From VLSM.Lib Require Import Itauto.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
[Loading ML file coq-itauto.plugin ... done]
From Coq Require Import Streams Rdefinitions.
From stdpp Require Import prelude finite.
From VLSM.Lib Require Import Preamble ListExtras StdppListSet StdppExtras.
From VLSM.Lib Require Import ListSetExtras Measurable.
From VLSM.Core Require Import VLSM VLSMProjections Composition ProjectionTraces Validator.
From VLSM.Core Require Export PreloadedVLSM ConstrainedVLSM ReachableThreshold.

Core: VLSM Equivocation Definitions

This module is dedicated to building the vocabulary for discussing equivocation. Equivocation occurs on the receipt of a message which has not been previously sent. The designated sender (validator) of the message is then said to be equivocating. Our main purpose is to keep track of equivocating senders in a composite context and limit equivocation by means of a composition constraint.

Basic equivocation

Assuming a set of states, and a set of validators, which is Measurable and has a ReachableThreshold, we can define BasicEquivocation starting from an is_equivocating relation deciding whether a validator is equivocating in a state.

To avoid a Finite constraint on the entire set of validators, we will assume that there is a finite set of validators for each state, which can be retrieved through the state_validators function. This can be taken to be entire set of validators when that is finite, or the set of senders for all messages in the state for state_encapsulating_messages.

This allows us to determine the equivocating_validators for a given state as those equivocating in that state.

The equivocation_fault is determined the as the sum of weights of the equivocating_validators.

We call a state not_heavy if its corresponding equivocation_fault is lower than the threshold set for the validators type.

Class BasicEquivocation
  (state validator Cv : Type)
  (threshold : R)
  {measurable_V : Measurable validator}
  `{ReachableThreshold validator Cv threshold}
  : Type :=
{
  is_equivocating (s : state) (v : validator) : Prop;
  is_equivocating_dec : RelDecision is_equivocating;
  (** retrieves a set containing all possible validators for a state *)
  state_validators (s : state) : Cv;
  (** all validators which are equivocating in a given composite state *)
  equivocating_validators (s : state) : Cv :=
    filter (fun v => is_equivocating s v) (state_validators s);
  (** equivocation fault sum: the sum of the weights of equivocating validators *)
  equivocation_fault (s : state) : R :=
    sum_weights (equivocating_validators s);
  not_heavy (s : state) : Prop := (equivocation_fault s <= threshold)%R
}.

Lemma eq_equivocating_validators_equivocation_fault
   `{BasicEquivocation st validator Cv}
   : forall s1 s2,
    equivocating_validators s1 ≡@{Cv} equivocating_validators s2 ->
    equivocation_fault s1 = equivocation_fault s2.st, validator, Cv: Type
threshold: R
measurable_V, Hm: Measurable validator
H: ElemOf validator Cv
H0: Empty Cv
H1: Singleton validator Cv
H2: Union Cv
H3: Intersection Cv
H4: Difference Cv
H5: Elements validator Cv
EqDecision0: EqDecision validator
H6: FinSet validator Cv
H7: ReachableThreshold validator Cv threshold
H8: BasicEquivocation st validator Cv threshold
∀ s1 s2 : st,
  equivocating_validators s1
  ≡ equivocating_validators s2
  → equivocation_fault s1 = equivocation_fault s2
Proof.st, validator, Cv: Type
threshold: R
measurable_V, Hm: Measurable validator
H: ElemOf validator Cv
H0: Empty Cv
H1: Singleton validator Cv
H2: Union Cv
H3: Intersection Cv
H4: Difference Cv
H5: Elements validator Cv
EqDecision0: EqDecision validator
H6: FinSet validator Cv
H7: ReachableThreshold validator Cv threshold
H8: BasicEquivocation st validator Cv threshold
∀ s1 s2 : st,
  equivocating_validators s1
  ≡ equivocating_validators s2
  → equivocation_fault s1 = equivocation_fault s2
  by intros; apply sum_weights_proper.
Qed.

Lemma incl_equivocating_validators_equivocation_fault
  `{Heqv : BasicEquivocation st validator }
  `{EqDecision validator}
  : forall s1 s2,
    equivocating_validators s1 ⊆ equivocating_validators s2 ->
    (equivocation_fault s1 <= equivocation_fault s2)%R.st, validator, Cv: Type
threshold: R
measurable_V, Hm: Measurable validator
H: ElemOf validator Cv
H0: Empty Cv
H1: Singleton validator Cv
H2: Union Cv
H3: Intersection Cv
H4: Difference Cv
H5: Elements validator Cv
EqDecision0: EqDecision validator
H6: FinSet validator Cv
H7: ReachableThreshold validator Cv threshold
Heqv: BasicEquivocation st validator Cv threshold
EqDecision1: EqDecision validator
∀ s1 s2 : st,
  equivocating_validators s1
  ⊆ equivocating_validators s2
  → (equivocation_fault s1 <= equivocation_fault s2)%R
Proof.st, validator, Cv: Type
threshold: R
measurable_V, Hm: Measurable validator
H: ElemOf validator Cv
H0: Empty Cv
H1: Singleton validator Cv
H2: Union Cv
H3: Intersection Cv
H4: Difference Cv
H5: Elements validator Cv
EqDecision0: EqDecision validator
H6: FinSet validator Cv
H7: ReachableThreshold validator Cv threshold
Heqv: BasicEquivocation st validator Cv threshold
EqDecision1: EqDecision validator
∀ s1 s2 : st,
  equivocating_validators s1
  ⊆ equivocating_validators s2
  → (equivocation_fault s1 <= equivocation_fault s2)%R
  intros s1 s2 H_incl.st, validator, Cv: Type
threshold: R
measurable_V, Hm: Measurable validator
H: ElemOf validator Cv
H0: Empty Cv
H1: Singleton validator Cv
H2: Union Cv
H3: Intersection Cv
H4: Difference Cv
H5: Elements validator Cv
EqDecision0: EqDecision validator
H6: FinSet validator Cv
H7: ReachableThreshold validator Cv threshold
Heqv: BasicEquivocation st validator Cv threshold
EqDecision1: EqDecision validator
s1, s2: st
H_incl: equivocating_validators s1
⊆ equivocating_validators s2
(equivocation_fault s1 <= equivocation_fault s2)%R
  by apply sum_weights_subseteq.
Qed.

State-message oracles and endowing states with history

Our first step is to define some useful concepts in the context of a single VLSM.

Apart from basic definitions of equivocation, we introduce the concept of a state_message_oracle. Such an oracle can, given a state and a message, decide whether the message has been sent (or received) in the history leading to the current state. Formally, we say that a message <m> has_been_sent if we're in state <s> iff every valid trace which produces <s> contains <m> as a sent message somewhere along the way.

The existence of such oracles, which practically imply endowing states with history, is necessary if we are to detect equivocation using a composition constraint, as these constraints act upon states, not traces.

Section sec_simple.

Context
  {message : Type}
  (vlsm : VLSM message)
  (pre_vlsm := preloaded_with_all_messages_vlsm vlsm)
  .

The following property detects equivocation in a given trace for a given message.

Definition equivocation_in_trace
  (msg : message)
  (tr : list (transition_item vlsm))
  : Prop
  :=
  exists
    (prefix : list transition_item)
    (item : transition_item)
    (suffix : list transition_item),
    tr = prefix ++ item :: suffix
    /\ input item = Some msg
    /\ ~ trace_has_message (field_selector output) msg prefix.

#[export] Instance equivocation_in_trace_dec
  `{EqDecision message}
  : RelDecision equivocation_in_trace.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
RelDecision equivocation_in_trace
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
RelDecision equivocation_in_trace
  intros msg tr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
Decision (equivocation_in_trace msg tr)
  apply @Decision_iff with
    (List.Exists (fun d => match d with (prefix, item, _) =>
      input item = Some msg /\ ~ trace_has_message (field_selector output) msg prefix
    end) (one_element_decompositions tr)).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
Exists
  (λ d : list transition_item * transition_item *
         list transition_item,
     let (y, _) := d in
     let (prefix, item) := y in
     input item = Some msg
     ∧ ¬ trace_has_message (field_selector output) msg
           prefix) (one_element_decompositions tr)
↔ equivocation_in_trace msg tr
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
Decision
  (Exists
     (λ d : list transition_item * transition_item *
            list transition_item,
        let (y, _) := d in
        let (prefix, item) := y in
        input item = Some msg
        ∧ ¬ trace_has_message 
              (field_selector output) msg prefix)
     (one_element_decompositions tr))
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
Exists
  (λ d : list transition_item * transition_item *
         list transition_item,
     let (y, _) := d in
     let (prefix, item) := y in
     input item = Some msg
     ∧ ¬ trace_has_message (field_selector output) msg
           prefix) (one_element_decompositions tr)
↔ equivocation_in_trace msg tr rewrite Exists_exists.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
(∃ x : list transition_item * transition_item *
       list transition_item,
   x ∈ one_element_decompositions tr
   ∧ (let (y, _) := x in
      let (prefix, item) := y in
      input item = Some msg
      ∧ ¬ trace_has_message (field_selector output)
            msg prefix))
↔ equivocation_in_trace msg tr  split.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
(∃ x : list transition_item * transition_item *
       list transition_item,
   x ∈ one_element_decompositions tr
   ∧ (let (y, _) := x in
      let (prefix, item) := y in
      input item = Some msg
      ∧ ¬ trace_has_message (field_selector output)
            msg prefix))
→ equivocation_in_trace msg tr
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
equivocation_in_trace msg tr
→ ∃ x : list transition_item * transition_item *
        list transition_item,
    x ∈ one_element_decompositions tr
    ∧ (let (y, _) := x in
       let (prefix, item) := y in
       input item = Some msg
       ∧ ¬ trace_has_message 
             (field_selector output) msg prefix)
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
(∃ x : list transition_item * transition_item *
       list transition_item,
   x ∈ one_element_decompositions tr
   ∧ (let (y, _) := x in
      let (prefix, item) := y in
      input item = Some msg
      ∧ ¬ trace_has_message (field_selector output)
            msg prefix))
→ equivocation_in_trace msg tr intros [((prefix, item), suffix) [Hitem Heqv]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Hitem: (prefix, item, suffix)
∈ one_element_decompositions tr
Heqv: input item = Some msg
∧ ¬ trace_has_message (field_selector output)
      msg prefix
equivocation_in_trace msg tr
      exists prefix, item, suffix.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Hitem: (prefix, item, suffix)
∈ one_element_decompositions tr
Heqv: input item = Some msg
∧ ¬ trace_has_message (field_selector output)
      msg prefix
tr = prefix ++ item :: suffix
∧ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg
        prefix
      by apply elem_of_one_element_decompositions in Hitem.
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
equivocation_in_trace msg tr
→ ∃ x : list transition_item * transition_item *
        list transition_item,
    x ∈ one_element_decompositions tr
    ∧ (let (y, _) := x in
       let (prefix, item) := y in
       input item = Some msg
       ∧ ¬ trace_has_message (field_selector output)
             msg prefix) intros [prefix [item [suffix [Hitem Heqv]]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Hitem: tr = prefix ++ item :: suffix
Heqv: input item = Some msg
∧ ¬ trace_has_message (field_selector output)
      msg prefix
∃ x : list transition_item * transition_item *
      list transition_item,
  x ∈ one_element_decompositions tr
  ∧ (let (y, _) := x in
     let (prefix, item) := y in
     input item = Some msg
     ∧ ¬ trace_has_message (field_selector output) msg
           prefix)
      exists ((prefix, item), suffix).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Hitem: tr = prefix ++ item :: suffix
Heqv: input item = Some msg
∧ ¬ trace_has_message (field_selector output)
      msg prefix
(prefix, item, suffix) ∈ one_element_decompositions tr
∧ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg
        prefix
      by rewrite elem_of_one_element_decompositions.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
Decision
  (Exists
     (λ d : list transition_item * transition_item *
            list transition_item,
        let (y, _) := d in
        let (prefix, item) := y in
        input item = Some msg
        ∧ ¬ trace_has_message (field_selector output)
              msg prefix)
     (one_element_decompositions tr)) apply Exists_dec.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr: list transition_item
∀ x : list transition_item * transition_item *
      list transition_item,
  Decision
    (let (y, _) := x in
     let (prefix, item) := y in
     input item = Some msg
     ∧ ¬ trace_has_message (field_selector output) msg
           prefix) intros ((prefix, item), suffix).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Decision
  (input item = Some msg
   ∧ ¬ trace_has_message (field_selector output) msg
         prefix)
    apply and_dec.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Decision (input item = Some msg)
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Decision
  (¬ trace_has_message 
       (field_selector output) msg prefix)
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Decision (input item = Some msg) by apply option_eq_dec.
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Decision
  (¬ trace_has_message (field_selector output) msg
       prefix) apply not_dec.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
Decision
  (trace_has_message (field_selector output) msg
     prefix) apply Exists_dec.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
∀ x : transition_item,
  Decision (field_selector output msg x) intros pitem.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
EqDecision0: EqDecision message
msg: message
tr, prefix: list transition_item
item: transition_item
suffix: list transition_item
pitem: transition_item
Decision (field_selector output msg pitem)
      by apply option_eq_dec.
Qed.

Lemma no_equivocation_in_empty_trace m
  : ~ equivocation_in_trace m [].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
m: message
¬ equivocation_in_trace m []
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
m: message
¬ equivocation_in_trace m []
  intros [prefix [suffix [item [Hitem _]]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
m: message
prefix: list transition_item
suffix: transition_item
item: list transition_item
Hitem: [] = prefix ++ suffix :: item
False
  by destruct prefix; inversion Hitem.
Qed.

Lemma equivocation_in_trace_prefix
  (msg : message)
  (prefix : list (transition_item vlsm))
  (suffix : list (transition_item vlsm))
  : equivocation_in_trace msg prefix -> equivocation_in_trace msg (prefix ++ suffix).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
prefix, suffix: list transition_item
equivocation_in_trace msg prefix
→ equivocation_in_trace msg (prefix ++ suffix)
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
prefix, suffix: list transition_item
equivocation_in_trace msg prefix
→ equivocation_in_trace msg (prefix ++ suffix)
  intros (pre & item & suf & -> & Hinput & Hnoutput).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
suffix, pre: list transition_item
item: transition_item
suf: list transition_item
Hinput: input item = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg pre
equivocation_in_trace msg
  ((pre ++ item :: suf) ++ suffix)
  exists pre, item, (suf ++ suffix).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
suffix, pre: list transition_item
item: transition_item
suf: list transition_item
Hinput: input item = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg pre
(pre ++ item :: suf) ++ suffix =
pre ++ item :: suf ++ suffix
∧ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg
        pre
  by rewrite app_comm_cons, <- !app_assoc.
Qed.

Lemma equivocation_in_trace_last_char
  (msg : message)
  (tr : list (transition_item vlsm))
  (item : transition_item vlsm)
  : equivocation_in_trace msg (tr ++ [item]) <->
    equivocation_in_trace msg tr \/
    input item = Some msg /\ ~ trace_has_message (field_selector output) msg tr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
equivocation_in_trace msg (tr ++ [item])
↔ equivocation_in_trace msg tr
  ∨ input item = Some msg
    ∧ ¬ trace_has_message (field_selector output) msg
          tr
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
equivocation_in_trace msg (tr ++ [item])
↔ equivocation_in_trace msg tr
  ∨ input item = Some msg
    ∧ ¬ trace_has_message (field_selector output) msg
          tr
  split.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
equivocation_in_trace msg (tr ++ [item])
→ equivocation_in_trace msg tr
  ∨ input item = Some msg
    ∧ ¬ trace_has_message (field_selector output) msg
          tr
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr
→ equivocation_in_trace msg (tr ++ [item])
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
equivocation_in_trace msg (tr ++ [item])
→ equivocation_in_trace msg tr
  ∨ input item = Some msg
    ∧ ¬ trace_has_message (field_selector output) msg
          tr intros [prefix [item' [suffix [Heq_tr_item' [Hinput Hnoutput]]]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
prefix: list transition_item
item': transition_item
suffix: list transition_item
Heq_tr_item': tr ++ [item] =
prefix ++ item' :: suffix
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr
    destruct_list_last suffix suffix' _item Heq_suffix.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
prefix: list transition_item
item': transition_item
suffix: list transition_item
Heq_tr_item': tr ++ [item] = prefix ++ [item']
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
Heq_suffix: suffix = []
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
prefix: list transition_item
item': transition_item
suffix, suffix': list transition_item
_item: transition_item
Heq_tr_item': tr ++ [item] =
prefix ++ item' :: suffix' ++ [_item]
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
Heq_suffix: suffix = suffix' ++ [_item]
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
prefix: list transition_item
item': transition_item
suffix: list transition_item
Heq_tr_item': tr ++ [item] = prefix ++ [item']
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
Heq_suffix: suffix = []
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr by apply app_inj_tail in Heq_tr_item' as [-> ->]; right.
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
prefix: list transition_item
item': transition_item
suffix, suffix': list transition_item
_item: transition_item
Heq_tr_item': tr ++ [item] =
prefix ++ item' :: suffix' ++ [_item]
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
Heq_suffix: suffix = suffix' ++ [_item]
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr rewrite app_comm_cons, !app_assoc in Heq_tr_item'.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
prefix: list transition_item
item': transition_item
suffix, suffix': list transition_item
_item: transition_item
Heq_tr_item': tr ++ [item] =
(prefix ++ item' :: suffix') ++ [_item]
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
Heq_suffix: suffix = suffix' ++ [_item]
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr
      apply app_inj_tail in Heq_tr_item' as [-> ->].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
prefix: list transition_item
item': transition_item
suffix, suffix': list transition_item
_item: transition_item
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
Heq_suffix: suffix = suffix' ++ [_item]
equivocation_in_trace msg (prefix ++ item' :: suffix')
∨ input _item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg
        (prefix ++ item' :: suffix')
      by left; exists prefix, item', suffix'.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
equivocation_in_trace msg tr
∨ input item = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg tr
→ equivocation_in_trace msg (tr ++ [item]) intros
      [[prefix [item' [suffix [-> [Hinput Hnoutput]]]]]
      | [Hinput Hnoutput]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
item: transition_item
prefix: list transition_item
item': transition_item
suffix: list transition_item
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
equivocation_in_trace msg
  ((prefix ++ item' :: suffix) ++ [item])
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
Hinput: input item = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg tr
equivocation_in_trace msg (tr ++ [item])
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
item: transition_item
prefix: list transition_item
item': transition_item
suffix: list transition_item
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
equivocation_in_trace msg
  ((prefix ++ item' :: suffix) ++ [item]) exists prefix, item', (suffix ++ [item]).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
item: transition_item
prefix: list transition_item
item': transition_item
suffix: list transition_item
Hinput: input item' = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg prefix
(prefix ++ item' :: suffix) ++ [item] =
prefix ++ item' :: suffix ++ [item]
∧ input item' = Some msg
  ∧ ¬ trace_has_message (field_selector output) msg
        prefix
      by rewrite <- app_assoc.
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
msg: message
tr: list transition_item
item: transition_item
Hinput: input item = Some msg
Hnoutput: ¬ trace_has_message (field_selector output)
    msg tr
equivocation_in_trace msg (tr ++ [item]) by exists tr, item, [].
Qed.

We intend to give define several message oracles: has_been_sent, has_not_been_sent, has_been_received and has_not_been_received. To avoid repetition, we give build some generic definitions first.

General signature of a message oracle

Definition state_message_oracle
  := state vlsm -> message -> Prop.

Definition negate_oracle (o : state_message_oracle) : state_message_oracle :=
  fun s m => ~ o s m.

Definition specialized_selected_message_exists_in_all_traces
  (X : VLSM message)
  (message_selector : message -> transition_item -> Prop)
  (s : state X)
  (m : message)
  : Prop
  :=
  forall
  (start : state X)
  (tr : list transition_item)
  (Htr : finite_valid_trace_init_to X start s tr),
  trace_has_message message_selector m tr.

Definition selected_message_exists_in_all_preloaded_traces
  := specialized_selected_message_exists_in_all_traces pre_vlsm.

Definition specialized_selected_message_exists_in_some_traces
  (X : VLSM message)
  (message_selector : message -> transition_item -> Prop)
  (s : state X)
  (m : message)
  : Prop
  :=
  exists
  (start : state X)
  (tr : list transition_item)
  (Htr : finite_valid_trace_init_to X start s tr),
  trace_has_message message_selector m tr.

Definition selected_message_exists_in_some_preloaded_traces : forall
  (message_selector : message -> transition_item -> Prop)
  (s : state pre_vlsm)
  (m : message),
    Prop
  := specialized_selected_message_exists_in_some_traces pre_vlsm.

Definition specialized_selected_message_exists_in_no_trace
  (X : VLSM message)
  (message_selector : message -> transition_item -> Prop)
  (s : state X)
  (m : message)
  : Prop
  :=
  forall
  (start : state X)
  (tr : list transition_item)
  (Htr : finite_valid_trace_init_to X start s tr),
  ~ trace_has_message message_selector m tr.

Definition selected_message_exists_in_no_preloaded_trace :=
  specialized_selected_message_exists_in_no_trace pre_vlsm.

Lemma selected_message_exists_not_some_iff_no
  (X : VLSM message)
  (message_selector : message -> transition_item -> Prop)
  (s : state X)
  (m : message)
  : ~ specialized_selected_message_exists_in_some_traces X message_selector s m
    <-> specialized_selected_message_exists_in_no_trace X message_selector s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
¬ specialized_selected_message_exists_in_some_traces X
    message_selector s m
↔ specialized_selected_message_exists_in_no_trace X
    message_selector s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
¬ specialized_selected_message_exists_in_some_traces X
    message_selector s m
↔ specialized_selected_message_exists_in_no_trace X
    message_selector s m
  split.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
¬ specialized_selected_message_exists_in_some_traces X
    message_selector s m
→ specialized_selected_message_exists_in_no_trace X
    message_selector s m
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
specialized_selected_message_exists_in_no_trace X
  message_selector s m
→ ¬ specialized_selected_message_exists_in_some_traces
      X message_selector s m
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
¬ specialized_selected_message_exists_in_some_traces X
    message_selector s m
→ specialized_selected_message_exists_in_no_trace X
    message_selector s m by intros Hnot is tr Htr Hsend; apply Hnot; exists is, tr, Htr.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
specialized_selected_message_exists_in_no_trace X
  message_selector s m
→ ¬ specialized_selected_message_exists_in_some_traces
      X message_selector s m by intros Hno (is & tr & Htr & Hsend); eapply Hno.
Qed.

Lemma selected_message_exists_preloaded_not_some_iff_no
  (message_selector : message -> transition_item -> Prop)
  (s : state pre_vlsm)
  (m : message)
  : ~ selected_message_exists_in_some_preloaded_traces message_selector s m
    <-> selected_message_exists_in_no_preloaded_trace message_selector s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
message_selector: message → transition_item → Prop
s: state pre_vlsm
m: message
¬ selected_message_exists_in_some_preloaded_traces
    message_selector s m
↔ selected_message_exists_in_no_preloaded_trace
    message_selector s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
message_selector: message → transition_item → Prop
s: state pre_vlsm
m: message
¬ selected_message_exists_in_some_preloaded_traces
    message_selector s m
↔ selected_message_exists_in_no_preloaded_trace
    message_selector s m
  by apply selected_message_exists_not_some_iff_no.
Qed.

Sufficient condition for specialized_selected_message_exists_in_some_traces.

Lemma specialized_selected_message_exists_in_some_traces_from
  (X : VLSM message)
  (message_selector : message -> transition_item -> Prop)
  (s : state X)
  (m : message)
  (start : state X)
  (tr : list transition_item)
  (Htr : finite_valid_trace_from_to X start s tr)
  (Hsome : trace_has_message message_selector m tr)
  : specialized_selected_message_exists_in_some_traces X message_selector s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
specialized_selected_message_exists_in_some_traces X
  message_selector s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
specialized_selected_message_exists_in_some_traces X
  message_selector s m
  assert (valid_state_prop X start) as Hstart
    by (apply valid_trace_first_pstate in Htr; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
Hstart: valid_state_prop X start
specialized_selected_message_exists_in_some_traces X
  message_selector s m
  apply valid_state_has_trace in Hstart.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
Hstart: ∃ (is : state X) (tr : list transition_item),
  finite_valid_trace_init_to X is start tr
specialized_selected_message_exists_in_some_traces X
  message_selector s m
  destruct Hstart as [is [tr' Htr']].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
is: state X
tr': list transition_item
Htr': finite_valid_trace_init_to X is start tr'
specialized_selected_message_exists_in_some_traces X
  message_selector s m
  assert (finite_valid_trace_init_to X is s (tr'++tr)).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
is: state X
tr': list transition_item
Htr': finite_valid_trace_init_to X is start tr'
finite_valid_trace_init_to X is s (tr' ++ tr)
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
is: state X
tr': list transition_item
Htr': finite_valid_trace_init_to X is start tr'
H: finite_valid_trace_init_to X is s (tr' ++ tr)
specialized_selected_message_exists_in_some_traces X
  message_selector s m
  {message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
is: state X
tr': list transition_item
Htr': finite_valid_trace_init_to X is start tr'
finite_valid_trace_init_to X is s (tr' ++ tr)
    destruct Htr'.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
is: state X
tr': list transition_item
H: finite_valid_trace_from_to X is start tr'
H0: initial_state_prop is
finite_valid_trace_init_to X is s (tr' ++ tr)
    by split; [apply finite_valid_trace_from_to_app with start |].
  }message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
is: state X
tr': list transition_item
Htr': finite_valid_trace_init_to X is start tr'
H: finite_valid_trace_init_to X is s (tr' ++ tr)
specialized_selected_message_exists_in_some_traces X
  message_selector s m
  exists _, _, H.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
X: VLSM message
message_selector: message → transition_item → Prop
s: state X
m: message
start: state X
tr: list transition_item
Htr: finite_valid_trace_from_to X start s tr
Hsome: trace_has_message message_selector m tr
is: state X
tr': list transition_item
Htr': finite_valid_trace_init_to X is start tr'
H: finite_valid_trace_init_to X is s (tr' ++ tr)
trace_has_message message_selector m (tr' ++ tr)
  by apply Exists_app; right.
Qed.

Definition selected_messages_consistency_prop
  (message_selector : message -> transition_item -> Prop)
  (s : state vlsm)
  (m : message)
  : Prop
  :=
  selected_message_exists_in_some_preloaded_traces message_selector s m
  <-> selected_message_exists_in_all_preloaded_traces message_selector s m.

Lemma selected_message_exists_in_all_traces_initial_state
  (s : state vlsm)
  (Hs : initial_state_prop vlsm s)
  (message_selector : message -> transition_item -> Prop)
  (m : message)
  : ~ selected_message_exists_in_all_preloaded_traces message_selector s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state vlsm
Hs: initial_state_prop s
message_selector: message → transition_item → Prop
m: message
¬ selected_message_exists_in_all_preloaded_traces
    message_selector s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state vlsm
Hs: initial_state_prop s
message_selector: message → transition_item → Prop
m: message
¬ selected_message_exists_in_all_preloaded_traces
    message_selector s m
  intro Hselected.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state vlsm
Hs: initial_state_prop s
message_selector: message → transition_item → Prop
m: message
Hselected: selected_message_exists_in_all_preloaded_traces
  message_selector s m
False
  assert (Hps : constrained_state_prop vlsm s) by (apply initial_state_is_valid; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state vlsm
Hs: initial_state_prop s
message_selector: message → transition_item → Prop
m: message
Hselected: selected_message_exists_in_all_preloaded_traces
  message_selector s m
Hps: constrained_state_prop vlsm s
False
  assert (Htr : finite_constrained_trace_init_to vlsm s s []) by (split; [constructor |]; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state vlsm
Hs: initial_state_prop s
message_selector: message → transition_item → Prop
m: message
Hselected: selected_message_exists_in_all_preloaded_traces
  message_selector s m
Hps: constrained_state_prop vlsm s
Htr: finite_constrained_trace_init_to vlsm s s []
False
  specialize (Hselected s [] Htr).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state vlsm
Hs: initial_state_prop s
message_selector: message → transition_item → Prop
m: message
Hselected: trace_has_message message_selector m []
Hps: constrained_state_prop vlsm s
Htr: finite_constrained_trace_init_to vlsm s s []
False
  unfold trace_has_message in Hselected.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state vlsm
Hs: initial_state_prop s
message_selector: message → transition_item → Prop
m: message
Hselected: Exists (message_selector m) []
Hps: constrained_state_prop vlsm s
Htr: finite_constrained_trace_init_to vlsm s s []
False
  by rewrite Exists_nil in Hselected.
Qed.

The oracle should check if all valid traces leading to the state contain the given message. The message_selector argument checks whether a single transition contains the message, and can be used to check for received messages or sent messages.

Notably, the traces we are considering are any traces valid in the preloaded version of the target VLSM. This is because we want VLSMs to have oracles which are valid irrespective of the composition they take part in. As we know, the behaviors of the projection of a VLSM from a composition are all included in the behaviors of the preloaded version of the VLSM.

It is impossible to define a correct oracle for a message_selector if there is some valid state that has multiple histories, and some message that is in some of those histories but not in others (according to the selector).

Definition all_traces_have_message_prop
  (message_selector : message -> transition_item -> Prop)
  (oracle : state_message_oracle)
  (s : state vlsm)
  (m : message)
  : Prop
  :=
  oracle s m <-> selected_message_exists_in_all_preloaded_traces message_selector s m.

Definition no_traces_have_message_prop
  (message_selector : message -> transition_item -> Prop)
  (oracle : state_message_oracle)
  (s : state vlsm)
  (m : message)
  : Prop
  :=
  oracle s m <-> selected_message_exists_in_no_preloaded_trace message_selector s m.

Record oracle_tracewise_props
  (message_selector : message -> transition_item -> Prop)
  (oracle : state_message_oracle) : Prop :=
{
  proper_oracle_holds :
    forall (s : state pre_vlsm) (Hs : constrained_state_prop vlsm s) (m : message),
      all_traces_have_message_prop message_selector oracle s m;
  proper_not_oracle_holds :
    forall (s : state pre_vlsm) (Hs : constrained_state_prop vlsm s) (m : message),
      no_traces_have_message_prop message_selector (negate_oracle oracle) s m;
}.

Stepwise consistency properties for state_message_oracle

The above definitions like all_traces_have_message_prop connect a state_message_oracle to a message selector predicate on transition_item by requiring the oracle to hold (or not hold) for a state and message iff all traces (resp. no trace) reaching the state have a transition satisfying the message selector with the given message.

We will prove that this is equivalent to two more local properties:

oracle_no_inits is that the oracle cannot hold for any message in any initial state.
oracle_step_update is that the oracle is coherent around a single input_valid_transition:
- If the oracle holds for a message in the starting state, it must also hold for that message in the destination state.
- If the message_selector finds a message in the transition, the oracle must hold for that message in the destination state.
- If the oracle holds for a message in the destination, at least one of the above cases hold.

These conditions are defined in the record oracle_stepwise_props. We prove these conditions hold iff oracle_tracewise_props holds.

Record oracle_stepwise_props
  (message_selector : message -> transition_item -> Prop)
  (oracle : state_message_oracle)
  : Prop :=
{
  oracle_no_inits :
    forall (s : state vlsm),
      initial_state_prop vlsm s ->
      forall (m : message), ~ oracle s m;
  oracle_step_update :
    forall (l : label _) (s : state _) (im : option message) (s' : state _) (om : option message),
      input_constrained_transition vlsm l (s, im) (s', om) ->
      forall (msg : message),
      oracle s' msg
        <->
      message_selector msg
        {| l := l; input := im; destination := s'; output := om |} \/ oracle s msg;
}.

Lemma oracle_partial_trace_update
  [selector : message -> transition_item -> Prop]
  [oracle : state_message_oracle]
  (Horacle : oracle_stepwise_props selector oracle)
  s0 s tr
  (Htr : finite_constrained_trace_from_to vlsm s0 s tr) :
    forall (m : message),
      oracle s m <-> (trace_has_message selector m tr \/ oracle s0 m).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s0, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_from_to vlsm s0 s tr
∀ m : message,
  oracle s m
  ↔ trace_has_message selector m tr ∨ oracle s0 m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s0, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_from_to vlsm s0 s tr
∀ m : message,
  oracle s m
  ↔ trace_has_message selector m tr ∨ oracle s0 m
  induction Htr; intros m; unfold trace_has_message.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
m: message
oracle s m ↔ Exists (selector m) [] ∨ oracle s m
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s, f: state (preloaded_with_all_messages_vlsm vlsm)
tl: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) s f tl
s': state (preloaded_with_all_messages_vlsm vlsm)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s', iom) (s, oom)
IHHtr: ∀ m : message,
  oracle f m
  ↔ trace_has_message selector m tl
    ∨ oracle s m
m: message
oracle f m
↔ Exists (selector m)
    ({|
       l := l;
       input := iom;
       destination := s;
       output := oom
     |} :: tl) ∨ oracle s' m
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
m: message
oracle s m ↔ Exists (selector m) [] ∨ oracle s m rewrite Exists_nil.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
m: message
oracle s m ↔ False ∨ oracle s m
    by itauto.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s, f: state (preloaded_with_all_messages_vlsm vlsm)
tl: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) s f tl
s': state (preloaded_with_all_messages_vlsm vlsm)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s', iom) (s, oom)
IHHtr: ∀ m : message,
  oracle f m
  ↔ trace_has_message selector m tl
    ∨ oracle s m
m: message
oracle f m
↔ Exists (selector m)
    ({|
       l := l;
       input := iom;
       destination := s;
       output := oom
     |} :: tl) ∨ oracle s' m rewrite Exists_cons, IHHtr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s, f: state (preloaded_with_all_messages_vlsm vlsm)
tl: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) s f tl
s': state (preloaded_with_all_messages_vlsm vlsm)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s', iom) (s, oom)
IHHtr: ∀ m : message,
  oracle f m
  ↔ trace_has_message selector m tl
    ∨ oracle s m
m: message
trace_has_message selector m tl ∨ oracle s m
↔ (selector m
     {|
       l := l;
       input := iom;
       destination := s;
       output := oom
     |} ∨ Exists (selector m) tl) ∨ oracle s' m
    apply (Horacle.(oracle_step_update _ _)) with (msg := m) in Ht.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s, f: state (preloaded_with_all_messages_vlsm vlsm)
tl: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) s f tl
s': state (preloaded_with_all_messages_vlsm vlsm)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm vlsm)
m: message
Ht: oracle s m
↔ selector m
    {|
      l := l;
      input := iom;
      destination := s;
      output := oom
    |} ∨ oracle s' m
IHHtr: ∀ m : message,
  oracle f m
  ↔ trace_has_message selector m tl
    ∨ oracle s m
trace_has_message selector m tl ∨ oracle s m
↔ (selector m
     {|
       l := l;
       input := iom;
       destination := s;
       output := oom
     |} ∨ Exists (selector m) tl) ∨ oracle s' m
    by itauto.
Qed.

(*
  It would seem more flexible to take [m] after the other parameters,
  but [Htr] is placed last so that <<apply in>> an existing
  [finite_valid_trace_init_to] hypothesis works.
*)
Lemma oracle_initial_trace_update
  [selector]
  [oracle : state_message_oracle]
  (Horacle : oracle_stepwise_props selector oracle)
  s m
  [s0 tr]
  (Htr : finite_constrained_trace_init_to vlsm s0 s tr) :
    oracle s m <-> trace_has_message selector m tr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
m: message
s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm s0 s tr
oracle s m ↔ trace_has_message selector m tr
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
m: message
s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm s0 s tr
oracle s m ↔ trace_has_message selector m tr
  rewrite (oracle_partial_trace_update Horacle) by apply Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
m: message
s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm s0 s tr
trace_has_message selector m tr ∨ oracle s0 m
↔ trace_has_message selector m tr
  assert (~ oracle s0 m) by (eapply oracle_no_inits, Htr; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
m: message
s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm s0 s tr
H: ¬ oracle s0 m
trace_has_message selector m tr ∨ oracle s0 m
↔ trace_has_message selector m tr
  by itauto.
Qed.

(* TODO(wkolowski): make notation uniform accross the file. *)
Lemma oracle_stepwise_props_change_selector
  [selector : message -> transition_item -> Prop]
  [oracle : state_message_oracle]
  (Horacle : oracle_stepwise_props selector oracle)
  (selector' : message -> transition_item -> Prop)
  (Heqv :
    forall s item,
      input_constrained_transition_item vlsm s item ->
      forall m, selector m item <-> selector' m item)
  : oracle_stepwise_props selector' oracle.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
selector': message → transition_item → Prop
Heqv: ∀ (s : state
         (preloaded_with_all_messages_vlsm vlsm)) 
  (item : transition_item),
  input_constrained_transition_item vlsm s item
  → ∀ m : message,
      selector m item ↔ selector' m item
oracle_stepwise_props selector' oracle
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
selector': message → transition_item → Prop
Heqv: ∀ (s : state
         (preloaded_with_all_messages_vlsm vlsm)) 
  (item : transition_item),
  input_constrained_transition_item vlsm s item
  → ∀ m : message,
      selector m item ↔ selector' m item
oracle_stepwise_props selector' oracle
  destruct Horacle as [Hinits Hupdate].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Hinits: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message, ¬ oracle s m
Hupdate: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            vlsm)) (s : 
                    state
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (om : option message),
  input_constrained_transition vlsm l
    (s, im) (s', om)
  → ∀ msg : message,
      oracle s' msg
      ↔ selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ oracle s msg
selector': message → transition_item → Prop
Heqv: ∀ (s : state
         (preloaded_with_all_messages_vlsm vlsm)) 
  (item : transition_item),
  input_constrained_transition_item vlsm s item
  → ∀ m : message,
      selector m item ↔ selector' m item
oracle_stepwise_props selector' oracle
  constructor; [done |].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Hinits: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message, ¬ oracle s m
Hupdate: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            vlsm)) (s : 
                    state
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (om : option message),
  input_constrained_transition vlsm l
    (s, im) (s', om)
  → ∀ msg : message,
      oracle s' msg
      ↔ selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ oracle s msg
selector': message → transition_item → Prop
Heqv: ∀ (s : state
         (preloaded_with_all_messages_vlsm vlsm)) 
  (item : transition_item),
  input_constrained_transition_item vlsm s item
  → ∀ m : message,
      selector m item ↔ selector' m item
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      oracle s' msg
      ↔ selector' msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ oracle s msg
  by intros; rewrite Hupdate, Heqv.
Qed.

Lemma oracle_trace_props_from_stepwise
  [selector : message -> transition_item -> Prop]
  [oracle : state_message_oracle]
  (Horacle : oracle_stepwise_props selector oracle) :
  oracle_tracewise_props selector oracle.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
oracle_tracewise_props selector oracle
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
oracle_tracewise_props selector oracle
  constructor; intros s Hs m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
all_traces_have_message_prop selector oracle s m
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
no_traces_have_message_prop selector
  (negate_oracle oracle) s m
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
all_traces_have_message_prop selector oracle s m red; unfold selected_message_exists_in_all_preloaded_traces,
      specialized_selected_message_exists_in_all_traces.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
oracle s m
↔ (∀ (start : state pre_vlsm) (tr : list
                                      transition_item),
     finite_valid_trace_init_to pre_vlsm start s tr
     → trace_has_message selector m tr)
    split.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
oracle s m
→ ∀ (start : state pre_vlsm) (tr : list
                                     transition_item),
    finite_valid_trace_init_to pre_vlsm start s tr
    → trace_has_message selector m tr
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
(∀ (start : state pre_vlsm) 
   (tr : list transition_item),
   finite_valid_trace_init_to pre_vlsm start s tr
   → trace_has_message selector m tr) → 
oracle s m
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
oracle s m
→ ∀ (start : state pre_vlsm) (tr : list
                                     transition_item),
    finite_valid_trace_init_to pre_vlsm start s tr
    → trace_has_message selector m tr intros Hholds s0 tr Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hholds: oracle s m
s0: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm s0 s tr
trace_has_message selector m tr
      by eapply (oracle_initial_trace_update Horacle).
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
(∀ (start : state pre_vlsm) (tr : list transition_item),
   finite_valid_trace_init_to pre_vlsm start s tr
   → trace_has_message selector m tr) → oracle s m apply valid_state_has_trace in Hs as (start & tr & Htr).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
start: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) start
  s tr
m: message
(∀ (start : state pre_vlsm) (tr : list transition_item),
   finite_valid_trace_init_to pre_vlsm start s tr
   → trace_has_message selector m tr) → oracle s m
      intro H; specialize (H start tr Htr).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
start: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) start
  s tr
m: message
H: trace_has_message selector m tr
oracle s m
      by eapply oracle_initial_trace_update.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
no_traces_have_message_prop selector
  (negate_oracle oracle) s m red; unfold negate_oracle, selected_message_exists_in_no_preloaded_trace,
      specialized_selected_message_exists_in_no_trace.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
¬ oracle s m
↔ (∀ (start : state pre_vlsm) (tr : list
                                      transition_item),
     finite_valid_trace_init_to pre_vlsm start s tr
     → ¬ trace_has_message selector m tr)
    split.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
¬ oracle s m
→ ∀ (start : state pre_vlsm) (tr : list
                                     transition_item),
    finite_valid_trace_init_to pre_vlsm start s tr
    → ¬ trace_has_message selector m tr
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
(∀ (start : state pre_vlsm) 
   (tr : list transition_item),
   finite_valid_trace_init_to pre_vlsm start s tr
   → ¬ trace_has_message selector m tr) → ¬ 
oracle s m
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
¬ oracle s m
→ ∀ (start : state pre_vlsm) (tr : list
                                     transition_item),
    finite_valid_trace_init_to pre_vlsm start s tr
    → ¬ trace_has_message selector m tr intros Hclaim start tr Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hclaim: ¬ oracle s m
start: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm start s tr
¬ trace_has_message selector m tr
      contradict Hclaim.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
start: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm start s tr
Hclaim: trace_has_message selector m tr
oracle s m
      by eapply oracle_initial_trace_update.
    +message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
(∀ (start : state pre_vlsm) (tr : list transition_item),
   finite_valid_trace_init_to pre_vlsm start s tr
   → ¬ trace_has_message selector m tr) → ¬ oracle s m apply valid_state_has_trace in Hs as (start & tr & Htr).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
start: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) start
  s tr
m: message
(∀ (start : state pre_vlsm) (tr : list transition_item),
   finite_valid_trace_init_to pre_vlsm start s tr
   → ¬ trace_has_message selector m tr) → ¬ oracle s m
      intro H; specialize (H start tr Htr); contradict H.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle
Horacle: oracle_stepwise_props selector oracle
s: state pre_vlsm
start: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) start
  s tr
m: message
H: oracle s m
trace_has_message selector m tr
      by eapply (oracle_initial_trace_update Horacle).
Qed.

The most basic state_message_oracles just check whether the message is

*sent* - is the output of the transition
*received* - is the output of the transition
*observed* - is either sent or received in the transition.

Definition has_been_sent_prop : state_message_oracle -> state vlsm -> message -> Prop :=
  all_traces_have_message_prop (field_selector output).

Definition has_not_been_sent_prop : state_message_oracle -> state vlsm -> message -> Prop :=
  no_traces_have_message_prop (field_selector output).

Definition has_been_received_prop : state_message_oracle -> state vlsm -> message -> Prop :=
  all_traces_have_message_prop (field_selector input).

Definition has_not_been_received_prop
  : state_message_oracle -> state vlsm -> message -> Prop :=
  no_traces_have_message_prop (field_selector input).

Per the vocabulary of the official VLSM document, we say that VLSMs endowed with a state_message_oracle for sent messages have the has_been_sent capability. Capabilities for receiving messages are treated analogously, so we omit mentioning them explicitly.

Notably, we also define the has_not_been_sent oracle, which decides if a message has definitely not been sent, on any of the traces producing a current state.

Furthermore, we require a sent_excluded_middle property, which stipulates that any argument to the oracle should return true in exactly one of has_been_sent and has_not_been_sent.

Definition has_been_sent_stepwise_prop
    (has_been_sent_pred : state_message_oracle) : Prop :=
  oracle_stepwise_props (field_selector output) has_been_sent_pred.

Class HasBeenSentCapability : Type :=
{
  has_been_sent : state_message_oracle;
  has_been_sent_dec :> RelDecision has_been_sent;
  has_been_sent_stepwise_props : has_been_sent_stepwise_prop has_been_sent;
}.A coercion will be introduced instead of an instance
in future versions when using ':>' in 'Class'
declarations. Replace ':>' with '::' (or use
'#[global] Existing Instance field.' for compatibility
with Coq < 8.18). Beware that the default locality for
'::' is #[export], as opposed to #[global] for ':>'
currently. Add an explicit #[global] attribute to the
field if you need to keep the current behavior. For
example: "Class foo := { #[global] field :: bar }."
[future-coercion-class-field,deprecated-since-8.17,deprecated,default]

Definition has_not_been_sent `{HasBeenSentCapability} : state_message_oracle :=
  negate_oracle has_been_sent.

Lemma has_been_sent_no_inits `{HasBeenSentCapability} :
  forall s : state vlsm,
    initial_state_prop vlsm s -> forall m : message, ~ has_been_sent s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message, ¬ has_been_sent s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message, ¬ has_been_sent s m
  exact (oracle_no_inits _ _ (has_been_sent_stepwise_props)).
Qed.

Lemma has_been_sent_step_update `{HasBeenSentCapability} :
  forall (l : label _) (s : state _) (im : option message) (s' : state _) (om : option message),
    input_constrained_transition vlsm l (s, im) (s', om) ->
  forall msg : message,
    has_been_sent s' msg <-> (om = Some msg \/ has_been_sent s msg).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent s' msg
      ↔ om = Some msg ∨ has_been_sent s msg
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent s' msg
      ↔ om = Some msg ∨ has_been_sent s msg
  exact (oracle_step_update _ _ has_been_sent_stepwise_props).
Qed.

Definition has_been_sent_tracewise_prop
    (has_been_sent_pred : state_message_oracle) : Prop :=
  oracle_tracewise_props (field_selector output) has_been_sent_pred.

Lemma has_been_sent_tracewise_props `{HasBeenSentCapability} :
  has_been_sent_tracewise_prop has_been_sent.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
has_been_sent_tracewise_prop has_been_sent
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
has_been_sent_tracewise_prop has_been_sent
  by exact (oracle_trace_props_from_stepwise has_been_sent_stepwise_props).
Qed.

Lemma proper_sent `{HasBeenSentCapability} :
  forall (s : state pre_vlsm) (Hs : constrained_state_prop vlsm s) (m : message),
    has_been_sent_prop has_been_sent s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_been_sent_prop has_been_sent s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_been_sent_prop has_been_sent s m
  by intros; apply has_been_sent_tracewise_props.
Qed.

Lemma proper_not_sent `{HasBeenSentCapability} :
  forall (s : state pre_vlsm) (Hs : constrained_state_prop vlsm s) (m : message),
    has_not_been_sent_prop has_not_been_sent s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_not_been_sent_prop has_not_been_sent s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_not_been_sent_prop has_not_been_sent s m
  by intros; apply has_been_sent_tracewise_props.
Qed.

Reverse implication for 'selected_messages_consistency_prop' always holds.

Lemma consistency_from_valid_state_proj2
  (s : state pre_vlsm)
  (Hs : constrained_state_prop vlsm s)
  (m : message)
  (selector : message -> transition_item -> Prop)
  (Hall : selected_message_exists_in_all_preloaded_traces selector s m)
  : selected_message_exists_in_some_preloaded_traces selector s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selector: message → transition_item → Prop
Hall: selected_message_exists_in_all_preloaded_traces
  selector s m
selected_message_exists_in_some_preloaded_traces
  selector s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selector: message → transition_item → Prop
Hall: selected_message_exists_in_all_preloaded_traces
  selector s m
selected_message_exists_in_some_preloaded_traces
  selector s m
  apply valid_state_has_trace in Hs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state pre_vlsm
Hs: ∃ (is : state
          (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm vlsm) is s
    tr
m: message
selector: message → transition_item → Prop
Hall: selected_message_exists_in_all_preloaded_traces
  selector s m
selected_message_exists_in_some_preloaded_traces
  selector s m
  destruct Hs as [is [tr Htr]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state pre_vlsm
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
m: message
selector: message → transition_item → Prop
Hall: selected_message_exists_in_all_preloaded_traces
  selector s m
selected_message_exists_in_some_preloaded_traces
  selector s m
  exists _, _, Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
s: state pre_vlsm
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
m: message
selector: message → transition_item → Prop
Hall: selected_message_exists_in_all_preloaded_traces
  selector s m
trace_has_message selector m tr
  by apply (Hall _ _ Htr).
Qed.

Lemma has_been_sent_consistency
  `{HasBeenSentCapability}
  (s : state pre_vlsm)
  (Hs : constrained_state_prop vlsm s)
  (m : message)
  : selected_messages_consistency_prop (field_selector output) s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop
  (field_selector output) s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop
  (field_selector output) s m
  split; [| by apply consistency_from_valid_state_proj2].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
→ selected_message_exists_in_all_preloaded_traces
    (field_selector output) s m
  intro Hsome.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
  destruct (decide (has_been_sent s m)) as [Hsm | Hsm].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
Hsm: has_been_sent s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
Hsm: ¬ has_been_sent s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
Hsm: has_been_sent s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m by apply proper_sent in Hsm.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
Hsm: ¬ has_been_sent s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m apply proper_not_sent in Hsm; [| done].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
Hsm: selected_message_exists_in_no_preloaded_trace
  (field_selector output) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
    destruct Hsome as [is [tr [Htr Hmsg]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
is: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s tr
Hmsg: trace_has_message (field_selector output) m tr
Hsm: selected_message_exists_in_no_preloaded_trace
  (field_selector output) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
    by elim (Hsm _ _ Htr).
Qed.

Lemma can_produce_has_been_sent
  `{HasBeenSentCapability}
  (s : state pre_vlsm)
  (m : message)
  (Hsm : can_produce pre_vlsm s m)
  : has_been_sent s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
Hsm: can_produce pre_vlsm s m
has_been_sent s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
Hsm: can_produce pre_vlsm s m
has_been_sent s m
  assert (constrained_state_prop vlsm s) by (apply can_produce_valid in Hsm; eexists; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
Hsm: can_produce pre_vlsm s m
H0: constrained_state_prop vlsm s
has_been_sent s m
  apply proper_sent; [done |].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
Hsm: can_produce pre_vlsm s m
H0: constrained_state_prop vlsm s
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
  apply has_been_sent_consistency; [done |].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
Hsm: can_produce pre_vlsm s m
H0: constrained_state_prop vlsm s
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  apply non_empty_valid_trace_from_can_produce in Hsm.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
Hsm: ∃ (is : state pre_vlsm) 
  (tr : list transition_item) 
  (item : transition_item),
  finite_valid_trace pre_vlsm is tr
  ∧ last_error tr = Some item
    ∧ destination item = s
      ∧ output item = Some m
H0: constrained_state_prop vlsm s
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  destruct Hsm as [is [tr [lst_tr [Htr [Hlst [Hs Hm]]]]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
is: state pre_vlsm
tr: list transition_item
lst_tr: transition_item
Htr: finite_valid_trace pre_vlsm is tr
Hlst: last_error tr = Some lst_tr
Hs: destination lst_tr = s
Hm: output lst_tr = Some m
H0: constrained_state_prop vlsm s
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  destruct_list_last tr tr' _lst_tr Heqtr; [by inversion Hlst |].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
is: state pre_vlsm
tr: list transition_item
lst_tr: transition_item
tr': list transition_item
_lst_tr: transition_item
Htr: finite_valid_trace pre_vlsm is
  (tr' ++ [_lst_tr])
Hlst: last_error (tr' ++ [_lst_tr]) = Some lst_tr
Hs: destination lst_tr = s
Hm: output lst_tr = Some m
H0: constrained_state_prop vlsm s
Heqtr: tr = tr' ++ [_lst_tr]
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  rewrite last_error_is_last in Hlst.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
is: state pre_vlsm
tr: list transition_item
lst_tr: transition_item
tr': list transition_item
_lst_tr: transition_item
Htr: finite_valid_trace pre_vlsm is
  (tr' ++ [_lst_tr])
Hlst: Some _lst_tr = Some lst_tr
Hs: destination lst_tr = s
Hm: output lst_tr = Some m
H0: constrained_state_prop vlsm s
Heqtr: tr = tr' ++ [_lst_tr]
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  inversion Hlst; subst _lst_tr; clear Hlst.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
is: state pre_vlsm
tr: list transition_item
lst_tr: transition_item
tr': list transition_item
Htr: finite_valid_trace pre_vlsm is (tr' ++ [lst_tr])
Hs: destination lst_tr = s
Hm: output lst_tr = Some m
H0: constrained_state_prop vlsm s
Heqtr: tr = tr' ++ [lst_tr]
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  apply valid_trace_add_default_last in Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
is: state pre_vlsm
tr: list transition_item
lst_tr: transition_item
tr': list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is
  (finite_trace_last is (tr' ++ [lst_tr]))
  (tr' ++ [lst_tr])
Hs: destination lst_tr = s
Hm: output lst_tr = Some m
H0: constrained_state_prop vlsm s
Heqtr: tr = tr' ++ [lst_tr]
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  rewrite finite_trace_last_is_last, Hs in Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
is: state pre_vlsm
tr: list transition_item
lst_tr: transition_item
tr': list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s
  (tr' ++ [lst_tr])
Hs: destination lst_tr = s
Hm: output lst_tr = Some m
H0: constrained_state_prop vlsm s
Heqtr: tr = tr' ++ [lst_tr]
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  eexists _, _, Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state pre_vlsm
m: message
is: state pre_vlsm
tr: list transition_item
lst_tr: transition_item
tr': list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s
  (tr' ++ [lst_tr])
Hs: destination lst_tr = s
Hm: output lst_tr = Some m
H0: constrained_state_prop vlsm s
Heqtr: tr = tr' ++ [lst_tr]
trace_has_message (field_selector output) m
  (tr' ++ [lst_tr])
  by apply Exists_app; right; left.
Qed.

Sufficient condition for proper_sent avoiding the preloaded_with_all_messages_vlsm.

Lemma specialized_proper_sent
  `{HasBeenSentCapability}
  (s : state vlsm)
  (Hs : valid_state_prop vlsm s)
  (m : message)
  (Hsome : specialized_selected_message_exists_in_some_traces vlsm (field_selector output) s m)
  : has_been_sent s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: valid_state_prop vlsm s
m: message
Hsome: specialized_selected_message_exists_in_some_traces
  vlsm (field_selector output) s m
has_been_sent s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: valid_state_prop vlsm s
m: message
Hsome: specialized_selected_message_exists_in_some_traces
  vlsm (field_selector output) s m
has_been_sent s m
  destruct Hs as [_om Hs].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsome: specialized_selected_message_exists_in_some_traces
  vlsm (field_selector output) s m
has_been_sent s m
  assert (Hpres : constrained_state_prop vlsm s)
    by (exists _om; apply preloaded_with_all_messages_valid_state_message_preservation; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsome: specialized_selected_message_exists_in_some_traces
  vlsm (field_selector output) s m
Hpres: constrained_state_prop vlsm s
has_been_sent s m
  apply proper_sent; [done |].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsome: specialized_selected_message_exists_in_some_traces
  vlsm (field_selector output) s m
Hpres: constrained_state_prop vlsm s
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
  specialize (has_been_sent_consistency s Hpres m) as Hcons.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsome: specialized_selected_message_exists_in_some_traces
  vlsm (field_selector output) s m
Hpres: constrained_state_prop vlsm s
Hcons: selected_messages_consistency_prop
  (field_selector output) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
  apply Hcons.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsome: specialized_selected_message_exists_in_some_traces
  vlsm (field_selector output) s m
Hpres: constrained_state_prop vlsm s
Hcons: selected_messages_consistency_prop
  (field_selector output) s m
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  destruct Hsome as [is [tr [Htr Hsome]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
is: state vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to vlsm is s tr
Hsome: trace_has_message (field_selector output) m tr
Hpres: constrained_state_prop vlsm s
Hcons: selected_messages_consistency_prop
  (field_selector output) s m
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
  exists is, tr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
is: state vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to vlsm is s tr
Hsome: trace_has_message (field_selector output) m tr
Hpres: constrained_state_prop vlsm s
Hcons: selected_messages_consistency_prop
  (field_selector output) s m
∃ _ : finite_valid_trace_init_to pre_vlsm is s tr,
  trace_has_message (field_selector output) m tr
  split; [| done].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
is: state vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to vlsm is s tr
Hsome: trace_has_message (field_selector output) m tr
Hpres: constrained_state_prop vlsm s
Hcons: selected_messages_consistency_prop
  (field_selector output) s m
finite_valid_trace_init_to pre_vlsm is s tr
  revert Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
is: state vlsm
tr: list transition_item
Hsome: trace_has_message (field_selector output) m tr
Hpres: constrained_state_prop vlsm s
Hcons: selected_messages_consistency_prop
  (field_selector output) s m
finite_valid_trace_init_to vlsm is s tr
→ finite_valid_trace_init_to pre_vlsm is s tr
  unfold pre_vlsm; clear.message: Type
vlsm: VLSM message
s, is: state vlsm
tr: list transition_item
finite_valid_trace_init_to vlsm is s tr
→ finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm vlsm) is s tr
  destruct vlsm as (T, M).message: Type
vlsm: VLSM message
T: VLSMType message
M: VLSMMachine T
s, is: state {| vlsm_type := T; vlsm_machine := M |}
tr: list transition_item
finite_valid_trace_init_to
  {| vlsm_type := T; vlsm_machine := M |} is s tr
→ finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm
       {| vlsm_type := T; vlsm_machine := M |}) is s
    tr
  by apply VLSM_incl_finite_valid_trace_init_to, vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

proper_sent condition specialized to regular VLSM traces (avoiding preloaded_with_all_messages_vlsm).

Lemma specialized_proper_sent_rev
  `{HasBeenSentCapability}
  (s : state vlsm)
  (Hs : valid_state_prop vlsm s)
  (m : message)
  (Hsm : has_been_sent s m)
  : specialized_selected_message_exists_in_all_traces vlsm (field_selector output) s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: valid_state_prop vlsm s
m: message
Hsm: has_been_sent s m
specialized_selected_message_exists_in_all_traces vlsm
  (field_selector output) s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: valid_state_prop vlsm s
m: message
Hsm: has_been_sent s m
specialized_selected_message_exists_in_all_traces vlsm
  (field_selector output) s m
  destruct Hs as [_om Hs].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsm: has_been_sent s m
specialized_selected_message_exists_in_all_traces vlsm
  (field_selector output) s m
  assert (Hpres : constrained_state_prop vlsm s)
    by (exists _om; apply preloaded_with_all_messages_valid_state_message_preservation; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsm: has_been_sent s m
Hpres: constrained_state_prop vlsm s
specialized_selected_message_exists_in_all_traces vlsm
  (field_selector output) s m
  apply proper_sent in Hsm; [| done].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsm: selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
Hpres: constrained_state_prop vlsm s
specialized_selected_message_exists_in_all_traces vlsm
  (field_selector output) s m
  intros is tr Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
Hsm: selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
Hpres: constrained_state_prop vlsm s
is: state vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to vlsm is s tr
trace_has_message (field_selector output) m tr
  specialize (Hsm is tr).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
is: state vlsm
tr: list transition_item
Hsm: finite_valid_trace_init_to pre_vlsm is s tr
→ trace_has_message (field_selector output) m tr
Hpres: constrained_state_prop vlsm s
Htr: finite_valid_trace_init_to vlsm is s tr
trace_has_message (field_selector output) m tr
  spec Hsm; [| done].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
is: state vlsm
tr: list transition_item
Hsm: finite_valid_trace_init_to pre_vlsm is s tr
→ trace_has_message (field_selector output) m tr
Hpres: constrained_state_prop vlsm s
Htr: finite_valid_trace_init_to vlsm is s tr
finite_valid_trace_init_to pre_vlsm is s tr
  revert Htr.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
_om: option message
Hs: valid_state_message_prop vlsm s _om
m: message
is: state vlsm
tr: list transition_item
Hsm: finite_valid_trace_init_to pre_vlsm is s tr
→ trace_has_message (field_selector output) m tr
Hpres: constrained_state_prop vlsm s
finite_valid_trace_init_to vlsm is s tr
→ finite_valid_trace_init_to pre_vlsm is s tr
  unfold pre_vlsm; clear.message: Type
vlsm: VLSM message
s, is: state vlsm
tr: list transition_item
finite_valid_trace_init_to vlsm is s tr
→ finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm vlsm) is s tr
  destruct vlsm as (T, M).message: Type
vlsm: VLSM message
T: VLSMType message
M: VLSMMachine T
s, is: state {| vlsm_type := T; vlsm_machine := M |}
tr: list transition_item
finite_valid_trace_init_to
  {| vlsm_type := T; vlsm_machine := M |} is s tr
→ finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm
       {| vlsm_type := T; vlsm_machine := M |}) is s
    tr
  by apply VLSM_incl_finite_valid_trace_init_to, vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma has_been_sent_consistency_proper_not_sent
  (has_been_sent : state_message_oracle)
  (has_been_sent_dec : RelDecision has_been_sent)
  (s : state vlsm)
  (m : message)
  (proper_sent : has_been_sent_prop has_been_sent s m)
  (has_not_been_sent
    := fun (s : state vlsm) (m : message) => ~ has_been_sent s m)
  (Hconsistency : selected_messages_consistency_prop (field_selector output) s m)
  : has_not_been_sent_prop has_not_been_sent s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_sent: state_message_oracle
has_been_sent_dec: RelDecision has_been_sent
s: state vlsm
m: message
proper_sent: has_been_sent_prop has_been_sent s m
has_not_been_sent:= λ (s : state vlsm) (m : message),
  ¬ has_been_sent s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector output) s m
has_not_been_sent_prop has_not_been_sent s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_sent: state_message_oracle
has_been_sent_dec: RelDecision has_been_sent
s: state vlsm
m: message
proper_sent: has_been_sent_prop has_been_sent s m
has_not_been_sent:= λ (s : state vlsm) (m : message),
  ¬ has_been_sent s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector output) s m
has_not_been_sent_prop has_not_been_sent s m
  unfold has_not_been_sent_prop.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_sent: state_message_oracle
has_been_sent_dec: RelDecision has_been_sent
s: state vlsm
m: message
proper_sent: has_been_sent_prop has_been_sent s m
has_not_been_sent:= λ (s : state vlsm) (m : message),
  ¬ has_been_sent s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector output) s m
no_traces_have_message_prop (field_selector output)
  has_not_been_sent s m
  unfold no_traces_have_message_prop.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_sent: state_message_oracle
has_been_sent_dec: RelDecision has_been_sent
s: state vlsm
m: message
proper_sent: has_been_sent_prop has_been_sent s m
has_not_been_sent:= λ (s : state vlsm) (m : message),
  ¬ has_been_sent s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector output) s m
has_not_been_sent s m
↔ selected_message_exists_in_no_preloaded_trace
    (field_selector output) s m
  unfold has_not_been_sent.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_sent: state_message_oracle
has_been_sent_dec: RelDecision has_been_sent
s: state vlsm
m: message
proper_sent: has_been_sent_prop has_been_sent s m
has_not_been_sent:= λ (s : state vlsm) (m : message),
  ¬ has_been_sent s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector output) s m
¬ has_been_sent s m
↔ selected_message_exists_in_no_preloaded_trace
    (field_selector output) s m
  rewrite <- selected_message_exists_preloaded_not_some_iff_no.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_sent: state_message_oracle
has_been_sent_dec: RelDecision has_been_sent
s: state vlsm
m: message
proper_sent: has_been_sent_prop has_been_sent s m
has_not_been_sent:= λ (s : state vlsm) (m : message),
  ¬ has_been_sent s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector output) s m
¬ has_been_sent s m
↔ ¬ selected_message_exists_in_some_preloaded_traces
      (field_selector output) s m
  by apply not_iff_compat, (iff_trans proper_sent).
Qed.

Lemma from_send_to_from_sent_argument
  `{HasBeenSentCapability}
  (P : state vlsm -> Prop)
  (P_stable : forall s l oim s' oom,
    input_constrained_transition vlsm l (s, oim) (s', oom) ->
    P s -> P s')
  (msg : message)
  (send_establishes_P : forall s l oim s',
    input_constrained_transition vlsm l (s, oim) (s', Some msg) ->
    P s') :
  forall s,
    constrained_state_prop vlsm s ->
    has_been_sent s msg ->
    P s.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → has_been_sent s msg → P s
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → has_been_sent s msg → P s
  intros s Hs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
has_been_sent s msg → P s
  induction Hs using valid_state_prop_ind;
    [by intros []%has_been_sent_no_inits |].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent s msg → P s
has_been_sent s' msg → P s'
  rewrite has_been_sent_step_update; [| done].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent s msg → P s
om' = Some msg ∨ has_been_sent s msg → P s'
  intros [-> | H_sent].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om: option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', Some msg)
IHHs: has_been_sent s msg → P s
P s'
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent s msg → P s
H_sent: has_been_sent s msg
P s'
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om: option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', Some msg)
IHHs: has_been_sent s msg → P s
P s' by eapply send_establishes_P.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
P: state vlsm → Prop
P_stable: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)) (oom : option message),
  input_constrained_transition vlsm l
    (s, oim) (s', oom) → 
  P s → P s'
msg: message
send_establishes_P: ∀ (s : state
         (preloaded_with_all_messages_vlsm
            vlsm)) (l : 
                    label
                      (preloaded_with_all_messages_vlsm
                      vlsm)) 
  (oim : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             vlsm)),
  input_constrained_transition
    vlsm l (s, oim)
    (s', Some msg) → P s'
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent s msg → P s
H_sent: has_been_sent s msg
P s' by eapply P_stable, IHHs.
Qed.

Definition has_been_received_stepwise_prop
  (has_been_received_pred : state_message_oracle) : Prop :=
    oracle_stepwise_props (field_selector input) has_been_received_pred.

Class HasBeenReceivedCapability : Type :=
{
  has_been_received : state_message_oracle;
  has_been_received_dec :> RelDecision has_been_received;
  has_been_received_stepwise_props :
    has_been_received_stepwise_prop has_been_received;
}.A coercion will be introduced instead of an instance
in future versions when using ':>' in 'Class'
declarations. Replace ':>' with '::' (or use
'#[global] Existing Instance field.' for compatibility
with Coq < 8.18). Beware that the default locality for
'::' is #[export], as opposed to #[global] for ':>'
currently. Add an explicit #[global] attribute to the
field if you need to keep the current behavior. For
example: "Class foo := { #[global] field :: bar }."
[future-coercion-class-field,deprecated-since-8.17,deprecated,default]

Definition has_not_been_received `{HasBeenReceivedCapability} : state_message_oracle :=
  negate_oracle has_been_received.

Lemma has_been_received_no_inits `{HasBeenReceivedCapability} :
  forall s : state vlsm,
    initial_state_prop vlsm s -> forall m : message, ~ has_been_received s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message, ¬ has_been_received s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message, ¬ has_been_received s m
  exact (oracle_no_inits _ _ has_been_received_stepwise_props).
Qed.

Lemma has_been_received_step_update `{HasBeenReceivedCapability} :
  forall [l : label _] [s : state _] [im : option message] [s' : state _] [om : option message],
    input_constrained_transition vlsm l (s, im) (s', om) ->
  forall msg : message,
    has_been_received s' msg <-> (im = Some msg \/ has_been_received s msg).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received s' msg
      ↔ im = Some msg ∨ has_been_received s msg
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received s' msg
      ↔ im = Some msg ∨ has_been_received s msg
  exact (oracle_step_update _ _ has_been_received_stepwise_props).
Qed.

Definition has_been_received_tracewise_prop
  (has_been_received_pred : state_message_oracle) : Prop :=
    oracle_tracewise_props (field_selector input) has_been_received_pred.

Lemma has_been_received_tracewise_props `{HasBeenReceivedCapability} :
  has_been_received_tracewise_prop has_been_received.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
has_been_received_tracewise_prop has_been_received
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
has_been_received_tracewise_prop has_been_received
  by apply oracle_trace_props_from_stepwise, has_been_received_stepwise_props.
Qed.

Lemma proper_received `{HasBeenReceivedCapability} :
  forall (s : state pre_vlsm) (Hs : constrained_state_prop vlsm s) (m : message),
    has_been_received_prop has_been_received s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_been_received_prop has_been_received s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_been_received_prop has_been_received s m
  by apply proper_oracle_holds, has_been_received_tracewise_props.
Qed.

Lemma proper_not_received `{HasBeenReceivedCapability} :
  forall (s : state pre_vlsm) (Hs : constrained_state_prop vlsm s) (m : message),
    has_not_been_received_prop has_not_been_received s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_not_been_received_prop has_not_been_received
        s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
∀ s : state pre_vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      has_not_been_received_prop has_not_been_received
        s m
  by apply proper_not_oracle_holds, has_been_received_tracewise_props.
Qed.

Lemma has_been_received_consistency
  `{HasBeenReceivedCapability}
  (s : state pre_vlsm)
  (Hs : constrained_state_prop vlsm s)
  (m : message)
  : selected_messages_consistency_prop (field_selector input) s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop
  (field_selector input) s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop
  (field_selector input) s m
  split; [| by apply consistency_from_valid_state_proj2].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
selected_message_exists_in_some_preloaded_traces
  (field_selector input) s m
→ selected_message_exists_in_all_preloaded_traces
    (field_selector input) s m
  intro Hsome.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector input) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector input) s m
  destruct (decide (has_been_received s m)) as [Hsm | Hsm];
    [by apply proper_received in Hsm |].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector input) s m
Hsm: ¬ has_been_received s m
selected_message_exists_in_all_preloaded_traces
  (field_selector input) s m
  apply proper_not_received in Hsm; [| done].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  (field_selector input) s m
Hsm: selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector input) s m
  destruct Hsome as [is [tr [Htr Hsome]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state pre_vlsm
Hs: constrained_state_prop vlsm s
m: message
is: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s tr
Hsome: trace_has_message (field_selector input) m tr
Hsm: selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector input) s m
  by elim (Hsm _ _ Htr).
Qed.

Lemma has_been_received_consistency_proper_not_received
  (has_been_received : state_message_oracle)
  (has_been_received_dec : RelDecision has_been_received)
  (s : state vlsm)
  (m : message)
  (proper_received : has_been_received_prop has_been_received s m)
  (has_not_been_received
    := fun (s : state vlsm) (m : message) => ~ has_been_received s m)
  (Hconsistency : selected_messages_consistency_prop (field_selector input) s m)
  : has_not_been_received_prop has_not_been_received s m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
has_not_been_received_prop has_not_been_received s m
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
has_not_been_received_prop has_not_been_received s m
  unfold has_not_been_received_prop.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
no_traces_have_message_prop (field_selector input)
  has_not_been_received s m
  unfold no_traces_have_message_prop.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
has_not_been_received s m
↔ selected_message_exists_in_no_preloaded_trace
    (field_selector input) s m
  unfold has_not_been_received.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
¬ has_been_received s m
↔ selected_message_exists_in_no_preloaded_trace
    (field_selector input) s m
  split.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
¬ has_been_received s m
→ selected_message_exists_in_no_preloaded_trace
    (field_selector input) s m
message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m → ¬ 
has_been_received s m
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
¬ has_been_received s m
→ selected_message_exists_in_no_preloaded_trace
    (field_selector input) s m intros Hsm is tr Htr Hsome.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hsm: ¬ has_been_received s m
is: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s tr
Hsome: trace_has_message (field_selector input) m tr
False
    assert (Hsm' : selected_message_exists_in_some_preloaded_traces (field_selector input) s m)
      by (exists is; exists tr; exists Htr; done).message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hsm: ¬ has_been_received s m
is: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s tr
Hsome: trace_has_message (field_selector input) m tr
Hsm': selected_message_exists_in_some_preloaded_traces
  (field_selector input) s m
False
    apply Hconsistency in Hsm'.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hsm: ¬ has_been_received s m
is: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s tr
Hsome: trace_has_message (field_selector input) m tr
Hsm': selected_message_exists_in_all_preloaded_traces
  (field_selector input) s m
False
    by apply proper_received in Hsm'.
  -message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m → ¬ has_been_received s m intro Hnone.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hnone: selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m
¬ has_been_received s m destruct (decide (has_been_received s m)) as [Hsm | Hsm]; [| done].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hnone: selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m
Hsm: has_been_received s m
¬ has_been_received s m
    apply proper_received in Hsm.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hnone: selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m
Hsm: selected_message_exists_in_all_preloaded_traces
  (field_selector input) s m
¬ has_been_received s m apply Hconsistency in Hsm.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hnone: selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m
Hsm: selected_message_exists_in_some_preloaded_traces
  (field_selector input) s m
¬ has_been_received s m
    destruct Hsm as [is [tr [Htr Hsm]]].message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
has_been_received: state_message_oracle
has_been_received_dec: RelDecision has_been_received
s: state vlsm
m: message
proper_received: has_been_received_prop
  has_been_received s m
has_not_been_received:= λ (s : state vlsm) (m : message),
  ¬ has_been_received s m: state vlsm → message → Prop
Hconsistency: selected_messages_consistency_prop
  (field_selector input) s m
Hnone: selected_message_exists_in_no_preloaded_trace
  (field_selector input) s m
is: state pre_vlsm
tr: list transition_item
Htr: finite_valid_trace_init_to pre_vlsm is s tr
Hsm: trace_has_message (field_selector input) m tr
¬ has_been_received s m
    by elim (Hnone is tr Htr).
Qed.

Definition sent_messages
  (s : state vlsm)
  : Type
  :=
  sig (fun m => selected_message_exists_in_some_preloaded_traces (field_selector output) s m).

Lemma sent_messages_proper
  `{HasBeenSentCapability}
  (s : state vlsm)
  (Hs : constrained_state_prop vlsm s)
  (m : message)
  : has_been_sent s m <-> exists (m' : sent_messages s), proj1_sig m' = m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_sent s m ↔ (∃ m' : sent_messages s, `m' = m)
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_sent s m ↔ (∃ m' : sent_messages s, `m' = m)
  unfold sent_messages.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_sent s m
↔ (∃ m' : {m : message
          | selected_message_exists_in_some_preloaded_traces
              (field_selector output) s m}, `m' = m) rewrite exists_proj1_sig.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_sent s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector output) s m
  specialize (proper_sent s Hs m) as Hbs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_sent_prop has_been_sent s m
has_been_sent s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector output) s m
  unfold has_been_sent_prop, all_traces_have_message_prop in Hbs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_sent s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector output) s m
has_been_sent s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector output) s m
  rewrite Hbs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_sent s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector output) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector output) s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector output) s m
  symmetry.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenSentCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_sent s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector output) s m
selected_message_exists_in_some_preloaded_traces
  (field_selector output) s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector output) s m
  by apply has_been_sent_consistency.
Qed.

Definition received_messages
  (s : state vlsm)
  : Type
  :=
  sig (fun m => selected_message_exists_in_some_preloaded_traces (field_selector input) s m).

Lemma received_messages_proper
  `{HasBeenReceivedCapability}
  (s : state vlsm)
  (Hs : constrained_state_prop vlsm s)
  (m : message)
  : has_been_received s m <-> exists (m' : received_messages s), proj1_sig m' = m.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_received s m
↔ (∃ m' : received_messages s, `m' = m)
Proof.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_received s m
↔ (∃ m' : received_messages s, `m' = m)
  unfold received_messages.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_received s m
↔ (∃ m' : {m : message
          | selected_message_exists_in_some_preloaded_traces
              (field_selector input) s m}, `m' = m) rewrite exists_proj1_sig.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
has_been_received s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector input) s m
  specialize (proper_received s Hs m) as Hbs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_received_prop has_been_received s m
has_been_received s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector input) s m
  unfold has_been_received_prop, all_traces_have_message_prop in Hbs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_received s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector input) s m
has_been_received s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector input) s m
  rewrite Hbs.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_received s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector input) s m
selected_message_exists_in_all_preloaded_traces
  (field_selector input) s m
↔ selected_message_exists_in_some_preloaded_traces
    (field_selector input) s m
  symmetry.message: Type
vlsm: VLSM message
pre_vlsm:= preloaded_with_all_messages_vlsm vlsm: VLSM message
H: HasBeenReceivedCapability
s: state vlsm
Hs: constrained_state_prop vlsm s
m: message
Hbs: has_been_received s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector input) s m
selected_message_exists_in_some_preloaded_traces
  (field_selector input) s m
↔ selected_message_exists_in_all_preloaded_traces
    (field_selector input) s m
  by apply has_been_received_consistency.
Qed.

End sec_simple.

Arguments oracle_stepwise_props {message} {vlsm} message_selector oracle.
Arguments oracle_no_inits       {message} {vlsm} {message_selector} {oracle}.
Arguments oracle_step_update    {message} {vlsm} {message_selector} {oracle}.

Arguments has_been_sent_stepwise_prop     {message} {vlsm} _.
Arguments has_been_received_stepwise_prop {message} {vlsm} _.

#[global] Hint Mode HasBeenSentCapability - ! : typeclass_instances.
#[global] Hint Mode HasBeenReceivedCapability - ! : typeclass_instances.

Arguments has_been_sent_stepwise_props     {message} vlsm {_}.
Arguments has_been_received_stepwise_props {message} vlsm {_}.

Arguments has_been_sent_step_update     {message} {vlsm H} [l s im s' om] _ msg.
Arguments has_been_received_step_update {message} {vlsm H} [l s im s' om] _ msg.

Proving the trace properties from the stepwise properties is based on oracle_initial_trace_update. The theorems for all_traces_have_message_prop and no_traces_have_message_prop are mostly rearranging quantifiers to use this lemma, also using valid_state_has_trace to choose a trace reaching the state when one is not given.

Section sec_trace_from_stepwise.

Context
  (message : Type)
  (vlsm : VLSM message)
  (selector : message -> transition_item -> Prop)
  (oracle : state_message_oracle vlsm)
  (oracle_props : oracle_stepwise_props selector oracle)
  .

Lemma prove_all_have_message_from_stepwise :
  forall (s : state _)
         (Hs : constrained_state_prop vlsm s)
         (m : message),
    all_traces_have_message_prop vlsm selector oracle s m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm selector
        oracle s m
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm selector
        oracle s m
  intros s Hproto m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
all_traces_have_message_prop vlsm selector oracle s m
  unfold all_traces_have_message_prop.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
oracle s m
↔ selected_message_exists_in_all_preloaded_traces vlsm
    selector s m
  split.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
oracle s m
→ selected_message_exists_in_all_preloaded_traces vlsm
    selector s m
message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m → oracle s m
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
oracle s m
→ selected_message_exists_in_all_preloaded_traces vlsm
    selector s m intros Hholds s0 tr Htr; revert Htr Hholds.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) s0 s tr
→ oracle s m → trace_has_message selector m tr
    by apply oracle_initial_trace_update.
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m → oracle s m intro H_all_traces.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
H_all_traces: selected_message_exists_in_all_preloaded_traces
  vlsm selector s m
oracle s m
    apply valid_state_has_trace in Hproto as (s0 & tr & Htr).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s, s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) s0 s
  tr
m: message
H_all_traces: selected_message_exists_in_all_preloaded_traces
  vlsm selector s m
oracle s m
    rewrite oracle_initial_trace_update; [| done..].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s, s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) s0 s
  tr
m: message
H_all_traces: selected_message_exists_in_all_preloaded_traces
  vlsm selector s m
trace_has_message selector m tr
    by apply H_all_traces in Htr.
Qed.

Lemma prove_none_have_message_from_stepwise :
  forall (s : state (preloaded_with_all_messages_vlsm vlsm))
         (Hs : constrained_state_prop vlsm s)
         (m : message),
    no_traces_have_message_prop vlsm selector (fun s m => ~ oracle s m) s m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm selector
        (λ (s0 : state vlsm) (m0 : message),
           ¬ oracle s0 m0) s m
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm selector
        (λ (s0 : state vlsm) (m0 : message),
           ¬ oracle s0 m0) s m
  intros s Hproto m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
no_traces_have_message_prop vlsm selector
  (λ (s : state vlsm) (m : message), ¬ oracle s m) s m
  split.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
¬ oracle s m
→ selected_message_exists_in_no_preloaded_trace vlsm
    selector s m
message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
selected_message_exists_in_no_preloaded_trace vlsm
  selector s m → ¬ oracle s m
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
¬ oracle s m
→ selected_message_exists_in_no_preloaded_trace vlsm
    selector s m intros H_not_holds start tr Htr.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
H_not_holds: ¬ oracle s m
start: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) start
  s tr
¬ trace_has_message selector m tr
    contradict H_not_holds.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
start: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) start
  s tr
H_not_holds: trace_has_message selector m tr
oracle s m
    by eapply oracle_initial_trace_update.
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
selected_message_exists_in_no_preloaded_trace vlsm
  selector s m → ¬ oracle s m intros H_no_traces H_oracle.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hproto: constrained_state_prop vlsm s
m: message
H_no_traces: selected_message_exists_in_no_preloaded_trace
  vlsm selector s m
H_oracle: oracle s m
False
    apply valid_state_has_trace in Hproto as (s0 & tr & Htr).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s, s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) s0 s
  tr
m: message
H_no_traces: selected_message_exists_in_no_preloaded_trace
  vlsm selector s m
H_oracle: oracle s m
False
    destruct (H_no_traces s0 tr Htr).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s, s0: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) s0 s
  tr
m: message
H_no_traces: selected_message_exists_in_no_preloaded_trace
  vlsm selector s m
H_oracle: oracle s m
trace_has_message selector m tr
    by rewrite <- oracle_initial_trace_update.
Qed.

Lemma selected_messages_consistency_prop_from_stepwise
    (oracle_dec : RelDecision oracle)
    (s : state (preloaded_with_all_messages_vlsm vlsm))
    (Hs : constrained_state_prop vlsm s)
    (m : message)
    : selected_messages_consistency_prop vlsm selector s m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop vlsm selector s m
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop vlsm selector s m
  split; [| by apply consistency_from_valid_state_proj2].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
selected_message_exists_in_some_preloaded_traces vlsm
  selector s m
→ selected_message_exists_in_all_preloaded_traces vlsm
    selector s m
  intro Hsome.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm selector s m
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m
  destruct (decide (oracle s m)) as [Hsm | Hsm].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm selector s m
Hsm: oracle s m
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m
message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm selector s m
Hsm: ¬ oracle s m
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm selector s m
Hsm: oracle s m
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m by apply prove_all_have_message_from_stepwise in Hsm.
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm selector s m
Hsm: ¬ oracle s m
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m apply prove_none_have_message_from_stepwise in Hsm; [| done].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm selector s m
Hsm: selected_message_exists_in_no_preloaded_trace
  vlsm selector s m
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m
    destruct Hsome as [is [tr [Htr Hmsg]]].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
oracle_dec: RelDecision oracle
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
Hmsg: trace_has_message selector m tr
Hsm: selected_message_exists_in_no_preloaded_trace
  vlsm selector s m
selected_message_exists_in_all_preloaded_traces vlsm
  selector s m
    by elim (Hsm _ _ Htr).
Qed.

Lemma in_futures_preserving_oracle_from_stepwise :
  forall (s1 s2 : state (preloaded_with_all_messages_vlsm vlsm))
    (Hfutures : in_futures (preloaded_with_all_messages_vlsm vlsm) s1 s2)
    (m : message),
    oracle s1 m -> oracle  s2 m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
∀ s1
   s2 : state (preloaded_with_all_messages_vlsm vlsm),
  in_futures (preloaded_with_all_messages_vlsm vlsm)
    s1 s2 → ∀ m : message, oracle s1 m → oracle s2 m
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
∀ s1
   s2 : state (preloaded_with_all_messages_vlsm vlsm),
  in_futures (preloaded_with_all_messages_vlsm vlsm)
    s1 s2 → ∀ m : message, oracle s1 m → oracle s2 m
  intros s1 s2 [tr Htr] m Hs1m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_props: oracle_stepwise_props selector oracle
s1, s2: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) s1 s2
  tr
m: message
Hs1m: oracle s1 m
oracle s2 m
  by eapply oracle_partial_trace_update; [| | right].
Qed.

End sec_trace_from_stepwise.

The stepwise properties are proven from the trace properties by considering the empty trace to prove the oracle_no_inits property, and by considering a trace that ends with the given input_valid_transition to prove the oracle_step_update property.

Section sec_stepwise_from_trace.

Context
  (message : Type)
  (vlsm : VLSM message)
  (selector : message -> transition_item -> Prop)
  (oracle : state_message_oracle vlsm)
  (oracle_dec : RelDecision oracle)
  (Horacle_all_have :
     forall s (Hs : constrained_state_prop vlsm s) m,
      all_traces_have_message_prop vlsm selector oracle s m)
  (Hnot_oracle_none_have :
     forall s (Hs : constrained_state_prop vlsm s) m,
       no_traces_have_message_prop vlsm selector (fun m s => ~ oracle m s) s m).

Lemma oracle_no_inits_from_trace :
  forall (s : state vlsm), initial_state_prop vlsm s ->
                           forall m, ~ oracle s m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ s : state vlsm,
  initial_state_prop s → ∀ m : message, ¬ oracle s m
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ s : state vlsm,
  initial_state_prop s → ∀ m : message, ¬ oracle s m
  intros s Hinit m Horacle.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
s: state vlsm
Hinit: initial_state_prop s
m: message
Horacle: oracle s m
False
  assert (Hproto : constrained_state_prop vlsm s)
    by (apply initial_state_is_valid; done).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
s: state vlsm
Hinit: initial_state_prop s
m: message
Horacle: oracle s m
Hproto: constrained_state_prop vlsm s
False
  apply Horacle_all_have in Horacle; [| done].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
s: state vlsm
Hinit: initial_state_prop s
m: message
Horacle: selected_message_exists_in_all_preloaded_traces
  vlsm selector s m
Hproto: constrained_state_prop vlsm s
False
  specialize (Horacle s nil).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
s: state vlsm
Hinit: initial_state_prop s
m: message
Horacle: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) s
  s [] → trace_has_message selector m []
Hproto: constrained_state_prop vlsm s
False
  eapply Exists_nil; apply Horacle; clear Horacle.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
s: state vlsm
Hinit: initial_state_prop s
m: message
Hproto: constrained_state_prop vlsm s
finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) s s []
  by split; [constructor |].
Qed.

Lemma examine_one_trace :
  forall is s tr,
    finite_constrained_trace_init_to vlsm is s tr ->
  forall m,
    oracle s m <->
    trace_has_message selector m tr.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      oracle s m ↔ trace_has_message selector m tr
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      oracle s m ↔ trace_has_message selector m tr
  intros is s tr Htr m.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
oracle s m ↔ trace_has_message selector m tr
  assert (constrained_state_prop vlsm s)
    by (red in Htr; apply valid_trace_last_pstate in Htr; done).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
oracle s m ↔ trace_has_message selector m tr
  split.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
oracle s m → trace_has_message selector m tr
message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
trace_has_message selector m tr → oracle s m
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
oracle s m → trace_has_message selector m tr intros Horacle.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Horacle: oracle s m
trace_has_message selector m tr
    apply Horacle_all_have in Horacle; [| done].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Horacle: selected_message_exists_in_all_preloaded_traces
  vlsm selector s m
trace_has_message selector m tr
    by specialize (Horacle is tr Htr).
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
trace_has_message selector m tr → oracle s m intro Hexists.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Hexists: trace_has_message selector m tr
oracle s m
    apply dec_stable.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Hexists: trace_has_message selector m tr
¬ ¬ oracle s m
    intro Hnot.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Hexists: trace_has_message selector m tr
Hnot: ¬ oracle s m
False
    apply Hnot_oracle_none_have in Hnot; [| done].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Hexists: trace_has_message selector m tr
Hnot: selected_message_exists_in_no_preloaded_trace
  vlsm selector s m
False
    rewrite <- selected_message_exists_preloaded_not_some_iff_no in Hnot.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Hexists: trace_has_message selector m tr
Hnot: ¬ selected_message_exists_in_some_preloaded_traces
    vlsm selector s m
False
    apply Hnot.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
m: message
H: constrained_state_prop vlsm s
Hexists: trace_has_message selector m tr
Hnot: ¬ selected_message_exists_in_some_preloaded_traces
    vlsm selector s m
selected_message_exists_in_some_preloaded_traces vlsm
  selector s m
    by exists is, tr, Htr.
Qed.

Lemma oracle_step_property_from_trace :
     forall l s im s' om,
       input_constrained_transition vlsm l (s, im) (s', om) ->
       forall msg, oracle s' msg
                   <-> (selector msg {| l := l; input := im; destination := s'; output := om |}
                        \/ oracle s msg).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      oracle s' msg
      ↔ selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ oracle s msg
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      oracle s' msg
      ↔ selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ oracle s msg
  intros l s im s' om Htrans msg.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Htrans: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
oracle s' msg
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ oracle s msg
  rename Htrans into Htrans'.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Htrans': input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
oracle s' msg
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ oracle s msg
  pose proof Htrans' as [[Hproto_s [Hproto_m Hvalid]] Htrans].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Htrans': input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
Hproto_s: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
Hproto_m: option_valid_message_prop
  (preloaded_with_all_messages_vlsm vlsm)
  im
Hvalid: valid l (s, im)
Htrans: transition l (s, im) = (s', om)
oracle s' msg
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ oracle s msg
  pose proof (valid_state_has_trace _ _ Hproto_s)
    as [is [tr [Htr Hinit]]].message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Htrans': input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
Hproto_s: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
Hproto_m: option_valid_message_prop
  (preloaded_with_all_messages_vlsm vlsm)
  im
Hvalid: valid l (s, im)
Htrans: transition l (s, im) = (s', om)
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
Hinit: initial_state_prop is
oracle s' msg
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ oracle s msg
  pose proof (Htr' := extend_right_finite_trace_from_to _ Htr Htrans').message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Htrans': input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
Hproto_s: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
Hproto_m: option_valid_message_prop
  (preloaded_with_all_messages_vlsm vlsm)
  im
Hvalid: valid l (s, im)
Htrans: transition l (s, im) = (s', om)
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
Hinit: initial_state_prop is
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) is s'
  (tr ++
   [{|
      l := l;
      input := im;
      destination := s';
      output := om
    |}])
oracle s' msg
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ oracle s msg
  rewrite (examine_one_trace _ _ _ (conj Htr Hinit) msg).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Htrans': input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
Hproto_s: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
Hproto_m: option_valid_message_prop
  (preloaded_with_all_messages_vlsm vlsm)
  im
Hvalid: valid l (s, im)
Htrans: transition l (s, im) = (s', om)
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
Hinit: initial_state_prop is
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) is s'
  (tr ++
   [{|
      l := l;
      input := im;
      destination := s';
      output := om
    |}])
oracle s' msg
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ trace_has_message selector msg tr
  rewrite (examine_one_trace _ _ _ (conj Htr' Hinit) msg).message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Htrans': input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
Hproto_s: valid_state_prop
  (preloaded_with_all_messages_vlsm vlsm) s
Hproto_m: option_valid_message_prop
  (preloaded_with_all_messages_vlsm vlsm)
  im
Hvalid: valid l (s, im)
Htrans: transition l (s, im) = (s', om)
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
Hinit: initial_state_prop is
Htr': finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm vlsm) is s'
  (tr ++
   [{|
      l := l;
      input := im;
      destination := s';
      output := om
    |}])
trace_has_message selector msg
  (tr ++
   [{|
      l := l;
      input := im;
      destination := s';
      output := om
    |}])
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ trace_has_message selector msg tr
  clear.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
l: label (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
msg: message
tr: list transition_item
trace_has_message selector msg
  (tr ++
   [{|
      l := l;
      input := im;
      destination := s';
      output := om
    |}])
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ trace_has_message selector msg tr
  progress cbn.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
l: label (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
msg: message
tr: list transition_item
trace_has_message selector msg
  (tr ++
   [{|
      l := l;
      input := im;
      destination := s';
      output := om
    |}])
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ trace_has_message selector msg tr unfold trace_has_message.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
l: label (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
msg: message
tr: list transition_item
Exists (selector msg)
  (tr ++
   [{|
      l := l;
      input := im;
      destination := s';
      output := om
    |}])
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ Exists (selector msg) tr
  rewrite Exists_app, Exists_cons, Exists_nil.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
l: label (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
msg: message
tr: list transition_item
Exists (selector msg) tr
∨ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ False
↔ selector msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ Exists (selector msg) tr
  by itauto.
Qed.

Lemma stepwise_props_from_trace : oracle_stepwise_props selector oracle.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
oracle_stepwise_props selector oracle
Proof.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
oracle_stepwise_props selector oracle
  constructor.message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ s : state vlsm,
  initial_state_prop s → ∀ m : message, ¬ oracle s m
message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) 
  (s' : state (preloaded_with_all_messages_vlsm vlsm)) 
  (om : option message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      oracle s' msg
      ↔ selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ oracle s msg
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ s : state vlsm,
  initial_state_prop s → ∀ m : message, ¬ oracle s m by apply oracle_no_inits_from_trace.
  -message: Type
vlsm: VLSM message
selector: message → transition_item → Prop
oracle: state_message_oracle vlsm
oracle_dec: RelDecision oracle
Horacle_all_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop
        vlsm selector oracle s m
Hnot_oracle_none_have: ∀ s : state
        (preloaded_with_all_messages_vlsm
           vlsm),
  constrained_state_prop vlsm
    s
  → ∀ m : message,
      no_traces_have_message_prop
        vlsm selector
        (λ (m0 : state vlsm) 
           (s0 : message),
           ¬ oracle m0 s0) s m
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      oracle s' msg
      ↔ selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ oracle s msg by apply oracle_step_property_from_trace.
Defined.

End sec_stepwise_from_trace.

Stepwise view of HasBeenSentCapability

This reduces the proof obligations in HasBeenSentCapability to proving the stepwise properties of oracle_stepwise_props. has_been_step_stepwise_props is a specialization of oracle_stepwise_props to the right message_selector.

There are also lemmas for accessing the stepwise properties about a has_been_sent predicate given an instance of HasBeenSentCapability, to allow using HasBeenSentCapability_from_stepwise to define a HasBeenSentCapability for composite VLSMs, or for proofs (e.g, about invariants) where these are more convenient.

(* TODO - move up with HasBeenSent *)

Lemma preloaded_has_been_sent_stepwise_props
      [message : Type]
      (vlsm : VLSM message)
      `{HasBeenSentCapability message vlsm}
      (seed : message -> Prop)
      (X := preloaded_vlsm vlsm seed) :
  has_been_sent_stepwise_prop (vlsm := X) (has_been_sent vlsm).message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
has_been_sent_stepwise_prop (has_been_sent vlsm)
Proof.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
has_been_sent_stepwise_prop (has_been_sent vlsm)
  destruct (has_been_sent_stepwise_props vlsm); cbn in *.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent vlsm s' msg
      ↔ om = Some msg
        ∨ has_been_sent vlsm s
            msg
has_been_sent_stepwise_prop (has_been_sent vlsm)
  split; [done |].message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent vlsm s' msg
      ↔ om = Some msg
        ∨ has_been_sent vlsm s
            msg
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent vlsm s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ has_been_sent vlsm s msg
  cbn; intros.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent vlsm s' msg
      ↔ om = Some msg
        ∨ has_been_sent vlsm s
            msg
l: label vlsm
s: state vlsm
im: option message
s': state vlsm
om: option message
H0: input_constrained_transition X l (s, im) (s', om)
msg: message
has_been_sent vlsm s' msg
↔ om = Some msg ∨ has_been_sent vlsm s msg
  eapply oracle_step_update0, VLSM_incl_input_valid_transition; [| done].message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent vlsm s' msg
      ↔ om = Some msg
        ∨ has_been_sent vlsm s
            msg
l: label vlsm
s: state vlsm
im: option message
s': state vlsm
om: option message
H0: input_constrained_transition X l (s, im) (s', om)
msg: message
VLSM_incl_part
  (preloaded_vlsm_machine X (λ _ : message, True))
  (preloaded_vlsm_machine vlsm (λ _ : message, True))
  by apply basic_VLSM_strong_incl; do 2 red; cbn; itauto.
Qed.

#[export] Instance preloaded_HasBeenSentCapability
      [message : Type]
      (vlsm : VLSM message)
      `{HasBeenSentCapability message vlsm}
      (seed : message -> Prop) :
  HasBeenSentCapability (preloaded_vlsm vlsm seed).message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
HasBeenSentCapability (preloaded_vlsm vlsm seed)
Proof.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
HasBeenSentCapability (preloaded_vlsm vlsm seed)
  econstructor.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
RelDecision ?has_been_sent
message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
has_been_sent_stepwise_prop ?has_been_sent
  -message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
RelDecision ?has_been_sent by apply (has_been_sent_dec vlsm).
  -message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
seed: message → Prop
has_been_sent_stepwise_prop (has_been_sent vlsm) by apply preloaded_has_been_sent_stepwise_props.
Defined.

Lemma constrained_has_been_sent_stepwise_props
  `(X : VLSM message)
  `{HasBeenSentCapability message X}
  (constraint : label X -> state X * option message -> Prop) :
  has_been_sent_stepwise_prop (vlsm := constrained_vlsm X constraint) (has_been_sent X).message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
has_been_sent_stepwise_prop (has_been_sent X)
Proof.message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
has_been_sent_stepwise_prop (has_been_sent X)
  destruct (has_been_sent_stepwise_props X); cbn in *.message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent X s' msg
      ↔ om = Some msg
        ∨ has_been_sent X s msg
has_been_sent_stepwise_prop (has_been_sent X)
  split; [done |].message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent X s' msg
      ↔ om = Some msg
        ∨ has_been_sent X s msg
∀ (l : label
         (preloaded_with_all_messages_vlsm
            (constrained_vlsm X constraint))) (s : 
                                               state
                                                 (preloaded_with_all_messages_vlsm
                                                 (constrained_vlsm
                                                 X
                                                 constraint))) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   (constrained_vlsm X
                                      constraint))) 
  (om : option message),
  input_constrained_transition
    (constrained_vlsm X constraint) l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent X s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ has_been_sent X s msg
  cbn; intros.message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent X s' msg
      ↔ om = Some msg
        ∨ has_been_sent X s msg
l: label X
s: state X
im: option message
s': state X
om: option message
H0: input_constrained_transition
  (constrained_vlsm X constraint) l (
  s, im) (s', om)
msg: message
has_been_sent X s' msg
↔ om = Some msg ∨ has_been_sent X s msg
  eapply oracle_step_update0, VLSM_incl_input_valid_transition; [| done].message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_sent X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent X s' msg
      ↔ om = Some msg
        ∨ has_been_sent X s msg
l: label X
s: state X
im: option message
s': state X
om: option message
H0: input_constrained_transition
  (constrained_vlsm X constraint) l (
  s, im) (s', om)
msg: message
VLSM_incl_part
  (preloaded_vlsm_machine
     (constrained_vlsm X constraint)
     (λ _ : message, True))
  (preloaded_vlsm_machine X (λ _ : message, True))
  by apply basic_VLSM_strong_incl; do 2 red; cbn; itauto.
Qed.

#[export] Instance constrained_vlsm_HasBeenSentCapability
  `(X : VLSM message) `{HasBeenSentCapability message X}
  (constraint : label X -> state X * option message -> Prop)
  : HasBeenSentCapability (constrained_vlsm X constraint).message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
HasBeenSentCapability (constrained_vlsm X constraint)
Proof.message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
HasBeenSentCapability (constrained_vlsm X constraint)
  econstructor.message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
RelDecision ?has_been_sent
message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
has_been_sent_stepwise_prop ?has_been_sent
  -message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
RelDecision ?has_been_sent by apply (has_been_sent_dec X).
  -message: Type
X: VLSM message
H: HasBeenSentCapability X
constraint: label X → state X * option message → Prop
has_been_sent_stepwise_prop (has_been_sent X) by apply constrained_has_been_sent_stepwise_props.
Defined.

Lemma has_been_sent_examine_one_trace
  `{HasBeenSentCapability message vlsm} :
  forall is s tr,
    finite_constrained_trace_init_to vlsm is s tr ->
  forall m,
    has_been_sent vlsm s m <->
    trace_has_message (field_selector output) m tr.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      has_been_sent vlsm s m
      ↔ trace_has_message (field_selector output) m tr
Proof.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      has_been_sent vlsm s m
      ↔ trace_has_message (field_selector output) m tr
  apply examine_one_trace.message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
RelDecision (has_been_sent vlsm)
message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        (field_selector output) 
        (has_been_sent vlsm) s m
message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        (field_selector output)
        (λ (m0 : state vlsm) (s0 : message),
           ¬ has_been_sent vlsm m0 s0) s m
  -message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
RelDecision (has_been_sent vlsm) by apply has_been_sent_dec.
  -message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        (field_selector output) (has_been_sent vlsm) s
        m by apply proper_sent.
  -message: Type
vlsm: VLSM message
H: HasBeenSentCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        (field_selector output)
        (λ (m0 : state vlsm) (s0 : message),
           ¬ has_been_sent vlsm m0 s0) s m by apply proper_not_sent.
Qed.

Lemma preloaded_has_been_received_stepwise_props
      {message : Type}
      (vlsm : VLSM message)
      `{HasBeenReceivedCapability message vlsm}
      (seed : message -> Prop)
      (X := preloaded_vlsm vlsm seed) :
  has_been_received_stepwise_prop (vlsm := X) (has_been_received vlsm).message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
has_been_received_stepwise_prop
  (has_been_received vlsm)
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
has_been_received_stepwise_prop
  (has_been_received vlsm)
  destruct (has_been_received_stepwise_props vlsm); cbn in *.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received vlsm s'
        msg
      ↔ im = Some msg
        ∨ has_been_received vlsm
            s msg
has_been_received_stepwise_prop
  (has_been_received vlsm)
  split; [done |].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received vlsm s'
        msg
      ↔ im = Some msg
        ∨ has_been_received vlsm
            s msg
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received vlsm s' msg
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ has_been_received vlsm s msg
  cbn; intros.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received vlsm s'
        msg
      ↔ im = Some msg
        ∨ has_been_received vlsm
            s msg
l: label vlsm
s: state vlsm
im: option message
s': state vlsm
om: option message
H0: input_constrained_transition X l (s, im) (s', om)
msg: message
has_been_received vlsm s' msg
↔ im = Some msg ∨ has_been_received vlsm s msg
  eapply oracle_step_update0, VLSM_incl_input_valid_transition; [| done].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
X:= preloaded_vlsm vlsm seed: VLSM message
oracle_no_inits0: ∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received vlsm s m
oracle_step_update0: ∀ (l : label vlsm) (s : 
                    state vlsm) 
  (im : option message) 
  (s' : state vlsm) (om : 
                     option
                      message),
  input_constrained_transition
    vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received vlsm s'
        msg
      ↔ im = Some msg
        ∨ has_been_received vlsm
            s msg
l: label vlsm
s: state vlsm
im: option message
s': state vlsm
om: option message
H0: input_constrained_transition X l (s, im) (s', om)
msg: message
VLSM_incl_part
  (preloaded_vlsm_machine X (λ _ : message, True))
  (preloaded_vlsm_machine vlsm (λ _ : message, True))
  by apply basic_VLSM_strong_incl; do 2 red; cbn; itauto.
Qed.

#[export] Instance preloaded_HasBeenReceivedCapability
      {message : Type}
      (vlsm : VLSM message)
      `{HasBeenReceivedCapability message vlsm}
      (seed : message -> Prop) :
  HasBeenReceivedCapability (preloaded_vlsm vlsm seed).message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
HasBeenReceivedCapability (preloaded_vlsm vlsm seed)
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
HasBeenReceivedCapability (preloaded_vlsm vlsm seed)
  econstructor.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
RelDecision ?has_been_received
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
has_been_received_stepwise_prop ?has_been_received
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
RelDecision ?has_been_received by apply (has_been_received_dec vlsm).
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
seed: message → Prop
has_been_received_stepwise_prop
  (has_been_received vlsm) by apply preloaded_has_been_received_stepwise_props.
Defined.

Lemma constrained_has_been_received_stepwise_props
  `(X : VLSM message)
  `{HasBeenReceivedCapability message X}
  (constraint : label X -> state X * option message -> Prop) :
  has_been_received_stepwise_prop (vlsm := constrained_vlsm X constraint) (has_been_received X).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
has_been_received_stepwise_prop (has_been_received X)
Proof.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
has_been_received_stepwise_prop (has_been_received X)
  destruct (has_been_received_stepwise_props X); cbn in *.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received X s' msg
      ↔ im = Some msg
        ∨ has_been_received X s
            msg
has_been_received_stepwise_prop (has_been_received X)
  split; [done |].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received X s' msg
      ↔ im = Some msg
        ∨ has_been_received X s
            msg
∀ (l : label
         (preloaded_with_all_messages_vlsm
            (constrained_vlsm X constraint))) (s : 
                                               state
                                                 (preloaded_with_all_messages_vlsm
                                                 (constrained_vlsm
                                                 X
                                                 constraint))) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   (constrained_vlsm X
                                      constraint))) 
  (om : option message),
  input_constrained_transition
    (constrained_vlsm X constraint) l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received X s' msg
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ has_been_received X s msg
  cbn; intros.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received X s' msg
      ↔ im = Some msg
        ∨ has_been_received X s
            msg
l: label X
s: state X
im: option message
s': state X
om: option message
H0: input_constrained_transition
  (constrained_vlsm X constraint) l (
  s, im) (s', om)
msg: message
has_been_received X s' msg
↔ im = Some msg ∨ has_been_received X s msg
  eapply oracle_step_update0, VLSM_incl_input_valid_transition; [| done].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
oracle_no_inits0: ∀ s : state X,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_received X s m
oracle_step_update0: ∀ (l : label X) (s : state X) 
  (im : option message) 
  (s' : state X) (om : 
                  option message),
  input_constrained_transition X
    l (s, im) (s', om)
  → ∀ msg : message,
      has_been_received X s' msg
      ↔ im = Some msg
        ∨ has_been_received X s
            msg
l: label X
s: state X
im: option message
s': state X
om: option message
H0: input_constrained_transition
  (constrained_vlsm X constraint) l (
  s, im) (s', om)
msg: message
VLSM_incl_part
  (preloaded_vlsm_machine
     (constrained_vlsm X constraint)
     (λ _ : message, True))
  (preloaded_vlsm_machine X (λ _ : message, True))
  by apply basic_VLSM_strong_incl; do 2 red; cbn; itauto.
Qed.

#[export] Instance constrained_vlsm_HasBeenReceivedCapability
  `(X : VLSM message) `{HasBeenReceivedCapability message X}
  (constraint : label X -> state X * option message -> Prop)
  : HasBeenReceivedCapability (constrained_vlsm X constraint).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
HasBeenReceivedCapability
  (constrained_vlsm X constraint)
Proof.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
HasBeenReceivedCapability
  (constrained_vlsm X constraint)
  econstructor.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
RelDecision ?has_been_received
message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
has_been_received_stepwise_prop ?has_been_received
  -message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
RelDecision ?has_been_received by apply (has_been_received_dec X).
  -message: Type
X: VLSM message
H: HasBeenReceivedCapability X
constraint: label X → state X * option message → Prop
has_been_received_stepwise_prop (has_been_received X) by apply constrained_has_been_received_stepwise_props.
Defined.

Lemma has_been_received_examine_one_trace
  `{HasBeenReceivedCapability message vlsm} :
  forall is s tr,
    finite_constrained_trace_init_to vlsm is s tr ->
  forall m,
    has_been_received vlsm s m <->
    trace_has_message (field_selector input) m tr.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      has_been_received vlsm s m
      ↔ trace_has_message (field_selector input) m tr
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      has_been_received vlsm s m
      ↔ trace_has_message (field_selector input) m tr
  apply examine_one_trace.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
RelDecision (has_been_received vlsm)
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        (field_selector input)
        (has_been_received vlsm) s m
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        (field_selector input)
        (λ (m0 : state vlsm) (s0 : message),
           ¬ has_been_received vlsm m0 s0) s m
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
RelDecision (has_been_received vlsm) by apply has_been_received_dec.
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        (field_selector input)
        (has_been_received vlsm) s m by apply proper_received.
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        (field_selector input)
        (λ (m0 : state vlsm) (s0 : message),
           ¬ has_been_received vlsm m0 s0) s m by apply proper_not_received.
Qed.

Lemma trace_to_initial_state_has_no_inputs
  {message} vlsm
  `{HasBeenReceivedCapability message vlsm}
  is s tr
  (Htr : finite_constrained_trace_init_to vlsm is s tr)
  (Hs : initial_state_prop vlsm s)
  : forall item, item ∈ tr -> input item = None.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
∀ item : transition_item,
  item ∈ tr → input item = None
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
∀ item : transition_item,
  item ∈ tr → input item = None
  intros item Hitem.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
item: transition_item
Hitem: item ∈ tr
input item = None
  destruct (input item) as [m |] eqn: Heqm; [| done].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
item: transition_item
Hitem: item ∈ tr
m: message
Heqm: input item = Some m
Some m = None
  elim (selected_message_exists_in_all_traces_initial_state _ _ Hs (field_selector input) m).message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
item: transition_item
Hitem: item ∈ tr
m: message
Heqm: input item = Some m
selected_message_exists_in_all_preloaded_traces vlsm
  (field_selector input) s m
  apply has_been_received_consistency; [done | by apply initial_state_is_valid |].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
item: transition_item
Hitem: item ∈ tr
m: message
Heqm: input item = Some m
selected_message_exists_in_some_preloaded_traces vlsm
  (field_selector input) s m
  eexists _, _, Htr.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
item: transition_item
Hitem: item ∈ tr
m: message
Heqm: input item = Some m
trace_has_message (field_selector input) m tr
  apply Exists_exists.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
is, s: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_constrained_trace_init_to vlsm is s tr
Hs: initial_state_prop s
item: transition_item
Hitem: item ∈ tr
m: message
Heqm: input item = Some m
∃ x : transition_item,
  x ∈ tr ∧ field_selector input m x
  by exists item.
Qed.

A state message oracle for messages sent or received

In protocols like the CBC full node protocol, validators often work with the set of all messages they have directly observed, which includes the messages the component sent itself along with messages that were received. The has_been_directly_observed oracle tells whether the given message was sent or received during any trace leading to the given state.

Class HasBeenDirectlyObservedCapability {message} (vlsm : VLSM message) : Type :=
{
  has_been_directly_observed : state_message_oracle vlsm;
  has_been_directly_observed_dec :> RelDecision has_been_directly_observed;
  has_been_directly_observed_stepwise_props :
    oracle_stepwise_props item_sends_or_receives has_been_directly_observed;
}.A coercion will be introduced instead of an instance
in future versions when using ':>' in 'Class'
declarations. Replace ':>' with '::' (or use
'#[global] Existing Instance field.' for compatibility
with Coq < 8.18). Beware that the default locality for
'::' is #[export], as opposed to #[global] for ':>'
currently. Add an explicit #[global] attribute to the
field if you need to keep the current behavior. For
example: "Class foo := { #[global] field :: bar }."
[future-coercion-class-field,deprecated-since-8.17,deprecated,default]

Arguments has_been_directly_observed {message} vlsm {_}.
Arguments has_been_directly_observed_dec {message} vlsm {_}.
Arguments has_been_directly_observed_stepwise_props {message} vlsm {_}.

#[global] Hint Mode HasBeenDirectlyObservedCapability - ! : typeclass_instances.

Lemma has_been_directly_observed_no_inits `[HasBeenDirectlyObservedCapability message vlsm] :
  forall (s : state vlsm),
    initial_state_prop vlsm s ->
  forall m : message,
    ~ has_been_directly_observed vlsm s m.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_directly_observed vlsm s m
Proof.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ has_been_directly_observed vlsm s m
  exact (oracle_no_inits (has_been_directly_observed_stepwise_props vlsm)).
Qed.

Lemma has_been_directly_observed_step_update `{HasBeenDirectlyObservedCapability message vlsm} :
  forall l s im s' om,
    input_constrained_transition vlsm l (s, im) (s', om) ->
  forall msg : message,
    has_been_directly_observed vlsm s' msg <->
    (im = Some msg \/ om = Some msg) \/ has_been_directly_observed vlsm s msg.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_directly_observed vlsm s' msg
      ↔ (im = Some msg ∨ om = Some msg)
        ∨ has_been_directly_observed vlsm s msg
Proof.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_directly_observed vlsm s' msg
      ↔ (im = Some msg ∨ om = Some msg)
        ∨ has_been_directly_observed vlsm s msg
  exact (oracle_step_update (has_been_directly_observed_stepwise_props vlsm)).
Qed.

Lemma proper_directly_observed
  {message} (vlsm : VLSM message) `{HasBeenDirectlyObservedCapability message vlsm} :
  forall (s : state (preloaded_with_all_messages_vlsm vlsm)),
    constrained_state_prop vlsm s ->
    forall m,
      all_traces_have_message_prop vlsm item_sends_or_receives (has_been_directly_observed vlsm) s m.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        item_sends_or_receives
        (has_been_directly_observed vlsm) s m
Proof.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        item_sends_or_receives
        (has_been_directly_observed vlsm) s m
  by apply proper_oracle_holds, oracle_trace_props_from_stepwise,
    has_been_directly_observed_stepwise_props.
Qed.

Lemma proper_not_directly_observed
  `(vlsm : VLSM message) `{HasBeenDirectlyObservedCapability message vlsm} :
  forall (s : state (preloaded_with_all_messages_vlsm vlsm)),
    constrained_state_prop vlsm s ->
    forall m,
      no_traces_have_message_prop vlsm item_sends_or_receives
                                  (fun s m => ~ has_been_directly_observed vlsm s m) s m.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        item_sends_or_receives
        (λ (s0 : state vlsm) (m0 : message),
           ¬ has_been_directly_observed vlsm s0 m0) s
        m
Proof.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        item_sends_or_receives
        (λ (s0 : state vlsm) (m0 : message),
           ¬ has_been_directly_observed vlsm s0 m0) s
        m
  by apply proper_not_oracle_holds, oracle_trace_props_from_stepwise,
    has_been_directly_observed_stepwise_props.
Qed.

Lemma has_been_directly_observed_examine_one_trace
  {message} (vlsm : VLSM message) `{HasBeenDirectlyObservedCapability message vlsm} :
  forall is s tr,
    finite_constrained_trace_init_to vlsm is s tr ->
  forall m,
    has_been_directly_observed vlsm s m <->
    trace_has_message item_sends_or_receives m tr.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      has_been_directly_observed vlsm s m
      ↔ trace_has_message item_sends_or_receives m tr
Proof.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ (is
   s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (tr : list transition_item),
  finite_constrained_trace_init_to vlsm is s tr
  → ∀ m : message,
      has_been_directly_observed vlsm s m
      ↔ trace_has_message item_sends_or_receives m tr
  apply examine_one_trace.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
RelDecision (has_been_directly_observed vlsm)
message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        item_sends_or_receives
        (has_been_directly_observed vlsm) s m
message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        item_sends_or_receives
        (λ (m0 : state vlsm) (s0 : message),
           ¬ has_been_directly_observed vlsm m0 s0) s
        m
  -message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
RelDecision (has_been_directly_observed vlsm) by apply has_been_directly_observed_dec.
  -message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      all_traces_have_message_prop vlsm
        item_sends_or_receives
        (has_been_directly_observed vlsm) s m by apply proper_directly_observed.
  -message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
∀ s : state (preloaded_with_all_messages_vlsm vlsm),
  constrained_state_prop vlsm s
  → ∀ m : message,
      no_traces_have_message_prop vlsm
        item_sends_or_receives
        (λ (m0 : state vlsm) (s0 : message),
           ¬ has_been_directly_observed vlsm m0 s0) s
        m by apply proper_not_directly_observed.
Qed.

A received message introduces no additional equivocations to a state if it has already been observed in s.

Definition no_additional_equivocations
  {message : Type}
  (vlsm : VLSM message)
  `{HasBeenDirectlyObservedCapability message vlsm}
  (s : state vlsm)
  (m : message)
  : Prop
  :=
  has_been_directly_observed vlsm s m.

no_additional_equivocations is decidable.

Lemma no_additional_equivocations_dec
  {message : Type}
  (vlsm : VLSM message)
  `{HasBeenDirectlyObservedCapability message vlsm}
  : RelDecision (no_additional_equivocations vlsm).message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
RelDecision (no_additional_equivocations vlsm)
Proof.message: Type
vlsm: VLSM message
H: HasBeenDirectlyObservedCapability vlsm
RelDecision (no_additional_equivocations vlsm)
  by apply has_been_directly_observed_dec.
Qed.

Definition no_additional_equivocations_constraint
  {message : Type}
  (vlsm : VLSM message)
  `{HasBeenDirectlyObservedCapability message vlsm}
  (l : label vlsm)
  (som : state vlsm * option message)
  : Prop
  :=
  let (s, om) := som in
  from_option (no_additional_equivocations vlsm s) True om.

Section sec_sent_received_observed_capabilities.

Context
  {message : Type}
  (vlsm : VLSM message)
  `{HasBeenReceivedCapability message vlsm}
  `{HasBeenSentCapability message vlsm}
  .

Lemma has_been_directly_observed_sent_received_iff
  `{HasBeenDirectlyObservedCapability message vlsm}
  (s : state (preloaded_with_all_messages_vlsm vlsm))
  (Hs : constrained_state_prop vlsm s)
  (m : message)
  : has_been_directly_observed vlsm s m <-> has_been_received vlsm s m \/ has_been_sent vlsm s m.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m ∨ has_been_sent vlsm s m
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m ∨ has_been_sent vlsm s m
  induction Hs using valid_state_prop_ind.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: initial_state_prop s
m: message
has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m ∨ has_been_sent vlsm s m
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
m: message
IHHs: has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m
  ∨ has_been_sent vlsm s m
has_been_directly_observed vlsm s' m
↔ has_been_received vlsm s' m
  ∨ has_been_sent vlsm s' m
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: initial_state_prop s
m: message
has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m ∨ has_been_sent vlsm s m split.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: initial_state_prop s
m: message
has_been_directly_observed vlsm s m
→ has_been_received vlsm s m ∨ has_been_sent vlsm s m
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: initial_state_prop s
m: message
has_been_received vlsm s m ∨ has_been_sent vlsm s m
→ has_been_directly_observed vlsm s m
    +message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: initial_state_prop s
m: message
has_been_directly_observed vlsm s m
→ has_been_received vlsm s m ∨ has_been_sent vlsm s m by intros ?%has_been_directly_observed_no_inits.
    +message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: initial_state_prop s
m: message
has_been_received vlsm s m ∨ has_been_sent vlsm s m
→ has_been_directly_observed vlsm s m by intros [?%has_been_received_no_inits | ?%has_been_sent_no_inits].
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
m: message
IHHs: has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m
  ∨ has_been_sent vlsm s m
has_been_directly_observed vlsm s' m
↔ has_been_received vlsm s' m
  ∨ has_been_sent vlsm s' m rewrite has_been_directly_observed_step_update by done.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
m: message
IHHs: has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m
  ∨ has_been_sent vlsm s m
(om = Some m ∨ om' = Some m)
∨ has_been_directly_observed vlsm s m
↔ has_been_received vlsm s' m
  ∨ has_been_sent vlsm s' m
    rewrite has_been_received_step_update by done.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
m: message
IHHs: has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m
  ∨ has_been_sent vlsm s m
(om = Some m ∨ om' = Some m)
∨ has_been_directly_observed vlsm s m
↔ (om = Some m ∨ has_been_received vlsm s m)
  ∨ has_been_sent vlsm s' m
    rewrite has_been_sent_step_update by done.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s': state (preloaded_with_all_messages_vlsm vlsm)
l: label (preloaded_with_all_messages_vlsm vlsm)
om, om': option message
s: state (preloaded_with_all_messages_vlsm vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm vlsm) l
  (s, om) (s', om')
m: message
IHHs: has_been_directly_observed vlsm s m
↔ has_been_received vlsm s m
  ∨ has_been_sent vlsm s m
(om = Some m ∨ om' = Some m)
∨ has_been_directly_observed vlsm s m
↔ (om = Some m ∨ has_been_received vlsm s m)
  ∨ om' = Some m ∨ has_been_sent vlsm s m
    by itauto.
Qed.

Definition has_been_directly_observed_from_sent_received
  (s : state vlsm)
  (m : message)
  : Prop
  := has_been_sent vlsm s m \/ has_been_received vlsm s m.

Lemma has_been_directly_observed_from_sent_received_dec
  : RelDecision has_been_directly_observed_from_sent_received.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
RelDecision
  has_been_directly_observed_from_sent_received
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
RelDecision
  has_been_directly_observed_from_sent_received
  intros s m.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
m: message
Decision
  (has_been_directly_observed_from_sent_received s m)
  apply or_dec.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
m: message
Decision (has_been_sent vlsm s m)
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
m: message
Decision (has_been_received vlsm s m)
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
m: message
Decision (has_been_sent vlsm s m) by apply has_been_sent_dec.
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
m: message
Decision (has_been_received vlsm s m) by apply has_been_received_dec.
Qed.

Lemma has_been_directly_observed_from_sent_received_stepwise_props
  : oracle_stepwise_props item_sends_or_receives has_been_directly_observed_from_sent_received.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
oracle_stepwise_props item_sends_or_receives
  has_been_directly_observed_from_sent_received
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
oracle_stepwise_props item_sends_or_receives
  has_been_directly_observed_from_sent_received
  unfold has_been_directly_observed_from_sent_received.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
oracle_stepwise_props item_sends_or_receives
  (λ (s : state vlsm) (m : message),
     has_been_sent vlsm s m
     ∨ has_been_received vlsm s m)
  split.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ (has_been_sent vlsm s m
         ∨ has_been_received vlsm s m)
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) 
  (s' : state (preloaded_with_all_messages_vlsm vlsm)) 
  (om : option message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent vlsm s' msg
      ∨ has_been_received vlsm s' msg
      ↔ item_sends_or_receives msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ has_been_sent vlsm s msg
          ∨ has_been_received vlsm s msg
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
∀ s : state vlsm,
  initial_state_prop s
  → ∀ m : message,
      ¬ (has_been_sent vlsm s m
         ∨ has_been_received vlsm s m) intros s Hs m [Hsent | Hrecv].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
Hs: initial_state_prop s
m: message
Hsent: has_been_sent vlsm s m
False
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
Hs: initial_state_prop s
m: message
Hrecv: has_been_received vlsm s m
False
    +message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
Hs: initial_state_prop s
m: message
Hsent: has_been_sent vlsm s m
False by apply has_been_sent_no_inits in Hsent.
    +message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
s: state vlsm
Hs: initial_state_prop s
m: message
Hrecv: has_been_received vlsm s m
False by apply has_been_received_no_inits in Hrecv.
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
∀ (l : label (preloaded_with_all_messages_vlsm vlsm)) 
  (s : state (preloaded_with_all_messages_vlsm vlsm)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   vlsm)) (om : option
                                                 message),
  input_constrained_transition vlsm l (s, im) (s', om)
  → ∀ msg : message,
      has_been_sent vlsm s' msg
      ∨ has_been_received vlsm s' msg
      ↔ item_sends_or_receives msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ has_been_sent vlsm s msg
          ∨ has_been_received vlsm s msg intros l s im s' om Ht m.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Ht: input_constrained_transition vlsm l (
  s, im) (s', om)
m: message
has_been_sent vlsm s' m ∨ has_been_received vlsm s' m
↔ item_sends_or_receives m
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |}
  ∨ has_been_sent vlsm s m
    ∨ has_been_received vlsm s m cbn.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Ht: input_constrained_transition vlsm l (
  s, im) (s', om)
m: message
has_been_sent vlsm s' m ∨ has_been_received vlsm s' m
↔ (im = Some m ∨ om = Some m)
  ∨ has_been_sent vlsm s m
    ∨ has_been_received vlsm s m
    rewrite has_been_sent_step_update by done.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Ht: input_constrained_transition vlsm l (
  s, im) (s', om)
m: message
(om = Some m ∨ has_been_sent vlsm s m)
∨ has_been_received vlsm s' m
↔ (im = Some m ∨ om = Some m)
  ∨ has_been_sent vlsm s m
    ∨ has_been_received vlsm s m
    rewrite has_been_received_step_update by done.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
Ht: input_constrained_transition vlsm l (
  s, im) (s', om)
m: message
(om = Some m ∨ has_been_sent vlsm s m)
∨ im = Some m ∨ has_been_received vlsm s m
↔ (im = Some m ∨ om = Some m)
  ∨ has_been_sent vlsm s m
    ∨ has_been_received vlsm s m
    by itauto.
Qed.

#[export] Program Instance HasBeenDirectlyObservedCapability_from_sent_received
  : HasBeenDirectlyObservedCapability vlsm
  :=
  { has_been_directly_observed := has_been_directly_observed_from_sent_received;
    has_been_directly_observed_dec := has_been_directly_observed_from_sent_received_dec;
    has_been_directly_observed_stepwise_props :=
      has_been_directly_observed_from_sent_received_stepwise_props
  }.

Lemma has_been_directly_observed_consistency
  `{HasBeenDirectlyObservedCapability message vlsm}
  (s : state (preloaded_with_all_messages_vlsm vlsm))
  (Hs : constrained_state_prop vlsm s)
  (m : message)
  : selected_messages_consistency_prop vlsm item_sends_or_receives s m.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop vlsm
  item_sends_or_receives s m
Proof.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
selected_messages_consistency_prop vlsm
  item_sends_or_receives s m
  split; [| by apply consistency_from_valid_state_proj2].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
selected_message_exists_in_some_preloaded_traces vlsm
  item_sends_or_receives s m
→ selected_message_exists_in_all_preloaded_traces vlsm
    item_sends_or_receives s m
  intro Hsome.message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm item_sends_or_receives s m
selected_message_exists_in_all_preloaded_traces vlsm
  item_sends_or_receives s m
  destruct (decide (has_been_directly_observed vlsm s m)) as [Hsm | Hsm].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm item_sends_or_receives s m
Hsm: has_been_directly_observed vlsm s m
selected_message_exists_in_all_preloaded_traces vlsm
  item_sends_or_receives s m
message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm item_sends_or_receives s m
Hsm: ¬ has_been_directly_observed vlsm s m
selected_message_exists_in_all_preloaded_traces vlsm
  item_sends_or_receives s m
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm item_sends_or_receives s m
Hsm: has_been_directly_observed vlsm s m
selected_message_exists_in_all_preloaded_traces vlsm
  item_sends_or_receives s m by apply proper_directly_observed in Hsm.
  -message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm item_sends_or_receives s m
Hsm: ¬ has_been_directly_observed vlsm s m
selected_message_exists_in_all_preloaded_traces vlsm
  item_sends_or_receives s m apply proper_not_directly_observed in Hsm; [| done].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
Hsome: selected_message_exists_in_some_preloaded_traces
  vlsm item_sends_or_receives s m
Hsm: selected_message_exists_in_no_preloaded_trace
  vlsm item_sends_or_receives s m
selected_message_exists_in_all_preloaded_traces vlsm
  item_sends_or_receives s m
    destruct Hsome as [is [tr [Htr Hmsg]]].message: Type
vlsm: VLSM message
H: HasBeenReceivedCapability vlsm
H0: HasBeenSentCapability vlsm
H1: HasBeenDirectlyObservedCapability vlsm
s: state (preloaded_with_all_messages_vlsm vlsm)
Hs: constrained_state_prop vlsm s
m: message
is: state (preloaded_with_all_messages_vlsm vlsm)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm vlsm) is s
  tr
Hmsg: trace_has_message item_sends_or_receives m tr
Hsm: selected_message_exists_in_no_preloaded_trace
  vlsm item_sends_or_receives s m
selected_message_exists_in_all_preloaded_traces vlsm
  item_sends_or_receives s m
    by elim (Hsm _ _ Htr).
Qed.

End sec_sent_received_observed_capabilities.

Definition computable_messages_oracle
  `(vlsm : VLSM message)
  (oracle_set : state vlsm -> set message)
  (message_selector : message -> transition_item -> Prop) : Prop :=
    oracle_stepwise_props message_selector (fun s m => m ∈ oracle_set s).

Class ComputableSentMessages `(vlsm : VLSM message) : Type :=
{
  sent_messages_set : state vlsm -> list message;
  csm_computable_oracle :
    computable_messages_oracle vlsm sent_messages_set (field_selector output);
}.

Global Hint Mode ComputableSentMessages - ! : typeclass_instances.

Class ComputableReceivedMessages `(vlsm : VLSM message) : Type :=
{
  received_messages_set : state vlsm -> list message;
  crm_computable_oracle :
    computable_messages_oracle vlsm received_messages_set (field_selector input);
}.

Global Hint Mode ComputableReceivedMessages - ! : typeclass_instances.

Properties of Computable Message Oracles

In this section we prove several generic results about computable_messages_oracles, derive HasBeenSentCapability and HasBeenReceivedCapability from ComputableSentMessages and ComputableReceivedMessages and some basic results about computable (directly) observed messages.

Section sec_computable_sent_received_observed.

Context
  `(vlsm : VLSM message)
  .

Lemma computable_messages_oracle_initial_state_empty
  `(Hrm : computable_messages_oracle vlsm oracle_set message_selector)
  (s : state vlsm)
  (Hs : initial_state_prop vlsm s)
  : oracle_set s = [].message: Type
vlsm: VLSM message
oracle_set: state vlsm → set message
message_selector: message → transition_item → Prop
Hrm: computable_messages_oracle vlsm oracle_set
  message_selector
s: state vlsm
Hs: initial_state_prop s
oracle_set s = []
Proof.message: Type
vlsm: VLSM message
oracle_set: state vlsm → set message
message_selector: message → transition_item → Prop
Hrm: computable_messages_oracle vlsm oracle_set
  message_selector
s: state vlsm
Hs: initial_state_prop s
oracle_set s = []
  apply elem_of_nil_inv; intro.message: Type
vlsm: VLSM message
oracle_set: state vlsm → set message
message_selector: message → transition_item → Prop
Hrm: computable_messages_oracle vlsm oracle_set
  message_selector
s: state vlsm
Hs: initial_state_prop s
x: message
x ∉ oracle_set s
  by eapply oracle_no_inits in Hs; [| apply Hrm]; cbn in Hs.
Qed.

Definition computable_messages_oracle_rel
  `(Hrm : computable_messages_oracle vlsm oracle_set message_selector)
  (s : state vlsm)
  (m : message)
  : Prop :=
  m ∈ oracle_set s.

Definition computable_messages_oracle_rel_dec
  `(Hrm : computable_messages_oracle vlsm oracle_set message_selector)
  `{EqDecision message}
  : RelDecision (computable_messages_oracle_rel Hrm) :=
  fun s m => decide_rel _ _ (oracle_set s).

Lemma ComputableSentMessages_initial_state_empty
  `{!ComputableSentMessages vlsm}
  (s : initial_state vlsm)
  : sent_messages_set (proj1_sig s) = [].message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
s: initial_state vlsm
sent_messages_set (`s) = []
Proof.message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
s: initial_state vlsm
sent_messages_set (`s) = []
  by eapply computable_messages_oracle_initial_state_empty;
    [apply csm_computable_oracle | destruct s].
Qed.

Definition ComputableSentMessages_has_been_sent
  `{!ComputableSentMessages vlsm}
  : state vlsm -> message -> Prop :=
  computable_messages_oracle_rel csm_computable_oracle.

#[export] Instance computable_sent_message_has_been_sent_dec
  `{!ComputableSentMessages vlsm}
  `{EqDecision message}
  : RelDecision ComputableSentMessages_has_been_sent :=
  computable_messages_oracle_rel_dec csm_computable_oracle.

#[export] Instance ComputableSentMessages_HasBeenSentCapability
  `{!ComputableSentMessages vlsm}
  `{EqDecision message}
  : HasBeenSentCapability vlsm.message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
HasBeenSentCapability vlsm
Proof.message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
HasBeenSentCapability vlsm
  econstructor; cycle 1.message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
has_been_sent_stepwise_prop ?has_been_sent
message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
RelDecision ?has_been_sent
  -message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
has_been_sent_stepwise_prop ?has_been_sent by apply csm_computable_oracle.
  -message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
RelDecision
  (λ (s : state vlsm) (m : message),
     m ∈ sent_messages_set s) by typeclasses eauto.
Defined.

Lemma elem_of_sent_messages_set
  `{!ComputableSentMessages vlsm}
  `{EqDecision message}
  : forall (s : state vlsm) (m : message),
      m ∈ sent_messages_set s
        <->
      has_been_sent vlsm s m.message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
∀ (s : state vlsm) (m : message),
  m ∈ sent_messages_set s ↔ has_been_sent vlsm s m
Proof.message: Type
vlsm: VLSM message
ComputableSentMessages0: ComputableSentMessages vlsm
EqDecision0: EqDecision message
∀ (s : state vlsm) (m : message),
  m ∈ sent_messages_set s ↔ has_been_sent vlsm s m done. Qed.

Lemma ComputableReceivedMessages_initial_state_empty
  `{!ComputableReceivedMessages vlsm}
  (s : initial_state vlsm)
  : received_messages_set (proj1_sig s) = [].message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: initial_state vlsm
received_messages_set (`s) = []
Proof.message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: initial_state vlsm
received_messages_set (`s) = []
  by eapply computable_messages_oracle_initial_state_empty;
    [apply crm_computable_oracle | destruct s].
Qed.

Definition ComputableReceivedMessages_has_been_sent
  `{!ComputableReceivedMessages vlsm}
  : state vlsm -> message -> Prop
  := computable_messages_oracle_rel crm_computable_oracle.

#[export] Instance computable_received_message_has_been_sent_dec
  `{!ComputableReceivedMessages vlsm}
  `{EqDecision message}
  : RelDecision ComputableReceivedMessages_has_been_sent :=
  computable_messages_oracle_rel_dec crm_computable_oracle.

#[export] Instance ComputableReceivedMessages_HasBeenReceivedCapability
  `{!ComputableReceivedMessages vlsm}
  `{EqDecision message}
  : HasBeenReceivedCapability vlsm.message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
HasBeenReceivedCapability vlsm
Proof.message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
HasBeenReceivedCapability vlsm
  econstructor; cycle 1.message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
has_been_received_stepwise_prop ?has_been_received
message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
RelDecision ?has_been_received
  -message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
has_been_received_stepwise_prop ?has_been_received by apply crm_computable_oracle.
  -message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
RelDecision
  (λ (s : state vlsm) (m : message),
     m ∈ received_messages_set s) by typeclasses eauto.
Defined.

Lemma has_been_received_messages_set_iff
  `{!ComputableReceivedMessages vlsm}
  `{EqDecision message}
  : forall (s : state vlsm) (m : message),
      m ∈ received_messages_set s
        <->
      has_been_received vlsm s m.message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
∀ (s : state vlsm) (m : message),
  m ∈ received_messages_set s
  ↔ has_been_received vlsm s m
Proof.message: Type
vlsm: VLSM message
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
EqDecision0: EqDecision message
∀ (s : state vlsm) (m : message),
  m ∈ received_messages_set s
  ↔ has_been_received vlsm s m done. Qed.

Computable (Directly) Observed Messages

We here derive directly_observed_messages_set from ComputableSentMessages and ComputableReceivedMessages and relate it to the has_been_directly_observed predicate.

Section sec_computable_observed.

Context
  `{EqDecision message}
  `{!ComputableSentMessages vlsm}
  `{!ComputableReceivedMessages vlsm}
  .

Definition directly_observed_messages_set (s : state vlsm) : list message :=
  sent_messages_set s ++ received_messages_set s.

Lemma directly_observed_messages_set_iff :
  forall (s : state vlsm), constrained_state_prop vlsm s ->
  forall (m : message),
    m ∈ directly_observed_messages_set s
      <->
    has_been_directly_observed vlsm s m.message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
∀ s : state vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      m ∈ directly_observed_messages_set s
      ↔ has_been_directly_observed vlsm s m
Proof.message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
∀ s : state vlsm,
  constrained_state_prop vlsm s
  → ∀ m : message,
      m ∈ directly_observed_messages_set s
      ↔ has_been_directly_observed vlsm s m
  by intros; split; setoid_rewrite elem_of_app;
    rewrite has_been_received_messages_set_iff, elem_of_sent_messages_set.
Qed.

Lemma com_computable_oracle :
  computable_messages_oracle vlsm directly_observed_messages_set item_sends_or_receives.message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
computable_messages_oracle vlsm
  directly_observed_messages_set
  item_sends_or_receives
Proof.message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
computable_messages_oracle vlsm
  directly_observed_messages_set
  item_sends_or_receives
  constructor; intros.message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: state vlsm
H: initial_state_prop s
m: message
m ∉ directly_observed_messages_set s
message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
msg ∈ directly_observed_messages_set s'
↔ item_sends_or_receives msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ msg ∈ directly_observed_messages_set s
  -message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: state vlsm
H: initial_state_prop s
m: message
m ∉ directly_observed_messages_set s setoid_rewrite directly_observed_messages_set_iff.message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: state vlsm
H: initial_state_prop s
m: message
¬ has_been_directly_observed vlsm s m
message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: state vlsm
H: initial_state_prop s
m: message
constrained_state_prop vlsm s
    +message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: state vlsm
H: initial_state_prop s
m: message
¬ has_been_directly_observed vlsm s m by apply has_been_directly_observed_stepwise_props.
    +message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
s: state vlsm
H: initial_state_prop s
m: message
constrained_state_prop vlsm s by apply initial_state_is_valid.
  -message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
msg ∈ directly_observed_messages_set s'
↔ item_sends_or_receives msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ msg ∈ directly_observed_messages_set s setoid_rewrite directly_observed_messages_set_iff.message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
has_been_directly_observed vlsm s' msg
↔ item_sends_or_receives msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ has_been_directly_observed vlsm s msg
message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
constrained_state_prop vlsm s'
message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
constrained_state_prop vlsm s
    +message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
has_been_directly_observed vlsm s' msg
↔ item_sends_or_receives msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ has_been_directly_observed vlsm s msg by apply has_been_directly_observed_stepwise_props.
    +message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
constrained_state_prop vlsm s' by eapply input_valid_transition_destination.
    +message: Type
vlsm: VLSM message
EqDecision0: EqDecision message
ComputableSentMessages0: ComputableSentMessages vlsm
ComputableReceivedMessages0: ComputableReceivedMessages
  vlsm
l: label (preloaded_with_all_messages_vlsm vlsm)
s: state (preloaded_with_all_messages_vlsm vlsm)
im: option message
s': state (preloaded_with_all_messages_vlsm vlsm)
om: option message
H: input_constrained_transition vlsm l (
  s, im) (s', om)
msg: message
constrained_state_prop vlsm s by eapply input_valid_transition_origin.
Qed.

End sec_computable_observed.

End sec_computable_sent_received_observed.

Lemma sent_can_emit
  [message]
  (X : VLSM message)
  `{HasBeenSentCapability message X}
  (s : state X)
  (Hs : valid_state_prop X s)
  (m : message)
  (Hsent : has_been_sent X s m) :
  can_emit X m.message: Type
X: VLSM message
H: HasBeenSentCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hsent: has_been_sent X s m
can_emit X m
Proof.message: Type
X: VLSM message
H: HasBeenSentCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hsent: has_been_sent X s m
can_emit X m
  apply valid_state_has_trace in Hs as (is & tr & Htr).message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
m: message
Hsent: has_been_sent X s m
can_emit X m
  assert (Hpre_tr : finite_constrained_trace_init_to X is s tr).message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
m: message
Hsent: has_been_sent X s m
finite_constrained_trace_init_to X is s tr
message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
m: message
Hsent: has_been_sent X s m
Hpre_tr: finite_constrained_trace_init_to X is s tr
can_emit X m
  {message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
m: message
Hsent: has_been_sent X s m
finite_constrained_trace_init_to X is s tr
    by clear -Htr; destruct X;
      eapply VLSM_incl_finite_valid_trace_init_to;
      [apply vlsm_incl_preloaded_with_all_messages_vlsm |].
  }message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
m: message
Hsent: has_been_sent X s m
Hpre_tr: finite_constrained_trace_init_to X is s tr
can_emit X m
  unfold can_emit.message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
m: message
Hsent: has_been_sent X s m
Hpre_tr: finite_constrained_trace_init_to X is s tr
∃ (som : state X * option message) (l : label X) (s : 
                                                 state
                                                 X),
  input_valid_transition X l som (s, Some m)
  eapply has_been_sent_examine_one_trace, Exists_exists in Hsent
    as (item_z & Hitem_z & Hz); [| done].message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
m: message
Hpre_tr: finite_constrained_trace_init_to X is s tr
item_z: transition_item
Hitem_z: item_z ∈ tr
Hz: field_selector output m item_z
∃ (som : state X * option message) (l : label X) (s : 
                                                 state
                                                 X),
  input_valid_transition X l som (s, Some m)
  apply elem_of_list_split in Hitem_z as (pre_z & suf_z & ->).message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
item_z: transition_item
pre_z, suf_z: list transition_item
Htr: finite_valid_trace_init_to X is s
  (pre_z ++ item_z :: suf_z)
m: message
Hpre_tr: finite_constrained_trace_init_to X is s
  (pre_z ++ item_z :: suf_z)
Hz: field_selector output m item_z
∃ (som : state X * option message) (l : label X) (s : 
                                                 state
                                                 X),
  input_valid_transition X l som (s, Some m)
  destruct Htr as [Htr _].message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
item_z: transition_item
pre_z, suf_z: list transition_item
Htr: finite_valid_trace_from_to X is s
  (pre_z ++ item_z :: suf_z)
m: message
Hpre_tr: finite_constrained_trace_init_to X is s
  (pre_z ++ item_z :: suf_z)
Hz: field_selector output m item_z
∃ (som : state X * option message) (l : label X) (s : 
                                                 state
                                                 X),
  input_valid_transition X l som (s, Some m)
  eapply valid_trace_forget_last, input_valid_transition_to in Htr; [| done].message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
item_z: transition_item
pre_z, suf_z: list transition_item
m: message
Hpre_tr: finite_constrained_trace_init_to X is s
  (pre_z ++ item_z :: suf_z)
Hz: field_selector output m item_z
Htr: input_valid_transition X 
  (l item_z)
  (finite_trace_last is pre_z, input item_z)
  (destination item_z, output item_z)
∃ (som : state X * option message) (l : label X) (s : 
                                                 state
                                                 X),
  input_valid_transition X l som (s, Some m)
  cbn in Hz; rewrite Hz in Htr.message: Type
X: VLSM message
H: HasBeenSentCapability X
s, is: state X
item_z: transition_item
pre_z, suf_z: list transition_item
m: message
Hpre_tr: finite_constrained_trace_init_to X is s
  (pre_z ++ item_z :: suf_z)
Hz: output item_z = Some m
Htr: input_valid_transition X 
  (l item_z)
  (finite_trace_last is pre_z, input item_z)
  (destination item_z, Some m)
∃ (som : state X * option message) (l : label X) (s : 
                                                 state
                                                 X),
  input_valid_transition X l som (s, Some m)
  by eexists _, _, _.
Qed.

Lemma preloaded_sent_can_emit
  [message]
  (X : VLSM message)
  `{HasBeenSentCapability message X}
  (s : state (preloaded_with_all_messages_vlsm X))
  (Hs : constrained_state_prop X s)
  (m : message)
  (Hsent : has_been_sent X s m) :
  can_emit (preloaded_with_all_messages_vlsm X) m.message: Type
X: VLSM message
H: HasBeenSentCapability X
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m: message
Hsent: has_been_sent X s m
can_emit (preloaded_with_all_messages_vlsm X) m
Proof.message: Type
X: VLSM message
H: HasBeenSentCapability X
s: state (preloaded_with_all_messages_vlsm X)
Hs: constrained_state_prop X s
m: message
Hsent: has_been_sent X s m
can_emit (preloaded_with_all_messages_vlsm X) m
  by eapply sent_can_emit.
Qed.

Lemma sent_valid
    [message]
    (X : VLSM message)
    `{HasBeenSentCapability message X}
    (s : state X)
    (Hs : valid_state_prop X s)
    (m : message)
    (Hsent : has_been_sent X s m) :
    valid_message_prop X m.message: Type
X: VLSM message
H: HasBeenSentCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hsent: has_been_sent X s m
valid_message_prop X m
Proof.message: Type
X: VLSM message
H: HasBeenSentCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hsent: has_been_sent X s m
valid_message_prop X m
  by apply emitted_messages_are_valid_iff; right; eapply sent_can_emit.
Qed.

Lemma received_valid
    [message]
    (X : VLSM message)
    `{HasBeenReceivedCapability message X}
    (s : state X)
    (Hs : valid_state_prop X s)
    (m : message)
    (Hreceived : has_been_received X s m) :
    valid_message_prop X m.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hreceived: has_been_received X s m
valid_message_prop X m
Proof.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hreceived: has_been_received X s m
valid_message_prop X m
  induction Hs using valid_state_prop_ind.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s: state X
Hs: initial_state_prop s
m: message
Hreceived: has_been_received X s m
valid_message_prop X m
message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s': state X
l: label X
om, om': option message
s: state X
Ht: input_valid_transition X l (s, om) (s', om')
m: message
Hreceived: has_been_received X s' m
IHHs: has_been_received X s m
→ valid_message_prop X m
valid_message_prop X m
  -message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s: state X
Hs: initial_state_prop s
m: message
Hreceived: has_been_received X s m
valid_message_prop X m by apply has_been_received_no_inits in Hreceived.
  -message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s': state X
l: label X
om, om': option message
s: state X
Ht: input_valid_transition X l (s, om) (s', om')
m: message
Hreceived: has_been_received X s' m
IHHs: has_been_received X s m
→ valid_message_prop X m
valid_message_prop X m apply input_valid_transition_in in Ht as Hom'.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s': state X
l: label X
om, om': option message
s: state X
Ht: input_valid_transition X l (s, om) (s', om')
m: message
Hreceived: has_been_received X s' m
IHHs: has_been_received X s m
→ valid_message_prop X m
Hom': option_valid_message_prop X om
valid_message_prop X m
    apply preloaded_weaken_input_valid_transition in Ht.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s': state X
l: label X
om, om': option message
s: state X
Ht: input_constrained_transition X l (
  s, om) (s', om')
m: message
Hreceived: has_been_received X s' m
IHHs: has_been_received X s m
→ valid_message_prop X m
Hom': option_valid_message_prop X om
valid_message_prop X m
    erewrite has_been_received_step_update in Hreceived by done.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s': state X
l: label X
om, om': option message
s: state X
Ht: input_constrained_transition X l (
  s, om) (s', om')
m: message
IHHs: has_been_received X s m
→ valid_message_prop X m
Hom': option_valid_message_prop X om
Hreceived: om = Some m ∨ has_been_received X s m
valid_message_prop X m
    by destruct Hreceived as [[= ->] |]; auto.
Qed.

Lemma directly_observed_valid
    [message]
    (X : VLSM message)
    `{HasBeenSentCapability message X}
    `{HasBeenReceivedCapability message X}
    (s : state X)
    (Hs : valid_state_prop X s)
    (m : message)
    (Hobserved : has_been_directly_observed X s m) :
    valid_message_prop X m.message: Type
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hobserved: has_been_directly_observed X s m
valid_message_prop X m
Proof.message: Type
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
Hobserved: has_been_directly_observed X s m
valid_message_prop X m
  destruct Hobserved.message: Type
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
H1: has_been_sent X s m
valid_message_prop X m
message: Type
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
H1: has_been_received X s m
valid_message_prop X m
  -message: Type
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
H1: has_been_sent X s m
valid_message_prop X m by eapply sent_valid.
  -message: Type
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
s: state X
Hs: valid_state_prop X s
m: message
H1: has_been_received X s m
valid_message_prop X m by eapply received_valid.
Qed.

Equivocation in compositions

We now move on to a composite context. Each component of our composition will have has_been_sent and has_been_received capabilities.

We introduce validators along with their respective weights, the A function which maps validators to indices of component VLSMs and the sender function which maps messages to their (unique) designated sender (if any).

For the equivocation fault sum to be computable, we also require that the number of validators and the number of machines in the composition are both finite. See finite_index, finite_validator.

Section sec_composite.

Context
  {message : Type}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  (Free := free_composite_vlsm IM)
  `{forall i : index, (HasBeenSentCapability (IM i))}
  `{forall i : index, (HasBeenReceivedCapability (IM i))}
  .

Section sec_stepwise_props.

Context
  [message_selectors : forall i : index, message -> transition_item (IM i) -> Prop]
  [oracles : forall i, state_message_oracle (IM i)]
  (stepwise_props : forall i, oracle_stepwise_props (message_selectors i) (oracles i))
  .

Definition composite_message_selector : message -> composite_transition_item IM -> Prop.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
message → composite_transition_item IM → Prop
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
message → composite_transition_item IM → Prop
  intros msg [[i li] input s output].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
msg: message
i: index
li: label (IM i)
input: option message
s: state (composite_type IM)
output: option message
Prop
  apply (message_selectors i msg).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
msg: message
i: index
li: label (IM i)
input: option message
s: state (composite_type IM)
output: option message
transition_item
  exact {| l := li; input := input; destination := s i; output := output |}.
Defined.

Definition composite_oracle : composite_state IM -> message -> Prop :=
  fun s msg => exists i, oracles i (s i) msg.

Lemma free_composite_stepwise_props :
  oracle_stepwise_props (vlsm := free_composite_vlsm IM) composite_message_selector composite_oracle.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
oracle_stepwise_props composite_message_selector
  composite_oracle
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
oracle_stepwise_props composite_message_selector
  composite_oracle
  split; [by intros s Hs m []; eapply oracle_no_inits |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) (s : state
                                              (preloaded_with_all_messages_vlsm
                                                 (free_composite_vlsm
                                                 IM))) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   (free_composite_vlsm
                                      IM))) (om : 
                                             option
                                               message),
  input_constrained_transition
    (free_composite_vlsm IM) l (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
  intros [i li] s im s' om Hproto msg; cbn.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
Hproto: input_constrained_transition
  (free_composite_vlsm IM) 
  (existT i li) (s, im) (
  s', om)
msg: message
composite_oracle s' msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ composite_oracle s msg
  assert (Hsj : forall j : index, s j = s' j \/ j = i).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
Hproto: input_constrained_transition
  (free_composite_vlsm IM) 
  (existT i li) (s, im) (
  s', om)
msg: message
∀ j : index, s j = s' j ∨ j = i
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
Hproto: input_constrained_transition
  (free_composite_vlsm IM) 
  (existT i li) (s, im) (
  s', om)
msg: message
Hsj: ∀ j : index, s j = s' j ∨ j = i
composite_oracle s' msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ composite_oracle s msg
  {message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
Hproto: input_constrained_transition
  (free_composite_vlsm IM) 
  (existT i li) (s, im) (
  s', om)
msg: message
∀ j : index, s j = s' j ∨ j = i
    intro j.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
Hproto: input_constrained_transition
  (free_composite_vlsm IM) 
  (existT i li) (s, im) (
  s', om)
msg: message
j: index
s j = s' j ∨ j = i
    apply (input_valid_transition_preloaded_project_any_free j) in Hproto.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
j: index
Hproto: s j = s' j
∨ (∃ li0 : label (IM j),
     existT i li = existT j li0
     ∧ input_constrained_transition 
         (IM j) li0 (s j, im) (
         s' j, om))
msg: message
s j = s' j ∨ j = i
    by destruct Hproto as [| (lj & Hlj & _)]; [left | right; congruence].
  }message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
Hproto: input_constrained_transition
  (free_composite_vlsm IM) 
  (existT i li) (s, im) (
  s', om)
msg: message
Hsj: ∀ j : index, s j = s' j ∨ j = i
composite_oracle s' msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ composite_oracle s msg
  apply input_valid_transition_preloaded_project_active_free in Hproto; simpl in Hproto.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
Hproto: input_constrained_transition 
  (IM i) li (s i, im) (
  s' i, om)
msg: message
Hsj: ∀ j : index, s j = s' j ∨ j = i
composite_oracle s' msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ composite_oracle s msg
  apply (oracle_step_update (stepwise_props i)) with (msg := msg) in Hproto.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
composite_oracle s' msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ composite_oracle s msg
  split.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
composite_oracle s' msg
→ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ composite_oracle s msg
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg
→ composite_oracle s' msg
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
composite_oracle s' msg
→ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ composite_oracle s msg intros [j Hj].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
j: index
Hj: oracles j (s' j) msg
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg
    destruct (Hsj j) as [Hunchanged | ->].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
j: index
Hj: oracles j (s' j) msg
Hunchanged: s j = s' j
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
Hj: oracles i (s' i) msg
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
j: index
Hj: oracles j (s' j) msg
Hunchanged: s j = s' j
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg by right; exists j; rewrite Hunchanged.
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
Hj: oracles i (s' i) msg
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg apply Hproto in Hj.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
Hj: message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ oracles i (s i) msg
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg
      by destruct Hj; [left | right; exists i].
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |} ∨ composite_oracle s msg
→ composite_oracle s' msg intros [Hnow | [j Hbefore]].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
Hnow: message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |}
composite_oracle s' msg
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
j: index
Hbefore: oracles j (s j) msg
composite_oracle s' msg
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
Hnow: message_selectors i msg
  {|
    l := li;
    input := im;
    destination := s' i;
    output := om
  |}
composite_oracle s' msg by exists i; apply Hproto; left.
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
j: index
Hbefore: oracles j (s j) msg
composite_oracle s' msg exists j.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
j: index
Hbefore: oracles j (s j) msg
oracles j (s' j) msg
      destruct (Hsj j) as [<- | ->]; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
i: index
li: label (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
im: option message
s': state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
om: option message
msg: message
Hproto: oracles i (s' i) msg
↔ message_selectors i msg
    {|
      l := li;
      input := im;
      destination := s' i;
      output := om
    |} ∨ oracles i (s i) msg
Hsj: ∀ j : index, s j = s' j ∨ j = i
Hbefore: oracles i (s i) msg
oracles i (s' i) msg
      by apply Hproto; right.
Qed.

Lemma composite_stepwise_props
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (X := composite_vlsm IM constraint)
  : oracle_stepwise_props (vlsm := X) composite_message_selector composite_oracle.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_stepwise_props composite_message_selector
  composite_oracle
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_stepwise_props composite_message_selector
  composite_oracle
  destruct free_composite_stepwise_props.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_no_inits0: ∀ s : state
        (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_oracle s m
oracle_step_update0: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_oracle s msg
oracle_stepwise_props composite_message_selector
  composite_oracle
  split.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_no_inits0: ∀ s : state
        (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_oracle s m
oracle_step_update0: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_oracle s msg
∀ s : state X,
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_no_inits0: ∀ s : state
        (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_oracle s m
oracle_step_update0: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_oracle s msg
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) 
  (s' : state (preloaded_with_all_messages_vlsm X)) 
  (om : option message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_no_inits0: ∀ s : state
        (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_oracle s m
oracle_step_update0: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_oracle s msg
∀ s : state X,
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m by apply oracle_no_inits0.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_no_inits0: ∀ s : state
        (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_oracle s m
oracle_step_update0: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_oracle s msg
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg intros; apply oracle_step_update0.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_no_inits0: ∀ s : state
        (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_oracle s m
oracle_step_update0: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_oracle s msg
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
H2: input_constrained_transition X l (s, im) (s', om)
msg: message
input_constrained_transition (free_composite_vlsm IM)
  l (s, im) (s', om)
    apply (@VLSM_incl_input_valid_transition _ _ (preloaded_with_all_messages_vlsm X)); [| done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_no_inits0: ∀ s : state
        (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message,
      ¬ composite_oracle s m
oracle_step_update0: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm
               IM))) (s : 
                      state
                      (preloaded_with_all_messages_vlsm
                      (free_composite_vlsm
                      IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm
                IM))) (om : 
                      option
                      message),
  input_constrained_transition
    (free_composite_vlsm IM) l
    (s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector
          msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_oracle s msg
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
im: option message
s': state (preloaded_with_all_messages_vlsm X)
om: option message
H2: input_constrained_transition X l (s, im) (s', om)
msg: message
VLSM_incl_part (preloaded_with_all_messages_vlsm X)
  (preloaded_vlsm_machine (free_composite_vlsm IM)
     (λ _ : message, True))
    by apply preloaded_constraint_subsumption_incl_free.
Qed.

Lemma oracle_component_selected_previously
  [constraint : composite_label IM -> composite_state IM * option message -> Prop]
  (X := composite_vlsm IM constraint)
  [s : composite_state IM]
  (Hs : valid_state_prop X s)
  [i : index]
  [m : message]
  (Horacle : oracles i (s i) m) :
  exists s_item item,
    input_valid_transition_item X s_item item /\
    in_futures X (destination item) s /\
    projT1 (l item) = i /\
    composite_message_selector m item.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: oracles i (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: oracles i (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  apply valid_state_has_trace in Hs as (is & tr & Htr).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
Horacle: oracles i (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  eapply VLSM_incl_finite_valid_trace_init_to in Htr as Hpre_tr
  ; [| by apply constrained_preloaded_incl].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
Horacle: oracles i (s i) m
Hpre_tr: finite_valid_trace_init_to
  {|
    vlsm_type := free_composite_vlsm IM;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm
        (free_composite_vlsm IM)
  |} is s tr
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  apply (VLSM_projection_finite_valid_trace_init_to
          (preloaded_component_projection IM i))
     in Hpre_tr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
Horacle: oracles i (s i) m
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i))
  (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i)
     tr)
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  eapply prove_all_have_message_from_stepwise in Horacle
  ; [| by apply stepwise_props | by eapply finite_valid_trace_from_to_last_pstate, Hpre_tr].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i))
  (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i)
     tr)
Horacle: selected_message_exists_in_all_preloaded_traces
  (IM i) (message_selectors i) 
  (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  specialize (Horacle _ _ Hpre_tr); clear Hpre_tr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
Horacle: trace_has_message (message_selectors i) m
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i)
     tr)
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  apply Exists_exists in Horacle as (item & Hitem & Hout).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item: transition_item
Hitem: item
∈ VLSM_projection_finite_trace_project
    (preloaded_component_projection IM i) tr
Hout: message_selectors i m item
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  apply elem_of_list_omap in Hitem as (itemX & HitemX & HitemX_pr).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item, itemX: transition_item
HitemX: itemX ∈ tr
HitemX_pr: pre_VLSM_projection_transition_item_project
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (preloaded_with_all_messages_vlsm (IM i))
  (composite_project_label IM i)
  (λ s : state
           (preloaded_with_all_messages_vlsm
              (free_composite_vlsm IM)),
     s i) itemX = Some item
Hout: message_selectors i m item
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  apply elem_of_list_split in HitemX as (pre & suf & Htr_pr).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item, itemX: transition_item
pre, suf: list transition_item
Htr_pr: tr = pre ++ itemX :: suf
HitemX_pr: pre_VLSM_projection_transition_item_project
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (preloaded_with_all_messages_vlsm (IM i))
  (composite_project_label IM i)
  (λ s : state
           (preloaded_with_all_messages_vlsm
              (free_composite_vlsm IM)),
     s i) itemX = Some item
Hout: message_selectors i m item
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i
      ∧ composite_message_selector m item
  exists (finite_trace_last is pre), itemX.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item, itemX: transition_item
pre, suf: list transition_item
Htr_pr: tr = pre ++ itemX :: suf
HitemX_pr: pre_VLSM_projection_transition_item_project
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (preloaded_with_all_messages_vlsm (IM i))
  (composite_project_label IM i)
  (λ s : state
           (preloaded_with_all_messages_vlsm
              (free_composite_vlsm IM)),
     s i) itemX = Some item
Hout: message_selectors i m item
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = i
    ∧ composite_message_selector m itemX
  rewrite cons_middle in Htr_pr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item, itemX: transition_item
pre, suf: list transition_item
Htr_pr: tr = pre ++ [itemX] ++ suf
HitemX_pr: pre_VLSM_projection_transition_item_project
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (preloaded_with_all_messages_vlsm (IM i))
  (composite_project_label IM i)
  (λ s : state
           (preloaded_with_all_messages_vlsm
              (free_composite_vlsm IM)),
     s i) itemX = Some item
Hout: message_selectors i m item
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = i
    ∧ composite_message_selector m itemX
  eapply (input_valid_transition_to X) in Htr_pr as Ht
  ; [cbn in Ht | by apply valid_trace_forget_last in Htr; apply Htr].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item, itemX: transition_item
pre, suf: list transition_item
Htr_pr: tr = pre ++ [itemX] ++ suf
HitemX_pr: pre_VLSM_projection_transition_item_project
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (preloaded_with_all_messages_vlsm (IM i))
  (composite_project_label IM i)
  (λ s : state
           (preloaded_with_all_messages_vlsm
              (free_composite_vlsm IM)),
     s i) itemX = Some item
Hout: message_selectors i m item
Ht: input_valid_transition X 
  (l itemX)
  (finite_trace_last is pre, input itemX)
  (destination itemX, output itemX)
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = i
    ∧ composite_message_selector m itemX
  unfold pre_VLSM_projection_transition_item_project,
         composite_project_label in HitemX_pr; cbn in HitemX_pr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item, itemX: transition_item
pre, suf: list transition_item
Htr_pr: tr = pre ++ [itemX] ++ suf
HitemX_pr: match
  match decide (i = projT1 (l itemX)) with
  | left e =>
      Some
        (eq_rect_r
           (λ n : index, label (IM n))
           (projT2 (l itemX)) e)
  | right _ => None
  end
with
| Some lY =>
    Some
      {|
        l := lY;
        input := input itemX;
        destination := destination itemX i;
        output := output itemX
      |}
| None => None
end = Some item
Hout: message_selectors i m item
Ht: input_valid_transition X 
  (l itemX)
  (finite_trace_last is pre, input itemX)
  (destination itemX, output itemX)
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = i
    ∧ composite_message_selector m itemX
  rewrite app_assoc in Htr_pr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
is: state X
tr: list transition_item
Htr: finite_valid_trace_init_to X is s tr
i: index
m: message
item, itemX: transition_item
pre, suf: list transition_item
Htr_pr: tr = (pre ++ [itemX]) ++ suf
HitemX_pr: match
  match decide (i = projT1 (l itemX)) with
  | left e =>
      Some
        (eq_rect_r
           (λ n : index, label (IM n))
           (projT2 (l itemX)) e)
  | right _ => None
  end
with
| Some lY =>
    Some
      {|
        l := lY;
        input := input itemX;
        destination := destination itemX i;
        output := output itemX
      |}
| None => None
end = Some item
Hout: message_selectors i m item
Ht: input_valid_transition X 
  (l itemX)
  (finite_trace_last is pre, input itemX)
  (destination itemX, output itemX)
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = i
    ∧ composite_message_selector m itemX
  case_decide as Hi; [| by congruence]; apply Some_inj in HitemX_pr
  ; subst i item tr; cbn in *.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s, is: composite_state IM
itemX: transition_item
pre, suf: list transition_item
Htr: finite_valid_trace_init_to X is s
  ((pre ++ [itemX]) ++ suf)
m: message
Hout: message_selectors (projT1 (l itemX)) m
  {|
    l := projT2 (l itemX);
    input := input itemX;
    destination :=
      destination itemX (projT1 (l itemX));
    output := output itemX
  |}
Ht: input_valid_transition X 
  (l itemX)
  (finite_trace_last is pre, input itemX)
  (destination itemX, output itemX)
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = projT1 (l itemX)
    ∧ composite_message_selector m itemX
  apply proj1, finite_valid_trace_from_to_app_split, proj2 in Htr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s, is: composite_state IM
itemX: transition_item
pre, suf: list transition_item
Htr: finite_valid_trace_from_to X
  (finite_trace_last is (pre ++ [itemX])) s suf
m: message
Hout: message_selectors (projT1 (l itemX)) m
  {|
    l := projT2 (l itemX);
    input := input itemX;
    destination :=
      destination itemX (projT1 (l itemX));
    output := output itemX
  |}
Ht: input_valid_transition X 
  (l itemX)
  (finite_trace_last is pre, input itemX)
  (destination itemX, output itemX)
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = projT1 (l itemX)
    ∧ composite_message_selector m itemX
  rewrite finite_trace_last_is_last in Htr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s, is: composite_state IM
itemX: transition_item
pre, suf: list transition_item
Htr: finite_valid_trace_from_to X 
  (destination itemX) s suf
m: message
Hout: message_selectors (projT1 (l itemX)) m
  {|
    l := projT2 (l itemX);
    input := input itemX;
    destination :=
      destination itemX (projT1 (l itemX));
    output := output itemX
  |}
Ht: input_valid_transition X 
  (l itemX)
  (finite_trace_last is pre, input itemX)
  (destination itemX, output itemX)
input_valid_transition_item X
  (finite_trace_last is pre) itemX
∧ in_futures X (destination itemX) s
  ∧ projT1 (l itemX) = projT1 (l itemX)
    ∧ composite_message_selector m itemX
  destruct itemX, l; cbn in *.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
message_selectors: ∀ i : index,
  message → transition_item → Prop
oracles: ∀ i : index, state_message_oracle (IM i)
stepwise_props: ∀ i : index,
  oracle_stepwise_props
    (message_selectors i) 
    (oracles i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s, is: composite_state IM
x: index
l: label (IM x)
input: option message
destination: composite_state IM
output: option message
pre, suf: list transition_item
Htr: finite_valid_trace_from_to X destination s suf
m: message
Hout: message_selectors x m
  {|
    l := l;
    input := input;
    destination := destination x;
    output := output
  |}
Ht: input_valid_transition X 
  (existT x l) (finite_trace_last is pre, input)
  (destination, output)
input_valid_transition_item X
  (finite_trace_last is pre)
  {|
    l := existT x l;
    input := input;
    destination := destination;
    output := output
  |}
∧ in_futures X destination s
  ∧ x = x
    ∧ message_selectors x m
        {|
          l := l;
          input := input;
          destination := destination x;
          output := output
        |}
  by split_and!; [| exists suf | ..].
Qed.

End sec_stepwise_props.

A message has_been_sent for a composite state if it has_been_sent for any of its components.

Definition composite_has_been_sent
  (s : composite_state IM)
  (m : message)
  : Prop
  := exists (i : index), has_been_sent (IM i) (s i) m.

composite_has_been_sent is decidable.

Lemma composite_has_been_sent_dec : RelDecision composite_has_been_sent.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
RelDecision composite_has_been_sent
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
RelDecision composite_has_been_sent
  intros s m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision (composite_has_been_sent s m)
  apply (Decision_iff (P := List.Exists (fun i => has_been_sent (IM i) (s i) m) (enum index))).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Exists (λ i : index, has_been_sent (IM i) (s i) m)
  (enum index) ↔ composite_has_been_sent s m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision
  (Exists (λ i : index, has_been_sent (IM i) (s i) m)
     (enum index))
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Exists (λ i : index, has_been_sent (IM i) (s i) m)
  (enum index) ↔ composite_has_been_sent s m by rewrite Exists_finite.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision
  (Exists (λ i : index, has_been_sent (IM i) (s i) m)
     (enum index)) by typeclasses eauto.
Qed.

Lemma free_composite_has_been_sent_stepwise_props
  (X := free_composite_vlsm IM)
  : has_been_sent_stepwise_prop (vlsm := X) composite_has_been_sent.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
has_been_sent_stepwise_prop composite_has_been_sent
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
has_been_sent_stepwise_prop composite_has_been_sent
  unfold has_been_sent_stepwise_props.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
has_been_sent_stepwise_prop composite_has_been_sent
  pose proof (free_composite_stepwise_props (fun i => has_been_sent_stepwise_props (IM i)))
    as [Hinits Hstep].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
Hinits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm IM))) 
  (om : option message),
  input_constrained_transition
    (free_composite_vlsm IM) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
has_been_sent_stepwise_prop composite_has_been_sent
  split; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
Hinits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm IM))) 
  (om : option message),
  input_constrained_transition
    (free_composite_vlsm IM) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_sent s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_has_been_sent s msg
  by intros l; specialize (Hstep l); destruct l.
Qed.

#[export] Instance free_composite_HasBeenSentCapability
  (X := free_composite_vlsm IM)
  : HasBeenSentCapability X :=
  Build_HasBeenSentCapability X
    composite_has_been_sent
    composite_has_been_sent_dec
    free_composite_has_been_sent_stepwise_props.

Lemma composite_proper_sent
  (s : state (preloaded_with_all_messages_vlsm (free_composite_vlsm IM)))
  (Hs : constrained_state_prop (free_composite_vlsm IM) s)
  (m : message)
  : has_been_sent_prop (free_composite_vlsm IM) composite_has_been_sent s m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
Hs: constrained_state_prop (free_composite_vlsm IM) s
m: message
has_been_sent_prop (free_composite_vlsm IM)
  composite_has_been_sent s m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
Hs: constrained_state_prop (free_composite_vlsm IM) s
m: message
has_been_sent_prop (free_composite_vlsm IM)
  composite_has_been_sent s m
  specialize (proper_sent (free_composite_vlsm IM)) as Hproper_sent.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
Hs: constrained_state_prop (free_composite_vlsm IM) s
m: message
Hproper_sent: ∀ s : state
        (preloaded_with_all_messages_vlsm
           (free_composite_vlsm IM)),
  constrained_state_prop
    (free_composite_vlsm IM) s
  → ∀ m : message,
      has_been_sent_prop
        (free_composite_vlsm IM)
        (has_been_sent
           (free_composite_vlsm IM)) s
        m
has_been_sent_prop (free_composite_vlsm IM)
  composite_has_been_sent s m
  by apply Hproper_sent.
Qed.

Section sec_composite_has_been_received.

A message has_been_received for a composite state if it has_been_received for any of its components.

Definition composite_has_been_received
  (s : composite_state IM)
  (m : message)
  : Prop
  := exists (i : index), has_been_received (IM i) (s i) m.

composite_has_been_received is decidable.

Lemma composite_has_been_received_dec : RelDecision composite_has_been_received.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
RelDecision composite_has_been_received
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
RelDecision composite_has_been_received
  intros s m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision (composite_has_been_received s m)
  apply (Decision_iff (P := List.Exists (fun i => has_been_received (IM i) (s i) m) (enum index))).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Exists (λ i : index, has_been_received (IM i) (s i) m)
  (enum index) ↔ composite_has_been_received s m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision
  (Exists
     (λ i : index, has_been_received (IM i) (s i) m)
     (enum index))
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Exists (λ i : index, has_been_received (IM i) (s i) m)
  (enum index) ↔ composite_has_been_received s m by rewrite Exists_finite.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision
  (Exists
     (λ i : index, has_been_received (IM i) (s i) m)
     (enum index)) by typeclasses eauto.
Qed.

Lemma free_composite_has_been_received_stepwise_props
  (X := free_composite_vlsm IM)
  : has_been_received_stepwise_prop (vlsm := X) composite_has_been_received.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
has_been_received_stepwise_prop
  composite_has_been_received
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
has_been_received_stepwise_prop
  composite_has_been_received
  unfold has_been_received_stepwise_props.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
has_been_received_stepwise_prop
  composite_has_been_received
  pose proof (free_composite_stepwise_props (fun i => has_been_received_stepwise_props (IM i)))
    as [Hinits Hstep].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
Hinits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm IM))) 
  (om : option message),
  input_constrained_transition
    (free_composite_vlsm IM) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
has_been_received_stepwise_prop
  composite_has_been_received
  split; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
X:= free_composite_vlsm IM: VLSM message
Hinits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm IM))) 
  (om : option message),
  input_constrained_transition
    (free_composite_vlsm IM) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_received s' msg
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_has_been_received s msg
  by intros l; specialize (Hstep l); destruct l.
Qed.

#[export] Instance free_composite_HasBeenReceivedCapability
  (X := free_composite_vlsm IM)
  : HasBeenReceivedCapability X :=
  Build_HasBeenReceivedCapability X
    composite_has_been_received
    composite_has_been_received_dec
    free_composite_has_been_received_stepwise_props.

#[export] Instance free_composite_HasBeenDirectlyObservedCapability
  (X := free_composite_vlsm IM)
  : HasBeenDirectlyObservedCapability X :=
  HasBeenDirectlyObservedCapability_from_sent_received X.

#[export] Instance constrained_vlsm_HasBeenDirectlyObservedCapability
  `(X : VLSM message) `{HasBeenSentCapability message X} `{HasBeenReceivedCapability message X}
  (constraint : label X -> state X * option message -> Prop)
  : HasBeenDirectlyObservedCapability X :=
  HasBeenDirectlyObservedCapability_from_sent_received X.

End sec_composite_has_been_received.

A message has_been_directly_observed in a composite state if it has_been_directly_observed in any of its components.

Definition composite_has_been_directly_observed
  (s : composite_state IM)
  (m : message)
  : Prop
  := exists (i : index), has_been_directly_observed (IM i) (s i) m.

composite_has_been_directly_observed is decidable.

Lemma composite_has_been_directly_observed_dec : RelDecision composite_has_been_directly_observed.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
RelDecision composite_has_been_directly_observed
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
RelDecision composite_has_been_directly_observed
  intros s m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision (composite_has_been_directly_observed s m)
  apply (Decision_iff
    (P := List.Exists (fun i => has_been_directly_observed (IM i) (s i) m) (enum index))).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Exists
  (λ i : index,
     has_been_directly_observed (IM i) (s i) m)
  (enum index)
↔ composite_has_been_directly_observed s m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision
  (Exists
     (λ i : index,
        has_been_directly_observed (IM i) (s i) m)
     (enum index))
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Exists
  (λ i : index,
     has_been_directly_observed (IM i) (s i) m)
  (enum index)
↔ composite_has_been_directly_observed s m by rewrite Exists_finite.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
Decision
  (Exists
     (λ i : index,
        has_been_directly_observed (IM i) (s i) m)
     (enum index)) by typeclasses eauto.
Qed.

Lemma composite_has_been_directly_observed_stepwise_props
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (X := composite_vlsm IM constraint)
  : oracle_stepwise_props (vlsm := X) item_sends_or_receives composite_has_been_directly_observed.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_stepwise_props item_sends_or_receives
  composite_has_been_directly_observed
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
oracle_stepwise_props item_sends_or_receives
  composite_has_been_directly_observed
  pose proof
    (composite_stepwise_props
       (fun i => (has_been_directly_observed_stepwise_props (IM i))) constraint)
       as [Hinits Hstep].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Hinits: ∀ s : state (composite_vlsm IM constraint),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (composite_vlsm IM constraint))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (composite_vlsm IM constraint))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (composite_vlsm IM constraint))) 
  (om : option message),
  input_constrained_transition
    (composite_vlsm IM constraint) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
oracle_stepwise_props item_sends_or_receives
  composite_has_been_directly_observed
  split; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Hinits: ∀ s : state (composite_vlsm IM constraint),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (composite_vlsm IM constraint))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (composite_vlsm IM constraint))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (composite_vlsm IM constraint))) 
  (om : option message),
  input_constrained_transition
    (composite_vlsm IM constraint) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
∀ (l : label (preloaded_with_all_messages_vlsm X)) 
  (s : state (preloaded_with_all_messages_vlsm X)) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   X)) (om : option
                                               message),
  input_constrained_transition X l (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed s' msg
      ↔ item_sends_or_receives msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed s msg
  by intros l; specialize (Hstep l); destruct l.
Qed.

Lemma free_composite_has_been_directly_observed_stepwise_props :
  oracle_stepwise_props (vlsm := free_composite_vlsm IM) item_sends_or_receives
    composite_has_been_directly_observed.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
oracle_stepwise_props item_sends_or_receives
  composite_has_been_directly_observed
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
oracle_stepwise_props item_sends_or_receives
  composite_has_been_directly_observed
  destruct (free_composite_stepwise_props (fun i =>
    has_been_directly_observed_stepwise_props (IM i))) as [Hinits Hstep].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
Hinits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm IM))) 
  (om : option message),
  input_constrained_transition
    (free_composite_vlsm IM) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
oracle_stepwise_props item_sends_or_receives
  composite_has_been_directly_observed
  split; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
Hinits: ∀ s : state (free_composite_vlsm IM),
  initial_state_prop s
  → ∀ m : message, ¬ composite_oracle s m
Hstep: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) 
  (im : option message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (free_composite_vlsm IM))) 
  (om : option message),
  input_constrained_transition
    (free_composite_vlsm IM) l (
    s, im) (s', om)
  → ∀ msg : message,
      composite_oracle s' msg
      ↔ composite_message_selector msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ composite_oracle s msg
∀ (l : label
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) (s : state
                                              (preloaded_with_all_messages_vlsm
                                                 (free_composite_vlsm
                                                 IM))) 
  (im : option message) (s' : state
                                (preloaded_with_all_messages_vlsm
                                   (free_composite_vlsm
                                      IM))) (om : 
                                             option
                                               message),
  input_constrained_transition
    (free_composite_vlsm IM) l (s, im) (s', om)
  → ∀ msg : message,
      composite_has_been_directly_observed s' msg
      ↔ item_sends_or_receives msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |}
        ∨ composite_has_been_directly_observed s msg
  by intros l; specialize (Hstep l); destruct l.
Qed.

Context
  {validator : Type}
  `{finite.Finite validator}
  {measurable_V : Measurable validator}
  (threshold : R)
  `{FinSet validator Cv}
  `{!ReachableThreshold validator Cv threshold}
  (A : validator -> index)
  (sender : message -> option validator)
  .

Definition component_signed_message (component_idx : index) (m : message) : Prop :=
  option_map A (sender m) = Some component_idx.

Definitions for safety and nontriviality of the sender function. Safety means that if we designate a validator as the sender of a certain message, then it is impossible for other components to produce that message

Weak/strong nontriviality say that each validator should be designated sender for at least one/all its valid messages.

Definition sender_safety_prop : Prop :=
  forall
  (m : message)
  (v : validator)
  (Hsender : sender m = Some v),
  forall (j : index)
         (Hdif : j <> A v),
         ~ can_emit (preloaded_with_all_messages_vlsm (IM j)) m.

An alternative, possibly friendlier, formulation. Note that it is slightly weaker, in that it does not require that the sender is able to send the message.

Definition sender_safety_alt_prop : Prop :=
  forall
  (m : message)
  (v : validator)
  (Hsender : sender m = Some v),
  forall (i : index),
  can_emit (preloaded_with_all_messages_vlsm (IM i)) m ->
  A v = i.

Lemma sender_safety_alt_iff
  : sender_safety_prop <-> sender_safety_alt_prop.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
sender_safety_prop ↔ sender_safety_alt_prop
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
sender_safety_prop ↔ sender_safety_alt_prop
  split; intros Hsender_safety m; intros.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_prop
m: message
v: validator
Hsender: sender m = Some v
i: index
H11: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
A v = i
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
m: message
v: validator
Hsender: sender m = Some v
j: index
Hdif: j ≠ A v
¬ can_emit (preloaded_with_all_messages_vlsm (IM j)) m
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_prop
m: message
v: validator
Hsender: sender m = Some v
i: index
H11: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
A v = i specialize (Hsender_safety m v Hsender).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
m: message
v: validator
Hsender_safety: ∀ j : index,
  j ≠ A v
  → ¬ can_emit
        (preloaded_with_all_messages_vlsm
           (IM j)) m
Hsender: sender m = Some v
i: index
H11: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
A v = i
    destruct (decide (i = A v)); [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
m: message
v: validator
Hsender_safety: ∀ j : index,
  j ≠ A v
  → ¬ can_emit
        (preloaded_with_all_messages_vlsm
           (IM j)) m
Hsender: sender m = Some v
i: index
H11: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
n: i ≠ A v
A v = i
    by elim (Hsender_safety _ n).
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
m: message
v: validator
Hsender: sender m = Some v
j: index
Hdif: j ≠ A v
¬ can_emit (preloaded_with_all_messages_vlsm (IM j)) m intro Hemit.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
m: message
v: validator
Hsender: sender m = Some v
j: index
Hdif: j ≠ A v
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM j)) m
False elim Hdif.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
m: message
v: validator
Hsender: sender m = Some v
j: index
Hdif: j ≠ A v
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM j)) m
j = A v
    by specialize (Hsender_safety m v Hsender _ Hemit).
Qed.

Definition channel_authenticated_message (component_idx : index) (m : message) : Prop :=
  option_map A (sender m) = Some component_idx.

The channel_authentication_property requires that any sent message must be originating with its sender. Note that we don't require that sender is total, but rather that it is defined for all messages which can be emitted.

Definition channel_authentication_prop : Prop :=
  forall i m,
  can_emit (preloaded_with_all_messages_vlsm (IM i)) m ->
  channel_authenticated_message i m.

Channel authentication guarantees sender safety

Lemma channel_authentication_sender_safety
  : channel_authentication_prop -> sender_safety_alt_prop.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
channel_authentication_prop → sender_safety_alt_prop
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
channel_authentication_prop → sender_safety_alt_prop
  intros Hsigned m v Hsender i Hemit.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsigned: channel_authentication_prop
m: message
v: validator
Hsender: sender m = Some v
i: index
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
A v = i
  apply Some_inj.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsigned: channel_authentication_prop
m: message
v: validator
Hsender: sender m = Some v
i: index
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
Some (A v) = Some i
  change (Some (A v)) with (option_map A (Some v)).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsigned: channel_authentication_prop
m: message
v: validator
Hsender: sender m = Some v
i: index
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
option_map A (Some v) = Some i
  rewrite <- Hsender.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsigned: channel_authentication_prop
m: message
v: validator
Hsender: sender m = Some v
i: index
Hemit: can_emit
  (preloaded_with_all_messages_vlsm (IM i)) m
option_map A (sender m) = Some i
  by apply Hsigned.
Qed.

Definition sender_nontriviality_prop : Prop :=
  forall (v : validator),
  exists (m : message),
  can_emit (preloaded_with_all_messages_vlsm (IM (A v))) m /\
  sender m = Some v.

Definition no_initial_messages_in_IM_prop : Prop :=
  forall i m, ~ initial_message_prop (IM i) m.

Lemma free_composite_no_initial_valid_messages_emitted_by_sender
  (can_emit_signed : channel_authentication_prop)
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop)
  (X := free_composite_vlsm IM)
  : forall (m : message), valid_message_prop X m ->
    exists v, sender m = Some v /\
      can_emit (preloaded_with_all_messages_vlsm (IM (A v))) m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
∀ m : message,
  valid_message_prop X m
  → ∃ v : validator,
      sender m = Some v
      ∧ can_emit
          (preloaded_with_all_messages_vlsm (IM (A v)))
          m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
∀ m : message,
  valid_message_prop X m
  → ∃ v : validator,
      sender m = Some v
      ∧ can_emit
          (preloaded_with_all_messages_vlsm (IM (A v)))
          m
  intro m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
m: message
valid_message_prop X m
→ ∃ v : validator,
    sender m = Some v
    ∧ can_emit
        (preloaded_with_all_messages_vlsm (IM (A v)))
        m
  rewrite emitted_messages_are_valid_iff.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
m: message
initial_message_prop m ∨ can_emit X m
→ ∃ v : validator,
    sender m = Some v
    ∧ can_emit
        (preloaded_with_all_messages_vlsm (IM (A v)))
        m
  intros [[i [[mi Hmi] _]] | [(s, om) [(i, l) [s' Ht]]]]
  ; [by contradict Hmi; apply no_initial_messages_in_IM |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
m: message
s: state X
om: option message
i: index
l: label (IM i)
s': state X
Ht: input_valid_transition X 
  (existT i l) (s, om) (
  s', Some m)
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  eapply VLSM_incl_input_valid_transition in Ht;
    [| by eapply (vlsm_incl_preloaded_with_all_messages_vlsm (free_composite_vlsm IM))].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
m: message
s: state X
om: option message
i: index
l: label (IM i)
s': state X
Ht: input_valid_transition
  {|
    vlsm_type := composite_type IM;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm
        (free_composite_vlsm IM)
  |} (existT i l) (s, om) (
  s', Some m)
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  apply preloaded_with_all_messages_projection_input_valid_transition_eq
    with (j := i) in Ht; [| done]; cbn in Ht.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
m: message
s: state X
om: option message
i: index
l: label (IM i)
s': state X
Ht: input_constrained_transition 
  (IM i) l (s i, om) (s' i, Some m)
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  specialize (can_emit_signed i m).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
m: message
i: index
can_emit_signed: can_emit
  (preloaded_with_all_messages_vlsm
     (IM i)) m
→ channel_authenticated_message i m
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
s: state X
om: option message
l: label (IM i)
s': state X
Ht: input_constrained_transition 
  (IM i) l (s i, om) (s' i, Some m)
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  spec can_emit_signed; [by eexists _, _, _ |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
m: message
i: index
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
s: state X
om: option message
l: label (IM i)
s': state X
Ht: input_constrained_transition 
  (IM i) l (s i, om) (s' i, Some m)
can_emit_signed: channel_authenticated_message i m
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  unfold channel_authenticated_message in can_emit_signed.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
m: message
i: index
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
s: state X
om: option message
l: label (IM i)
s': state X
Ht: input_constrained_transition 
  (IM i) l (s i, om) (s' i, Some m)
can_emit_signed: option_map A (sender m) = Some i
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  destruct (sender m) as [v |] eqn: Hsender; [| by inversion can_emit_signed].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
m: message
i: index
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
s: state X
om: option message
l: label (IM i)
s': state X
Ht: input_constrained_transition 
  (IM i) l (s i, om) (s' i, Some m)
v: validator
Hsender: sender m = Some v
can_emit_signed: option_map A (Some v) = Some i
∃ v0 : validator,
  Some v = Some v0
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v0))) m
  apply Some_inj in can_emit_signed.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
m: message
i: index
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
X:= free_composite_vlsm IM: VLSM message
s: state X
om: option message
l: label (IM i)
s': state X
Ht: input_constrained_transition 
  (IM i) l (s i, om) (s' i, Some m)
v: validator
Hsender: sender m = Some v
can_emit_signed: A v = i
∃ v0 : validator,
  Some v = Some v0
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v0))) m
  by exists v; subst; unfold can_emit; eauto.
Qed.

Lemma composite_no_initial_valid_messages_emitted_by_sender
    (can_emit_signed : channel_authentication_prop)
    (no_initial_messages_in_IM : no_initial_messages_in_IM_prop)
    (constraint : composite_label IM -> composite_state IM * option message -> Prop)
    (X := composite_vlsm IM constraint)
    : forall (m : message), valid_message_prop X m ->
      exists v, sender m = Some v /\
        can_emit (preloaded_with_all_messages_vlsm (IM (A v))) m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
∀ m : message,
  valid_message_prop X m
  → ∃ v : validator,
      sender m = Some v
      ∧ can_emit
          (preloaded_with_all_messages_vlsm (IM (A v)))
          m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
∀ m : message,
  valid_message_prop X m
  → ∃ v : validator,
      sender m = Some v
      ∧ can_emit
          (preloaded_with_all_messages_vlsm (IM (A v)))
          m
  intros.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
m: message
H11: valid_message_prop X m
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  apply free_composite_no_initial_valid_messages_emitted_by_sender; [done.. |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
m: message
H11: valid_message_prop X m
valid_message_prop (free_composite_vlsm IM) m
  eapply VLSM_incl_valid_message with X; [| by do 2 red | done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
m: message
H11: valid_message_prop X m
VLSM_incl_part X (free_composite_vlsm_machine IM)
  by apply VLSM_incl_constrained_vlsm.
Qed.

Lemma free_composite_no_initial_valid_messages_have_sender
  (can_emit_signed : channel_authentication_prop)
  (no_initial_messages_in_IM : no_initial_messages_in_IM_prop) :
  forall (m : message),
    valid_message_prop (free_composite_vlsm IM) m -> sender m <> None.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
∀ m : message,
  valid_message_prop (free_composite_vlsm IM) m
  → sender m ≠ None
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
∀ m : message,
  valid_message_prop (free_composite_vlsm IM) m
  → sender m ≠ None
  intros m Hm.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
m: message
Hm: valid_message_prop (free_composite_vlsm IM) m
sender m ≠ None
  cut (exists v : validator, sender m = Some v /\
    can_emit (preloaded_with_all_messages_vlsm (IM (A v))) m).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
m: message
Hm: valid_message_prop (free_composite_vlsm IM) m
(∃ v : validator,
   sender m = Some v
   ∧ can_emit
       (preloaded_with_all_messages_vlsm (IM (A v))) m)
→ sender m ≠ None
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
m: message
Hm: valid_message_prop (free_composite_vlsm IM) m
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
m: message
Hm: valid_message_prop (free_composite_vlsm IM) m
(∃ v : validator,
   sender m = Some v
   ∧ can_emit
       (preloaded_with_all_messages_vlsm (IM (A v))) m)
→ sender m ≠ None by intros (v & -> & _); congruence.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
m: message
Hm: valid_message_prop (free_composite_vlsm IM) m
∃ v : validator,
  sender m = Some v
  ∧ can_emit
      (preloaded_with_all_messages_vlsm (IM (A v))) m by apply free_composite_no_initial_valid_messages_emitted_by_sender.
Qed.

Lemma composite_no_initial_valid_messages_have_sender
    (can_emit_signed : channel_authentication_prop)
    (no_initial_messages_in_IM : no_initial_messages_in_IM_prop)
    (constraint : composite_label IM -> composite_state IM * option message -> Prop)
    (X := composite_vlsm IM constraint)
    : forall (m : message) (Hm : valid_message_prop X m), sender m <> None.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
∀ m : message,
  valid_message_prop X m → sender m ≠ None
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
∀ m : message,
  valid_message_prop X m → sender m ≠ None
  intros m Hm.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
m: message
Hm: valid_message_prop X m
sender m ≠ None
  apply free_composite_no_initial_valid_messages_have_sender; [done.. |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
m: message
Hm: valid_message_prop X m
valid_message_prop (free_composite_vlsm IM) m
  eapply VLSM_incl_valid_message with X; [| by do 2 red | done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
no_initial_messages_in_IM: no_initial_messages_in_IM_prop
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
m: message
Hm: valid_message_prop X m
VLSM_incl_part X (free_composite_vlsm_machine IM)
  by apply VLSM_incl_constrained_vlsm.
Qed.

Lemma composite_emitted_by_validator_have_sender
    (can_emit_signed : channel_authentication_prop)
    (A_inj : forall v1 v2, A v1 = A v2 -> v1 = v2)
  : forall s item,
      input_constrained_transition_item (free_composite_vlsm IM) s item ->
    forall v, A v = projT1 (l item) ->
    forall (m : message), output item = Some m ->
    sender m = Some v.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) (item : transition_item),
  input_constrained_transition_item
    (free_composite_vlsm IM) s item
  → ∀ v : validator,
      A v = projT1 (l item)
      → ∀ m : message,
          output item = Some m → sender m = Some v
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (free_composite_vlsm IM))) (item : transition_item),
  input_constrained_transition_item
    (free_composite_vlsm IM) s item
  → ∀ v : validator,
      A v = projT1 (l item)
      → ∀ m : message,
          output item = Some m → sender m = Some v
  intros s item Ht v HAv m Houtput.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
item: transition_item
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
v: validator
HAv: A v = projT1 (l item)
m: message
Houtput: output item = Some m
sender m = Some v
  cut (channel_authenticated_message (A v) m).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
item: transition_item
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
v: validator
HAv: A v = projT1 (l item)
m: message
Houtput: output item = Some m
channel_authenticated_message (A v) m
→ sender m = Some v
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
item: transition_item
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
v: validator
HAv: A v = projT1 (l item)
m: message
Houtput: output item = Some m
channel_authenticated_message (A v) m
  {message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
item: transition_item
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
v: validator
HAv: A v = projT1 (l item)
m: message
Houtput: output item = Some m
channel_authenticated_message (A v) m
→ sender m = Some v
    unfold channel_authenticated_message; destruct (sender m) as [v' |]; [| done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
item: transition_item
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
v: validator
HAv: A v = projT1 (l item)
m: message
Houtput: output item = Some m
v': validator
option_map A (Some v') = Some (A v) → Some v' = Some v
    by cbn; intros Hvv'; apply Some_inj, A_inj in Hvv'; subst.
  }message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
item: transition_item
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
v: validator
HAv: A v = projT1 (l item)
m: message
Houtput: output item = Some m
channel_authenticated_message (A v) m
  apply input_valid_transition_preloaded_project_active_free in Ht as Hti.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
can_emit_signed: channel_authentication_prop
A_inj: ∀ v1 v2 : validator, A v1 = A v2 → v1 = v2
s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
item: transition_item
Ht: input_constrained_transition_item
  (free_composite_vlsm IM) s item
v: validator
HAv: A v = projT1 (l item)
m: message
Houtput: output item = Some m
Hti: input_constrained_transition
  (IM (projT1 (l item))) 
  (projT2 (l item))
  (s (projT1 (l item)), input item)
  (destination item (projT1 (l item)),
   output item)
channel_authenticated_message (A v) m
  by rewrite Houtput in Hti; apply can_emit_signed; rewrite HAv; eexists _, _, _.
Qed.

Lemma has_been_sent_iff_by_sender
  (Hsender_safety : sender_safety_alt_prop) [is s tr]
  (Htr : finite_constrained_trace_init_to (free_composite_vlsm IM) is s tr)
  [m v] (Hsender : sender m = Some v) :
  composite_has_been_sent s m <-> has_been_sent (IM (A v)) (s (A v)) m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
composite_has_been_sent s m
↔ has_been_sent (IM (A v)) (s (A v)) m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
composite_has_been_sent s m
↔ has_been_sent (IM (A v)) (s (A v)) m
  split; [| by exists (A v)].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
composite_has_been_sent s m
→ has_been_sent (IM (A v)) (s (A v)) m
  intros [i Hi].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
has_been_sent (IM (A v)) (s (A v)) m
  erewrite Hsender_safety; [done | done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
can_emit (preloaded_with_all_messages_vlsm (IM i)) m
  assert (Htr_pr : finite_constrained_trace_init_to (IM i) (is i) (s i)
    (VLSM_projection_finite_trace_project (preloaded_component_projection IM i) tr)).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
finite_constrained_trace_init_to (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
Htr_pr: finite_constrained_trace_init_to 
  (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
can_emit (preloaded_with_all_messages_vlsm (IM i)) m
  {message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
finite_constrained_trace_init_to (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
    by apply (VLSM_projection_finite_valid_trace_init_to (preloaded_component_projection IM i)).
  }message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
Htr_pr: finite_constrained_trace_init_to 
  (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
can_emit (preloaded_with_all_messages_vlsm (IM i)) m
  eapply can_emit_from_valid_trace.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
Htr_pr: finite_constrained_trace_init_to 
  (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
finite_valid_trace
  (preloaded_with_all_messages_vlsm (IM i)) ?si ?tr
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
Htr_pr: finite_constrained_trace_init_to 
  (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
trace_has_message (field_selector output) m ?tr
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
Htr_pr: finite_constrained_trace_init_to 
  (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
finite_valid_trace
  (preloaded_with_all_messages_vlsm (IM i)) ?si ?tr by eapply valid_trace_forget_last.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
Htr_pr: finite_constrained_trace_init_to 
  (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
trace_has_message (field_selector output) m
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr) eapply proper_sent; [| done | done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
Hsender_safety: sender_safety_alt_prop
is, s: state
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
tr: list transition_item
Htr: finite_constrained_trace_init_to
  (free_composite_vlsm IM) is s tr
m: message
v: validator
Hsender: sender m = Some v
i: index
Hi: has_been_sent (IM i) (s i) m
Htr_pr: finite_constrained_trace_init_to 
  (IM i) (is i) (s i)
  (VLSM_projection_finite_trace_project
     (preloaded_component_projection IM i) tr)
constrained_state_prop (IM i) (s i)
    by red in Htr_pr; apply valid_trace_last_pstate in Htr_pr.
Qed.

Lemma no_additional_equivocations_constraint_dec
  : RelDecision (no_additional_equivocations_constraint Free).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
RelDecision
  (no_additional_equivocations_constraint Free)
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
RelDecision
  (no_additional_equivocations_constraint Free)
  intros l (s, om).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
l: label Free
s: state Free
om: option message
Decision
  (no_additional_equivocations_constraint Free l
     (s, om))
  destruct om; [| by left].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
l: label Free
s: state Free
m: message
Decision
  (no_additional_equivocations_constraint Free l
     (s, Some m))
  by apply no_additional_equivocations_dec.
Qed.

We say that a validator <v> (with associated component <i>) is equivocating wrt. to another component <j>, if there exists a message which has_been_received by <j> but has_not_been_sent by <i>.

Definition equivocating_wrt
  (v : validator)
  (j : index)
  (sv : state (IM (A v)))
  (sj : state (IM j))
  (i := A v)
  : Prop
  :=
  exists (m : message),
  sender(m) = Some v /\
  has_not_been_sent  (IM i) sv m /\
  has_been_received  (IM j) sj m.

We can now decide whether a validator is equivocating in a certain state.

Definition is_equivocating_statewise
  (s : composite_state IM)
  (v : validator)
  : Prop
  :=
  exists (j : index),
  equivocating_wrt v j (s (A v)) (s j).

Lemma initial_state_is_not_equivocating_statewise
  (s : composite_state IM)
  (Hs : composite_initial_state_prop IM s)
  (v : validator)
  : ~ is_equivocating_statewise s v.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
¬ is_equivocating_statewise s v
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
¬ is_equivocating_statewise s v
  unfold is_equivocating_statewise, equivocating_wrt.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
¬ (∃ (j : index) (m : message),
     sender m = Some v
     ∧ has_not_been_sent (IM (A v)) (s (A v)) m
       ∧ has_been_received (IM j) (s j) m)
  intros (j & m & Hsender & Hnbs & Hrcv).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
s: composite_state IM
Hs: composite_initial_state_prop IM s
v: validator
j: index
m: message
Hsender: sender m = Some v
Hnbs: has_not_been_sent (IM (A v)) (s (A v)) m
Hrcv: has_been_received (IM j) (s j) m
False
  by revert Hrcv; apply has_been_received_stepwise_props, Hs.
Qed.

For the equivocation sum fault to be computable, we require that our is_equivocating property is decidable. The current implementation refers to is_equivocating_statewise, but this might change in the future.

Definition equivocation_dec_statewise
   (Hdec : RelDecision is_equivocating_statewise)
    : BasicEquivocation (composite_state IM) validator Cv threshold
  :=
  {|
    state_validators := fun _ => list_to_set (enum validator);
    is_equivocating := is_equivocating_statewise;
    is_equivocating_dec := Hdec
  |}.

Definition equivocation_fault_constraint
  (Dec : BasicEquivocation (composite_state IM) validator Cv threshold)
  (l : composite_label IM)
  (som : composite_state IM * option message)
  : Prop
  :=
  let (s', om') := (composite_transition IM l som) in
  not_heavy s'.

Lemma sent_component_sent_previously
  [constraint : composite_label IM -> composite_state IM * option message -> Prop]
  (X := composite_vlsm IM constraint)
  [s : composite_state IM]
  (Hs : valid_state_prop X s)
  [i : index]
  [m : message]
  (Horacle : has_been_sent (IM i) (s i) m) :
  exists s_item item,
    input_valid_transition_item X s_item item /\
    in_futures X (destination item) s /\
    projT1 (l item) = i /\
    output item = Some m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_sent (IM i) (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i ∧ output item = Some m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_sent (IM i) (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i ∧ output item = Some m
  clear -Hs Horacle.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_sent (IM i) (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i ∧ output item = Some m
  specialize
    (oracle_component_selected_previously
      (fun i => has_been_sent_stepwise_props (IM i))
      Hs Horacle)
    as (s_item & [[] ?] & Ht & Hfutures & Hi & Hselected).message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_sent (IM i) (s i) m
s_item: state (composite_vlsm IM constraint)
x: index
l: label (IM x)
input: option message
destination: state (composite_vlsm IM constraint)
output: option message
Ht: input_valid_transition_item
  (composite_vlsm IM constraint) s_item
  {|
    l := existT x l;
    input := input;
    destination := destination;
    output := output
  |}
Hfutures: in_futures (composite_vlsm IM constraint)
  (VLSM.destination
     {|
       l := existT x l;
       input := input;
       destination := destination;
       output := output
     |}) s
Hi: projT1
  (VLSM.l
     {|
       l := existT x l;
       input := input;
       destination := destination;
       output := output
     |}) = i
Hselected: composite_message_selector m
  {|
    l := existT x l;
    input := input;
    destination := destination;
    output := output
  |}
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (VLSM.destination item) s
    ∧ projT1 (VLSM.l item) = i
      ∧ VLSM.output item = Some m
  by eexists _, _.
Qed.

Lemma received_component_received_previously
  [constraint : composite_label IM -> composite_state IM * option message -> Prop]
  (X := composite_vlsm IM constraint)
  [s : composite_state IM]
  (Hs : valid_state_prop X s)
  [i : index]
  [m : message]
  (Horacle : has_been_received (IM i) (s i) m) :
  exists s_item item,
    input_valid_transition_item X s_item item /\
    in_futures X (destination item) s /\
    projT1 (l item) = i /\
    input item = Some m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_received (IM i) (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i ∧ input item = Some m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_received (IM i) (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i ∧ input item = Some m
  clear -Hs Horacle.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_received (IM i) (s i) m
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (destination item) s
    ∧ projT1 (l item) = i ∧ input item = Some m
  specialize
    (oracle_component_selected_previously
      (fun i => has_been_received_stepwise_props (IM i))
      Hs Horacle)
    as (s_item & [[] ?] & Ht & Hfutures & Hi & Hselected).message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Horacle: has_been_received (IM i) (s i) m
s_item: state (composite_vlsm IM constraint)
x: index
l: label (IM x)
input: option message
destination: state (composite_vlsm IM constraint)
output: option message
Ht: input_valid_transition_item
  (composite_vlsm IM constraint) s_item
  {|
    l := existT x l;
    input := input;
    destination := destination;
    output := output
  |}
Hfutures: in_futures (composite_vlsm IM constraint)
  (VLSM.destination
     {|
       l := existT x l;
       input := input;
       destination := destination;
       output := output
     |}) s
Hi: projT1
  (VLSM.l
     {|
       l := existT x l;
       input := input;
       destination := destination;
       output := output
     |}) = i
Hselected: composite_message_selector m
  {|
    l := existT x l;
    input := input;
    destination := destination;
    output := output
  |}
∃ (s_item : state X) (item : transition_item),
  input_valid_transition_item X s_item item
  ∧ in_futures X (VLSM.destination item) s
    ∧ projT1 (VLSM.l item) = i
      ∧ VLSM.input item = Some m
  by eexists _, _.
Qed.

Lemma messages_sent_from_component_produced_previously
  [constraint : composite_label IM -> composite_state IM * option message -> Prop]
  (X := composite_vlsm IM constraint)
  [s : composite_state IM]
  (Hs : valid_state_prop X s)
  [i : index]
  [m : message]
  (Hsent : has_been_sent (IM i) (s i) m) :
  exists s_m,
    in_futures X s_m s /\
    can_produce (preloaded_with_all_messages_vlsm (IM i)) (s_m i) m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hsent: has_been_sent (IM i) (s i) m
∃ s_m : state X,
  in_futures X s_m s
  ∧ can_produce
      (preloaded_with_all_messages_vlsm (IM i))
      (s_m i) m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hsent: has_been_sent (IM i) (s i) m
∃ s_m : state X,
  in_futures X s_m s
  ∧ can_produce
      (preloaded_with_all_messages_vlsm (IM i))
      (s_m i) m
  specialize (sent_component_sent_previously Hs Hsent)
    as (s_item & [] & Ht & Hfutures & <- & Houtput)
  ; destruct l as [i li]; cbn in *; subst output.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
li: label (IM i)
input: option message
destination: composite_state IM
Hsent: has_been_sent (IM i) (s i) m
s_item: composite_state IM
Ht: input_valid_transition_item
  (composite_vlsm IM constraint) s_item
  {|
    l := existT i li;
    input := input;
    destination := destination;
    output := Some m
  |}
Hfutures: in_futures (composite_vlsm IM constraint)
  destination s
∃ s_m : composite_state IM,
  in_futures X s_m s
  ∧ can_produce
      (preloaded_with_all_messages_vlsm (IM i))
      (s_m i) m
  exists destination; split; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
li: label (IM i)
input: option message
destination: composite_state IM
Hsent: has_been_sent (IM i) (s i) m
s_item: composite_state IM
Ht: input_valid_transition_item
  (composite_vlsm IM constraint) s_item
  {|
    l := existT i li;
    input := input;
    destination := destination;
    output := Some m
  |}
Hfutures: in_futures (composite_vlsm IM constraint)
  destination s
can_produce (preloaded_with_all_messages_vlsm (IM i))
  (destination i) m
  eapply VLSM_incl_input_valid_transition in Ht; cbn in Ht;
    [| by apply constrained_preloaded_incl].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
li: label (IM i)
input: option message
destination: composite_state IM
Hsent: has_been_sent (IM i) (s i) m
s_item: composite_state IM
Hfutures: in_futures (composite_vlsm IM constraint)
  destination s
Ht: input_valid_transition
  {|
    vlsm_type := composite_type IM;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm
        (free_composite_vlsm IM)
  |} (existT i li) (s_item, input)
  (destination, Some m)
can_produce (preloaded_with_all_messages_vlsm (IM i))
  (destination i) m
  eapply (VLSM_projection_input_valid_transition (preloaded_component_projection IM i))
    in Ht; [by eexists _, _ |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
li: label (IM i)
input: option message
destination: composite_state IM
Hsent: has_been_sent (IM i) (s i) m
s_item: composite_state IM
Hfutures: in_futures (composite_vlsm IM constraint)
  destination s
Ht: input_valid_transition
  {|
    vlsm_type := composite_type IM;
    vlsm_machine :=
      preloaded_with_all_messages_vlsm
        (free_composite_vlsm IM)
  |} (existT i li) (s_item, input)
  (destination, Some m)
composite_project_label IM i (existT i li) =
Some ?Goal0
  by apply (composite_project_label_eq IM).
Qed.

Lemma messages_sent_from_component_of_valid_state_are_valid
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (X := composite_vlsm IM constraint)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (i : index)
  (m : message)
  (Hsent : has_been_sent (IM i) (s i) m) :
  valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m
  by apply (sent_valid X s); [| exists i].
Qed.

Lemma preloaded_messages_sent_from_component_of_valid_state_are_valid_free
  (seed : message -> Prop)
  (X := preloaded_vlsm (free_composite_vlsm IM) seed)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (i : index)
  (m : message)
  (Hsent : has_been_sent (IM i) (s i) m) :
  valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m
  by eapply sent_valid; [| exists i].
Qed.

Lemma messages_received_from_component_of_valid_state_are_valid
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (X := composite_vlsm IM constraint)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (i : index)
  (m : message)
  (Hreceived : has_been_received (IM i) (s i) m)
  : valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m
  by eapply received_valid; [| exists i].
Qed.

Lemma preloaded_messages_received_from_component_of_valid_state_are_valid_free
  (seed : message -> Prop)
  (X := preloaded_vlsm (free_composite_vlsm IM) seed)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (i : index)
  (m : message)
  (Hreceived : has_been_received (IM i) (s i) m)
  : valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
i: index
m: message
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m
  by eapply received_valid; [| exists i].
Qed.

Lemma composite_sent_valid
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (X := composite_vlsm IM constraint)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (m : message)
  (Hsent : composite_has_been_sent s m)
  : valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hsent: composite_has_been_sent s m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hsent: composite_has_been_sent s m
valid_message_prop X m
  destruct Hsent as [i Hsent].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m
  by apply messages_sent_from_component_of_valid_state_are_valid with s i.
Qed.

Lemma preloaded_composite_sent_valid
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (seed : message -> Prop)
  (X := preloaded_vlsm (composite_vlsm IM constraint) seed)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (m : message)
  (Hsent : composite_has_been_sent s m)
  : valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
seed: message → Prop
X:= preloaded_vlsm (composite_vlsm IM constraint) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hsent: composite_has_been_sent s m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
seed: message → Prop
X:= preloaded_vlsm (composite_vlsm IM constraint) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hsent: composite_has_been_sent s m
valid_message_prop X m
  by eapply sent_valid.
Qed.

Lemma preloaded_composite_received_valid
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (seed : message -> Prop)
  (X := preloaded_vlsm (composite_vlsm IM constraint) seed)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (m : message)
  (Hreceived : composite_has_been_received s m)
  : valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
seed: message → Prop
X:= preloaded_vlsm (composite_vlsm IM constraint) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hreceived: composite_has_been_received s m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
seed: message → Prop
X:= preloaded_vlsm (composite_vlsm IM constraint) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hreceived: composite_has_been_received s m
valid_message_prop X m
  by eapply received_valid.
Qed.

Lemma composite_directly_observed_valid
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (X := composite_vlsm IM constraint)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (m : message)
  (Hobserved : composite_has_been_directly_observed s m)
  : valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hobserved: composite_has_been_directly_observed s m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hobserved: composite_has_been_directly_observed s m
valid_message_prop X m
  destruct Hobserved as [i Hobserved].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
valid_message_prop X m
  apply (has_been_directly_observed_sent_received_iff (IM i)) in Hobserved.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_received (IM i) (s i) m
∨ has_been_sent (IM i) (s i) m
valid_message_prop X m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
H11: ∀ s : state
        (preloaded_with_all_messages_vlsm (IM i)),
  constrained_state_prop (IM i) s
  → ∀ m : message,
      has_been_directly_observed (IM i) s m
      → has_been_received (IM i) s m
        ∨ has_been_sent (IM i) s m
constrained_state_prop (IM i) (s i)
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_received (IM i) (s i) m
∨ has_been_sent (IM i) (s i) m
valid_message_prop X m destruct Hobserved as [Hreceived | Hsent].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m by eapply messages_received_from_component_of_valid_state_are_valid.
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m by eapply messages_sent_from_component_of_valid_state_are_valid.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
H11: ∀ s : state
        (preloaded_with_all_messages_vlsm (IM i)),
  constrained_state_prop (IM i) s
  → ∀ m : message,
      has_been_directly_observed (IM i) s m
      → has_been_received (IM i) s m
        ∨ has_been_sent (IM i) s m
constrained_state_prop (IM i) (s i) by eapply valid_state_project_preloaded.
Qed.

Lemma preloaded_free_composite_directly_observed_valid
  (seed : message -> Prop)
  (X := preloaded_vlsm (free_composite_vlsm IM) seed)
  (s : composite_state IM)
  (Hs : valid_state_prop X s)
  (m : message)
  (Hobserved : composite_has_been_directly_observed s m)
  : valid_message_prop X m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hobserved: composite_has_been_directly_observed s m
valid_message_prop X m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
Hobserved: composite_has_been_directly_observed s m
valid_message_prop X m
  destruct Hobserved as [i Hobserved].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
valid_message_prop X m
  apply (has_been_directly_observed_sent_received_iff (IM i)) in Hobserved.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_received (IM i) (s i) m
∨ has_been_sent (IM i) (s i) m
valid_message_prop X m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
H11: ∀ s : state
        (preloaded_with_all_messages_vlsm (IM i)),
  constrained_state_prop (IM i) s
  → ∀ m : message,
      has_been_directly_observed (IM i) s m
      → has_been_received (IM i) s m
        ∨ has_been_sent (IM i) s m
constrained_state_prop (IM i) (s i)
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_received (IM i) (s i) m
∨ has_been_sent (IM i) (s i) m
valid_message_prop X m destruct Hobserved as [Hreceived | Hsent].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hreceived: has_been_received (IM i) (s i) m
valid_message_prop X m by eapply preloaded_messages_received_from_component_of_valid_state_are_valid_free.
    +message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hsent: has_been_sent (IM i) (s i) m
valid_message_prop X m by eapply preloaded_messages_sent_from_component_of_valid_state_are_valid_free.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
H11: ∀ s : state
        (preloaded_with_all_messages_vlsm (IM i)),
  constrained_state_prop (IM i) s
  → ∀ m : message,
      has_been_directly_observed (IM i) s m
      → has_been_received (IM i) s m
        ∨ has_been_sent (IM i) s m
constrained_state_prop (IM i) (s i) eapply composite_constrained_state_project.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
H11: ∀ s : state
        (preloaded_with_all_messages_vlsm (IM i)),
  constrained_state_prop (IM i) s
  → ∀ m : message,
      has_been_directly_observed (IM i) s m
      → has_been_received (IM i) s m
        ∨ has_been_sent (IM i) s m
composite_constrained_state_prop IM s
    eapply VLSM_incl_valid_state; [| done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
Free:= free_composite_vlsm IM: VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
validator: Type
EqDecision1: EqDecision validator
H2: finite.Finite validator
measurable_V: Measurable validator
threshold: R
Cv: Type
H3: ElemOf validator Cv
H4: Empty Cv
H5: Singleton validator Cv
H6: Union Cv
H7: Intersection Cv
H8: Difference Cv
H9: Elements validator Cv
EqDecision2: EqDecision validator
H10: FinSet validator Cv
ReachableThreshold0: ReachableThreshold validator Cv
  threshold
A: validator → index
sender: message → option validator
seed: message → Prop
X:= preloaded_vlsm (free_composite_vlsm IM) seed: VLSM message
s: composite_state IM
Hs: valid_state_prop X s
m: message
i: index
Hobserved: has_been_directly_observed (IM i) (s i) m
H11: ∀ s : state
        (preloaded_with_all_messages_vlsm (IM i)),
  constrained_state_prop (IM i) s
  → ∀ m : message,
      has_been_directly_observed (IM i) s m
      → has_been_received (IM i) s m
        ∨ has_been_sent (IM i) s m
VLSM_incl_part
  (preloaded_vlsm_machine (free_composite_vlsm IM)
     seed)
  (preloaded_vlsm_machine (free_composite_vlsm IM)
     (λ _ : message, True))
    by apply preloaded_vlsm_incl_preloaded_with_all_messages.
Qed.

End sec_composite.

Lemma composite_has_been_directly_observed_sent_received_iff
  {message}
  `{EqDecision index}
  (IM : index -> VLSM message)
  `{forall i : index, HasBeenSentCapability (IM i)}
  `{forall i : index, HasBeenReceivedCapability (IM i)}
  (s : composite_state IM)
  (m : message)
  : composite_has_been_directly_observed IM s m <->
    composite_has_been_sent IM s m \/ composite_has_been_received IM s m.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
composite_has_been_directly_observed IM s m
↔ composite_has_been_sent IM s m
  ∨ composite_has_been_received IM s m
Proof.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
composite_has_been_directly_observed IM s m
↔ composite_has_been_sent IM s m
  ∨ composite_has_been_received IM s m
  split.message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
composite_has_been_directly_observed IM s m
→ composite_has_been_sent IM s m
  ∨ composite_has_been_received IM s m
message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
composite_has_been_sent IM s m
∨ composite_has_been_received IM s m
→ composite_has_been_directly_observed IM s m
  -message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
composite_has_been_directly_observed IM s m
→ composite_has_been_sent IM s m
  ∨ composite_has_been_received IM s m by intros [i [Hs | Hr]]; [left | right]; exists i.
  -message, index: Type
EqDecision0: EqDecision index
IM: index → VLSM message
H: ∀ i : index, HasBeenSentCapability (IM i)
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
m: message
composite_has_been_sent IM s m
∨ composite_has_been_received IM s m
→ composite_has_been_directly_observed IM s m by intros [[i Hs] | [i Hr]]; exists i; [left | right].
Qed.

Lemma composite_has_been_directly_observed_free_iff
  {message}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i : index, HasBeenSentCapability (IM i)}
  `{forall i : index, HasBeenReceivedCapability (IM i)}
  (s : state (free_composite_vlsm IM))
  (m : message)
  : composite_has_been_directly_observed IM s m
      <->
    has_been_directly_observed (free_composite_vlsm IM) s m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: state (free_composite_vlsm IM)
m: message
composite_has_been_directly_observed IM s m
↔ has_been_directly_observed (free_composite_vlsm IM)
    s m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: state (free_composite_vlsm IM)
m: message
composite_has_been_directly_observed IM s m
↔ has_been_directly_observed (free_composite_vlsm IM)
    s m
  unfold has_been_directly_observed; cbn; unfold has_been_directly_observed_from_sent_received; cbn.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: state (free_composite_vlsm IM)
m: message
composite_has_been_directly_observed IM s m
↔ composite_has_been_sent IM s m
  ∨ composite_has_been_received IM s m
  by apply composite_has_been_directly_observed_sent_received_iff.
Qed.

Lemma composite_has_been_directly_observed_from_component
  {message}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i : index, HasBeenSentCapability (IM i)}
  `{forall i : index, HasBeenReceivedCapability (IM i)}
  (s : composite_state IM)
  (i : index)
  (m : message)
  : has_been_directly_observed (IM i) (s i) m -> composite_has_been_directly_observed IM s m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
i: index
m: message
has_been_directly_observed (IM i) (s i) m
→ composite_has_been_directly_observed IM s m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
s: composite_state IM
i: index
m: message
has_been_directly_observed (IM i) (s i) m
→ composite_has_been_directly_observed IM s m by exists i. Qed.

Lemma composite_has_been_directly_observed_lift
  {message}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i : index, HasBeenSentCapability (IM i)}
  `{forall i : index, HasBeenReceivedCapability (IM i)}
  (i : index)
  (s : state (IM i))
  (Hs : constrained_state_prop (IM i) s)
  (m : message)
  : composite_has_been_directly_observed IM (lift_to_composite_state' IM i s) m
      <->
    has_been_directly_observed (IM i) s m.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
↔ has_been_directly_observed (IM i) s m
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
↔ has_been_directly_observed (IM i) s m
  pose (free_composite_vlsm IM) as Free.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
↔ has_been_directly_observed (IM i) s m
  assert (Hlift_s : constrained_state_prop Free (lift_to_composite_state' IM i s)).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
constrained_state_prop Free
  (lift_to_composite_state' IM i s)
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
↔ has_been_directly_observed (IM i) s m
  {message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
constrained_state_prop Free
  (lift_to_composite_state' IM i s) revert Hs.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
m: message
Free:= free_composite_vlsm IM: VLSM message
constrained_state_prop (IM i) s
→ constrained_state_prop Free
    (lift_to_composite_state' IM i s)  apply valid_state_preloaded_composite_free_lift. }message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
↔ has_been_directly_observed (IM i) s m
  split; intros Hobs.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
has_been_directly_observed (IM i) s m
message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: has_been_directly_observed (IM i) s m
composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
has_been_directly_observed (IM i) s m apply (proper_directly_observed (IM i)); [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
selected_message_exists_in_all_preloaded_traces (IM i)
  item_sends_or_receives s m
    intros is tr Htr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
trace_has_message item_sends_or_receives m tr
    apply composite_has_been_directly_observed_free_iff, proper_directly_observed in Hobs
    ; [| done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: selected_message_exists_in_all_preloaded_traces
  (free_composite_vlsm IM)
  item_sends_or_receives
  (lift_to_composite_state' IM i s) m
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
trace_has_message item_sends_or_receives m tr
    apply (VLSM_embedding_finite_valid_trace_init_to
      (lift_to_composite_preloaded_VLSM_embedding IM i)) in Htr as Hpre_tr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: selected_message_exists_in_all_preloaded_traces
  (free_composite_vlsm IM)
  item_sends_or_receives
  (lift_to_composite_state' IM i s) m
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
trace_has_message item_sends_or_receives m tr
    specialize (Hobs _ _ Hpre_tr).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
Hobs: trace_has_message item_sends_or_receives m
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
trace_has_message item_sends_or_receives m tr
    apply Exists_exists.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
Hobs: trace_has_message item_sends_or_receives m
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ x : transition_item,
  x ∈ tr ∧ item_sends_or_receives m x
    apply Exists_exists in Hobs.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
Hobs: ∃ x : transition_item,
  x
  ∈ VLSM_embedding_finite_trace_project
      (lift_to_composite_preloaded_VLSM_embedding
         IM i) tr ∧ item_sends_or_receives m x
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ x : transition_item,
  x ∈ tr ∧ item_sends_or_receives m x
    destruct Hobs as [composite_item [Hcomposite_item Hx]].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
composite_item: transition_item
Hcomposite_item: composite_item
∈ VLSM_embedding_finite_trace_project
    (lift_to_composite_preloaded_VLSM_embedding
       IM i) tr
Hx: item_sends_or_receives m composite_item
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ x : transition_item,
  x ∈ tr ∧ item_sends_or_receives m x
    apply elem_of_list_fmap_2 in Hcomposite_item as [item [Hcomposite_item Hitem]].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
composite_item, item: transition_item
Hcomposite_item: composite_item =
pre_VLSM_embedding_transition_item_project
  (preloaded_with_all_messages_vlsm
     (IM i))
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_label IM i)
  (lift_to_composite_state' IM i)
  item
Hitem: item ∈ tr
Hx: item_sends_or_receives m composite_item
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ x : transition_item,
  x ∈ tr ∧ item_sends_or_receives m x
    exists item.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
composite_item, item: transition_item
Hcomposite_item: composite_item =
pre_VLSM_embedding_transition_item_project
  (preloaded_with_all_messages_vlsm
     (IM i))
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_label IM i)
  (lift_to_composite_state' IM i)
  item
Hitem: item ∈ tr
Hx: item_sends_or_receives m composite_item
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
item ∈ tr ∧ item_sends_or_receives m item
    split; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
composite_item, item: transition_item
Hcomposite_item: composite_item =
pre_VLSM_embedding_transition_item_project
  (preloaded_with_all_messages_vlsm
     (IM i))
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_label IM i)
  (lift_to_composite_state' IM i)
  item
Hitem: item ∈ tr
Hx: item_sends_or_receives m composite_item
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
item_sends_or_receives m item
    subst composite_item.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
tr: list transition_item
item: transition_item
Hitem: item ∈ tr
Hx: item_sends_or_receives m
  (pre_VLSM_embedding_transition_item_project
     (preloaded_with_all_messages_vlsm (IM i))
     (preloaded_with_all_messages_vlsm
        (free_composite_vlsm IM))
     (lift_to_composite_label IM i)
     (lift_to_composite_state' IM i) item)
is: state (preloaded_with_all_messages_vlsm (IM i))
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
item_sends_or_receives m item
    by destruct item.
  -message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: has_been_directly_observed (IM i) s m
composite_has_been_directly_observed IM
  (lift_to_composite_state' IM i s) m apply composite_has_been_directly_observed_free_iff, proper_directly_observed; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: has_been_directly_observed (IM i) s m
selected_message_exists_in_all_preloaded_traces
  (free_composite_vlsm IM) item_sends_or_receives
  (lift_to_composite_state' IM i s) m
    apply has_been_directly_observed_consistency; [by typeclasses eauto | done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: has_been_directly_observed (IM i) s m
selected_message_exists_in_some_preloaded_traces
  (free_composite_vlsm IM) item_sends_or_receives
  (lift_to_composite_state' IM i s) m
    apply proper_directly_observed in Hobs ; [| done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: selected_message_exists_in_all_preloaded_traces
  (IM i) item_sends_or_receives s m
selected_message_exists_in_some_preloaded_traces
  (free_composite_vlsm IM) item_sends_or_receives
  (lift_to_composite_state' IM i s) m
    apply has_been_directly_observed_consistency in Hobs; [| by typeclasses eauto | done].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
Hobs: selected_message_exists_in_some_preloaded_traces
  (IM i) item_sends_or_receives s m
selected_message_exists_in_some_preloaded_traces
  (free_composite_vlsm IM) item_sends_or_receives
  (lift_to_composite_state' IM i s) m
    destruct Hobs as [is [tr [Htr Hobs]]].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hobs: trace_has_message item_sends_or_receives m tr
selected_message_exists_in_some_preloaded_traces
  (free_composite_vlsm IM) item_sends_or_receives
  (lift_to_composite_state' IM i s) m
    apply (VLSM_embedding_finite_valid_trace_init_to
      (lift_to_composite_preloaded_VLSM_embedding IM i)) in Htr as Hpre_tr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hobs: trace_has_message item_sends_or_receives m tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
selected_message_exists_in_some_preloaded_traces
  (free_composite_vlsm IM) item_sends_or_receives
  (lift_to_composite_state' IM i s) m
    eexists.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hobs: trace_has_message item_sends_or_receives m tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ (tr0 : list transition_item) (_ : finite_valid_trace_init_to
                                      (preloaded_with_all_messages_vlsm
                                         (free_composite_vlsm
                                            IM))
                                      ?start
                                      (lift_to_composite_state'
                                         IM i s) tr0),
  trace_has_message item_sends_or_receives m tr0 eexists.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hobs: trace_has_message item_sends_or_receives m tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ _ : finite_valid_trace_init_to
        (preloaded_with_all_messages_vlsm
           (free_composite_vlsm IM)) ?start
        (lift_to_composite_state' IM i s) ?tr,
  trace_has_message item_sends_or_receives m ?tr exists Hpre_tr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hobs: trace_has_message item_sends_or_receives m tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
trace_has_message item_sends_or_receives m
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding IM i)
     tr)
    apply Exists_exists.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hobs: trace_has_message item_sends_or_receives m tr
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ x : transition_item,
  x
  ∈ VLSM_embedding_finite_trace_project
      (lift_to_composite_preloaded_VLSM_embedding IM i)
      tr ∧ item_sends_or_receives m x
    apply Exists_exists in Hobs.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
Hobs: ∃ x : transition_item,
  x ∈ tr ∧ item_sends_or_receives m x
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ x : transition_item,
  x
  ∈ VLSM_embedding_finite_trace_project
      (lift_to_composite_preloaded_VLSM_embedding IM i)
      tr ∧ item_sends_or_receives m x
    destruct Hobs as [item [Hitem Hx]].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
item: transition_item
Hitem: item ∈ tr
Hx: item_sends_or_receives m item
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ x : transition_item,
  x
  ∈ VLSM_embedding_finite_trace_project
      (lift_to_composite_preloaded_VLSM_embedding IM i)
      tr ∧ item_sends_or_receives m x
    exists (lift_to_composite_transition_item' IM i item).message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
item: transition_item
Hitem: item ∈ tr
Hx: item_sends_or_receives m item
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
lift_to_composite_transition_item' IM i item
∈ VLSM_embedding_finite_trace_project
    (lift_to_composite_preloaded_VLSM_embedding IM i)
    tr
∧ item_sends_or_receives m
    (lift_to_composite_transition_item' IM i item)
    split; [| by destruct item].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
item: transition_item
Hitem: item ∈ tr
Hx: item_sends_or_receives m item
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
lift_to_composite_transition_item' IM i item
∈ VLSM_embedding_finite_trace_project
    (lift_to_composite_preloaded_VLSM_embedding IM i)
    tr
    apply elem_of_list_fmap.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenSentCapability (IM i)
H1: ∀ i : index, HasBeenReceivedCapability (IM i)
i: index
s: state (IM i)
Hs: constrained_state_prop (IM i) s
m: message
Free:= free_composite_vlsm IM: VLSM message
Hlift_s: constrained_state_prop Free
  (lift_to_composite_state' IM i s)
is: state (preloaded_with_all_messages_vlsm (IM i))
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm (IM i)) is s
  tr
item: transition_item
Hitem: item ∈ tr
Hx: item_sends_or_receives m item
Hpre_tr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm
     (free_composite_vlsm IM))
  (lift_to_composite_state' IM i is)
  (lift_to_composite_state' IM i s)
  (VLSM_embedding_finite_trace_project
     (lift_to_composite_preloaded_VLSM_embedding
        IM i) tr)
∃ y : transition_item,
  lift_to_composite_transition_item' IM i item =
  pre_VLSM_embedding_transition_item_project
    (preloaded_with_all_messages_vlsm (IM i))
    (preloaded_with_all_messages_vlsm
       (free_composite_vlsm IM))
    (lift_to_composite_label IM i)
    (lift_to_composite_state' IM i) y ∧ y ∈ tr
    by exists item.
Qed.

Section sec_CompositeComputableMessages.

Context
  `{EqDecision message}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  (indexed_oracle_set : forall i, state (IM i) -> set message)
  (indexed_message_selector : forall i, message -> transition_item (IM i) -> Prop)
  (Free := free_composite_vlsm IM)
  .

Definition composite_oracle_set (s : composite_state IM) : set message :=
  concat (map (fun i => indexed_oracle_set i (s i)) (enum index)).

Lemma elem_of_composite_oracle_set :
  forall (s : composite_state IM) (m : message),
    m ∈ composite_oracle_set s <-> exists i, m ∈ indexed_oracle_set i (s i).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (m : message),
  m ∈ composite_oracle_set s
  ↔ (∃ i : index, m ∈ indexed_oracle_set i (s i))
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
∀ (s : composite_state IM) (m : message),
  m ∈ composite_oracle_set s
  ↔ (∃ i : index, m ∈ indexed_oracle_set i (s i))
  intros; split; setoid_rewrite elem_of_list_In; setoid_rewrite in_concat;
    setoid_rewrite in_map_iff.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
m: message
(∃ x : list message,
   (∃ x0 : index,
      indexed_oracle_set x0 (s x0) = x
      ∧ In x0 (enum index)) ∧ In m x)
→ ∃ i : index, In m (indexed_oracle_set i (s i))
message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
m: message
(∃ i : index, In m (indexed_oracle_set i (s i)))
→ ∃ x : list message,
    (∃ x0 : index,
       indexed_oracle_set x0 (s x0) = x
       ∧ In x0 (enum index)) ∧ 
    In m x
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
m: message
(∃ x : list message,
   (∃ x0 : index,
      indexed_oracle_set x0 (s x0) = x
      ∧ In x0 (enum index)) ∧ In m x)
→ ∃ i : index, In m (indexed_oracle_set i (s i)) by intros (? & (? & <- & _) & ?); eexists.
  -message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
s: composite_state IM
m: message
(∃ i : index, In m (indexed_oracle_set i (s i)))
→ ∃ x : list message,
    (∃ x0 : index,
       indexed_oracle_set x0 (s x0) = x
       ∧ In x0 (enum index)) ∧ In m x by intros []; repeat esplit; [apply elem_of_list_In, elem_of_enum |].
Qed.

Lemma composite_computable_messages_oracle
   (Hcmos : forall i,
      computable_messages_oracle (IM i)
        (indexed_oracle_set i) (indexed_message_selector i))
  : computable_messages_oracle Free composite_oracle_set
      (composite_message_selector IM (message_selectors := indexed_message_selector)).message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
Hcmos: ∀ i : index,
  computable_messages_oracle 
    (IM i) (indexed_oracle_set i)
    (indexed_message_selector i)
computable_messages_oracle Free composite_oracle_set
  (composite_message_selector IM
     (message_selectors:=indexed_message_selector))
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
indexed_oracle_set: ∀ i : index,
  state (IM i) → set message
indexed_message_selector: ∀ i : index,
  message
  → transition_item → Prop
Free:= free_composite_vlsm IM: VLSM message
Hcmos: ∀ i : index,
  computable_messages_oracle 
    (IM i) (indexed_oracle_set i)
    (indexed_message_selector i)
computable_messages_oracle Free composite_oracle_set
  (composite_message_selector IM
     (message_selectors:=indexed_message_selector))
  by constructor; intros
  ; setoid_rewrite elem_of_composite_oracle_set
  ; apply free_composite_stepwise_props
     with (message_selectors := indexed_message_selector)
          (oracles := fun (i : index) (s : state (IM i)) (m : message) =>
            m ∈ indexed_oracle_set i s)
  ; [| done | | done]; intro; apply Hcmos.
Qed.

End sec_CompositeComputableMessages.

Section sec_composite_computable_sent_received_observed.

Context
  `{EqDecision message}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i, ComputableSentMessages (IM i)}
  `{forall i, ComputableReceivedMessages (IM i)}
  .

Definition composite_received_messages_set : composite_state IM -> list message :=
  composite_oracle_set IM (fun i => received_messages_set).

Definition composite_sent_messages_set : composite_state IM -> list message :=
  composite_oracle_set IM (fun i => sent_messages_set).

Definition composite_observed_messages_set (s : composite_state IM) : list message :=
  composite_sent_messages_set s ++ composite_received_messages_set s.

Lemma elem_of_composite_received_messages_set :
  forall (s : composite_state IM) (m : message),
    composite_has_been_received IM s m
      <->
    m ∈ composite_received_messages_set s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_received IM s m
  ↔ m ∈ composite_received_messages_set s
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_received IM s m
  ↔ m ∈ composite_received_messages_set s
  setoid_rewrite elem_of_composite_oracle_set.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_received IM s m
  ↔ (∃ i : index, m ∈ received_messages_set (s i))
  by split; intros [i Hi]; exists i; apply has_been_received_messages_set_iff.
Qed.

Lemma elem_of_composite_sent_messages_set :
  forall (s : composite_state IM) (m : message),
    composite_has_been_sent IM s m
      <->
    m ∈ composite_sent_messages_set s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_sent IM s m
  ↔ m ∈ composite_sent_messages_set s
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_sent IM s m
  ↔ m ∈ composite_sent_messages_set s
  setoid_rewrite elem_of_composite_oracle_set.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_sent IM s m
  ↔ (∃ i : index, m ∈ sent_messages_set (s i))
  by split; intros [i Hi]; exists i; apply elem_of_sent_messages_set.
Qed.

Lemma elem_of_composite_observed_messages_set :
  forall (s : composite_state IM) (m : message),
    composite_has_been_directly_observed IM s m
      <->
    m ∈ composite_observed_messages_set s.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_directly_observed IM s m
  ↔ m ∈ composite_observed_messages_set s
Proof.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
∀ (s : composite_state IM) (m : message),
  composite_has_been_directly_observed IM s m
  ↔ m ∈ composite_observed_messages_set s
  intros s m.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
s: composite_state IM
m: message
composite_has_been_directly_observed IM s m
↔ m ∈ composite_observed_messages_set s
  unfold composite_observed_messages_set.message: Type
EqDecision0: EqDecision message
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, ComputableSentMessages (IM i)
H1: ∀ i : index, ComputableReceivedMessages (IM i)
s: composite_state IM
m: message
composite_has_been_directly_observed IM s m
↔ m
  ∈ composite_sent_messages_set s ++
    composite_received_messages_set s
  by rewrite elem_of_app, composite_has_been_directly_observed_sent_received_iff,
     elem_of_composite_sent_messages_set, elem_of_composite_received_messages_set.
Qed.

End sec_composite_computable_sent_received_observed.

Section sec_cannot_resend_message.

Context
  {message : Type}
  `{EqDecision message}
  (X : VLSM message)
  `{HasBeenSentCapability message X}
  `{HasBeenReceivedCapability message X}
  .

Definition state_received_not_sent (s : state X) (m : message) : Prop :=
  has_been_received X s m /\ ~ has_been_sent X s m.

Lemma state_received_not_sent_trace_iff
  (m : message)
  (s is : state (preloaded_with_all_messages_vlsm X))
  (tr : list transition_item)
  (Htr : finite_constrained_trace_init_to X is s tr)
  : state_received_not_sent s m <-> trace_received_not_sent_before_or_after tr m.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
state_received_not_sent s m
↔ trace_received_not_sent_before_or_after tr m
Proof.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
state_received_not_sent s m
↔ trace_received_not_sent_before_or_after tr m
  assert (Hs : constrained_state_prop X s)
    by (apply proj1, valid_trace_last_pstate in Htr; done).message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
state_received_not_sent s m
↔ trace_received_not_sent_before_or_after tr m
  split; intros [Hbrm Hnbsm].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: has_been_received X s m
Hnbsm: ¬ has_been_sent X s m
trace_received_not_sent_before_or_after tr m
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
state_received_not_sent s m
  -message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: has_been_received X s m
Hnbsm: ¬ has_been_sent X s m
trace_received_not_sent_before_or_after tr m apply proper_received in Hbrm; [| done].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: selected_message_exists_in_all_preloaded_traces
  X (field_selector input) s m
Hnbsm: ¬ has_been_sent X s m
trace_received_not_sent_before_or_after tr m
    specialize (Hbrm is tr Htr).message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ has_been_sent X s m
trace_received_not_sent_before_or_after tr m
    split; [done |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ has_been_sent X s m
¬ trace_has_message (field_selector output) m tr
    intro Hbsm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ has_been_sent X s m
Hbsm: trace_has_message (field_selector output) m tr
False elim Hnbsm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ has_been_sent X s m
Hbsm: trace_has_message (field_selector output) m tr
has_been_sent X s m
    apply proper_sent; [done |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ has_been_sent X s m
Hbsm: trace_has_message (field_selector output) m tr
selected_message_exists_in_all_preloaded_traces X
  (field_selector output) s m
    by apply has_been_sent_consistency; [.. | exists is, tr, Htr].
  -message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
state_received_not_sent s m split.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
has_been_received X s m
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
¬ has_been_sent X s m
    +message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
has_been_received X s m apply proper_received; [done |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
selected_message_exists_in_all_preloaded_traces X
  (field_selector input) s m
      by apply has_been_received_consistency; [.. | exists is, tr, Htr].
    +message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
¬ has_been_sent X s m intro Hbsm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
Hbsm: has_been_sent X s m
False elim Hnbsm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
m: message
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
Hs: constrained_state_prop X s
Hbrm: trace_has_message (field_selector input) m tr
Hnbsm: ¬ trace_has_message (field_selector output) m
    tr
Hbsm: has_been_sent X s m
trace_has_message (field_selector output) m tr
      by apply proper_sent in Hbsm; [eapply Hbsm |].
Qed.

Definition state_received_not_sent_invariant
  (s : state X)
  (P : message -> Prop)
  : Prop
  := forall m, state_received_not_sent s m -> P m.

Lemma state_received_not_sent_invariant_trace_iff
  (P : message -> Prop)
  (s is : state (preloaded_with_all_messages_vlsm X))
  (tr : list transition_item)
  (Htr : finite_constrained_trace_init_to X is s tr)
  : state_received_not_sent_invariant s P <->
    trace_received_not_sent_before_or_after_invariant tr P.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
P: message → Prop
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
state_received_not_sent_invariant s P
↔ trace_received_not_sent_before_or_after_invariant tr
    P
Proof.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
P: message → Prop
s, is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_constrained_trace_init_to X is s tr
state_received_not_sent_invariant s P
↔ trace_received_not_sent_before_or_after_invariant tr
    P
  by split; intros Hinv m Hm
  ; apply Hinv
  ; apply (state_received_not_sent_trace_iff m s is tr Htr).
Qed.

A sent message cannot have been previously sent or received.

Definition cannot_resend_message_stepwise_prop : Prop :=
  forall l s oim s' m,
    input_constrained_transition X l (s, oim) (s', Some m) ->
    ~ has_been_sent X s m /\ ~ has_been_received X s' m.

Lemma cannot_resend_received_message_in_future
  (Hno_resend : cannot_resend_message_stepwise_prop)
  (s1 s2 : state (preloaded_with_all_messages_vlsm X))
  (Hfuture : in_futures (preloaded_with_all_messages_vlsm X) s1 s2)
  : forall m : message,
    state_received_not_sent s1 m -> state_received_not_sent s2 m.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s1, s2: state (preloaded_with_all_messages_vlsm X)
Hfuture: in_futures
  (preloaded_with_all_messages_vlsm X) s1 s2
∀ m : message,
  state_received_not_sent s1 m
  → state_received_not_sent s2 m
Proof.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s1, s2: state (preloaded_with_all_messages_vlsm X)
Hfuture: in_futures
  (preloaded_with_all_messages_vlsm X) s1 s2
∀ m : message,
  state_received_not_sent s1 m
  → state_received_not_sent s2 m
  intros m Hm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s1, s2: state (preloaded_with_all_messages_vlsm X)
Hfuture: in_futures
  (preloaded_with_all_messages_vlsm X) s1 s2
m: message
Hm: state_received_not_sent s1 m
state_received_not_sent s2 m
  destruct Hfuture as [tr2 Htr2].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s1, s2: state (preloaded_with_all_messages_vlsm X)
tr2: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s1 s2
  tr2
m: message
Hm: state_received_not_sent s1 m
state_received_not_sent s2 m
  induction Htr2; [done |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s, f: state (preloaded_with_all_messages_vlsm X)
tl: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s f tl
s': state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s', iom) (s, oom)
m: message
Hm: state_received_not_sent s' m
IHHtr2: state_received_not_sent s m
→ state_received_not_sent f m
state_received_not_sent f m
  apply IHHtr2; clear IHHtr2.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s, f: state (preloaded_with_all_messages_vlsm X)
tl: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s f tl
s': state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s', iom) (s, oom)
m: message
Hm: state_received_not_sent s' m
state_received_not_sent s m
  pose proof (Hrupd := has_been_received_step_update Ht m).message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s, f: state (preloaded_with_all_messages_vlsm X)
tl: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s f tl
s': state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s', iom) (s, oom)
m: message
Hm: state_received_not_sent s' m
Hrupd: has_been_received X s m
↔ iom = Some m ∨ has_been_received X s' m
state_received_not_sent s m
  pose proof (Hmupd := has_been_sent_step_update Ht m).message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s, f: state (preloaded_with_all_messages_vlsm X)
tl: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s f tl
s': state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s', iom) (s, oom)
m: message
Hm: state_received_not_sent s' m
Hrupd: has_been_received X s m
↔ iom = Some m ∨ has_been_received X s' m
Hmupd: has_been_sent X s m
↔ oom = Some m ∨ has_been_sent X s' m
state_received_not_sent s m
  destruct Hm as [Hr Hs].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s, f: state (preloaded_with_all_messages_vlsm X)
tl: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s f tl
s': state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s', iom) (s, oom)
m: message
Hr: has_been_received X s' m
Hs: ¬ has_been_sent X s' m
Hrupd: has_been_received X s m
↔ iom = Some m ∨ has_been_received X s' m
Hmupd: has_been_sent X s m
↔ oom = Some m ∨ has_been_sent X s' m
state_received_not_sent s m
  split; [by itauto |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s, f: state (preloaded_with_all_messages_vlsm X)
tl: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s f tl
s': state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s', iom) (s, oom)
m: message
Hr: has_been_received X s' m
Hs: ¬ has_been_sent X s' m
Hrupd: has_been_received X s m
↔ iom = Some m ∨ has_been_received X s' m
Hmupd: has_been_sent X s m
↔ oom = Some m ∨ has_been_sent X s' m
¬ has_been_sent X s m
  intros [-> |]%Hmupd; [| by apply Hs].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
s, f: state (preloaded_with_all_messages_vlsm X)
tl: list transition_item
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) s f tl
s': state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (s', iom) (s, Some m)
Hr: has_been_received X s' m
Hs: ¬ has_been_sent X s' m
Hrupd: has_been_received X s m
↔ iom = Some m ∨ has_been_received X s' m
Hmupd: has_been_sent X s m
↔ Some m = Some m ∨ has_been_sent X s' m
False
  by apply Hno_resend in Ht; itauto.
Qed.

Context
  (Hno_resend : cannot_resend_message_stepwise_prop)
  .

Lemma input_valid_transition_received_not_resent l s m s' om'
  (Ht : input_constrained_transition X l (s, Some m) (s', om'))
  : om' <> Some m.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
om': option message
Ht: input_constrained_transition X l (
  s, Some m) (s', om')
om' ≠ Some m
Proof.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
om': option message
Ht: input_constrained_transition X l (
  s, Some m) (s', om')
om' ≠ Some m
  destruct om' as [m' |]; [| by congruence].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
m': message
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m')
Some m' ≠ Some m
  intro Heq.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
m': message
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m')
Heq: Some m' = Some m
False inversion Heq.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
m': message
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m')
Heq: Some m' = Some m
H2: m' = m
False subst m'.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
Heq: Some m = Some m
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m)
False clear Heq.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m)
False
  destruct (Hno_resend _ _ _ _ _ Ht) as [_ Hnbr_m].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m)
Hnbr_m: ¬ has_been_received X s' m
False
  elim Hnbr_m.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m)
Hnbr_m: ¬ has_been_received X s' m
has_been_received X s' m clear Hnbr_m.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
Ht: input_constrained_transition X l (
  s, Some m) (s', Some m)
has_been_received X s' m
  apply exists_right_finite_trace_from in Ht.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s': state (preloaded_with_all_messages_vlsm X)
Ht: ∃ (s0 : state
          (preloaded_with_all_messages_vlsm X)) 
  (ts : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm X) s0 s'
    (ts ++
     [{|
        l := l;
        input := Some m;
        destination := s';
        output := Some m
      |}]) ∧ finite_trace_last s0 ts = s
has_been_received X s' m
  destruct Ht as [is [tr [Htr Hs]]].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s', is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
Hs: finite_trace_last is tr = s
has_been_received X s' m
  apply proj1 in Htr as Hlst.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s', is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
Hs: finite_trace_last is tr = s
Hlst: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
has_been_received X s' m apply finite_valid_trace_from_to_last_pstate in Hlst.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s', is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
Hs: finite_trace_last is tr = s
Hlst: valid_state_prop
  (preloaded_with_all_messages_vlsm X) s'
has_been_received X s' m
  apply proper_received; [done |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s', is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
Hs: finite_trace_last is tr = s
Hlst: valid_state_prop
  (preloaded_with_all_messages_vlsm X) s'
selected_message_exists_in_all_preloaded_traces X
  (field_selector input) s' m
  apply has_been_received_consistency; [done | done |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s', is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
Hs: finite_trace_last is tr = s
Hlst: valid_state_prop
  (preloaded_with_all_messages_vlsm X) s'
selected_message_exists_in_some_preloaded_traces X
  (field_selector input) s' m
  exists _, _, Htr.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
l: label (preloaded_with_all_messages_vlsm X)
s: state (preloaded_with_all_messages_vlsm X)
m: message
s', is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s'
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
Hs: finite_trace_last is tr = s
Hlst: valid_state_prop
  (preloaded_with_all_messages_vlsm X) s'
trace_has_message (field_selector input) m
  (tr ++
   [{|
      l := l;
      input := Some m;
      destination := s';
      output := Some m
    |}])
  by apply Exists_app; right; apply Exists_cons; left.
Qed.

Lemma lift_preloaded_trace_to_seeded
  (P : message -> Prop)
  (tr : list transition_item)
  (Htrm : trace_received_not_sent_before_or_after_invariant tr P)
  (is : state (preloaded_with_all_messages_vlsm X))
  (Htr : finite_constrained_trace X is tr)
  : finite_valid_trace (preloaded_vlsm X P) is tr.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
Htrm: trace_received_not_sent_before_or_after_invariant
  tr P
is: state (preloaded_with_all_messages_vlsm X)
Htr: finite_constrained_trace X is tr
finite_valid_trace (preloaded_vlsm X P) is tr
Proof.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
Htrm: trace_received_not_sent_before_or_after_invariant
  tr P
is: state (preloaded_with_all_messages_vlsm X)
Htr: finite_constrained_trace X is tr
finite_valid_trace (preloaded_vlsm X P) is tr
  unfold trace_received_not_sent_before_or_after_invariant in Htrm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after tr m
  → P m
is: state (preloaded_with_all_messages_vlsm X)
Htr: finite_constrained_trace X is tr
finite_valid_trace (preloaded_vlsm X P) is tr
  split; [| by apply Htr].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after tr m
  → P m
is: state (preloaded_with_all_messages_vlsm X)
Htr: finite_constrained_trace X is tr
finite_valid_trace_from (preloaded_vlsm X P) is tr
  induction Htr using finite_valid_trace_rev_ind; intros.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after [] m
  → P m
si: state (preloaded_with_all_messages_vlsm X)
Hsi: initial_state_prop si
finite_valid_trace_from (preloaded_vlsm X P) si []
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
finite_valid_trace_from 
  (preloaded_vlsm X P) si 
  (tr ++ [x])
  -message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after [] m
  → P m
si: state (preloaded_with_all_messages_vlsm X)
Hsi: initial_state_prop si
finite_valid_trace_from (preloaded_vlsm X P) si [] rapply @finite_valid_trace_from_empty.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after [] m
  → P m
si: state (preloaded_with_all_messages_vlsm X)
Hsi: initial_state_prop si
valid_state_prop (preloaded_vlsm X P) si
    by apply initial_state_is_valid.
  -message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
finite_valid_trace_from (preloaded_vlsm X P) si
  (tr ++ [x]) assert (trace_received_not_sent_before_or_after_invariant tr P) as Htrm'.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
trace_received_not_sent_before_or_after_invariant tr P
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
finite_valid_trace_from 
  (preloaded_vlsm X P) si 
  (tr ++ [x])
    {message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
trace_received_not_sent_before_or_after_invariant tr P intros m [Hrecv Hsend].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: ¬ trace_has_message (field_selector output) m
    tr
P m apply (Htrm m); clear Htrm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: ¬ trace_has_message (field_selector output) m
    tr
trace_received_not_sent_before_or_after (tr ++ [x]) m
      split; [by apply Exists_app; left |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: ¬ trace_has_message (field_selector output) m
    tr
¬ trace_has_message (field_selector output) m
    (tr ++ [x])
      contradict Hsend.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: trace_has_message (field_selector output) m
  (tr ++ [x])
trace_has_message (field_selector output) m tr
      unfold trace_has_message in Hsend.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) (tr ++ [x])
trace_has_message (field_selector output) m tr
      rewrite Exists_app, Exists_cons, Exists_nil in Hsend.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ field_selector output m x ∨ False
trace_has_message (field_selector output) m tr
      simpl in Hsend.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ oom = Some m ∨ False
trace_has_message (field_selector output) m tr
      cut (oom <> Some m); [by itauto |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
m: message
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ oom = Some m ∨ False
oom ≠ Some m
      intros ->.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
False
      cut (has_been_received X sf m); [by apply (Hno_resend _ _ _ _ _ Hx) |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
has_been_received X sf m
      apply (has_been_received_step_update Hx); right.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
has_been_received X (finite_trace_last si tr) m
      erewrite oracle_partial_trace_update.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
trace_has_message ?Goal1 m ?Goal4
∨ has_been_received X ?Goal3 m
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
oracle_stepwise_props ?Goal1 (has_been_received X)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
finite_constrained_trace_from_to X 
  ?Goal3 (finite_trace_last si tr) 
  ?Goal4
      -message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
trace_has_message ?Goal1 m ?Goal4
∨ has_been_received X ?Goal3 m by left.
      -message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
oracle_stepwise_props (field_selector input)
  (has_been_received X) by apply has_been_received_stepwise_props.
      -message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom: option message
l: label (preloaded_with_all_messages_vlsm X)
m: message
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := Some m
|}: transition_item
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, Some m)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Hrecv: trace_has_message (field_selector input) m tr
Hsend: Exists (field_selector output m) tr
∨ Some m = Some m ∨ False
finite_constrained_trace_from_to X ?Goal0
  (finite_trace_last si tr) tr by apply valid_trace_add_default_last in Htr; apply Htr.
    }message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: (∀ m : message,
   trace_received_not_sent_before_or_after tr
     m → P m)
→ finite_valid_trace_from 
    (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
finite_valid_trace_from (preloaded_vlsm X P) si
  (tr ++ [x])
    specialize (IHHtr Htrm').message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
finite_valid_trace_from (preloaded_vlsm X P) si
  (tr ++ [x])
    apply (extend_right_finite_trace_from _ IHHtr).message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
input_valid_transition (preloaded_vlsm X P) l
  (finite_trace_last si tr, iom) (sf, oom)
    repeat split; try apply Hx;
    [by apply finite_valid_trace_last_pstate |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
iom, oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := iom;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, iom) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
option_valid_message_prop (preloaded_vlsm X P) iom
    destruct iom as [m |]; [| by apply option_valid_message_None].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
option_valid_message_prop (preloaded_vlsm X P)
  (Some m)
    (*
      If m was sent during tr, it is valid because it was
      produced in a valid (by IHHtr) trace.
      If m was not sent during tr,
    *)
    assert (Decision (trace_has_message (field_selector output) m tr)) as [Hsent | Hnot_sent].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Decision
  (trace_has_message (field_selector output) m tr)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: trace_has_message (field_selector output) m tr
option_valid_message_prop 
  (preloaded_vlsm X P) 
  (Some m)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
option_valid_message_prop 
  (preloaded_vlsm X P) 
  (Some m)
    apply (@Exists_dec _).message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
∀ x : transition_item,
  Decision (field_selector output m x)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: trace_has_message (field_selector output) m tr
option_valid_message_prop 
  (preloaded_vlsm X P) 
  (Some m)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
option_valid_message_prop 
  (preloaded_vlsm X P) 
  (Some m) intros.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
x0: transition_item
Decision (field_selector output m x0)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: trace_has_message (field_selector output) m tr
option_valid_message_prop 
  (preloaded_vlsm X P) 
  (Some m)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
option_valid_message_prop 
  (preloaded_vlsm X P) 
  (Some m) apply decide_eq.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: trace_has_message (field_selector output) m tr
option_valid_message_prop (preloaded_vlsm X P)
  (Some m)
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
option_valid_message_prop 
  (preloaded_vlsm X P) 
  (Some m)
    +message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: trace_has_message (field_selector output) m tr
option_valid_message_prop (preloaded_vlsm X P)
  (Some m) by eapply valid_trace_output_is_valid.
    +message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
option_valid_message_prop (preloaded_vlsm X P)
  (Some m) apply initial_message_is_valid.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
initial_message_prop m
      right.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
P m apply Htrm.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
trace_received_not_sent_before_or_after (tr ++ [x]) m
      split.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
trace_has_message (field_selector input) m (tr ++ [x])
message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
¬ trace_has_message (field_selector output) m
    (tr ++ [x])
      *message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
trace_has_message (field_selector input) m (tr ++ [x]) by apply Exists_app; right; apply Exists_cons; left.
      *message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hnot_sent: ¬ trace_has_message
    (field_selector output) m tr
¬ trace_has_message (field_selector output) m
    (tr ++ [x]) intro Hsent; destruct Hnot_sent.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: trace_has_message (field_selector output) m
  (tr ++ [x])
trace_has_message (field_selector output) m tr
        unfold trace_has_message in Hsent.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: Exists (field_selector output m) (tr ++ [x])
trace_has_message (field_selector output) m tr
        rewrite Exists_app, Exists_cons, Exists_nil in Hsent.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
oom: option message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := oom
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, oom)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hsent: Exists (field_selector output m) tr
∨ field_selector output m x ∨ False
trace_has_message (field_selector output) m tr
        destruct Hsent as [Hsent | [[= ->] | []]]; [done | exfalso].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := Some m
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, Some m)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
False
        apply Hno_resend in Hx as Hx'.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := Some m
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, Some m)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
Hx': ¬ has_been_sent X (finite_trace_last si tr) m
∧ ¬ has_been_received X sf m
False
        apply (proj2 Hx'); clear Hx'.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
tr: list transition_item
sf: state (preloaded_with_all_messages_vlsm X)
m: message
l: label (preloaded_with_all_messages_vlsm X)
x:= {|
  l := l;
  input := Some m;
  destination := sf;
  output := Some m
|}: transition_item
Htrm: ∀ m : message,
  trace_received_not_sent_before_or_after
    (tr ++ [x]) m → P m
si: state (preloaded_with_all_messages_vlsm X)
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) si tr
Hx: input_valid_transition
  (preloaded_with_all_messages_vlsm X) l
  (finite_trace_last si tr, Some m) (
  sf, Some m)
IHHtr: finite_valid_trace_from 
  (preloaded_vlsm X P) si tr
Htrm': trace_received_not_sent_before_or_after_invariant
  tr P
has_been_received X sf m
        by rewrite (has_been_received_step_update Hx); left.
Qed.

Lemma lift_preloaded_state_to_seeded
  (P : message -> Prop)
  (s : state X)
  (Hequiv_s : state_received_not_sent_invariant s P)
  (Hs : constrained_state_prop X s)
  : valid_state_prop (preloaded_vlsm X P) s.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
valid_state_prop (preloaded_vlsm X P) s
Proof.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
valid_state_prop (preloaded_vlsm X P) s
  apply valid_state_has_trace in Hs as Htr.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
Htr: ∃ (is : state
          (preloaded_with_all_messages_vlsm X)) 
  (tr : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm X) is s tr
valid_state_prop (preloaded_vlsm X P) s
  destruct Htr as [is [tr Htr]].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s tr
valid_state_prop (preloaded_vlsm X P) s
  specialize (lift_preloaded_trace_to_seeded P tr) as Hlift.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s tr
Hlift: trace_received_not_sent_before_or_after_invariant
  tr P
→ ∀ is : state
           (preloaded_with_all_messages_vlsm X),
    finite_constrained_trace X is tr
    → finite_valid_trace 
        (preloaded_vlsm X P) is tr
valid_state_prop (preloaded_vlsm X P) s
  spec Hlift; [by revert Hequiv_s; apply state_received_not_sent_invariant_trace_iff with is |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s tr
Hlift: ∀ is : state
         (preloaded_with_all_messages_vlsm X),
  finite_constrained_trace X is tr
  → finite_valid_trace 
      (preloaded_vlsm X P) is tr
valid_state_prop (preloaded_vlsm X P) s
  specialize (Hlift _ (valid_trace_forget_last Htr)).message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s tr
Hlift: finite_valid_trace (preloaded_vlsm X P) is tr
valid_state_prop (preloaded_vlsm X P) s
  apply proj1 in Hlift.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s tr
Hlift: finite_valid_trace_from 
  (preloaded_vlsm X P) is tr
valid_state_prop (preloaded_vlsm X P) s
  apply finite_valid_trace_last_pstate in Hlift.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
Hs: constrained_state_prop X s
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) is s tr
Hlift: valid_state_prop (preloaded_vlsm X P)
  (finite_trace_last is tr)
valid_state_prop (preloaded_vlsm X P) s
  by rewrite <- (valid_trace_get_last Htr).
Qed.

Lemma lift_generated_to_seeded
  (P : message -> Prop)
  (s : state X)
  (Hequiv_s : state_received_not_sent_invariant s P)
  (m : message)
  (Hgen : can_produce (preloaded_with_all_messages_vlsm X) s m)
  : can_produce (preloaded_vlsm X P) s m.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
Hgen: can_produce
  (preloaded_with_all_messages_vlsm X) s m
can_produce (preloaded_vlsm X P) s m
Proof.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
Hgen: can_produce
  (preloaded_with_all_messages_vlsm X) s m
can_produce (preloaded_vlsm X P) s m
  apply non_empty_valid_trace_from_can_produce.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
Hgen: can_produce
  (preloaded_with_all_messages_vlsm X) s m
∃ (is : state (preloaded_vlsm X P)) (tr : list
                                            transition_item) 
  (item : transition_item),
  finite_valid_trace (preloaded_vlsm X P) is tr
  ∧ last_error tr = Some item
    ∧ destination item = s ∧ output item = Some m
  apply non_empty_valid_trace_from_can_produce in Hgen.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
Hgen: ∃ (is : state
          (preloaded_with_all_messages_vlsm X)) 
  (tr : list transition_item) 
  (item : transition_item),
  finite_valid_trace
    (preloaded_with_all_messages_vlsm X) is tr
  ∧ last_error tr = Some item
    ∧ destination item = s
      ∧ output item = Some m
∃ (is : state (preloaded_vlsm X P)) (tr : list
                                            transition_item) 
  (item : transition_item),
  finite_valid_trace (preloaded_vlsm X P) is tr
  ∧ last_error tr = Some item
    ∧ destination item = s ∧ output item = Some m
  destruct Hgen as [is [tr [item [Htr Hgen]]]].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
∃ (is : state (preloaded_vlsm X P)) (tr : list
                                            transition_item) 
  (item : transition_item),
  finite_valid_trace (preloaded_vlsm X P) is tr
  ∧ last_error tr = Some item
    ∧ destination item = s ∧ output item = Some m
  exists is, tr, item.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
finite_valid_trace (preloaded_vlsm X P) is tr
∧ last_error tr = Some item
  ∧ destination item = s ∧ output item = Some m split; [| done].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
finite_valid_trace (preloaded_vlsm X P) is tr
  specialize (lift_preloaded_trace_to_seeded P tr) as Hlift.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
Hlift: trace_received_not_sent_before_or_after_invariant
  tr P
→ ∀ is : state
           (preloaded_with_all_messages_vlsm X),
    finite_constrained_trace X is tr
    → finite_valid_trace 
        (preloaded_vlsm X P) is tr
finite_valid_trace (preloaded_vlsm X P) is tr
  apply Hlift; [| done].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
Hequiv_s: state_received_not_sent_invariant s P
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
Hlift: trace_received_not_sent_before_or_after_invariant
  tr P
→ ∀ is : state
           (preloaded_with_all_messages_vlsm X),
    finite_constrained_trace X is tr
    → finite_valid_trace 
        (preloaded_vlsm X P) is tr
trace_received_not_sent_before_or_after_invariant tr P
  revert Hequiv_s.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
Hlift: trace_received_not_sent_before_or_after_invariant
  tr P
→ ∀ is : state
           (preloaded_with_all_messages_vlsm X),
    finite_constrained_trace X is tr
    → finite_valid_trace 
        (preloaded_vlsm X P) is tr
state_received_not_sent_invariant s P
→ trace_received_not_sent_before_or_after_invariant tr
    P
  apply state_received_not_sent_invariant_trace_iff with is.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
Hlift: trace_received_not_sent_before_or_after_invariant
  tr P
→ ∀ is : state
           (preloaded_with_all_messages_vlsm X),
    finite_constrained_trace X is tr
    → finite_valid_trace 
        (preloaded_vlsm X P) is tr
finite_constrained_trace_init_to X is s tr
  eapply valid_trace_add_last in Htr; [done |].message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
Hlift: trace_received_not_sent_before_or_after_invariant
  tr P
→ ∀ is : state
           (preloaded_with_all_messages_vlsm X),
    finite_constrained_trace X is tr
    → finite_valid_trace 
        (preloaded_vlsm X P) is tr
finite_trace_last is tr = s
  apply last_error_destination_last.message: Type
EqDecision0: EqDecision message
X: VLSM message
H: HasBeenSentCapability X
H0: HasBeenReceivedCapability X
Hno_resend: cannot_resend_message_stepwise_prop
P: message → Prop
s: state X
m: message
is: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm X) is tr
Hgen: last_error tr = Some item
∧ destination item = s ∧ output item = Some m
Hlift: trace_received_not_sent_before_or_after_invariant
  tr P
→ ∀ is : state
           (preloaded_with_all_messages_vlsm X),
    finite_constrained_trace X is tr
    → finite_valid_trace 
        (preloaded_vlsm X P) is tr
option_map destination (last_error tr) = Some s
  by destruct Hgen as [-> [<- _]].
Qed.

End sec_cannot_resend_message.

Section sec_has_been_sent_irrelevance.

Since we have several ways of obtaining the has_been_sent property, we sometimes need to show that they are equivalent.

Context
  {message : Type}
  (X : VLSM message)
  (Hbs1 : HasBeenSentCapability X)
  (Hbs2 : HasBeenSentCapability X)
  .

Lemma has_been_sent_irrelevance
  (s : state (preloaded_with_all_messages_vlsm X))
  (m : message)
  (Hs : constrained_state_prop X s)
  : @has_been_sent _ X Hbs1 s m -> @has_been_sent _ X Hbs2 s m.message: Type
X: VLSM message
Hbs1, Hbs2: HasBeenSentCapability X
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hs: constrained_state_prop X s
has_been_sent X s m → has_been_sent X s m
Proof.message: Type
X: VLSM message
Hbs1, Hbs2: HasBeenSentCapability X
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hs: constrained_state_prop X s
has_been_sent X s m → has_been_sent X s m
  intro H.message: Type
X: VLSM message
Hbs1, Hbs2: HasBeenSentCapability X
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hs: constrained_state_prop X s
H: has_been_sent X s m
has_been_sent X s m
  apply proper_sent in H; [| done].message: Type
X: VLSM message
Hbs1, Hbs2: HasBeenSentCapability X
s: state (preloaded_with_all_messages_vlsm X)
m: message
Hs: constrained_state_prop X s
H: selected_message_exists_in_all_preloaded_traces X
  (field_selector output) s m
has_been_sent X s m
  by apply proper_sent.
Qed.

End sec_has_been_sent_irrelevance.

Section sec_all_traces_to_valid_state_are_valid.

Context
  {message : Type}
  {index : Type}
  `{finite.Finite index}
  (IM : index -> VLSM message)
  `{forall i : index, (HasBeenReceivedCapability (IM i))}
  (constraint : composite_label IM -> composite_state IM * option message -> Prop)
  (X := composite_vlsm IM constraint)
  (Y := free_composite_vlsm IM)
  (PreY := preloaded_with_all_messages_vlsm Y).

Under HasBeenReceivedCapability assumptions, and given the fact that any valid state s has a valid trace leading to it, in which all (received) messages are valid, it follows that any message which has_been_received for state s is valid.

Hence, given any preloaded trace leading to s, all messages received within it must be valid, thus the trace itself is valid.

Lemma all_pre_traces_to_valid_state_are_valid_free
  (s is : state PreY) (tr : list (transition_item PreY))
  (Hs : valid_state_prop Y s)
  (Htr : finite_constrained_trace_init_to Y is s tr)
  : finite_valid_trace_init_to Y is s tr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_constrained_trace_init_to Y is s tr
finite_valid_trace_init_to Y is s tr
Proof.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_constrained_trace_init_to Y is s tr
finite_valid_trace_init_to Y is s tr
  apply pre_traces_with_valid_inputs_are_valid in Htr; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_constrained_trace_init_to Y is s tr
Forall
  (λ item : transition_item,
     option_valid_message_prop Y (input item)) tr
  red in Htr; apply valid_trace_last_pstate in Htr as Hspre.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
Forall
  (λ item : transition_item,
     option_valid_message_prop Y (input item)) tr
  apply Forall_forall; intros.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
option_valid_message_prop Y (input x)
  destruct (input x) as [m |] eqn: Hm; [| by apply option_valid_message_None].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
m: message
Hm: input x = Some m
option_valid_message_prop Y (Some m)
  eapply received_valid; cbn; [done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
m: message
Hm: input x = Some m
composite_has_been_received IM s m
  specialize (proper_received _ s Hspre m) as Hproper.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
m: message
Hm: input x = Some m
Hproper: has_been_received_prop Y
  (has_been_received Y) s m
composite_has_been_received IM s m
  apply proj2 in Hproper.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
m: message
Hm: input x = Some m
Hproper: selected_message_exists_in_all_preloaded_traces
  Y (field_selector input) s m
→ has_been_received Y s m
composite_has_been_received IM s m apply Hproper.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
m: message
Hm: input x = Some m
Hproper: selected_message_exists_in_all_preloaded_traces
  Y (field_selector input) s m
→ has_been_received Y s m
selected_message_exists_in_all_preloaded_traces Y
  (field_selector input) s m
  apply has_been_received_consistency; [by typeclasses eauto | done |].message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
m: message
Hm: input x = Some m
Hproper: selected_message_exists_in_all_preloaded_traces
  Y (field_selector input) s m
→ has_been_received Y s m
selected_message_exists_in_some_preloaded_traces Y
  (field_selector input) s m
  exists is, tr, Htr.message, index: Type
EqDecision0: EqDecision index
H: finite.Finite index
IM: index → VLSM message
H0: ∀ i : index, HasBeenReceivedCapability (IM i)
constraint: composite_label IM
→ composite_state IM * option message
  → Prop
X:= composite_vlsm IM constraint: VLSM message
Y:= free_composite_vlsm IM: VLSM message
PreY:= preloaded_with_all_messages_vlsm Y: VLSM message
s, is: state PreY
tr: list transition_item
Hs: valid_state_prop Y s
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Y) is s tr
Hspre: valid_state_prop
  (preloaded_with_all_messages_vlsm Y) s
x: transition_item
H1: x ∈ tr
m: message
Hm: input x = Some m
Hproper: selected_message_exists_in_all_preloaded_traces
  Y (field_selector input) s m
→ has_been_received Y s m
trace_has_message (field_selector input) m tr
  by apply Exists_exists; eexists.
Qed.

End sec_all_traces_to_valid_state_are_valid.

Section sec_has_been_received_in_state.

Context
  {message : Type}
  (X : VLSM message)
  `{HasBeenReceivedCapability message X}
  .

Lemma has_been_received_in_state s1 m :
  valid_state_prop X s1 ->
  has_been_received X s1 m ->
  exists (s0 : state X) (item : transition_item) (tr : list transition_item),
    input item = Some m /\
    finite_valid_trace_from_to X s0 s1 (item :: tr).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
valid_state_prop X s1
→ has_been_received X s1 m
  → ∃ (s0 : state X) (item : transition_item) (tr : 
                                               list
                                                 transition_item),
      input item = Some m
      ∧ finite_valid_trace_from_to X s0 s1
          (item :: tr)
Proof.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
valid_state_prop X s1
→ has_been_received X s1 m
  → ∃ (s0 : state X) (item : transition_item) (tr : 
                                               list
                                                 transition_item),
      input item = Some m
      ∧ finite_valid_trace_from_to X s0 s1
          (item :: tr)
  intros Hpsp Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
Hhbr: has_been_received X s1 m
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  pose proof (Hetr := valid_state_has_trace _ _ Hpsp).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
Hhbr: has_been_received X s1 m
Hetr: ∃ (is : state X) (tr : list transition_item),
  finite_valid_trace_init_to X is s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  destruct Hetr as [ist [tr Hetr]].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
Hhbr: has_been_received X s1 m
ist: state X
tr: list transition_item
Hetr: finite_valid_trace_init_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  apply proper_received in Hhbr; [| by apply preloaded_with_all_messages_valid_state_prop, Hpsp].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
Hhbr: selected_message_exists_in_all_preloaded_traces
  X (field_selector input) s1 m
ist: state X
tr: list transition_item
Hetr: finite_valid_trace_init_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  unfold selected_message_exists_in_all_preloaded_traces in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
Hhbr: specialized_selected_message_exists_in_all_traces
  (preloaded_with_all_messages_vlsm X)
  (field_selector input) s1 m
ist: state X
tr: list transition_item
Hetr: finite_valid_trace_init_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  unfold specialized_selected_message_exists_in_all_traces in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
Hhbr: ∀ (start : state
             (preloaded_with_all_messages_vlsm
                X)) (tr : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm X) start
    s1 tr
  → trace_has_message (field_selector input) m
      tr
ist: state X
tr: list transition_item
Hetr: finite_valid_trace_init_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  specialize (Hhbr ist tr).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
→ trace_has_message (field_selector input) m tr
Hetr: finite_valid_trace_init_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  unfold finite_valid_trace_init_to in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
→ trace_has_message (field_selector input) m tr
Hetr: finite_valid_trace_init_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  unfold finite_valid_trace_init_to in Hetr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
→ trace_has_message (field_selector input) m tr
Hetr: finite_valid_trace_from_to X ist s1 tr
∧ initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  destruct Hetr as [Hfptf Hisp].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
→ trace_has_message (field_selector input) m tr
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  pose proof (Hfptf' := preloaded_weaken_finite_valid_trace_from_to _ _ _ _ Hfptf).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
→ trace_has_message (field_selector input) m tr
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
Hfptf': finite_constrained_trace_from_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  specialize (Hhbr (conj Hfptf' Hisp)).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: trace_has_message (field_selector input) m tr
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
Hfptf': finite_constrained_trace_from_to X ist s1 tr
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  clear Hfptf'.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: trace_has_message (field_selector input) m tr
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  unfold trace_has_message in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: Exists (field_selector input m) tr
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr) unfold field_selector in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: Exists
  (λ item : transition_item,
     input item = Some m) tr
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  apply Exists_exists in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
Hhbr: ∃ x : transition_item,
  x ∈ tr ∧ input x = Some m
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  destruct Hhbr as [tritem [Htritemin Hintritem]].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
Htritemin: tritem ∈ tr
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  apply elem_of_list_split in Htritemin.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
Htritemin: ∃ l1 l2 : list transition_item,
  tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  destruct Htritemin as [l1 [l2 Heqtr]].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to X ist s1 tr
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  rewrite Heqtr in Hfptf.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to X ist s1
  (l1 ++ tritem :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  apply (finite_valid_trace_from_to_app_split X) in Hfptf.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
∧ finite_valid_trace_from_to X
    (finite_trace_last ist l1) s1
    (tritem :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  destruct Hfptf as [Htr1 Htr2].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Htr1: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to X
  (finite_trace_last ist l1) s1 
  (tritem :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  destruct tritem eqn: Heqtritem.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
input: option message
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtritem: tritem =
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|}
Heqtr: tr =
l1 ++
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|} :: l2
Hintritem: VLSM.input
  {|
    l := l;
    input := input;
    destination := destination;
    output := output
  |} = Some m
Htr1: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to X
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := input;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  VLSM.input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  simpl in Hintritem.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
input: option message
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtritem: tritem =
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|}
Heqtr: tr =
l1 ++
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|} :: l2
Hintritem: input = Some m
Htr1: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to X
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := input;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  VLSM.input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr) subst input.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to X
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state X) (item : transition_item) (tr : list
                                                 transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X s0 s1 (item :: tr)
  eexists.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to X
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (item : transition_item) (tr0 : list transition_item),
  input item = Some m
  ∧ finite_valid_trace_from_to X ?s0 s1 (item :: tr0) eexists.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to X
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ tr0 : list transition_item,
  input ?item = Some m
  ∧ finite_valid_trace_from_to X ?s0 s1 (?item :: tr0) eexists.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state X
m: message
Hpsp: valid_state_prop X s1
ist: state X
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to X ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to X
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
input ?item = Some m
∧ finite_valid_trace_from_to X ?s0 s1 (?item :: ?tr)
  by split; [| apply  Htr2].
Qed.

Lemma has_been_received_in_state_preloaded s1 m :
  constrained_state_prop X s1 ->
  has_been_received X s1 m ->
  exists (s0 : state (preloaded_with_all_messages_vlsm X))
    (item : transition_item) (tr : list transition_item),
    input item = Some m /\
    finite_constrained_trace_from_to X s0 s1 (item :: tr).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
constrained_state_prop X s1
→ has_been_received X s1 m
  → ∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
      (item : transition_item) (tr : list
                                       transition_item),
      input item = Some m
      ∧ finite_constrained_trace_from_to X s0 s1
          (item :: tr)
Proof.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
constrained_state_prop X s1
→ has_been_received X s1 m
  → ∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
      (item : transition_item) (tr : list
                                       transition_item),
      input item = Some m
      ∧ finite_constrained_trace_from_to X s0 s1
          (item :: tr)
  intros Hpsp Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
Hhbr: has_been_received X s1 m
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  pose proof (Hetr := valid_state_has_trace _ _ Hpsp).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
Hhbr: has_been_received X s1 m
Hetr: ∃ (is : state
          (preloaded_with_all_messages_vlsm X)) 
  (tr : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm X) is s1
    tr
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  destruct Hetr as [ist [tr Hetr]].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
Hhbr: has_been_received X s1 m
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hetr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  apply proper_received in Hhbr; [| by apply Hpsp].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
Hhbr: selected_message_exists_in_all_preloaded_traces
  X (field_selector input) s1 m
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hetr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  unfold selected_message_exists_in_all_preloaded_traces in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
Hhbr: specialized_selected_message_exists_in_all_traces
  (preloaded_with_all_messages_vlsm X)
  (field_selector input) s1 m
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hetr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  unfold specialized_selected_message_exists_in_all_traces in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
Hhbr: ∀ (start : state
             (preloaded_with_all_messages_vlsm
                X)) (tr : list transition_item),
  finite_valid_trace_init_to
    (preloaded_with_all_messages_vlsm X) start
    s1 tr
  → trace_has_message (field_selector input) m
      tr
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hetr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  specialize (Hhbr ist tr).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
→ trace_has_message (field_selector input) m tr
Hetr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  unfold finite_valid_trace_init_to in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
→ trace_has_message (field_selector input) m tr
Hetr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  unfold finite_valid_trace_init_to in Hetr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
→ trace_has_message (field_selector input) m tr
Hetr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  destruct Hetr as [Hfptf Hisp].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr ∧ initial_state_prop ist
→ trace_has_message (field_selector input) m tr
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  specialize (Hhbr (conj Hfptf Hisp)).message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: trace_has_message (field_selector input) m tr
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  unfold trace_has_message in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: Exists (field_selector input m) tr
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr) unfold field_selector in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: Exists
  (λ item : transition_item,
     input item = Some m) tr
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  apply Exists_exists in Hhbr.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
Hhbr: ∃ x : transition_item,
  x ∈ tr ∧ input x = Some m
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  destruct Hhbr as [tritem [Htritemin Hintritem]].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
Htritemin: tritem ∈ tr
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  apply elem_of_list_split in Htritemin.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
Htritemin: ∃ l1 l2 : list transition_item,
  tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  destruct Htritemin as [l1 [l2 Heqtr]].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  tr
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  rewrite Heqtr in Hfptf.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist s1
  (l1 ++ tritem :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  apply (finite_valid_trace_from_to_app_split (preloaded_with_all_messages_vlsm X)) in Hfptf.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Hfptf: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
∧ finite_valid_trace_from_to
    (preloaded_with_all_messages_vlsm X)
    (finite_trace_last ist l1) s1
    (tritem :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  destruct Hfptf as [Htr1 Htr2].message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
Heqtr: tr = l1 ++ tritem :: l2
Hintritem: input tritem = Some m
Htr1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X)
  (finite_trace_last ist l1) s1 
  (tritem :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  destruct tritem eqn: Heqtritem.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
input: option message
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtritem: tritem =
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|}
Heqtr: tr =
l1 ++
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|} :: l2
Hintritem: VLSM.input
  {|
    l := l;
    input := input;
    destination := destination;
    output := output
  |} = Some m
Htr1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X)
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := input;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  VLSM.input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  simpl in Hintritem.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
input: option message
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtritem: tritem =
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|}
Heqtr: tr =
l1 ++
{|
  l := l;
  input := input;
  destination := destination;
  output := output
|} :: l2
Hintritem: input = Some m
Htr1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X)
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := input;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  VLSM.input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr) subst input.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X)
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (s0 : state (preloaded_with_all_messages_vlsm X)) 
  (item : transition_item) (tr : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X s0 s1
      (item :: tr)
  eexists.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X)
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ (item : transition_item) (tr0 : list transition_item),
  input item = Some m
  ∧ finite_constrained_trace_from_to X ?s0 s1
      (item :: tr0) eexists.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X)
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
∃ tr0 : list transition_item,
  input ?item = Some m
  ∧ finite_constrained_trace_from_to X ?s0 s1
      (?item :: tr0) eexists.message: Type
X: VLSM message
H: HasBeenReceivedCapability X
s1: state (preloaded_with_all_messages_vlsm X)
m: message
Hpsp: constrained_state_prop X s1
ist: state (preloaded_with_all_messages_vlsm X)
tr: list transition_item
tritem: transition_item
l1, l2: list transition_item
l: label (preloaded_with_all_messages_vlsm X)
destination: state
  (preloaded_with_all_messages_vlsm X)
output: option message
Heqtr: tr =
l1 ++
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|} :: l2
Heqtritem: tritem =
{|
  l := l;
  input := Some m;
  destination := destination;
  output := output
|}
Htr1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X) ist
  (finite_trace_last ist l1) l1
Htr2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm X)
  (finite_trace_last ist l1) s1
  ({|
     l := l;
     input := Some m;
     destination := destination;
     output := output
   |} :: l2)
Hisp: initial_state_prop ist
input ?item = Some m
∧ finite_constrained_trace_from_to X ?s0 s1
    (?item :: ?tr)
  by split; [| apply  Htr2].
Qed.

End sec_has_been_received_in_state.