From VLSM.Lib Require Import Itauto.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
[Loading ML file coq-itauto.plugin ... done]
From Coq Require Import FunctionalExtensionality.
From stdpp Require Import prelude finite.
From VLSM.Lib Require Import Preamble ListExtras StdppExtras.
From VLSM.Core Require Import VLSM PreloadedVLSM VLSMProjections Composition.
From VLSM.Core Require Import Equivocation Validator ProjectionTraces.
From VLSM.Core Require Import MessageDependencies FreeCompositionValidator.
From VLSM.Examples Require Import BaseELMO UMO.[Loading ML file extraction_plugin.cmxs (using legacy method) ... done]
[Loading ML file equations_plugin.cmxs (using legacy method) ... done]

ELMO: Protocol Definitions and Properties for MO

This module contains definitions and properties of MO components and the MO protocol.

Section sec_MO.

Context
  {Address : Type}
  `{EqDecision Address}
  (State := @State Address)
  (Observation := @Observation Address)
  (Message := @Message Address).

A message is valid for MO if one of the following is the case:

it has no observations and its address belongs to the set of allowed addresses (as determined by the predicate P)
its last observation was another valid message which was sent
its last observation was another valid message which was received and the messages observed previously are also valid

Inductive MO_msg_valid (P : Address -> Prop) : Message -> Prop :=
| MO_mv_nil :
    forall m : Message,
      obs (state m) = [] -> P (adr (state m)) -> MO_msg_valid P m
| MO_mv_send :
    forall m : Message,
      MO_msg_valid P m -> MO_msg_valid P (m <*> MkObservation Send m)
| MO_mv_recv :
    forall m mr : Message,
      MO_msg_valid P m -> MO_msg_valid P mr -> MO_msg_valid P (m <*> MkObservation Receive mr).

Lemma MO_msg_valid_P_adr (P : Address -> Prop) (m : Message) :
  MO_msg_valid P m -> P (adr (state m)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid P m → P (adr (state m))
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid P m → P (adr (state m))
  by induction 1.
Qed.

Lemma MO_msg_valid_dep (P : Address -> Prop) (m : Message) :
  MO_msg_valid P m ->
  forall dm, dm ∈ Message_dependencies m -> MO_msg_valid P dm.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid P m
→ ∀ dm : Message,
    dm ∈ Message_dependencies m → MO_msg_valid P dm
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid P m
→ ∀ dm : Message,
    dm ∈ Message_dependencies m → MO_msg_valid P dm
  unfold Message_dependencies.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid P m
→ ∀ dm : Message,
    dm ∈ list_to_set (map message (obs (state m)))
    → MO_msg_valid P dm
  intros Hv dm Hdm.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: MO_msg_valid P m
dm: Message
Hdm: dm ∈ list_to_set (map message (obs (state m)))
MO_msg_valid P dm
  apply elem_of_list_to_set, elem_of_list_fmap in Hdm as (o & -> & Ho).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: MO_msg_valid P m
o: BaseELMO.Observation
Ho: o ∈ obs (state m)
MO_msg_valid P (message o)
  revert o Ho; induction Hv; cbn; intros.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
H: obs (state m) = []
H0: P (adr (state m))
o: BaseELMO.Observation
Ho: o ∈ obs (state m)
MO_msg_valid P (message o)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: MO_msg_valid P m
IHHv: ∀ o : BaseELMO.Observation,
  o ∈ obs (state m)
  → MO_msg_valid P (message o)
o: BaseELMO.Observation
Ho: o
∈ addObservation' (MkObservation Send m)
    (obs (state m))
MO_msg_valid P (message o)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv1: MO_msg_valid P m
Hv2: MO_msg_valid P mr
IHHv1: ∀ o : BaseELMO.Observation,
  o ∈ obs (state m)
  → MO_msg_valid P (message o)
IHHv2: ∀ o : BaseELMO.Observation,
  o ∈ obs (state mr)
  → MO_msg_valid P (message o)
o: BaseELMO.Observation
Ho: o
∈ addObservation' (MkObservation Receive mr)
    (obs (state m))
MO_msg_valid P (message o)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
H: obs (state m) = []
H0: P (adr (state m))
o: BaseELMO.Observation
Ho: o ∈ obs (state m)
MO_msg_valid P (message o) by destruct m, state; cbn in *; subst; inversion Ho.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: MO_msg_valid P m
IHHv: ∀ o : BaseELMO.Observation,
  o ∈ obs (state m)
  → MO_msg_valid P (message o)
o: BaseELMO.Observation
Ho: o
∈ addObservation' (MkObservation Send m)
    (obs (state m))
MO_msg_valid P (message o) by apply elem_of_addObservation in Ho as [-> |]; [| apply IHHv].
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv1: MO_msg_valid P m
Hv2: MO_msg_valid P mr
IHHv1: ∀ o : BaseELMO.Observation,
  o ∈ obs (state m)
  → MO_msg_valid P (message o)
IHHv2: ∀ o : BaseELMO.Observation,
  o ∈ obs (state mr)
  → MO_msg_valid P (message o)
o: BaseELMO.Observation
Ho: o
∈ addObservation' (MkObservation Receive mr)
    (obs (state m))
MO_msg_valid P (message o) by apply elem_of_addObservation in Ho as [-> |]; [| apply IHHv1].
Qed.

Section sec_alternative_definition_of_validity.

Alternative definition of validity

The above constructors of MO_msg_valid may not be the most readable, so we will provide an alternative version of this inductive definition (called MO_msg_valid_alt) and prove them equivalent.

If MO_msg_valid_alt_sends holds for m, then every possible suffix of observations from m is the same as the observations from a message m' which was the next message that was sent after the suffix. Also, the addresses of m and m' have to agree.

Definition MO_msg_valid_alt_sends (m : Message) : Prop :=
  forall (k : nat) (suffix : list Observation) (m' : Message),
    lastn k (obs (state m)) = addObservation' (MkObservation Send m') suffix ->
      obs (state m') = suffix /\ adr (state m') = adr (state m).

If MO_msg_valid_alt_recvs' holds for valid and m, this means that for every suffix of observations from m, the message m', which was the next message received after the suffix, is valid.

Here, validity is determined by an arbitrary predicate. Ultimately, we want to replace this arbitrary predicate with MO_msg_valid_alt, the alternative definition of message validity for MO.

Definition MO_msg_valid_alt_recvs' (valid : Message -> Prop) (m : Message) : Prop :=
  forall (k : nat) (suffix : list Observation) (m' : Message),
    lastn k (obs (state m)) = addObservation' (MkObservation Receive m') suffix ->
      valid m'.

A message is valid for MO (according to the alternative definition) if one of the following holds:

its address belongs to the set of allowed addresses (as determined by P)
it satisfies MO_msg_valid_alt_sends
it satisfies MO_msg_valid_alt_recvs', with MO_msg_valid_alt applied to P used as the validity predicate

Inductive MO_msg_valid_alt (P : Address -> Prop) (m : Message) : Prop :=
{
  P_adr_state : P (adr (state m));
  MO_msg_valid_alt_sends' : MO_msg_valid_alt_sends m;
  MO_msg_valid_alt_recvs'' : MO_msg_valid_alt_recvs' (MO_msg_valid_alt P) m;
}.

Now we just need to define the final version of MO_msg_valid_alt_recvs, in which the validity predicate is set to MO_msg_valid_alt.

Definition MO_msg_valid_alt_recvs (P : Address -> Prop) (m : Message) : Prop :=
  MO_msg_valid_alt_recvs' (MO_msg_valid_alt P) m.

For some proofs to go through, we will need "bounded" versions of the Send and Receive parts of the alternative definition.

By bounded, we mean that we will only look for suffixes at most as long as the whole list of observations of the given message (the suffix can't be any longer than that of course; this matters for purely technical reasons).

Definition MO_msg_valid_alt_sends_bounded (m : Message) : Prop :=
  forall (k : nat) (suffix : list Observation) (m' : Message),
    k <= length (obs (state m)) ->
    lastn k (obs (state m)) = addObservation' (MkObservation Send m') suffix ->
      obs (state m') = suffix /\ adr (state m') = adr (state m).

Definition MO_msg_valid_alt_recvs_bounded (P : Address -> Prop) (m : Message) : Prop :=
  forall (k : nat) (suffix : list Observation) (m' : Message),
    k <= length (obs (state m)) ->
    lastn k (obs (state m)) = addObservation' (MkObservation Receive m') suffix ->
      MO_msg_valid_alt P m'.

The bounded versions are equivalent to the original ones.

Lemma MO_msg_valid_alt_sends_shorten :
  forall (m : Message),
    MO_msg_valid_alt_sends m <-> MO_msg_valid_alt_sends_bounded m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m : Message,
  MO_msg_valid_alt_sends m
  ↔ MO_msg_valid_alt_sends_bounded m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m : Message,
  MO_msg_valid_alt_sends m
  ↔ MO_msg_valid_alt_sends_bounded m
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
MO_msg_valid_alt_sends m
→ MO_msg_valid_alt_sends_bounded m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
MO_msg_valid_alt_sends_bounded m
→ MO_msg_valid_alt_sends m
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
MO_msg_valid_alt_sends m
→ MO_msg_valid_alt_sends_bounded m unfold MO_msg_valid_alt_sends, MO_msg_valid_alt_sends_bounded.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   lastn k (obs (state m)) =
   addObservation' (MkObservation Send m') suffix
   → obs (state m') = suffix
     ∧ adr (state m') = adr (state m))
→ ∀ (k : nat) (suffix : list Observation) (m' : Message),
    k ≤ length (obs (state m))
    → lastn k (obs (state m)) =
      addObservation' (MkObservation Send m') suffix
      → obs (state m') = suffix
        ∧ adr (state m') = adr (state m)
    by intros Hs k suffix m' _ Hlast; eapply Hs.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
MO_msg_valid_alt_sends_bounded m
→ MO_msg_valid_alt_sends m unfold MO_msg_valid_alt_sends, MO_msg_valid_alt_sends_bounded.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   k ≤ length (obs (state m))
   → lastn k (obs (state m)) =
     addObservation' (MkObservation Send m') suffix
     → obs (state m') = suffix
       ∧ adr (state m') = adr (state m))
→ ∀ (k : nat) (suffix : list Observation) (m' : Message),
    lastn k (obs (state m)) =
    addObservation' (MkObservation Send m') suffix
    → obs (state m') = suffix
      ∧ adr (state m') = adr (state m)
    intros Hs k suffix m' Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hs: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Send m')
      suffix
    → obs (state m') = suffix
      ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
    destruct (decide (k <= length (obs (state m)))).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hs: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Send m')
      suffix
    → obs (state m') = suffix
      ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
l: k ≤ length (obs (state m))
obs (state m') = suffix
∧ adr (state m') = adr (state m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hs: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Send m')
      suffix
    → obs (state m') = suffix
      ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ k ≤ length (obs (state m))
obs (state m') = suffix
∧ adr (state m') = adr (state m)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hs: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Send m')
      suffix
    → obs (state m') = suffix
      ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
l: k ≤ length (obs (state m))
obs (state m') = suffix
∧ adr (state m') = adr (state m) by eapply Hs.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hs: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Send m')
      suffix
    → obs (state m') = suffix
      ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ k ≤ length (obs (state m))
obs (state m') = suffix
∧ adr (state m') = adr (state m) apply (Hs (length (obs (state m)))); [lia |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hs: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Send m')
      suffix
    → obs (state m') = suffix
      ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ k ≤ length (obs (state m))
lastn (length (obs (state m))) (obs (state m)) =
addObservation' (MkObservation Send m') suffix
      by rewrite lastn_ge in *; [| lia | lia].
Qed.

Lemma MO_msg_valid_alt_recvs_shorten :
  forall (P : Address -> Prop) (m : Message),
    MO_msg_valid_alt_recvs P m <-> MO_msg_valid_alt_recvs_bounded P m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt_recvs P m
  ↔ MO_msg_valid_alt_recvs_bounded P m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt_recvs P m
  ↔ MO_msg_valid_alt_recvs_bounded P m
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid_alt_recvs P m
→ MO_msg_valid_alt_recvs_bounded P m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid_alt_recvs_bounded P m
→ MO_msg_valid_alt_recvs P m
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid_alt_recvs P m
→ MO_msg_valid_alt_recvs_bounded P m unfold MO_msg_valid_alt_recvs, MO_msg_valid_alt_recvs', MO_msg_valid_alt_recvs_bounded.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   lastn k (obs (state m)) =
   addObservation' (MkObservation Receive m') suffix
   → MO_msg_valid_alt P m')
→ ∀ (k : nat) (suffix : list Observation) (m' : Message),
    k ≤ length (obs (state m))
    → lastn k (obs (state m)) =
      addObservation' (MkObservation Receive m')
        suffix → MO_msg_valid_alt P m'
    by intros Hr k suffix m' _ Hlast; eapply Hr.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid_alt_recvs_bounded P m
→ MO_msg_valid_alt_recvs P m unfold MO_msg_valid_alt_recvs, MO_msg_valid_alt_recvs', MO_msg_valid_alt_recvs_bounded.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   k ≤ length (obs (state m))
   → lastn k (obs (state m)) =
     addObservation' (MkObservation Receive m') suffix
     → MO_msg_valid_alt P m')
→ ∀ (k : nat) (suffix : list Observation) (m' : Message),
    lastn k (obs (state m)) =
    addObservation' (MkObservation Receive m') suffix
    → MO_msg_valid_alt P m'
    intros Hr k suffix m' Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hr: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Receive m')
      suffix → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
MO_msg_valid_alt P m'
    destruct (decide (k <= length (obs (state m)))).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hr: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Receive m')
      suffix → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
l: k ≤ length (obs (state m))
MO_msg_valid_alt P m'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hr: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Receive m')
      suffix → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ k ≤ length (obs (state m))
MO_msg_valid_alt P m'
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hr: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Receive m')
      suffix → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
l: k ≤ length (obs (state m))
MO_msg_valid_alt P m' by eapply Hr.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hr: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Receive m')
      suffix → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ k ≤ length (obs (state m))
MO_msg_valid_alt P m' apply (Hr (length (obs (state m))) suffix); [lia |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hr: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  k ≤ length (obs (state m))
  → lastn k (obs (state m)) =
    addObservation' (MkObservation Receive m')
      suffix → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ k ≤ length (obs (state m))
lastn (length (obs (state m))) (obs (state m)) =
addObservation' (MkObservation Receive m') suffix
      by rewrite lastn_ge in *; [| lia | lia].
Qed.

Now we need a collection of lemmas that tell us what happens when we extend a message with a new observation of a sent message. We need to do this separately for both the "sends" and the "recvs" parts of the alternative definition.

Lemma MO_msg_valid_alt_sends_Send :
  forall m : Message,
    MO_msg_valid_alt_sends m -> MO_msg_valid_alt_sends (m <*> MkObservation Send m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m : Message,
  MO_msg_valid_alt_sends m
  → MO_msg_valid_alt_sends
      (m <*> MkObservation Send m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m : Message,
  MO_msg_valid_alt_sends m
  → MO_msg_valid_alt_sends
      (m <*> MkObservation Send m)
  unfold MO_msg_valid_alt_sends; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m : Message,
  (∀ (k : nat) (suffix : list Observation) (m' : Message),
     lastn k (obs (state m)) =
     MkObservation Send m' :: suffix
     → obs (state m') = suffix
       ∧ adr (state m') = adr (state m))
  → ∀ (k : nat) (suffix : list Observation) (m' : Message),
      lastn k (MkObservation Send m :: obs (state m)) =
      MkObservation Send m' :: suffix
      → obs (state m') = suffix
        ∧ adr (state m') = adr (state m)
  intros m Hvalid k suffix m' Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k
  (MkObservation Send m :: obs (state m)) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  rewrite lastn_cons in Hlast; case_decide.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Send m :: obs (state m) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Send m :: obs (state m) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m) by inversion Hlast.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m) by eapply Hvalid.
Qed.

Lemma MO_msg_valid_alt_recvs_Send :
  forall (P : Address -> Prop) (m : Message),
    MO_msg_valid_alt_recvs P m -> MO_msg_valid_alt_recvs P (m <*> MkObservation Send m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt_recvs P m
  → MO_msg_valid_alt_recvs P
      (m <*> MkObservation Send m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt_recvs P m
  → MO_msg_valid_alt_recvs P
      (m <*> MkObservation Send m)
  unfold MO_msg_valid_alt_recvs, MO_msg_valid_alt_recvs'; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  (∀ (k : nat) (suffix : list Observation) (m' : Message),
     lastn k (obs (state m)) =
     MkObservation Receive m' :: suffix
     → MO_msg_valid_alt P m')
  → ∀ (k : nat) (suffix : list Observation) (m' : Message),
      lastn k (MkObservation Send m :: obs (state m)) =
      MkObservation Receive m' :: suffix
      → MO_msg_valid_alt P m'
  intros P m Hvalid k suffix m' Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlast: lastn k
  (MkObservation Send m :: obs (state m)) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m'
  rewrite lastn_cons in Hlast; case_decide.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Send m :: obs (state m) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m'
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Send m :: obs (state m) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m' by inversion Hlast.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m' by eapply Hvalid.
Qed.

When we put the above lemmas together, we get a lemma for MO_msg_valid_alt which corresponds to one of the constructors of MO_msg_valid.

Lemma MO_msg_valid_alt_Send :
  forall (P : Address -> Prop) (m : Message),
    MO_msg_valid_alt P m -> MO_msg_valid_alt P (m <*> MkObservation Send m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt P m
  → MO_msg_valid_alt P (m <*> MkObservation Send m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt P m
  → MO_msg_valid_alt P (m <*> MkObservation Send m)
  intros P m [Hs Hr]; constructor; cbn; [done | |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
MO_msg_valid_alt_sends (m <*> MkObservation Send m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
MO_msg_valid_alt_recvs' 
  (MO_msg_valid_alt P) 
  (m <*> MkObservation Send m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
MO_msg_valid_alt_sends (m <*> MkObservation Send m) by apply MO_msg_valid_alt_sends_Send.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
MO_msg_valid_alt_recvs' (MO_msg_valid_alt P)
  (m <*> MkObservation Send m) by apply MO_msg_valid_alt_recvs_Send.
Qed.

We will also need the converses of all these lemmas.

Lemma MO_msg_valid_alt_sends_Send_conv :
  forall m : Message,
    MO_msg_valid_alt_sends (m <*> MkObservation Send m) -> MO_msg_valid_alt_sends m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m : Message,
  MO_msg_valid_alt_sends (m <*> MkObservation Send m)
  → MO_msg_valid_alt_sends m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m : Message,
  MO_msg_valid_alt_sends (m <*> MkObservation Send m)
  → MO_msg_valid_alt_sends m
  intros m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
MO_msg_valid_alt_sends (m <*> MkObservation Send m)
→ MO_msg_valid_alt_sends m
  rewrite (MO_msg_valid_alt_sends_shorten m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
MO_msg_valid_alt_sends (m <*> MkObservation Send m)
→ MO_msg_valid_alt_sends_bounded m
  unfold MO_msg_valid_alt_sends; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   lastn k (MkObservation Send m :: obs (state m)) =
   MkObservation Send m' :: suffix
   → obs (state m') = suffix
     ∧ adr (state m') = adr (state m))
→ MO_msg_valid_alt_sends_bounded m
  intros Hv k suffix m' Hlen Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  destruct (decide (1 + length (obs (state m)) <= k)); [lia |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ 1 + length (obs (state m)) ≤ k
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  apply Hv with k.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ 1 + length (obs (state m)) ≤ k
lastn k (MkObservation Send m :: obs (state m)) =
MkObservation Send m' :: suffix rewrite lastn_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ 1 + length (obs (state m)) ≤ k
(if decide (S (length (obs (state m))) ≤ k)
 then MkObservation Send m :: obs (state m)
 else lastn k (obs (state m))) =
MkObservation Send m' :: suffix by case_decide; [lia |].
Qed.

Lemma MO_msg_valid_alt_recvs_Send_conv :
  forall (P : Address -> Prop) (m : Message),
    MO_msg_valid_alt_recvs P (m <*> MkObservation Send m) -> MO_msg_valid_alt_recvs P m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt_recvs P
    (m <*> MkObservation Send m)
  → MO_msg_valid_alt_recvs P m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt_recvs P
    (m <*> MkObservation Send m)
  → MO_msg_valid_alt_recvs P m
  intros P m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid_alt_recvs P (m <*> MkObservation Send m)
→ MO_msg_valid_alt_recvs P m
  rewrite (MO_msg_valid_alt_recvs_shorten P m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid_alt_recvs P (m <*> MkObservation Send m)
→ MO_msg_valid_alt_recvs_bounded P m
  unfold MO_msg_valid_alt_recvs, MO_msg_valid_alt_recvs'; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   lastn k (MkObservation Send m :: obs (state m)) =
   MkObservation Receive m' :: suffix
   → MO_msg_valid_alt P m')
→ MO_msg_valid_alt_recvs_bounded P m
  intros Hv k suffix m' Hlen Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
MO_msg_valid_alt P m'
  destruct (decide (1 + length (obs (state m)) <= k)); [lia |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ 1 + length (obs (state m)) ≤ k
MO_msg_valid_alt P m'
  apply (Hv k suffix).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ 1 + length (obs (state m)) ≤ k
lastn k (MkObservation Send m :: obs (state m)) =
MkObservation Receive m' :: suffix rewrite lastn_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (MkObservation Send m :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ 1 + length (obs (state m)) ≤ k
(if decide (S (length (obs (state m))) ≤ k)
 then MkObservation Send m :: obs (state m)
 else lastn k (obs (state m))) =
MkObservation Receive m' :: suffix
  by case_decide; [lia |].
Qed.

Lemma MO_msg_valid_alt_Send_conv :
  forall (P : Address -> Prop) (m : Message),
    MO_msg_valid_alt P (m <*> MkObservation Send m) -> MO_msg_valid_alt P m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt P (m <*> MkObservation Send m)
  → MO_msg_valid_alt P m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid_alt P (m <*> MkObservation Send m)
  → MO_msg_valid_alt P m
  intros P m [Hvs Hvr]; split; [done | |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvs: P (adr (state (m <*> MkObservation Send m)))
Hvr: MO_msg_valid_alt_sends
  (m <*> MkObservation Send m)
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P)
  (m <*>
   MkObservation Send m)
MO_msg_valid_alt_sends m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvs: P (adr (state (m <*> MkObservation Send m)))
Hvr: MO_msg_valid_alt_sends
  (m <*> MkObservation Send m)
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P)
  (m <*>
   MkObservation Send m)
MO_msg_valid_alt_recvs' (MO_msg_valid_alt P) m
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvs: P (adr (state (m <*> MkObservation Send m)))
Hvr: MO_msg_valid_alt_sends
  (m <*> MkObservation Send m)
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P)
  (m <*>
   MkObservation Send m)
MO_msg_valid_alt_sends m by apply MO_msg_valid_alt_sends_Send_conv.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hvs: P (adr (state (m <*> MkObservation Send m)))
Hvr: MO_msg_valid_alt_sends
  (m <*> MkObservation Send m)
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P)
  (m <*>
   MkObservation Send m)
MO_msg_valid_alt_recvs' (MO_msg_valid_alt P) m by apply MO_msg_valid_alt_recvs_Send_conv.
Qed.

We need another collection of lemmas, but this time for the case when a new observation was a received message.

Lemma MO_msg_valid_alt_sends_Receive :
  forall m mr : Message,
    MO_msg_valid_alt_sends m ->
      MO_msg_valid_alt_sends (m <*> MkObservation Receive mr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m mr : Message,
  MO_msg_valid_alt_sends m
  → MO_msg_valid_alt_sends
      (m <*> MkObservation Receive mr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m mr : Message,
  MO_msg_valid_alt_sends m
  → MO_msg_valid_alt_sends
      (m <*> MkObservation Receive mr)
  unfold MO_msg_valid_alt_sends; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m mr : Message,
  (∀ (k : nat) (suffix : list Observation) (m' : Message),
     lastn k (obs (state m)) =
     MkObservation Send m' :: suffix
     → obs (state m') = suffix
       ∧ adr (state m') = adr (state m))
  → ∀ (k : nat) (suffix : list Observation) (m' : Message),
      lastn k
        (MkObservation Receive mr :: obs (state m)) =
      MkObservation Send m' :: suffix
      → obs (state m') = suffix
        ∧ adr (state m') = adr (state m)
  intros m mr Hm k suffix m' Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlast: lastn k
  (MkObservation Receive mr :: obs (state m)) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  rewrite lastn_cons in Hlast; case_decide.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Receive mr :: obs (state m) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Receive mr :: obs (state m) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m) by inversion Hlast.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Send m' :: suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m) by apply Hm with k.
Qed.

Lemma MO_msg_valid_alt_recvs_Receive :
  forall (P : Address -> Prop) (m mr : Message),
    MO_msg_valid_alt_recvs P m -> MO_msg_valid_alt P mr ->
      MO_msg_valid_alt_recvs P (m <*> MkObservation Receive mr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt_recvs P m
  → MO_msg_valid_alt P mr
    → MO_msg_valid_alt_recvs P
        (m <*> MkObservation Receive mr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt_recvs P m
  → MO_msg_valid_alt P mr
    → MO_msg_valid_alt_recvs P
        (m <*> MkObservation Receive mr)
  unfold MO_msg_valid_alt_recvs, MO_msg_valid_alt_recvs'; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  (∀ (k : nat) (suffix : list Observation) (m' : Message),
     lastn k (obs (state m)) =
     MkObservation Receive m' :: suffix
     → MO_msg_valid_alt P m')
  → MO_msg_valid_alt P mr
    → ∀ (k : nat) (suffix : list Observation) (m' : Message),
        lastn k
          (MkObservation Receive mr :: obs (state m)) =
        MkObservation Receive m' :: suffix
        → MO_msg_valid_alt P m'
  intros P m mr Hm Hmr k suffix m' Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
Hmr: MO_msg_valid_alt P mr
k: nat
suffix: list Observation
m': Message
Hlast: lastn k
  (MkObservation Receive mr :: obs (state m)) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m'
  rewrite lastn_cons in Hlast; case_decide.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
Hmr: MO_msg_valid_alt P mr
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Receive mr :: obs (state m) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
Hmr: MO_msg_valid_alt P mr
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m'
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
Hmr: MO_msg_valid_alt P mr
k: nat
suffix: list Observation
m': Message
H: S (length (obs (state m))) ≤ k
Hlast: MkObservation Receive mr :: obs (state m) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m' by inversion Hlast; subst; clear Hlast.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hm: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
Hmr: MO_msg_valid_alt P mr
k: nat
suffix: list Observation
m': Message
H: ¬ S (length (obs (state m))) ≤ k
Hlast: lastn k (obs (state m)) =
MkObservation Receive m' :: suffix
MO_msg_valid_alt P m' by apply (Hm k suffix).
Qed.

Lemma MO_msg_valid_alt_Receive :
  forall (P : Address -> Prop) (m mr : Message),
    MO_msg_valid_alt P m -> MO_msg_valid_alt P mr ->
      MO_msg_valid_alt P (m <*> MkObservation Receive mr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt P m
  → MO_msg_valid_alt P mr
    → MO_msg_valid_alt P
        (m <*> MkObservation Receive mr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt P m
  → MO_msg_valid_alt P mr
    → MO_msg_valid_alt P
        (m <*> MkObservation Receive mr)
  intros P m mr [Hs Hr] Hmr; split; cbn; [done | |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
Hmr: MO_msg_valid_alt P mr
MO_msg_valid_alt_sends
  (m <*> MkObservation Receive mr)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
Hmr: MO_msg_valid_alt P mr
MO_msg_valid_alt_recvs' 
  (MO_msg_valid_alt P)
  (m <*> MkObservation Receive mr)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
Hmr: MO_msg_valid_alt P mr
MO_msg_valid_alt_sends
  (m <*> MkObservation Receive mr) by apply MO_msg_valid_alt_sends_Receive.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hs: P (adr (state m))
Hr: MO_msg_valid_alt_sends m
MO_msg_valid_alt_recvs''0: MO_msg_valid_alt_recvs'
  (MO_msg_valid_alt P) m
Hmr: MO_msg_valid_alt P mr
MO_msg_valid_alt_recvs' (MO_msg_valid_alt P)
  (m <*> MkObservation Receive mr) by apply MO_msg_valid_alt_recvs_Receive.
Qed.

We need the converses of these lemmas too.

Lemma MO_msg_valid_alt_sends_Receive_conv :
  forall m mr : Message,
    MO_msg_valid_alt_sends (m <*> MkObservation Receive mr) ->
      MO_msg_valid_alt_sends m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m mr : Message,
  MO_msg_valid_alt_sends
    (m <*> MkObservation Receive mr)
  → MO_msg_valid_alt_sends m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ m mr : Message,
  MO_msg_valid_alt_sends
    (m <*> MkObservation Receive mr)
  → MO_msg_valid_alt_sends m
  intros m mr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
MO_msg_valid_alt_sends
  (m <*> MkObservation Receive mr)
→ MO_msg_valid_alt_sends m
  rewrite (MO_msg_valid_alt_sends_shorten m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
MO_msg_valid_alt_sends
  (m <*> MkObservation Receive mr)
→ MO_msg_valid_alt_sends_bounded m
  unfold MO_msg_valid_alt_sends; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   lastn k (MkObservation Receive mr :: obs (state m)) =
   MkObservation Send m' :: suffix
   → obs (state m') = suffix
     ∧ adr (state m') = adr (state m))
→ MO_msg_valid_alt_sends_bounded m
  intros Hv k suffix m' Hlen Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  destruct (decide (1 + length (obs (state m)) <= k)); [lia |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ 1 + length (obs (state m)) ≤ k
obs (state m') = suffix
∧ adr (state m') = adr (state m)
  apply Hv with k.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Send m') suffix
n: ¬ 1 + length (obs (state m)) ≤ k
lastn k (MkObservation Receive mr :: obs (state m)) =
MkObservation Send m' :: suffix
  by rewrite lastn_cons; case_decide; [lia |].
Qed.

Lemma MO_msg_valid_alt_recvs_Receive_conv :
  forall (P : Address -> Prop) (m mr : Message),
    MO_msg_valid_alt_recvs P (m <*> MkObservation Receive mr) ->
      MO_msg_valid_alt_recvs P m /\ MO_msg_valid_alt P mr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt_recvs P
    (m <*> MkObservation Receive mr)
  → MO_msg_valid_alt_recvs P m ∧ MO_msg_valid_alt P mr
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt_recvs P
    (m <*> MkObservation Receive mr)
  → MO_msg_valid_alt_recvs P m ∧ MO_msg_valid_alt P mr
  intros P m mr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
MO_msg_valid_alt_recvs P
  (m <*> MkObservation Receive mr)
→ MO_msg_valid_alt_recvs P m ∧ MO_msg_valid_alt P mr
  rewrite (MO_msg_valid_alt_recvs_shorten P m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
MO_msg_valid_alt_recvs P
  (m <*> MkObservation Receive mr)
→ MO_msg_valid_alt_recvs_bounded P m
  ∧ MO_msg_valid_alt P mr
  unfold MO_msg_valid_alt_recvs, MO_msg_valid_alt_recvs'; cbn; unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
(∀ (k : nat) (suffix : list Observation) (m' : Message),
   lastn k (MkObservation Receive mr :: obs (state m)) =
   MkObservation Receive m' :: suffix
   → MO_msg_valid_alt P m')
→ MO_msg_valid_alt_recvs_bounded P m
  ∧ MO_msg_valid_alt P mr
  intros Hv; split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
MO_msg_valid_alt_recvs_bounded P m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
MO_msg_valid_alt P mr
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
MO_msg_valid_alt_recvs_bounded P m intros k suffix m' Hlen Hlast.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
MO_msg_valid_alt P m'
    destruct (decide (1 + length (obs (state m)) <= k)); [lia |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ 1 + length (obs (state m)) ≤ k
MO_msg_valid_alt P m'
    apply (Hv k suffix).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ 1 + length (obs (state m)) ≤ k
lastn k (MkObservation Receive mr :: obs (state m)) =
MkObservation Receive m' :: suffix rewrite lastn_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
k: nat
suffix: list Observation
m': Message
Hlen: k ≤ length (obs (state m))
Hlast: lastn k (obs (state m)) =
addObservation' (MkObservation Receive m')
  suffix
n: ¬ 1 + length (obs (state m)) ≤ k
(if decide (S (length (obs (state m))) ≤ k)
 then MkObservation Receive mr :: obs (state m)
 else lastn k (obs (state m))) =
MkObservation Receive m' :: suffix
    by case_decide; [lia |].
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
MO_msg_valid_alt P mr apply (Hv (1 + length (obs (state m))) (obs (state m))).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hv: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Receive mr :: obs (state m)) =
  MkObservation Receive m' :: suffix
  → MO_msg_valid_alt P m'
lastn (1 + length (obs (state m)))
  (MkObservation Receive mr :: obs (state m)) =
MkObservation Receive mr :: obs (state m)
    by rewrite lastn_ge; cbn; [| lia].
Qed.

Lemma MO_msg_valid_alt_Receive_conv :
  forall (P : Address -> Prop) (m mr : Message),
    MO_msg_valid_alt P (m <*> MkObservation Receive mr) ->
      MO_msg_valid_alt P m /\ MO_msg_valid_alt P mr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt P (m <*> MkObservation Receive mr)
  → MO_msg_valid_alt P m ∧ MO_msg_valid_alt P mr
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m mr : Message),
  MO_msg_valid_alt P (m <*> MkObservation Receive mr)
  → MO_msg_valid_alt P m ∧ MO_msg_valid_alt P mr
  intros P m mr [HP Hms Hmr]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
HP: P (adr (state m))
Hms: MO_msg_valid_alt_sends
  (m <*> MkObservation Receive mr)
Hmr: MO_msg_valid_alt_recvs' 
  (MO_msg_valid_alt P)
  (m <*> MkObservation Receive mr)
MO_msg_valid_alt P m ∧ MO_msg_valid_alt P mr
  apply MO_msg_valid_alt_sends_Receive_conv in Hms.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
HP: P (adr (state m))
Hms: MO_msg_valid_alt_sends m
Hmr: MO_msg_valid_alt_recvs' 
  (MO_msg_valid_alt P)
  (m <*> MkObservation Receive mr)
MO_msg_valid_alt P m ∧ MO_msg_valid_alt P mr
  apply MO_msg_valid_alt_recvs_Receive_conv in Hmr as [].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
HP: P (adr (state m))
Hms: MO_msg_valid_alt_sends m
H: MO_msg_valid_alt_recvs P m
H0: MO_msg_valid_alt P mr
MO_msg_valid_alt P m ∧ MO_msg_valid_alt P mr
  by split; [constructor |].
Qed.

Last but not least, we need an inversion lemma which tells us that, if from the state of a message m1 we sent the message m2, then m1 must be equal to m2.

Lemma MO_msg_valid_alt_Send_inv :
  forall (P : Address -> Prop) (m1 m2 : Message),
    MO_msg_valid_alt P (m1 <*> MkObservation Send m2) -> m1 = m2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m1 m2 : Message),
  MO_msg_valid_alt P (m1 <*> MkObservation Send m2)
  → m1 = m2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m1 m2 : Message),
  MO_msg_valid_alt P (m1 <*> MkObservation Send m2)
  → m1 = m2
  intros P m1 m2 [_ Hvs _].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m1, m2: Message
Hvs: MO_msg_valid_alt_sends
  (m1 <*> MkObservation Send m2)
m1 = m2
  unfold MO_msg_valid_alt_sends in Hvs; cbn in *; unfold addObservation' in Hvs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m1, m2: Message
Hvs: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k
    (MkObservation Send m2 :: obs (state m1)) =
  MkObservation Send m' :: suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m1)
m1 = m2
  specialize (Hvs (1 + length (obs (state m1))) (obs (state m1)) m2).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m1, m2: Message
Hvs: lastn (1 + length (obs (state m1)))
  (MkObservation Send m2 :: obs (state m1)) =
MkObservation Send m2 :: obs (state m1)
→ obs (state m2) = obs (state m1)
  ∧ adr (state m2) = adr (state m1)
m1 = m2
  rewrite lastn_cons in Hvs; case_decide; [| lia].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m1, m2: Message
H: S (length (obs (state m1)))
≤ 1 + length (obs (state m1))
Hvs: MkObservation Send m2 :: obs (state m1) =
MkObservation Send m2 :: obs (state m1)
→ obs (state m2) = obs (state m1)
  ∧ adr (state m2) = adr (state m1)
m1 = m2
  destruct (Hvs eq_refl) as [].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m1, m2: Message
H: S (length (obs (state m1)))
≤ 1 + length (obs (state m1))
Hvs: MkObservation Send m2 :: obs (state m1) =
MkObservation Send m2 :: obs (state m1)
→ obs (state m2) = obs (state m1)
  ∧ adr (state m2) = adr (state m1)
H0: obs (state m2) = obs (state m1)
H1: adr (state m2) = adr (state m1)
m1 = m2
  by destruct m1 as [[]], m2 as [[]]; cbn in *; congruence.
Qed.

We now have, by previous lemmas, that MO_msg_valid and MO_msg_valid_alt are equivalent. The proof of the equivalence lemma is structured as follows:

the MO_msg_valid to MO_msg_valid_alt direction is by induction on MO_msg_valid for P and m
the MO_msg_valid_alt to MO_msg_valid direction is by well-founded induction on the size of the message m

Lemma MO_msg_valid__MO_msg_valid_alt :
  forall (P : Address -> Prop) (m : Message),
    MO_msg_valid P m <-> MO_msg_valid_alt P m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid P m ↔ MO_msg_valid_alt P m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (P : Address → Prop) (m : Message),
  MO_msg_valid P m ↔ MO_msg_valid_alt P m
  split; [| revert m].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid P m → MO_msg_valid_alt P m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
∀ m : Message, MO_msg_valid_alt P m → MO_msg_valid P m
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
MO_msg_valid P m → MO_msg_valid_alt P m induction 1 as [m Hobs | m Hm IH | m mr Hm IHm Hmr IHmr].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hobs: obs (state m) = []
H: P (adr (state m))
MO_msg_valid_alt P m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hm: MO_msg_valid P m
IH: MO_msg_valid_alt P m
MO_msg_valid_alt P (m <*> MkObservation Send m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hm: MO_msg_valid P m
Hmr: MO_msg_valid P mr
IHm: MO_msg_valid_alt P m
IHmr: MO_msg_valid_alt P mr
MO_msg_valid_alt P (m <*> MkObservation Receive mr)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hobs: obs (state m) = []
H: P (adr (state m))
MO_msg_valid_alt P m by constructor; [done | |]
      ; intros k suffix m' Hlast
      ; rewrite Hobs, lastn_nil in Hlast; inversion Hlast.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m: Message
Hm: MO_msg_valid P m
IH: MO_msg_valid_alt P m
MO_msg_valid_alt P (m <*> MkObservation Send m) by apply MO_msg_valid_alt_Send.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
m, mr: Message
Hm: MO_msg_valid P m
Hmr: MO_msg_valid P mr
IHm: MO_msg_valid_alt P m
IHmr: MO_msg_valid_alt P mr
MO_msg_valid_alt P (m <*> MkObservation Receive mr) by apply MO_msg_valid_alt_Receive.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
∀ m : Message, MO_msg_valid_alt P m → MO_msg_valid P m assert (Hwf := well_founded_lt_compat _ (fun m => @sizeMessage Address m)
      (fun m1 m2 => sizeMessage m1 < sizeMessage m2) (fun _ _ H => H)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
∀ m : Message, MO_msg_valid_alt P m → MO_msg_valid P m
    apply (@well_founded_induction _ (fun m1 m2 => sizeMessage m1 < sizeMessage m2) Hwf
      (fun m => MO_msg_valid_alt P m -> MO_msg_valid P m)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
∀ x : BaseELMO.Message,
  (∀ y : BaseELMO.Message,
     sizeMessage y < sizeMessage x
     → MO_msg_valid_alt P y → MO_msg_valid P y)
  → MO_msg_valid_alt P x → MO_msg_valid P x
    intros [[[| [[] m'] obs'] adr']] IH Hvalid.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage (MkMessage (MkState [] adr'))
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage (MkState [] adr'))
MO_msg_valid P (MkMessage (MkState [] adr'))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage
    (MkMessage
       (MkState
          (MkObservation Receive m' :: obs') adr'))
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage
     (MkState
        (MkObservation Receive m' :: obs')
        adr'))
MO_msg_valid P
  (MkMessage
     (MkState (MkObservation Receive m' :: obs') adr'))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage
    (MkMessage
       (MkState (MkObservation Send m' :: obs')
          adr'))
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage
     (MkState (MkObservation Send m' :: obs')
        adr'))
MO_msg_valid P
  (MkMessage
     (MkState (MkObservation Send m' :: obs') adr'))
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage (MkMessage (MkState [] adr'))
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage (MkState [] adr'))
MO_msg_valid P (MkMessage (MkState [] adr')) by constructor; [| inversion Hvalid].
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage
    (MkMessage
       (MkState
          (MkObservation Receive m' :: obs') adr'))
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage
     (MkState
        (MkObservation Receive m' :: obs')
        adr'))
MO_msg_valid P
  (MkMessage
     (MkState (MkObservation Receive m' :: obs') adr')) change (MkMessage _) with (MkMessage (MkState obs' adr') <*> MkObservation Receive m') in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage
    (MkMessage (MkState obs' adr') <*>
     MkObservation Receive m')
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage (MkState obs' adr') <*>
   MkObservation Receive m')
MO_msg_valid P
  (MkMessage (MkState obs' adr') <*>
   MkObservation Receive m')
      apply MO_msg_valid_alt_Receive_conv in Hvalid as [].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage
    (MkMessage (MkState obs' adr') <*>
     MkObservation Receive m')
  → MO_msg_valid_alt P y → MO_msg_valid P y
H: MO_msg_valid_alt P (MkMessage (MkState obs' adr'))
H0: MO_msg_valid_alt P m'
MO_msg_valid P
  (MkMessage (MkState obs' adr') <*>
   MkObservation Receive m')
      by constructor 3; (apply IH; [unfold sizeMessage; cbn; lia |]).
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage
    (MkMessage
       (MkState (MkObservation Send m' :: obs')
          adr'))
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage
     (MkState (MkObservation Send m' :: obs')
        adr'))
MO_msg_valid P
  (MkMessage
     (MkState (MkObservation Send m' :: obs') adr')) change (MkMessage _) with (MkMessage (MkState obs' adr') <*> MkObservation Send m') in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage
    (MkMessage (MkState obs' adr') <*>
     MkObservation Send m')
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (MkMessage (MkState obs' adr') <*>
   MkObservation Send m')
MO_msg_valid P
  (MkMessage (MkState obs' adr') <*>
   MkObservation Send m')
      replace (MkMessage (MkState obs' adr')) with m' in *
        by (apply MO_msg_valid_alt_Send_inv in Hvalid; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage (m' <*> MkObservation Send m')
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P
  (m' <*> MkObservation Send m')
MO_msg_valid P (m' <*> MkObservation Send m')
      apply MO_msg_valid_alt_Send_conv in Hvalid.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P: Address → Prop
Hwf: wf
  (λ m1 m2 : BaseELMO.Message,
     sizeMessage m1 < sizeMessage m2)
m': BaseELMO.Message
obs': list BaseELMO.Observation
adr': Address
IH: ∀ y : BaseELMO.Message,
  sizeMessage y <
  sizeMessage (m' <*> MkObservation Send m')
  → MO_msg_valid_alt P y → MO_msg_valid P y
Hvalid: MO_msg_valid_alt P m'
MO_msg_valid P (m' <*> MkObservation Send m')
      by constructor 2; apply IH; [unfold sizeMessage; cbn; lia |].
Qed.

End sec_alternative_definition_of_validity.

Inductive MO_component_valid (P : Address -> Prop) : Label -> State -> option Message -> Prop :=
| MOCV_Receive :
    forall (s : State) (m : Message),
      MO_msg_valid P m -> MO_component_valid P Receive s (Some m)
| MOCV_Send :
    forall s : State,
      MO_component_valid P Send s None.

Ltac invert_MO_component_valid :=
repeat match goal with
| H : MO_component_valid _ Receive _ None  |- _ => inversion H; subst; clear H
| H : MO_component_valid _ Send _ (Some _) |- _ => inversion H; subst; clear H
end.

Definition MO_component_machine (P : Address -> Prop) (i : Address) : VLSMMachine ELMO_component_type :=
{|
  initial_state_prop := UMO_component_initial_state_prop i;
  initial_message_prop := const False;
  s0 := Inhabited_UMO_component_initial_state_type i;
  transition := fun l '(st, om) => UMO_component_transition l st om;
  valid := fun l '(st, om) => MO_component_valid P l st om;
|}.

Definition MO_component (P : Address -> Prop) (i : Address) : VLSM Message :=
{|
  vlsm_type := ELMO_component_type;
  vlsm_machine := MO_component_machine P i;
|}.

Section sec_MO_component_lemmas.

Component lemmas

We will use the notation Mi for a MO_component of address i.

Context
  {i : Address}
  {P : Address -> Prop}
  (Mi : VLSM Message := MO_component P i)
  .

Lemma VLSM_incl_UMO_MOComponent : VLSM_incl Mi (UMO_component i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
VLSM_incl Mi (UMO_component i)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
VLSM_incl Mi (UMO_component i)
  intros; apply basic_VLSM_strong_incl.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_initial_state_preservation
  (MO_component_machine P i) (UMO_component_machine i)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_initial_message_preservation
  (MO_component_machine P i) 
  (UMO_component_machine i)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_valid_preservation
  (MO_component_machine P i) 
  (UMO_component_machine i)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_transition_preservation
  (MO_component_machine P i) 
  (UMO_component_machine i)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_initial_state_preservation
  (MO_component_machine P i) (UMO_component_machine i) by intro.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_initial_message_preservation
  (MO_component_machine P i) (UMO_component_machine i) by intro.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_valid_preservation
  (MO_component_machine P i) (UMO_component_machine i) by inversion 1; subst; constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
strong_incl_transition_preservation
  (MO_component_machine P i) (UMO_component_machine i) by intro.
Qed.

#[export] Instance HasBeenSentCapability_MOComponent : HasBeenSentCapability Mi.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
HasBeenSentCapability Mi
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
HasBeenSentCapability Mi
  constructor 1 with (fun s m => m ∈ sentMessages s);
    [by intros s m; typeclasses eauto |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
has_been_sent_stepwise_prop
  (λ (s : BaseELMO.State) (m : Message),
     m ∈ sentMessages s)
  split; [by intros [] []; cbn in *; subst; cbn; apply not_elem_of_nil |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm Mi)) (s : 
                                                 VLSM.state
                                                 (preloaded_with_all_messages_vlsm
                                                 Mi)) 
  (im : option Message) (s' : VLSM.state
                                (preloaded_with_all_messages_vlsm
                                   Mi)) (om : option
                                                Message),
  input_constrained_transition Mi l (s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ sentMessages s'
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ sentMessages s
  intros l s im s' om [(Hvsp & Hovmp & Hv) Ht] m; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
l: Label
s: BaseELMO.State
im: option Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) im
Hv: MO_component_valid P l s im
Ht: UMO_component_transition l s im = (s', om)
m: Message
m ∈ sentMessages s' ↔ om = Some m ∨ m ∈ sentMessages s
  destruct l, im; cbn in *; invert_MO_component_valid;
    inversion Ht; subst; clear Ht; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi)
  (Some m0)
Hv: MO_component_valid P Receive s (Some m0)
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Receive m0
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ None = Some m ∨ m ∈ sentMessages s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None
Hv: MO_component_valid P Send s None
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage s)
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi)
  (Some m0)
Hv: MO_component_valid P Receive s (Some m0)
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Receive m0
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ None = Some m ∨ m ∈ sentMessages s by rewrite decide_False; cbn; firstorder congruence.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None
Hv: MO_component_valid P Send s None
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage s)
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s rewrite decide_True by done; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None
Hv: MO_component_valid P Send s None
m: Message
m ∈ MkMessage s :: map message (filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s
    unfold Message; rewrite elem_of_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None
Hv: MO_component_valid P Send s None
m: Message
m = MkMessage s
∨ m ∈ map message (filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s
    by firstorder congruence.
Defined.

#[export] Instance HasBeenReceivedCapability_MOComponent : HasBeenReceivedCapability Mi.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
HasBeenReceivedCapability Mi
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
HasBeenReceivedCapability Mi
  constructor 1 with (fun s m => m ∈ receivedMessages s);
    [by intros s m; typeclasses eauto |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
has_been_received_stepwise_prop
  (λ (s : BaseELMO.State) (m : Message),
     m ∈ receivedMessages s)
  split; [by intros [] []; cbn in *; subst; cbn; apply not_elem_of_nil |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm Mi)) (s : 
                                                 VLSM.state
                                                 (preloaded_with_all_messages_vlsm
                                                 Mi)) 
  (im : option Message) (s' : VLSM.state
                                (preloaded_with_all_messages_vlsm
                                   Mi)) (om : option
                                                Message),
  input_constrained_transition Mi l (s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ receivedMessages s'
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ receivedMessages s
  intros l s im s' om [(Hvsp & Hovmp & Hv) Ht] m; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
l: Label
s: BaseELMO.State
im: option Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) im
Hv: MO_component_valid P l s im
Ht: UMO_component_transition l s im = (s', om)
m: Message
m ∈ receivedMessages s'
↔ im = Some m ∨ m ∈ receivedMessages s
  destruct l, im; cbn in *; invert_MO_component_valid;
    inversion Ht; subst; clear Ht; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi)
  (Some m0)
Hv: MO_component_valid P Receive s (Some m0)
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Receive m0
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None
Hv: MO_component_valid P Send s None
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Send (MkMessage s)
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ None = Some m ∨ m ∈ receivedMessages s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi)
  (Some m0)
Hv: MO_component_valid P Receive s (Some m0)
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Receive m0
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s rewrite decide_True by done; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi)
  (Some m0)
Hv: MO_component_valid P Receive s (Some m0)
m: Message
m ∈ m0 :: map message (filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s
    unfold Message; rewrite elem_of_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi)
  (Some m0)
Hv: MO_component_valid P Receive s (Some m0)
m: Message
m = m0 ∨ m ∈ map message (filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s
    by firstorder congruence.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None
Hv: MO_component_valid P Send s None
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Send (MkMessage s)
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ None = Some m ∨ m ∈ receivedMessages s by rewrite decide_False; cbn; firstorder congruence.
Defined.

#[export] Instance HasBeenDirectlyObservedCapability_MOComponent :
  HasBeenDirectlyObservedCapability Mi :=
    HasBeenDirectlyObservedCapability_from_sent_received Mi.

The initial state of Mi is unique.

Lemma vs0_uniqueness :
  forall is : State,
    UMO_component_initial_state_prop i is ->
      is = ``(vs0 Mi).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ is : State,
  UMO_component_initial_state_prop i is
  → is = `(vs0 Mi)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ is : State,
  UMO_component_initial_state_prop i is
  → is = `(vs0 Mi)
  by intros []; inversion 1; cbv in *; subst.
Qed.

Properties of transitions and traces

In a valid state s, we can send a message containing this state.

Lemma input_constrained_transition_Send :
  forall s : State,
    constrained_state_prop Mi s ->
      input_constrained_transition Mi Send
        (s, None)
        (s <+> MkObservation Send (MkMessage s), Some (MkMessage s)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  constrained_state_prop Mi s
  → input_constrained_transition Mi Send (s, None)
      (s <+> MkObservation Send (MkMessage s),
       Some (MkMessage s))
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  constrained_state_prop Mi s
  → input_constrained_transition Mi Send (s, None)
      (s <+> MkObservation Send (MkMessage s),
       Some (MkMessage s))
  intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
input_constrained_transition Mi Send (s, None)
  (s <+> MkObservation Send (MkMessage s),
   Some (MkMessage s))
  do 2 red; cbn; split_and!; [done | | | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
MO_component_valid P Send s None
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) None by exists (MkState [] i); constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
MO_component_valid P Send s None by do 2 constructor.
Qed.

In a valid state s, we can receive any valid message.

Lemma input_constrained_transition_Receive :
  forall (s : State) (m : Message),
    constrained_state_prop Mi s -> MO_msg_valid P m ->
      input_constrained_transition Mi Receive
        (s, Some m)
        (s <+> MkObservation Receive m, None).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s : State) (m : Message),
  constrained_state_prop Mi s
  → MO_msg_valid P m
    → input_constrained_transition Mi Receive
        (s, Some m)
        (s <+> MkObservation Receive m, None)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s : State) (m : Message),
  constrained_state_prop Mi s
  → MO_msg_valid P m
    → input_constrained_transition Mi Receive
        (s, Some m)
        (s <+> MkObservation Receive m, None)
  intros s m Hvsp Hvalid.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
m: Message
Hvsp: constrained_state_prop Mi s
Hvalid: MO_msg_valid P m
input_constrained_transition Mi Receive (s, Some m)
  (s <+> MkObservation Receive m, None)
  do 2 red; cbn; split_and!; [done | | | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
m: Message
Hvsp: constrained_state_prop Mi s
Hvalid: MO_msg_valid P m
option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) (Some m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
m: Message
Hvsp: constrained_state_prop Mi s
Hvalid: MO_msg_valid P m
MO_component_valid P Receive s (Some m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
m: Message
Hvsp: constrained_state_prop Mi s
Hvalid: MO_msg_valid P m
option_valid_message_prop
  (preloaded_with_all_messages_vlsm Mi) (Some m) by exists (MkState [] i); constructor; cbn; [| right].
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
m: Message
Hvsp: constrained_state_prop Mi s
Hvalid: MO_msg_valid P m
MO_component_valid P Receive s (Some m) by constructor.
Qed.

If a message m is valid, its state is reachable.

Lemma constrained_state_prop_MO_msg_valid :
  forall m : Message,
    MO_msg_valid P m -> adr (state m) = i ->
      constrained_state_prop Mi (state m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ m : Message,
  MO_msg_valid P m
  → adr (state m) = i
    → constrained_state_prop Mi (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ m : Message,
  MO_msg_valid P m
  → adr (state m) = i
    → constrained_state_prop Mi (state m)
  induction 1 as [m Hobs | m Hm IH | m mr Hm IHm Hmr IHmr]; cbn; intros Hadr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
Hobs: obs (state m) = []
H: P (adr (state m))
Hadr: adr (state m) = i
constrained_state_prop Mi (state m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
Hm: MO_msg_valid P m
IH: adr (state m) = i
→ constrained_state_prop Mi (state m)
Hadr: adr (state m) = i
constrained_state_prop Mi
  (state m <+> MkObservation Send m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, mr: Message
Hm: MO_msg_valid P m
Hmr: MO_msg_valid P mr
IHm: adr (state m) = i
→ constrained_state_prop Mi (state m)
IHmr: adr (state mr) = i
→ constrained_state_prop Mi (state mr)
Hadr: adr (state m) = i
constrained_state_prop Mi
  (state m <+> MkObservation Receive mr)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
Hobs: obs (state m) = []
H: P (adr (state m))
Hadr: adr (state m) = i
constrained_state_prop Mi (state m) by exists None; constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
Hm: MO_msg_valid P m
IH: adr (state m) = i
→ constrained_state_prop Mi (state m)
Hadr: adr (state m) = i
constrained_state_prop Mi
  (state m <+> MkObservation Send m) apply (@input_valid_transition_destination _ (preloaded_with_all_messages_vlsm Mi)
      Send (state m) _ None (Some m)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
Hm: MO_msg_valid P m
IH: adr (state m) = i
→ constrained_state_prop Mi (state m)
Hadr: adr (state m) = i
input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) Send
  (state m, None)
  (state m <+> MkObservation Send m, Some m)
    destruct m as [s]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
Hm: MO_msg_valid P (MkMessage s)
IH: adr s = i → constrained_state_prop Mi s
Hadr: adr s = i
input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) Send (s, None)
  (s <+> MkObservation Send (MkMessage s),
   Some (MkMessage s))
    by apply input_constrained_transition_Send, IH.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, mr: Message
Hm: MO_msg_valid P m
Hmr: MO_msg_valid P mr
IHm: adr (state m) = i
→ constrained_state_prop Mi (state m)
IHmr: adr (state mr) = i
→ constrained_state_prop Mi (state mr)
Hadr: adr (state m) = i
constrained_state_prop Mi
  (state m <+> MkObservation Receive mr) apply (@input_valid_transition_destination _ (preloaded_with_all_messages_vlsm Mi)
      Receive (state m) _ (Some mr) None).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, mr: Message
Hm: MO_msg_valid P m
Hmr: MO_msg_valid P mr
IHm: adr (state m) = i
→ constrained_state_prop Mi (state m)
IHmr: adr (state mr) = i
→ constrained_state_prop Mi (state mr)
Hadr: adr (state m) = i
input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) Receive
  (state m, Some mr)
  (state m <+> MkObservation Receive mr, None)
    destruct m as [s]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: BaseELMO.State
mr: Message
Hm: MO_msg_valid P (MkMessage s)
Hmr: MO_msg_valid P mr
IHm: adr s = i → constrained_state_prop Mi s
IHmr: adr (state mr) = i
→ constrained_state_prop Mi (state mr)
Hadr: adr s = i
input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) Receive
  (s, Some mr) (s <+> MkObservation Receive mr, None)
    by apply input_constrained_transition_Receive; itauto.
Qed.

Valid transitions and valid traces lead to bigger states.

Lemma MO_component_valid_transition_size :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    MO_component_valid P lbl s1 iom ->
    UMO_component_transition lbl s1 iom = (s2, oom) ->
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  MO_component_valid P lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  MO_component_valid P lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → sizeState s1 < sizeState s2
  by intros [] s2 [im |] oom []; do 2 inversion_clear 1; cbn; lia.
Qed.

Lemma input_constrained_transition_size :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    input_constrained_transition Mi lbl (s1, iom) (s2, oom) ->
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_constrained_transition Mi lbl (s1, iom)
    (s2, oom) → sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_constrained_transition Mi lbl (s1, iom)
    (s2, oom) → sizeState s1 < sizeState s2
  by intros s1 s2 iom oom lbl [(_ & _ & ?) Ht]; cbn in *
  ; eapply MO_component_valid_transition_size.
Qed.

Lemma finite_constrained_trace_from_to_size :
  forall (s1 s2 : State) (tr : list transition_item),
    finite_constrained_trace_from_to Mi s1 s2 tr ->
      s1 = s2 /\ tr = []
        \/
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_from_to Mi s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_from_to Mi s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
  induction 1; [by left |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: s = f ∧ tl = []
∨ sizeState s <
  sizeState f
s' = f
∧ {|
    l := l;
    input := iom;
    destination := s;
    output := oom
  |} :: tl = [] ∨ sizeState s' < sizeState f
  assert (sizeState s' < sizeState s)
    by (eapply input_constrained_transition_size; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: s = f ∧ tl = []
∨ sizeState s <
  sizeState f
H0: sizeState s' < sizeState s
s' = f
∧ {|
    l := l;
    input := iom;
    destination := s;
    output := oom
  |} :: tl = [] ∨ sizeState s' < sizeState f
  by destruct IHfinite_valid_trace_from_to; [itauto congruence | itauto lia].
Qed.

The final state of a valid transition determines the label, initial state, input message and output message.

Lemma input_constrained_transition_deterministic_conv :
  forall (s1 s2 f : State) (iom1 iom2 oom1 oom2 : option Message) (lbl1 lbl2 : Label),
    input_constrained_transition Mi lbl1 (s1, iom1) (f, oom1) ->
    input_constrained_transition Mi lbl2 (s2, iom2) (f, oom2) ->
      lbl1 = lbl2 /\ s1 = s2 /\ iom1 = iom2 /\ oom1 = oom2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_constrained_transition Mi lbl1 (s1, iom1)
    (f, oom1)
  → input_constrained_transition Mi lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_constrained_transition Mi lbl1 (s1, iom1)
    (f, oom1)
  → input_constrained_transition Mi lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  intros s1 s2 f iom1 iom2 oom1 oom2 lbl1 lbl2 Hivt1 Hivt2
  ; inversion Hivt1 as [(_ & _ & Hvalid1) Ht1]; subst
  ; inversion Hivt2 as [(_ & _ & Hvalid2) Ht2]; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2, f: State
iom1, iom2, oom1, oom2: option Message
lbl1, lbl2: Label
Hivt1: input_constrained_transition Mi lbl1
  (s1, iom1) (f, oom1)
Hivt2: input_constrained_transition Mi lbl2
  (s2, iom2) (f, oom2)
Hvalid1: valid lbl1 (s1, iom1)
Ht1: transition lbl1 (s1, iom1) = (f, oom1)
Hvalid2: valid lbl2 (s2, iom2)
Ht2: transition lbl2 (s2, iom2) = (f, oom2)
lbl1 = lbl2 ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  destruct lbl1, lbl2, iom1, iom2; cbn in *
  ; inversion Ht1; subst; clear Ht1
  ; inversion Ht2; subst; clear Ht2
  ; inversion Hvalid1; inversion Hvalid2; invert_MO_component_valid; auto.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
m: Message
Hivt2: input_constrained_transition Mi Receive
  (s2, Some m)
  (s1 <+> MkObservation Receive m, None)
Hivt1: input_constrained_transition Mi Receive
  (s1, Some m)
  (s1 <+> MkObservation Receive m, None)
Hvalid1: MO_component_valid P Receive s1 (Some m)
Hvalid2: MO_component_valid P Receive s2 (Some m)
H1: obs s2 = obs s1
H2: adr s2 = adr s1
s: State
m0: Message
H0: MO_msg_valid P m
H3: s = s1
H: m0 = m
s0: State
m1: Message
H5: MO_msg_valid P m
H6: s0 = s2
H4: m1 = m
Receive = Receive
∧ s1 = s2 ∧ Some m = Some m ∧ None = None
  by destruct s1, s2; cbn in *; subst; itauto.
Qed.

Trace segments between any two states are unique.

Lemma finite_constrained_trace_from_to_unique :
  forall (s1 s2 : State) (tr1 tr2 : list transition_item),
    finite_constrained_trace_from_to Mi s1 s2 tr1 ->
    finite_constrained_trace_from_to Mi s1 s2 tr2 ->
      tr1 = tr2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (tr1 tr2 : list transition_item),
  finite_constrained_trace_from_to Mi s1 s2 tr1
  → finite_constrained_trace_from_to Mi s1 s2 tr2
    → tr1 = tr2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (tr1 tr2 : list transition_item),
  finite_constrained_trace_from_to Mi s1 s2 tr1
  → finite_constrained_trace_from_to Mi s1 s2 tr2
    → tr1 = tr2
  intros s1 s2 tr1 tr2 Hfvt1 Hfvt2; revert tr2 Hfvt2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
tr1: list transition_item
Hfvt1: finite_constrained_trace_from_to Mi s1 s2 tr1
∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi s1 s2 tr2
  → tr1 = tr2
  induction Hfvt1 using finite_valid_trace_from_to_rev_ind; intros.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
tr2: list transition_item
Hfvt2: finite_constrained_trace_from_to Mi si si tr2
[] = tr2
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s
  tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
tr2: list transition_item
Hfvt2: finite_constrained_trace_from_to Mi si sf tr2
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] = tr2
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
tr2: list transition_item
Hfvt2: finite_constrained_trace_from_to Mi si si tr2
[] = tr2 by apply finite_constrained_trace_from_to_size in Hfvt2; itauto (congruence + lia).
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s
  tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
tr2: list transition_item
Hfvt2: finite_constrained_trace_from_to Mi si sf tr2
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] = tr2 destruct Hfvt2 using finite_valid_trace_from_to_rev_ind; [| clear IHHfvt2].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (si, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = []
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
s0: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s0
  tr0
iom0, oom0: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l0
  (s0, iom0) (sf, oom0)
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}]
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (si, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = [] apply finite_constrained_trace_from_to_size in Hfvt1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: si = s ∧ tr = [] ∨ sizeState si < sizeState s
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (si, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = []
      apply input_constrained_transition_size in Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: si = s ∧ tr = [] ∨ sizeState si < sizeState s
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: sizeState s < sizeState si
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = []
      by decompose [and or] Hfvt1; subst; clear Hfvt1; lia.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
s0: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s0
  tr0
iom0, oom0: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l0
  (s0, iom0) (sf, oom0)
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}] assert (l = l0 /\ s = s0 /\ iom = iom0 /\ oom = oom0)
          by (eapply input_constrained_transition_deterministic_conv; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s
    tr2 → tr = tr2
s0: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s0
  tr0
iom0, oom0: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l0
  (s0, iom0) (sf, oom0)
H: l = l0 ∧ s = s0 ∧ iom = iom0 ∧ oom = oom0
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}]
      decompose [and] H; subst; clear H.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
tr: list transition_item
si, s0: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s0
  tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
l0: VLSM.label (preloaded_with_all_messages_vlsm Mi)
IHHfvt1: ∀ tr2 : list transition_item,
  finite_constrained_trace_from_to Mi si s0
    tr2 → tr = tr2
iom0, oom0: option Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l0
  (s0, iom0) (sf, oom0)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s0
  tr0
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l0
  (s0, iom0) (sf, oom0)
tr ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}]
      by f_equal; apply IHHfvt1.
Qed.

Traces between any two states are unique.

Lemma finite_constrained_trace_init_to_unique :
  forall (s1 s2 s : State) (tr1 tr2 : list transition_item),
    finite_constrained_trace_init_to Mi s1 s tr1 ->
    finite_constrained_trace_init_to Mi s2 s tr2 ->
      tr1 = tr2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 s : State) (tr1 tr2 : list transition_item),
  finite_constrained_trace_init_to Mi s1 s tr1
  → finite_constrained_trace_init_to Mi s2 s tr2
    → tr1 = tr2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 s : State) (tr1 tr2 : list transition_item),
  finite_constrained_trace_init_to Mi s1 s tr1
  → finite_constrained_trace_init_to Mi s2 s tr2
    → tr1 = tr2
  intros [] [] s tr1 tr2 [Ht1 []] [Ht2 []]; cbn in *; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
tr1, tr2: list transition_item
Ht1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi)
  (MkState [] i) s tr1
Ht2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi)
  (MkState [] i) s tr2
tr1 = tr2
  by eapply finite_constrained_trace_from_to_unique.
Qed.

All above properties also hold for Mi.

Lemma input_valid_transition_Send :
  forall s : State,
    valid_state_prop Mi s ->
      input_valid_transition Mi Send
        (s, None)
        (s <+> MkObservation Send (MkMessage s), Some (MkMessage s)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  valid_state_prop Mi s
  → input_valid_transition Mi Send (s, None)
      (s <+> MkObservation Send (MkMessage s),
       Some (MkMessage s))
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  valid_state_prop Mi s
  → input_valid_transition Mi Send (s, None)
      (s <+> MkObservation Send (MkMessage s),
       Some (MkMessage s))
  intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: valid_state_prop Mi s
input_valid_transition Mi Send (s, None)
  (s <+> MkObservation Send (MkMessage s),
   Some (MkMessage s))
  red; cbn; split_and!; [done | | | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: valid_state_prop Mi s
option_valid_message_prop Mi None
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: valid_state_prop Mi s
MO_component_valid P Send s None
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: valid_state_prop Mi s
option_valid_message_prop Mi None by exists (MkState [] i); constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: valid_state_prop Mi s
MO_component_valid P Send s None by do 2 constructor.
Qed.

Lemma input_valid_transition_size :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    input_valid_transition Mi lbl (s1, iom) (s2, oom) ->
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_valid_transition Mi lbl (s1, iom) (s2, oom)
  → sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_valid_transition Mi lbl (s1, iom) (s2, oom)
  → sizeState s1 < sizeState s2
  intros s1 s2 iom oom lbl Hivt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
iom, oom: option Message
lbl: Label
Hivt: input_valid_transition Mi lbl (
  s1, iom) (s2, oom)
sizeState s1 < sizeState s2
  eapply input_constrained_transition_size.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
iom, oom: option Message
lbl: Label
Hivt: input_valid_transition Mi lbl (
  s1, iom) (s2, oom)
input_constrained_transition Mi ?lbl (s1, ?iom)
  (s2, ?oom)
  apply (@VLSM_incl_input_valid_transition _ Mi Mi); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
iom, oom: option Message
lbl: Label
Hivt: input_valid_transition Mi lbl (
  s1, iom) (s2, oom)
VLSM_incl_part Mi
  (preloaded_vlsm_machine Mi (λ _ : Message, True))
  by apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma finite_valid_trace_from_to_size :
  forall (s1 s2 : State) (tr : list transition_item),
    finite_valid_trace_from_to Mi s1 s2 tr ->
      s1 = s2 /\ tr = []
        \/
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_valid_trace_from_to Mi s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_valid_trace_from_to Mi s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
  intros s1 s2 tr Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Mi s1 s2 tr
s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
  eapply finite_constrained_trace_from_to_size.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Mi s1 s2 tr
finite_constrained_trace_from_to Mi s1 s2 tr
  apply (@VLSM_incl_finite_valid_trace_from_to _ Mi Mi); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Mi s1 s2 tr
VLSM_incl_part Mi
  (preloaded_vlsm_machine Mi (λ _ : Message, True))
  by apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma input_valid_transition_deterministic_conv :
  forall (s1 s2 f : State) (iom1 iom2 oom1 oom2 : option Message) (lbl1 lbl2 : Label),
    input_valid_transition Mi lbl1 (s1, iom1) (f, oom1) ->
    input_valid_transition Mi lbl2 (s2, iom2) (f, oom2) ->
      lbl1 = lbl2 /\ s1 = s2 /\ iom1 = iom2 /\ oom1 = oom2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_valid_transition Mi lbl1 (s1, iom1) (f, oom1)
  → input_valid_transition Mi lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_valid_transition Mi lbl1 (s1, iom1) (f, oom1)
  → input_valid_transition Mi lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  intros s1 s2 f iom1 iom2 oom1 oom2 lbl1 lbl2 Hivt1 Hivt2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s1, s2, f: State
iom1, iom2, oom1, oom2: option Message
lbl1, lbl2: Label
Hivt1: input_valid_transition Mi lbl1 (
  s1, iom1) (f, oom1)
Hivt2: input_valid_transition Mi lbl2 (
  s2, iom2) (f, oom2)
lbl1 = lbl2 ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  by eapply input_constrained_transition_deterministic_conv;
    apply (@VLSM_incl_input_valid_transition _ Mi Mi); [| done | | done];
    apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma finite_valid_trace_from_to_unique :
  forall (s1 s2 : State) (l1 l2 : list transition_item),
    finite_valid_trace_from_to Mi s1 s2 l1 ->
    finite_valid_trace_from_to Mi s1 s2 l2 ->
      l1 = l2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (l1 l2 : list transition_item),
  finite_valid_trace_from_to Mi s1 s2 l1
  → finite_valid_trace_from_to Mi s1 s2 l2 → l1 = l2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s1 s2 : State) (l1 l2 : list transition_item),
  finite_valid_trace_from_to Mi s1 s2 l1
  → finite_valid_trace_from_to Mi s1 s2 l2 → l1 = l2
  by intros s1 s2 l1 l2 Hfvt1 Hfvt2;
    eapply finite_constrained_trace_from_to_unique;
    apply VLSM_incl_finite_valid_trace_from_to; [| done | | done];
    apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma finite_valid_trace_init_to_unique :
  forall (s f : State) (l1 l2 : list transition_item),
    finite_valid_trace_init_to Mi s f l1 ->
    finite_valid_trace_init_to Mi s f l2 ->
      l1 = l2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s f : State) (l1 l2 : list transition_item),
  finite_valid_trace_init_to Mi s f l1
  → finite_valid_trace_init_to Mi s f l2 → l1 = l2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (s f : State) (l1 l2 : list transition_item),
  finite_valid_trace_init_to Mi s f l1
  → finite_valid_trace_init_to Mi s f l2 → l1 = l2
  by intros s f l1 l2 Hfvit1 Hfvit2;
    eapply finite_constrained_trace_init_to_unique;
    apply VLSM_incl_finite_valid_trace_init_to; [| done | | done];
    apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Extracting a trace from a state

If a valid trace leads to state s, the trace extracted from s also leads to s.

Lemma finite_constrained_trace_init_to_state2trace :
  forall (is s : State) (tr : list transition_item),
    finite_constrained_trace_init_to Mi is s tr ->
      finite_constrained_trace_init_to Mi is s (state2trace s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Mi is s tr
  → finite_constrained_trace_init_to Mi is s
      (state2trace s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Mi is s tr
  → finite_constrained_trace_init_to Mi is s
      (state2trace s)
  intros is s tr [Hfv Hinit]; cbn in *; revert Hinit.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
is, s: State
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) is s tr
UMO_component_initial_state_prop i is
→ finite_constrained_trace_init_to Mi is s
    (state2trace s)
  induction Hfv using finite_valid_trace_from_to_rev_ind; intros.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si si
  (state2trace si)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfv: UMO_component_initial_state_prop i si
→ finite_constrained_trace_init_to Mi si s
    (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si sf
  (state2trace sf)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si si
  (state2trace si) inversion Hinit; clear Hinit.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi) si
H: obs si = []
H0: adr si = i
finite_constrained_trace_init_to Mi si si
  (state2trace si)
    destruct si; cbn in *; subst; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState [] i)
finite_constrained_trace_init_to Mi (MkState [] i)
  (MkState [] i) []
    repeat constructor.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState [] i)
valid_state_prop (preloaded_with_all_messages_vlsm Mi)
  (MkState [] i) exists None.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState [] i)
valid_state_message_prop
  (preloaded_with_all_messages_vlsm Mi) (MkState [] i)
  None
    by repeat constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfv: UMO_component_initial_state_prop i si
→ finite_constrained_trace_init_to Mi si s
    (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si sf
  (state2trace sf) specialize (IHHfv Hinit).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom) (sf, oom)
IHHfv: finite_constrained_trace_init_to Mi si s
  (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si sf
  (state2trace sf)
    destruct Ht as [Hvalid Ht]; cbn in Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Mi)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Mi)
Hvalid: input_valid
  (preloaded_with_all_messages_vlsm Mi) l
  (s, iom)
Ht: UMO_component_transition l s iom = (sf, oom)
IHHfv: finite_constrained_trace_init_to Mi si s
  (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si sf
  (state2trace sf)
    destruct s as [obs adr], l, iom as [im |]
    ; inversion Ht; subst; clear Ht; cbn in *
    ; cycle 1; [done | done | |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr) tr
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Mi)
    None
  ∧ MO_component_valid P Send
      (MkState obs adr) None
IHHfv: finite_constrained_trace_init_to Mi si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}])
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Mi)
    (Some im)
  ∧ MO_component_valid P Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_constrained_trace_init_to Mi si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}])
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr) tr
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Mi)
    None
  ∧ MO_component_valid P Send
      (MkState obs adr) None
IHHfv: finite_constrained_trace_init_to Mi si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}]) constructor; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr) tr
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Mi)
    None
  ∧ MO_component_valid P Send
      (MkState obs adr) None
IHHfv: finite_constrained_trace_init_to Mi si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}])
      by eapply extend_right_finite_trace_from_to; [apply IHHfv |]; auto.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Mi)
    (Some im)
  ∧ MO_component_valid P Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_constrained_trace_init_to Mi si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Mi si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}]) constructor; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Mi)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Mi)
    (Some im)
  ∧ MO_component_valid P Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_constrained_trace_init_to Mi si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Mi) si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}])
      by eapply extend_right_finite_trace_from_to; [apply IHHfv |]; auto.
Qed.

The trace extracted from the final state of another trace is equal to that trace.

Lemma finite_constrained_trace_init_to_state2trace_inv :
  forall (is s : State) (tr : list transition_item),
    finite_constrained_trace_init_to Mi is s tr ->
      state2trace s = tr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Mi is s tr
  → state2trace s = tr
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Mi is s tr
  → state2trace s = tr
  intros is s tr Hfvti.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
is, s: State
tr: list transition_item
Hfvti: finite_constrained_trace_init_to Mi is s tr
state2trace s = tr
  assert (Hfvti' : finite_constrained_trace_init_to Mi is s (state2trace s))
    by (eapply finite_constrained_trace_init_to_state2trace; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
is, s: State
tr: list transition_item
Hfvti: finite_constrained_trace_init_to Mi is s tr
Hfvti': finite_constrained_trace_init_to Mi is s
  (state2trace s)
state2trace s = tr
  by eapply finite_constrained_trace_init_to_unique.
Qed.

The trace extracted from a constrained state s leads to s.

Lemma finite_constrained_trace_init_to_state2trace' :
  forall (s : State),
    constrained_state_prop Mi s ->
      finite_constrained_trace_init_to Mi (``(vs0 Mi)) s (state2trace s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  constrained_state_prop Mi s
  → finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
      (state2trace s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  constrained_state_prop Mi s
  → finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
      (state2trace s)
  intros s Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hs: constrained_state_prop Mi s
finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
  (state2trace s)
  apply valid_state_has_trace in Hs as (is & tr & Htr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
is: VLSM.state (preloaded_with_all_messages_vlsm Mi)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Mi) is s tr
finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
  (state2trace s)
  apply finite_constrained_trace_init_to_state2trace_inv in Htr as Heqtr; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
is: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Mi) is s
  (state2trace s)
finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
  (state2trace s)
  replace (``(vs0 Mi)) with is; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
is: VLSM.state (preloaded_with_all_messages_vlsm Mi)
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Mi) is s
  (state2trace s)
is = `(vs0 Mi)
  by apply vs0_uniqueness, Htr.
Qed.

Lemma constrained_state_contains_unique_constrained_trace :
  forall s : State,
    constrained_state_prop Mi s ->
      exists tr : list transition_item,
        finite_constrained_trace_init_to Mi (``(vs0 Mi)) s tr
          /\
        forall tr' : list transition_item,
          finite_constrained_trace_init_to Mi (``(vs0 Mi)) s tr' -> tr' = tr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  constrained_state_prop Mi s
  → ∃ tr : list transition_item,
      finite_constrained_trace_init_to Mi (`(vs0 Mi))
        s tr
      ∧ (∀ tr' : list transition_item,
           finite_constrained_trace_init_to Mi
             (`(vs0 Mi)) s tr' → tr' = tr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ s : State,
  constrained_state_prop Mi s
  → ∃ tr : list transition_item,
      finite_constrained_trace_init_to Mi (`(vs0 Mi))
        s tr
      ∧ (∀ tr' : list transition_item,
           finite_constrained_trace_init_to Mi
             (`(vs0 Mi)) s tr' → tr' = tr)
  intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
∃ tr : list transition_item,
  finite_constrained_trace_init_to Mi (`(vs0 Mi)) s tr
  ∧ (∀ tr' : list transition_item,
       finite_constrained_trace_init_to Mi (`(vs0 Mi))
         s tr' → tr' = tr)
  exists (state2trace s); split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
  (state2trace s)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
∀ tr' : list transition_item,
  finite_constrained_trace_init_to Mi 
    (`(vs0 Mi)) s tr' → 
  tr' = state2trace s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
  (state2trace s) by eapply finite_constrained_trace_init_to_state2trace'.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
∀ tr' : list transition_item,
  finite_constrained_trace_init_to Mi (`(vs0 Mi)) s
    tr' → tr' = state2trace s intros tr' Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
tr': list transition_item
Hfvt: finite_constrained_trace_init_to Mi 
  (`(vs0 Mi)) s tr'
tr' = state2trace s symmetry.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
s: State
Hvsp: constrained_state_prop Mi s
tr': list transition_item
Hfvt: finite_constrained_trace_init_to Mi 
  (`(vs0 Mi)) s tr'
state2trace s = tr'
    by eapply finite_constrained_trace_init_to_state2trace_inv.
Qed.

State and message suffix relations

Lemma state_suffix_totally_orders_valid_sent_messages :
  forall (m m1 m2 : Message) (obs1 obs2 obs3 : list Observation),
    m = MkMessage (MkState [] i) <**>
      obs1 <*> MkObservation Send m1 <**> obs2 <*> MkObservation Send m2 <**> obs3 ->
    MO_msg_valid_alt_sends m ->
      state_suffix (state m1) (state m2) /\ state_suffix (state m2) (state m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (m m1 m2 : Message) (obs1 obs2
                       obs3 : list Observation),
  m =
  MkMessage (MkState [] i) <**> obs1 <*>
  MkObservation Send m1 <**> obs2 <*>
  MkObservation Send m2 <**> obs3
  → MO_msg_valid_alt_sends m
    → state_suffix (state m1) (state m2)
      ∧ state_suffix (state m2) (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ (m m1 m2 : Message) (obs1 obs2
                       obs3 : list Observation),
  m =
  MkMessage (MkState [] i) <**> obs1 <*>
  MkObservation Send m1 <**> obs2 <*>
  MkObservation Send m2 <**> obs3
  → MO_msg_valid_alt_sends m
    → state_suffix (state m1) (state m2)
      ∧ state_suffix (state m2) (state m)
  intros m m1 m2 obs1 obs2 obs3 Heq Hvalid.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: MO_msg_valid_alt_sends m
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) (state m)
  red in Hvalid.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) (state m)
  assert (H2 :
    obs (state m2) =
    obs (state (MkMessage (MkState [] i) <**> obs1 <*> MkObservation Send m1 <**> obs2))
    /\ adr (state m2) = i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) (state m)
  {Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
    replace i with (adr (state m)) at 2 by (subst; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = adr (state m)
    apply (Hvalid (1 + length
      (obs (state (MkMessage (MkState [] i) <**> obs1 <*> MkObservation Send m1 <**> obs2))))).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
lastn
  (1 +
   length
     (obs
        (state
           (MkMessage (MkState [] i) <**> obs1 <*>
            MkObservation Send m1 <**> obs2))))
  (obs (state m)) =
addObservation' (MkObservation Send m2)
  (obs
     (state
        (MkMessage (MkState [] i) <**> obs1 <*>
         MkObservation Send m1 <**> obs2)))
    rewrite Heq; simpl.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
lastn
  (S
     (length
        (obs2 ++
         addObservation' (MkObservation Send m1)
           (obs1 ++ []))))
  (obs3 ++
   addObservation' (MkObservation Send m2)
     (obs2 ++
      addObservation' (MkObservation Send m1)
        (obs1 ++ []))) =
addObservation' (MkObservation Send m2)
  (obs2 ++
   addObservation' (MkObservation Send m1)
     (obs1 ++ []))
    rewrite lastn_app_le by (cbn; lia).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
lastn
  (S
     (length
        (obs2 ++
         addObservation' (MkObservation Send m1)
           (obs1 ++ []))))
  (addObservation' (MkObservation Send m2)
     (obs2 ++
      addObservation' (MkObservation Send m1)
        (obs1 ++ []))) =
addObservation' (MkObservation Send m2)
  (obs2 ++
   addObservation' (MkObservation Send m1)
     (obs1 ++ []))
    by rewrite lastn_ge; [| cbn; lia].
  }Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) (state m)
  assert (H1 :
    obs (state m1) = obs (state (MkMessage (MkState [] i) <**> obs1))
    /\ adr (state m1) = i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
∧ adr (state m1) = i
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
H1: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
∧ adr (state m1) = i
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) (state m)
  {Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
∧ adr (state m1) = i
    replace i with (adr (state m)) at 2 by (subst; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
∧ adr (state m1) = adr (state m)
    apply (Hvalid (1 + length (obs (state (MkMessage (MkState [] i) <**> obs1))))).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
lastn
  (1 +
   length
     (obs (state (MkMessage (MkState [] i) <**> obs1))))
  (obs (state m)) =
addObservation' (MkObservation Send m1)
  (obs (state (MkMessage (MkState [] i) <**> obs1)))
    rewrite Heq; simpl.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
lastn (S (length (obs1 ++ [])))
  (obs3 ++
   addObservation' (MkObservation Send m2)
     (obs2 ++
      addObservation' (MkObservation Send m1)
        (obs1 ++ []))) =
addObservation' (MkObservation Send m1) (obs1 ++ [])
    unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
lastn (S (length (obs1 ++ [])))
  (obs3 ++
   MkObservation Send m2
   :: obs2 ++ MkObservation Send m1 :: obs1 ++ []) =
MkObservation Send m1 :: obs1 ++ []
    rewrite <- (app_cons (MkObservation Send m2)),
            <- (app_cons (MkObservation Send m1)), 2!app_assoc.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
lastn (S (length (obs1 ++ [])))
  (((obs3 ++ [MkObservation Send m2]) ++ obs2) ++
   [MkObservation Send m1] ++ obs1 ++ []) =
[MkObservation Send m1] ++ obs1 ++ []
    rewrite lastn_app_le by (cbn; lia).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
lastn (S (length (obs1 ++ [])))
  ([MkObservation Send m1] ++ obs1 ++ []) =
[MkObservation Send m1] ++ obs1 ++ []
    by rewrite lastn_ge; [| cbn; lia].
  }Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H2: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
∧ adr (state m2) = i
H1: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
∧ adr (state m1) = i
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) (state m)
  destruct H1 as [H11 H12], H2 as [H21 H22].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) (state m)
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
state_suffix (state m1) (state m2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
state_suffix (state m2) (state m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
state_suffix (state m1) (state m2) constructor; [by congruence |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
strict suffix (obs (state m1)) (obs (state m2))
    rewrite H11, H21; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
strict suffix (obs1 ++ [])
  (obs2 ++
   addObservation' (MkObservation Send m1)
     (obs1 ++ []))
    split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
obs1 ++ []
`suffix_of` obs2 ++
            addObservation' (MkObservation Send m1)
              (obs1 ++ [])
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
¬ obs2 ++
  addObservation' (MkObservation Send m1) (obs1 ++ [])
  `suffix_of` obs1 ++ []
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
obs1 ++ []
`suffix_of` obs2 ++
            addObservation' (MkObservation Send m1)
              (obs1 ++ []) by apply suffix_app_r, suffix_cons_r.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
¬ obs2 ++
  addObservation' (MkObservation Send m1) (obs1 ++ [])
  `suffix_of` obs1 ++ [] intros [].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
x: list BaseELMO.Observation
H: obs1 ++ [] =
x ++
obs2 ++
addObservation' (MkObservation Send m1)
  (obs1 ++ [])
False apply (f_equal length) in H.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
x: list BaseELMO.Observation
H: length (obs1 ++ []) =
length
  (x ++
   obs2 ++
   addObservation' (MkObservation Send m1)
     (obs1 ++ []))
False
      rewrite !app_length in H; cbn in H; rewrite app_length in H; cbn in H.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
x: list BaseELMO.Observation
H: length obs1 + 0 =
length x + (length obs2 + S (length obs1 + 0))
False
      by lia.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
state_suffix (state m2) (state m) constructor; [by subst |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
strict suffix (obs (state m2)) (obs (state m))
    rewrite H21, Heq; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
strict suffix
  (obs2 ++
   addObservation' (MkObservation Send m1)
     (obs1 ++ []))
  (obs3 ++
   addObservation' (MkObservation Send m2)
     (obs2 ++
      addObservation' (MkObservation Send m1)
        (obs1 ++ [])))
    split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
obs2 ++
addObservation' (MkObservation Send m1) (obs1 ++ [])
`suffix_of` obs3 ++
            addObservation' (MkObservation Send m2)
              (obs2 ++
               addObservation' (MkObservation Send m1)
                 (obs1 ++ []))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
¬ obs3 ++
  addObservation' (MkObservation Send m2)
    (obs2 ++
     addObservation' (MkObservation Send m1)
       (obs1 ++ []))
  `suffix_of` obs2 ++
              addObservation' 
                (MkObservation Send m1) 
                (obs1 ++ [])
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
obs2 ++
addObservation' (MkObservation Send m1) (obs1 ++ [])
`suffix_of` obs3 ++
            addObservation' (MkObservation Send m2)
              (obs2 ++
               addObservation' (MkObservation Send m1)
                 (obs1 ++ [])) by apply suffix_app_r, suffix_cons_r.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
¬ obs3 ++
  addObservation' (MkObservation Send m2)
    (obs2 ++
     addObservation' (MkObservation Send m1)
       (obs1 ++ []))
  `suffix_of` obs2 ++
              addObservation' (MkObservation Send m1)
                (obs1 ++ []) intros [].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
x: list BaseELMO.Observation
H: obs2 ++
addObservation' (MkObservation Send m1)
  (obs1 ++ []) =
x ++
obs3 ++
addObservation' (MkObservation Send m2)
  (obs2 ++
   addObservation' (MkObservation Send m1)
     (obs1 ++ []))
False apply (f_equal length) in H.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
x: list BaseELMO.Observation
H: length
  (obs2 ++
   addObservation' (MkObservation Send m1)
     (obs1 ++ [])) =
length
  (x ++
   obs3 ++
   addObservation' (MkObservation Send m2)
     (obs2 ++
      addObservation' (MkObservation Send m1)
        (obs1 ++ [])))
False
      unfold addObservation' in H.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m, m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: m =
MkMessage (MkState [] i) <**> obs1 <*>
MkObservation Send m1 <**> obs2 <*>
MkObservation Send m2 <**> obs3
Hvalid: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m')
    suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
H21: obs (state m2) =
obs
  (state
     (MkMessage (MkState [] i) <**> obs1 <*>
      MkObservation Send m1 <**> obs2))
H22: adr (state m2) = i
H11: obs (state m1) =
obs (state (MkMessage (MkState [] i) <**> obs1))
H12: adr (state m1) = i
x: list BaseELMO.Observation
H: length
  (obs2 ++ MkObservation Send m1 :: obs1 ++ []) =
length
  (x ++
   obs3 ++
   MkObservation Send m2
   :: obs2 ++ MkObservation Send m1 :: obs1 ++ [])
False
      by rewrite <- (app_cons (MkObservation _ m1)),
                 <- (app_cons (MkObservation _ m2)), !app_length in H
      ; cbn in H; lia.
Qed.

Definition MO_msg_suffix (m : Message) : Prop :=
  forall k1 k2 : nat, k1 < k2 ->
  forall ob1 ob2 : Observation,
    obs (state m) !! k1 = Some ob1 -> label ob1 = Send ->
    obs (state m) !! k2 = Some ob2 -> label ob2 = Send ->
      state_suffix (state (message ob2)) (state (message ob1)).

Lemma state_suffix_totally_orders_valid_sent_messages' :
  forall m : Message, MO_msg_valid_alt_sends m -> MO_msg_suffix m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ m : Message,
  MO_msg_valid_alt_sends m → MO_msg_suffix m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ m : Message,
  MO_msg_valid_alt_sends m → MO_msg_suffix m
  unfold MO_msg_valid_alt_sends, MO_msg_suffix.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
∀ m : Message,
  (∀ (k : nat) (suffix : list Observation) (m' : Message),
     lastn k (obs (state m)) =
     addObservation' (MkObservation Send m') suffix
     → obs (state m') = suffix
       ∧ adr (state m') = adr (state m))
  → ∀ k1 k2 : nat,
      k1 < k2
      → ∀ ob1 ob2 : Observation,
          obs (state m) !! k1 = Some ob1
          → label ob1 = Send
            → obs (state m) !! k2 = Some ob2
              → label ob2 = Send
                → state_suffix (state (message ob2))
                    (state (message ob1))
  intros m H k1 k2 Hlt ob1 ob2 Heq1 Hlbl1 Heq2 Hlbl2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
state_suffix (state (message ob2))
  (state (message ob1))
  remember (length (obs (state m))) as K.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
state_suffix (state (message ob2))
  (state (message ob1))
  destruct (H (K - k1) (lastn (K - S k1) (obs (state m))) (message ob1)) as [Hobs1 Hadr1]
  ; [by destruct ob1; cbn in *; subst; apply lastn_length_cons |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
state_suffix (state (message ob2))
  (state (message ob1))
  destruct (H (K - k2) (lastn (K - S k2) (obs (state m))) (message ob2)) as [Hobs2 Hadr2]
  ; [by destruct ob2; cbn in *; subst; apply lastn_length_cons |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
state_suffix (state (message ob2))
  (state (message ob1))
  constructor; [by congruence |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
strict suffix (obs (state (message ob2)))
  (obs (state (message ob1)))
  constructor; rewrite Hobs1, Hobs2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
lastn (K - S k2) (obs (state m))
`suffix_of` lastn (K - S k1) (obs (state m))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
¬ lastn (K - S k1) (obs (state m))
  `suffix_of` lastn (K - S k2) (obs (state m))
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
lastn (K - S k2) (obs (state m))
`suffix_of` lastn (K - S k1) (obs (state m)) by apply suffix_lastn; lia.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
¬ lastn (K - S k1) (obs (state m))
  `suffix_of` lastn (K - S k2) (obs (state m)) intros Hsuf.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
Hsuf: lastn (K - S k1) (obs (state m))
`suffix_of` lastn (K - S k2) (obs (state m))
False apply suffix_length in Hsuf.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
Hsuf: length (lastn (K - S k1) (obs (state m)))
≤ length (lastn (K - S k2) (obs (state m)))
False
    rewrite 2!length_lastn in Hsuf.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: obs (state m) !! k1 = Some ob1
Hlbl1: label ob1 = Send
Heq2: obs (state m) !! k2 = Some ob2
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
Hsuf: (K - S k1) `min` length (obs (state m))
≤ (K - S k2) `min` length (obs (state m))
False
    apply lookup_lt_Some in Heq1, Heq2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: Observation
Heq1: k1 < length (obs (state m))
Hlbl1: label ob1 = Send
Heq2: k2 < length (obs (state m))
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
Hsuf: (K - S k1) `min` length (obs (state m))
≤ (K - S k2) `min` length (obs (state m))
False
    unfold Observation in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
P: Address → Prop
Mi:= MO_component P i: VLSM Message
m: Message
H: ∀ (k : nat) (suffix : list BaseELMO.Observation) 
  (m' : Message),
  lastn k (obs (state m)) =
  addObservation' (MkObservation Send m') suffix
  → obs (state m') = suffix
    ∧ adr (state m') = adr (state m)
k1, k2: nat
Hlt: k1 < k2
ob1, ob2: BaseELMO.Observation
Heq1: k1 < length (obs (state m))
Hlbl1: label ob1 = Send
Heq2: k2 < length (obs (state m))
Hlbl2: label ob2 = Send
K: nat
HeqK: K = length (obs (state m))
Hobs1: obs (state (message ob1)) =
lastn (K - S k1) (obs (state m))
Hadr1: adr (state (message ob1)) = adr (state m)
Hobs2: obs (state (message ob2)) =
lastn (K - S k2) (obs (state m))
Hadr2: adr (state (message ob2)) = adr (state m)
Hsuf: (K - S k1) `min` length (obs (state m))
≤ (K - S k2) `min` length (obs (state m))
False
    by destruct (Nat.min_spec (K - S k1) (length (obs (state m)))) as [[H11 H12] | [H11 H12]],
             (Nat.min_spec (K - S k2) (length (obs (state m)))) as [[H21 H22] | [H21 H22]]
    ; rewrite ?H12, ?H22 in Hsuf; lia.
Qed.

End sec_MO_component_lemmas.

Section sec_MOProtocol.

Context
  (index : Type)
  `{finite.Finite index}
  (idx : index -> Address)
  `{!Inj (=) (=) idx}
  (P : Address -> Prop)
  (P' := fun adr => P adr /\ exists i : index, idx i = adr)
  (M : index -> VLSM Message := fun i => MO_component P' (idx i))
  .

Protocol

The MO protocol is a free composition of finitely many MO components (each with the same predicate P.

Definition MO : VLSM Message := free_composite_vlsm M.

Validators

Lemma MO_reachable_view (s : State) i :
  constrained_state_prop (M i) s
    <->
  UMO_reachable (const (MO_msg_valid P'))  s /\ adr s = idx i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
constrained_state_prop (M i) s
↔ UMO_reachable (const (MO_msg_valid P')) s
  ∧ adr s = idx i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
constrained_state_prop (M i) s
↔ UMO_reachable (const (MO_msg_valid P')) s
  ∧ adr s = idx i
  eapply iff_trans.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
constrained_state_prop (M i) s ↔ ?B
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
?B
↔ UMO_reachable (const (MO_msg_valid P')) s
  ∧ adr s = idx i
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
constrained_state_prop (M i) s ↔ ?B apply UMO_based_valid_reachable; cbn; [by inversion 1 | | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
∀ (s : BaseELMO.State) (om : option BaseELMO.Message),
  constrained_state_prop
    {|
      vlsm_type :=
        {|
          VLSM.state := BaseELMO.State;
          VLSM.label := Label
        |};
      vlsm_machine := MO_component_machine P' (idx i)
    |} s → MO_component_valid P' Send s om ↔ om = None
    by cbn; split; inversion 1; [| constructor].
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
↔ UMO_reachable (const (MO_msg_valid P')) s
  ∧ adr s = idx i apply Morphisms_Prop.and_iff_morphism; cbn; [| by firstorder].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
UMO_reachable
  (λ (s : BaseELMO.State) (m : BaseELMO.Message),
     MO_component_valid P' Receive s (Some m)) s
↔ UMO_reachable (const (MO_msg_valid P')) s
    by split; apply UMO_reachable_impl; inversion 1; subst; [| constructor..].
Qed.

Lemma MO_reachable_adr (s : State) i :
  constrained_state_prop (M i) s -> adr s = idx i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
constrained_state_prop (M i) s → adr s = idx i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
i: index
constrained_state_prop (M i) s → adr s = idx i
  by intros Hadr; apply MO_reachable_view in Hadr as [].
Qed.

Lemma MO_channel_authentication_prop :
  channel_authentication_prop M (Message_sender_index idx) (Message_sender idx).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
channel_authentication_prop M
  (Message_sender_index idx) (Message_sender idx)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
channel_authentication_prop M
  (Message_sender_index idx) (Message_sender idx)
  intros i m ((s & []) & [] & s' & [(Hs & _ & Hv) Ht]);
    inversion Hv; subst; inversion Ht; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
channel_authenticated_message
  (Message_sender_index idx) (Message_sender idx) i
  (MkMessage s)
  unfold channel_authenticated_message, Message_sender.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
option_map (Message_sender_index idx)
  match
    decide
      (is_Some
         (adr2idx idx (adr (state (MkMessage s)))))
  with
  | left Ha =>
      Some (dexist (adr (state (MkMessage s))) Ha)
  | right _ => None
  end = Some i
  erewrite MO_reachable_adr by done.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
option_map (Message_sender_index idx)
  match decide (is_Some (adr2idx idx (idx i))) with
  | left Ha => Some (dexist (idx i) Ha)
  | right _ => None
  end = Some i
  case_decide as Hadr; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: is_Some (adr2idx idx (idx i))
Some (Message_sender_index idx (dexist (idx i) Hadr)) =
Some i
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: ¬ is_Some (adr2idx idx (idx i))
None = Some i
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: is_Some (adr2idx idx (idx i))
Some (Message_sender_index idx (dexist (idx i) Hadr)) =
Some i by f_equal; apply Message_sender_index_inv.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hadr: ¬ is_Some (adr2idx idx (idx i))
None = Some i by contradict Hadr; rewrite adr2idx_idx.
Qed.

Lemma cannot_resend_message_stepwise_MO_component i :
  cannot_resend_message_stepwise_prop (M i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
cannot_resend_message_stepwise_prop (M i)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
cannot_resend_message_stepwise_prop (M i)
  intros ? * [(Hs & _ & Hv) Ht];
    inversion Hv; subst; inversion Ht; subst;
    simpl; split; intros Hobs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s ∈ sentMessages s
False
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s
∈ receivedMessages
    (s <+> MkObservation Send (MkMessage s))
False
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s ∈ sentMessages s
False by apply elem_of_sentMessages, obs_sizeState in Hobs; cbn in Hobs; lia.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s
∈ receivedMessages
    (s <+> MkObservation Send (MkMessage s))
False rewrite receivedMessages_addObservation, decide_False in Hobs by (intro; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm (M i)) s
Hv: valid Send (s, None)
Ht: transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
Hobs: MkMessage s ∈ receivedMessages s
False
    by apply elem_of_receivedMessages, obs_sizeState in Hobs; cbn in Hobs; lia.
Qed.

#[export] Instance MessageDependencies_MO_component i :
  MessageDependencies (M i) Message_dependencies.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
MessageDependencies (M i) Message_dependencies
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
MessageDependencies (M i) Message_dependencies
  constructor.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
∀ (m : Message) (s' : VLSM.state
                        (preloaded_with_all_messages_vlsm
                           (M i))),
  can_produce (preloaded_with_all_messages_vlsm (M i))
    s' m
  → message_dependencies_full_node_condition (M i)
      Message_dependencies s' m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
∀ m : Message,
  can_emit (preloaded_with_all_messages_vlsm (M i)) m
  → can_emit
      (preloaded_vlsm (M i)
         (λ msg : Message,
            msg ∈ Message_dependencies m)) m
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
∀ (m : Message) (s' : VLSM.state
                        (preloaded_with_all_messages_vlsm
                           (M i))),
  can_produce (preloaded_with_all_messages_vlsm (M i))
    s' m
  → message_dependencies_full_node_condition (M i)
      Message_dependencies s' m intros m s' ((s, iom) & l & [(_ & _ & Hv) Ht]) dm Hdm; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
s', s: BaseELMO.State
iom: option Message
l: Label
Hv: MO_component_valid P' l s iom
Ht: UMO_component_transition l s iom = (s', Some m)
dm: Message
Hdm: dm ∈ Message_dependencies m
has_been_directly_observed_from_sent_received (M i) s'
  dm
    apply elem_of_list_to_set, elem_of_list_fmap in Hdm as (o & -> & Hy).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
s', s: BaseELMO.State
iom: option Message
l: Label
Hv: MO_component_valid P' l s iom
Ht: UMO_component_transition l s iom = (s', Some m)
o: BaseELMO.Observation
Hy: o ∈ obs (state m)
has_been_directly_observed_from_sent_received (M i) s'
  (message o)
    inversion Hv; subst; inversion Ht; subst; cbn in *; clear Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
o: BaseELMO.Observation
Hy: o ∈ obs s
has_been_directly_observed_from_sent_received (M i)
  (s <+> MkObservation Send (MkMessage s)) (message o)
    red; unfold Message; simpl.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
o: BaseELMO.Observation
Hy: o ∈ obs s
message o
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
∨ message o
  ∈ receivedMessages
      (s <+> MkObservation Send (MkMessage s))
    destruct o as [[] ?].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
message: BaseELMO.Message
Hy: MkObservation Receive message ∈ obs s
BaseELMO.message (MkObservation Receive message)
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
∨ BaseELMO.message (MkObservation Receive message)
  ∈ receivedMessages
      (s <+> MkObservation Send (MkMessage s))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
message: BaseELMO.Message
Hy: MkObservation Send message ∈ obs s
BaseELMO.message (MkObservation Send message)
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
∨ BaseELMO.message (MkObservation Send message)
  ∈ receivedMessages
      (s <+> MkObservation Send (MkMessage s))
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
message: BaseELMO.Message
Hy: MkObservation Receive message ∈ obs s
BaseELMO.message (MkObservation Receive message)
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
∨ BaseELMO.message (MkObservation Receive message)
  ∈ receivedMessages
      (s <+> MkObservation Send (MkMessage s)) right; apply elem_of_receivedMessages_addObservation.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
message: BaseELMO.Message
Hy: MkObservation Receive message ∈ obs s
BaseELMO.message (MkObservation Receive message) =
BaseELMO.message (MkObservation Send (MkMessage s))
∧ isReceive (MkObservation Send (MkMessage s))
∨ BaseELMO.message (MkObservation Receive message)
  ∈ receivedMessages s
      by right; apply elem_of_receivedMessages.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
message: BaseELMO.Message
Hy: MkObservation Send message ∈ obs s
BaseELMO.message (MkObservation Send message)
∈ sentMessages
    (s <+> MkObservation Send (MkMessage s))
∨ BaseELMO.message (MkObservation Send message)
  ∈ receivedMessages
      (s <+> MkObservation Send (MkMessage s)) left; apply elem_of_sentMessages_addObservation.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: BaseELMO.State
Hv: MO_component_valid P' Send s None
message: BaseELMO.Message
Hy: MkObservation Send message ∈ obs s
BaseELMO.message (MkObservation Send message) =
BaseELMO.message (MkObservation Send (MkMessage s))
∧ isSend (MkObservation Send (MkMessage s))
∨ BaseELMO.message (MkObservation Send message)
  ∈ sentMessages s
      by right; apply elem_of_sentMessages.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
∀ m : Message,
  can_emit (preloaded_with_all_messages_vlsm (M i)) m
  → can_emit
      (preloaded_vlsm (M i)
         (λ msg : Message,
            msg ∈ Message_dependencies m)) m intros m Hm.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
Hm: can_emit (preloaded_with_all_messages_vlsm (M i))
  m
can_emit
  (preloaded_vlsm (M i)
     (λ msg : Message, msg ∈ Message_dependencies m))
  m
    apply can_emit_has_trace in Hm as (is & tr & item & Htr & Houtput).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
can_emit
  (preloaded_vlsm (M i)
     (λ msg : Message, msg ∈ Message_dependencies m))
  m
    apply (can_emit_from_valid_trace
      (preloaded_vlsm (M i) (fun msg : Message => msg ∈ Message_dependencies m)))
      with is (tr ++ [item]); cycle 1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
trace_has_message (field_selector output) m
  (tr ++ [item])
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
finite_valid_trace
  (preloaded_vlsm (M i)
     (λ msg : Message, msg ∈ Message_dependencies m))
  is (tr ++ [item])
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
trace_has_message (field_selector output) m
  (tr ++ [item]) apply Exists_exists; eexists.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
?x ∈ tr ++ [item] ∧ field_selector output m ?x
      by split; [apply elem_of_app; right; left |].
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
finite_valid_trace
  (preloaded_vlsm (M i)
     (λ msg : Message, msg ∈ Message_dependencies m))
  is (tr ++ [item]) eapply lift_preloaded_trace_to_seeded;
        [by apply cannot_resend_message_stepwise_MO_component | | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
trace_received_not_sent_before_or_after_invariant
  (tr ++ [item])
  (λ msg : Message, msg ∈ Message_dependencies m)
      intros dm [Hrcv Hnsnd].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ Message_dependencies m
      apply elem_of_list_to_set, elem_of_list_fmap.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
∃ y : BaseELMO.Observation,
  dm = message y ∧ y ∈ obs (state m)
      exists (MkObservation Receive dm); split; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
MkObservation Receive dm ∈ obs (state m)
      apply elem_of_receivedMessages.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      destruct Htr as [Htr His].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm (M i)) is
  (tr ++ [item])
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      apply finite_valid_trace_from_app_iff in Htr as [Htr Hitem].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm (M i)) is tr
Hitem: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm (M i))
  (finite_trace_last is tr) [item]
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      apply valid_trace_add_default_last in Htr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
Hitem: finite_valid_trace_from
  (preloaded_with_all_messages_vlsm (M i))
  (finite_trace_last is tr) [item]
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      apply first_transition_valid in Hitem as [(_ & _ & Hv) Ht].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
m: Message
is: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
tr: list transition_item
item: transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
Hv: valid (l item)
  (finite_trace_last is tr, input item)
Ht: transition (l item)
  (finite_trace_last is tr, input item) =
(destination item, output item)
His: initial_state_prop is
Houtput: output item = Some m
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++ [item])
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++ [item])
dm ∈ receivedMessages (state m)
      destruct item, l, input; cbn in *; inversion Hv; subst; inversion Ht; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
Hv: MO_component_valid P' Send
  (finite_trace_last is tr) None
Ht: (finite_trace_last is tr <+>
 MkObservation Send
   (MkMessage (finite_trace_last is tr)),
 Some (MkMessage (finite_trace_last is tr))) =
(finite_trace_last is tr <+>
 MkObservation Send
   (MkMessage (finite_trace_last is tr)),
 Some (MkMessage (finite_trace_last is tr)))
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hnsnd: ¬ trace_has_message (field_selector output) dm
    (tr ++
     [{|
        l := Send;
        input := None;
        destination :=
          finite_trace_last is tr <+>
          MkObservation Send
            (MkMessage
               (finite_trace_last is tr));
        output :=
          Some
            (MkMessage
               (finite_trace_last is tr))
      |}])
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
dm
∈ receivedMessages
    (state (MkMessage (finite_trace_last is tr)))
      clear Hv Ht Hnsnd; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
dm ∈ receivedMessages (finite_trace_last is tr)
      assert (Hrcv' : trace_has_message (field_selector input) dm tr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
trace_has_message (field_selector input) dm tr
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
Hrcv': trace_has_message (field_selector input) dm tr
dm ∈ receivedMessages (finite_trace_last is tr)
      {Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
trace_has_message (field_selector input) dm tr
        apply Exists_exists in Hrcv as (dm_item & Hdm_item & Hdm).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
dm_item: transition_item
Hdm_item: dm_item
∈ tr ++
  [{|
     l := Send;
     input := None;
     destination :=
       finite_trace_last is tr <+>
       MkObservation Send
         (MkMessage
            (finite_trace_last is tr));
     output :=
       Some
         (MkMessage
            (finite_trace_last is tr))
   |}]
Hdm: field_selector input dm dm_item
trace_has_message (field_selector input) dm tr
        rewrite elem_of_app, elem_of_list_singleton in Hdm_item.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
dm_item: transition_item
Hdm_item: dm_item ∈ tr
∨ dm_item =
  {|
    l := Send;
    input := None;
    destination :=
      finite_trace_last is tr <+>
      MkObservation Send
        (MkMessage
           (finite_trace_last is tr));
    output :=
      Some
        (MkMessage
           (finite_trace_last is tr))
  |}
Hdm: field_selector input dm dm_item
trace_has_message (field_selector input) dm tr
        destruct Hdm_item as [Hdm_item | ->]; cbn in Hdm; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
dm_item: transition_item
Hdm_item: dm_item ∈ tr
Hdm: input dm_item = Some dm
trace_has_message (field_selector input) dm tr
        by apply Exists_exists; eexists.
      }Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
is: BaseELMO.State
tr: list transition_item
Htr: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (M i)) is
  (finite_trace_last is tr) tr
His: UMO_component_initial_state_prop (idx i) is
dm: Message
Hrcv: trace_has_message (field_selector input) dm
  (tr ++
   [{|
      l := Send;
      input := None;
      destination :=
        finite_trace_last is tr <+>
        MkObservation Send
          (MkMessage (finite_trace_last is tr));
      output :=
        Some
          (MkMessage (finite_trace_last is tr))
    |}])
Hrcv': trace_has_message (field_selector input) dm tr
dm ∈ receivedMessages (finite_trace_last is tr)
      by eapply @has_been_received_examine_one_trace with (vlsm := M i) in Hrcv'; cycle 1.
Qed.

Lemma MO_msg_valid_free :
  forall (m : Message),
    MO_msg_valid P' m ->
    free_valid_message M Message_dependencies m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ m : Message,
  MO_msg_valid P' m
  → free_valid_message M Message_dependencies m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ m : Message,
  MO_msg_valid P' m
  → free_valid_message M Message_dependencies m
  induction m as (m & Hind) using (well_founded_ind
    (msg_dep_happens_before_wf Message_dependencies Message_full_dependencies _)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
MO_msg_valid P' m
→ free_valid_message M Message_dependencies m
  intros Hm; constructor.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
Hm: MO_msg_valid P' m
emittable M m
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
Hm: MO_msg_valid P' m
set_Forall (free_valid_message M Message_dependencies)
  (Message_dependencies m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
Hm: MO_msg_valid P' m
emittable M m remember (adr (state m)) as a; symmetry in Heqa.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
Hm: MO_msg_valid P' m
a: Address
Heqa: adr (state m) = a
emittable M m
    eapply constrained_state_prop_MO_msg_valid in Heqa as Hstate_m; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
Hm: MO_msg_valid P' m
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop 
  (MO_component P' a) (state m)
emittable M m
    apply MO_msg_valid_P_adr in Hm as (_  & i & Hi).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop 
  (MO_component P' a) (state m)
emittable M m
    rewrite <- Heqa, <- Hi in Hstate_m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
emittable M m
    red; unfold can_emit; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
∃ (i : index) (som : BaseELMO.State * option Message) 
  (l : Label) (s : BaseELMO.State),
  input_valid_transition
    (preloaded_with_all_messages_vlsm (M i)) l som
    (s, Some m)
    exists i, (state m, None), Send, (state m <+> MkObservation Send m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
input_valid_transition
  (preloaded_with_all_messages_vlsm (M i)) Send
  (state m, None)
  (state m <+> MkObservation Send m, Some m)
    repeat split; [done | ..].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (M i)) None
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
valid Send (state m, None)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
transition Send (state m, None) =
(state m <+> MkObservation Send m, Some m)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (M i)) None by apply any_message_is_valid_in_preloaded.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
valid Send (state m, None) by constructor.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
i: index
Hi: idx i = adr (state m)
a: Address
Heqa: adr (state m) = a
Hstate_m: constrained_state_prop
  (MO_component P' (idx i)) 
  (state m)
transition Send (state m, None) =
(state m <+> MkObservation Send m, Some m) by destruct m as [[]].
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: BaseELMO.Message
Hind: ∀ y : BaseELMO.Message,
  msg_dep_happens_before Message_dependencies y
    m
  → MO_msg_valid P' y
    → free_valid_message M Message_dependencies
        y
Hm: MO_msg_valid P' m
set_Forall (free_valid_message M Message_dependencies)
  (Message_dependencies m) by intros dm Hdm; apply Hind; [constructor | eapply MO_msg_valid_dep].
Qed.

Lemma MO_component_validating :
  forall (i : index),
    component_projection_validator_prop M (free_constraint M) i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ i : index,
  component_projection_validator_prop M
    (free_constraint M) i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ i : index,
  component_projection_validator_prop M
    (free_constraint M) i
  intros i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
component_projection_validator_prop M
  (free_constraint M) i
  eapply free_valid_message_yields_projection_validator;
    [by apply MO_channel_authentication_prop | by typeclasses eauto |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
free_valid_message_condition M Message_dependencies i
  intros li si m (_ & _ & Hv).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
li: VLSM.label
  (preloaded_with_all_messages_vlsm (M i))
si: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
m: Message
Hv: valid li (si, Some m)
free_valid_message M Message_dependencies m
  inversion Hv as [? ? Hm |]; subst; clear i si Hv.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
m: Message
Hm: MO_msg_valid P' m
free_valid_message M Message_dependencies m
  by apply MO_msg_valid_free.
Qed.

Equivocation

Lemma rec_obs_input_constrained_transition :
  forall (i : index) (s1 s2 : State) (m1 m2 : option Message) (lbl : Label),
    input_constrained_transition (M i) lbl (s1, m1) (s2, m2) ->
      forall ob : Observation, rec_obs s1 ob -> rec_obs s2 ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (i : index) (s1 s2 : State) (m1 m2 : option Message) 
  (lbl : Label),
  input_constrained_transition (M i) lbl (s1, m1)
    (s2, m2)
  → ∀ ob : Observation, rec_obs s1 ob → rec_obs s2 ob
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (i : index) (s1 s2 : State) (m1 m2 : option Message) 
  (lbl : Label),
  input_constrained_transition (M i) lbl (s1, m1)
    (s2, m2)
  → ∀ ob : Observation, rec_obs s1 ob → rec_obs s2 ob
  intros i s1 s2 m1 m2 lbl Hivt ob Hro.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s1, s2: State
m1, m2: option Message
lbl: Label
Hivt: input_constrained_transition 
  (M i) lbl (s1, m1) (s2, m2)
ob: Observation
Hro: rec_obs s1 ob
rec_obs s2 ob
  destruct Hivt as [(_ & _ & Hvalid) Ht]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s1, s2: State
m1, m2: option Message
lbl: Label
Hvalid: MO_component_valid P' lbl s1 m1
Ht: UMO_component_transition lbl s1 m1 = (s2, m2)
ob: Observation
Hro: rec_obs s1 ob
rec_obs s2 ob
  by inversion Hvalid; subst; inversion Ht; subst; cbn in *; constructor.
Qed.

Record incomparable_state (s1 s2 : State) : Prop :=
{
  incs_not_state_suffix12 : ~ state_suffix s1 s2;
  incs_not_state_suffix21 : ~ state_suffix s2 s1;
  incs_not_equal : s1 <> s2;
}.

Lemma rec_obs_send_inv
  (Q : State -> Observation -> Prop) s ob
  (Hnew : Q s (MkObservation Send (MkMessage s)))
  (Hprev : rec_obs s ob -> Q s ob) :
  rec_obs (s <+> MkObservation Send (MkMessage s)) ob -> Q s ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Observation → Prop
s: State
ob: BaseELMO.Observation
Hnew: Q s (MkObservation Send (MkMessage s))
Hprev: rec_obs s ob → Q s ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob
→ Q s ob
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Observation → Prop
s: State
ob: BaseELMO.Observation
Hnew: Q s (MkObservation Send (MkMessage s))
Hprev: rec_obs s ob → Q s ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob
→ Q s ob
  by inversion 1; (replace s with s0 in *; [auto | apply eq_State]).
Qed.

Lemma rec_obs_recv_inv
  (Q : State -> Message -> Observation -> Prop) s m ob
  (Hnew : Q s m (MkObservation Receive m))
  (Hprev : rec_obs s ob -> Q s m ob)
  (Hrecv : rec_obs (state m) ob -> Q s m ob) :
  rec_obs (s <+> MkObservation Receive m) ob -> Q s m ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Message → Observation → Prop
s: State
m: Message
ob: BaseELMO.Observation
Hnew: Q s m (MkObservation Receive m)
Hprev: rec_obs s ob → Q s m ob
Hrecv: rec_obs (state m) ob → Q s m ob
rec_obs (s <+> MkObservation Receive m) ob → Q s m ob
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Message → Observation → Prop
s: State
m: Message
ob: BaseELMO.Observation
Hnew: Q s m (MkObservation Receive m)
Hprev: rec_obs s ob → Q s m ob
Hrecv: rec_obs (state m) ob → Q s m ob
rec_obs (s <+> MkObservation Receive m) ob → Q s m ob
  by inversion 1; (replace s with s0 in *; [auto | apply eq_State]).
Qed.

Lemma rec_obs_addObservation_iff (s : State) (ob' ob : Observation) :
  rec_obs (s <+> ob) ob'
    <->
  rec_obs s ob' \/ ob' = ob \/ label ob = Receive /\ rec_obs (state (message ob)) ob'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
rec_obs (s <+> ob) ob'
↔ rec_obs s ob'
  ∨ ob' = ob
    ∨ label ob = Receive
      ∧ rec_obs (state (message ob)) ob'
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
rec_obs (s <+> ob) ob'
↔ rec_obs s ob'
  ∨ ob' = ob
    ∨ label ob = Receive
      ∧ rec_obs (state (message ob)) ob'
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
rec_obs (s <+> ob) ob'
→ rec_obs s ob'
  ∨ ob' = ob
    ∨ label ob = Receive
      ∧ rec_obs (state (message ob)) ob'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
rec_obs s ob'
∨ ob' = ob
  ∨ label ob = Receive
    ∧ rec_obs (state (message ob)) ob'
→ rec_obs (s <+> ob) ob'
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
rec_obs (s <+> ob) ob'
→ rec_obs s ob'
  ∨ ob' = ob
    ∨ label ob = Receive
      ∧ rec_obs (state (message ob)) ob' inversion 1; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob': Observation
H0: rec_obs (s <+> ob') ob'
s0: BaseELMO.State
H3: obs s0 = obs s
H4: adr s0 = adr s
rec_obs s ob'
∨ ob' = ob'
  ∨ label ob' = Receive
    ∧ rec_obs (state (message ob')) ob'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
H0: rec_obs (s <+> ob) ob'
s0: BaseELMO.State
H5: rec_obs s0 ob'
H3: obs s0 = obs s
H4: adr s0 = adr s
rec_obs s ob'
∨ ob' = ob
  ∨ label ob = Receive
    ∧ rec_obs (state (message ob)) ob'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob': Observation
m: BaseELMO.Message
H0: rec_obs (s <+> MkObservation Receive m) ob'
s0: BaseELMO.State
H5: rec_obs (state m) ob'
H3: obs s0 = obs s
H4: adr s0 = adr s
rec_obs s ob'
∨ ob' = MkObservation Receive m
  ∨ label (MkObservation Receive m) = Receive
    ∧ rec_obs
        (state (message (MkObservation Receive m)))
        ob'
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob': Observation
H0: rec_obs (s <+> ob') ob'
s0: BaseELMO.State
H3: obs s0 = obs s
H4: adr s0 = adr s
rec_obs s ob'
∨ ob' = ob'
  ∨ label ob' = Receive
    ∧ rec_obs (state (message ob')) ob' by right; left.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
H0: rec_obs (s <+> ob) ob'
s0: BaseELMO.State
H5: rec_obs s0 ob'
H3: obs s0 = obs s
H4: adr s0 = adr s
rec_obs s ob'
∨ ob' = ob
  ∨ label ob = Receive
    ∧ rec_obs (state (message ob)) ob' by left; replace s with s0 by (apply eq_State; done).
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob': Observation
m: BaseELMO.Message
H0: rec_obs (s <+> MkObservation Receive m) ob'
s0: BaseELMO.State
H5: rec_obs (state m) ob'
H3: obs s0 = obs s
H4: adr s0 = adr s
rec_obs s ob'
∨ ob' = MkObservation Receive m
  ∨ label (MkObservation Receive m) = Receive
    ∧ rec_obs
        (state (message (MkObservation Receive m)))
        ob' by right; right.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
rec_obs s ob'
∨ ob' = ob
  ∨ label ob = Receive
    ∧ rec_obs (state (message ob)) ob'
→ rec_obs (s <+> ob) ob' destruct 1 as [Hprev | [-> | Hob]].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
Hprev: rec_obs s ob'
rec_obs (s <+> ob) ob'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob: Observation
rec_obs (s <+> ob) ob
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
Hob: label ob = Receive
∧ rec_obs (state (message ob)) ob'
rec_obs (s <+> ob) ob'
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
Hprev: rec_obs s ob'
rec_obs (s <+> ob) ob' by apply rec_prev.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob: Observation
rec_obs (s <+> ob) ob by apply rec_new.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob', ob: Observation
Hob: label ob = Receive
∧ rec_obs (state (message ob)) ob'
rec_obs (s <+> ob) ob' destruct ob as [l m]; cbn in Hob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob': Observation
l: Label
m: BaseELMO.Message
Hob: l = Receive ∧ rec_obs (state m) ob'
rec_obs (s <+> MkObservation l m) ob'
      destruct Hob as [-> Hm].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob': Observation
m: BaseELMO.Message
Hm: rec_obs (state m) ob'
rec_obs (s <+> MkObservation Receive m) ob'
      by apply rec_recv.
Qed.

Lemma unfold_rec_obs :
  forall (s : State) (ob : Observation),
    rec_obs s ob
      <->
    ob ∈ obs s \/ exists m, MkObservation Receive m ∈ obs s /\ rec_obs (state m) ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (s : State) (ob : Observation),
  rec_obs s ob
  ↔ ob ∈ obs s
    ∨ (∃ m : BaseELMO.Message,
         MkObservation Receive m ∈ obs s
         ∧ rec_obs (state m) ob)
Proof using.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (s : State) (ob : Observation),
  rec_obs s ob
  ↔ ob ∈ obs s
    ∨ (∃ m : BaseELMO.Message,
         MkObservation Receive m ∈ obs s
         ∧ rec_obs (state m) ob) clear. (* avoid unneccessary dependence on section variables *)Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
∀ (s : State) (ob : Observation),
  rec_obs s ob
  ↔ ob ∈ obs s
    ∨ (∃ m : BaseELMO.Message,
         MkObservation Receive m ∈ obs s
         ∧ rec_obs (state m) ob)
  intros s ob; split.Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: State
ob: Observation
rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m : BaseELMO.Message,
       MkObservation Receive m ∈ obs s
       ∧ rec_obs (state m) ob)
Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: State
ob: Observation
ob ∈ obs s
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs s
     ∧ rec_obs (state m) ob) → 
rec_obs s ob
  -Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: State
ob: Observation
rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m : BaseELMO.Message,
       MkObservation Receive m ∈ obs s
       ∧ rec_obs (state m) ob) induction 1.Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: BaseELMO.State
ob: BaseELMO.Observation
H: rec_obs (s <+> ob) ob
ob ∈ obs (s <+> ob)
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (s <+> ob)
     ∧ rec_obs (state m) ob)
Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: BaseELMO.State
ob', ob: BaseELMO.Observation
H: rec_obs (s <+> ob') ob
r: rec_obs s ob
IHr: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m : BaseELMO.Message,
       MkObservation Receive m ∈ obs s
       ∧ rec_obs (state m) ob)
ob ∈ obs (s <+> ob')
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (s <+> ob')
     ∧ rec_obs (state m) ob)
Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: BaseELMO.State
m: BaseELMO.Message
ob: BaseELMO.Observation
H: rec_obs (s <+> MkObservation Receive m) ob
r: rec_obs (state m) ob
IHr: rec_obs (state m) ob
→ ob ∈ obs (state m)
  ∨ (∃ m0 : BaseELMO.Message,
       MkObservation Receive m0 ∈ obs (state m)
       ∧ rec_obs (state m0) ob)
ob ∈ obs (s <+> MkObservation Receive m)
∨ (∃ m0 : BaseELMO.Message,
     MkObservation Receive m0
     ∈ obs (s <+> MkObservation Receive m)
     ∧ rec_obs (state m0) ob)
    +Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: BaseELMO.State
ob: BaseELMO.Observation
H: rec_obs (s <+> ob) ob
ob ∈ obs (s <+> ob)
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (s <+> ob)
     ∧ rec_obs (state m) ob) by left; constructor.
    +Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: BaseELMO.State
ob', ob: BaseELMO.Observation
H: rec_obs (s <+> ob') ob
r: rec_obs s ob
IHr: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m : BaseELMO.Message,
       MkObservation Receive m ∈ obs s
       ∧ rec_obs (state m) ob)
ob ∈ obs (s <+> ob')
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (s <+> ob')
     ∧ rec_obs (state m) ob) by setoid_rewrite elem_of_addObservation; firstorder.
    +Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: BaseELMO.State
m: BaseELMO.Message
ob: BaseELMO.Observation
H: rec_obs (s <+> MkObservation Receive m) ob
r: rec_obs (state m) ob
IHr: rec_obs (state m) ob
→ ob ∈ obs (state m)
  ∨ (∃ m0 : BaseELMO.Message,
       MkObservation Receive m0 ∈ obs (state m)
       ∧ rec_obs (state m0) ob)
ob ∈ obs (s <+> MkObservation Receive m)
∨ (∃ m0 : BaseELMO.Message,
     MkObservation Receive m0
     ∈ obs (s <+> MkObservation Receive m)
     ∧ rec_obs (state m0) ob) by setoid_rewrite elem_of_addObservation; firstorder.
  -Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
s: State
ob: Observation
ob ∈ obs s
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs s
     ∧ rec_obs (state m) ob) → rec_obs s ob induction s using addObservation_ind.Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
ob: Observation
a: Address
ob ∈ obs (MkState [] a)
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (MkState [] a)
     ∧ rec_obs (state m) ob)
→ rec_obs (MkState [] a) ob
Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
ob: Observation
ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs s
     ∧ rec_obs (state m) ob) → 
rec_obs s ob
ob ∈ obs (s <+> ob0)
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (s <+> ob0)
     ∧ rec_obs (state m) ob) → 
rec_obs (s <+> ob0) ob
    +Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
ob: Observation
a: Address
ob ∈ obs (MkState [] a)
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (MkState [] a)
     ∧ rec_obs (state m) ob)
→ rec_obs (MkState [] a) ob by firstorder using elem_of_nil.
    +Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
ob: Observation
ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs s
     ∧ rec_obs (state m) ob) → 
rec_obs s ob
ob ∈ obs (s <+> ob0)
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs (s <+> ob0)
     ∧ rec_obs (state m) ob) → rec_obs (s <+> ob0) ob setoid_rewrite elem_of_addObservation.Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
ob: Observation
ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs s
     ∧ rec_obs (state m) ob) → 
rec_obs s ob
(ob = ob0 ∨ ob ∈ obs s)
∨ (∃ m : BaseELMO.Message,
     (MkObservation Receive m = ob0
      ∨ MkObservation Receive m ∈ obs s)
     ∧ rec_obs (state m) ob) → rec_obs (s <+> ob0) ob
      rewrite rec_obs_addObservation_iff.Address: Type
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
ob: Observation
ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s
∨ (∃ m : BaseELMO.Message,
     MkObservation Receive m ∈ obs s
     ∧ rec_obs (state m) ob) → 
rec_obs s ob
(ob = ob0 ∨ ob ∈ obs s)
∨ (∃ m : BaseELMO.Message,
     (MkObservation Receive m = ob0
      ∨ MkObservation Receive m ∈ obs s)
     ∧ rec_obs (state m) ob)
→ rec_obs s ob
  ∨ ob = ob0
    ∨ label ob0 = Receive
      ∧ rec_obs (state (message ob0)) ob
      by firstorder; subst; auto.
Qed.

Set Warnings "-cannot-define-projection".
Record local_equivocators (s : State) (i : Address) : Prop :=
{
  lceqv_ob1 : Observation;
  lceqv_ob2 : Observation;
  lceqv_adr1 : adr (state (message lceqv_ob1)) = i;
  lceqv_adr2 : adr (state (message lceqv_ob2)) = i;
  lceqv_rec_obs1 : rec_obs s lceqv_ob1;
  lceqv_rec_obs2 : rec_obs s lceqv_ob2;
  lceqv_incomparable : incomparable (message lceqv_ob1) (message lceqv_ob2);
}.
Set Warnings "cannot-define-projection".

Definition composite_rec_observation
  (s : VLSM.state MO) (ob : Observation) : Prop :=
    exists i : index, rec_obs (s i) ob.

Definition state_after_sending (m : Message) : State :=
  state m <+> MkObservation Send m.

Set Warnings "-cannot-define-projection".
Record global_equivocators
  (sigma : VLSM.state MO) (i : index) : Prop :=
{
  globeqv_ob : Observation;
  globeqv_adr : adr (state (message globeqv_ob)) = idx i;
  globeqv_cro : composite_rec_observation sigma globeqv_ob;
  s := state_after_sending (message globeqv_ob);
  globeqv_nss : ~ state_suffix s (sigma i);
  globeqv_neq : s <> sigma i;
}.
Set Warnings "cannot-define-projection".

Lemma obs_rec_obs :
  forall (s : State) ob,
    ob ∈ obs s -> rec_obs s ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (s : State) (ob : BaseELMO.Observation),
  ob ∈ obs s → rec_obs s ob
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (s : State) (ob : BaseELMO.Observation),
  ob ∈ obs s → rec_obs s ob
  intros s ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob: BaseELMO.Observation
ob ∈ obs s → rec_obs s ob
  induction s using addObservation_ind.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
a: Address
ob ∈ obs (MkState [] a) → rec_obs (MkState [] a) ob
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s → rec_obs s ob
ob ∈ obs (s <+> ob0) → rec_obs (s <+> ob0) ob
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
a: Address
ob ∈ obs (MkState [] a) → rec_obs (MkState [] a) ob by inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s → rec_obs s ob
ob ∈ obs (s <+> ob0) → rec_obs (s <+> ob0) ob intros [<- | Hob]%elem_of_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s → rec_obs s ob
rec_obs (s <+> ob) ob
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s → rec_obs s ob
Hob: ob ∈ obs s
rec_obs (s <+> ob0) ob
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s → rec_obs s ob
rec_obs (s <+> ob) ob by apply rec_new.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: ob ∈ obs s → rec_obs s ob
Hob: ob ∈ obs s
rec_obs (s <+> ob0) ob by apply rec_prev, IHs, Hob.
Qed.

Lemma messages_rec_obs :
  forall i (s : VLSM.state (M i)),
    constrained_state_prop (M i) s ->
    forall (m' : Message) (ob : Observation),
      m' ∈ messages s ->
      rec_obs (state m') ob ->
      rec_obs s ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (i : index) (s : VLSM.state (M i)),
  constrained_state_prop (M i) s
  → ∀ (m' : Message) (ob : Observation),
      m' ∈ messages s
      → rec_obs (state m') ob → rec_obs s ob
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (i : index) (s : VLSM.state (M i)),
  constrained_state_prop (M i) s
  → ∀ (m' : Message) (ob : Observation),
      m' ∈ messages s
      → rec_obs (state m') ob → rec_obs s ob
  intros i s Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state (M i)
Hs: constrained_state_prop (M i) s
∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
  induction Hs using valid_state_prop_ind.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: initial_state_prop s
∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
l: VLSM.label
  (preloaded_with_all_messages_vlsm (M i))
om, om': option Message
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm (M i)) l
  (s, om) (s', om')
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
∀ (m' : Message) (ob : Observation),
  m' ∈ messages s'
  → rec_obs (state m') ob → rec_obs s' ob
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Hs: initial_state_prop s
∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob destruct s as [ol a].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
ol: list BaseELMO.Observation
a: Address
Hs: initial_state_prop (MkState ol a)
∀ (m' : Message) (ob : Observation),
  m' ∈ messages (MkState ol a)
  → rec_obs (state m') ob → rec_obs (MkState ol a) ob
    assert (ol = []) as -> by apply Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
a: Address
Hs: initial_state_prop (MkState [] a)
∀ (m' : Message) (ob : Observation),
  m' ∈ messages (MkState [] a)
  → rec_obs (state m') ob → rec_obs (MkState [] a) ob
    by inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
l: VLSM.label
  (preloaded_with_all_messages_vlsm (M i))
om, om': option Message
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm (M i)) l
  (s, om) (s', om')
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
∀ (m' : Message) (ob : Observation),
  m' ∈ messages s'
  → rec_obs (state m') ob → rec_obs s' ob intros m' ob Hm' Hob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s': VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
l: VLSM.label
  (preloaded_with_all_messages_vlsm (M i))
om, om': option Message
s: VLSM.state
  (preloaded_with_all_messages_vlsm (M i))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm (M i)) l
  (s, om) (s', om')
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ messages s'
Hob: rec_obs (state m') ob
rec_obs s' ob
    destruct Ht as [(_ & _ & Hvalid) Ht], Hvalid as [s m _ | s];
      cbn in Ht; injection Ht as [= <- <-].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
m: Message
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ messages (s <+> MkObservation Receive m)
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Receive m) ob
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m'
∈ messages
    (s <+> MkObservation Send (MkMessage s))
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
m: Message
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ messages (s <+> MkObservation Receive m)
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Receive m) ob change (m' ∈ m :: messages s) in Hm'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
m: Message
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ m :: messages s
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Receive m) ob
      apply elem_of_cons in Hm' as [-> | Hm'].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
m: Message
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
ob: Observation
Hob: rec_obs (state m) ob
rec_obs (s <+> MkObservation Receive m) ob
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
m: Message
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ messages s
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Receive m) ob
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
m: Message
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
ob: Observation
Hob: rec_obs (state m) ob
rec_obs (s <+> MkObservation Receive m) ob by apply rec_recv.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
m: Message
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ messages s
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Receive m) ob by eapply rec_prev, IHHs.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m'
∈ messages
    (s <+> MkObservation Send (MkMessage s))
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob change (m' ∈ MkMessage s :: messages s) in Hm'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ MkMessage s :: messages s
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob
      apply elem_of_cons in Hm' as [-> | Hm'].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
ob: Observation
Hob: rec_obs (state (MkMessage s)) ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ messages s
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
ob: Observation
Hob: rec_obs (state (MkMessage s)) ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob by apply rec_prev.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
i: index
s: State
IHHs: ∀ (m' : Message) (ob : Observation),
  m' ∈ messages s
  → rec_obs (state m') ob → rec_obs s ob
m': Message
ob: Observation
Hm': m' ∈ messages s
Hob: rec_obs (state m') ob
rec_obs (s <+> MkObservation Send (MkMessage s)) ob by eapply rec_prev, IHHs.
Qed.

Lemma unfold_robs_fwd :
  forall (s : State) ob,
    rec_obs s ob ->
      ob ∈ obs s \/ exists (m' : Message), m' ∈ messages s /\ rec_obs (state m') ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (s : State) (ob : BaseELMO.Observation),
  rec_obs s ob
  → ob ∈ obs s
    ∨ (∃ m' : Message,
         m' ∈ messages s ∧ rec_obs (state m') ob)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (s : State) (ob : BaseELMO.Observation),
  rec_obs s ob
  → ob ∈ obs s
    ∨ (∃ m' : Message,
         m' ∈ messages s ∧ rec_obs (state m') ob)
  intros s ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob: BaseELMO.Observation
rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
  induction s using addObservation_ind; [by inversion 1 |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
rec_obs (s <+> ob0) ob
→ ob ∈ obs (s <+> ob0)
  ∨ (∃ m' : Message,
       m' ∈ messages (s <+> ob0)
       ∧ rec_obs (state m') ob)
  intro Hob; inversion Hob; subst; clear Hob
  ; replace s0 with s in * by (apply eq_State; done); clear H2 H3.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
ob ∈ obs (s <+> ob)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob) ∧ rec_obs (state m') ob)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
H4: rec_obs s ob
ob ∈ obs (s <+> ob0)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob0) ∧ rec_obs (state m') ob)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
m: BaseELMO.Message
s0: BaseELMO.State
H4: rec_obs (state m) ob
ob ∈ obs (s <+> MkObservation Receive m)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> MkObservation Receive m)
     ∧ rec_obs (state m') ob)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
ob ∈ obs (s <+> ob)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob) ∧ rec_obs (state m') ob) by left; constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
H4: rec_obs s ob
ob ∈ obs (s <+> ob0)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob0) ∧ rec_obs (state m') ob) destruct (IHs H4) as [Hob | (m' & Hm & Hob)].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
H4: rec_obs s ob
Hob: ob ∈ obs s
ob ∈ obs (s <+> ob0)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob0) ∧ rec_obs (state m') ob)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
H4: rec_obs s ob
m': Message
Hm: m' ∈ messages s
Hob: rec_obs (state m') ob
ob ∈ obs (s <+> ob0)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob0) ∧ rec_obs (state m') ob)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
H4: rec_obs s ob
Hob: ob ∈ obs s
ob ∈ obs (s <+> ob0)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob0) ∧ rec_obs (state m') ob) by left; constructor.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob, ob0: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
s0: BaseELMO.State
H4: rec_obs s ob
m': Message
Hm: m' ∈ messages s
Hob: rec_obs (state m') ob
ob ∈ obs (s <+> ob0)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> ob0) ∧ rec_obs (state m') ob) by right; exists m'; split; [constructor |].
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
ob: BaseELMO.Observation
s: BaseELMO.State
IHs: rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
m: BaseELMO.Message
s0: BaseELMO.State
H4: rec_obs (state m) ob
ob ∈ obs (s <+> MkObservation Receive m)
∨ (∃ m' : Message,
     m' ∈ messages (s <+> MkObservation Receive m)
     ∧ rec_obs (state m') ob) by right; exists m; split; [constructor |].
Qed.

Lemma unfold_robs_rev :
  forall [Q : State -> Message -> Prop] [s : State],
    UMO_reachable Q s ->
    forall ob,
      (ob ∈ obs s \/ exists (m' : Message), m' ∈ messages s /\ rec_obs (state m') ob) ->
        rec_obs s ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (Q : State → Message → Prop) (s : State),
  UMO_reachable Q s
  → ∀ ob : BaseELMO.Observation,
      ob ∈ obs s
      ∨ (∃ m' : Message,
           m' ∈ messages s ∧ rec_obs (state m') ob)
      → rec_obs s ob
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (Q : State → Message → Prop) (s : State),
  UMO_reachable Q s
  → ∀ ob : BaseELMO.Observation,
      ob ∈ obs s
      ∨ (∃ m' : Message,
           m' ∈ messages s ∧ rec_obs (state m') ob)
      → rec_obs s ob
  by induction 1; intros ob [Hob | [m' [Hob ?]]];
    apply (@not_elem_of_nil, @elem_of_addObservation, @elem_of_messages_addObservation) in Hob;
    destruct Hob; subst; constructor; eauto.
Qed.

Lemma unfold_robs :
  forall (Q : State -> Message -> Prop) (s : State),
    UMO_reachable Q s ->
    forall ob,
      rec_obs s ob
        <->
      ob ∈ obs s \/ exists (m' : Message), m' ∈ messages s /\ rec_obs (state m') ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (Q : State → Message → Prop) (s : State),
  UMO_reachable Q s
  → ∀ ob : BaseELMO.Observation,
      rec_obs s ob
      ↔ ob ∈ obs s
        ∨ (∃ m' : Message,
             m' ∈ messages s ∧ rec_obs (state m') ob)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
∀ (Q : State → Message → Prop) (s : State),
  UMO_reachable Q s
  → ∀ ob : BaseELMO.Observation,
      rec_obs s ob
      ↔ ob ∈ obs s
        ∨ (∃ m' : Message,
             m' ∈ messages s ∧ rec_obs (state m') ob)
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Message → Prop
s: State
H0: UMO_reachable Q s
ob: BaseELMO.Observation
rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Message → Prop
s: State
H0: UMO_reachable Q s
ob: BaseELMO.Observation
ob ∈ obs s
∨ (∃ m' : Message,
     m' ∈ messages s ∧ rec_obs (state m') ob)
→ rec_obs s ob
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Message → Prop
s: State
H0: UMO_reachable Q s
ob: BaseELMO.Observation
rec_obs s ob
→ ob ∈ obs s
  ∨ (∃ m' : Message,
       m' ∈ messages s ∧ rec_obs (state m') ob) by apply unfold_robs_fwd.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
Q: State → Message → Prop
s: State
H0: UMO_reachable Q s
ob: BaseELMO.Observation
ob ∈ obs s
∨ (∃ m' : Message,
     m' ∈ messages s ∧ rec_obs (state m') ob)
→ rec_obs s ob by eapply unfold_robs_rev.
Qed.

Lemma rec_obs_size_desc (s : State) (ob : Observation) :
  rec_obs s ob -> sizeState (state (message ob)) < sizeState s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob: Observation
rec_obs s ob
→ sizeState (state (message ob)) < sizeState s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
ob: Observation
rec_obs s ob
→ sizeState (state (message ob)) < sizeState s
  by induction 1; rewrite addObservation_size, sizeObservation_unfold; cbn; lia.
Qed.

Lemma rec_obs_acyclic (s : State) :
  forall l, ~ rec_obs s (MkObservation l (MkMessage s)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
∀ l : Label,
  ¬ rec_obs s (MkObservation l (MkMessage s))
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
P: Address → Prop
P':= λ adr : Address,
  P adr ∧ (∃ i : index, idx i = adr): Address → Prop
M:= λ i : index, MO_component P' (idx i): index → VLSM Message
s: State
∀ l : Label,
  ¬ rec_obs s (MkObservation l (MkMessage s))
  by intros l Hrobs; apply rec_obs_size_desc, Nat.lt_irrefl in Hrobs.
Qed.

End sec_MOProtocol.

End sec_MO.

Arguments rec_obs_send_inv : clear implicits.
Arguments rec_obs_recv_inv : clear implicits.