap.gso; auto.
                    rewrite ZMap.gso; auto.
                    case_eq (zeq i0 z); intros; subst.
                    × rewrite H2 in H3.
                      repeat match goal with
                             | [H: context[if _ then _ else _] |- _] ⇒ clear H
                             end.
                      subdestruct.
                      auto.
                      inv H3.
                      inv H3.
                    × rewrite ZMap.gso; auto.
                - rewrite Hdestruct21.
                  auto.
                - subst; rewrite ZMap.gso.
                  rewrite Hdestruct21.
                  rewrite ZMap.gso.
                  auto.
                  auto.
                  auto.
                - rewrite zeq_false; auto.
                  rewrite zeq_false in ipt_re; auto.
                - auto.
                - auto.
                - unfold relate_SyncChanPool_per_pd.
                  simpl.
                  rewrite Hdestruct21.
                  rewrite Hflag_CPU_ID.
                  rewrite zeq_true; auto.
                - unfold relate_uctxt_per_pd in *; simpl.
                  simpl.
                  rewrite Hdestruct21.
                  rewrite Hdestruct21 in uctxt_re.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
                  auto.
                - auto.
                - auto.
                - auto.
                - inv inv_re; constructor; simpl.
                  intros.
                  apply dirty_page_per_thread_inv; auto.
                - constructor. }
            - inv sh_shared_inv_re; constructor; simpl.
              + intros.
                assert (∀ i : ZIndexed.t,
                           ZMap.get i (AbstractDataType.pperm a) = PGUndef →
                           ∀ res,
                             ZMap.get res (AbstractDataType.HP a) =
                             ZMap.get res (FlatMem.free_page i (AbstractDataType.HP a))).
                { intros; apply dirty_page_shared_inv; auto. }
                intros.
                rewrite ZMap.set2 in H.
                case_eq (zeq i res); intros; subst.
                × rewrite ZMap.gss in H.
                  inv H.
                × rewrite ZMap.gso in H; [ | auto ].
                  exploit single_dirty_ppage´_gso_alloc.
                  { unfold single_dirty_ppage´.
                    apply H1. }
                  { exact H. }
                  { intros.
                    instantiate (1:= res0) in H3.
                    apply abs_rel_flatmem_free_page_prop1; auto. }
              + rewrite Hdestruct8; intro contra; inv contra.
              + rewrite Hdestruct8; intro contra; inv contra.
              + rewrite Hdestruct8; intro contra; inv contra.
              + rewrite Hflag_CPU_ID.
                rewrite zeq_true.
                intros.
                unfold B_inLock in syncchpool_inv.
                rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
                apply syncchpool_inv in H.
                rewrite <- H.
                symmetry.
                rewrite e.
                rewrite <- Hflag_CPU_ID.
                unfold B_GetlastPush.
                erewrite single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
                assert (B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                          (big_oracle (update init_shared_adt l)
                                                      (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                        B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                          (TBEVENT (CPU_ID (update init_shared_adt l))
                                                   (TBSHARED
                                                      (BPALLOCE
                                                         (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                   (cid (update init_shared_adt l))) z))
                                                   :: big_oracle (update init_shared_adt l)
                                                   (CPU_ID (update init_shared_adt l)) l0 ++ l0)).
                { simpl; auto. }
                rewrite H1.
                clear H1.
                rewrite <- Hflag_big_oracle.
                eapply single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
              + intros.
                apply container_used_inv in H.
                unfold B_GetContainerUsed´ in H.
                rewrite Hdestruct11 in H.
                rewrite e.
                rewrite <- Hflag_big_oracle.
                rewrite <- Hflag_CPU_ID.
                erewrite HGetUsedpreserve_double; eauto.
                case_eq (zeq tid (Int.unsigned n)); intros; subst.
                × rewrite e.
                  rewrite ZMap.gss.
                  simpl.
                  rewrite <- Hdestruct12.
                  auto.
                × rewrite <- e.
                  rewrite ZMap.gso; auto.
              + intros.
                apply uctxt_used_inv.
                unfold B_GetContainerUsed´.
                rewrite Hdestruct11.
                rewrite <- H.
                rewrite e.
                rewrite <- Hflag_big_oracle.
                rewrite <- Hflag_CPU_ID.
                symmetry.
                apply HGetUsedpreserve_double; eauto.
              + unfold valid_AT_log_type_B.
                intros; inv Hdef.
                unfold valid_AT_log_B.
                unfold B_CalAT_log_real.
                unfold B_CalAT_log_real in Hdestruct23.
                rewrite e.
                rewrite Hdestruct8 in sh_cid_re.
                rewrite sh_cid_re.
                simpl.
                rewrite Hdestruct23.
                rewrite zeq_false; auto.
                destruct a3 as (a3´ & a3´´ & a3´´´); rewrite a3´´.
                esplit; auto.
              + assert (valid_TCB_log_type_B (BigDef (TBEVENT (AbstractDataType.CPU_ID a)
                                                              (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                              :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                              l0 ++ l0))).
                { unfold valid_TCB_log_type_B.
                  intros ? Hdef.
                  inv Hdef.
                  destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                  unfold valid_TCB_oracle_B in Htemp2.
                  generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
                  generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
                  unfold valid_TCB_log_B in ×.
                  revert Hvalid_oracle_log.
                  unfold B_CalTCB_log_real.
                  unfold B_CalTCB_log.
                  simpl.
                  rewrite sh_big_oracle_re in ×.
                  rewrite sh_CPU_ID_re in ×.
                  clear.
                  intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
                  subdestruct.
                  inv H.
                  esplit; auto. }
                unfold valid_TCB_log_type_B.
                intros.
                inversion Hdef; substx.
                destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                clear Hdef.
                rewrite sh_big_oracle_re in ×.
                rewrite sh_CPU_ID_re in ×.
                replace (AbstractDataType.big_oracle a) with
                    (AbstractDataType.big_oracle a
                                                 {big_log: BigDef
                                                             (TBEVENT (AbstractDataType.CPU_ID a)
                                                                      (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                                      :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                      l0 ++ l0)}) in H, Htemp2.
                unfold valid_TCB_oracle_B in Htemp2.
                unfold valid_TCB_log_type_B in H.
                exploit H; intros.
                reflexivity.
                generalize (Htemp2 _ (AbstractDataType.CPU_ID a) H1); intros Hvalid_oracle_log.
                unfold valid_TCB_log_B in ×.
                revert Hvalid_oracle_log.
                unfold B_CalTCB_log_real.
                unfold B_CalTCB_log.
                simpl.
                clear.
                intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
                subdestruct.
                esplit; auto.
              + auto.
              + intros.
                case_eq (zeq i res); intros; subst.
                { inv H1.
                  unfold B_CalAT_log_real in H2.
                  simpl in H2.
                  unfold B_CalAT_log_real in Hdestruct23.
                  rewrite Hdestruct23 in H2.
                  rewrite zeq_false in H2; auto.
                  intros; subst.
                  rewrite ZMap.gss in H.
                  clear Hdestruct23.
                  case_eq (ZMap.get res a2).
                  { intros.
                    rewrite H1 in H2.
                    destruct b; inv H2.
                    destruct t; inv H6.
                    rewrite ZMap.gss.
                    auto. }
                  { intros.
                    rewrite H1 in H2; inv H2. } }
                { rewrite ZMap.gso in H; auto.
                  rewrite ZMap.gso in H; auto.
                  case_eq (zeq i z); intros; subst.
                  { inv H1.
                    unfold B_CalAT_log_real in H2.
                    simpl in H2.
                    unfold B_CalAT_log_real in Hdestruct23.
                    rewrite Hdestruct23 in H2.
                    rewrite zeq_false in H2; auto.
                    intros; subst.
                    rewrite ZMap.gss in H.
                    case_eq (ZMap.get res a2).
                    { intros.
                      rewrite H1 in H2.
                      destruct b; inv H2.
                      destruct t; inv H7.
                      rewrite ZMap.gso; auto.
                      assert (∃ atable´,
                                 B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                       (TBSHARED
                                                          (BPALLOCE
                                                             (ZMap.get (AbstractDataType.CPU_ID a)
                                                                       (AbstractDataType.cid a)) z))
                                                       :: AbstractDataType.big_oracle a
                                                       (AbstractDataType.CPU_ID a) l0 ++ l0)
                                              (real_AT (ZMap.init ATUndef)) =
                                 Some atable´).
                      { eauto using B_CalAT_log_sub_log_exist. }
                      destruct H2.
                      assert (ZMap.get z x = ATValid true ATNorm).
                      simpl in H2.
                      unfold B_CalAT_log_real in Hdestruct13.
                      rewrite <- sh_CPU_ID_re in H2.
                      rewrite <- sh_big_oracle_re in H2.
                      rewrite Hdestruct13 in H2.
                      rewrite zeq_false in H2; auto.
                      destruct a1 as (? & a1´ & ?).
                      rewrite a1´ in H2.
                      inv H2.
                      rewrite ZMap.gss; auto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H2 Hdestruct23 z) in H6; auto. }
                    intros.
                    rewrite H1 in H2.
                    inv H2. }
                  { intros.
                    rewrite ZMap.gso in H; eauto.
                    inv H1.
                    destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                    unfold valid_AT_oracle_B in Htemp3.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
                    generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
                      intros Hvalid_AT_oracle_res.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
                    eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
                    assert (∃ atable´,
                               B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                     (TBSHARED
                                                        (BPALLOCE
                                                           (ZMap.get (AbstractDataType.CPU_ID a)
                                                                     (AbstractDataType.cid a)) z))
                                                     :: AbstractDataType.big_oracle a
                                                     (AbstractDataType.CPU_ID a) l0 ++ l0)
                                            (real_AT (ZMap.init ATUndef)) =
                               Some atable´).
                    { eauto using B_CalAT_log_sub_log_exist. }
                    destruct H1.
                    assert (ZMap.get i x = ATValid true ATNorm).
                    simpl in H1.
                    unfold B_CalAT_log_real in Hdestruct13.
                    case_eq (B_CalAT_log (AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                      l0 ++ l0)
                                         (real_AT (ZMap.init ATUndef))); intros.
                    rewrite H6 in H1.
                    rewrite zeq_false in H1; auto.
                    subdestruct.
                    inv H1.
                    rewrite ZMap.gso; auto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H6 i H); eauto.
                    rewrite H6 in H1.
                    inv H1.
                    unfold B_CalAT_log_real in H2, Hdestruct23.
                    simpl in H2, Hdestruct23.
                    rewrite Hdestruct23 in H2.
                    rewrite zeq_false in H2; eauto.
                    destruct a3 as (? & a3´ & ?).
                    rewrite a3´ in H2.
                    inv H2.
                    rewrite ZMap.gso; auto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct23 i) in H6; auto.
                    rewrite <- sh_big_log_re.
                    auto. } }
            - assert (Hres_undef: ZMap.get res (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get res (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get res (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get res (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 res) in H; auto.
                unfold B_CalAT_log_real in Hdestruct23.
                assert (∃ atable´,
                           B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                 (TBSHARED
                                                    (BPALLOCE
                                                       (ZMap.get (AbstractDataType.CPU_ID a)
                                                                 (AbstractDataType.cid a)) z))
                                                 :: AbstractDataType.big_oracle a
                                                 (AbstractDataType.CPU_ID a) l0 ++ l0)
                                        (real_AT (ZMap.init ATUndef)) =
                           Some atable´).
                { eauto using B_CalAT_log_sub_log_exist. }
                destruct H1.
                assert (ZMap.get res x = ATValid true ATNorm).
                simpl in H1.
                unfold B_CalAT_log_real in Hdestruct13.
                rewrite sh_big_oracle_re, sh_CPU_ID_re in Hdestruct13.
                rewrite Hdestruct13 in H1.
                rewrite zeq_false in H1; auto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H1.
                inv H1.
                rewrite ZMap.gso; auto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct23 res) in H2; auto.
                destruct a3 as (? & a3´ & ?).
                rewrite a3´ in H2.
                inv H2.
                rewrite <- sh_big_log_re; auto. }
              assert (Hz_undef: ZMap.get z (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H.
                inv H.
                rewrite <- sh_big_log_re; auto. }
              inv sh_mem_inv_re.
              constructor; simpl; auto.
              intros.
              case_eq (zeq i (Int.unsigned n)).
              { intros; subst.
                rewrite ZMap.gss in H1.
                inv H1; subst; simpl.
                simpl in H3.
                case_eq (zeq j (Int.unsigned n)).
                { intros; subst; simpl.
                  rewrite ZMap.gss in H2.
                  inv H2; simpl.
                  elim H; reflexivity. }
                { intros; rewrite ZMap.gso in H2; auto.
                  case_eq (zeq j0 res); intros.
                  - subst.
                    rewrite ZMap.gss in H3.
                    generalize (per_data_re j).
                    rewrite H2.
                    intros.
                    inv H7.
                    generalize (pperm_re res).
                    intros.
                    rewrite Hres_undef in H7.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct; try (inv H7; fail).
                    reflexivity.
                  - case_eq (zeq j0 z); intros.
                    + subst.
                      rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gss in H3.
                      generalize (per_data_re j).
                      rewrite H2.
                      intros.
                      inv H8.
                      generalize (pperm_re z).
                      intros.
                      rewrite Hz_undef in H8.
                      repeat match goal with
                             | [H: context[if _ then _ else _] |- _] ⇒ clear H
                             end.
                      subdestruct; try (inv H8; fail).
                      reflexivity.
                    + rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gso in H3; auto.
                      eapply pperm_disjoint0 in H2; eauto.
                      rewrite e; eauto. } }
              { intros; subst; rewrite ZMap.gso in H1; auto.
                case_eq (zeq j (Int.unsigned n)); intros; subst.
                - rewrite ZMap.gss in H2.
                  inv H2; simpl.
                  case_eq (zeq j0 res); intros.
                  + subst.
                    generalize (per_data_re i).
                    rewrite H1.
                    intros.
                    inv H7.
                    generalize (pperm_re res).
                    intros.
                    rewrite Hres_undef in H7.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct; try (inv H7; fail).
                    elim H3; reflexivity.
                  + case_eq (zeq j0 z); intros.
                    × subst.
                      generalize (per_data_re i).
                      rewrite H1.
                      intros.
                      inv H8.
                      generalize (pperm_re z).
                      intros.
                      rewrite Hz_undef in H8.
                      repeat match goal with
                             | [H: context[if _ then _ else _] |- _] ⇒ clear H
                             end.
                      subdestruct; try (inv H8; fail).
                      elim H3; reflexivity.
                    × rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                      eapply pperm_disjoint0 in H; eauto.
                      rewrite e; eauto.
                - rewrite ZMap.gso in H2; auto.
                  eapply (pperm_disjoint0 i j); eauto. } }
          { simpl.
            rewrite <- e.
            rewrite Hflag_big_oracle.
            rewrite Hflag_CPU_ID.
            reflexivity. }
           Qed.

  Lemma second_PTEUndef:
    ∀ (l : Log) (dp : ZMap.t (option privData)) (a : RData) (n : int) (vadr : int) (perm : int)
           (d : privData) (res : Z) (kctxt_pool : KContextPool) (z : Z) (in_event : has_event pt_resv = true)
           (prim_num : prim_id_num pt_resv = 2)
           (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
           (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
           (e : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (e0 : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
           (Hdestruct1 : zeq (Int.unsigned n)
                             (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
                         left e0)
           (Hdestruct : True)
           (Hdestruct3 : ikern d = true)
           (Hdestruct4 : ihost d = true)
           (Hdestruct5 : ipt d = true)
           (l0 : BigLog)
           (Hdestruct11 : big_log (update init_shared_adt l) = BigDef l0)
           (Hdestruct6 : B_inLock_aux (CPU_ID (update init_shared_adt l)) l0 = false)
           (Hdestruct7 : (cusage (AC d) <? cquota (AC d)) = true)
           (Hdestruct8 : init (update init_shared_adt l) = true)
           (Hdestruct9 : pg (update init_shared_adt l) = true)
           (Hdestruct10 : ZMap.get 0 (lock (update init_shared_adt l)) = LockFalse)
           (Hdestruct12 : B_GetContainerUsed
                            (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                            (CPU_ID (update init_shared_adt l)) l0 = true)
           (a0 : ATable)
           (Hdestruct13 : B_CalAT_log_real
                            (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                          Some a0)
           (n0 : z ≠ 0)
           (Hdestruct2 : zeq z 0 = right n0)
           (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
           (HGetUsed´ : B_GetContainerUsed (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (CPU_ID (update init_shared_adt l)) l0 = true)
           (Hcused : cused
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (AbstractDataType.AC a)) = true)
           (HAC_eq : AC d =
                     ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (AbstractDataType.AC a))
           (Hper_data_rel : relate_RData_per_pd
                    (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                    (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              kctxt_pool) (update init_shared_adt l) d a)
           (a1 : 0 < z < nps (update init_shared_adt l) ∧
                 ZMap.get z a0 = ATValid false ATNorm ∧
                 (∀ x : Z, 0 < x < z → ZMap.get x a0 ≠ ATValid false ATNorm))
           (Hdestruct14 : first_free a0 (nps (update init_shared_adt l)) =
                          inleft
                  (exist
                     (fun n1 : Z ⇒
                        0 < n1 < nps (update init_shared_adt l) ∧
                        ZMap.get n1 a0 = ATValid false ATNorm ∧
                        (∀ x : Z, 0 < x < n1 → ZMap.get x a0 ≠ ATValid false ATNorm)) z a1))
           (n1 : z ≠ 0)
           (Hdestruct16 : zeq z 0 = right n1)
           (Hdestruct0 : pt_Arg (Int.unsigned n) (Int.unsigned vadr) z (nps (update init_shared_adt l)) = true)
           (p : PTPerm)
           (Hdestruct15 : ZtoPerm (Int.unsigned perm) = Some p)
           (Hdestruct17 : ZMap.get (PDX (Int.unsigned vadr)) (ZMap.get (Int.unsigned n) (ptpool d)) = PDEUnPresent)
           (Hdestruct19 : pt_Arg´ (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                  (Int.unsigned vadr) = true)
           (Hdestruct22 : (cusage (AC d) + 1 <? cquota (AC d)) = true)
           (a2 : ATable)
           (Hdestruct23 : B_CalAT_log_real
                            (AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                         (TBEVENT (AbstractDataType.CPU_ID a)
                                                                  (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                                                                  :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
                                                         TBEVENT (AbstractDataType.CPU_ID a)
                                                         (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                                                         :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) =
                          Some a2)
           (Hflag_ikern : ikern d = AbstractDataType.ikern a)
           (Hflag_ihost : ihost d = AbstractDataType.ihost a)
           (Hflag_pg : pg (update init_shared_adt l) = AbstractDataType.pg a)
           (Hflag_ipt : ipt d = AbstractDataType.ipt a)
           (Hflag_CPU_ID : CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a)
           (Hflag_nps : nps (update init_shared_adt l) = AbstractDataType.nps a)
           (Hflag_big_log : big_log (update init_shared_adt l) = AbstractDataType.big_log a)
           (Hflag_big_oracle : big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a)
           (Hflag_lock : lock (update init_shared_adt l) = AbstractDataType.lock a)
           (Hflag_ptp : ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))
           (n2 : res ≠ 0)
           (Hdestruct20 : zeq res 0 = right n2)
           (a3 : 0 < res < nps (update init_shared_adt l) ∧
                 ZMap.get res a2 = ATValid false ATNorm ∧
                 (∀ x : Z, 0 < x < res → ZMap.get x a2 ≠ ATValid false ATNorm))
           (Hdestruct24 : first_free a2 (nps (update init_shared_adt l)) =
                          inleft
                            (exist
                               (fun n3 : Z ⇒
                                  0 < n3 < nps (update init_shared_adt l) ∧
                                  ZMap.get n3 a2 = ATValid false ATNorm ∧
                                  (∀ x : Z, 0 < x < n3 → ZMap.get x a2 ≠ ATValid false ATNorm)) res a3))
           (n3 : res ≠ 0)
           (n4 : res ≠ 0)
           (Hdestruct27 : zeq res 0 = right n4)
           (Hdestruct26 : True)
           (Hdestruct18 : ZMap.get (PTX (Int.unsigned vadr)) CalRealInitPTE.real_init_PTE = PTEUndef)
           (Hflag_cid : ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)) =
                        ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a))
           (pperm_disjoint : res ≠ z),
  ∃ (a´ : RData) (res´ : Z),
     Some
       (((((((((((((a {big_log
                    : BigDef
                        (TBEVENT (AbstractDataType.CPU_ID a)
                           (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                         :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}) {LAT
                   : ZMap.set z (LATCValid nil) (LAT a)}) {pperm :
                  ZMap.set z PGAlloc (AbstractDataType.pperm a)}) {AC
                 : ZMap.set (Int.unsigned n)
                     {|
                     cquota := cquota (AC d);
                     cusage := cusage (AC d) + 1;
                     cparent := cparent (AC d);
                     cchildren := cchildren (AC d);
                     cused := true |} (AbstractDataType.AC a)}) {big_log
                : BigDef
                    (TBEVENT (AbstractDataType.CPU_ID a)
                       (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) res))
                     :: AbstractDataType.big_oracle a
                          (AbstractDataType.CPU_ID a)
                          (TBEVENT (AbstractDataType.CPU_ID a)
                             (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                           :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
                        TBEVENT (AbstractDataType.CPU_ID a)
                          (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                        :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}) {LAT
               : ZMap.set res (LATCValid nil) (ZMap.set z (LATCValid nil) (LAT a))}) {pperm
              : ZMap.set res PGAlloc (ZMap.set z PGAlloc (AbstractDataType.pperm a))}) {AC
             : ZMap.set (Int.unsigned n)
                 {|
                 cquota := cquota (AC d);
                 cusage := cusage (AC d) + 1 + 1;
                 cparent := cparent (AC d);
                 cchildren := cchildren (AC d);
                 cused := true |} (AbstractDataType.AC a)}) {HP :
            FlatMem.free_page res (AbstractDataType.HP a)}) {pperm
           : ZMap.set res (PGHide (PGPMap (Int.unsigned n) (PDX (Int.unsigned vadr))))
               (ZMap.set res PGAlloc (ZMap.set z PGAlloc (AbstractDataType.pperm a)))}) {ptpool
          : ZMap.set (Int.unsigned n)
              (ZMap.set (PDX (Int.unsigned vadr)) (PDEValid res CalRealInitPTE.real_init_PTE)
                 (ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a)))
              (AbstractDataType.ptpool a)}) {LAT
         : ZMap.set z (LATCValid (LATO (Int.unsigned n) (PDX (Int.unsigned vadr)) (PTX (Int.unsigned vadr)) :: nil))
             (ZMap.set res (LATCValid nil) (ZMap.set z (LATCValid nil) (LAT a)))}) {ptpool
        : ZMap.set (Int.unsigned n)
            (ZMap.set (PDX (Int.unsigned vadr))
               (PDEValid res (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) CalRealInitPTE.real_init_PTE))
               (ZMap.set (PDX (Int.unsigned vadr))
                  (PDEValid res CalRealInitPTE.real_init_PTE)
                  (ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))))
            (ZMap.set (Int.unsigned n)
               (ZMap.set (PDX (Int.unsigned vadr))
                  (PDEValid res CalRealInitPTE.real_init_PTE)
                  (ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a)))
               (AbstractDataType.ptpool a))}, res) =
     Some (a´, res´) ∧
     relate_RData kctxt_pool
       (update init_shared_adt l) { sh_big_log
       : BigDef
           (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) res))
            :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                 (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                  :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
               TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
               :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}
       (ZMap.set (Int.unsigned n)
          (Some
             ((((d { pv_AC
                 : {|
                   cquota := cquota (AC d);
                   cusage := cusage (AC d) + 1 + 1;
                   cparent := cparent (AC d);
                   cchildren := cchildren (AC d);
                   cused := cused (AC d) |}}) { pv_HP :
                FlatMem.free_page res (HP d)}) { pv_pperm
               : ZMap.set res
                   (PGHide
                      (PGPMap (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                         (PDX (Int.unsigned vadr))))
                   (ZMap.set res PGAlloc (ZMap.set z PGAlloc (pperm d)))}) { pv_ptpool
              : ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                  (ZMap.set (PDX (Int.unsigned vadr))
                     (PDEValid res CalRealInitPTE.real_init_PTE)
                     (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (ptpool d)))
                  (ptpool d)}) { pv_ptpool
             : ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                 (ZMap.set (PDX (Int.unsigned vadr))
                    (PDEValid res (ZMap.set (PTX (Int.unsigned vadr)) (PTEValid z p) CalRealInitPTE.real_init_PTE))
                    (ZMap.set (PDX (Int.unsigned vadr))
                       (PDEValid res CalRealInitPTE.real_init_PTE)
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (ptpool d))))
                 (ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                    (ZMap.set (PDX (Int.unsigned vadr))
                       (PDEValid res CalRealInitPTE.real_init_PTE)
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (ptpool d)))
                    (ptpool d))}) dp) a´ ∧
     kctxt a = kctxt a´ ∧
     (update init_shared_adt l) { sh_big_log
     : BigDef
         (TBEVENT (CPU_ID (update init_shared_adt l))
            (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) res))
          :: big_oracle (update init_shared_adt l)
               (CPU_ID (update init_shared_adt l))
               (TBEVENT (CPU_ID (update init_shared_adt l))
                  (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) z))
                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
             TBEVENT (CPU_ID (update init_shared_adt l))
               (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) z))
             :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)} =
     (update init_shared_adt l) { sh_big_log
     : BigDef
         (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) res))
          :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
               (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
             TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
             :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)} ∧
     res = res´ ∧
     ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a) = ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
    Proof.
      Transparent update uRData proc_id.
      intros.
          esplit; esplit; eauto.
          refine_split; auto.
          { inv H; simpl; constructor; auto.
            - rewrite e; simpl.
              rewrite Hflag_cid.
              reflexivity.
            - intros.
              generalize (per_data_re i); intros.
              rewrite e.
              case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
              { rewrite ZMap.gss.
                rewrite H0 in H.
                inv H; rewrite zeq_true in ×.
                per_data_auto_simpl´.
                - rewrite Hflag_cid.
                  reflexivity.
                - assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H.
                    inv H.
                    rewrite <- sh_big_log_re; auto. }
                  assert (ZMap.get z (pperm d) = PGUndef).
                  { generalize (pperm_re z).
                    rewrite H.
                    intros.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct; simpl; try inv H2.
                    reflexivity. }
                  inv inv_re.
                  assert (∀ id, ZMap.get id (HP d) = ZMap.get id (FlatMem.free_page z (HP d))).
                  { intros; eapply dirty_page_per_thread_inv; eauto. }
                  assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                                     = ZMap.get id (FlatMem.free_page z (AbstractDataType.HP a))).
                  { inv sh_shared_inv_re.
                    intros.
                    eapply dirty_page_shared_inv; eauto. }
                  intros v ofs TY Htemp1 Htemp2 Htemp3.
                  case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) res).
                  { intros; subst.
                    rewrite ZMap.gss in Htemp1.
                    inv Htemp1. }
                  { intros; subst.
                    rewrite ZMap.gso in Htemp1; [ | auto].
                    rewrite ZMap.gso in Htemp1; [ | auto].
                    case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) z).
                    { intros.
                      rewrite e1 in Htemp1.
                      rewrite <- e1 in H3, H4.
                      clear H7 e1.
                      clear Htemp1.
                      generalize H4; intros Htemp´.
                      eapply abs_rel_palloc_mem_related_prop
                        with (1:= Htemp2) (2:= Htemp3) (3:= H3) in Htemp´.
                      eapply abs_rel_free_page_mem_related_prop1; eauto. }
                    { intros; subst.
                      rewrite ZMap.gso in Htemp1; [ | eauto].
                      generalize Htemp3; intros Htemp´.
                      eapply flatmem_re with (1:= Htemp1) (2:= Htemp2) in Htemp´.
                      eapply abs_rel_free_page_mem_related_prop1; eauto. } }
                - rewrite zeq_true; auto.
                - rewrite zeq_true; auto.
                - unfold relate_AC_per_pd in *; simpl.
                  rewrite ZMap.gss.
                  simpl.
                  rewrite Hdestruct8.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  rewrite Hdestruct12.
                  rewrite <- Hcused.
                  rewrite <- HAC_eq.
                  destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l))
                                          (cid (update init_shared_adt l))) main_thread); auto.
                  destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l))
                                               (cid (update init_shared_adt l))) 1024); auto.
                - rewrite zeq_true; auto.
                - unfold pperm_inject.
                  intros.
                  generalize (pperm_re i); intros.
                  rewrite ZMap.set2.
                  rewrite ZMap.set2.
                  case_eq (zeq i res); intros; subst.
                  + rewrite ZMap.gss.
                    rewrite ZMap.gss.
                    auto.
                  + rewrite ZMap.gso; auto.
                    case_eq (zeq i z); intros; subst.
                    × rewrite ZMap.gss; auto.
                      rewrite ZMap.gso; auto.
                      rewrite ZMap.gss; auto.
                    × rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                - rewrite Hdestruct8.
                  rewrite Hdestruct8 in PT_re; auto.
                  rewrite zeq_true in *; auto.
                - rewrite Hdestruct8.
                  rewrite ZMap.gss.
                  rewrite ZMap.set2.
                  rewrite ZMap.gss.
                  rewrite ZMap.set2.
                  rewrite Hdestruct8 in ptp_re.
                  rewrite ptp_re.
                  reflexivity.
                - rewrite zeq_true; auto.
                - rewrite zeq_true; auto.
                - rewrite zeq_true; auto.
                - unfold relate_SyncChanPool_per_pd; simpl.
                  rewrite Hdestruct8.
                  rewrite Hflag_CPU_ID; rewrite zeq_true; auto.
                - unfold relate_uctxt_per_pd in *; simpl.
                  simpl.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  rewrite Hdestruct12.
                  rewrite Hdestruct8.
                  unfold B_GetContainerUsed´ in uctxt_re.
                  rewrite Hdestruct8, Hdestruct11, Hdestruct12 in uctxt_re.
                  auto.
                - auto.
                - auto.
                - auto.
                - inv inv_re.
                  constructor; simpl.
                  intros.
                  assert (∀ i : ZIndexed.t,
                             ZMap.get i (pperm d) = PGUndef →
                             ∀ res,
                               ZMap.get res (HP d) =
                               ZMap.get res (FlatMem.free_page i (HP d))).
                  { intros; apply dirty_page_per_thread_inv; auto. }
                  intros.
                  rewrite ZMap.set2 in H.
                  case_eq (zeq i res); intros; subst.
                  + rewrite ZMap.gss in H.
                    inv H.
                  + rewrite ZMap.gso in H; [ | auto ].
                    exploit single_dirty_ppage´_gso_alloc.
                    { unfold single_dirty_ppage´.
                      apply H2. }
                    { exact H. }
                    { intros.
                      instantiate (1:= res0) in H4.
                      apply abs_rel_flatmem_free_page_prop1; auto. } }
              { rewrite ZMap.gso; auto.
                subdestruct; simpl in *; auto.
                inv H; simpl in ×.
                rewrite Hdestruct21 in ×.
                per_data_auto_simpl´.
                - simpl; rewrite Hdestruct21; auto.
                - simpl; rewrite Hdestruct21; auto.
                - rewrite Hflag_cid.
                  reflexivity.
                - simpl.
                  set (a´ := ((((a {big_log
                                    : BigDef(TBEVENT (AbstractDataType.CPU_ID a)
                                                     (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a)
                                                                                   (AbstractDataType.cid a)) z))
                                                     :: AbstractDataType.big_oracle a
                                                     (AbstractDataType.CPU_ID a) l0 ++
                                                     l0)}) {LAT : ZMap.set z (LATCValid nil) (LAT a)})
                                 {pperm : ZMap.set z PGAlloc (AbstractDataType.pperm a)})
                                {AC : ZMap.set (Int.unsigned n)
                                               {| cquota := cquota (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cusage := cusage (ZMap.get (Int.unsigned n) (AbstractDataType.AC a)) + 1;
                                                  cparent := cparent (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cchildren := cchildren (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cused := cused (ZMap.get (Int.unsigned n) (AbstractDataType.AC a))
                                               |}
                                               (AbstractDataType.AC a)})).
                  assert (ZMap.get res (AbstractDataType.pperm a´) = PGUndef).
                  { assert (ZMap.get res (AbstractDataType.pperm a) = PGUndef).
                    { inv sh_shared_inv_re.
                      assert (Htemp: ZMap.get res (AbstractDataType.pperm a) = PGUndef ∨
                                     ZMap.get res (AbstractDataType.pperm a) ≠ PGUndef).
                      { destruct (ZMap.get res (AbstractDataType.pperm a)); eauto.
                        right.
                        intro contra.
                        inv contra.
                        right.
                        intro contra.
                        inv contra. }
                      destruct Htemp; eauto.
                      unfold valid_AT_log_type_B in valid_AT_log_inv.
                      unfold valid_AT_log_B in valid_AT_log_inv.
                      destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                      eapply valid_B_Cal_AT_log_inv in H; eauto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 res) in H; auto.
                      unfold B_CalAT_log_real in Hdestruct23.
                      assert (∃ atable´,
                                 B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                       (TBSHARED
                                                          (BPALLOCE
                                                             (ZMap.get (AbstractDataType.CPU_ID a)
                                                                       (AbstractDataType.cid a)) z))
                                                       :: AbstractDataType.big_oracle a
                                                       (AbstractDataType.CPU_ID a) l0 ++ l0)
                                              (real_AT (ZMap.init ATUndef)) =
                                 Some atable´).
                      { eauto using B_CalAT_log_sub_log_exist. }
                      destruct H2.
                      assert (ZMap.get res x = ATValid true ATNorm).
                      simpl in H2.
                      unfold B_CalAT_log_real in Hdestruct13.
                      rewrite big_oracle_re, CPU_ID_re in Hdestruct13.
                      rewrite Hdestruct13 in H2.
                      rewrite zeq_false in H2; auto.
                      destruct a1 as (? & a1´ & ?).
                      rewrite a1´ in H2.
                      inv H2.
                      rewrite ZMap.gso; auto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H2 Hdestruct23 res) in H3; auto.
                      destruct a3 as (? & a3´ & ?).
                      rewrite a3´ in H3.
                      inv H3.
                      rewrite <- big_log_re; auto. }
                    unfold a´.
                    simpl.
                    rewrite ZMap.gso; auto. }
                  unfold a´ in H.
                  simpl in H.
                  inv inv_re.
                  rewrite ZMap.gso in H; [ | apply pperm_disjoint ].
                  assert (ZMap.get res (pperm p0) = PGUndef).
                  { unfold pperm_inject in pperm_re.
                    generalize (pperm_re res).
                    rewrite H.
                    intros.
                    destruct (ZMap.get res (pperm p0)); auto; try inv H2. }
                  assert (∀ id, ZMap.get id (HP p0) =
                                     ZMap.get id (FlatMem.free_page res (HP p0))).
                  { intros.
                    eapply dirty_page_per_thread_inv; auto. }
                  assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                                     = ZMap.get id (FlatMem.free_page res (AbstractDataType.HP a))).
                  { intros.
                    inv sh_shared_inv_re.
                    eapply dirty_page_shared_inv; eauto. }
                  intros v ofs TY Htemp1 Htemp2 Htemp3.
                  generalize Htemp3; intros Htemp´.
                  eapply flatmem_re with (1:= Htemp1) (2:= Htemp2) in Htemp´.
                  eapply abs_rel_free_page_mem_related_prop2 with
                      (1:= H2) (2:= H3) (3:= H4) (4:= Htemp1) (5:= Htemp2) (6:= Htemp3) in Htemp´; eauto.

                - unfold relate_AC_per_pd in *; simpl.
                  simpl.
                  rewrite Hdestruct21.
                  rewrite Hdestruct21 in AC_re.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  rewrite ZMap.gso; auto.
                  unfold B_GetContainerUsed´ in AC_re; rewrite Hdestruct11 in AC_re.
                  auto.
                - rewrite zeq_false in ti_re; auto.
                  rewrite zeq_false; auto.
                - set (a´ := ((((a {big_log
                                    : BigDef(TBEVENT (AbstractDataType.CPU_ID a)
                                                     (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a)
                                                                                   (AbstractDataType.cid a)) z))
                                                     :: AbstractDataType.big_oracle a
                                                     (AbstractDataType.CPU_ID a) l0 ++
                                                     l0)}) {LAT : ZMap.set z (LATCValid nil) (LAT a)})
                                 {pperm : ZMap.set z PGAlloc (AbstractDataType.pperm a)})
                                {AC : ZMap.set (Int.unsigned n)
                                               {| cquota := cquota (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cusage := cusage (ZMap.get (Int.unsigned n) (AbstractDataType.AC a)) + 1;
                                                  cparent := cparent (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cchildren := cchildren (ZMap.get (Int.unsigned n) (AbstractDataType.AC a));
                                                  cused := cused (ZMap.get (Int.unsigned n) (AbstractDataType.AC a))
                                               |}
                                               (AbstractDataType.AC a)})).
                  assert (ZMap.get res (AbstractDataType.pperm a´) = PGUndef).
                  { assert (ZMap.get res (AbstractDataType.pperm a) = PGUndef).
                    { inv sh_shared_inv_re.
                      assert (Htemp: ZMap.get res (AbstractDataType.pperm a) = PGUndef ∨
                                     ZMap.get res (AbstractDataType.pperm a) ≠ PGUndef).
                      { destruct (ZMap.get res (AbstractDataType.pperm a)); eauto.
                        right.
                        intro contra.
                        inv contra.
                        right.
                        intro contra.
                        inv contra. }
                      destruct Htemp; eauto.
                      unfold valid_AT_log_type_B in valid_AT_log_inv.
                      unfold valid_AT_log_B in valid_AT_log_inv.
                      destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                      eapply valid_B_Cal_AT_log_inv in H; eauto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 res) in H; auto.
                      unfold B_CalAT_log_real in Hdestruct23.
                      assert (∃ atable´,
                                 B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                       (TBSHARED
                                                          (BPALLOCE
                                                             (ZMap.get (AbstractDataType.CPU_ID a)
                                                                       (AbstractDataType.cid a)) z))
                                                       :: AbstractDataType.big_oracle a
                                                       (AbstractDataType.CPU_ID a) l0 ++ l0)
                                              (real_AT (ZMap.init ATUndef)) =
                                 Some atable´).
                      { eauto using B_CalAT_log_sub_log_exist. }
                      destruct H2.
                      assert (ZMap.get res x = ATValid true ATNorm).
                      simpl in H2.
                      unfold B_CalAT_log_real in Hdestruct13.
                      rewrite big_oracle_re, CPU_ID_re in Hdestruct13.
                      rewrite Hdestruct13 in H2.
                      rewrite zeq_false in H2; auto.
                      destruct a1 as (? & a1´ & ?).
                      rewrite a1´ in H2.
                      inv H2.
                      rewrite ZMap.gso; auto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H2 Hdestruct23 res) in H3; auto.
                      destruct a3 as (? & a3´ & ?).
                      rewrite a3´ in H3.
                      inv H3.
                      rewrite <- big_log_re; auto. }
                    unfold a´.
                    simpl.
                    rewrite ZMap.gso; auto. }
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H2; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H2; auto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H2.
                    inv H2.
                    rewrite <- big_log_re; auto. }
                  unfold pperm_inject in ×.
                  intros.
                  generalize (pperm_re i0).
                  intros.
                  case_eq (zeq i0 res); intros.
                  + subst.
                    unfold a´ in H; simpl in H.
                    rewrite ZMap.gso in H; [ | auto ].
                    rewrite H in H3.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct.
                    auto.
                    inv H3.
                    inv H3.
                  + rewrite ZMap.gso; auto.
                    rewrite ZMap.gso; auto.
                    case_eq (zeq i0 z); intros; subst.
                    × rewrite H2 in H3.
                      repeat match goal with
                             | [H: context[if _ then _ else _] |- _] ⇒ clear H
                             end.
                      subdestruct.
                      auto.
                      inv H3.
                      inv H3.
                    × rewrite ZMap.gso; auto.
                - rewrite Hdestruct21.
                  auto.
                - subst; rewrite ZMap.gso.
                  rewrite Hdestruct21.
                  rewrite ZMap.gso.
                  auto.
                  auto.
                  auto.
                - rewrite zeq_false; auto.
                  rewrite zeq_false in ipt_re; auto.
                - auto.
                - auto.
                - unfold relate_SyncChanPool_per_pd.
                  simpl.
                  rewrite Hdestruct21.
                  rewrite Hflag_CPU_ID.
                  rewrite zeq_true; auto.
                - unfold relate_uctxt_per_pd in *; simpl.
                  simpl.
                  rewrite Hdestruct21.
                  rewrite Hdestruct21 in uctxt_re.
                  rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                  erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                  unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
                  auto.
                - auto.
                - auto.
                - auto.
                - inv inv_re; constructor; simpl.
                  intros.
                  apply dirty_page_per_thread_inv; auto.
                - constructor. }
            - inv sh_shared_inv_re; constructor; simpl.
              + intros.
                assert (∀ i : ZIndexed.t,
                           ZMap.get i (AbstractDataType.pperm a) = PGUndef →
                           ∀ res,
                             ZMap.get res (AbstractDataType.HP a) =
                             ZMap.get res (FlatMem.free_page i (AbstractDataType.HP a))).
                { intros; apply dirty_page_shared_inv; auto. }
                intros.
                rewrite ZMap.set2 in H.
                case_eq (zeq i res); intros; subst.
                × rewrite ZMap.gss in H.
                  inv H.
                × rewrite ZMap.gso in H; [ | auto ].
                  exploit single_dirty_ppage´_gso_alloc.
                  { unfold single_dirty_ppage´.
                    apply H1. }
                  { exact H. }
                  { intros.
                    instantiate (1:= res0) in H3.
                    apply abs_rel_flatmem_free_page_prop1; auto. }
              + rewrite Hdestruct8; intro contra; inv contra.
              + rewrite Hdestruct8; intro contra; inv contra.
              + rewrite Hdestruct8; intro contra; inv contra.
              + rewrite Hflag_CPU_ID.
                rewrite zeq_true.
                intros.
                unfold B_inLock in syncchpool_inv.
                rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
                apply syncchpool_inv in H.
                rewrite <- H.
                symmetry.
                rewrite e.
                rewrite <- Hflag_CPU_ID.
                unfold B_GetlastPush.
                erewrite single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
                assert (B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                          (big_oracle (update init_shared_adt l)
                                                      (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                        B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                          (TBEVENT (CPU_ID (update init_shared_adt l))
                                                   (TBSHARED
                                                      (BPALLOCE
                                                         (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                   (cid (update init_shared_adt l))) z))
                                                   :: big_oracle (update init_shared_adt l)
                                                   (CPU_ID (update init_shared_adt l)) l0 ++ l0)).
                { simpl; auto. }
                rewrite H1.
                clear H1.
                rewrite <- Hflag_big_oracle.
                eapply single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
              + intros.
                apply container_used_inv in H.
                unfold B_GetContainerUsed´ in H.
                rewrite Hdestruct11 in H.
                rewrite e.
                rewrite <- Hflag_big_oracle.
                rewrite <- Hflag_CPU_ID.
                erewrite HGetUsedpreserve_double; eauto.
                case_eq (zeq tid (Int.unsigned n)); intros; subst.
                × rewrite e.
                  rewrite ZMap.gss.
                  simpl.
                  rewrite <- Hdestruct12.
                  auto.
                × rewrite <- e.
                  rewrite ZMap.gso; auto.
              + intros.
                apply uctxt_used_inv.
                unfold B_GetContainerUsed´.
                rewrite Hdestruct11.
                rewrite <- H.
                rewrite e.
                rewrite <- Hflag_big_oracle.
                rewrite <- Hflag_CPU_ID.
                symmetry.
                apply HGetUsedpreserve_double; eauto.
              + unfold valid_AT_log_type_B.
                intros; inv Hdef.
                unfold valid_AT_log_B.
                unfold B_CalAT_log_real.
                unfold B_CalAT_log_real in Hdestruct23.
                rewrite e.
                rewrite Hdestruct8 in sh_cid_re.
                rewrite sh_cid_re.
                simpl.
                rewrite Hdestruct23.
                rewrite zeq_false; auto.
                destruct a3 as (a3´ & a3´´ & a3´´´); rewrite a3´´.
                esplit; auto.
              + assert (valid_TCB_log_type_B (BigDef (TBEVENT (AbstractDataType.CPU_ID a)
                                                              (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                              :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                              l0 ++ l0))).
                { unfold valid_TCB_log_type_B.
                  intros ? Hdef.
                  inv Hdef.
                  destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                  unfold valid_TCB_oracle_B in Htemp2.
                  generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
                  generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
                  unfold valid_TCB_log_B in ×.
                  revert Hvalid_oracle_log.
                  unfold B_CalTCB_log_real.
                  unfold B_CalTCB_log.
                  simpl.
                  rewrite sh_big_oracle_re in ×.
                  rewrite sh_CPU_ID_re in ×.
                  clear.
                  intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
                  subdestruct.
                  inv H.
                  esplit; auto. }
                unfold valid_TCB_log_type_B.
                intros.
                inversion Hdef; substx.
                destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                clear Hdef.
                rewrite sh_big_oracle_re in ×.
                rewrite sh_CPU_ID_re in ×.
                replace (AbstractDataType.big_oracle a) with
                    (AbstractDataType.big_oracle a
                                                 {big_log: BigDef
                                                             (TBEVENT (AbstractDataType.CPU_ID a)
                                                                      (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                                      :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                      l0 ++ l0)}) in H, Htemp2.
                unfold valid_TCB_oracle_B in Htemp2.
                unfold valid_TCB_log_type_B in H.
                exploit H; intros.
                reflexivity.
                generalize (Htemp2 _ (AbstractDataType.CPU_ID a) H1); intros Hvalid_oracle_log.
                unfold valid_TCB_log_B in ×.
                revert Hvalid_oracle_log.
                unfold B_CalTCB_log_real.
                unfold B_CalTCB_log.
                simpl.
                clear.
                intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
                subdestruct.
                esplit; auto.
              + auto.
              + intros.
                case_eq (zeq i res); intros; subst.
                { inv H1.
                  unfold B_CalAT_log_real in H2.
                  simpl in H2.
                  unfold B_CalAT_log_real in Hdestruct23.
                  rewrite Hdestruct23 in H2.
                  rewrite zeq_false in H2; auto.
                  intros; subst.
                  rewrite ZMap.gss in H.
                  clear Hdestruct23.
                  case_eq (ZMap.get res a2).
                  { intros.
                    rewrite H1 in H2.
                    destruct b; inv H2.
                    destruct t; inv H6.
                    rewrite ZMap.gss.
                    auto. }
                  { intros.
                    rewrite H1 in H2; inv H2. } }
                { rewrite ZMap.gso in H; auto.
                  rewrite ZMap.gso in H; auto.
                  case_eq (zeq i z); intros; subst.
                  { inv H1.
                    unfold B_CalAT_log_real in H2.
                    simpl in H2.
                    unfold B_CalAT_log_real in Hdestruct23.
                    rewrite Hdestruct23 in H2.
                    rewrite zeq_false in H2; auto.
                    intros; subst.
                    rewrite ZMap.gss in H.
                    case_eq (ZMap.get res a2).
                    { intros.
                      rewrite H1 in H2.
                      destruct b; inv H2.
                      destruct t; inv H7.
                      rewrite ZMap.gso; auto.
                      assert (∃ atable´,
                                 B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                       (TBSHARED
                                                          (BPALLOCE
                                                             (ZMap.get (AbstractDataType.CPU_ID a)
                                                                       (AbstractDataType.cid a)) z))
                                                       :: AbstractDataType.big_oracle a
                                                       (AbstractDataType.CPU_ID a) l0 ++ l0)
                                              (real_AT (ZMap.init ATUndef)) =
                                 Some atable´).
                      { eauto using B_CalAT_log_sub_log_exist. }
                      destruct H2.
                      assert (ZMap.get z x = ATValid true ATNorm).
                      simpl in H2.
                      unfold B_CalAT_log_real in Hdestruct13.
                      rewrite <- sh_CPU_ID_re in H2.
                      rewrite <- sh_big_oracle_re in H2.
                      rewrite Hdestruct13 in H2.
                      rewrite zeq_false in H2; auto.
                      destruct a1 as (? & a1´ & ?).
                      rewrite a1´ in H2.
                      inv H2.
                      rewrite ZMap.gss; auto.
                      eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H2 Hdestruct23 z) in H6; auto. }
                    intros.
                    rewrite H1 in H2.
                    inv H2. }
                  { intros.
                    rewrite ZMap.gso in H; eauto.
                    inv H1.
                    destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                    unfold valid_AT_oracle_B in Htemp3.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
                    generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
                      intros Hvalid_AT_oracle_res.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
                    eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
                    assert (∃ atable´,
                               B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                     (TBSHARED
                                                        (BPALLOCE
                                                           (ZMap.get (AbstractDataType.CPU_ID a)
                                                                     (AbstractDataType.cid a)) z))
                                                     :: AbstractDataType.big_oracle a
                                                     (AbstractDataType.CPU_ID a) l0 ++ l0)
                                            (real_AT (ZMap.init ATUndef)) =
                               Some atable´).
                    { eauto using B_CalAT_log_sub_log_exist. }
                    destruct H1.
                    assert (ZMap.get i x = ATValid true ATNorm).
                    simpl in H1.
                    unfold B_CalAT_log_real in Hdestruct13.
                    case_eq (B_CalAT_log (AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                      l0 ++ l0)
                                         (real_AT (ZMap.init ATUndef))); intros.
                    rewrite H6 in H1.
                    rewrite zeq_false in H1; auto.
                    subdestruct.
                    inv H1.
                    rewrite ZMap.gso; auto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H6 i H); eauto.
                    rewrite H6 in H1.
                    inv H1.
                    unfold B_CalAT_log_real in H2, Hdestruct23.
                    simpl in H2, Hdestruct23.
                    rewrite Hdestruct23 in H2.
                    rewrite zeq_false in H2; eauto.
                    destruct a3 as (? & a3´ & ?).
                    rewrite a3´ in H2.
                    inv H2.
                    rewrite ZMap.gso; auto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct23 i) in H6; auto.
                    rewrite <- sh_big_log_re.
                    auto. } }
            - assert (Hres_undef: ZMap.get res (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get res (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get res (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get res (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 res) in H; auto.
                unfold B_CalAT_log_real in Hdestruct23.
                assert (∃ atable´,
                           B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                 (TBSHARED
                                                    (BPALLOCE
                                                       (ZMap.get (AbstractDataType.CPU_ID a)
                                                                 (AbstractDataType.cid a)) z))
                                                 :: AbstractDataType.big_oracle a
                                                 (AbstractDataType.CPU_ID a) l0 ++ l0)
                                        (real_AT (ZMap.init ATUndef)) =
                           Some atable´).
                { eauto using B_CalAT_log_sub_log_exist. }
                destruct H1.
                assert (ZMap.get res x = ATValid true ATNorm).
                simpl in H1.
                unfold B_CalAT_log_real in Hdestruct13.
                rewrite sh_big_oracle_re, sh_CPU_ID_re in Hdestruct13.
                rewrite Hdestruct13 in H1.
                rewrite zeq_false in H1; auto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H1.
                inv H1.
                rewrite ZMap.gso; auto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct23 res) in H2; auto.
                destruct a3 as (? & a3´ & ?).
                rewrite a3´ in H2.
                inv H2.
                rewrite <- sh_big_log_re; auto. }
              assert (Hz_undef: ZMap.get z (AbstractDataType.pperm a) = PGUndef).
              { inv sh_shared_inv_re.
                assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                               ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                  right.
                  intro contra.
                  inv contra.
                  right.
                  intro contra.
                  inv contra. }
                destruct Htemp; eauto.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                eapply valid_B_Cal_AT_log_inv in H; eauto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H.
                inv H.
                rewrite <- sh_big_log_re; auto. }
              inv sh_mem_inv_re.
              constructor; simpl; auto.
              intros.
              case_eq (zeq i (Int.unsigned n)).
              { intros; subst.
                rewrite ZMap.gss in H1.
                inv H1; subst; simpl.
                simpl in H3.
                case_eq (zeq j (Int.unsigned n)).
                { intros; subst; simpl.
                  rewrite ZMap.gss in H2.
                  inv H2; simpl.
                  elim H; reflexivity. }
                { intros; rewrite ZMap.gso in H2; auto.
                  case_eq (zeq j0 res); intros.
                  - subst.
                    rewrite ZMap.gss in H3.
                    generalize (per_data_re j).
                    rewrite H2.
                    intros.
                    inv H7.
                    generalize (pperm_re res).
                    intros.
                    rewrite Hres_undef in H7.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct; try (inv H7; fail).
                    reflexivity.
                  - case_eq (zeq j0 z); intros.
                    + subst.
                      rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gss in H3.
                      generalize (per_data_re j).
                      rewrite H2.
                      intros.
                      inv H8.
                      generalize (pperm_re z).
                      intros.
                      rewrite Hz_undef in H8.
                      repeat match goal with
                             | [H: context[if _ then _ else _] |- _] ⇒ clear H
                             end.
                      subdestruct; try (inv H8; fail).
                      reflexivity.
                    + rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gso in H3; auto.
                      rewrite ZMap.gso in H3; auto.
                      eapply pperm_disjoint0 in H2; eauto.
                      rewrite e; eauto. } }
              { intros; subst; rewrite ZMap.gso in H1; auto.
                case_eq (zeq j (Int.unsigned n)); intros; subst.
                - rewrite ZMap.gss in H2.
                  inv H2; simpl.
                  case_eq (zeq j0 res); intros.
                  + subst.
                    generalize (per_data_re i).
                    rewrite H1.
                    intros.
                    inv H7.
                    generalize (pperm_re res).
                    intros.
                    rewrite Hres_undef in H7.
                    repeat match goal with
                           | [H: context[if _ then _ else _] |- _] ⇒ clear H
                           end.
                    subdestruct; try (inv H7; fail).
                    elim H3; reflexivity.
                  + case_eq (zeq j0 z); intros.
                    × subst.
                      generalize (per_data_re i).
                      rewrite H1.
                      intros.
                      inv H8.
                      generalize (pperm_re z).
                      intros.
                      rewrite Hz_undef in H8.
                      repeat match goal with
                             | [H: context[if _ then _ else _] |- _] ⇒ clear H
                             end.
                      subdestruct; try (inv H8; fail).
                      elim H3; reflexivity.
                    × rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                      rewrite ZMap.gso; auto.
                      eapply pperm_disjoint0 in H; eauto.
                      rewrite e; eauto.
                - rewrite ZMap.gso in H2; auto.
                  eapply (pperm_disjoint0 i j); eauto. } }
          { simpl.
            rewrite <- e.
            rewrite Hflag_big_oracle.
            rewrite Hflag_CPU_ID.
            reflexivity. }
           Qed.

  Lemma first_success_match:
    ∀
      (l : Log)
  (dp : ZMap.t (option privData))
  (a : RData)
  (n : int)
  (vadr : int)
  (perm : int)
  (d : privData)
  (kctxt_pool : KContextPool)
  (z : Z)
  (in_event : has_event pt_resv = true)
  (prim_num : prim_id_num pt_resv = 2)
  (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
  (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
  (e : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
  (e0 : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
  (Hdestruct1 : zeq (Int.unsigned n)
                 (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
               left e0)
  (Hdestruct : True)
  (Hdestruct3 : ikern d = true)
  (Hdestruct4 : ihost d = true)
  (Hdestruct5 : ipt d = true)
  (l0 : BigLog)
  (Hdestruct11 : big_log (update init_shared_adt l) = BigDef l0)
  (Hdestruct6 : B_inLock_aux (CPU_ID (update init_shared_adt l)) l0 = false)
  (Hdestruct7 : (cusage (AC d) <? cquota (AC d)) = true)
  (Hdestruct8 : init (update init_shared_adt l) = true)
  (Hdestruct9 : pg (update init_shared_adt l) = true)
  (Hdestruct10 : ZMap.get 0 (lock (update init_shared_adt l)) = LockFalse)
  (Hdestruct12 : B_GetContainerUsed
                  (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                  (CPU_ID (update init_shared_adt l)) l0 = true)
  (a0 : ATable)
  (Hdestruct13 : B_CalAT_log_real
                  (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                Some a0)
  (n0 : z ≠ 0)
  (Hdestruct2 : zeq z 0 = right n0)
  (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
  (HGetUsed´ : B_GetContainerUsed
                (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (CPU_ID (update init_shared_adt l)) l0 = true)
  (Hcused : cused
             (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (AbstractDataType.AC a)) = true)
  (HAC_eq : AC d =
           ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
             (AbstractDataType.AC a))
  (Hper_data_rel : relate_RData_per_pd
                    (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                    (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                       kctxt_pool) (update init_shared_adt l) d a)
  (a1 : 0 < z < nps (update init_shared_adt l) ∧
       ZMap.get z a0 = ATValid false ATNorm ∧
       (∀ x : Z, 0 < x < z → ZMap.get x a0 ≠ ATValid false ATNorm))
  (Hdestruct14 : first_free a0 (nps (update init_shared_adt l)) =
                inleft
                  (exist
                     (fun n1 : Z ⇒
                      0 < n1 < nps (update init_shared_adt l) ∧
                      ZMap.get n1 a0 = ATValid false ATNorm ∧
                      (∀ x : Z, 0 < x < n1 → ZMap.get x a0 ≠ ATValid false ATNorm)) z a1))
  (n1 : z ≠ 0)
  (Hdestruct16 : zeq z 0 = right n1)
  (Hdestruct0 : pt_Arg (Int.unsigned n) (Int.unsigned vadr) z (nps (update init_shared_adt l)) = true)
  (p : PTPerm)
  (Hdestruct15 : ZtoPerm (Int.unsigned perm) = Some p)
  (Hdestruct17 : ZMap.get (PDX (Int.unsigned vadr)) (ZMap.get (Int.unsigned n) (ptpool d)) = PDEUnPresent)
  (Hflag_ikern : ikern d = AbstractDataType.ikern a)
  (Hflag_ihost : ihost d = AbstractDataType.ihost a)
  (Hflag_pg : pg (update init_shared_adt l) = AbstractDataType.pg a)
  (Hflag_ipt : ipt d = AbstractDataType.ipt a)
  (Hflag_CPU_ID : CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a)
  (Hflag_nps : nps (update init_shared_adt l) = AbstractDataType.nps a)
  (Hflag_big_log : big_log (update init_shared_adt l) = AbstractDataType.big_log a)
  (Hflag_big_oracle : big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a)
  (Hflag_lock : lock (update init_shared_adt l) = AbstractDataType.lock a)
  (Hflag_ptp : ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))
  (Hdestruct19 : pt_Arg´ (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                  (Int.unsigned vadr) = true)
  (Hdestruct21 : (cusage (AC d) + 1 <? cquota (AC d)) = true)
  (a2 : ATable)
  (Hdestruct22 : B_CalAT_log_real
                  (AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                     (TBEVENT (AbstractDataType.CPU_ID a)
                        (TBSHARED
                           (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                      :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
                   TBEVENT (AbstractDataType.CPU_ID a)
                     (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                   :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) =
                Some a2)
  (n2 : ∀ x : Z, 0 < x < nps (update init_shared_adt l) → ZMap.get x a2 ≠ ATValid false ATNorm)
  (Hdestruct23 : first_free a2 (nps (update init_shared_adt l)) = inright n2)
  (Hdestruct20 : True)
  (Hflag_cid : ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)) =
              ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)),
   relate_RData kctxt_pool
     ((update init_shared_adt l) { sh_big_log
      : BigDef
          (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
           :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}) { sh_big_log
     : BigDef
         (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) 0))
          :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
               (TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
             TBEVENT (AbstractDataType.CPU_ID a) (TBSHARED (BPALLOCE (Int.unsigned n) z))
             :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}
     (ZMap.set (Int.unsigned n)
        (Some
           (d { pv_pperm : ZMap.set z PGAlloc (pperm d)}) { pv_AC
           : {|
             cquota := cquota (AC d);
             cusage := cusage (AC d) + 1;
             cparent := cparent (AC d);
             cchildren := cchildren (AC d);
             cused := cused (AC d) |}}) dp)
     ((((a {big_log
         : BigDef
             (TBEVENT (AbstractDataType.CPU_ID a)
                (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
              :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}) {LAT
        : ZMap.set z (LATCValid nil) (LAT a)}) {pperm :
       ZMap.set z PGAlloc (AbstractDataType.pperm a)}) {AC
      : ZMap.set (Int.unsigned n)
          {|
          cquota := cquota (AC d);
          cusage := cusage (AC d) + 1;
          cparent := cparent (AC d);
          cchildren := cchildren (AC d);
          cused := true |} (AbstractDataType.AC a)}) {big_log
     : BigDef
         (TBEVENT (AbstractDataType.CPU_ID a)
            (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) 0))
          :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
               (TBEVENT (AbstractDataType.CPU_ID a)
                  (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
                :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0) ++
             TBEVENT (AbstractDataType.CPU_ID a)
               (TBSHARED (BPALLOCE (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)) z))
             :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a) l0 ++ l0)}.
    Proof.
      intros.
          inv H; simpl; constructor; auto; simpl in ×.
          - rewrite e.
            rewrite <- Hflag_cid.
            reflexivity.
          - intros.
            generalize (per_data_re i); intros.
            rewrite e.
            case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
            { rewrite ZMap.gss.
              rewrite H0 in H.
              inv H; rewrite zeq_true in ×.
              per_data_auto_simpl.
              - rewrite <- Hflag_cid.
                reflexivity.
              - assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                { inv sh_shared_inv_re.
                  assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                 ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                  { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                    right.
                    intro contra.
                    inv contra.
                    right.
                    intro contra.
                    inv contra. }
                  destruct Htemp; eauto.
                  unfold valid_AT_log_type_B in valid_AT_log_inv.
                  unfold valid_AT_log_B in valid_AT_log_inv.
                  destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                  eapply valid_B_Cal_AT_log_inv in H; eauto.
                  eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
                  destruct a1 as (? & a1´ & ?).
                  rewrite a1´ in H.
                  inv H.
                  rewrite <- sh_big_log_re; auto. }
                assert (ZMap.get z (pperm d) = PGUndef).
                { generalize (pperm_re z).
                  rewrite H.
                  intros.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; simpl; try inv H2.
                  reflexivity. }
                inv inv_re.
                assert (∀ id, ZMap.get id (HP d) = ZMap.get id (FlatMem.free_page z (HP d))).
                { intros; eapply dirty_page_per_thread_inv; eauto. }
                assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                                   = ZMap.get id (FlatMem.free_page z (AbstractDataType.HP a))).
                { inv sh_shared_inv_re.
                  intros.
                  eapply dirty_page_shared_inv; eauto. }
                revert H4; revert H3.
                intros Hd_init Ha_init v ofs TY Htemp1 Htemp2 Htemp3.
                case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) z).
                + intros.
                  rewrite e1 in Htemp1.
                  rewrite <- e1 in Hd_init, Ha_init.
                  revert Hd_init Ha_init.
                  clear H3 e1 Htemp1.
                  revert Htemp2 Htemp3.
                  eapply abs_rel_palloc_mem_related_prop; eauto.
                + intros; subst.
                  rewrite ZMap.gso in Htemp1; eauto.
              - rewrite zeq_true; auto.
              - rewrite zeq_true; auto.
              - unfold relate_AC_per_pd in *; simpl.
                rewrite ZMap.gss.
                simpl.
                rewrite Hdestruct8.
                rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                rewrite Hdestruct12.
                rewrite <- Hcused.
                rewrite <- HAC_eq.
                destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l))
                                        (cid (update init_shared_adt l))) main_thread); auto.
                destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l))
                                             (cid (update init_shared_adt l))) 1024); auto.
              - rewrite zeq_true; auto.
              - unfold pperm_inject.
                intros.
                generalize (pperm_re i); intros.
                case_eq (zeq i z); intros; subst;
                  [rewrite ZMap.gss; rewrite ZMap.gss; auto | rewrite ZMap.gso; auto; rewrite ZMap.gso; auto].
              - rewrite Hdestruct8; rewrite zeq_true; auto.
                rewrite Hdestruct8 in PT_re; auto.
              - rewrite Hdestruct8.
                rewrite Hdestruct8 in ptp_re; auto.
              - rewrite zeq_true; auto.
              - rewrite zeq_true; auto.
              - rewrite zeq_true; auto.
              - unfold relate_SyncChanPool_per_pd; simpl.
                rewrite Hdestruct8.
                rewrite Hflag_CPU_ID; rewrite zeq_true; auto.
              - unfold relate_uctxt_per_pd in *; simpl.
                simpl.
                rewrite Hdestruct8.
                rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                rewrite Hdestruct12.
                unfold B_GetContainerUsed´ in uctxt_re.
                rewrite Hdestruct8, Hdestruct11, Hdestruct12 in uctxt_re.
                auto.
              - auto.
              - auto.
              - auto.
              - inv inv_re.
                constructor; simpl.
                assert (∀ i : ZIndexed.t,
                           ZMap.get i (pperm d) = PGUndef →
                           ∀ res,
                             ZMap.get res (HP d) =
                             ZMap.get res (FlatMem.free_page i (HP d))).
                { intros; apply dirty_page_per_thread_inv; auto. }
                intros.
                exploit single_dirty_ppage´_gso_alloc.
                { unfold single_dirty_ppage´.
                  apply H. }
                { exact H2. }
                { intros.
                  apply H3. } }
            { rewrite ZMap.gso; auto.
              subdestruct; simpl in *; auto.
              inv H; simpl in ×.
              per_data_auto_simpl.
              - rewrite <- Hflag_cid.
                reflexivity.
              - unfold relate_AC_per_pd in *; simpl.
                simpl; rewrite Hdestruct18.
                rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                rewrite ZMap.gso; auto.
                unfold B_GetContainerUsed´ in AC_re.
                rewrite Hdestruct11 in AC_re.
                rewrite Hdestruct18 in AC_re.
                auto.
              - rewrite zeq_false; auto.
                rewrite zeq_false in ti_re; auto.
              - unfold pperm_inject.
                intros.
                generalize (pperm_re i0); intros.
                case_eq (zeq i0 z); intros; subst.
                { rewrite ZMap.gss.
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H3; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H3; auto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H3.
                    inv H3.
                    rewrite <- big_log_re; auto. }
                  rewrite H3 in H.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; eauto. }
                { rewrite ZMap.gso; auto. }
              - rewrite Hdestruct18; auto.
                rewrite Hdestruct18 in PT_re; auto.
              - rewrite Hdestruct18; auto.
                rewrite Hdestruct18 in ptp_re; auto.
              - rewrite zeq_false in ipt_re; auto; rewrite zeq_false; auto.
              - rewrite zeq_false in intr_flag_re; auto; rewrite zeq_false; auto.
              - rewrite zeq_false in in_intr_re; auto; rewrite zeq_false; auto.
              - unfold relate_SyncChanPool_per_pd; simpl; rewrite Hdestruct18.
                rewrite Hflag_CPU_ID; rewrite zeq_true; auto.
              - unfold relate_uctxt_per_pd in *; simpl.
                simpl; rewrite Hdestruct18.
                rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
                rewrite Hdestruct18 in uctxt_re.
                auto.
              - auto.
              - auto.
              - auto.
              - inv inv_re; constructor; simpl; auto.
              - constructor. }
          - inv sh_shared_inv_re.
            constructor; simpl; auto.
            + assert (∀ i : ZIndexed.t,
                         ZMap.get i (AbstractDataType.pperm a) = PGUndef →
                         ∀ res,
                           ZMap.get res (AbstractDataType.HP a) =
                           ZMap.get res (FlatMem.free_page i (AbstractDataType.HP a))).
              { intros; apply dirty_page_shared_inv; auto. }
              intros.
              exploit single_dirty_ppage´_gso_alloc.
              { unfold single_dirty_ppage´.
                apply H. }
              { exact H1. }
              { intros.
                apply H2. }
            + rewrite Hdestruct8; intro contra; inv contra.
            + rewrite Hdestruct8; intro contra; inv contra.
            + rewrite Hflag_CPU_ID.
              rewrite zeq_true.
              intros.
              unfold B_inLock in syncchpool_inv.
              rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
              apply syncchpool_inv in H.
              rewrite <- H.
              symmetry.
              rewrite e.
              rewrite <- Hflag_CPU_ID.
              rewrite <- Hflag_big_oracle.
              unfold B_GetlastPush.
              erewrite single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
              assert (B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                        (big_oracle (update init_shared_adt l)
                                                    (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                      B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                        (TBEVENT (CPU_ID (update init_shared_adt l))
                                                 (TBSHARED
                                                    (BPALLOCE
                                                       (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                 (cid (update init_shared_adt l))) z))
                                                 :: big_oracle (update init_shared_adt l)
                                                 (CPU_ID (update init_shared_adt l)) l0 ++ l0)).
              { simpl; auto. }
              rewrite H1.
              clear H1.
              eapply single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
            + intros.
              apply container_used_inv in H.
              unfold B_GetContainerUsed´ in H.
              rewrite Hdestruct11 in H.
              rewrite e.
              rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
              erewrite HGetUsedpreserve_double; eauto.
              case_eq (zeq tid (Int.unsigned n)); intros; subst.
              × rewrite e.
                rewrite ZMap.gss.
                simpl.
                rewrite <- Hdestruct12.
                auto.
              × rewrite <- e.
                rewrite ZMap.gso; auto.
            + intros.
              apply uctxt_used_inv.
              unfold B_GetContainerUsed´.
              rewrite Hdestruct11.
              rewrite <- H.
              rewrite e.
              rewrite <- Hflag_big_oracle, <- Hflag_CPU_ID.
              symmetry.
              apply HGetUsedpreserve_double; eauto.
            + unfold valid_AT_log_type_B.
              simpl.
              intros.
              inv Hdef.
              unfold valid_AT_log_B in Hdestruct22.
              unfold valid_AT_log_B.
              simpl.
              revert Hdestruct22.
              rewrite Hdestruct8 in sh_cid_re.
              intros.
              rewrite <- sh_cid_re in Hdestruct22.
              rewrite <- e in Hdestruct22.
              unfold B_CalAT_log_real in Hdestruct22.
              unfold B_CalAT_log_real.
              simpl.
              rewrite Hdestruct22.
              esplit; auto.
            + assert (valid_TCB_log_type_B (BigDef (TBEVENT (AbstractDataType.CPU_ID a)
                                                            (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                            :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                            l0 ++ l0))).
              { unfold valid_TCB_log_type_B.
                intros ? Hdef.
                inv Hdef.
                destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                unfold valid_TCB_oracle_B in Htemp2.
                generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
                generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
                unfold valid_TCB_log_B in ×.
                revert Hvalid_oracle_log.
                unfold B_CalTCB_log_real.
                unfold B_CalTCB_log.
                simpl.
                rewrite <- sh_big_oracle_re.
                rewrite <- sh_CPU_ID_re.
                clear.
                intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
                subdestruct.
                inv H.
                esplit; auto. }
              unfold valid_TCB_log_type_B.
              intros.
              inversion Hdef; substx.
              destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
              clear Hdef.
              replace (AbstractDataType.big_oracle a) with
                  (AbstractDataType.big_oracle a
                                               {big_log: BigDef
                                                           (TBEVENT (AbstractDataType.CPU_ID a)
                                                                    (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                                    :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                    l0 ++ l0)}) in H, Htemp2; [ | simpl; reflexivity].
              unfold valid_TCB_oracle_B in Htemp2.
              unfold valid_TCB_log_type_B in H.
              exploit H; intros.
              reflexivity.
              generalize (Htemp2 _ (AbstractDataType.CPU_ID a) H1); intros Hvalid_oracle_log.
              unfold valid_TCB_log_B in ×.
              revert Hvalid_oracle_log.
              unfold B_CalTCB_log_real.
              unfold B_CalTCB_log.
              rewrite sh_big_oracle_re.
              simpl.
              clear.
              intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
              subdestruct.
              esplit; auto.
            + intros.
              case_eq (zeq i z); intros; subst.
              { inv H1.
                unfold B_CalAT_log_real in H2.
                simpl in H2.
                unfold B_CalAT_log_real in Hdestruct22.
                rewrite Hdestruct22 in H2.
                inv H2.
                assert (∃ atable´,
                           B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                 (TBSHARED
                                                    (BPALLOCE
                                                       (ZMap.get (AbstractDataType.CPU_ID a)
                                                                 (AbstractDataType.cid a)) z))
                                                 :: AbstractDataType.big_oracle a
                                                 (AbstractDataType.CPU_ID a) l0 ++ l0)
                                        (real_AT (ZMap.init ATUndef)) =
                           Some atable´).
                { eauto using B_CalAT_log_sub_log_exist. }
                destruct H1.
                assert (ZMap.get z x = ATValid true ATNorm).
                simpl in H1.
                unfold B_CalAT_log_real in Hdestruct13.
                rewrite <- sh_CPU_ID_re in H1.
                rewrite <- sh_big_oracle_re in H1.
                rewrite Hdestruct13 in H1.
                rewrite zeq_false in H1; auto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H1.
                inv H1.
                rewrite ZMap.gss; auto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct22 z) in H2; auto. }
              { intros.
                rewrite ZMap.gso in H; eauto.
                inv H1.
                destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                unfold valid_AT_oracle_B in Htemp3.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
                generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
                  intros Hvalid_AT_oracle_res.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
                eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
                assert (∃ atable´,
                           B_CalAT_log (TBEVENT (AbstractDataType.CPU_ID a)
                                                 (TBSHARED
                                                    (BPALLOCE
                                                       (ZMap.get (AbstractDataType.CPU_ID a)
                                                                 (AbstractDataType.cid a)) z))
                                                 :: AbstractDataType.big_oracle a
                                                 (AbstractDataType.CPU_ID a) l0 ++ l0)
                                        (real_AT (ZMap.init ATUndef)) =
                           Some atable´).
                { eauto using B_CalAT_log_sub_log_exist. }
                destruct H1.
                assert (ZMap.get i x = ATValid true ATNorm).
                simpl in H1.
                unfold B_CalAT_log_real in Hdestruct13.
                case_eq (B_CalAT_log (AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                  l0 ++ l0)
                                     (real_AT (ZMap.init ATUndef))); intros.
                rewrite H4 in H1.
                rewrite zeq_false in H1; auto.
                subdestruct.
                inv H1.
                rewrite ZMap.gso; auto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H4 i H); eauto.
                rewrite H4 in H1.
                inv H1.
                unfold B_CalAT_log_real in H2, Hdestruct22.
                simpl in H2, Hdestruct22.
                rewrite Hdestruct22 in H2.
                inv H2.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct22 i) in H4; auto.
                rewrite <- sh_big_log_re.
                auto. }
          - inv sh_mem_inv_re.
            constructor; simpl; auto.
            intros.
            case_eq (zeq i (Int.unsigned n)).
            { intros; subst.
              rewrite ZMap.gss in H1.
              inv H1; subst; simpl.
              simpl in H3.
              case_eq (zeq j (Int.unsigned n)).
              { intros; subst; simpl.
                rewrite ZMap.gss in H2.
                inv H2; simpl.
                elim H; reflexivity. }
              { intros; rewrite ZMap.gso in H2; auto.
                case_eq (zeq j0 z); intros.
                - subst.
                  rewrite ZMap.gss in H3.
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H7; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H7.
                    inv H7.
                    rewrite <- sh_big_log_re; auto. }
                  intros.
                  generalize (per_data_re j).
                  rewrite H2.
                  intros.
                  inv H8.
                  generalize (pperm_re z).
                  intros.
                  rewrite H7 in H8.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; try (inv H8; fail).
                  reflexivity.
                - rewrite ZMap.gso in H3; auto.
                  eapply pperm_disjoint in H2; eauto.
                  rewrite e; eauto. } }
            { intros; subst; rewrite ZMap.gso in H1; auto.
              case_eq (zeq j (Int.unsigned n)); intros; subst.
              - rewrite ZMap.gss in H2.
                inv H2; simpl.
                case_eq (zeq j0 z); intros; subst.
                + rewrite ZMap.gss.
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H7; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H7.
                    inv H7.
                    rewrite <- sh_big_log_re; auto. }
                  intros.
                  generalize (per_data_re i).
                  rewrite H1.
                  intros.
                  inv H8.
                  generalize (pperm_re z).
                  intros.
                  rewrite H7 in H8.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; try (inv H8; fail).
                  elim H3; reflexivity.
                + rewrite ZMap.gso; auto.
                  eapply (pperm_disjoint i (Int.unsigned n)) in H3; eauto.
                  rewrite e; auto.
              - rewrite ZMap.gso in H2; auto.
                eapply (pperm_disjoint i j); eauto. }
            Qed.

Lemma second_success_match:
  ∀
  (l : Log)
  (dp : ZMap.t (option privData))
  (a : RData)
  (n : int)
  (vadr : int)
  (perm : int)
  (d : privData)
  (kctxt_pool : KContextPool)
  (z : Z)
  (in_event : has_event pt_resv = true)
  (prim_num : prim_id_num pt_resv = 2)
  (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
  (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
  (e : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
  (e0 : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
  (Hdestruct1 : zeq (Int.unsigned n)
                 (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
               left e0)
  (Hdestruct : True)
  (Hdestruct3 : ikern d = true)
  (Hdestruct4 : ihost d = true)
  (Hdestruct5 : ipt d = true)
  (l0 : BigLog)
  (Hdestruct11 : big_log (update init_shared_adt l) = BigDef l0)
  (Hdestruct6 : B_inLock_aux (CPU_ID (update init_shared_adt l)) l0 = false)
  (Hdestruct7 : (cusage (AC d) <? cquota (AC d)) = true)
  (Hdestruct8 : init (update init_shared_adt l) = true)
  (Hdestruct9 : pg (update init_shared_adt l) = true)
  (Hdestruct10 : ZMap.get 0 (lock (update init_shared_adt l)) = LockFalse)
  (Hdestruct12 : B_GetContainerUsed
                  (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                  (CPU_ID (update init_shared_adt l)) l0 = true)
  (a0 : ATable)
  (Hdestruct13 : B_CalAT_log_real
                  (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                Some a0)
  (n0 : z ≠ 0)
  (Hdestruct2 : zeq z 0 = right n0)
  (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
  (HGetUsed´ : B_GetContainerUsed
                (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (CPU_ID (update init_shared_adt l)) l0 = true)
  (Hcused : cused
             (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (AbstractDataType.AC a)) = true)
  (HAC_eq : AC d =
           ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
             (AbstractDataType.AC a))
  (Hper_data_rel : relate_RData_per_pd
                    (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                    (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                       kctxt_pool) (update init_shared_adt l) d a)
  (a1 : 0 < z < nps (update init_shared_adt l) ∧
       ZMap.get z a0 = ATValid false ATNorm ∧
       (∀ x : Z, 0 < x < z → ZMap.get x a0 ≠ ATValid false ATNorm))
  (Hdestruct14 : first_free a0 (nps (update init_shared_adt l)) =
                inleft
                  (exist
                     (fun n1 : Z ⇒
                      0 < n1 < nps (update init_shared_adt l) ∧
                      ZMap.get n1 a0 = ATValid false ATNorm ∧
                      (∀ x : Z, 0 < x < n1 → ZMap.get x a0 ≠ ATValid false ATNorm)) z a1))
  (n1 : z ≠ 0)
  (Hdestruct16 : zeq z 0 = right n1)
  (Hdestruct0 : pt_Arg (Int.unsigned n) (Int.unsigned vadr) z (nps (update init_shared_adt l)) = true)
  (p : PTPerm)
  (Hdestruct15 : ZtoPerm (Int.unsigned perm) = Some p)
  (Hdestruct17 : ZMap.get (PDX (Int.unsigned vadr)) (ZMap.get (Int.unsigned n) (ptpool d)) = PDEUnPresent)
  (Hflag_ikern : ikern d = AbstractDataType.ikern a)
  (Hflag_ihost : ihost d = AbstractDataType.ihost a)
  (Hflag_pg : pg (update init_shared_adt l) = AbstractDataType.pg a)
  (Hflag_ipt : ipt d = AbstractDataType.ipt a)
  (Hflag_CPU_ID : CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a)
  (Hflag_nps : nps (update init_shared_adt l) = AbstractDataType.nps a)
  (Hflag_big_log : big_log (update init_shared_adt l) = AbstractDataType.big_log a)
  (Hflag_big_oracle : big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a)
  (Hflag_lock : lock (update init_shared_adt l) = AbstractDataType.lock a)
  (Hflag_ptp : ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a))
  (Hdestruct19 : pt_Arg´ (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                  (Int.unsigned vadr) = true)
  (Hdestruct21 : (cusage (AC d) + 1 <? cquota (AC d)) = false)
  (Hdestruct20 : True)
  (Hflag_cid : ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)) =
               ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a)),
    relate_RData kctxt_pool
                            ((update init_shared_adt l) { sh_big_log
      : BigDef
          (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
           :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}) {
     sh_big_log
     : BigDef
         (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) 0))
          :: big_oracle (update init_shared_adt l)
               (CPU_ID (update init_shared_adt l))
               (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
             TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
             :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
     (ZMap.set (Int.unsigned n)
        (Some
           (d { pv_pperm : ZMap.set z PGAlloc (pperm d)}) { pv_AC
           : {|
             cquota := cquota (AC d);
             cusage := cusage (AC d) + 1;
             cparent := cparent (AC d);
             cchildren := cchildren (AC d);
             cused := cused (AC d) |}}) dp)
     ((((a {big_log
         : BigDef
             (TBEVENT (CPU_ID (update init_shared_adt l))
                (TBSHARED
                   (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a)) z))
              :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}) {LAT
        : ZMap.set z (LATCValid nil) (LAT a)}) {pperm :
       ZMap.set z PGAlloc (AbstractDataType.pperm a)}) {AC
      : ZMap.set (Int.unsigned n)
          {|
          cquota := cquota (AC d);
          cusage := cusage (AC d) + 1;
          cparent := cparent (AC d);
          cchildren := cchildren (AC d);
          cused := true |} (AbstractDataType.AC a)}) {big_log
     : BigDef
         (TBEVENT (CPU_ID (update init_shared_adt l))
            (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a)) 0))
          :: AbstractDataType.big_oracle a (CPU_ID (update init_shared_adt l))
               (TBEVENT (CPU_ID (update init_shared_adt l))
                  (TBSHARED
                     (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a)) z))
                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
             TBEVENT (CPU_ID (update init_shared_adt l))
               (TBSHARED (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a)) z))
             :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}.
  Proof.
    intros.
    inv H; simpl; constructor; auto; simpl in ×.
          - rewrite e.
            rewrite Hflag_cid.
            rewrite Hflag_CPU_ID.
            rewrite Hflag_big_oracle.
            reflexivity.
          - intros.
            generalize (per_data_re i); intros.
            rewrite e.
            case_eq (zeq i (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))); intros; subst.
            { rewrite ZMap.gss.
              rewrite H0 in H.
              inv H; rewrite zeq_true in ×.
              per_data_auto_simpl.
              - rewrite Hflag_cid.
                rewrite Hflag_CPU_ID.
                rewrite Hflag_big_oracle.
                reflexivity.
              - assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                { inv sh_shared_inv_re.
                  assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                 ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                  { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                    right.
                    intro contra.
                    inv contra.
                    right.
                    intro contra.
                    inv contra. }
                  destruct Htemp; eauto.
                  unfold valid_AT_log_type_B in valid_AT_log_inv.
                  unfold valid_AT_log_B in valid_AT_log_inv.
                  destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                  eapply valid_B_Cal_AT_log_inv in H; eauto.
                  eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H; auto.
                  destruct a1 as (? & a1´ & ?).
                  rewrite a1´ in H.
                  inv H.
                  rewrite <- sh_big_log_re; auto. }
                assert (ZMap.get z (pperm d) = PGUndef).
                { generalize (pperm_re z).
                  rewrite H.
                  intros.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; simpl; try inv H2.
                  reflexivity. }
                inv inv_re.
                assert (∀ id, ZMap.get id (HP d) = ZMap.get id (FlatMem.free_page z (HP d))).
                { intros; eapply dirty_page_per_thread_inv; eauto. }
                assert (∀ id, ZMap.get id (AbstractDataType.HP a)
                                   = ZMap.get id (FlatMem.free_page z (AbstractDataType.HP a))).
                { inv sh_shared_inv_re.
                  intros.
                  eapply dirty_page_shared_inv; eauto. }
                revert H4; revert H3.
                intros Hd_init Ha_init v ofs TY Htemp1 Htemp2 Htemp3.
                case_eq (zeq ((v × 4096 + ofs mod 4096) / 4096) z).
                + intros.
                  rewrite e1 in Htemp1.
                  rewrite <- e1 in Hd_init, Ha_init.
                  revert Hd_init Ha_init.
                  clear H3 e1 Htemp1.
                  revert Htemp2 Htemp3.
                  eapply abs_rel_palloc_mem_related_prop; eauto.
                + intros; subst.
                  rewrite ZMap.gso in Htemp1; eauto.
              - rewrite zeq_true; auto.
              - rewrite zeq_true; auto.
              - unfold relate_AC_per_pd in *; simpl.
                rewrite ZMap.gss.
                simpl.
                rewrite Hdestruct8.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                rewrite Hdestruct12.
                rewrite <- Hcused.
                rewrite <- HAC_eq.
                destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l))
                                        (cid (update init_shared_adt l))) main_thread); auto.
                destruct (zlt_lt 8 (ZMap.get (CPU_ID (update init_shared_adt l))
                                             (cid (update init_shared_adt l))) 1024); auto.
              - rewrite zeq_true; auto.
              - unfold pperm_inject.
                intros.
                generalize (pperm_re i); intros.
                case_eq (zeq i z); intros; subst;
                  [rewrite ZMap.gss; rewrite ZMap.gss; auto | rewrite ZMap.gso; auto; rewrite ZMap.gso; auto].
              - rewrite Hdestruct8; rewrite zeq_true; auto.
                rewrite Hdestruct8 in PT_re; auto.
              - rewrite Hdestruct8.
                rewrite Hdestruct8 in ptp_re; auto.
              - rewrite zeq_true; auto.
              - rewrite zeq_true; auto.
              - rewrite zeq_true; auto.
              - unfold relate_SyncChanPool_per_pd; simpl.
                rewrite Hdestruct8.
                rewrite Hflag_CPU_ID; rewrite zeq_true; auto.
              - unfold relate_uctxt_per_pd in *; simpl.
                simpl.
                rewrite Hdestruct8.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                rewrite Hdestruct12.
                unfold B_GetContainerUsed´ in uctxt_re.
                rewrite Hdestruct8, Hdestruct11, Hdestruct12 in uctxt_re.
                auto.
              - auto.
              - auto.
              - auto.
              - inv inv_re.
                constructor; simpl.
                assert (∀ i : ZIndexed.t,
                           ZMap.get i (pperm d) = PGUndef →
                           ∀ res,
                             ZMap.get res (HP d) =
                             ZMap.get res (FlatMem.free_page i (HP d))).
                { intros; apply dirty_page_per_thread_inv; auto. }
                intros.
                exploit single_dirty_ppage´_gso_alloc.
                { unfold single_dirty_ppage´.
                  apply H. }
                { exact H2. }
                { intros.
                  apply H3. } }
            { rewrite ZMap.gso; auto.
              subdestruct; simpl in *; auto.
              inv H; simpl in ×.
              rewrite Hdestruct18 in ×.
              per_data_auto_simpl.
              - simpl; rewrite Hdestruct18; auto.
              - simpl; rewrite Hdestruct18; auto.
              - rewrite Hflag_cid.
                rewrite Hflag_CPU_ID.
                rewrite Hflag_big_oracle.
                reflexivity.
              - unfold relate_AC_per_pd in *; simpl.
                simpl; rewrite Hdestruct18.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                rewrite ZMap.gso; auto.
                unfold B_GetContainerUsed´ in AC_re.
                rewrite Hdestruct11 in AC_re.
                rewrite Hdestruct18 in AC_re.
                auto.
              - rewrite zeq_false; auto.
                rewrite zeq_false in ti_re; auto.
              - unfold pperm_inject.
                intros.
                generalize (pperm_re i0); intros.
                case_eq (zeq i0 z); intros; subst.
                { rewrite ZMap.gss.
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H3; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H3; auto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H3.
                    inv H3.
                    rewrite <- big_log_re; auto. }
                  rewrite H3 in H.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; eauto. }
                { rewrite ZMap.gso; auto. }
              - rewrite Hdestruct18; auto.
              - rewrite Hdestruct18; auto.
              - rewrite zeq_false in ipt_re; auto; rewrite zeq_false; auto.
              - rewrite zeq_false in intr_flag_re; auto; rewrite zeq_false; auto.
              - rewrite zeq_false in in_intr_re; auto; rewrite zeq_false; auto.
              - unfold relate_SyncChanPool_per_pd; simpl; rewrite Hdestruct18.
                rewrite Hflag_CPU_ID; rewrite zeq_true; auto.
              - unfold relate_uctxt_per_pd in *; simpl.
                simpl; rewrite Hdestruct18.
                erewrite HGetUsedpreserve_double; eauto; [ | inv sh_shared_inv_re; auto].
                unfold B_GetContainerUsed´ in uctxt_re; rewrite Hdestruct11 in uctxt_re.
                rewrite Hdestruct18 in uctxt_re.
                auto.
              - auto.
              - auto.
              - auto.
              - inv inv_re; constructor; simpl; auto.
              - constructor. }
          - inv sh_shared_inv_re.
            constructor; simpl; auto.
            + assert (∀ i : ZIndexed.t,
                         ZMap.get i (AbstractDataType.pperm a) = PGUndef →
                         ∀ res,
                           ZMap.get res (AbstractDataType.HP a) =
                           ZMap.get res (FlatMem.free_page i (AbstractDataType.HP a))).
              { intros; apply dirty_page_shared_inv; auto. }
              intros.
              exploit single_dirty_ppage´_gso_alloc.
              { unfold single_dirty_ppage´.
                apply H. }
              { exact H1. }
              { intros.
                apply H2. }
            + rewrite Hdestruct8; intro contra; inv contra.
            + rewrite Hdestruct8; intro contra; inv contra.
            + rewrite Hflag_CPU_ID.
              rewrite zeq_true.
              intros.
              unfold B_inLock in syncchpool_inv.
              rewrite Hdestruct11, Hdestruct6 in syncchpool_inv.
              apply syncchpool_inv in H.
              rewrite <- H.
              symmetry.
              rewrite e.
              rewrite <- Hflag_CPU_ID.
              unfold B_GetlastPush.
              erewrite single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
              assert (B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                        (big_oracle (update init_shared_adt l)
                                                    (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                      B_GetlastPush_aux (CPU_ID (update init_shared_adt l))
                                        (TBEVENT (CPU_ID (update init_shared_adt l))
                                                 (TBSHARED
                                                    (BPALLOCE
                                                       (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                 (cid (update init_shared_adt l))) z))
                                                 :: big_oracle (update init_shared_adt l)
                                                 (CPU_ID (update init_shared_adt l)) l0 ++ l0)).
              { simpl; auto. }
              rewrite H1.
              clear H1.
              eapply single_big_oracle_query_preserves_B_GetlastPush_aux; eauto.
            + intros.
              apply container_used_inv in H.
              unfold B_GetContainerUsed´ in H.
              rewrite Hdestruct11 in H.
              rewrite e.
              erewrite HGetUsedpreserve_double; eauto.
              case_eq (zeq tid (Int.unsigned n)); intros; subst.
              × rewrite e.
                rewrite ZMap.gss.
                simpl.
                rewrite <- Hdestruct12.
                auto.
              × rewrite <- e.
                rewrite ZMap.gso; auto.
            + intros.
              apply uctxt_used_inv.
              unfold B_GetContainerUsed´.
              rewrite Hdestruct11.
              rewrite <- H.
              rewrite e.
              symmetry.
              apply HGetUsedpreserve_double; eauto.
            + assert (valid_AT_log_type_B (BigDef (TBEVENT (CPU_ID (update init_shared_adt l))
                                                           (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                           :: big_oracle (update init_shared_adt l)
                                                           (CPU_ID (update init_shared_adt l)) l0 ++ l0))).
              { unfold valid_AT_log_type_B.
                intros; inv Hdef.
                unfold valid_AT_log_B.
                unfold B_CalAT_log_real.
                unfold B_CalAT_log_real in Hdestruct13.
                simpl.
                rewrite Hdestruct13.
                rewrite zeq_false; auto.
                destruct a1 as (a1´ & a1´´ & a1´´´).
                rewrite a1´´.
                esplit; auto. }
              unfold valid_AT_log_type_B.
              intros.
              inversion Hdef; substx.
              destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
              clear Hdef.
              rewrite sh_big_oracle_re in ×.
              rewrite sh_CPU_ID_re in ×.
              replace (AbstractDataType.big_oracle a) with
                  (AbstractDataType.big_oracle a
                                               {big_log: BigDef
                                                           (TBEVENT (AbstractDataType.CPU_ID a)
                                                                    (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                                    :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                    l0 ++ l0)}) in H, Htemp3.
              unfold valid_AT_oracle_B in Htemp3.
              unfold valid_AT_log_type_B in H.
              exploit H; intros.
              reflexivity.
              generalize (Htemp3 _ (AbstractDataType.CPU_ID a) H1); intros Hvalid_oracle_log.
              unfold valid_AT_log_B in ×.
              revert Hvalid_oracle_log.
              unfold B_CalAT_log_real.
              simpl.
              intros.
              destruct Hvalid_oracle_log.
              rewrite H2.
              esplit; auto.
            + assert (valid_TCB_log_type_B (BigDef (TBEVENT (AbstractDataType.CPU_ID a)
                                                            (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                            :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                            l0 ++ l0))).
              { unfold valid_TCB_log_type_B.
                intros ? Hdef.
                inv Hdef.
                destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                unfold valid_TCB_oracle_B in Htemp2.
                generalize (valid_TCB_log_inv _ Hdestruct11); intros Hvalid_log.
                generalize (Htemp2 l0 (CPU_ID (update init_shared_adt l)) Hvalid_log); intros Hvalid_oracle_log.
                unfold valid_TCB_log_B in ×.
                revert Hvalid_oracle_log.
                unfold B_CalTCB_log_real.
                unfold B_CalTCB_log.
                simpl.
                rewrite sh_big_oracle_re in ×.
                rewrite sh_CPU_ID_re in ×.
                clear.
                intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
                subdestruct.
                inv H.
                esplit; auto. }
              unfold valid_TCB_log_type_B.
              intros.
              inversion Hdef; substx.
              destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
              clear Hdef.
              rewrite sh_big_oracle_re in ×.
              rewrite sh_CPU_ID_re in ×.
              replace (AbstractDataType.big_oracle a) with
                  (AbstractDataType.big_oracle a
                                               {big_log: BigDef
                                                           (TBEVENT (AbstractDataType.CPU_ID a)
                                                                    (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                                                    :: AbstractDataType.big_oracle a (AbstractDataType.CPU_ID a)
                                                                    l0 ++ l0)}) in H, Htemp2.
              unfold valid_TCB_oracle_B in Htemp2.
              unfold valid_TCB_log_type_B in H.
              exploit H; intros.
              reflexivity.
              generalize (Htemp2 _ (AbstractDataType.CPU_ID a) H1); intros Hvalid_oracle_log.
              unfold valid_TCB_log_B in ×.
              revert Hvalid_oracle_log.
              unfold B_CalTCB_log_real.
              unfold B_CalTCB_log.
              simpl.
              clear.
              intros Hvalid_oracle_log; destruct Hvalid_oracle_log.
              subdestruct.
              esplit; auto.
            + intros.
              inv H1.
              unfold B_CalAT_log_real in H2.
              simpl in H2.
              subdestruct.
              inv H2.
              case_eq (zeq i z); intros; subst.
              { inv H1.
                assert (∃ atable´,
                           B_CalAT_log (TBEVENT (CPU_ID (update init_shared_adt l))
                                                (TBSHARED
                                                   (BPALLOCE
                                                      (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                (AbstractDataType.cid a)) z))
                                                :: big_oracle (update init_shared_adt l)
                                                (CPU_ID (update init_shared_adt l)) l0 ++ l0)
                                       (real_AT (ZMap.init ATUndef)) =
                           Some atable´).
                { eauto using B_CalAT_log_sub_log_exist. }
                destruct H1.
                assert (ZMap.get z x = ATValid true ATNorm).
                simpl in H1.
                unfold B_CalAT_log_real in Hdestruct13.
                rewrite Hdestruct13 in H1.
                rewrite zeq_false in H1; auto.
                destruct a1 as (? & a1´ & ?).
                rewrite a1´ in H1.
                inv H1.
                rewrite ZMap.gss; auto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct22 z) in H2; auto. }
              { intros.
                rewrite ZMap.gso in H; eauto.
                inv H1.
                destruct big_oracle_inv as (Htemp1 & Htemp2 & Htemp3 & Htemp4).
                unfold valid_AT_oracle_B in Htemp3.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                generalize (valid_AT_log_inv l0 Hdestruct11); intros Hvalid_AT_log.
                generalize (Htemp3 _ (CPU_ID (update init_shared_adt l)) Hvalid_AT_log);
                  intros Hvalid_AT_oracle_res.
                unfold valid_AT_log_type_B in valid_AT_log_inv.
                unfold valid_AT_log_B in valid_AT_log_inv.
                destruct Hvalid_AT_log as (at0 & Hvalid_AT_log).
                eapply (valid_B_Cal_AT_log_inv i l0 at0) in H; eauto.
                assert (∃ atable´,
                           B_CalAT_log (TBEVENT (CPU_ID (update init_shared_adt l))
                                                (TBSHARED
                                                   (BPALLOCE
                                                      (ZMap.get (CPU_ID (update init_shared_adt l))
                                                                (AbstractDataType.cid a)) z))
                                                :: big_oracle (update init_shared_adt l)
                                                (CPU_ID (update init_shared_adt l)) l0 ++ l0)
                                       (real_AT (ZMap.init ATUndef)) =
                           Some atable´).
                { eauto using B_CalAT_log_sub_log_exist. }
                destruct H1.
                assert (ZMap.get i x = ATValid true ATNorm).
                simpl in H1.
                unfold B_CalAT_log_real in Hdestruct13.
                case_eq (B_CalAT_log (big_oracle (update init_shared_adt l)
                                                 (CPU_ID (update init_shared_adt l)) l0 ++ l0)
                                     (real_AT (ZMap.init ATUndef))); intros.
                rewrite H2 in H1.
                rewrite zeq_false in H1; auto.
                subdestruct.
                inv H1.
                rewrite ZMap.gso; auto.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ Hvalid_AT_log H2 i H); eauto.
                rewrite H2 in H1.
                inv H1.
                unfold B_CalAT_log_real in H2, Hdestruct18.
                simpl in H2, Hdestruct18.
                eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H1 Hdestruct22 i) in H2; auto.
                rewrite <- sh_big_log_re.
                auto. }
          - inv sh_mem_inv_re.
            constructor; simpl; auto.
            intros.
            case_eq (zeq i (Int.unsigned n)).
            { intros; subst.
              rewrite ZMap.gss in H1.
              inv H1; subst; simpl.
              simpl in H3.
              case_eq (zeq j (Int.unsigned n)).
              { intros; subst; simpl.
                rewrite ZMap.gss in H2.
                inv H2; simpl.
                elim H; reflexivity. }
              { intros; rewrite ZMap.gso in H2; auto.
                case_eq (zeq j0 z); intros.
                - subst.
                  rewrite ZMap.gss in H3.
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H7; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H7.
                    inv H7.
                    rewrite <- sh_big_log_re; auto. }
                  intros.
                  generalize (per_data_re j).
                  rewrite H2.
                  intros.
                  inv H8.
                  generalize (pperm_re z).
                  intros.
                  rewrite H7 in H8.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; try (inv H8; fail).
                  reflexivity.
                - rewrite ZMap.gso in H3; auto.
                  eapply pperm_disjoint in H2; eauto.
                  rewrite e; eauto. } }
            { intros; subst; rewrite ZMap.gso in H1; auto.
              case_eq (zeq j (Int.unsigned n)); intros; subst.
              - rewrite ZMap.gss in H2.
                inv H2; simpl.
                case_eq (zeq j0 z); intros; subst.
                + rewrite ZMap.gss.
                  assert (ZMap.get z (AbstractDataType.pperm a) = PGUndef).
                  { inv sh_shared_inv_re.
                    assert (Htemp: ZMap.get z (AbstractDataType.pperm a) = PGUndef ∨
                                   ZMap.get z (AbstractDataType.pperm a) ≠ PGUndef).
                    { destruct (ZMap.get z (AbstractDataType.pperm a)); eauto.
                      right.
                      intro contra.
                      inv contra.
                      right.
                      intro contra.
                      inv contra. }
                    destruct Htemp; eauto.
                    unfold valid_AT_log_type_B in valid_AT_log_inv.
                    unfold valid_AT_log_B in valid_AT_log_inv.
                    destruct (valid_AT_log_inv l0 Hdestruct11) as (at´ & H8).
                    eapply valid_B_Cal_AT_log_inv in H7; eauto.
                    eapply (B_CalAT_log_keeps_allocated_pages _ _ _ _ _ H8 Hdestruct13 z) in H7; eauto.
                    destruct a1 as (? & a1´ & ?).
                    rewrite a1´ in H7.
                    inv H7.
                    rewrite <- sh_big_log_re; auto. }
                  intros.
                  generalize (per_data_re i).
                  rewrite H1.
                  intros.
                  inv H8.
                  generalize (pperm_re z).
                  intros.
                  rewrite H7 in H8.
                  repeat match goal with
                         | [H: context[if _ then _ else _] |- _] ⇒ clear H
                         end.
                  subdestruct; try (inv H8; fail).
                  elim H3; reflexivity.
                + rewrite ZMap.gso; auto.
                  eapply (pperm_disjoint i (Int.unsigned n)) in H3; eauto.
                  rewrite e; auto.
              - rewrite ZMap.gso in H2; auto.
                eapply (pperm_disjoint i j); eauto. }
    Qed.

  Lemma eq_shared_data :
    ∀ sd l l´, (sd { sh_big_log:l}) { sh_big_log: l´} = (sd {sh_big_log : l´}).
  Proof.
    intros.
    unfold sh_update_big_log; simpl.
    auto.
  Qed.

  Lemma eq_priv_data:
    ∀ d pperm1 ac1 pperm2 ac2 hp1 pperm3 ptpool1,
     ((((((d {pv_pperm: pperm1}) {pv_AC : ac1}) {pv_pperm : pperm2})
          {pv_AC : ac2}) {pv_HP: hp1}) {pv_pperm: pperm3}) {pv_ptpool : ptpool1} =
     (((d {pv_AC: ac2}) {pv_HP: hp1}) {pv_pperm: pperm3}) {pv_ptpool : ptpool1}.
  Proof.
    intros.
    destruct d.
    simpl.
    unfold pv_update_ptpool.
    simpl.
    auto.
  Qed.


  Lemma second_step_palloc_ok:
    ∀
      (l : Log)
      (dp : ZMap.t (option privData))
  (a : RData)
  (n : int)
  (vadr : int)
  (perm : int)
  (d : privData)
  (d´ : privData)
  (ds´ : sharedData)
  (res : Z)
  (kctxt_pool : KContextPool)
  (z : Z)
  (in_event : has_event pt_resv = true)
  (prim_num : prim_id_num pt_resv = 2)
  (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
  (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
  (e : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
  (e0 : Int.unsigned n = ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
  (Hdestruct1 : zeq (Int.unsigned n)
                 (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
               left e0)
  (Hdestruct : True)
  (Hdestruct3 : ikern d = true)
  (Hdestruct4 : ihost d = true)
  (Hdestruct5 : ipt d = true)
  (l0 : BigLog)
  (Hdestruct11 : big_log (update init_shared_adt l) = BigDef l0)
  (Hdestruct6 : B_inLock_aux (CPU_ID (update init_shared_adt l)) l0 = false)
  (Hdestruct7 : (cusage (AC d) <? cquota (AC d)) = true)
  (Hdestruct8 : init (update init_shared_adt l) = true)
  (Hdestruct9 : pg (update init_shared_adt l) = true)
  (Hdestruct10 : ZMap.get 0 (lock (update init_shared_adt l)) = LockFalse)
  (Hdestruct12 : B_GetContainerUsed
                  (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                  (CPU_ID (update init_shared_adt l)) l0 = true)
  (a0 : ATable)
  (Hdestruct13 : B_CalAT_log_real
                  (big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) =
                Some a0)
  (n0 : z ≠ 0)
  (Hdestruct2 : zeq z 0 = right n0)
  (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
  (HGetUsed´ : B_GetContainerUsed (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (CPU_ID (update init_shared_adt l)) l0 = true)
  (Hcused : cused
             (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                (AbstractDataType.AC a)) = true)
  (HAC_eq : AC d =
           ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
             (AbstractDataType.AC a))
  (Hper_data_rel : relate_RData_per_pd
                    (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                    (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                       kctxt_pool) (update init_shared_adt l) d a)
  (a1 : 0 < z < nps (update init_shared_adt l) ∧
       ZMap.get z a0 = ATValid false ATNorm ∧
       (∀ x : Z, 0 < x < z → ZMap.get x a0 ≠ ATValid false ATNorm))
  (Hdestruct14 : first_free a0 (nps (update init_shared_adt l)) =
                inleft
                  (exist
                     (fun n1 : Z ⇒
                      0 < n1 < nps (update init_shared_adt l) ∧
                      ZMap.get n1 a0 = ATValid false ATNorm ∧
                      (∀ x : Z, 0 < x < n1 → ZMap.get x a0 ≠ ATValid false ATNorm)) z a1))
  (n1 : z ≠ 0)
  (Hdestruct16 : zeq z 0 = right n1)
  (Hdestruct0 : pt_Arg (Int.unsigned n) (Int.unsigned vadr) z (nps (update init_shared_adt l)) = true)
  (p : PTPerm)
  (Hdestruct15 : ZtoPerm (Int.unsigned perm) = Some p)
  (Hdestruct17 : ZMap.get (PDX (Int.unsigned vadr)) (ZMap.get (Int.unsigned n) (ptpool d)) = PDEUnPresent)
  (p0 : PData × Z)
  (p1 : PData)
  (z0 : Z)
  (Hdestruct19 : p0 = (p1, z0))
  (Hdestruct18 : single_big_ptAllocPDE_spec (Int.unsigned n)
                  (Int.unsigned vadr)
                  ((update init_shared_adt l) { sh_big_log
                   : BigDef
                       (TBEVENT (CPU_ID (update init_shared_adt l))
                          (TBSHARED
                             (BPALLOCE
                                (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                z))
                        :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)},
                  (d { pv_pperm : ZMap.set z PGAlloc (pperm d)}) { pv_AC
                  : {|
                    cquota := cquota (AC d);
                    cusage := cusage (AC d) + 1;
                    cparent := cparent (AC d);
                    cchildren := cchildren (AC d);
                    cused := cused (AC d) |}}) = Some (p1, z0))
  (n2 : z0 ≠ 0)
  (Hdestruct20 : zeq z0 0 = right n2)
  (p2 : PData)
  (Hdestruct21 : single_ptInsertPTE0_spec (Int.unsigned n) (Int.unsigned vadr) z p p1 = Some p2)
  (H1 : Some (p2, z0) = Some (ds´, d´, res))
  (Hflag_ikern : ikern d = AbstractDataType.ikern a)
  (Hflag_ihost : ihost d = AbstractDataType.ihost a)
  (Hflag_pg : pg (update init_shared_adt l) = AbstractDataType.pg a)
  (Hflag_ipt : ipt d = AbstractDataType.ipt a)
  (Hflag_CPU_ID : CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a)
  (Hflag_nps : nps (update init_shared_adt l) = AbstractDataType.nps a)
  (Hflag_big_log : big_log (update init_shared_adt l) = AbstractDataType.big_log a)
  (Hflag_big_oracle : big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a)
  (Hflag_lock : lock (update init_shared_adt l) = AbstractDataType.lock a)
  (Hflag_ptp : ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a)),
   ∃ (a´ : RData) (res´ : Z),
     match
       big_ptAllocPDE_spec (Int.unsigned n) (Int.unsigned vadr)
         (((a {big_log
            : BigDef
                (TBEVENT (CPU_ID (update init_shared_adt l))
                   (TBSHARED
                      (BPALLOCE (ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a)) z))
                 :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}) {LAT
           : ZMap.set z (LATCValid nil) (LAT a)}) {pperm :
          ZMap.set z PGAlloc (AbstractDataType.pperm a)}) {AC
         : ZMap.set (Int.unsigned n)
             {|
             cquota := cquota (AC d);
             cusage := cusage (AC d) + 1;
             cparent := cparent (AC d);
             cchildren := cchildren (AC d);
             cused := true |} (AbstractDataType.AC a)}
     with
     | Some (adt´, v) ⇒
         if zeq v 0
         then Some (adt´, MagicNumber)
         else
          match ptInsertPTE0_spec (Int.unsigned n) (Int.unsigned vadr) z p adt´ with
          | Some adt´´ ⇒ Some (adt´´, v)
          | None ⇒ None
          end
     | None ⇒ None
     end = Some (a´, res´) ∧
     relate_RData kctxt_pool
       match
         match
           match
             single_big_palloc_spec_test (Int.unsigned n)
               ((update init_shared_adt l) { sh_big_log
                : BigDef
                    (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                     :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)},
               (d { pv_pperm : ZMap.set z PGAlloc (pperm d)}) { pv_AC
               : {|
                 cquota := cquota (AC d);
                 cusage := cusage (AC d) + 1;
                 cparent := cparent (AC d);
                 cchildren := cchildren (AC d);
                 cused := cused (AC d) |}})
           with
           | 0 ⇒ 3
           | Z.pos _~1 ⇒ 42
           | Z.pos _~1~0 ⇒ 42
           | Z.pos _~0~0 ⇒ 42
           | 2 ⇒ 2
           | 1 ⇒ 4
           | Z.neg _ ⇒ 42
           end
         with
         | 0 ⇒
             Some
               (update init_shared_adt l) { sh_big_log
               : BigDef
                   (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) 0))
                    :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
         | Z.pos _~1~1 ⇒ None
         | Z.pos _~0~1 ⇒ None
         | 3 ⇒
             Some
               ((update init_shared_adt l) { sh_big_log
                : BigDef
                    (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                     :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}) {
               sh_big_log
               : BigDef
                   (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) 0))
                    :: big_oracle (update init_shared_adt l)
                         (CPU_ID (update init_shared_adt l))
                         (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                          :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                       TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                       :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
         | Z.pos _~1~0 ⇒ None
         | Z.pos _~1~0~0 ⇒ None
         | Z.pos _~0~0~0 ⇒ None
         | 4 ⇒
             match
               match
                 B_CalAT_log_real
                   (big_oracle (update init_shared_adt l)
                      (CPU_ID (update init_shared_adt l))
                      (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                       :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                    TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                    :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)
               with
               | Some a2 ⇒
                   match first_free a2 (nps (update init_shared_adt l)) with
                   | inleft (exist i _) ⇒
                       Some
                         (((update init_shared_adt l) { sh_big_log
                           : BigDef
                               (TBEVENT (CPU_ID (update init_shared_adt l))
                                  (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++
                                   l0)}) { sh_big_log
                          : BigDef
                              (TBEVENT (CPU_ID (update init_shared_adt l))
                                 (TBSHARED (BPALLOCE (Int.unsigned n) i))
                               :: big_oracle (update init_shared_adt l)
                                    (CPU_ID (update init_shared_adt l))
                                    (TBEVENT (CPU_ID (update init_shared_adt l))
                                       (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                     :: big_oracle
                                          (update init_shared_adt l)
                                          (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                                  TBEVENT (CPU_ID (update init_shared_adt l))
                                    (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                  :: big_oracle (update init_shared_adt l)
                                       (CPU_ID (update init_shared_adt l)) l0 ++ l0)}, i)
                   | inright _ ⇒
                       Some
                         (((update init_shared_adt l) { sh_big_log
                           : BigDef
                               (TBEVENT (CPU_ID (update init_shared_adt l))
                                  (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++
                                   l0)}) { sh_big_log
                          : BigDef
                              (TBEVENT (CPU_ID (update init_shared_adt l))
                                 (TBSHARED (BPALLOCE (Int.unsigned n) 0))
                               :: big_oracle (update init_shared_adt l)
                                    (CPU_ID (update init_shared_adt l))
                                    (TBEVENT (CPU_ID (update init_shared_adt l))
                                       (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                     :: big_oracle
                                          (update init_shared_adt l)
                                          (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                                  TBEVENT (CPU_ID (update init_shared_adt l))
                                    (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                  :: big_oracle (update init_shared_adt l)
                                       (CPU_ID (update init_shared_adt l)) l0 ++ l0)}, 0)
                   end
               | None ⇒ None
               end
             with
             | Some (adt´´, _) ⇒ Some adt´´
             | None ⇒ None
             end
         | 2 ⇒
             Some
               (update init_shared_adt l) { sh_big_log
               : BigDef
                   (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                    :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
         | 1 ⇒ None
         | Z.neg _ ⇒ None
         end
       with
       | Some adt´´ ⇒ adt´´
       | None ⇒ update init_shared_adt l
       end (ZMap.set (Int.unsigned n) (Some d´) dp) a´ ∧
     kctxt a = kctxt a´ ∧
     ds´ =
     match
       match
         match
           single_big_palloc_spec_test (Int.unsigned n)
             ((update init_shared_adt l) { sh_big_log
              : BigDef
                  (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                   :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)},
             (d { pv_pperm : ZMap.set z PGAlloc (pperm d)}) { pv_AC
             : {|
               cquota := cquota (AC d);
               cusage := cusage (AC d) + 1;
               cparent := cparent (AC d);
               cchildren := cchildren (AC d);
               cused := cused (AC d) |}})
         with
         | 0 ⇒ 3
         | Z.pos _~1 ⇒ 42
         | Z.pos _~1~0 ⇒ 42
         | Z.pos _~0~0 ⇒ 42
         | 2 ⇒ 2
         | 1 ⇒ 4
         | Z.neg _ ⇒ 42
         end
       with
       | 0 ⇒
           Some
             (update init_shared_adt l) { sh_big_log
             : BigDef
                 (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) 0))
                  :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
       | Z.pos _~1~1 ⇒ None
       | Z.pos _~0~1 ⇒ None
       | 3 ⇒
           Some
             ((update init_shared_adt l) { sh_big_log
              : BigDef
                  (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                   :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}) {
             sh_big_log
             : BigDef
                 (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) 0))
                  :: big_oracle (update init_shared_adt l)
                       (CPU_ID (update init_shared_adt l))
                       (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                        :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                     TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                     :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
       | Z.pos _~1~0 ⇒ None
       | Z.pos _~1~0~0 ⇒ None
       | Z.pos _~0~0~0 ⇒ None
       | 4 ⇒
           match
             match
               B_CalAT_log_real
                 (big_oracle (update init_shared_adt l)
                    (CPU_ID (update init_shared_adt l))
                    (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                     :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                  TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                  :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)
             with
             | Some a2 ⇒
                 match first_free a2 (nps (update init_shared_adt l)) with
                 | inleft (exist i _) ⇒
                     Some
                       (((update init_shared_adt l) { sh_big_log
                         : BigDef
                             (TBEVENT (CPU_ID (update init_shared_adt l))
                                (TBSHARED (BPALLOCE (Int.unsigned n) z))
                              :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++
                                 l0)}) { sh_big_log
                        : BigDef
                            (TBEVENT (CPU_ID (update init_shared_adt l))
                               (TBSHARED (BPALLOCE (Int.unsigned n) i))
                             :: big_oracle (update init_shared_adt l)
                                  (CPU_ID (update init_shared_adt l))
                                  (TBEVENT (CPU_ID (update init_shared_adt l))
                                     (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                   :: big_oracle (update init_shared_adt l)
                                        (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                                TBEVENT (CPU_ID (update init_shared_adt l))
                                  (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++
                                   l0)}, i)
                 | inright _ ⇒
                     Some
                       (((update init_shared_adt l) { sh_big_log
                         : BigDef
                             (TBEVENT (CPU_ID (update init_shared_adt l))
                                (TBSHARED (BPALLOCE (Int.unsigned n) z))
                              :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++
                                 l0)}) { sh_big_log
                        : BigDef
                            (TBEVENT (CPU_ID (update init_shared_adt l))
                               (TBSHARED (BPALLOCE (Int.unsigned n) 0))
                             :: big_oracle (update init_shared_adt l)
                                  (CPU_ID (update init_shared_adt l))
                                  (TBEVENT (CPU_ID (update init_shared_adt l))
                                     (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                   :: big_oracle (update init_shared_adt l)
                                        (CPU_ID (update init_shared_adt l)) l0 ++ l0) ++
                                TBEVENT (CPU_ID (update init_shared_adt l))
                                  (TBSHARED (BPALLOCE (Int.unsigned n) z))
                                :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++
                                   l0)}, 0)
                 end
             | None ⇒ None
             end
           with
           | Some (adt´´, _) ⇒ Some adt´´
           | None ⇒ None
           end
       | 2 ⇒
           Some
             (update init_shared_adt l) { sh_big_log
             : BigDef
                 (TBEVENT (CPU_ID (update init_shared_adt l)) (TBSHARED (BPALLOCE (Int.unsigned n) z))
                  :: big_oracle (update init_shared_adt l) (CPU_ID (update init_shared_adt l)) l0 ++ l0)}
       | 1 ⇒ None
       | Z.neg _ ⇒ None
       end
     with
     | Some adt´´ ⇒ adt´´
     | None ⇒ update init_shared_adt l
     end ∧
     res = res´ ∧
     ZMap.get (CPU_ID (update init_shared_adt l)) (AbstractDataType.cid a) =
     ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
  Proof.
    intros.
      unfold big_ptAllocPDE_spec; simpl.
      unfold ptInsertPTE0_spec; simpl.
      unfold single_big_ptAllocPDE_spec in Hdestruct18.
      rewrite <- Hflag_ikern, <- Hflag_ihost, <- Hflag_pg, <- Hflag_ipt.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct9.
      rewrite ZMap.gss; simpl; auto.
      rewrite <- Hflag_ptp.
      rewrite Hdestruct17.
      inv Hdestruct19.
      unfold single_big_ptAllocPDE_spec in Hdestruct18; simpl in Hdestruct18.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct8, Hdestruct9, Hdestruct17 in Hdestruct18.
      unfold single_big_palloc_spec in *; simpl in ×.
      rewrite e in Hdestruct18; rewrite zeq_true in Hdestruct18.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5 in Hdestruct18.
      rewrite zeq_true in Hdestruct18.
      erewrite HGetUsedpreserve in Hdestruct18; eauto; [ | inv H; inv sh_shared_inv_re; auto].
      rewrite Hdestruct12 in Hdestruct18.
      unfold single_big_palloc_spec_share in Hdestruct18; simpl in Hdestruct18.
      rewrite Hdestruct8, Hdestruct9, Hdestruct10 in Hdestruct18.
      unfold big_palloc_spec; simpl.
      unfold single_big_palloc_spec_test; simpl.
      rewrite <- Hflag_ikern, <- Hflag_ihost, <- Hflag_pg, <- Hflag_ipt, <- Hflag_lock.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct9, Hdestruct10.
      rewrite ZMap.gss.
      simpl.
      rewrite e.
      erewrite HGetUsedpreserve; eauto; [ | inv H; inv sh_shared_inv_re; auto].
      rewrite Hdestruct12.
      subdestruct.
      { inv Hdestruct18; simpl; subst.
        omega. }
      { inv Hdestruct18; subst.
        inv H1.
        rewrite <- e.
        rewrite Hflag_CPU_ID.
        rewrite Hflag_big_oracle in Hdestruct23.
        assert (Hflag_cid: (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
                           (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a))).
        { inv H.
          rewrite Hdestruct8 in sh_cid_re.
          auto. }
        rewrite <- Hflag_CPU_ID.
        rewrite Hflag_cid in Hdestruct23.
        rewrite Hflag_CPU_ID in Hdestruct23.
        rewrite Hflag_big_oracle.
        rewrite <- Hflag_nps.
        rewrite Hflag_CPU_ID.
        rewrite Hdestruct23, Hdestruct24.
        rewrite zeq_false; auto.
        rewrite ZMap.set2; auto.
        simpl.
        rewrite <- Hflag_nps, <- Hflag_pg, <- Hflag_ikern, <- Hflag_ihost, <- Hflag_ipt.
        rewrite Hdestruct3, Hdestruct4, Hdestruct5.
        rewrite zeq_false; auto.
        rewrite Hdestruct0, Hdestruct9.
        rewrite ZMap.gss.
        rewrite ZMap.gss.
        assert (pperm_disjoint: res ≠ z).
        { assert (z ≠ 0) by omega.
          assert (res ≠ 0) by omega.
          eapply (single_big_palloc_inv_disjoint_prop (Int.unsigned n) ((update init_shared_adt l), d));
            eauto.
          unfold single_big_palloc_spec.
          simpl.
          rewrite e; rewrite zeq_true.
          rewrite Hdestruct3, Hdestruct4, Hdestruct5.
          unfold B_inLock; rewrite Hdestruct11; rewrite Hdestruct6, Hdestruct12, Hdestruct7.
          unfold single_big_palloc_spec_share.
          rewrite Hdestruct8, Hdestruct9, Hdestruct10, Hdestruct11.
          rewrite zeq_true.
          rewrite Hdestruct13, Hdestruct14.
          rewrite zeq_false; auto.
          unfold single_big_palloc_spec.
          simpl.
          rewrite e; rewrite zeq_true.
          rewrite Hdestruct3, Hdestruct4, Hdestruct5.
          rewrite zeq_true; auto.
          rewrite HGetUsedpreserve.
          rewrite Hdestruct12, Hdestruct22.
          unfold single_big_palloc_spec_share; simpl.
          rewrite Hdestruct8, Hdestruct9, Hdestruct10.
          rewrite Hflag_cid, Hflag_CPU_ID, Hflag_big_oracle.
          rewrite Hdestruct23, Hdestruct24.
          rewrite zeq_false; auto.
          inv H; inv sh_shared_inv_re; auto.
          auto. }


        
        rewrite ZMap.gso; auto.
        rewrite ZMap.gss.
        rewrite ZMap.gso; auto.
        rewrite ZMap.gso; auto.
        rewrite ZMap.gss.
        rewrite eq_shared_data in Hdestruct21.
        rewrite eq_shared_data.
        rewrite eq_priv_data in Hdestruct21.

        unfold single_ptInsertPTE0_spec in Hdestruct21.


        Opaque CalRealInitPTE.real_init_PTE.
        Opaque FlatMem.free_page.
        simpl in Hdestruct21.
        rewrite Hdestruct3, Hdestruct4, Hdestruct5 in Hdestruct21.
        rewrite Hdestruct8, Hdestruct9 in Hdestruct21.
        rewrite Hdestruct0 in Hdestruct21.
        rewrite e in Hdestruct21; rewrite ZMap.gss in Hdestruct21.
        rewrite ZMap.gss in Hdestruct21.
        rewrite ZMap.gso in Hdestruct21; auto.
        rewrite ZMap.gso in Hdestruct21; auto.
        rewrite ZMap.gss in Hdestruct21.
        simpl.
        rewrite zle_lt_true; [ | rewrite int_max; omega].
        subdestruct; inv Hdestruct21.


        -
          intros.
          eapply second_PTEUnPreSent; eauto.

        -
          intros.
          eapply second_PTEUndef; eauto. }

        
       { inv Hdestruct18; simpl; subst; omega. }
      { inv Hdestruct18; simpl; subst; omega. }
  Qed.

  Lemma big_ptResv_related_first_success:
    ∀ (l : Log) (dp : ZMap.t (option privData)) (a : RData) (n : int) (vadr : int)
           (perm : int) (d : privData) (d´ : privData) (ds´ : sharedData) (res : Z)
           (kctxt_pool : KContextPool) (p : PData × Z) (p0 : PData) (z : Z)
           (in_event : has_event pt_resv = true)
           (prim_num : prim_id_num pt_resv = 2)
           (H : relate_RData kctxt_pool (update init_shared_adt l) dp a)
           (H0 : ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) dp = Some d)
           (e : Int.unsigned n =
                ZMap.get (CPU_ID (fst (update init_shared_adt l, d))) (cid (fst (update init_shared_adt l, d))))
           (Hdestruct : zeq (Int.unsigned n)
                            (ZMap.get (CPU_ID (fst (update init_shared_adt l, d)))
                                      (cid (fst (update init_shared_adt l, d)))) =
                        left e)
           (Hdestruct1 : p = (p0, z))
           (Hdestruct0 : single_big_palloc_spec (Int.unsigned n) (update init_shared_adt l, d) = Some (p0, z))
           (n0 : z ≠ 0)
           (Hdestruct2 : zeq z 0 = right n0)
           (H1 : single_big_ptInsert_spec (Int.unsigned n) (Int.unsigned vadr) z (Int.unsigned perm) p0 =
                 Some (ds´, d´, res))
           (H5 : val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil))
           (HGetUsed´ : B_GetContainerUsed´
                          (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                          (CPU_ID (update init_shared_adt l))
                          (big_log (update init_shared_adt l)) = true)
           (Hcused : cused
                       (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                 (AbstractDataType.AC a)) = true)
           (HAC_eq : AC d =
                     ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (AbstractDataType.AC a))
           (Hper_data_rel : relate_RData_per_pd
                              (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                              (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                        kctxt_pool) (update init_shared_adt l) d a),
    ∃ (a´ : RData) (res´ : Z),
      match big_palloc_spec (Int.unsigned n) a with
      | Some (abd´, b) ⇒
        if zeq b 0
        then Some (abd´, MagicNumber)
        else big_ptInsert_spec (Int.unsigned n) (Int.unsigned vadr) b (Int.unsigned perm) abd´
      | None ⇒ None
      end = Some (a´, res´) ∧
      relate_RData kctxt_pool
                   (update init_shared_adt
                           (LEvent (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                   (LogPrim pt_resv (Lint n :: Lint vadr :: Lint perm :: nil)
                                            (single_big_ptResv_spec_test (Int.unsigned n)
                                                                         (Int.unsigned vadr) (Int.unsigned perm)
                                                                         (update init_shared_adt l, d)) (snap_func d)) :: l))
                   (ZMap.set (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) (Some d´) dp)
                   a´ ∧
      kctxt a = kctxt a´ ∧
      ds´ =
      update init_shared_adt
             (LEvent (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                     (LogPrim pt_resv (Lint n :: Lint vadr :: Lint perm :: nil)
                              (single_big_ptResv_spec_test (Int.unsigned n)
                (Int.unsigned vadr) (Int.unsigned perm)
                (update init_shared_adt l, d)) (snap_func d)) :: l) ∧
      res = res´ ∧
      ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a) =
      ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
  Proof.
    Transparent update uRData proc_id.
    intros; simpl.
    rewrite prim_num.
    simpl in ×.
    inv Hdestruct1.
    unfold single_big_palloc_spec in Hdestruct0.
    unfold single_big_palloc_spec_share in Hdestruct0; simpl in ×.
    subdestruct; [ omega | | inv Hdestruct0; omega | inv Hdestruct0; omega].
    inv Hdestruct0.
    subst.
    unfold big_palloc_spec.
    assert (Hflag: ikern d = AbstractDataType.ikern a ∧
                   ihost d = AbstractDataType.ihost a ∧
                   pg (update init_shared_adt l) = AbstractDataType.pg a ∧
                   ipt d = AbstractDataType.ipt a ∧
                   CPU_ID (update init_shared_adt l) = AbstractDataType.CPU_ID a ∧
                   nps (update init_shared_adt l) = AbstractDataType.nps a ∧
                   big_log (update init_shared_adt l) = AbstractDataType.big_log a ∧
                   big_oracle (update init_shared_adt l) = AbstractDataType.big_oracle a ∧
                   lock (update init_shared_adt l) = AbstractDataType.lock a ∧
                   ZMap.get (Int.unsigned n) (ptpool d) = ZMap.get (Int.unsigned n) (AbstractDataType.ptpool a)).
    { inv Hper_data_rel; simpl; auto.
      refine_split; try (rewrite zeq_true in *; auto).
      rewrite e.
      rewrite Hdestruct8 in ptp_re.
      auto. }
    destruct Hflag as (Hflag_ikern & Hflag_ihost & Hflag_pg & Hflag_ipt & Hflag_CPU_ID & Hflag_nps &
                       Hflag_big_log & Hflag_big_oracle & Hflag_lock & Hflag_ptp).
    rewrite e.
    rewrite Hcused.
    rewrite <- HAC_eq.
    rewrite <- e.
    rewrite <- Hflag_ikern, <- Hflag_ihost, <- Hflag_pg, <- Hflag_ipt,
    <- Hflag_nps, <- Hflag_big_oracle, <- Hflag_big_log, <- Hflag_lock, <- Hflag_CPU_ID.
    rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct11, Hdestruct9, Hdestruct10, Hdestruct13, Hdestruct14, Hdestruct7.
    rewrite zeq_false; auto.
    unfold single_big_ptResv_spec_test.
    unfold single_big_palloc_spec_share; simpl.
    unfold single_big_palloc_spec_test; simpl.
    unfold single_big_palloc_spec; simpl.
    rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct11, Hdestruct8, Hdestruct9, Hdestruct10, Hdestruct13, Hdestruct14, Hdestruct7, Hdestruct12.
    rewrite e; rewrite zeq_true; simpl.
    unfold B_inLock in Hdestruct6; rewrite Hdestruct6.
    unfold single_big_palloc_spec_share.
    rewrite Hdestruct8, Hdestruct9, Hdestruct10, Hdestruct11.
    rewrite zeq_true.
    rewrite Hdestruct13, Hdestruct14.
    rewrite zeq_false; auto.
    rewrite zeq_false; auto.
    rewrite zeq_false; auto.
    rewrite zeq_true.
    rewrite zeq_false; auto.
    rewrite zeq_false; auto.
    rewrite zeq_false; auto.
    unfold single_big_ptInsert_spec in H1; simpl in ×.
    rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct8, Hdestruct9 in H1.
    subdestruct;
      (unfold big_ptInsert_spec; unfold single_big_ptInsert_spec_test; simpl;
       rewrite <- Hflag_ikern, <- Hflag_ihost, <- Hflag_ipt, <- Hflag_pg;
       rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct9;
       rewrite <- Hflag_nps;
       rewrite <- e; rewrite Hdestruct0, Hdestruct17;
       rewrite <- Hflag_ptp; rewrite Hdestruct17, Hdestruct8, Hdestruct15).
    +
      inv H1.
      unfold single_ptInsertPTE0_spec in Hdestruct18; simpl in ×.
      rewrite Hdestruct0, Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct8, Hdestruct9, Hdestruct17 in Hdestruct18.
      rewrite ZMap.gss in Hdestruct18.
      unfold ptInsertPTE0_spec; simpl.
      rewrite <- Hflag_ikern, <- Hflag_ihost, <- Hflag_ipt, <- Hflag_pg.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct9.
      rewrite <- Hflag_nps.
      rewrite Hdestruct0.
      rewrite <- Hflag_ptp; rewrite Hdestruct17.
      rewrite ZMap.gss.
      rewrite ZMap.gss.
      simpl.
      assert (Htemp: 0 ≤ 0 < Int.max_unsigned).
      { rewrite int_max.
        omega. }
      rewrite zle_lt_true; auto.
      clear Htemp.
      subdestruct.

      ×
        eapply big_ptResv_related_PTEUnPreSent; eauto.

      ×
        eapply big_ptResv_related_PTEUndef; eauto.

    +
      unfold big_ptAllocPDE_spec; simpl.
      rewrite <- Hflag_ikern, <- Hflag_ihost, <- Hflag_pg, <- Hflag_ipt.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct9.

      rewrite ZMap.gss; simpl; auto.
      rewrite <- Hflag_ptp.
      rewrite Hdestruct17.
      inv Hdestruct19.
      unfold single_big_ptAllocPDE_spec in Hdestruct18; simpl in Hdestruct18.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct8, Hdestruct9, Hdestruct17 in Hdestruct18.
      unfold single_big_palloc_spec in *; simpl in ×.
      rewrite e in Hdestruct18; rewrite zeq_true in Hdestruct18.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5 in Hdestruct18.
      rewrite zeq_true in Hdestruct18.
      erewrite HGetUsedpreserve in Hdestruct18; eauto; [ | inv H; inv sh_shared_inv_re; auto].
      rewrite Hdestruct12 in Hdestruct18.
      unfold single_big_palloc_spec_share in Hdestruct18; simpl in Hdestruct18.
      rewrite Hdestruct8, Hdestruct9, Hdestruct10 in Hdestruct18.
      unfold big_palloc_spec; simpl.
      unfold single_big_palloc_spec_test; simpl.
      rewrite <- Hflag_ikern, <- Hflag_ihost, <- Hflag_pg, <- Hflag_ipt, <- Hflag_lock.
      rewrite Hdestruct3, Hdestruct4, Hdestruct5, Hdestruct9, Hdestruct10.
      rewrite ZMap.gss.
      simpl.
      rewrite e.
      erewrite HGetUsedpreserve; eauto; [ | inv H; inv sh_shared_inv_re; auto].
      rewrite Hdestruct12.

      subdestruct; subst.
      × destruct a3.
        omega.
      × inv Hdestruct18.
        destruct a3; omega.
      × simpl in *; inv Hdestruct18.
        inv H1.
        rewrite <- e.
        rewrite Hflag_CPU_ID.
        rewrite Hflag_big_oracle in Hdestruct22.
        assert (Hflag_cid: (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
                           (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a))).
        { inv H.
          rewrite Hdestruct8 in sh_cid_re.
          auto. }
        rewrite <- Hflag_CPU_ID.
        rewrite Hflag_cid in Hdestruct22.
        rewrite Hflag_CPU_ID in Hdestruct22.
        rewrite Hflag_big_oracle.
        rewrite <- Hflag_nps.
        rewrite Hflag_CPU_ID.
        rewrite Hdestruct22, Hdestruct23.
        rewrite zeq_true.
        rewrite zeq_true.

        esplit; esplit.
        refine_split; auto.
        { eapply first_success_match; eauto. }

      × simpl in *; inv Hdestruct18.
        inv H1.
        rewrite <- e.
        rewrite Hflag_CPU_ID.
        assert (Hflag_cid: (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) =
                           (ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a))).
        { inv H. rewrite Hdestruct8 in sh_cid_re. auto. }
        rewrite <- Hflag_CPU_ID.
        esplit; esplit.
        refine_split; auto.
        { eapply second_success_match; eauto. }
        { simpl.
          rewrite Hflag_CPU_ID; auto. }

    +
      eapply second_step_palloc_ok; eauto.
  Qed.


  Lemma big_ptResv_related:
    ∀ kctxt_pool l dp a n vadr perm d d´ ds´ choice optSync l´ res,
      relate_RData kctxt_pool (uRData l) dp a →
      ZMap.get (proc_id (uRData l)) dp = Some d →
      single_big_ptResv_spec (Int.unsigned n) (Int.unsigned vadr) (Int.unsigned perm) (uRData l, d) = Some (ds´, d´, res) →
      choice_check pt_resv (Lint n :: Lint vadr :: Lint perm :: nil) (uRData l) d = choice →
      sync_chpool_check pt_resv (Lint n :: Lint vadr :: Lint perm :: nil) (uRData l) d = optSync →
      l´ = LEvent (proc_id (uRData l)) (LogPrim pt_resv (Lint n :: Lint vadr :: Lint perm :: nil) choice
                                       (snap_func d)) :: l →
      val2Lval_list (Vint n :: Vint vadr :: Vint perm :: nil) (Lint n :: Lint vadr :: Lint perm :: nil) →
      ∃ (a´ : RData) res´,
        big_ptResv_spec (Int.unsigned n) (Int.unsigned vadr) (Int.unsigned perm) a = Some (a´, res´) ∧
        relate_RData kctxt_pool (uRData l´) (ZMap.set (proc_id (uRData l)) (Some d´) dp) a´ ∧
        kctxt a = kctxt a´ ∧ ds´ = uRData l´ ∧ res = res´ ∧
        ZMap.get (AbstractDataType.CPU_ID a) (AbstractDataType.cid a) =
        ZMap.get (AbstractDataType.CPU_ID a´) (AbstractDataType.cid a´).
  Proof.
    assert (in_event: has_event pt_resv = true) by (unfold has_event; auto).
    assert (prim_num: prim_id_num pt_resv = 2) by (unfold prim_id_num; simpl; auto).
    intros.

    assert (Hprops:init (update init_shared_adt l) = true ∧
                   B_GetContainerUsed´ (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l)))
                                       (CPU_ID (update init_shared_adt l))
                                       (big_log (update init_shared_adt l)) = true ∧
                   cused (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l))
                                             (cid (update init_shared_adt l))) (AbstractDataType.AC a)) = true ∧
                   AC d = ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l))
                                             (cid (update init_shared_adt l))) (AbstractDataType.AC a)).
    { assert (valid_procid: proc_id (uRData l) = main_thread ∨ TOTAL_CPU < proc_id (uRData l) < num_proc).
      { generalize (all_cid_in_full_thread_list l); intros.
        generalize (valid_thread_list (proc_id (uRData l))); intros.
        eapply H7 in H6.
        tauto. }
      generalize (per_data_re _ _ _ _ H (proc_id (uRData l))); intros Hper_data_rel.
      Transparent uRData proc_id update.
      simpl in Hper_data_rel, H0.
      assert (∃ a´ d´ res´, single_big_palloc_spec (Int.unsigned n) (uRData l, d) = Some ((a´, d´), res´)).
      { unfold single_big_ptResv_spec in H1; subdestruct; inv H1; inv H0; subst.
         ∃ ds´, d´, 0; auto.
         destruct p1.
         ∃ d0, d1, z; auto. }
      clear H1.
      destruct H6 as (a´& d´´&res´&H6).
      assert (init (update init_shared_adt l) = true).
      { unfold single_big_palloc_spec in H6; unfold single_big_palloc_spec_share in H6; subdestruct; simpl in *; auto. }
      split; auto.
      rewrite H0 in Hper_data_rel.
      assert (HgetUsed´: B_GetContainerUsed´ (ZMap.get (CPU_ID (update init_shared_adt l))
                                                       (cid (update init_shared_adt l)))
                                             (CPU_ID (update init_shared_adt l)) (big_log (update init_shared_adt l)) = true).
      { unfold B_GetContainerUsed´; unfold single_big_palloc_spec in H6; subdestruct; simpl; auto. }
      assert (AC_cused: cused (ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l))
                                                  (cid (update init_shared_adt l))) (AbstractDataType.AC a)) = true).
      { inv H.
        inv sh_shared_inv_re.
        generalize (container_used_inv (ZMap.get (CPU_ID (update init_shared_adt l))
                                                 (cid (update init_shared_adt l)))); intros.
        assert (In (ZMap.get (CPU_ID (update init_shared_adt l))
                             (cid (update init_shared_adt l))) full_thread_list).
        { generalize (all_cid_in_full_thread_list l).
          intros.
          simpl in H2; auto. }
        apply H in H2.
        simpl in H2.
        rewrite HgetUsed´ in H2.
        symmetry in H2; auto. }
      assert (AC_re´ : AC d = ZMap.get (ZMap.get (CPU_ID (update init_shared_adt l))
                                                 (cid (update init_shared_adt l))) (AbstractDataType.AC a)).
      { inv Hper_data_rel.
        repeat match goal with
                 | [H: context[if _ then _ else _] |- _] ⇒ clear H
               end.
        unfold relate_AC_per_pd in AC_re.
        rewrite HgetUsed´ in AC_re.
        rewrite H1 in AC_re.
        destruct valid_procid as [ valid_proc | valid_proc].
        × rewrite <- valid_proc in AC_re.
          rewrite zeq_true in AC_re.
          rewrite AC_re; auto.
        × destruct (zeq (ZMap.get (CPU_ID (update init_shared_adt l)) (cid (update init_shared_adt l))) main_thread); auto.
          rewrite zlt_lt_true in AC_re; auto. }
      tauto. }
    destruct Hprops as (_ & HGetUsed´ & Hcused & HAC_eq).

    unfold choice_check in H2.
    unfold sync_chpool_check in H3; simpl in ×.
    Transparent uRData proc_id update.
    unfold big_ptResv_spec.
    Opaque update.
    simpl; subst; simpl; rewrite prim_num.
    generalize (per_data_re _ _ _ _ H (proc_id (uRData l))); intros Hper_data_rel.
    unfold single_big_ptResv_spec in H1.
    simpl in Hper_data_rel.
    rewrite H0 in Hper_data_rel.
    subdestruct.
    -
      eapply big_ptResv_related_first_fail; eauto.

    -
      eapply big_ptResv_related_first_success; eauto.
   Qed.

End E2PBTHREADGENLEMMAPTRESVFILE.