From VLSM.Lib Require Import Itauto.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
[Loading ML file coq-itauto.plugin ... done]
From Coq Require Import FunctionalExtensionality.
From stdpp Require Import prelude finite.
From VLSM.Lib Require Import Preamble StdppExtras StdppListSet.
From VLSM.Core Require Import VLSM VLSMProjections Composition Equivocation ProjectionTraces.
From VLSM.Examples Require Import BaseELMO.[Loading ML file extraction_plugin.cmxs (using legacy method) ... done]
[Loading ML file equations_plugin.cmxs (using legacy method) ... done]

ELMO: Protocol Definitions and Properties for UMO

This module contains definitions and properties of UMO components and the UMO protocol.

Section sec_UMO.

Context
  {Address : Type}
  `{EqDecision Address}
  (State := @State Address)
  (Observation := @Observation Address)
  (Message := @Message Address).

Component definition

The initial state has no observations and the same address as the component.

Definition UMO_component_initial_state_prop (i : Address) (st : State) : Prop :=
  obs st = [] /\ adr st = i.

Definition UMO_component_initial_state_type (i : Address) : Type :=
  {st : State | UMO_component_initial_state_prop i st}.

Program Definition UMO_component_initial_state
  (i : Address) : UMO_component_initial_state_type i := MkState [] i.
Next Obligation.Address: Type
State:= BaseELMO.State: Type
EqDecision0: EqDecision Address
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
UMO_component_initial_state_prop i (MkState [] i)
Proof.Address: Type
State:= BaseELMO.State: Type
EqDecision0: EqDecision Address
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
UMO_component_initial_state_prop i (MkState [] i)
  by compute.
Defined.

#[export] Instance Inhabited_UMO_component_initial_state_type (i : Address) :
  Inhabited (UMO_component_initial_state_type i) :=
    populate (UMO_component_initial_state i).

Definition UMO_component_transition
  (l : Label) (s : State) (om : option Message)
  : State * option Message :=
  match l, om with
  | Send, Some m => (s, om)
  | Send, None   =>
      let ob := MkObservation Send (MkMessage s) in
      let st := s <+> ob in
      let msg := Some (MkMessage s) in
        (st, msg)
  | Receive, None => (s, None)
  | Receive, Some m =>
      let ob := MkObservation Receive m in
      let st := s <+> ob in
      let msg := None in
        (st, msg)
  end.

Inductive UMO_component_valid : Label -> State -> option Message -> Prop :=
| OCV_Send    : forall st : State, UMO_component_valid Send st None
| OCV_Receive : forall (st : State) (msg : Message), UMO_component_valid Receive st (Some msg).

Ltac invert_UMO_component_valid :=
repeat match goal with
| H : UMO_component_valid Receive _ None  |- _ => inversion H; subst; clear H
| H : UMO_component_valid Send _ (Some _) |- _ => inversion H; subst; clear H
end.

Definition UMO_component_machine (i : Address) : VLSMMachine ELMO_component_type :=
{|
  initial_state_prop := UMO_component_initial_state_prop i;
  initial_message_prop := const False;
  s0 := Inhabited_UMO_component_initial_state_type i;
  transition := fun l '(st, om) => UMO_component_transition l st om;
  valid := fun l '(st, om) => UMO_component_valid l st om;
|}.

Definition UMO_component (i : Address) : VLSM Message :=
{|
  vlsm_type := ELMO_component_type;
  vlsm_machine := UMO_component_machine i;
|}.

UMO components have a unique initial state.

Lemma UMO_component_initial_state_unique :
  forall {i : Address} {s1 s2 : State},
    UMO_component_initial_state_prop i s1 ->
    UMO_component_initial_state_prop i s2 ->
      s1 = s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (s1 s2 : State),
  UMO_component_initial_state_prop i s1
  → UMO_component_initial_state_prop i s2 → s1 = s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (s1 s2 : State),
  UMO_component_initial_state_prop i s1
  → UMO_component_initial_state_prop i s2 → s1 = s2
  by do 2 inversion 1; destruct s1, s2; cbn in *; subst.
Qed.

Lemma UMO_component_initial_state_spec :
  forall {i : Address} {s : State},
    UMO_component_initial_state_prop i s -> s = MkState [] i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (s : State),
  UMO_component_initial_state_prop i s
  → s = MkState [] i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (s : State),
  UMO_component_initial_state_prop i s
  → s = MkState [] i
  by inversion 1; destruct s; cbn in *; subst.
Qed.

#[export] Instance HasBeenSentCapability_UMO_component
  (i : Address) : HasBeenSentCapability (UMO_component i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
HasBeenSentCapability (UMO_component i)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
HasBeenSentCapability (UMO_component i)
  apply Build_HasBeenSentCapability with (fun s m => m ∈ sentMessages s)
  ; [by intros s m; typeclasses eauto |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
has_been_sent_stepwise_prop
  (λ (s : BaseELMO.State) (m : Message),
     m ∈ sentMessages s)
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ s : VLSM.state (UMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ sentMessages s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (UMO_component i))) 
  (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            (UMO_component i))) 
  (im : option Message) 
  (s' : VLSM.state
          (preloaded_with_all_messages_vlsm
             (UMO_component i))) 
  (om : option Message),
  input_constrained_transition 
    (UMO_component i) l (
    s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ sentMessages s'
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ sentMessages s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ s : VLSM.state (UMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ sentMessages s by intros [] []; cbn in *; subst; cbn; apply not_elem_of_nil.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (UMO_component i))) (s : VLSM.state
                                       (preloaded_with_all_messages_vlsm
                                          (UMO_component
                                             i))) 
  (im : option Message) (s' : VLSM.state
                                (preloaded_with_all_messages_vlsm
                                   (UMO_component i))) 
  (om : option Message),
  input_constrained_transition (UMO_component i) l
    (s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ sentMessages s'
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ sentMessages s intros l s im s' om [(Hvsp & Hovmp & Hv) Ht] m; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
l: Label
s: BaseELMO.State
im: option Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) im
Hv: UMO_component_valid l s im
Ht: UMO_component_transition l s im = (s', om)
m: Message
m ∈ sentMessages s' ↔ om = Some m ∨ m ∈ sentMessages s
    destruct l, im; cbn in *; invert_UMO_component_valid
    ; inversion Ht; subst; clear Ht; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) 
  (Some m0)
Hv: UMO_component_valid Receive s (Some m0)
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Receive m0
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ None = Some m ∨ m ∈ sentMessages s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) None
Hv: UMO_component_valid Send s None
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage s)
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) 
  (Some m0)
Hv: UMO_component_valid Receive s (Some m0)
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Receive m0
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ None = Some m ∨ m ∈ sentMessages s by rewrite decide_False; cbn; firstorder congruence.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) None
Hv: UMO_component_valid Send s None
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Send (MkMessage s)
      :: filter isSend (obs s)
     else filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s rewrite decide_True by done; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) None
Hv: UMO_component_valid Send s None
m: Message
m ∈ MkMessage s :: map message (filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s
      unfold Message; rewrite elem_of_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) None
Hv: UMO_component_valid Send s None
m: Message
m = MkMessage s
∨ m ∈ map message (filter isSend (obs s))
↔ Some (MkMessage s) = Some m ∨ m ∈ sentMessages s
      by firstorder congruence.
Defined.

#[export] Instance HasBeenReceivedCapability_UMO_component
  (i : Address) : HasBeenReceivedCapability (UMO_component i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
HasBeenReceivedCapability (UMO_component i)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
HasBeenReceivedCapability (UMO_component i)
  eapply Build_HasBeenReceivedCapability with (fun s m => m ∈ receivedMessages s)
  ; [intros s m; typeclasses eauto | split].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ s : VLSM.state (UMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ receivedMessages s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (UMO_component i))) 
  (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            (UMO_component i))) 
  (im : option Message) 
  (s' : VLSM.state
          (preloaded_with_all_messages_vlsm
             (UMO_component i))) 
  (om : option Message),
  input_constrained_transition 
    (UMO_component i) l (
    s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ receivedMessages s'
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ receivedMessages s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ s : VLSM.state (UMO_component i),
  initial_state_prop s
  → ∀ m : Message, m ∉ receivedMessages s by intros [] []; cbn in *; subst; cbn; apply not_elem_of_nil.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
∀ (l : VLSM.label
         (preloaded_with_all_messages_vlsm
            (UMO_component i))) (s : VLSM.state
                                       (preloaded_with_all_messages_vlsm
                                          (UMO_component
                                             i))) 
  (im : option Message) (s' : VLSM.state
                                (preloaded_with_all_messages_vlsm
                                   (UMO_component i))) 
  (om : option Message),
  input_constrained_transition (UMO_component i) l
    (s, im) (s', om)
  → ∀ msg : Message,
      msg ∈ receivedMessages s'
      ↔ field_selector input msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ msg ∈ receivedMessages s intros l s im s' om [(Hvsp & Hovmp & Hv) Ht] m; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
l: Label
s: BaseELMO.State
im: option Message
s': BaseELMO.State
om: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) im
Hv: UMO_component_valid l s im
Ht: UMO_component_transition l s im = (s', om)
m: Message
m ∈ receivedMessages s'
↔ im = Some m ∨ m ∈ receivedMessages s
    destruct l, im; cbn in *; invert_UMO_component_valid
    ; inversion Ht; subst; clear Ht; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) 
  (Some m0)
Hv: UMO_component_valid Receive s (Some m0)
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Receive m0
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) None
Hv: UMO_component_valid Send s None
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Send (MkMessage s)
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ None = Some m ∨ m ∈ receivedMessages s
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) 
  (Some m0)
Hv: UMO_component_valid Receive s (Some m0)
m: Message
m
∈ map message
    (if decide True
     then
      MkObservation Receive m0
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s rewrite decide_True by done; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) 
  (Some m0)
Hv: UMO_component_valid Receive s (Some m0)
m: Message
m ∈ m0 :: map message (filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s
      unfold Message; rewrite elem_of_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
m0: Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) 
  (Some m0)
Hv: UMO_component_valid Receive s (Some m0)
m: Message
m = m0 ∨ m ∈ map message (filter isReceive (obs s))
↔ Some m0 = Some m ∨ m ∈ receivedMessages s
      by firstorder congruence.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: BaseELMO.State
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) s
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) None
Hv: UMO_component_valid Send s None
m: Message
m
∈ map message
    (if decide False
     then
      MkObservation Send (MkMessage s)
      :: filter isReceive (obs s)
     else filter isReceive (obs s))
↔ None = Some m ∨ m ∈ receivedMessages s by rewrite decide_False; cbn; firstorder congruence.
Defined.

#[export] Instance HasBeenDirectlyObservedCapability_UMO_component
  (i : Address) : HasBeenDirectlyObservedCapability (UMO_component i) :=
    HasBeenDirectlyObservedCapability_from_sent_received (UMO_component i).

A reachability predicate specialized for VLSMs refining UMO. UMO_reachable C s is equivalent to constrained_state_prop V s if the valid transitions of VLSM V follow UMO_component_transition and the validity predicate is a refinement of UMO_component_valid which does not further restrict the Send case.

Inductive UMO_reachable (C : State -> Message -> Prop) : State -> Prop :=
| reach_init :
    forall a, UMO_reachable C (MkState [] a)
| reach_send :
    forall s, UMO_reachable C s -> UMO_reachable C (s <+> MkObservation Send (MkMessage s))
| reach_recv :
    forall s msg, C s msg -> UMO_reachable C s ->
      UMO_reachable C (s <+> MkObservation Receive msg).

An alternative induction principle for UMO_reachable which has a single case for addObservation that covers both Send and Receive. The hypotheses available in that case use a match on the label to cover the differences between the cases. This is useful for proofs where the Send and Receive cases share some reasoning.

Lemma UMO_reachable_ind'
  (C : State -> Message -> Prop) (P : State -> Prop)
  (Hinit : forall a, P (MkState [] a))
  (Hextend : forall s l msg,
      UMO_reachable C s ->
      match l with
      | Send => msg = MkMessage s
      | Receive => C s msg
      end ->
      P s -> P (s <+> MkObservation l msg)) :
  forall s, UMO_reachable C s -> P s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
∀ s : State, UMO_reachable C s → P s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
∀ s : State, UMO_reachable C s → P s
  intros s Hs; induction Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
a: Address
P (MkState [] a)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
s: State
Hs: UMO_reachable C s
IHHs: P s
P (s <+> MkObservation Send (MkMessage s))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
s: State
msg: Message
H: C s msg
Hs: UMO_reachable C s
IHHs: P s
P (s <+> MkObservation Receive msg)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
a: Address
P (MkState [] a) by apply Hinit.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
s: State
Hs: UMO_reachable C s
IHHs: P s
P (s <+> MkObservation Send (MkMessage s)) by apply Hextend.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C: State → Message → Prop
P: State → Prop
Hinit: ∀ a : Address, P (MkState [] a)
Hextend: ∀ (s : State) (l : Label) (msg : Message),
  UMO_reachable C s
  → match l with
    | Receive => C s msg
    | Send => msg = MkMessage s
    end
    → P s → P (s <+> MkObservation l msg)
s: State
msg: Message
H: C s msg
Hs: UMO_reachable C s
IHHs: P s
P (s <+> MkObservation Receive msg) by apply Hextend.
Qed.

A specialized induction principle for UMO_reachable when the conclusion begins with ∀ m, m ∈ messages s → .... This handles splitting m ∈ messages (s <+> ob) into cases for m ∈ messages s and for the new observation, and uses a new case HPrev to handle the m ∈ messages s parts for both Send and Receive. Unfortunately the induction _ using _ variant of the induction tactic cannot recognize this lemma as an induction principle, so it must be used with refine or apply.

Lemma UMO_reachable_elem_of_messages_ind
  (C : State -> Message -> Prop)
  (P : State -> Message -> Prop)
  (HPrev : forall s (Hs : UMO_reachable C s) m ob,
    m ∈ messages s ->
    P s m -> P (s <+> ob) m)
  (HSend : forall s (Hs : UMO_reachable C s),
    (forall m', m' ∈ messages s -> P s m') ->
    P (s <+> MkObservation Send (MkMessage s)) (MkMessage s))
  (HRecv : forall s (Hs : UMO_reachable C s) mr,
    C s mr ->
    (forall m', m' ∈ messages s -> P s m') ->
    P (s <+> MkObservation Receive mr) mr) :
  forall s, UMO_reachable C s ->
    forall m', m' ∈ messages s -> P s m'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
∀ s : State,
  UMO_reachable C s
  → ∀ m' : Message, m' ∈ messages s → P s m'
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
∀ s : State,
  UMO_reachable C s
  → ∀ m' : Message, m' ∈ messages s → P s m'
  intros s Hs; induction Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
a: Address
∀ m' : Message,
  m' ∈ messages (MkState [] a) → P (MkState [] a) m'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
s: State
Hs: UMO_reachable C s
IHHs: ∀ m' : Message, m' ∈ messages s → P s m'
∀ m' : Message,
  m'
  ∈ messages (s <+> MkObservation Send (MkMessage s))
  → P (s <+> MkObservation Send (MkMessage s)) m'
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
s: State
msg: Message
H: C s msg
Hs: UMO_reachable C s
IHHs: ∀ m' : Message, m' ∈ messages s → P s m'
∀ m' : Message,
  m' ∈ messages (s <+> MkObservation Receive msg)
  → P (s <+> MkObservation Receive msg) m'
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
a: Address
∀ m' : Message,
  m' ∈ messages (MkState [] a) → P (MkState [] a) m' by inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
s: State
Hs: UMO_reachable C s
IHHs: ∀ m' : Message, m' ∈ messages s → P s m'
∀ m' : Message,
  m'
  ∈ messages (s <+> MkObservation Send (MkMessage s))
  → P (s <+> MkObservation Send (MkMessage s)) m' by intros m' [-> | Hm']%elem_of_messages_addObservation; eauto.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
C, P: State → Message → Prop
HPrev: ∀ s : State,
  UMO_reachable C s
  → ∀ (m : Message) (ob : BaseELMO.Observation),
      m ∈ messages s → P s m → P (s <+> ob) m
HSend: ∀ s : State,
  UMO_reachable C s
  → (∀ m' : Message, m' ∈ messages s → P s m')
    → P
        (s <+>
         MkObservation Send (MkMessage s))
        (MkMessage s)
HRecv: ∀ s : State,
  UMO_reachable C s
  → ∀ mr : Message,
      C s mr
      → (∀ m' : Message,
           m' ∈ messages s → P s m')
        → P (s <+> MkObservation Receive mr)
            mr
s: State
msg: Message
H: C s msg
Hs: UMO_reachable C s
IHHs: ∀ m' : Message, m' ∈ messages s → P s m'
∀ m' : Message,
  m' ∈ messages (s <+> MkObservation Receive msg)
  → P (s <+> MkObservation Receive msg) m' by intros m' [-> | Hm']%elem_of_messages_addObservation; eauto.
Qed.

Lemma UMO_reachable_impl (P Q : State -> Message -> Prop) (HPQ : forall s m, P s m -> Q s m) :
  forall s, UMO_reachable P s -> UMO_reachable Q s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P, Q: State → Message → Prop
HPQ: ∀ (s : State) (m : Message), P s m → Q s m
∀ s : State, UMO_reachable P s → UMO_reachable Q s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
P, Q: State → Message → Prop
HPQ: ∀ (s : State) (m : Message), P s m → Q s m
∀ s : State, UMO_reachable P s → UMO_reachable Q s
  by induction 1; constructor; auto.
Qed.

Send transitions in a constrained state are ok.

Lemma input_constrained_transition_Send :
  forall (i : Address) (m : Message),
    constrained_state_prop (UMO_component i) (state m) ->
      input_constrained_transition (UMO_component i)
        Send (state m, None) (state m <+> MkObservation Send m, Some m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (m : Message),
  constrained_state_prop (UMO_component i) (state m)
  → input_constrained_transition (UMO_component i)
      Send (state m, None)
      (state m <+> MkObservation Send m, Some m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (m : Message),
  constrained_state_prop (UMO_component i) (state m)
  → input_constrained_transition (UMO_component i)
      Send (state m, None)
      (state m <+> MkObservation Send m, Some m)
  intros; do 2 (red; cbn); split_and!.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (state m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  None
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
UMO_component_valid Send (state m) None
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
(state m <+> MkObservation Send (MkMessage (state m)),
 Some (MkMessage (state m))) =
(state m <+> MkObservation Send m, Some m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (state m) done.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  None by apply option_valid_message_None.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
UMO_component_valid Send (state m) None by constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
m: Message
H: constrained_state_prop (UMO_component i) (state m)
(state m <+> MkObservation Send (MkMessage (state m)),
 Some (MkMessage (state m))) =
(state m <+> MkObservation Send m, Some m) by do 3 f_equal; apply eq_Message.
Qed.

Receive transitions in a constrained state are ok.

Lemma input_constrained_transition_Receive :
  forall (i : Address) (s : State) (m : Message),
    constrained_state_prop (UMO_component i) s ->
    input_constrained_transition (UMO_component i)
      Receive (s, Some m) (s <+> MkObservation Receive m, None).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (s : State) (m : Message),
  constrained_state_prop (UMO_component i) s
  → input_constrained_transition (UMO_component i)
      Receive (s, Some m)
      (s <+> MkObservation Receive m, None)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
∀ (i : Address) (s : State) (m : Message),
  constrained_state_prop (UMO_component i) s
  → input_constrained_transition (UMO_component i)
      Receive (s, Some m)
      (s <+> MkObservation Receive m, None)
  intros; do 2 (red; cbn); split_and!; [done | | | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: State
m: Message
H: constrained_state_prop (UMO_component i) s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (Some m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: State
m: Message
H: constrained_state_prop (UMO_component i) s
UMO_component_valid Receive s (Some m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: State
m: Message
H: constrained_state_prop (UMO_component i) s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (Some m) by apply any_message_is_valid_in_preloaded.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
s: State
m: Message
H: constrained_state_prop (UMO_component i) s
UMO_component_valid Receive s (Some m) by constructor.
Qed.

This lemma shows that for a VLSM based on UMO reachability in the VLSM according to constrained_state_prop is equivalent to UMO_reachable with a predicate based on the VLSM's valid predicate, plus a condition on the address.

In particular the VLSM must work over the same VLSMType as UMO, of Message, State, and Label, the transition function must be UMO_component_transition, and the valid and initial_state_prop must be restrictions of UMO's predicates.

This lemma usually should not be used directly, but instead used to prove a "view" lemma for a specific VLSM, such as ELMO_reachable_view in the VLSM.ELMO.ELMO module.

Lemma UMO_based_valid_reachable
  (VM : VLSMMachine (Build_VLSMType Message State Label))
  (V := mk_vlsm VM)
  (Hinit_empty : forall si, initial_state_prop V si -> obs si = [])
  (Hsend_spec : forall s om, constrained_state_prop V s -> valid V Send (s, om) <-> om = None)
  (Htransition : forall l s om, transition V l (s, om) = UMO_component_transition l s om) :
  forall (s : State),
    constrained_state_prop V s
      <->
    UMO_reachable (fun s m => VM.(valid) Receive (s, Some m)) s
      /\ initial_state_prop V (MkState [] (adr s)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
∀ s : State,
  constrained_state_prop V s
  ↔ UMO_reachable
      (λ (s0 : State) (m : Message),
         valid Receive (s0, Some m)) s
    ∧ initial_state_prop (MkState [] (adr s))
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
∀ s : State,
  constrained_state_prop V s
  ↔ UMO_reachable
      (λ (s0 : State) (m : Message),
         valid Receive (s0, Some m)) s
    ∧ initial_state_prop (MkState [] (adr s))
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
constrained_state_prop V s
→ UMO_reachable
    (λ (s : State) (m : Message),
       valid Receive (s, Some m)) s
  ∧ initial_state_prop (MkState [] (adr s))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
constrained_state_prop V s
→ UMO_reachable
    (λ (s : State) (m : Message),
       valid Receive (s, Some m)) s
  ∧ initial_state_prop (MkState [] (adr s)) intros Hs; induction Hs using valid_state_prop_ind.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hs: initial_state_prop s
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm V) l (
  s, om) (s', om')
IHHs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s'
∧ initial_state_prop (MkState [] (adr s'))
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hs: initial_state_prop s
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s)) destruct s as [ol a].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
ol: list BaseELMO.Observation
a: Address
Hs: initial_state_prop (MkState ol a)
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) (MkState ol a)
∧ initial_state_prop (MkState [] (adr (MkState ol a)))
      cbn in *; replace ol with (@nil Observation) in * by (specialize (Hinit_empty _ Hs); done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : State,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : State) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : Label) (s : State) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
ol: list BaseELMO.Observation
a: Address
Hs: initial_state_prop (MkState [] a)
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) (MkState [] a)
∧ initial_state_prop (MkState [] a)
      by split; [apply reach_init |].
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm V) l (
  s, om) (s', om')
IHHs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s'
∧ initial_state_prop (MkState [] (adr s')) destruct Ht as [(_ & _ & Hvalid) Ht].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid l (s, om)
Ht: transition l (s, om) = (s', om')
IHHs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s'
∧ initial_state_prop (MkState [] (adr s'))
      cbn in Ht; rewrite Htransition in Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid l (s, om)
Ht: UMO_component_transition l s om = (s', om')
IHHs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s'
∧ initial_state_prop (MkState [] (adr s'))
      destruct IHHs as [IH Hadr].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s': VLSM.state (preloaded_with_all_messages_vlsm V)
l: VLSM.label (preloaded_with_all_messages_vlsm V)
om, om': option Message
s: VLSM.state (preloaded_with_all_messages_vlsm V)
Hvalid: valid l (s, om)
Ht: UMO_component_transition l s om = (s', om')
IH: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop (MkState [] (adr s))
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s'
∧ initial_state_prop (MkState [] (adr s'))
      by destruct l, om; inversion Ht; subst; auto using @UMO_reachable.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
∧ initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s intros [Hs Hadr].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop (MkState [] (adr s))
constrained_state_prop V s
    induction Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
a: Address
Hadr: initial_state_prop
  (MkState [] (adr (MkState [] a)))
constrained_state_prop V (MkState [] a)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
constrained_state_prop V
  (s <+> MkObservation Send (MkMessage s))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
constrained_state_prop V
  (s <+> MkObservation Receive msg)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
a: Address
Hadr: initial_state_prop
  (MkState [] (adr (MkState [] a)))
constrained_state_prop V (MkState [] a) by apply initial_state_is_valid.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
constrained_state_prop V
  (s <+> MkObservation Send (MkMessage s)) apply input_valid_transition_destination
        with (l := Send) (s := s) (om := None) (om' := Some (MkMessage s)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
input_valid_transition
  (preloaded_with_all_messages_vlsm V) Send (s, None)
  (s <+> MkObservation Send (MkMessage s),
   Some (MkMessage s))
      repeat split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
valid_state_prop (preloaded_with_all_messages_vlsm V)
  s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm V) None
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
valid Send (s, None)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s))
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
valid_state_prop (preloaded_with_all_messages_vlsm V)
  s by apply IHHs.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm V) None by apply option_valid_message_None.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
valid Send (s, None) by apply Hsend_spec; [apply IHHs |].
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr
        (s <+> MkObservation Send (MkMessage s))))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
transition Send (s, None) =
(s <+> MkObservation Send (MkMessage s),
 Some (MkMessage s)) by cbn; rewrite Htransition.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
constrained_state_prop V
  (s <+> MkObservation Receive msg) apply input_valid_transition_destination
        with (l := Receive) (s := s) (om := Some msg) (om' := None).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
input_valid_transition
  (preloaded_with_all_messages_vlsm V) Receive
  (s, Some msg)
  (s <+> MkObservation Receive msg, None)
      repeat split; [| | done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
valid_state_prop (preloaded_with_all_messages_vlsm V)
  s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm V) 
  (Some msg)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
transition Receive (s, Some msg) =
(s <+> MkObservation Receive msg, None)
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
valid_state_prop (preloaded_with_all_messages_vlsm V)
  s by apply IHHs.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
option_valid_message_prop
  (preloaded_with_all_messages_vlsm V) (Some msg) by apply any_message_is_valid_in_preloaded.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
VM: VLSMMachine
  {| VLSM.state := State; VLSM.label := Label |}
V:= {|
  vlsm_type :=
    {| VLSM.state := State; VLSM.label := Label |};
  vlsm_machine := VM
|}: VLSM Message
Hinit_empty: ∀ si : VLSM.state V,
  initial_state_prop si → obs si = []
Hsend_spec: ∀ (s : VLSM.state
         (preloaded_with_all_messages_vlsm
            V)) (om : option Message),
  constrained_state_prop V s
  → valid Send (s, om) ↔ om = None
Htransition: ∀ (l : VLSM.label V) (s : VLSM.state V) 
  (om : option Message),
  transition l (s, om) =
  UMO_component_transition l s om
s: State
msg: Message
H: valid Receive (s, Some msg)
Hs: UMO_reachable
  (λ (s : State) (m : Message),
     valid Receive (s, Some m)) s
Hadr: initial_state_prop
  (MkState []
     (adr (s <+> MkObservation Receive msg)))
IHHs: initial_state_prop (MkState [] (adr s))
→ constrained_state_prop V s
transition Receive (s, Some msg) =
(s <+> MkObservation Receive msg, None) by cbn; rewrite Htransition.
Qed.

Every valid state contains a unique valid trace leading to it

To prove this, we will need some basic properties of UMO components.

Section sec_UMO_component_lemmas.

Ui is a notation for an UMO_component of address i.

Context
  {i : Address}
  (Ui : VLSM Message := UMO_component i)
  .

Lemma UMO_reachable_valid_state_prop :
  forall s, valid_state_prop Ui s ->
  UMO_reachable (const (const True)) s /\ adr s = i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : VLSM.state Ui,
  valid_state_prop Ui s
  → UMO_reachable (const (const True)) s ∧ adr s = i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : VLSM.state Ui,
  valid_state_prop Ui s
  → UMO_reachable (const (const True)) s ∧ adr s = i
  induction 1 using valid_state_prop_ind;
    [by destruct s, Hs as [Hobs Hadr]; cbn in *; subst; split; [constructor 1 |] |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s': VLSM.state Ui
l: VLSM.label Ui
om, om': option Message
s: VLSM.state Ui
Ht: input_valid_transition Ui l (s, om) (s', om')
IHvalid_state_prop: UMO_reachable
  (const (const True)) s
∧ adr s = i
UMO_reachable (const (const True)) s' ∧ adr s' = i
  by destruct Ht as [(_ & _ & Hv) Ht]; inversion Hv; subst; inversion Ht; subst;
    destruct_and!; (split; [constructor |]).
Qed.

Lemma UMO_reachable_constrained_state_prop :
  forall (s : State),
    constrained_state_prop (UMO_component i) s
      <->
    UMO_reachable (fun _ _ => True) s /\ adr s = i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop (UMO_component i) s
  ↔ UMO_reachable (λ (_ : State) (_ : Message), True)
      s ∧ adr s = i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop (UMO_component i) s
  ↔ UMO_reachable (λ (_ : State) (_ : Message), True)
      s ∧ adr s = i
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
constrained_state_prop (UMO_component i) s
→ UMO_reachable (λ (_ : State) (_ : Message), True) s
  ∧ adr s = i
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
UMO_reachable (λ (_ : State) (_ : Message), True) s
∧ adr s = i
→ constrained_state_prop (UMO_component i) s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
constrained_state_prop (UMO_component i) s
→ UMO_reachable (λ (_ : State) (_ : Message), True) s
  ∧ adr s = i induction 1 using valid_state_prop_ind;
      [by destruct s, Hs as [Hobs Hadr]; cbn in *; subst; split; [constructor 1 |] |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s': VLSM.state
  (preloaded_with_all_messages_vlsm
     (UMO_component i))
l: VLSM.label
  (preloaded_with_all_messages_vlsm
     (UMO_component i))
om, om': option Message
s: VLSM.state
  (preloaded_with_all_messages_vlsm
     (UMO_component i))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (UMO_component i)) l (
  s, om) (s', om')
IHvalid_state_prop: UMO_reachable
  (λ (_ : State) (_ : Message),
     True) s ∧ adr s = i
UMO_reachable (λ (_ : State) (_ : Message), True) s'
∧ adr s' = i
    by destruct Ht as [(_ & _ & Hv) Ht]; inversion Hv; subst; inversion Ht; subst;
      destruct_and!; (split; [constructor |]).
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
UMO_reachable (λ (_ : State) (_ : Message), True) s
∧ adr s = i
→ constrained_state_prop (UMO_component i) s intros [Hur Hadr].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) s
Hadr: adr s = i
constrained_state_prop (UMO_component i) s
    induction Hur; red; cbn in Hadr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
a: Address
Hadr: a = i
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (MkState [] a)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) s
Hadr: adr s = i
IHHur: adr s = i
→ constrained_state_prop (UMO_component i) s
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (s <+> MkObservation Send (MkMessage s))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
msg: Message
H: True
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) s
Hadr: adr s = i
IHHur: adr s = i
→ constrained_state_prop (UMO_component i) s
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (s <+> MkObservation Receive msg)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
a: Address
Hadr: a = i
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (MkState [] a) by apply initial_state_is_valid; cbv.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) s
Hadr: adr s = i
IHHur: adr s = i
→ constrained_state_prop (UMO_component i) s
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (s <+> MkObservation Send (MkMessage s)) by eapply input_valid_transition_destination, input_constrained_transition_Send, IHHur.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
msg: Message
H: True
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) s
Hadr: adr s = i
IHHur: adr s = i
→ constrained_state_prop (UMO_component i) s
valid_state_prop
  (preloaded_with_all_messages_vlsm (UMO_component i))
  (s <+> MkObservation Receive msg) by eapply input_valid_transition_destination, input_constrained_transition_Receive, IHHur.
Qed.

The initial state of Ui is unique.

Lemma vs0_uniqueness :
  forall is : State,
    UMO_component_initial_state_prop i is ->
      is = ``(vs0 Ui).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ is : State,
  UMO_component_initial_state_prop i is
  → is = `(vs0 Ui)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ is : State,
  UMO_component_initial_state_prop i is
  → is = `(vs0 Ui)
  by intros []; inversion 1; cbv in *; by subst.
Qed.

Transitions of an UMO component preserve the address of the component.

Lemma UMO_component_transition_adr :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    UMO_component_transition lbl s1 iom = (s2, oom) ->
      adr s2 = adr s1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  UMO_component_transition lbl s1 iom = (s2, oom)
  → adr s2 = adr s1
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  UMO_component_transition lbl s1 iom = (s2, oom)
  → adr s2 = adr s1
  by intros s1 s2 [im |] oom []; inversion_clear 1.
Qed.

For every trace segment, the initial and final state have the same address.

Lemma adr_of_states_within_constrained_trace :
  forall (is s : State) (tr : list transition_item),
    finite_constrained_trace_from_to Ui is s tr ->
      adr s = adr is.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui is s tr
  → adr s = adr is
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui is s tr
  → adr s = adr is
  induction 1; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: adr f = adr s
adr f = adr s'
  transitivity (adr s); [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: adr f = adr s
adr s = adr s'
  eapply UMO_component_transition_adr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: adr f = adr s
UMO_component_transition ?lbl s' ?iom = (s, ?oom)
  by destruct Ht as [_ Ht]; cbn in Ht.
Qed.

Lemma adr_of_states_within_valid_trace :
  forall (is s : State) (tr : list transition_item),
    finite_valid_trace_from_to Ui is s tr ->
      adr s = adr is.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_from_to Ui is s tr
  → adr s = adr is
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_from_to Ui is s tr
  → adr s = adr is
  induction 1; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state Ui
tl: list transition_item
H: finite_valid_trace_from_to Ui s f tl
s': VLSM.state Ui
iom, oom: option Message
l: VLSM.label Ui
Ht: input_valid_transition Ui l (s', iom) (s, oom)
IHfinite_valid_trace_from_to: adr f = adr s
adr f = adr s'
  transitivity (adr s); [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state Ui
tl: list transition_item
H: finite_valid_trace_from_to Ui s f tl
s': VLSM.state Ui
iom, oom: option Message
l: VLSM.label Ui
Ht: input_valid_transition Ui l (s', iom) (s, oom)
IHfinite_valid_trace_from_to: adr f = adr s
adr s = adr s'
  eapply UMO_component_transition_adr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state Ui
tl: list transition_item
H: finite_valid_trace_from_to Ui s f tl
s': VLSM.state Ui
iom, oom: option Message
l: VLSM.label Ui
Ht: input_valid_transition Ui l (s', iom) (s, oom)
IHfinite_valid_trace_from_to: adr f = adr s
UMO_component_transition ?lbl s' ?iom = (s, ?oom)
  by destruct Ht as [_ Ht]; cbn in Ht.
Qed.

If a state is reachable, its address is the same as the address of the component.

Lemma adr_of_constrained_trace :
  forall (is s : State) (tr : list transition_item),
    finite_constrained_trace_init_to Ui is s tr ->
      adr s = i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui is s tr
  → adr s = i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui is s tr
  → adr s = i
  intros is s tr [Hfvt Hinit].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) is s tr
Hinit: initial_state_prop is
adr s = i
  transitivity (adr is).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) is s tr
Hinit: initial_state_prop is
adr s = adr is
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) is s tr
Hinit: initial_state_prop is
adr is = i
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) is s tr
Hinit: initial_state_prop is
adr s = adr is by eapply adr_of_states_within_constrained_trace.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) is s tr
Hinit: initial_state_prop is
adr is = i by destruct Hinit, is; cbn in *.
Qed.

Lemma adr_of_valid_trace :
  forall (is s : State) (tr : list transition_item),
    finite_valid_trace_init_to Ui is s tr ->
      adr s = i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_init_to Ui is s tr → adr s = i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_init_to Ui is s tr → adr s = i
  intros is s tr [Hfvt Hinit].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui is s tr
Hinit: initial_state_prop is
adr s = i
  transitivity (adr is).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui is s tr
Hinit: initial_state_prop is
adr s = adr is
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui is s tr
Hinit: initial_state_prop is
adr is = i
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui is s tr
Hinit: initial_state_prop is
adr s = adr is by eapply adr_of_states_within_valid_trace.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui is s tr
Hinit: initial_state_prop is
adr is = i by destruct Hinit, is; cbn in *.
Qed.

The address of a valid state is the same as the address of the component.

Lemma adr_of_constrained_state :
  forall s : State,
    constrained_state_prop Ui s -> adr s = i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State, constrained_state_prop Ui s → adr s = i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State, constrained_state_prop Ui s → adr s = i
  intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
adr s = i
  apply valid_state_has_trace in Hvsp as (is & tr & Hfvti).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Hfvti: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Ui) is s
  tr
adr s = i
  by eapply adr_of_constrained_trace.
Qed.

Lemma adr_of_valid_state :
  forall s : State,
    valid_state_prop Ui s -> adr s = i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State, valid_state_prop Ui s → adr s = i
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State, valid_state_prop Ui s → adr s = i
  intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
adr s = i
  apply valid_state_has_trace in Hvsp as (is & tr & Hfvti).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state Ui
tr: list transition_item
Hfvti: finite_valid_trace_init_to Ui is s tr
adr s = i
  by eapply adr_of_valid_trace.
Qed.

Valid transitions lead to bigger states.

Lemma UMO_component_valid_transition_size :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    UMO_component_valid lbl s1 iom ->
    UMO_component_transition lbl s1 iom = (s2, oom) ->
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  UMO_component_valid lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  UMO_component_valid lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → sizeState s1 < sizeState s2
  by intros [] s2 [im |] oom []; do 2 inversion_clear 1; cbn; lia.
Qed.

Lemma input_constrained_transition_size :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    input_constrained_transition Ui lbl (s1, iom) (s2, oom) ->
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_constrained_transition Ui lbl (s1, iom)
    (s2, oom) → sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_constrained_transition Ui lbl (s1, iom)
    (s2, oom) → sizeState s1 < sizeState s2
  intros s1 s2 iom oom lbl [(_ & _ & Hvalid) Ht]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
iom, oom: option Message
lbl: Label
Hvalid: UMO_component_valid lbl s1 iom
Ht: UMO_component_transition lbl s1 iom = (s2, oom)
sizeState s1 < sizeState s2
  by eapply UMO_component_valid_transition_size.
Qed.

A finite_valid_trace is either empty or its final state is bigger than its initial state.

Lemma finite_constrained_trace_from_to_size :
  forall (s1 s2 : State) (tr : list transition_item),
    finite_constrained_trace_from_to Ui s1 s2 tr ->
      s1 = s2 /\ tr = []
        \/
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
  induction 1; [by left |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: s = f ∧ tl = []
∨ sizeState s <
  sizeState f
s' = f
∧ {|
    l := l;
    input := iom;
    destination := s;
    output := oom
  |} :: tl = [] ∨ sizeState s' < sizeState f
  assert (sizeState s' < sizeState s)
      by (eapply input_constrained_transition_size; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: s = f ∧ tl = []
∨ sizeState s <
  sizeState f
H0: sizeState s' < sizeState s
s' = f
∧ {|
    l := l;
    input := iom;
    destination := s;
    output := oom
  |} :: tl = [] ∨ sizeState s' < sizeState f
  by destruct IHfinite_valid_trace_from_to; [itauto congruence | itauto lia].
Qed.

If a trace leads from a state to itself, then it is empty.

Lemma finite_constrained_trace_from_to_inv :
  forall (s : State) (tr : list transition_item),
    finite_constrained_trace_from_to Ui s s tr -> tr = [].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui s s tr → tr = []
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui s s tr → tr = []
  by intros s tr Hfvt; apply finite_constrained_trace_from_to_size in Hfvt; itauto lia.
Qed.

The same lemmas as above, but for the component Ui. They follow from the above lemmas because there is a VLSM inclusion from Ui to Ui preloaded with all messages.

Lemma input_valid_transition_size :
  forall (s1 s2 : State) (iom oom : option Message) (lbl : Label),
    input_valid_transition Ui lbl (s1, iom) (s2, oom) ->
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_valid_transition Ui lbl (s1, iom) (s2, oom)
  → sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (iom oom : option Message) (lbl : Label),
  input_valid_transition Ui lbl (s1, iom) (s2, oom)
  → sizeState s1 < sizeState s2
  intros s1 s2 iom oom lbl Hivt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
iom, oom: option Message
lbl: Label
Hivt: input_valid_transition Ui lbl (
  s1, iom) (s2, oom)
sizeState s1 < sizeState s2
  eapply input_constrained_transition_size.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
iom, oom: option Message
lbl: Label
Hivt: input_valid_transition Ui lbl (
  s1, iom) (s2, oom)
input_constrained_transition Ui ?lbl (s1, ?iom)
  (s2, ?oom)
  apply (@VLSM_incl_input_valid_transition _ Ui Ui); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
iom, oom: option Message
lbl: Label
Hivt: input_valid_transition Ui lbl (
  s1, iom) (s2, oom)
VLSM_incl_part Ui
  (preloaded_vlsm_machine Ui (λ _ : Message, True))
  by apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma finite_valid_trace_from_to_size :
  forall (s1 s2 : State) (tr : list transition_item),
    finite_valid_trace_from_to Ui s1 s2 tr ->
      s1 = s2 /\ tr = []
        \/
      sizeState s1 < sizeState s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_valid_trace_from_to Ui s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_valid_trace_from_to Ui s1 s2 tr
  → s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
  intros s1 s2 tr Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui s1 s2 tr
s1 = s2 ∧ tr = [] ∨ sizeState s1 < sizeState s2
  eapply finite_constrained_trace_from_to_size.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui s1 s2 tr
finite_constrained_trace_from_to Ui s1 s2 tr
  apply (@VLSM_incl_finite_valid_trace_from_to _ Ui Ui); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui s1 s2 tr
VLSM_incl_part Ui
  (preloaded_vlsm_machine Ui (λ _ : Message, True))
  by apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Lemma finite_valid_trace_from_to_inv :
  forall (s : State) (tr : list transition_item),
    finite_valid_trace_from_to Ui s s tr -> tr = [].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (tr : list transition_item),
  finite_valid_trace_from_to Ui s s tr → tr = []
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (tr : list transition_item),
  finite_valid_trace_from_to Ui s s tr → tr = []
  intros s tr Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui s s tr
tr = []
  eapply finite_constrained_trace_from_to_inv.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui s s tr
finite_constrained_trace_from_to Ui ?s ?s tr
  apply (@VLSM_incl_finite_valid_trace_from_to _ Ui Ui); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to Ui s s tr
VLSM_incl_part Ui
  (preloaded_vlsm_machine Ui (λ _ : Message, True))
  by apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

transitions in any VLSM are deterministic, i.e., the final state and output message are determined by the label, initial state and input message.

For UMO components, an extremely strong converse property also holds: the label, initial state, input message and output message are all determined by the final state of a valid transition. Basically, this is true because every state contains the whole trace/history.

Lemma input_constrained_transition_deterministic_conv :
  forall (s1 s2 f : State) (iom1 iom2 oom1 oom2 : option Message) (lbl1 lbl2 : Label),
    input_constrained_transition Ui lbl1 (s1, iom1) (f, oom1) ->
    input_constrained_transition Ui lbl2 (s2, iom2) (f, oom2) ->
      lbl1 = lbl2 /\ s1 = s2 /\ iom1 = iom2 /\ oom1 = oom2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_constrained_transition Ui lbl1 (s1, iom1)
    (f, oom1)
  → input_constrained_transition Ui lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_constrained_transition Ui lbl1 (s1, iom1)
    (f, oom1)
  → input_constrained_transition Ui lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  intros s1 s2 f iom1 iom2 oom1 oom2 lbl1 lbl2 Hivt1 Hivt2
  ; inversion Hivt1 as [(_ & _ & Hvalid1) Ht1]; subst
  ; inversion Hivt2 as [(_ & _ & Hvalid2) Ht2]; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2, f: State
iom1, iom2, oom1, oom2: option Message
lbl1, lbl2: Label
Hivt1: input_constrained_transition Ui lbl1
  (s1, iom1) (f, oom1)
Hivt2: input_constrained_transition Ui lbl2
  (s2, iom2) (f, oom2)
Hvalid1: valid lbl1 (s1, iom1)
Ht1: transition lbl1 (s1, iom1) = (f, oom1)
Hvalid2: valid lbl2 (s2, iom2)
Ht2: transition lbl2 (s2, iom2) = (f, oom2)
lbl1 = lbl2 ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  destruct lbl1, lbl2, iom1, iom2; cbn in *
  ; inversion Ht1; subst; clear Ht1
  ; inversion Ht2; subst; clear Ht2
  ; invert_UMO_component_valid; auto.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
m: Message
Hivt2: input_constrained_transition Ui Receive
  (s2, Some m)
  (s1 <+> MkObservation Receive m, None)
Hivt1: input_constrained_transition Ui Receive
  (s1, Some m)
  (s1 <+> MkObservation Receive m, None)
Hvalid1: UMO_component_valid Receive s1 (Some m)
Hvalid2: UMO_component_valid Receive s2 (Some m)
H1: obs s2 = obs s1
H2: adr s2 = adr s1
Receive = Receive
∧ s1 = s2 ∧ Some m = Some m ∧ None = None
  by destruct s1, s2; cbn in *; subst; itauto.
Qed.

Lemma input_valid_transition_deterministic_conv :
  forall (s1 s2 f : State) (iom1 iom2 oom1 oom2 : option Message) (lbl1 lbl2 : Label),
    input_valid_transition Ui lbl1 (s1, iom1) (f, oom1) ->
    input_valid_transition Ui lbl2 (s2, iom2) (f, oom2) ->
      lbl1 = lbl2 /\ s1 = s2 /\ iom1 = iom2 /\ oom1 = oom2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_valid_transition Ui lbl1 (s1, iom1) (f, oom1)
  → input_valid_transition Ui lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 f : State) (iom1 iom2 oom1
                     oom2 : option Message) (lbl1
                                             lbl2 : Label),
  input_valid_transition Ui lbl1 (s1, iom1) (f, oom1)
  → input_valid_transition Ui lbl2 (s2, iom2)
      (f, oom2)
    → lbl1 = lbl2
      ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  intros s1 s2 f iom1 iom2 oom1 oom2 lbl1 lbl2 Hivt1 Hivt2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2, f: State
iom1, iom2, oom1, oom2: option Message
lbl1, lbl2: Label
Hivt1: input_valid_transition Ui lbl1 (
  s1, iom1) (f, oom1)
Hivt2: input_valid_transition Ui lbl2 (
  s2, iom2) (f, oom2)
lbl1 = lbl2 ∧ s1 = s2 ∧ iom1 = iom2 ∧ oom1 = oom2
  by eapply input_constrained_transition_deterministic_conv;
    apply (@VLSM_incl_input_valid_transition _ Ui Ui); [| done | | done];
    apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Every trace segment is fully determined by its initial and final state.

Lemma finite_constrained_trace_from_to_unique :
  forall (s1 s2 : State) (l1 l2 : list transition_item),
    finite_constrained_trace_from_to Ui s1 s2 l1 ->
    finite_constrained_trace_from_to Ui s1 s2 l2 ->
      l1 = l2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (l1 l2 : list transition_item),
  finite_constrained_trace_from_to Ui s1 s2 l1
  → finite_constrained_trace_from_to Ui s1 s2 l2
    → l1 = l2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (l1 l2 : list transition_item),
  finite_constrained_trace_from_to Ui s1 s2 l1
  → finite_constrained_trace_from_to Ui s1 s2 l2
    → l1 = l2
  intros s1 s2 l1 l2 Hfvt1 Hfvt2; revert l2 Hfvt2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
l1: list transition_item
Hfvt1: finite_constrained_trace_from_to Ui s1 s2 l1
∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui s1 s2 l2
  → l1 = l2
  induction Hfvt1 using finite_valid_trace_from_to_rev_ind; intros.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
l2: list transition_item
Hfvt2: finite_constrained_trace_from_to Ui si si l2
[] = l2
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s
  tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
l2: list transition_item
Hfvt2: finite_constrained_trace_from_to Ui si sf l2
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] = l2
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
l2: list transition_item
Hfvt2: finite_constrained_trace_from_to Ui si si l2
[] = l2 by apply finite_constrained_trace_from_to_size in Hfvt2; itauto (congruence + lia).
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s
  tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
l2: list transition_item
Hfvt2: finite_constrained_trace_from_to Ui si sf l2
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] = l2 destruct Hfvt2 using finite_valid_trace_from_to_rev_ind; [| clear IHHfvt2].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (si, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = []
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
s0: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s0
  tr0
iom0, oom0: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l0
  (s0, iom0) (sf, oom0)
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}]
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (si, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = [] apply finite_constrained_trace_from_to_size in Hfvt1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: si = s ∧ tr = [] ∨ sizeState si < sizeState s
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (si, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = []
      apply input_constrained_transition_size in Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: si = s ∧ tr = [] ∨ sizeState si < sizeState s
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: sizeState s < sizeState si
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
tr ++
[{|
   l := l;
   input := iom;
   destination := si;
   output := oom
 |}] = []
      by decompose [and or] Hfvt1; subst; clear Hfvt1; lia.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
s0: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s0
  tr0
iom0, oom0: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l0
  (s0, iom0) (sf, oom0)
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}] assert (l = l0 /\ s = s0 /\ iom = iom0 /\ oom = oom0)
          by (eapply input_constrained_transition_deterministic_conv; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s
  tr
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s
    l2 → tr = l2
s0: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s0
  tr0
iom0, oom0: option Message
l0: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l0
  (s0, iom0) (sf, oom0)
H: l = l0 ∧ s = s0 ∧ iom = iom0 ∧ oom = oom0
tr ++
[{|
   l := l;
   input := iom;
   destination := sf;
   output := oom
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}]
      decompose [and] H; subst; clear H.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
tr: list transition_item
si, s0: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hfvt1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s0
  tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
l0: VLSM.label (preloaded_with_all_messages_vlsm Ui)
IHHfvt1: ∀ l2 : list transition_item,
  finite_constrained_trace_from_to Ui si s0
    l2 → tr = l2
iom0, oom0: option Message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l0
  (s0, iom0) (sf, oom0)
tr0: list transition_item
Hfvt2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s0
  tr0
Ht0: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l0
  (s0, iom0) (sf, oom0)
tr ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}] =
tr0 ++
[{|
   l := l0;
   input := iom0;
   destination := sf;
   output := oom0
 |}]
      by f_equal; apply IHHfvt1.
Qed.

Lemma finite_valid_trace_from_to_unique :
  forall (s1 s2 : State) (l1 l2 : list transition_item),
    finite_valid_trace_from_to Ui s1 s2 l1 ->
    finite_valid_trace_from_to Ui s1 s2 l2 ->
      l1 = l2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (l1 l2 : list transition_item),
  finite_valid_trace_from_to Ui s1 s2 l1
  → finite_valid_trace_from_to Ui s1 s2 l2 → l1 = l2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (l1 l2 : list transition_item),
  finite_valid_trace_from_to Ui s1 s2 l1
  → finite_valid_trace_from_to Ui s1 s2 l2 → l1 = l2
  by intros s1 s2 l1 l2 Hfvt1 Hfvt2;
    eapply finite_constrained_trace_from_to_unique;
    apply VLSM_incl_finite_valid_trace_from_to; [| done | | done];
    apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Every trace is determined by its final state.

Uniqueness

Lemma finite_constrained_trace_init_to_unique :
  forall (s f : State) (l1 l2 : list transition_item),
    finite_constrained_trace_init_to Ui s f l1 ->
    finite_constrained_trace_init_to Ui s f l2 ->
      l1 = l2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s f : State) (l1 l2 : list transition_item),
  finite_constrained_trace_init_to Ui s f l1
  → finite_constrained_trace_init_to Ui s f l2
    → l1 = l2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s f : State) (l1 l2 : list transition_item),
  finite_constrained_trace_init_to Ui s f l1
  → finite_constrained_trace_init_to Ui s f l2
    → l1 = l2
  intros s f l1 l2 [Ht1 _] [Ht2 _].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: State
l1, l2: list transition_item
Ht1: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f l1
Ht2: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f l2
l1 = l2
  by eapply finite_constrained_trace_from_to_unique.
Qed.

Lemma finite_valid_trace_init_to_unique :
  forall (s f : State) (l1 l2 : list transition_item),
    finite_valid_trace_init_to Ui s f l1 ->
    finite_valid_trace_init_to Ui s f l2 ->
      l1 = l2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s f : State) (l1 l2 : list transition_item),
  finite_valid_trace_init_to Ui s f l1
  → finite_valid_trace_init_to Ui s f l2 → l1 = l2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s f : State) (l1 l2 : list transition_item),
  finite_valid_trace_init_to Ui s f l1
  → finite_valid_trace_init_to Ui s f l2 → l1 = l2
  by intros s f l1 l2 Hfvit1 Hfvit2;
    eapply finite_constrained_trace_init_to_unique;
    apply VLSM_incl_finite_valid_trace_init_to; [| done | | done];
    apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

If a valid trace leads to state s, the trace extracted from s also leads to s.

Lemma finite_constrained_trace_init_to_state2trace :
  forall (is s : State) (tr : list transition_item),
    finite_constrained_trace_init_to Ui is s tr ->
      finite_constrained_trace_init_to Ui is s (state2trace s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui is s tr
  → finite_constrained_trace_init_to Ui is s
      (state2trace s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui is s tr
  → finite_constrained_trace_init_to Ui is s
      (state2trace s)
  intros is s tr [Hfv Hinit]; cbn in *; revert Hinit.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) is s tr
UMO_component_initial_state_prop i is
→ finite_constrained_trace_init_to Ui is s
    (state2trace s)
  induction Hfv using finite_valid_trace_from_to_rev_ind; intros.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si si
  (state2trace si)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfv: UMO_component_initial_state_prop i si
→ finite_constrained_trace_init_to Ui si s
    (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si sf
  (state2trace sf)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si si
  (state2trace si) inversion Hinit; clear Hinit.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) si
H: obs si = []
H0: adr si = i
finite_constrained_trace_init_to Ui si si
  (state2trace si)
    destruct si; cbn in *; subst; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState [] i)
finite_constrained_trace_init_to Ui (MkState [] i)
  (MkState [] i) []
    repeat constructor.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState [] i)
valid_state_prop (preloaded_with_all_messages_vlsm Ui)
  (MkState [] i) exists None.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Hsi: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState [] i)
valid_state_message_prop
  (preloaded_with_all_messages_vlsm Ui) (MkState [] i)
  None
    by repeat constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfv: UMO_component_initial_state_prop i si
→ finite_constrained_trace_init_to Ui si s
    (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si sf
  (state2trace sf) specialize (IHHfv Hinit).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom) (sf, oom)
IHHfv: finite_constrained_trace_init_to Ui si s
  (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si sf
  (state2trace sf)
    destruct Ht as [Hvalid Ht]; cbn in Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si s tr
sf: VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Hvalid: input_valid
  (preloaded_with_all_messages_vlsm Ui) l
  (s, iom)
Ht: UMO_component_transition l s iom = (sf, oom)
IHHfv: finite_constrained_trace_init_to Ui si s
  (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si sf
  (state2trace sf)
    destruct s as [obs adr], l, iom as [im |]
    ; inversion Ht; subst; clear Ht; cbn in *
    ; cycle 1; [done | done | |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr) tr
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Ui)
    None
  ∧ UMO_component_valid Send
      (MkState obs adr) None
IHHfv: finite_constrained_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}])
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Ui)
    (Some im)
  ∧ UMO_component_valid Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_constrained_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}])
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr) tr
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Ui)
    None
  ∧ UMO_component_valid Send
      (MkState obs adr) None
IHHfv: finite_constrained_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}]) constructor; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr) tr
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Ui)
    None
  ∧ UMO_component_valid Send
      (MkState obs adr) None
IHHfv: finite_constrained_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}])
      by eapply extend_right_finite_trace_from_to; [apply IHHfv |]; auto.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Ui)
    (Some im)
  ∧ UMO_component_valid Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_constrained_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_constrained_trace_init_to Ui si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}]) constructor; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui)
  (MkState obs adr)
∧ option_valid_message_prop
    (preloaded_with_all_messages_vlsm Ui)
    (Some im)
  ∧ UMO_component_valid Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_constrained_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}])
      by eapply extend_right_finite_trace_from_to; [apply IHHfv |]; auto.
Qed.

Lemma finite_valid_trace_init_to_state2trace :
  forall (is s : State) (tr : list transition_item),
    finite_valid_trace_init_to Ui is s tr ->
      finite_valid_trace_init_to Ui is s (state2trace s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_init_to Ui is s tr
  → finite_valid_trace_init_to Ui is s (state2trace s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_init_to Ui is s tr
  → finite_valid_trace_init_to Ui is s (state2trace s)
  intros is s tr [Hfv Hinit]; cbn in *; revert Hinit.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui is s tr
UMO_component_initial_state_prop i is
→ finite_valid_trace_init_to Ui is s (state2trace s)
  induction Hfv using finite_valid_trace_from_to_rev_ind; intros.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state Ui
Hsi: valid_state_prop Ui si
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si si (state2trace si)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state Ui
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si s tr
sf: VLSM.state Ui
iom, oom: option Message
l: VLSM.label Ui
Ht: input_valid_transition Ui l (s, iom) (sf, oom)
IHHfv: UMO_component_initial_state_prop i si
→ finite_valid_trace_init_to Ui si s
    (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si sf (state2trace sf)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state Ui
Hsi: valid_state_prop Ui si
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si si (state2trace si) inversion Hinit; clear Hinit.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: VLSM.state Ui
Hsi: valid_state_prop Ui si
H: obs si = []
H0: adr si = i
finite_valid_trace_init_to Ui si si (state2trace si)
    destruct si; cbn in *; subst; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Hsi: valid_state_prop Ui (MkState [] i)
finite_valid_trace_init_to Ui (MkState [] i)
  (MkState [] i) []
    repeat constructor.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Hsi: valid_state_prop Ui (MkState [] i)
valid_state_prop Ui (MkState [] i) exists None.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Hsi: valid_state_prop Ui (MkState [] i)
valid_state_message_prop Ui (MkState [] i) None
    by repeat constructor.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state Ui
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si s tr
sf: VLSM.state Ui
iom, oom: option Message
l: VLSM.label Ui
Ht: input_valid_transition Ui l (s, iom) (sf, oom)
IHHfv: UMO_component_initial_state_prop i si
→ finite_valid_trace_init_to Ui si s
    (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si sf (state2trace sf) specialize (IHHfv Hinit).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state Ui
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si s tr
sf: VLSM.state Ui
iom, oom: option Message
l: VLSM.label Ui
Ht: input_valid_transition Ui l (s, iom) (sf, oom)
IHHfv: finite_valid_trace_init_to Ui si s
  (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si sf (state2trace sf)
    destruct Ht as [Hvalid Ht]; cbn in Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si, s: VLSM.state Ui
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si s tr
sf: VLSM.state Ui
iom, oom: option Message
l: VLSM.label Ui
Hvalid: input_valid Ui l (s, iom)
Ht: UMO_component_transition l s iom = (sf, oom)
IHHfv: finite_valid_trace_init_to Ui si s
  (state2trace s)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si sf (state2trace sf)
    destruct s as [obs adr], l, iom as [im |]
    ; inversion Ht; subst; clear Ht; cbn in *
    ; cycle 1; [done | done | |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si
  (MkState obs adr) tr
Hvalid: valid_state_prop Ui (MkState obs adr)
∧ option_valid_message_prop Ui None
  ∧ UMO_component_valid Send
      (MkState obs adr) None
IHHfv: finite_valid_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}])
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop Ui (MkState obs adr)
∧ option_valid_message_prop Ui (Some im)
  ∧ UMO_component_valid Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_valid_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}])
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si
  (MkState obs adr) tr
Hvalid: valid_state_prop Ui (MkState obs adr)
∧ option_valid_message_prop Ui None
  ∧ UMO_component_valid Send
      (MkState obs adr) None
IHHfv: finite_valid_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}]) constructor; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si
  (MkState obs adr) tr
Hvalid: valid_state_prop Ui (MkState obs adr)
∧ option_valid_message_prop Ui None
  ∧ UMO_component_valid Send
      (MkState obs adr) None
IHHfv: finite_valid_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_from_to Ui si
  (MkState obs adr <+>
   MkObservation Send (MkMessage (MkState obs adr)))
  (observations2trace obs adr ++
   [{|
      l := Send;
      input := None;
      destination :=
        MkState
          (addObservation'
             (MkObservation Send
                (MkMessage (MkState obs adr))) obs)
          adr;
      output := Some (MkMessage (MkState obs adr))
    |}])
      by eapply extend_right_finite_trace_from_to; [apply IHHfv |]; auto.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop Ui (MkState obs adr)
∧ option_valid_message_prop Ui (Some im)
  ∧ UMO_component_valid Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_valid_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_init_to Ui si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}]) constructor; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
si: BaseELMO.State
obs: list BaseELMO.Observation
adr: Address
tr: list transition_item
Hfv: finite_valid_trace_from_to Ui si
  (MkState obs adr) tr
im: Message
Hvalid: valid_state_prop Ui (MkState obs adr)
∧ option_valid_message_prop Ui (Some im)
  ∧ UMO_component_valid Receive
      (MkState obs adr) 
      (Some im)
IHHfv: finite_valid_trace_init_to Ui si
  (MkState obs adr)
  (observations2trace obs adr)
Hinit: UMO_component_initial_state_prop i si
finite_valid_trace_from_to Ui si
  (MkState obs adr <+> MkObservation Receive im)
  (observations2trace obs adr ++
   [{|
      l := Receive;
      input := Some im;
      destination :=
        MkState (MkObservation Receive im :: obs) adr;
      output := None
    |}])
      by eapply extend_right_finite_trace_from_to; [apply IHHfv |]; auto.
Qed.

The trace extracted from the final state of another trace is equal to that trace.

Lemma finite_constrained_trace_init_to_state2trace_inv :
  forall (is s : State) (tr : list transition_item),
    finite_constrained_trace_init_to Ui is s tr ->
      state2trace s = tr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui is s tr
  → state2trace s = tr
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui is s tr
  → state2trace s = tr
  intros is s tr Hfvti.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvti: finite_constrained_trace_init_to Ui is s tr
state2trace s = tr
  assert (Hfvti' : finite_constrained_trace_init_to Ui is s (state2trace s))
      by (eapply finite_constrained_trace_init_to_state2trace; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
is, s: State
tr: list transition_item
Hfvti: finite_constrained_trace_init_to Ui is s tr
Hfvti': finite_constrained_trace_init_to Ui is s
  (state2trace s)
state2trace s = tr
  by eapply finite_constrained_trace_init_to_unique.
Qed.

Lemma finite_valid_trace_init_to_state2trace_inv :
  forall (is s : State) (tr : list transition_item),
    finite_valid_trace_init_to Ui is s tr ->
      state2trace s = tr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_init_to Ui is s tr
  → state2trace s = tr
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (is s : State) (tr : list transition_item),
  finite_valid_trace_init_to Ui is s tr
  → state2trace s = tr
  by intros is s tr Hfvti;
    eapply finite_constrained_trace_init_to_state2trace_inv;
    apply VLSM_incl_finite_valid_trace_init_to; [| done];
    apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

The trace extracted from a reachable state s leads to s.

Existence

Lemma finite_constrained_trace_init_to_state2trace' :
  forall (s : State),
    constrained_state_prop Ui s ->
      finite_constrained_trace_init_to Ui (``(vs0 Ui)) s (state2trace s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop Ui s
  → finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
      (state2trace s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop Ui s
  → finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
      (state2trace s)
  intros s Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hs: constrained_state_prop Ui s
finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
  apply valid_state_has_trace in Hs as (is & tr & Htr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tr: list transition_item
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Ui) is s tr
finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
  apply finite_constrained_trace_init_to_state2trace_inv in Htr as Heqtr; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Ui) is s
  (state2trace s)
finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
  replace (``(vs0 Ui)) with is; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state (preloaded_with_all_messages_vlsm Ui)
Htr: finite_valid_trace_init_to
  (preloaded_with_all_messages_vlsm Ui) is s
  (state2trace s)
is = `(vs0 Ui)
  by apply vs0_uniqueness, Htr.
Qed.

Lemma constrained_state_contains_unique_constrained_trace :
  forall s : State,
    constrained_state_prop Ui s ->
      exists tr : list transition_item,
        finite_constrained_trace_init_to Ui (``(vs0 Ui)) s tr
          /\
        forall tr' : list transition_item,
          finite_constrained_trace_init_to Ui (``(vs0 Ui)) s tr' -> tr' = tr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop Ui s
  → ∃ tr : list transition_item,
      finite_constrained_trace_init_to Ui (`(vs0 Ui))
        s tr
      ∧ (∀ tr' : list transition_item,
           finite_constrained_trace_init_to Ui
             (`(vs0 Ui)) s tr' → tr' = tr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  constrained_state_prop Ui s
  → ∃ tr : list transition_item,
      finite_constrained_trace_init_to Ui (`(vs0 Ui))
        s tr
      ∧ (∀ tr' : list transition_item,
           finite_constrained_trace_init_to Ui
             (`(vs0 Ui)) s tr' → tr' = tr)
  intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
∃ tr : list transition_item,
  finite_constrained_trace_init_to Ui (`(vs0 Ui)) s tr
  ∧ (∀ tr' : list transition_item,
       finite_constrained_trace_init_to Ui (`(vs0 Ui))
         s tr' → tr' = tr)
  exists (state2trace s); split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
∀ tr' : list transition_item,
  finite_constrained_trace_init_to Ui 
    (`(vs0 Ui)) s tr' → 
  tr' = state2trace s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s) by eapply finite_constrained_trace_init_to_state2trace'.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
∀ tr' : list transition_item,
  finite_constrained_trace_init_to Ui (`(vs0 Ui)) s
    tr' → tr' = state2trace s intros tr' Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
tr': list transition_item
Hfvt: finite_constrained_trace_init_to Ui 
  (`(vs0 Ui)) s tr'
tr' = state2trace s symmetry.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: constrained_state_prop Ui s
tr': list transition_item
Hfvt: finite_constrained_trace_init_to Ui 
  (`(vs0 Ui)) s tr'
state2trace s = tr'
    by eapply finite_constrained_trace_init_to_state2trace_inv.
Qed.

Existence

Lemma finite_valid_trace_init_to_state2trace' :
  forall (s : State),
    valid_state_prop Ui s ->
      finite_valid_trace_init_to Ui (``(vs0 Ui)) s (state2trace s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  valid_state_prop Ui s
  → finite_valid_trace_init_to Ui (`(vs0 Ui)) s
      (state2trace s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  valid_state_prop Ui s
  → finite_valid_trace_init_to Ui (`(vs0 Ui)) s
      (state2trace s)
  intros s Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hs: valid_state_prop Ui s
finite_valid_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
  apply valid_state_has_trace in Hs as (is & tr & Htr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state Ui
tr: list transition_item
Htr: finite_valid_trace_init_to Ui is s tr
finite_valid_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
  apply finite_valid_trace_init_to_state2trace_inv in Htr as Heqtr; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state Ui
Htr: finite_valid_trace_init_to Ui is s
  (state2trace s)
finite_valid_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
  replace (``(vs0 Ui)) with is; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
is: VLSM.state Ui
Htr: finite_valid_trace_init_to Ui is s
  (state2trace s)
is = `(vs0 Ui)
  by apply vs0_uniqueness, Htr.
Qed.

Lemma valid_state_contains_unique_valid_trace :
  forall s : State,
    valid_state_prop Ui s ->
      exists tr : list transition_item,
        finite_valid_trace_init_to Ui (``(vs0 Ui)) s tr
          /\
        forall tr' : list transition_item,
          finite_valid_trace_init_to Ui (``(vs0 Ui)) s tr' -> tr' = tr.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  valid_state_prop Ui s
  → ∃ tr : list transition_item,
      finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr
      ∧ (∀ tr' : list transition_item,
           finite_valid_trace_init_to Ui (`(vs0 Ui)) s
             tr' → tr' = tr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  valid_state_prop Ui s
  → ∃ tr : list transition_item,
      finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr
      ∧ (∀ tr' : list transition_item,
           finite_valid_trace_init_to Ui (`(vs0 Ui)) s
             tr' → tr' = tr)
  intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
∃ tr : list transition_item,
  finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr
  ∧ (∀ tr' : list transition_item,
       finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr'
       → tr' = tr)
  exists (state2trace s); split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
finite_valid_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
∀ tr' : list transition_item,
  finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr'
  → tr' = state2trace s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
finite_valid_trace_init_to Ui (`(vs0 Ui)) s
  (state2trace s) by eapply finite_valid_trace_init_to_state2trace'.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
∀ tr' : list transition_item,
  finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr'
  → tr' = state2trace s intros tr' Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
tr': list transition_item
Hfvt: finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr'
tr' = state2trace s symmetry.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
Hvsp: valid_state_prop Ui s
tr': list transition_item
Hfvt: finite_valid_trace_init_to Ui (`(vs0 Ui)) s tr'
state2trace s = tr'
    by eapply finite_valid_trace_init_to_state2trace_inv.
Qed.

The suffix ordering on states is a strict total order

s1 is a state-suffix of s2 if they have the same address and s1's observations are a strict suffix of s2's observations.

Record state_suffix (s1 s2 : State) : Prop :=
{
  adrs_eq    : adr s1 = adr s2;
  obs_prefix : strict suffix (obs s1) (obs s2);
}.

#[export] Instance state_suffix_dec : RelDecision state_suffix :=
  fun s1 s2 =>
    match decide (adr s1 = adr s2) with
    | left addr_eq =>
        match decide (strict suffix (obs s1) (obs s2)) with
        | left is_suffix => left (Build_state_suffix _ _ addr_eq is_suffix)
        | right Hnot_suffix => right (fun H => Hnot_suffix (obs_prefix _ _ H))
        end
    | right Hnot_addr => right (fun H => Hnot_addr (adrs_eq _ _ H))
    end.

We also define a variant of the suffix relation for messages.

Definition message_suffix (m1 m2 : Message) : Prop :=
  state_suffix (state m1) (state m2).

The state-prefix relation is a strict partial order.

#[export] Instance Irreflexive_state_suffix :
  Irreflexive state_suffix.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Irreflexive state_suffix
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Irreflexive state_suffix
  by intros s (Hadr & Hobs1 & Hobs2).
Qed.

#[export] Instance Transitive_state_suffix :
  Transitive state_suffix.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Transitive state_suffix
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
Transitive state_suffix
  intros s1 s2 s3 (Hadr12 & Hobs12 & Hobs12') (Hadr23 & Hobs23 & Hobs23').Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2, s3: State
Hadr12: adr s1 = adr s2
Hobs12: obs s1 `suffix_of` obs s2
Hobs12': ¬ obs s2 `suffix_of` obs s1
Hadr23: adr s2 = adr s3
Hobs23: obs s2 `suffix_of` obs s3
Hobs23': ¬ obs s3 `suffix_of` obs s2
state_suffix s1 s3
  split; [by congruence |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2, s3: State
Hadr12: adr s1 = adr s2
Hobs12: obs s1 `suffix_of` obs s2
Hobs12': ¬ obs s2 `suffix_of` obs s1
Hadr23: adr s2 = adr s3
Hobs23: obs s2 `suffix_of` obs s3
Hobs23': ¬ obs s3 `suffix_of` obs s2
strict suffix (obs s1) (obs s3)
  by transitivity (obs s2).
Qed.

#[export] Instance StrictOrder_state_suffix :
  StrictOrder state_suffix.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
StrictOrder state_suffix
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
StrictOrder state_suffix
  by split; typeclasses eauto.
Qed.

Lemma state_suffix_empty_minimal :
  forall (s : State) (a : Address), ~ state_suffix s (MkState [] a).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (a : Address),
  ¬ state_suffix s (MkState [] a)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (a : Address),
  ¬ state_suffix s (MkState [] a)
  intros s a [_ [[os Hsuf] Hstrict]]; contradict Hstrict.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
a: Address
os: list BaseELMO.Observation
Hsuf: obs (MkState [] a) = os ++ obs s
obs (MkState [] a) `suffix_of` obs s
  by symmetry in Hsuf; apply app_nil in Hsuf as [-> ->]; exists [].
Qed.

Lemma state_suffix_empty_minimum :
  forall (s : State), s = MkState [] (adr s) \/ state_suffix (MkState [] (adr s)) s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  s = MkState [] (adr s)
  ∨ state_suffix (MkState [] (adr s)) s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ s : State,
  s = MkState [] (adr s)
  ∨ state_suffix (MkState [] (adr s)) s
  intros [[| ob obs] a]; cbn; [by left | right].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
ob: BaseELMO.Observation
obs: list BaseELMO.Observation
a: Address
state_suffix (MkState [] a) (MkState (ob :: obs) a)
  split; cbn; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
ob: BaseELMO.Observation
obs: list BaseELMO.Observation
a: Address
strict suffix [] (ob :: obs)
  split; cbn; [by apply suffix_nil |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
ob: BaseELMO.Observation
obs: list BaseELMO.Observation
a: Address
¬ ob :: obs `suffix_of` []
  by intros H; apply suffix_nil_inv in H; subst.
Qed.

If we add an observation to a state s, s is a suffix of the resulting state.

Lemma state_suffix_addObservation :
  forall (s : State) (ob : Observation),
    state_suffix s (s <+> ob).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob : Observation),
  state_suffix s (s <+> ob)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob : Observation),
  state_suffix s (s <+> ob)
  intros s ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: Observation
state_suffix s (s <+> ob)
  constructor; cbn; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: Observation
strict suffix (obs s) (addObservation' ob (obs s))
  unfold addObservation; split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: Observation
obs s `suffix_of` addObservation' ob (obs s)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: Observation
¬ addObservation' ob (obs s) `suffix_of` obs s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: Observation
obs s `suffix_of` addObservation' ob (obs s) by apply suffix_cons_r.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: Observation
¬ addObservation' ob (obs s) `suffix_of` obs s by apply suffix_cons_not.
Qed.

Lemma state_suffix_addObservations :
  forall (s : State) (obs' : list Observation),
    obs' <> [] -> state_suffix s (s <++> obs').Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (obs' : list Observation),
  obs' ≠ [] → state_suffix s (s <++> obs')
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (obs' : list Observation),
  obs' ≠ [] → state_suffix s (s <++> obs')
  intros s obs'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
obs': list Observation
obs' ≠ [] → state_suffix s (s <++> obs')
  constructor; cbn; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
obs': list Observation
H: obs' ≠ []
strict suffix (obs s) (obs' ++ obs s)
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
obs': list Observation
H: obs' ≠ []
obs s `suffix_of` obs' ++ obs s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
obs': list Observation
H: obs' ≠ []
¬ obs' ++ obs s `suffix_of` obs s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
obs': list Observation
H: obs' ≠ []
obs s `suffix_of` obs' ++ obs s by apply suffix_app_r.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
obs': list Observation
H: obs' ≠ []
¬ obs' ++ obs s `suffix_of` obs s by intros Hsuf; apply (suffix_app_inv obs' []), suffix_nil_inv in Hsuf.
Qed.

The initial state of a valid transition is a state_suffix of the final state.

Lemma state_suffix_of_UMO_component_valid_transition :
  forall (lbl : Label) (s1 s2 : State) (iom oom : option Message),
    UMO_component_valid lbl s1 iom ->
    UMO_component_transition lbl s1 iom = (s2, oom) ->
      state_suffix s1 s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (lbl : Label) (s1 s2 : State) (iom
                                 oom : option Message),
  UMO_component_valid lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → state_suffix s1 s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (lbl : Label) (s1 s2 : State) (iom
                                 oom : option Message),
  UMO_component_valid lbl s1 iom
  → UMO_component_transition lbl s1 iom = (s2, oom)
    → state_suffix s1 s2
  intros [] s1 s2 [im |] oom HValid; cbn
  ; intros H; inversion H; subst; clear H.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1: State
im: Message
HValid: UMO_component_valid Receive s1 (Some im)
state_suffix s1 (s1 <+> MkObservation Receive im)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s2: State
HValid: UMO_component_valid Receive s2 None
state_suffix s2 s2
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s2: State
im: Message
HValid: UMO_component_valid Send s2 (Some im)
state_suffix s2 s2
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1: State
HValid: UMO_component_valid Send s1 None
state_suffix s1
  (s1 <+> MkObservation Send (MkMessage s1))
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1: State
im: Message
HValid: UMO_component_valid Receive s1 (Some im)
state_suffix s1 (s1 <+> MkObservation Receive im) by apply state_suffix_addObservation.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s2: State
HValid: UMO_component_valid Receive s2 None
state_suffix s2 s2 by invert_UMO_component_valid.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s2: State
im: Message
HValid: UMO_component_valid Send s2 (Some im)
state_suffix s2 s2 by invert_UMO_component_valid.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1: State
HValid: UMO_component_valid Send s1 None
state_suffix s1
  (s1 <+> MkObservation Send (MkMessage s1)) by apply state_suffix_addObservation.
Qed.

The previous property carries over from transitions to valid transitions.

Lemma state_suffix_of_input_constrained_transition :
  forall (lbl : Label) (s1 s2 : State) (iom oom : option Message),
    input_constrained_transition Ui lbl (s1, iom) (s2, oom) ->
      state_suffix s1 s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (lbl : Label) (s1 s2 : State) (iom
                                 oom : option Message),
  input_constrained_transition Ui lbl (s1, iom)
    (s2, oom) → state_suffix s1 s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (lbl : Label) (s1 s2 : State) (iom
                                 oom : option Message),
  input_constrained_transition Ui lbl (s1, iom)
    (s2, oom) → state_suffix s1 s2
  intros lbl s1 s2 iom oom [(Hvsp & Hovmp & Hvalid) Ht]; cbn in Ht.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
lbl: Label
s1, s2: State
iom, oom: option Message
Hvsp: valid_state_prop
  (preloaded_with_all_messages_vlsm Ui) s1
Hovmp: option_valid_message_prop
  (preloaded_with_all_messages_vlsm Ui) iom
Hvalid: valid lbl (s1, iom)
Ht: UMO_component_transition lbl s1 iom = (s2, oom)
state_suffix s1 s2
  by eapply state_suffix_of_UMO_component_valid_transition; cycle 1.
Qed.

If there is a trace segment from s1 to s2, then either the states are equal (because the trace is empty), or s1 is a state-suffix of s2.

Lemma state_suffix_of_finite_constrained_trace_from_to :
  forall (s1 s2 : State) (tr : list transition_item),
    finite_constrained_trace_from_to Ui s1 s2 tr ->
      s1 = s2 \/ state_suffix s1 s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui s1 s2 tr
  → s1 = s2 ∨ state_suffix s1 s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_from_to Ui s1 s2 tr
  → s1 = s2 ∨ state_suffix s1 s2
  induction 1; [by left |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IHfinite_valid_trace_from_to: s = f
∨ state_suffix s f
s' = f ∨ state_suffix s' f
  destruct IHfinite_valid_trace_from_to as [-> | IH]; right.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) f f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (f, oom)
state_suffix s' f
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IH: state_suffix s f
state_suffix s' f
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) f f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (f, oom)
state_suffix s' f by eapply state_suffix_of_input_constrained_transition; eauto.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IH: state_suffix s f
state_suffix s' f transitivity s; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s, f: VLSM.state (preloaded_with_all_messages_vlsm Ui)
tl: list transition_item
H: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s f tl
s': VLSM.state (preloaded_with_all_messages_vlsm Ui)
iom, oom: option Message
l: VLSM.label (preloaded_with_all_messages_vlsm Ui)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm Ui) l
  (s', iom) (s, oom)
IH: state_suffix s f
state_suffix s' s
    by eapply state_suffix_of_input_constrained_transition; eauto.
Qed.

state_suffix_of_finite_constrained_trace_from_to carries over from trace segments to traces.

Lemma state_suffix_of_finite_constrained_trace_init_to :
  forall (s1 s2 : State) (tr : list transition_item),
    finite_constrained_trace_init_to Ui s1 s2 tr ->
      s1 = s2 \/ state_suffix s1 s2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui s1 s2 tr
  → s1 = s2 ∨ state_suffix s1 s2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s1 s2 : State) (tr : list transition_item),
  finite_constrained_trace_init_to Ui s1 s2 tr
  → s1 = s2 ∨ state_suffix s1 s2
  intros s1 s2 tr [Hfvt Hinit].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2: State
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm Ui) s1 s2
  tr
Hinit: initial_state_prop s1
s1 = s2 ∨ state_suffix s1 s2
  by eapply state_suffix_of_finite_constrained_trace_from_to.
Qed.

Every reachable state is either initial or the target of some transition. This transition comes from a source state which is also reachable. Additionally, if the label of the transition is Send, we know that the observation contains the source state.

Lemma UMO_reachable_inv P :
  forall s : State,
    UMO_reachable P s ->
      obs s = [] \/
      exists (lbl : Label) (iom oom : option Message) (s' : State) (ob : Observation),
        UMO_component_transition lbl s' iom = (s, oom) /\
        s = s' <+> ob /\
        UMO_reachable P s' /\
        (lbl = Send -> message ob = MkMessage s').Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ s : State,
  UMO_reachable P s
  → obs s = []
    ∨ (∃ (lbl : Label) (iom oom : option Message) 
         (s' : State) (ob : Observation),
         UMO_component_transition lbl s' iom =
         (s, oom)
         ∧ s = s' <+> ob
           ∧ UMO_reachable P s'
             ∧ (lbl = Send → message ob = MkMessage s'))
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ s : State,
  UMO_reachable P s
  → obs s = []
    ∨ (∃ (lbl : Label) (iom oom : option Message) 
         (s' : State) (ob : Observation),
         UMO_component_transition lbl s' iom =
         (s, oom)
         ∧ s = s' <+> ob
           ∧ UMO_reachable P s'
             ∧ (lbl = Send → message ob = MkMessage s'))
  intros s Hs.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
Hs: UMO_reachable P s
obs s = []
∨ (∃ (lbl : Label) (iom oom : option Message) (s' : State) 
     (ob : Observation),
     UMO_component_transition lbl s' iom = (s, oom)
     ∧ s = s' <+> ob
       ∧ UMO_reachable P s'
         ∧ (lbl = Send → message ob = MkMessage s'))
  inversion Hs; [by left | right..].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
Hs: UMO_reachable P s
s0: State
H: UMO_reachable P s0
H0: s0 <+> MkObservation Send (MkMessage s0) = s
∃ (lbl : Label) (iom oom : option Message) (s' : State) 
  (ob : Observation),
  UMO_component_transition lbl s' iom =
  (s0 <+> MkObservation Send (MkMessage s0), oom)
  ∧ s0 <+> MkObservation Send (MkMessage s0) =
    s' <+> ob
    ∧ UMO_reachable P s'
      ∧ (lbl = Send → message ob = MkMessage s')
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
Hs: UMO_reachable P s
s0: State
msg: Message
H: P s0 msg
H0: UMO_reachable P s0
H1: s0 <+> MkObservation Receive msg = s
∃ (lbl : Label) (iom oom : option Message) 
  (s' : State) (ob : Observation),
  UMO_component_transition lbl s' iom =
  (s0 <+> MkObservation Receive msg, oom)
  ∧ s0 <+> MkObservation Receive msg = s' <+> ob
    ∧ UMO_reachable P s'
      ∧ (lbl = Send → message ob = MkMessage s')
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
Hs: UMO_reachable P s
s0: State
H: UMO_reachable P s0
H0: s0 <+> MkObservation Send (MkMessage s0) = s
∃ (lbl : Label) (iom oom : option Message) (s' : State) 
  (ob : Observation),
  UMO_component_transition lbl s' iom =
  (s0 <+> MkObservation Send (MkMessage s0), oom)
  ∧ s0 <+> MkObservation Send (MkMessage s0) =
    s' <+> ob
    ∧ UMO_reachable P s'
      ∧ (lbl = Send → message ob = MkMessage s') by eexists Send, None, (Some (MkMessage s0)), s0, _.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
Hs: UMO_reachable P s
s0: State
msg: Message
H: P s0 msg
H0: UMO_reachable P s0
H1: s0 <+> MkObservation Receive msg = s
∃ (lbl : Label) (iom oom : option Message) (s' : State) 
  (ob : Observation),
  UMO_component_transition lbl s' iom =
  (s0 <+> MkObservation Receive msg, oom)
  ∧ s0 <+> MkObservation Receive msg = s' <+> ob
    ∧ UMO_reachable P s'
      ∧ (lbl = Send → message ob = MkMessage s') by eexists Receive, (Some msg), None, s0, _.
Qed.

If a reachable state s2 is a result of adding an observation to a state s1, then s1 is also reachable. Additionally, if the observation's label is Send, then we can characterize the state s1.

Lemma UMO_reachable_addObservation_inv P :
  forall (s : State) (ob : Observation),
    UMO_reachable P (s <+> ob) -> UMO_reachable P s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (ob : Observation),
  UMO_reachable P (s <+> ob) → UMO_reachable P s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (ob : Observation),
  UMO_reachable P (s <+> ob) → UMO_reachable P s
  intros s ob Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
ob: Observation
Hvsp: UMO_reachable P (s <+> ob)
UMO_reachable P s
  apply UMO_reachable_inv in Hvsp
     as [[=] | (lbl & iom & oom & s' & ob' & Ht & Hadd & Hvsp & Hss')]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
ob: Observation
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s <+> ob, oom)
Hadd: s <+> ob = s' <+> ob'
Hvsp: UMO_reachable P s'
Hss': lbl = Send → message ob' = MkMessage s'
UMO_reachable P s
  by apply addObservation_inj in Hadd as [_ ->].
Qed.

Lemma UMO_reachable_addObservation_inv_Send_state P :
  forall (s : State) (m : Message),
    UMO_reachable P (s <+> MkObservation Send m) ->
      s = state m.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P (s <+> MkObservation Send m)
  → s = state m
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P (s <+> MkObservation Send m)
  → s = state m
  intros s m Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P (s <+> MkObservation Send m)
s = state m
  apply UMO_reachable_inv in Hvsp
     as [[=] | (lbl & iom & oom & s' & ob' & Ht & Hadd & Hvsp & Hlbl)]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s <+> MkObservation Send m, oom)
Hadd: s <+> MkObservation Send m = s' <+> ob'
Hvsp: UMO_reachable P s'
Hlbl: lbl = Send → message ob' = MkMessage s'
s = state m
  inversion Hadd.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s <+> MkObservation Send m, oom)
Hadd: s <+> MkObservation Send m = s' <+> ob'
Hvsp: UMO_reachable P s'
Hlbl: lbl = Send → message ob' = MkMessage s'
H0: MkObservation Send m = ob'
H1: obs s = obs s'
H2: adr s = adr s'
s = state m
  replace (state m) with (state (message ob')) by (rewrite <- H0; cbn; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s <+> MkObservation Send m, oom)
Hadd: s <+> MkObservation Send m = s' <+> ob'
Hvsp: UMO_reachable P s'
Hlbl: lbl = Send → message ob' = MkMessage s'
H0: MkObservation Send m = ob'
H1: obs s = obs s'
H2: adr s = adr s'
s = state (message ob')
  rewrite Hlbl; [by apply eq_State |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s <+> MkObservation Send m, oom)
Hadd: s <+> MkObservation Send m = s' <+> ob'
Hvsp: UMO_reachable P s'
Hlbl: lbl = Send → message ob' = MkMessage s'
H0: MkObservation Send m = ob'
H1: obs s = obs s'
H2: adr s = adr s'
lbl = Send
  by destruct lbl, iom; cbn in *; inversion Ht; subst; [| | done]
  ; apply (f_equal (fun x => length (obs x))) in Hadd; cbn in Hadd; lia.
Qed.

Lemma UMO_reachable_addObservation_inv_Send P :
  forall (s : State) (m : Message),
    UMO_reachable P (s <+> MkObservation Send m) ->
      UMO_reachable P (state m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P (s <+> MkObservation Send m)
  → UMO_reachable P (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P (s <+> MkObservation Send m)
  → UMO_reachable P (state m)
  intros s m Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P (s <+> MkObservation Send m)
UMO_reachable P (state m)
  erewrite <- UMO_reachable_addObservation_inv_Send_state; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P (s <+> MkObservation Send m)
UMO_reachable P s
  by eapply UMO_reachable_addObservation_inv.
Qed.

Lemma UMO_reachable_addObservation_inv_message P :
  forall (s : State) (ob : Observation),
    UMO_reachable P (s <+> ob) -> label ob = Send ->
      message ob = MkMessage s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (ob : Observation),
  UMO_reachable P (s <+> ob)
  → label ob = Send → message ob = MkMessage s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (ob : Observation),
  UMO_reachable P (s <+> ob)
  → label ob = Send → message ob = MkMessage s
  intros s ob Hvsp Heq.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
ob: Observation
Hvsp: UMO_reachable P (s <+> ob)
Heq: label ob = Send
message ob = MkMessage s
  apply UMO_reachable_inv in Hvsp
     as [[=] | (lbl & iom & oom & s' & ob' & Ht & Hadd & Hvsp & Hss')]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
ob: Observation
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s <+> ob, oom)
Hadd: s <+> ob = s' <+> ob'
Hvsp: UMO_reachable P s'
Hss': lbl = Send → message ob' = MkMessage s'
Heq: label ob = Send
message ob = MkMessage s
  apply addObservation_inj in Hadd as [-> ->].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s' <+> ob', oom)
Hvsp: UMO_reachable P s'
Hss': lbl = Send → message ob' = MkMessage s'
Heq: label ob' = Send
message ob' = MkMessage s'
  apply Hss'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
lbl: Label
iom, oom: option Message
s': State
ob': Observation
Ht: UMO_component_transition lbl s' iom =
(s' <+> ob', oom)
Hvsp: UMO_reachable P s'
Hss': lbl = Send → message ob' = MkMessage s'
Heq: label ob' = Send
lbl = Send destruct lbl, iom; inversion Ht; subst; clear Ht; cbn in *; [done | | done | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s': State
ob': Observation
Hvsp: UMO_reachable P s'
Hss': Receive = Send → message ob' = MkMessage s'
Heq: label ob' = Send
H0: s' = s' <+> ob'
Receive = Send
  by symmetry in H0; apply addObservation_acyclic in H0.
Qed.

If a reachable state s2 results from adding observations to a state s1, then s1 is also reachable.

Lemma UMO_reachable_addObservations_inv P :
  forall (s : State) (obs' : list Observation),
    UMO_reachable P (s <++> obs') -> UMO_reachable P s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (obs' : list Observation),
  UMO_reachable P (s <++> obs') → UMO_reachable P s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (obs' : list Observation),
  UMO_reachable P (s <++> obs') → UMO_reachable P s
  intros s obs'; revert s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
obs': list Observation
∀ s : State,
  UMO_reachable P (s <++> obs') → UMO_reachable P s
  induction obs' as [| ob' obs']; cbn; intros s Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
Hvsp: UMO_reachable P (s <++> [])
UMO_reachable P s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
ob': Observation
obs': list Observation
IHobs': ∀ s : State,
  UMO_reachable P (s <++> obs')
  → UMO_reachable P s
s: State
Hvsp: UMO_reachable P (s <++> (ob' :: obs'))
UMO_reachable P s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
Hvsp: UMO_reachable P (s <++> [])
UMO_reachable P s by rewrite <- addObservations_nil.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
ob': Observation
obs': list Observation
IHobs': ∀ s : State,
  UMO_reachable P (s <++> obs')
  → UMO_reachable P s
s: State
Hvsp: UMO_reachable P (s <++> (ob' :: obs'))
UMO_reachable P s by apply IHobs', UMO_reachable_addObservation_inv with ob'.
Qed.

If a state is constrained, after sending a message it's still constrained.

Lemma constrained_state_prop_Send :
  forall (m : Message),
    constrained_state_prop (UMO_component i) (state m) ->
    constrained_state_prop (UMO_component i) (state m <+> MkObservation Send m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m : Message,
  constrained_state_prop (UMO_component i) (state m)
  → constrained_state_prop (UMO_component i)
      (state m <+> MkObservation Send m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m : Message,
  constrained_state_prop (UMO_component i) (state m)
  → constrained_state_prop (UMO_component i)
      (state m <+> MkObservation Send m)
  setoid_rewrite UMO_reachable_constrained_state_prop; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m : Message,
  UMO_reachable (λ (_ : State) (_ : Message), True)
    (state m) ∧ adr (state m) = i
  → UMO_reachable (λ (_ : State) (_ : Message), True)
      (state m <+> MkObservation Send m)
    ∧ adr (state m) = i
  intros m [Hur Hadr]; split; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m: Message
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) 
  (state m)
Hadr: adr (state m) = i
UMO_reachable (λ (_ : State) (_ : Message), True)
  (state m <+> MkObservation Send m)
  by destruct m; constructor.
Qed.

If a state is constrained, after receiving a message it's still constrained.

Lemma constrained_state_prop_Receive :
  forall (s : State) (m : Message),
    constrained_state_prop (UMO_component i) s ->
    constrained_state_prop (UMO_component i) (s <+> MkObservation Receive m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m : Message),
  constrained_state_prop (UMO_component i) s
  → constrained_state_prop (UMO_component i)
      (s <+> MkObservation Receive m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m : Message),
  constrained_state_prop (UMO_component i) s
  → constrained_state_prop (UMO_component i)
      (s <+> MkObservation Receive m)
  setoid_rewrite UMO_reachable_constrained_state_prop; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m : Message),
  UMO_reachable (λ (_ : State) (_ : Message), True) s
  ∧ adr s = i
  → UMO_reachable (λ (_ : State) (_ : Message), True)
      (s <+> MkObservation Receive m) ∧ adr s = i
  intros s m [Hur Hadr]; split; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m: Message
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) s
Hadr: adr s = i
UMO_reachable (λ (_ : State) (_ : Message), True)
  (s <+> MkObservation Receive m)
  by destruct m; constructor.
Qed.

If a state is constrained after adding an observation, it must have been constrained before adding it.

Lemma constrained_state_prop_addObservation_inv :
  forall (s : State) (ob : Observation),
    constrained_state_prop (UMO_component i) (s <+> ob) ->
    constrained_state_prop (UMO_component i) s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob : Observation),
  constrained_state_prop (UMO_component i) (s <+> ob)
  → constrained_state_prop (UMO_component i) s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob : Observation),
  constrained_state_prop (UMO_component i) (s <+> ob)
  → constrained_state_prop (UMO_component i) s
  setoid_rewrite UMO_reachable_constrained_state_prop; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob : Observation),
  UMO_reachable (λ (_ : State) (_ : Message), True)
    (s <+> ob) ∧ adr s = i
  → UMO_reachable (λ (_ : State) (_ : Message), True)
      s ∧ adr s = i
  intros s ob [Hur Hadr]; split; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: Observation
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True) 
  (s <+> ob)
Hadr: adr s = i
UMO_reachable (λ (_ : State) (_ : Message), True) s
  by eapply UMO_reachable_addObservation_inv.
Qed.

If a state is constrained after adding some observations, it must have been constrained before adding them.

Lemma constrained_state_prop_addObservations_inv :
  forall (s : State) (obs : list Observation),
    constrained_state_prop (UMO_component i) (s <++> obs) ->
    constrained_state_prop (UMO_component i) s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (obs : list Observation),
  constrained_state_prop (UMO_component i)
    (s <++> obs)
  → constrained_state_prop (UMO_component i) s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (obs : list Observation),
  constrained_state_prop (UMO_component i)
    (s <++> obs)
  → constrained_state_prop (UMO_component i) s
  setoid_rewrite UMO_reachable_constrained_state_prop; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (obs : list Observation),
  UMO_reachable (λ (_ : State) (_ : Message), True)
    (s <++> obs) ∧ adr s = i
  → UMO_reachable (λ (_ : State) (_ : Message), True)
      s ∧ adr s = i
  intros s ob [Hur Hadr]; split; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob: list Observation
Hur: UMO_reachable
  (λ (_ : State) (_ : Message), True)
  (s <++> ob)
Hadr: adr s = i
UMO_reachable (λ (_ : State) (_ : Message), True) s
  by eapply UMO_reachable_addObservations_inv.
Qed.

The lemma just below essentially states that for every reachable state s, messages sent earlier are suffixes of messages sent later and that the messages are suffixes of the state s.

More technically: if the observations of a reachable state s contain two sent messages m1 and m2 (with potentially some more observations in-between), then the state of m1 is a state-suffix of the state of m2 and also the state of m2 is a state-suffix of s.

Lemma state_suffix_totally_orders_sent_messages_UMO_reachable_aux P :
  forall (s : State) (m1 m2 : Message) (obs1 obs2 obs3 : list Observation),
    s = MkState [] (adr s) <++>
      obs1 <+> MkObservation Send m1 <++> obs2 <+> MkObservation Send m2 <++> obs3 ->
    UMO_reachable P s ->
      state_suffix (state m1) (state m2) /\ state_suffix (state m2) s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → UMO_reachable P s
    → state_suffix (state m1) (state m2)
      ∧ state_suffix (state m2) s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → UMO_reachable P s
    → state_suffix (state m1) (state m2)
      ∧ state_suffix (state m2) s
  intros s m1 m2 obs1 obs2 obs3 -> Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2 <++> obs3)
state_suffix (state m1) (state m2)
∧ state_suffix (state m2)
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2 <+>
     MkObservation Send m2 <++> obs3)
  apply UMO_reachable_addObservations_inv in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2)
state_suffix (state m1) (state m2)
∧ state_suffix (state m2)
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2 <+>
     MkObservation Send m2 <++> obs3)
  assert (Hm2 := UMO_reachable_addObservation_inv_message _ _ _ Hvsp).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2)
Hm2: label (MkObservation Send m2) = Send
→ message (MkObservation Send m2) =
  MkMessage
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
state_suffix (state m1) (state m2)
∧ state_suffix (state m2)
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2 <+>
     MkObservation Send m2 <++> obs3)
  apply UMO_reachable_addObservation_inv in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Hm2: label (MkObservation Send m2) = Send
→ message (MkObservation Send m2) =
  MkMessage
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
state_suffix (state m1) (state m2)
∧ state_suffix (state m2)
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2 <+>
     MkObservation Send m2 <++> obs3)
  apply UMO_reachable_addObservations_inv in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1)
Hm2: label (MkObservation Send m2) = Send
→ message (MkObservation Send m2) =
  MkMessage
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
state_suffix (state m1) (state m2)
∧ state_suffix (state m2)
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2 <+>
     MkObservation Send m2 <++> obs3)
  assert (Hm1 := UMO_reachable_addObservation_inv_message _ _ _ Hvsp).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1)
Hm2: label (MkObservation Send m2) = Send
→ message (MkObservation Send m2) =
  MkMessage
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
Hm1: label (MkObservation Send m1) = Send
→ message (MkObservation Send m1) =
  MkMessage (MkState [] (adr s) <++> obs1)
state_suffix (state m1) (state m2)
∧ state_suffix (state m2)
    (MkState [] (adr s) <++> obs1 <+>
     MkObservation Send m1 <++> obs2 <+>
     MkObservation Send m2 <++> obs3)
  cbn in *; rewrite Hm1, Hm2 by done;
  cbn in *; rewrite <- Hm1, <- Hm2 by done
  ; clear Hvsp Hm1 Hm2; split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
state_suffix (MkState [] (adr s) <++> obs1)
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
state_suffix
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2 <++> obs3)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
state_suffix (MkState [] (adr s) <++> obs1)
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2) rewrite addObservations_app.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
state_suffix (MkState [] (adr s) <++> obs1)
  (MkState [] (adr s) <++> obs1 <++>
   (obs2 ++ [MkObservation Send m1]))
    by apply state_suffix_addObservations, ListExtras.last_not_null.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
state_suffix
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2 <++> obs3) rewrite (addObservations_app _ _ obs3).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
state_suffix
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <++>
   (obs3 ++ [MkObservation Send m2]))
    by apply state_suffix_addObservations, ListExtras.last_not_null.
Qed.

state_suffix_totally_orders_sent_messages_UMO_reachable_aux easily carries over to valid states.

Lemma state_suffix_totally_orders_sent_messages_valid_state_prop_aux :
  forall (s : State) (m1 m2 : Message) (obs1 obs2 obs3 : list Observation),
    s = MkState [] (adr s) <++>
      obs1 <+> MkObservation Send m1 <++> obs2 <+> MkObservation Send m2 <++> obs3 ->
    valid_state_prop Ui s ->
      state_suffix (state m1) (state m2) /\ state_suffix (state m2) s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → valid_state_prop Ui s
    → state_suffix (state m1) (state m2)
      ∧ state_suffix (state m2) s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → valid_state_prop Ui s
    → state_suffix (state m1) (state m2)
      ∧ state_suffix (state m2) s
  intros s m1 m2 obs1 obs2 obs3 Heq Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: s =
MkState [] (adr s) <++> obs1 <+>
MkObservation Send m1 <++> obs2 <+>
MkObservation Send m2 <++> obs3
Hvsp: valid_state_prop Ui s
state_suffix (state m1) (state m2)
∧ state_suffix (state m2) s
  eapply state_suffix_totally_orders_sent_messages_UMO_reachable_aux; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: s =
MkState [] (adr s) <++> obs1 <+>
MkObservation Send m1 <++> obs2 <+>
MkObservation Send m2 <++> obs3
Hvsp: valid_state_prop Ui s
UMO_reachable ?P s
  by apply UMO_reachable_valid_state_prop.
Qed.

The message_suffix relation is trichotomous on the sentMessages of any reachable state.

Lemma state_suffix_totally_orders_sent_messages_UMO_reachable P :
  forall (s : State) (m1 m2 : Message),
    UMO_reachable P s -> m1 ∈ sentMessages s -> m2 ∈ sentMessages s ->
      message_suffix m1 m2 \/ m1 = m2 \/ message_suffix m2 m1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message),
  UMO_reachable P s
  → m1 ∈ sentMessages s
    → m2 ∈ sentMessages s
      → message_suffix m1 m2
        ∨ m1 = m2 ∨ message_suffix m2 m1
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message),
  UMO_reachable P s
  → m1 ∈ sentMessages s
    → m2 ∈ sentMessages s
      → message_suffix m1 m2
        ∨ m1 = m2 ∨ message_suffix m2 m1
  intros s m1 m2 Hvalid H1 H2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: m1 ∈ sentMessages s
H2: m2 ∈ sentMessages s
message_suffix m1 m2 ∨ m1 = m2 ∨ message_suffix m2 m1
  apply elem_of_sentMessages in H1, H2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
message_suffix m1 m2 ∨ m1 = m2 ∨ message_suffix m2 m1
  destruct (elem_of_list_split_2 _ _ _ H1 H2) as [Heq | (obs1 & obs2 & obs3 & [H | H])]
  ; [right; left | right; right | left].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
Heq: MkObservation Send m1 = MkObservation Send m2
m1 = m2
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
obs1, obs2, obs3: list BaseELMO.Observation
H: obs s =
obs1 ++
MkObservation Send m1
:: obs2 ++ MkObservation Send m2 :: obs3
message_suffix m2 m1
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
obs1, obs2, obs3: list BaseELMO.Observation
H: obs s =
obs1 ++
MkObservation Send m2
:: obs2 ++ MkObservation Send m1 :: obs3
message_suffix m1 m2
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
Heq: MkObservation Send m1 = MkObservation Send m2
m1 = m2 by congruence.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
obs1, obs2, obs3: list BaseELMO.Observation
H: obs s =
obs1 ++
MkObservation Send m1
:: obs2 ++ MkObservation Send m2 :: obs3
message_suffix m2 m1 eapply state_suffix_totally_orders_sent_messages_UMO_reachable_aux with (s := s); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
obs1, obs2, obs3: list BaseELMO.Observation
H: obs s =
obs1 ++
MkObservation Send m1
:: obs2 ++ MkObservation Send m2 :: obs3
s =
MkState [] (adr s) <++> ?obs1 <+>
MkObservation Send m2 <++> ?obs2 <+>
MkObservation Send m1 <++> ?obs3
    by apply eq_State; cbn; [rewrite app_nil_r |].
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
obs1, obs2, obs3: list BaseELMO.Observation
H: obs s =
obs1 ++
MkObservation Send m2
:: obs2 ++ MkObservation Send m1 :: obs3
message_suffix m1 m2 eapply state_suffix_totally_orders_sent_messages_UMO_reachable_aux with (s := s); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvalid: UMO_reachable P s
H1: MkObservation Send m1 ∈ obs s
H2: MkObservation Send m2 ∈ obs s
obs1, obs2, obs3: list BaseELMO.Observation
H: obs s =
obs1 ++
MkObservation Send m2
:: obs2 ++ MkObservation Send m1 :: obs3
s =
MkState [] (adr s) <++> ?obs1 <+>
MkObservation Send m1 <++> ?obs2 <+>
MkObservation Send m2 <++> ?obs3
    by apply eq_State; cbn; [rewrite app_nil_r |].
Qed.

state_suffix_totally_orders_sent_messages_UMO_reachable transfers to sentMessages of valid states.

Lemma state_suffix_totally_orders_sent_messages_valid_state_prop :
  forall (s : State) (m1 m2 : Message),
    valid_state_prop Ui s -> m1 ∈ sentMessages s -> m2 ∈ sentMessages s ->
      message_suffix m1 m2 \/ m1 = m2 \/ message_suffix m2 m1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m1 m2 : Message),
  valid_state_prop Ui s
  → m1 ∈ sentMessages s
    → m2 ∈ sentMessages s
      → message_suffix m1 m2
        ∨ m1 = m2 ∨ message_suffix m2 m1
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m1 m2 : Message),
  valid_state_prop Ui s
  → m1 ∈ sentMessages s
    → m2 ∈ sentMessages s
      → message_suffix m1 m2
        ∨ m1 = m2 ∨ message_suffix m2 m1
  intros s m1 m2 Hvsp Hin1 Hin2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m1, m2: Message
Hvsp: valid_state_prop Ui s
Hin1: m1 ∈ sentMessages s
Hin2: m2 ∈ sentMessages s
message_suffix m1 m2 ∨ m1 = m2 ∨ message_suffix m2 m1
  by eapply state_suffix_totally_orders_sent_messages_UMO_reachable;
    [apply UMO_reachable_valid_state_prop | ..].
Qed.

Observability

Message m1 is directly observable in message m2 if m1 is an element of the list of observation of m2's state.

It would be possible to use a different definition of directly_observable, which goes by cases on whether the message was sent or received.

Definition directly_observable (m1 m2 : Message) : Prop :=
  m1 ∈ map message (obs (state m2)).

Our definition is equivalent to the alternative definition.

Lemma directly_observable_spec_other :
  forall m1 m2 : Message,
    m1 ∈ map message (obs (state m2))
      <->
    m1 ∈ sentMessages (state m2) \/ m1 ∈ receivedMessages (state m2).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m1 m2 : Message,
  m1 ∈ map message (obs (state m2))
  ↔ m1 ∈ sentMessages (state m2)
    ∨ m1 ∈ receivedMessages (state m2)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m1 m2 : Message,
  m1 ∈ map message (obs (state m2))
  ↔ m1 ∈ sentMessages (state m2)
    ∨ m1 ∈ receivedMessages (state m2)
  intros m1 m2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
m1 ∈ map message (obs (state m2))
↔ m1 ∈ sentMessages (state m2)
  ∨ m1 ∈ receivedMessages (state m2)
  unfold sentMessages, sentMessages', receivedMessages, receivedMessages'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
m1 ∈ map message (obs (state m2))
↔ m1 ∈ map message (filter isSend (obs (state m2)))
  ∨ m1
    ∈ map message (filter isReceive (obs (state m2)))
  unfold Message; rewrite !elem_of_list_fmap.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
(∃ y : BaseELMO.Observation,
   m1 = message y ∧ y ∈ obs (state m2))
↔ (∃ y : BaseELMO.Observation,
     m1 = message y
     ∧ y ∈ filter isSend (obs (state m2)))
  ∨ (∃ y : BaseELMO.Observation,
       m1 = message y
       ∧ y ∈ filter isReceive (obs (state m2)))
  setoid_rewrite elem_of_list_filter.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
(∃ y : BaseELMO.Observation,
   m1 = message y ∧ y ∈ obs (state m2))
↔ (∃ y : BaseELMO.Observation,
     m1 = message y ∧ isSend y ∧ y ∈ obs (state m2))
  ∨ (∃ y : BaseELMO.Observation,
       m1 = message y
       ∧ isReceive y ∧ y ∈ obs (state m2))
  split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
(∃ y : BaseELMO.Observation,
   m1 = message y ∧ y ∈ obs (state m2))
→ (∃ y : BaseELMO.Observation,
     m1 = message y ∧ isSend y ∧ y ∈ obs (state m2))
  ∨ (∃ y : BaseELMO.Observation,
       m1 = message y
       ∧ isReceive y ∧ y ∈ obs (state m2))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
(∃ y : BaseELMO.Observation,
   m1 = message y ∧ isSend y ∧ y ∈ obs (state m2))
∨ (∃ y : BaseELMO.Observation,
     m1 = message y ∧ isReceive y ∧ y ∈ obs (state m2))
→ ∃ y : BaseELMO.Observation,
    m1 = message y ∧ y ∈ obs (state m2)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
(∃ y : BaseELMO.Observation,
   m1 = message y ∧ y ∈ obs (state m2))
→ (∃ y : BaseELMO.Observation,
     m1 = message y ∧ isSend y ∧ y ∈ obs (state m2))
  ∨ (∃ y : BaseELMO.Observation,
       m1 = message y
       ∧ isReceive y ∧ y ∈ obs (state m2)) intros (ob & Hm & Hin); subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hin: ob ∈ obs (state m2)
(∃ y : BaseELMO.Observation,
   message ob = message y
   ∧ isSend y ∧ y ∈ obs (state m2))
∨ (∃ y : BaseELMO.Observation,
     message ob = message y
     ∧ isReceive y ∧ y ∈ obs (state m2))
    destruct (label ob) eqn: Hlob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hin: ob ∈ obs (state m2)
Hlob: label ob = Receive
(∃ y : BaseELMO.Observation,
   message ob = message y
   ∧ isSend y ∧ y ∈ obs (state m2))
∨ (∃ y : BaseELMO.Observation,
     message ob = message y
     ∧ isReceive y ∧ y ∈ obs (state m2))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hin: ob ∈ obs (state m2)
Hlob: label ob = Send
(∃ y : BaseELMO.Observation,
   message ob = message y
   ∧ isSend y ∧ y ∈ obs (state m2))
∨ (∃ y : BaseELMO.Observation,
     message ob = message y
     ∧ isReceive y ∧ y ∈ obs (state m2))
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hin: ob ∈ obs (state m2)
Hlob: label ob = Receive
(∃ y : BaseELMO.Observation,
   message ob = message y
   ∧ isSend y ∧ y ∈ obs (state m2))
∨ (∃ y : BaseELMO.Observation,
     message ob = message y
     ∧ isReceive y ∧ y ∈ obs (state m2)) by right; exists ob; unfold isReceive; rewrite Hlob.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hin: ob ∈ obs (state m2)
Hlob: label ob = Send
(∃ y : BaseELMO.Observation,
   message ob = message y
   ∧ isSend y ∧ y ∈ obs (state m2))
∨ (∃ y : BaseELMO.Observation,
     message ob = message y
     ∧ isReceive y ∧ y ∈ obs (state m2)) by left; exists ob; unfold isSend; rewrite Hlob.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m1, m2: Message
(∃ y : BaseELMO.Observation,
   m1 = message y ∧ isSend y ∧ y ∈ obs (state m2))
∨ (∃ y : BaseELMO.Observation,
     m1 = message y ∧ isReceive y ∧ y ∈ obs (state m2))
→ ∃ y : BaseELMO.Observation,
    m1 = message y ∧ y ∈ obs (state m2) intros [(ob & -> & Hs & Hin) | (ob & -> & Hs & Hin)].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hs: isSend ob
Hin: ob ∈ obs (state m2)
∃ y : BaseELMO.Observation,
  message ob = message y ∧ y ∈ obs (state m2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hs: isReceive ob
Hin: ob ∈ obs (state m2)
∃ y : BaseELMO.Observation,
  message ob = message y ∧ y ∈ obs (state m2)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hs: isSend ob
Hin: ob ∈ obs (state m2)
∃ y : BaseELMO.Observation,
  message ob = message y ∧ y ∈ obs (state m2) by exists ob.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
m2: Message
ob: BaseELMO.Observation
Hs: isReceive ob
Hin: ob ∈ obs (state m2)
∃ y : BaseELMO.Observation,
  message ob = message y ∧ y ∈ obs (state m2) by exists ob.
Qed.

observable is the transitive closure of directly_observable.

Definition observable : relation Message :=
  tc directly_observable.

If m1 is directly observable in a suffix of m3, then it is also directly observable in m3.

Lemma message_suffix_directly_observable :
  forall m1 m2 m3 : Message,
    message_suffix m2 m3 -> directly_observable m1 m2 -> directly_observable m1 m3.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m1 m2 m3 : Message,
  message_suffix m2 m3
  → directly_observable m1 m2
    → directly_observable m1 m3
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m1 m2 m3 : Message,
  message_suffix m2 m3
  → directly_observable m1 m2
    → directly_observable m1 m3
  unfold directly_observable.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ m1 m2 m3 : Message,
  message_suffix m2 m3
  → m1 ∈ map message (obs (state m2))
    → m1 ∈ map message (obs (state m3))
  intros [s1] [s2] [s3] (_ & [obs' Hsuf] & _) Hdo; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s1, s2, s3: BaseELMO.State
obs': list BaseELMO.Observation
Hsuf: obs s3 = obs' ++ obs s2
Hdo: MkMessage s1 ∈ map message (obs s2)
MkMessage s1 ∈ map message (obs s3)
  by unfold Message; rewrite Hsuf, map_app, elem_of_app; right.
Qed.

m is directly observable in state s extended with new observation ob iff m is the message of ob or m is directly observable in s.

Lemma directly_observable_addObservation :
  forall (m : Message) (s : State) (ob : Observation),
    directly_observable m (MkMessage (s <+> ob))
      <->
    directly_observable m (MkMessage s) \/ m = message ob.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (m : Message) (s : State) (ob : Observation),
  directly_observable m (MkMessage (s <+> ob))
  ↔ directly_observable m (MkMessage s)
    ∨ m = message ob
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (m : Message) (s : State) (ob : Observation),
  directly_observable m (MkMessage (s <+> ob))
  ↔ directly_observable m (MkMessage s)
    ∨ m = message ob
  unfold directly_observable, Message.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (m : BaseELMO.Message) (s : State) (ob : Observation),
  m ∈ map message (obs (state (MkMessage (s <+> ob))))
  ↔ m ∈ map message (obs (state (MkMessage s)))
    ∨ m = message ob
  by intros m s ob; cbn; rewrite elem_of_cons; itauto.
Qed.

directly_observable_addObservation easily transfers to a situation in which we add multiple observations at once.

Lemma directly_observable_addObservations :
  forall (m : Message) (s : State) (obs' : list Observation),
    directly_observable m (MkMessage (s <++> obs'))
      <->
    directly_observable m (MkMessage s) \/ m ∈ map message obs'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (m : Message) (s : State) (obs' : list Observation),
  directly_observable m (MkMessage (s <++> obs'))
  ↔ directly_observable m (MkMessage s)
    ∨ m ∈ map message obs'
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (m : Message) (s : State) (obs' : list Observation),
  directly_observable m (MkMessage (s <++> obs'))
  ↔ directly_observable m (MkMessage s)
    ∨ m ∈ map message obs'
  unfold directly_observable, Message.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (m : BaseELMO.Message) (s : State) (obs' : list
                                               Observation),
  m
  ∈ map message
      (obs (state (MkMessage (s <++> obs'))))
  ↔ m ∈ map message (obs (state (MkMessage s)))
    ∨ m ∈ map message obs'
  by intros m s obs'; cbn; rewrite map_app, elem_of_app; itauto.
Qed.

In a reachable state, messages sent earlier are directly observable in messages sent later.

Lemma directly_observable_totally_orders_sent_messages_UMO_reachable P :
  forall (s : State) (m1 m2 : Message) (obs1 obs2 obs3 : list Observation),
    s = MkState [] (adr s) <++>
      obs1 <+> MkObservation Send m1 <++> obs2 <+> MkObservation Send m2 <++> obs3 ->
    UMO_reachable P s ->
      directly_observable m1 m2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → UMO_reachable P s → directly_observable m1 m2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → UMO_reachable P s → directly_observable m1 m2
  intros s m1 m2 obs1 obs2 obs3 Heq Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: s =
MkState [] (adr s) <++> obs1 <+>
MkObservation Send m1 <++> obs2 <+>
MkObservation Send m2 <++> obs3
Hvsp: UMO_reachable P s
directly_observable m1 m2
  rewrite Heq in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: s =
MkState [] (adr s) <++> obs1 <+>
MkObservation Send m1 <++> obs2 <+>
MkObservation Send m2 <++> obs3
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2 <++> obs3)
directly_observable m1 m2
  apply UMO_reachable_addObservations_inv in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: s =
MkState [] (adr s) <++> obs1 <+>
MkObservation Send m1 <++> obs2 <+>
MkObservation Send m2 <++> obs3
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2)
directly_observable m1 m2
  apply UMO_reachable_addObservation_inv_message in Hvsp as Heq'; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: s =
MkState [] (adr s) <++> obs1 <+>
MkObservation Send m1 <++> obs2 <+>
MkObservation Send m2 <++> obs3
Hvsp: UMO_reachable P
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2 <+>
   MkObservation Send m2)
Heq': message (MkObservation Send m2) =
MkMessage
  (MkState [] (adr s) <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
directly_observable m1 m2
  cbn in Heq'; subst; clear Heq Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1: Message
obs1, obs2, obs3: list Observation
directly_observable m1
  (MkMessage
     (MkState [] (adr s) <++> obs1 <+>
      MkObservation Send m1 <++> obs2))
  repeat (rewrite ?directly_observable_addObservations, ?directly_observable_addObservation); cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1: Message
obs1, obs2, obs3: list Observation
((directly_observable m1
    (MkMessage (MkState [] (adr s)))
  ∨ m1 ∈ map message obs1) ∨ m1 = m1)
∨ m1 ∈ map message obs2
  by itauto.
Qed.

directly_observable_totally_orders_sent_messages_UMO_reachable can be transferred to valid states.

Lemma directly_observable_totally_orders_sent_messages_valid_state_prop :
  forall (s : State) (m1 m2 : Message) (obs1 obs2 obs3 : list Observation),
    s = MkState [] (adr s) <++>
      obs1 <+> MkObservation Send m1 <++> obs2 <+> MkObservation Send m2 <++> obs3 ->
    valid_state_prop Ui s ->
      directly_observable m1 m2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → valid_state_prop Ui s → directly_observable m1 m2
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (m1 m2 : Message) (obs1 obs2
                                 obs3 : list
                                          Observation),
  s =
  MkState [] (adr s) <++> obs1 <+>
  MkObservation Send m1 <++> obs2 <+>
  MkObservation Send m2 <++> obs3
  → valid_state_prop Ui s → directly_observable m1 m2
  intros s m1 m2 obs1 obs2 obs3 Heq Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m1, m2: Message
obs1, obs2, obs3: list Observation
Heq: s =
MkState [] (adr s) <++> obs1 <+>
MkObservation Send m1 <++> obs2 <+>
MkObservation Send m2 <++> obs3
Hvsp: valid_state_prop Ui s
directly_observable m1 m2
  by eapply directly_observable_totally_orders_sent_messages_UMO_reachable,
    UMO_reachable_valid_state_prop.
Qed.

If ob belongs to the observations of a state s, we can decompose s into some state s' followed by ob and then possibly some more observations obs'.

Moreover, if the observation was a sent message m, then we know that s' is state m.

Lemma elem_of_obs_split :
  forall (s : State) (ob : Observation),
    ob ∈ obs s ->
      exists (s' : State) (obs' : list Observation),
        s = s' <+> ob <++> obs'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob : Observation),
  ob ∈ obs s
  → ∃ (s' : State) (obs' : list Observation),
      s = s' <+> ob <++> obs'
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob : Observation),
  ob ∈ obs s
  → ∃ (s' : State) (obs' : list Observation),
      s = s' <+> ob <++> obs'
  intros s m Hin.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m: Observation
Hin: m ∈ obs s
∃ (s' : State) (obs' : list Observation),
  s = s' <+> m <++> obs'
  apply elem_of_list_split in Hin as (obs1 & obs2 & Hobs); cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m: Observation
obs1, obs2: list Observation
Hobs: obs s = obs1 ++ m :: obs2
∃ (s' : State) (obs' : list Observation),
  s = s' <+> m <++> obs'
  exists (MkState obs2 (adr s)), obs1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
m: Observation
obs1, obs2: list Observation
Hobs: obs s = obs1 ++ m :: obs2
s = MkState obs2 (adr s) <+> m <++> obs1
  by apply eq_State; cbn.
Qed.

Lemma elem_of_UMO_reachable_obs_Send_split P :
  forall (s : State) (m : Message),
    MkObservation Send m ∈ obs s -> UMO_reachable P s ->
      exists obs' : list Observation,
        s = state m <+> MkObservation Send m <++> obs'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  MkObservation Send m ∈ obs s
  → UMO_reachable P s
    → ∃ obs' : list Observation,
        s = state m <+> MkObservation Send m <++> obs'
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  MkObservation Send m ∈ obs s
  → UMO_reachable P s
    → ∃ obs' : list Observation,
        s = state m <+> MkObservation Send m <++> obs'
  intros s m Hin Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hin: MkObservation Send m ∈ obs s
Hvsp: UMO_reachable P s
∃ obs' : list Observation,
  s = state m <+> MkObservation Send m <++> obs'
  apply elem_of_obs_split in Hin as (s' & obs' & ->).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
s': State
obs': list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m <++> obs')
∃ obs'0 : list Observation,
  s' <+> MkObservation Send m <++> obs' =
  state m <+> MkObservation Send m <++> obs'0
  exists obs'; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
s': State
obs': list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m <++> obs')
s' <+> MkObservation Send m <++> obs' =
state m <+> MkObservation Send m <++> obs'
  do 2 f_equal.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
s': State
obs': list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m <++> obs')
s' = state m
  by apply UMO_reachable_addObservations_inv, UMO_reachable_addObservation_inv_Send_state in Hvsp.
Qed.

Lemma elem_of_UMO_reachable_obs_Send_UMO_reachable P :
  forall (s : State) (m : Message),
    MkObservation Send m ∈ obs s -> UMO_reachable P s ->
      UMO_reachable P (state m).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  MkObservation Send m ∈ obs s
  → UMO_reachable P s → UMO_reachable P (state m)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  MkObservation Send m ∈ obs s
  → UMO_reachable P s → UMO_reachable P (state m)
  intros s m Hin Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hin: MkObservation Send m ∈ obs s
Hvsp: UMO_reachable P s
UMO_reachable P (state m)
  destruct (elem_of_UMO_reachable_obs_Send_split _ _ _ Hin Hvsp) as [obs ->].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
obs: list Observation
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m <++> obs)
Hin: MkObservation Send m
∈ BaseELMO.obs
    (state m <+> MkObservation Send m <++> obs)
UMO_reachable P (state m)
  by apply UMO_reachable_addObservations_inv, UMO_reachable_addObservation_inv_Send in Hvsp.
Qed.

elem_of_obs_split and elem_of_UMO_reachable_obs_Send_split can be generalized to two observations ob1 and ob2 and from there to any numbers of observations.

Lemma elem_of_obs_split_2 :
  forall (s : State) (ob1 ob2 : Observation),
    ob1 ∈ obs s -> ob2 ∈ obs s ->
      ob1 = ob2
        \/
      exists (s' : State) (obs1 obs2 : list Observation),
        s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
          \/
        s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob1 ob2 : Observation),
  ob1 ∈ obs s
  → ob2 ∈ obs s
    → ob1 = ob2
      ∨ (∃ (s' : State) (obs1 obs2 : list Observation),
           s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
           ∨ s =
             s' <+> ob2 <++> obs1 <+> ob1 <++> obs2)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
∀ (s : State) (ob1 ob2 : Observation),
  ob1 ∈ obs s
  → ob2 ∈ obs s
    → ob1 = ob2
      ∨ (∃ (s' : State) (obs1 obs2 : list Observation),
           s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
           ∨ s =
             s' <+> ob2 <++> obs1 <+> ob1 <++> obs2)
  intros s ob1 ob2 Hin1 Hin2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
ob1 = ob2
∨ (∃ (s' : State) (obs1 obs2 : list Observation),
     s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
     ∨ s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2)
  destruct (elem_of_list_split_2 _ _ _ Hin1 Hin2)
    as [Heq | (obs1 & obs2 & obs3 & [Heq | Heq])].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
Heq: ob1 = ob2
ob1 = ob2
∨ (∃ (s' : State) (obs1 obs2 : list Observation),
     s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
     ∨ s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
obs1, obs2, obs3: list Observation
Heq: obs s = obs1 ++ ob1 :: obs2 ++ ob2 :: obs3
ob1 = ob2
∨ (∃ (s' : State) (obs1 obs2 : list Observation),
     s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
     ∨ s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
obs1, obs2, obs3: list Observation
Heq: obs s = obs1 ++ ob2 :: obs2 ++ ob1 :: obs3
ob1 = ob2
∨ (∃ (s' : State) (obs1 obs2 : list Observation),
     s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
     ∨ s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
Heq: ob1 = ob2
ob1 = ob2
∨ (∃ (s' : State) (obs1 obs2 : list Observation),
     s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
     ∨ s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2) by left.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
obs1, obs2, obs3: list Observation
Heq: obs s = obs1 ++ ob1 :: obs2 ++ ob2 :: obs3
ob1 = ob2
∨ (∃ (s' : State) (obs1 obs2 : list Observation),
     s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
     ∨ s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2) right; exists (MkState obs3 (adr s)), obs2, obs1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
obs1, obs2, obs3: list Observation
Heq: obs s = obs1 ++ ob1 :: obs2 ++ ob2 :: obs3
s =
MkState obs3 (adr s) <+> ob1 <++> obs2 <+> ob2 <++>
obs1
∨ s =
  MkState obs3 (adr s) <+> ob2 <++> obs2 <+> ob1 <++>
  obs1
    by right; apply eq_State; cbn.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
obs1, obs2, obs3: list Observation
Heq: obs s = obs1 ++ ob2 :: obs2 ++ ob1 :: obs3
ob1 = ob2
∨ (∃ (s' : State) (obs1 obs2 : list Observation),
     s = s' <+> ob1 <++> obs1 <+> ob2 <++> obs2
     ∨ s = s' <+> ob2 <++> obs1 <+> ob1 <++> obs2) right; exists (MkState obs3 (adr s)), obs2, obs1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
s: State
ob1, ob2: Observation
Hin1: ob1 ∈ obs s
Hin2: ob2 ∈ obs s
obs1, obs2, obs3: list Observation
Heq: obs s = obs1 ++ ob2 :: obs2 ++ ob1 :: obs3
s =
MkState obs3 (adr s) <+> ob1 <++> obs2 <+> ob2 <++>
obs1
∨ s =
  MkState obs3 (adr s) <+> ob2 <++> obs2 <+> ob1 <++>
  obs1
    by left; apply eq_State; cbn.
Qed.

Lemma elem_of_UMO_reachable_obs_Send_split_2 P :
  forall (s : State) (m1 m2 : Message),
    MkObservation Send m1 ∈ obs s -> MkObservation Send m2 ∈ obs s ->
    UMO_reachable P s ->
      m1 = m2
        \/
      exists obs1 obs2 : list Observation,
        s = state m1 <+> MkObservation Send m1 <++> obs1 <+> MkObservation Send m2 <++> obs2
          \/
        s = state m2 <+> MkObservation Send m2 <++> obs1 <+> MkObservation Send m1 <++> obs2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message),
  MkObservation Send m1 ∈ obs s
  → MkObservation Send m2 ∈ obs s
    → UMO_reachable P s
      → m1 = m2
        ∨ (∃ obs1 obs2 : list Observation,
             s =
             state m1 <+> MkObservation Send m1 <++>
             obs1 <+> MkObservation Send m2 <++> obs2
             ∨ s =
               state m2 <+> MkObservation Send m2 <++>
               obs1 <+> MkObservation Send m1 <++>
               obs2)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message),
  MkObservation Send m1 ∈ obs s
  → MkObservation Send m2 ∈ obs s
    → UMO_reachable P s
      → m1 = m2
        ∨ (∃ obs1 obs2 : list Observation,
             s =
             state m1 <+> MkObservation Send m1 <++>
             obs1 <+> MkObservation Send m2 <++> obs2
             ∨ s =
               state m2 <+> MkObservation Send m2 <++>
               obs1 <+> MkObservation Send m1 <++>
               obs2)
  intros s m1 m2 Hin1 Hin2 Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp: UMO_reachable P s
m1 = m2
∨ (∃ obs1 obs2 : list Observation,
     s =
     state m1 <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2
     ∨ s =
       state m2 <+> MkObservation Send m2 <++> obs1 <+>
       MkObservation Send m1 <++> obs2)
  destruct (elem_of_obs_split_2 _ _ _ Hin1 Hin2) as [Heq | (s' & obs1 & obs2 & [Heq | Heq])].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp: UMO_reachable P s
Heq: MkObservation Send m1 = MkObservation Send m2
m1 = m2
∨ (∃ obs1 obs2 : list Observation,
     s =
     state m1 <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2
     ∨ s =
       state m2 <+> MkObservation Send m2 <++> obs1 <+>
       MkObservation Send m1 <++> obs2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp: UMO_reachable P s
s': State
obs1, obs2: list Observation
Heq: s =
s' <+> MkObservation Send m1 <++> obs1 <+>
MkObservation Send m2 <++> obs2
m1 = m2
∨ (∃ obs1 obs2 : list Observation,
     s =
     state m1 <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2
     ∨ s =
       state m2 <+> MkObservation Send m2 <++> obs1 <+>
       MkObservation Send m1 <++> obs2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp: UMO_reachable P s
s': State
obs1, obs2: list Observation
Heq: s =
s' <+> MkObservation Send m2 <++> obs1 <+>
MkObservation Send m1 <++> obs2
m1 = m2
∨ (∃ obs1 obs2 : list Observation,
     s =
     state m1 <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2
     ∨ s =
       state m2 <+> MkObservation Send m2 <++> obs1 <+>
       MkObservation Send m1 <++> obs2)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp: UMO_reachable P s
Heq: MkObservation Send m1 = MkObservation Send m2
m1 = m2
∨ (∃ obs1 obs2 : list Observation,
     s =
     state m1 <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2
     ∨ s =
       state m2 <+> MkObservation Send m2 <++> obs1 <+>
       MkObservation Send m1 <++> obs2) by left; congruence.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp: UMO_reachable P s
s': State
obs1, obs2: list Observation
Heq: s =
s' <+> MkObservation Send m1 <++> obs1 <+>
MkObservation Send m2 <++> obs2
m1 = m2
∨ (∃ obs1 obs2 : list Observation,
     s =
     state m1 <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2
     ∨ s =
       state m2 <+> MkObservation Send m2 <++> obs1 <+>
       MkObservation Send m1 <++> obs2) right; exists obs1, obs2; left; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
s': State
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m1 <++> obs1 <+>
   MkObservation Send m2 <++> obs2)
Hin2: MkObservation Send m2
∈ obs
    (s' <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2)
Hin1: MkObservation Send m1
∈ obs
    (s' <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2)
s' <+> MkObservation Send m1 <++> obs1 <+>
MkObservation Send m2 <++> obs2 =
state m1 <+> MkObservation Send m1 <++> obs1 <+>
MkObservation Send m2 <++> obs2
    do 4 f_equal.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
s': State
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m1 <++> obs1 <+>
   MkObservation Send m2 <++> obs2)
Hin2: MkObservation Send m2
∈ obs
    (s' <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2)
Hin1: MkObservation Send m1
∈ obs
    (s' <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2)
s' = state m1
    by eapply UMO_reachable_addObservation_inv_Send_state,
      UMO_reachable_addObservations_inv,
      UMO_reachable_addObservation_inv,
      UMO_reachable_addObservations_inv.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp: UMO_reachable P s
s': State
obs1, obs2: list Observation
Heq: s =
s' <+> MkObservation Send m2 <++> obs1 <+>
MkObservation Send m1 <++> obs2
m1 = m2
∨ (∃ obs1 obs2 : list Observation,
     s =
     state m1 <+> MkObservation Send m1 <++> obs1 <+>
     MkObservation Send m2 <++> obs2
     ∨ s =
       state m2 <+> MkObservation Send m2 <++> obs1 <+>
       MkObservation Send m1 <++> obs2) right; exists obs1, obs2; right; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
s': State
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m2 <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Hin2: MkObservation Send m2
∈ obs
    (s' <+> MkObservation Send m2 <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
Hin1: MkObservation Send m1
∈ obs
    (s' <+> MkObservation Send m2 <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
s' <+> MkObservation Send m2 <++> obs1 <+>
MkObservation Send m1 <++> obs2 =
state m2 <+> MkObservation Send m2 <++> obs1 <+>
MkObservation Send m1 <++> obs2
    do 4 f_equal.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
s': State
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m2 <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Hin2: MkObservation Send m2
∈ obs
    (s' <+> MkObservation Send m2 <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
Hin1: MkObservation Send m1
∈ obs
    (s' <+> MkObservation Send m2 <++> obs1 <+>
     MkObservation Send m1 <++> obs2)
s' = state m2
    by eapply UMO_reachable_addObservation_inv_Send_state,
      UMO_reachable_addObservations_inv,
      UMO_reachable_addObservation_inv,
      UMO_reachable_addObservations_inv.
Qed.

If m belongs to sentMessages of s, then its state has the same address as s.

Lemma adr_of_sentMessages P :
  forall (s : State) (m : Message),
    UMO_reachable P s -> m ∈ sentMessages s ->
      adr (state m) = adr s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P s
  → m ∈ sentMessages s → adr (state m) = adr s
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P s
  → m ∈ sentMessages s → adr (state m) = adr s
  intros s m Hvsp Hin.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P s
Hin: m ∈ sentMessages s
adr (state m) = adr s
  apply elem_of_sentMessages, elem_of_obs_split in Hin as (s' & obs' & ->); cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
s': State
obs': list Observation
Hvsp: UMO_reachable P
  (s' <+> MkObservation Send m <++> obs')
adr (state m) = adr s'
  apply UMO_reachable_addObservations_inv in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
s': State
obs': list Observation
Hvsp: UMO_reachable P (s' <+> MkObservation Send m)
adr (state m) = adr s'
  by destruct s'; inversion Hvsp.
Qed.

A message m belongs to the sentMessages of state s if and only if the state state m <+> MkObservation Send m is a (possibly improper) state suffix of s.

Lemma sentMessages_characterization P :
  forall (s : State) (m : Message),
    UMO_reachable P s ->
      m ∈ sentMessages s
        <->
      let s' := state m <+> MkObservation Send m in
        state_suffix s' s \/ s' = s.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P s
  → m ∈ sentMessages s
    ↔ (let s' := state m <+> MkObservation Send m in
       state_suffix s' s ∨ s' = s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m : Message),
  UMO_reachable P s
  → m ∈ sentMessages s
    ↔ (let s' := state m <+> MkObservation Send m in
       state_suffix s' s ∨ s' = s)
  intros s m Hvsp; setoid_rewrite elem_of_sentMessages; split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P s
MkObservation Send m ∈ obs s
→ let s' := state m <+> MkObservation Send m in
  state_suffix s' s ∨ s' = s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P s
(let s' := state m <+> MkObservation Send m in
 state_suffix s' s ∨ s' = s)
→ MkObservation Send m ∈ obs s
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P s
MkObservation Send m ∈ obs s
→ let s' := state m <+> MkObservation Send m in
  state_suffix s' s ∨ s' = s intros Hin; eapply elem_of_UMO_reachable_obs_Send_split in Hin as (obs' & ->); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
obs': list Observation
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m <++> obs')
let s' := state m <+> MkObservation Send m in
state_suffix s'
  (state m <+> MkObservation Send m <++> obs')
∨ s' = state m <+> MkObservation Send m <++> obs'
    destruct obs' as [| ob obs'].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m <++> [])
let s' := state m <+> MkObservation Send m in
state_suffix s'
  (state m <+> MkObservation Send m <++> [])
∨ s' = state m <+> MkObservation Send m <++> []
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
ob: Observation
obs': list Observation
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m <++>
   (ob :: obs'))
let s' := state m <+> MkObservation Send m in
state_suffix s'
  (state m <+> MkObservation Send m <++> (ob :: obs'))
∨ s' =
  state m <+> MkObservation Send m <++> (ob :: obs')
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m <++> [])
let s' := state m <+> MkObservation Send m in
state_suffix s'
  (state m <+> MkObservation Send m <++> [])
∨ s' = state m <+> MkObservation Send m <++> [] by right.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
ob: Observation
obs': list Observation
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m <++>
   (ob :: obs'))
let s' := state m <+> MkObservation Send m in
state_suffix s'
  (state m <+> MkObservation Send m <++> (ob :: obs'))
∨ s' =
  state m <+> MkObservation Send m <++> (ob :: obs') by left; apply state_suffix_addObservations; inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P s
(let s' := state m <+> MkObservation Send m in
 state_suffix s' s ∨ s' = s)
→ MkObservation Send m ∈ obs s cbn; intros [(Hadr & (ob & ->) & Hobs2) | <-].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P s
Hadr: adr (state m <+> MkObservation Send m) = adr s
ob: list BaseELMO.Observation
Hobs2: ¬ ob ++ obs (state m <+> MkObservation Send m)
  `suffix_of` obs
                (state m <+>
                 MkObservation Send m)
MkObservation Send m
∈ ob ++ obs (state m <+> MkObservation Send m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m)
MkObservation Send m
∈ obs (state m <+> MkObservation Send m)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m: Message
Hvsp: UMO_reachable P s
Hadr: adr (state m <+> MkObservation Send m) = adr s
ob: list BaseELMO.Observation
Hobs2: ¬ ob ++ obs (state m <+> MkObservation Send m)
  `suffix_of` obs
                (state m <+>
                 MkObservation Send m)
MkObservation Send m
∈ ob ++ obs (state m <+> MkObservation Send m) by apply elem_of_app; right; constructor.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m: Message
Hvsp: UMO_reachable P
  (state m <+> MkObservation Send m)
MkObservation Send m
∈ obs (state m <+> MkObservation Send m) by constructor.
Qed.

A message m1 was sent before another message m2 if they have the same address and m1 appears in sentMessages of the state of m2.

Definition was_sent_before (m1 m2 : Message) : Prop :=
  adr (state m1) = adr (state m2) /\ m1 ∈ sentMessages (state m2).

We can characterize was_sent_before in terms of state_suffix in two different ways, provided that the state of m2 is reachable.

Lemma was_sent_before_characterization_1 P :
  forall m1 m2 : Message,
    UMO_reachable P (state m2) ->
      was_sent_before m1 m2
        <->
      let s := state m1 <+> MkObservation Send m1 in
        state_suffix s (state m2) \/ s = state m2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ m1 m2 : Message,
  UMO_reachable P (state m2)
  → was_sent_before m1 m2
    ↔ (let s := state m1 <+> MkObservation Send m1 in
       state_suffix s (state m2) ∨ s = state m2)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ m1 m2 : Message,
  UMO_reachable P (state m2)
  → was_sent_before m1 m2
    ↔ (let s := state m1 <+> MkObservation Send m1 in
       state_suffix s (state m2) ∨ s = state m2)
  intros m1 m2 Hvsp; split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
was_sent_before m1 m2
→ let s := state m1 <+> MkObservation Send m1 in
  state_suffix s (state m2) ∨ s = state m2
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
(let s := state m1 <+> MkObservation Send m1 in
 state_suffix s (state m2) ∨ s = state m2)
→ was_sent_before m1 m2
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
was_sent_before m1 m2
→ let s := state m1 <+> MkObservation Send m1 in
  state_suffix s (state m2) ∨ s = state m2 intros [Hadr Hsent].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
Hsent: m1 ∈ sentMessages (state m2)
let s := state m1 <+> MkObservation Send m1 in
state_suffix s (state m2) ∨ s = state m2
    apply elem_of_sentMessages in Hsent.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
Hsent: MkObservation Send m1 ∈ obs (state m2)
let s := state m1 <+> MkObservation Send m1 in
state_suffix s (state m2) ∨ s = state m2
    eapply elem_of_UMO_reachable_obs_Send_split in Hsent as (obs' & ->); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
obs': list Observation
let s := state m1 <+> MkObservation Send m1 in
state_suffix s
  (state m1 <+> MkObservation Send m1 <++> obs')
∨ s = state m1 <+> MkObservation Send m1 <++> obs'
    destruct obs' as [| ob' obs']; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m1 <+> MkObservation Send m1 <++> [])
∨ state m1 <+> MkObservation Send m1 =
  state m1 <+> MkObservation Send m1 <++> []
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
ob': Observation
obs': list Observation
state_suffix (state m1 <+> MkObservation Send m1)
  (state m1 <+> MkObservation Send m1 <++>
   (ob' :: obs'))
∨ state m1 <+> MkObservation Send m1 =
  state m1 <+> MkObservation Send m1 <++>
  (ob' :: obs')
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m1 <+> MkObservation Send m1 <++> [])
∨ state m1 <+> MkObservation Send m1 =
  state m1 <+> MkObservation Send m1 <++> [] by right.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
ob': Observation
obs': list Observation
state_suffix (state m1 <+> MkObservation Send m1)
  (state m1 <+> MkObservation Send m1 <++>
   (ob' :: obs'))
∨ state m1 <+> MkObservation Send m1 =
  state m1 <+> MkObservation Send m1 <++>
  (ob' :: obs') by left; apply state_suffix_addObservations; inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
(let s := state m1 <+> MkObservation Send m1 in
 state_suffix s (state m2) ∨ s = state m2)
→ was_sent_before m1 m2 intros [(Hadr & Hsuf & Hnsuf) | Heq]; cbn in *.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
Hsuf: addObservation' (MkObservation Send m1)
  (obs (state m1)) `suffix_of` 
obs (state m2)
Hnsuf: ¬ obs (state m2)
  `suffix_of` addObservation'
                (MkObservation Send m1)
                (obs (state m1))
was_sent_before m1 m2
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Heq: state m1 <+> MkObservation Send m1 = state m2
was_sent_before m1 m2
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
Hsuf: addObservation' (MkObservation Send m1)
  (obs (state m1)) `suffix_of` 
obs (state m2)
Hnsuf: ¬ obs (state m2)
  `suffix_of` addObservation'
                (MkObservation Send m1)
                (obs (state m1))
was_sent_before m1 m2 constructor; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
Hsuf: addObservation' (MkObservation Send m1)
  (obs (state m1)) `suffix_of` 
obs (state m2)
Hnsuf: ¬ obs (state m2)
  `suffix_of` addObservation'
                (MkObservation Send m1)
                (obs (state m1))
m1 ∈ sentMessages (state m2)
      apply elem_of_sentMessages.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
Hsuf: addObservation' (MkObservation Send m1)
  (obs (state m1)) `suffix_of` 
obs (state m2)
Hnsuf: ¬ obs (state m2)
  `suffix_of` addObservation'
                (MkObservation Send m1)
                (obs (state m1))
MkObservation Send m1 ∈ obs (state m2)
      destruct Hsuf as [obs' ->].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
obs': list BaseELMO.Observation
Hnsuf: ¬ obs (state m2)
  `suffix_of` addObservation'
                (MkObservation Send m1)
                (obs (state m1))
MkObservation Send m1
∈ obs' ++
  addObservation' (MkObservation Send m1)
    (obs (state m1))
      unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
obs': list BaseELMO.Observation
Hnsuf: ¬ obs (state m2)
  `suffix_of` addObservation'
                (MkObservation Send m1)
                (obs (state m1))
MkObservation Send m1
∈ obs' ++ MkObservation Send m1 :: obs (state m1)
      by rewrite elem_of_app, elem_of_cons; right; left.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Heq: state m1 <+> MkObservation Send m1 = state m2
was_sent_before m1 m2 constructor.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Heq: state m1 <+> MkObservation Send m1 = state m2
adr (state m1) = adr (state m2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Heq: state m1 <+> MkObservation Send m1 = state m2
m1 ∈ sentMessages (state m2)
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Heq: state m1 <+> MkObservation Send m1 = state m2
adr (state m1) = adr (state m2) by apply (f_equal adr) in Heq; cbn in Heq.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Heq: state m1 <+> MkObservation Send m1 = state m2
m1 ∈ sentMessages (state m2) by rewrite <- Heq; setoid_rewrite elem_of_sentMessages; left.
Qed.

Lemma was_sent_before_characterization_2 P :
  forall m1 m2 : Message,
    UMO_reachable P (state m2) ->
      was_sent_before m1 m2
        <->
      state_suffix (state m1 <+> MkObservation Send m1) (state m2 <+> MkObservation Send m2).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ m1 m2 : Message,
  UMO_reachable P (state m2)
  → was_sent_before m1 m2
    ↔ state_suffix
        (state m1 <+> MkObservation Send m1)
        (state m2 <+> MkObservation Send m2)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ m1 m2 : Message,
  UMO_reachable P (state m2)
  → was_sent_before m1 m2
    ↔ state_suffix
        (state m1 <+> MkObservation Send m1)
        (state m2 <+> MkObservation Send m2)
  intros m1 m2 Hvsp; split.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
was_sent_before m1 m2
→ state_suffix (state m1 <+> MkObservation Send m1)
    (state m2 <+> MkObservation Send m2)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m2 <+> MkObservation Send m2)
→ was_sent_before m1 m2
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
was_sent_before m1 m2
→ state_suffix (state m1 <+> MkObservation Send m1)
    (state m2 <+> MkObservation Send m2) intros [Hadr Hsent].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
Hsent: m1 ∈ sentMessages (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m2 <+> MkObservation Send m2)
    eapply elem_of_sentMessages, elem_of_UMO_reachable_obs_Send_split
      in Hsent as (obs' & ->); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
obs': list Observation
state_suffix (state m1 <+> MkObservation Send m1)
  (state m1 <+> MkObservation Send m1 <++> obs' <+>
   MkObservation Send m2)
    cbn; rewrite addObservation_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1) = adr (state m2)
obs': list Observation
state_suffix (state m1 <+> MkObservation Send m1)
  (state m1 <+> MkObservation Send m1 <++>
   (MkObservation Send m2 :: obs'))
    by apply state_suffix_addObservations; inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m2 <+> MkObservation Send m2)
→ was_sent_before m1 m2 intros (Hadr & Hsuf & Hnsuf).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
Hsuf: obs (state m1 <+> MkObservation Send m1)
`suffix_of` obs
              (state m2 <+>
               MkObservation Send m2)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
was_sent_before m1 m2
    constructor; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
Hsuf: obs (state m1 <+> MkObservation Send m1)
`suffix_of` obs
              (state m2 <+>
               MkObservation Send m2)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
m1 ∈ sentMessages (state m2)
    apply elem_of_sentMessages.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
Hsuf: obs (state m1 <+> MkObservation Send m1)
`suffix_of` obs
              (state m2 <+>
               MkObservation Send m2)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
MkObservation Send m1 ∈ obs (state m2)
    destruct Hsuf as [obs' Heq].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
obs': list BaseELMO.Observation
Heq: obs (state m2 <+> MkObservation Send m2) =
obs' ++ obs (state m1 <+> MkObservation Send m1)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
MkObservation Send m1 ∈ obs (state m2)
    cbn in Heq; unfold addObservation' in Heq.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
obs': list BaseELMO.Observation
Heq: MkObservation Send m2 :: obs (state m2) =
obs' ++ MkObservation Send m1 :: obs (state m1)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
MkObservation Send m1 ∈ obs (state m2)
    unfold addObservation'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
obs': list BaseELMO.Observation
Heq: MkObservation Send m2 :: obs (state m2) =
obs' ++ MkObservation Send m1 :: obs (state m1)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
MkObservation Send m1 ∈ obs (state m2)
    destruct obs' as [| ob' obs']; inversion Heq; subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1: Message
Hnsuf: ¬ obs (state m1 <+> MkObservation Send m1)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
Heq: MkObservation Send m1 :: obs (state m1) =
[] ++ MkObservation Send m1 :: obs (state m1)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m1 <+> MkObservation Send m1)
Hvsp: UMO_reachable P (state m1)
H1: obs (state m1) = obs (state m1)
MkObservation Send m1 ∈ obs (state m1)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
obs': list BaseELMO.Observation
Heq: MkObservation Send m2 :: obs (state m2) =
(MkObservation Send m2 :: obs') ++
MkObservation Send m1 :: obs (state m1)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
H1: obs (state m2) =
obs' ++ MkObservation Send m1 :: obs (state m1)
MkObservation Send m1 ∈ obs (state m2)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1: Message
Hnsuf: ¬ obs (state m1 <+> MkObservation Send m1)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
Heq: MkObservation Send m1 :: obs (state m1) =
[] ++ MkObservation Send m1 :: obs (state m1)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m1 <+> MkObservation Send m1)
Hvsp: UMO_reachable P (state m1)
H1: obs (state m1) = obs (state m1)
MkObservation Send m1 ∈ obs (state m1) by contradiction Hnsuf.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
Hvsp: UMO_reachable P (state m2)
Hadr: adr (state m1 <+> MkObservation Send m1) =
adr (state m2 <+> MkObservation Send m2)
obs': list BaseELMO.Observation
Heq: MkObservation Send m2 :: obs (state m2) =
(MkObservation Send m2 :: obs') ++
MkObservation Send m1 :: obs (state m1)
Hnsuf: ¬ obs (state m2 <+> MkObservation Send m2)
  `suffix_of` obs
                (state m1 <+>
                 MkObservation Send m1)
H1: obs (state m2) =
obs' ++ MkObservation Send m1 :: obs (state m1)
MkObservation Send m1 ∈ obs (state m2) by rewrite H1, elem_of_app, elem_of_cons; right; left.
Qed.

The relation was_sent_before is trichotomous on the sentMessages of any reachable state.

Lemma was_sent_before_totally_orders_sentMessages_UMO_reachable P :
  forall (s : State) (m1 m2 : Message),
    UMO_reachable P s -> m1 ∈ sentMessages s -> m2 ∈ sentMessages s ->
      was_sent_before m1 m2 \/ m1 = m2 \/ was_sent_before m2 m1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message),
  UMO_reachable P s
  → m1 ∈ sentMessages s
    → m2 ∈ sentMessages s
      → was_sent_before m1 m2
        ∨ m1 = m2 ∨ was_sent_before m2 m1
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
∀ (s : State) (m1 m2 : Message),
  UMO_reachable P s
  → m1 ∈ sentMessages s
    → m2 ∈ sentMessages s
      → was_sent_before m1 m2
        ∨ m1 = m2 ∨ was_sent_before m2 m1
  intros s m1 m2 Hvsp Hin1 Hin2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvsp: UMO_reachable P s
Hin1: m1 ∈ sentMessages s
Hin2: m2 ∈ sentMessages s
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1
  apply elem_of_sentMessages in Hin1, Hin2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvsp: UMO_reachable P s
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1
  assert (Hvsp1 : UMO_reachable P (state m1))
    by (eapply elem_of_UMO_reachable_obs_Send_UMO_reachable; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvsp: UMO_reachable P s
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp1: UMO_reachable P (state m1)
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1
  assert (Hvsp2 : UMO_reachable P (state m2))
    by (eapply elem_of_UMO_reachable_obs_Send_UMO_reachable; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvsp: UMO_reachable P s
Hin1: MkObservation Send m1 ∈ obs s
Hin2: MkObservation Send m2 ∈ obs s
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1
  destruct (elem_of_UMO_reachable_obs_Send_split_2 P s m1 m2 Hin1 Hin2)
    as [Heq | (obs1 & obs2 & [-> | ->])]; [done | | |]; clear Hin1 Hin2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvsp: UMO_reachable P s
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
Heq: m1 = m2
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m1 <+> MkObservation Send m1 <++> obs1 <+>
   MkObservation Send m2 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m2 <+> MkObservation Send m2 <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
s: State
m1, m2: Message
Hvsp: UMO_reachable P s
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
Heq: m1 = m2
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1 by right; left.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m1 <+> MkObservation Send m1 <++> obs1 <+>
   MkObservation Send m2 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1 left.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m1 <+> MkObservation Send m1 <++> obs1 <+>
   MkObservation Send m2 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
was_sent_before m1 m2
    rewrite was_sent_before_characterization_2; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m1 <+> MkObservation Send m1 <++> obs1 <+>
   MkObservation Send m2 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m2 <+> MkObservation Send m2)
    apply UMO_reachable_addObservations_inv,
          UMO_reachable_addObservation_inv_Send_state in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: state m1 <+> MkObservation Send m1 <++> obs1 =
state m2
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m2 <+> MkObservation Send m2)
    rewrite <- Hvsp, addObservation_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: state m1 <+> MkObservation Send m1 <++> obs1 =
state m2
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
state_suffix (state m1 <+> MkObservation Send m1)
  (state m1 <+> MkObservation Send m1 <++>
   (MkObservation Send m2 :: obs1))
    by apply state_suffix_addObservations; inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m2 <+> MkObservation Send m2 <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
was_sent_before m1 m2
∨ m1 = m2 ∨ was_sent_before m2 m1 right; right.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m2 <+> MkObservation Send m2 <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
was_sent_before m2 m1
    rewrite was_sent_before_characterization_2; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: UMO_reachable P
  (state m2 <+> MkObservation Send m2 <++> obs1 <+>
   MkObservation Send m1 <++> obs2)
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
state_suffix (state m2 <+> MkObservation Send m2)
  (state m1 <+> MkObservation Send m1)
    apply UMO_reachable_addObservations_inv,
          UMO_reachable_addObservation_inv_Send_state in Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: state m2 <+> MkObservation Send m2 <++> obs1 =
state m1
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
state_suffix (state m2 <+> MkObservation Send m2)
  (state m1 <+> MkObservation Send m1)
    rewrite <- Hvsp, addObservation_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
i: Address
Ui:= UMO_component i: VLSM Message
P: State → Message → Prop
m1, m2: Message
obs1, obs2: list Observation
Hvsp: state m2 <+> MkObservation Send m2 <++> obs1 =
state m1
Hvsp1: UMO_reachable P (state m1)
Hvsp2: UMO_reachable P (state m2)
state_suffix (state m2 <+> MkObservation Send m2)
  (state m2 <+> MkObservation Send m2 <++>
   (MkObservation Send m1 :: obs1))
    by apply state_suffix_addObservations; inversion 1.
Qed.

Messages m1 and m2 are sent_comparable when m1 = m2 or was_sent_before m1 m2 or was_sent_before m2 m1.

Inductive sent_comparable : Message -> Message -> Prop :=
| sc_refl  : forall m : Message, sent_comparable m m
| sc_wsb_l : forall m1 m2 : Message, was_sent_before m1 m2 -> sent_comparable m1 m2
| sc_wsb_r : forall m1 m2 : Message, was_sent_before m2 m1 -> sent_comparable m1 m2.

Messages m1 and m2 are incomparable if they have the same sender and are not sent_comparable.

Note that incomparable is not simply a negation of sent_comparable, so that there can be messages which are neither sent_comparable nor incomparable.

Definition incomparable (m1 m2 : Message) : Prop :=
  adr (state m1) = adr (state m2) /\ ~ sent_comparable m1 m2.

End sec_UMO_component_lemmas.

#[export] Instance sent_comparable_sym : Symmetric sent_comparable.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
Symmetric sent_comparable
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
Symmetric sent_comparable by intros x y []; constructor. Defined.

#[export] Instance sent_comparable_dec : RelDecision sent_comparable.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
RelDecision sent_comparable
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
RelDecision sent_comparable
  intros m1 m2.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m1, m2: Message
Decision (sent_comparable m1 m2)
  destruct (decide (adr (state m1) = adr (state m2)));
    [| by right; destruct 1; apply n; firstorder congruence].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m1, m2: Message
e: adr (state m1) = adr (state m2)
Decision (sent_comparable m1 m2)
  destruct (decide (obs (state m1) = obs (state m2)));
    [by left; replace m2 with m1 by (apply eq_Message; done); constructor |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m1, m2: Message
e: adr (state m1) = adr (state m2)
n: obs (state m1) ≠ obs (state m2)
Decision (sent_comparable m1 m2)
  destruct (decide (m1 ∈ sentMessages (state m2)));
    [by left; constructor; constructor |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m1, m2: Message
e: adr (state m1) = adr (state m2)
n: obs (state m1) ≠ obs (state m2)
n0: m1 ∉ sentMessages (state m2)
Decision (sent_comparable m1 m2)
  destruct (decide (m2 ∈ sentMessages (state m1)));
    [by left; constructor; constructor |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
m1, m2: Message
e: adr (state m1) = adr (state m2)
n: obs (state m1) ≠ obs (state m2)
n0: m1 ∉ sentMessages (state m2)
n1: m2 ∉ sentMessages (state m1)
Decision (sent_comparable m1 m2)
  by right; destruct 1; firstorder.
Defined.

#[export] Instance incomparable_sym : Symmetric incomparable.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
Symmetric incomparable
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
Symmetric incomparable by intros x y []; constructor. Defined.

Section sec_UMOProtocol.

Context
  (index : Type)
  `{finite.Finite index}
  (idx : index -> Address)
  `{!Inj (=) (=) idx}
  (U : index -> VLSM Message := fun i => UMO_component (idx i))
  .

Protocol

The UMO protocol is a free composition of finitely many UMO components.

Definition UMO : VLSM Message := free_composite_vlsm U.

We set up aliases for some functions operating on free VLSM composition.

Definition UMO_state : Type := composite_state U.
Definition UMO_label : Type := composite_label U.
Definition UMO_transition_item : Type := composite_transition_item U.

We can lift labels, states and traces from an UMO component to the UMO protocol.

Definition lift_to_UMO_label
  (i : index) (li : VLSM.label (U i)) : UMO_label :=
    lift_to_composite_label U i li.

Definition lift_to_UMO_state
  (us : UMO_state) (i : index) (si : VLSM.state (U i)) : UMO_state :=
    lift_to_composite_state U us i si.

Definition lift_to_UMO_trace
  (us : UMO_state) (i : index) (tr : list (transition_item (U i)))
  : list UMO_transition_item :=
    pre_VLSM_embedding_finite_trace_project
      _ _ (lift_to_UMO_label i) (lift_to_UMO_state us i) tr.

We can also lift properties from UMO components to the UMO protocol, among them valid_state_prop, valid_message_prop, input_valid_transition and the various kinds of traces.

Lemma lift_to_UMO :
  forall (us : UMO_state) (Hus : valid_state_prop UMO us) (i : index),
    VLSM_weak_embedding (U i) UMO (lift_to_UMO_label i) (lift_to_UMO_state us i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ us : UMO_state,
  valid_state_prop UMO us
  → ∀ i : index,
      VLSM_weak_embedding (U i) UMO
        (lift_to_UMO_label i) (lift_to_UMO_state us i)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ us : UMO_state,
  valid_state_prop UMO us
  → ∀ i : index,
      VLSM_weak_embedding (U i) UMO
        (lift_to_UMO_label i) (lift_to_UMO_state us i) by intros; apply lift_to_free_weak_embedding. Qed.

Lemma lift_to_UMO_valid_state_prop :
  forall (i : index) (s : State) (us : UMO_state),
    valid_state_prop UMO us -> valid_state_prop (U i) s ->
      valid_state_prop UMO (lift_to_UMO_state us i s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s : State) (us : UMO_state),
  valid_state_prop UMO us
  → valid_state_prop (U i) s
    → valid_state_prop UMO (lift_to_UMO_state us i s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s : State) (us : UMO_state),
  valid_state_prop UMO us
  → valid_state_prop (U i) s
    → valid_state_prop UMO (lift_to_UMO_state us i s)
  intros is s us Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
is: index
s: State
us: UMO_state
Hvsp: valid_state_prop UMO us
valid_state_prop (U is) s
→ valid_state_prop UMO (lift_to_UMO_state us is s)
  by eapply VLSM_weak_embedding_valid_state, lift_to_UMO.
Qed.

Lemma lift_to_UMO_valid_message_prop :
  forall (i : index) (om : option Message),
    option_valid_message_prop (U i) om ->
      option_valid_message_prop UMO om.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (om : option Message),
  option_valid_message_prop (U i) om
  → option_valid_message_prop UMO om
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (om : option Message),
  option_valid_message_prop (U i) om
  → option_valid_message_prop UMO om
  intros i [] Hovmp; cycle 1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
Hovmp: option_valid_message_prop (U i) None
option_valid_message_prop UMO None
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
option_valid_message_prop UMO (Some m)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
Hovmp: option_valid_message_prop (U i) None
option_valid_message_prop UMO None exists (fun i => MkState [] (idx i)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
Hovmp: option_valid_message_prop (U i) None
valid_state_message_prop UMO
  (λ i : index, MkState [] (idx i)) None by constructor; compute.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
option_valid_message_prop UMO (Some m) eapply VLSM_weak_embedding_valid_message.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
VLSM_weak_embedding ?X UMO ?label_project
  ?state_project
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
strong_embedding_initial_message_preservation ?X UMO
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
valid_message_prop ?X m
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
VLSM_weak_embedding ?X UMO ?label_project
  ?state_project by apply (lift_to_UMO (fun i => MkState [] (idx i))); exists None; constructor.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
strong_embedding_initial_message_preservation (U ?i)
  UMO by inversion 1.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
m: Message
Hovmp: option_valid_message_prop (U i) (Some m)
valid_message_prop (U ?i) m by apply Hovmp.
Qed.

Lemma lift_to_UMO_input_valid_transition :
  forall (i : index) (lbl : Label) (s1 s2 : State) (iom oom : option Message) (us : UMO_state),
    valid_state_prop UMO us ->
    input_valid_transition (U i) lbl (s1, iom) (s2, oom) ->
      input_valid_transition UMO
        (lift_to_UMO_label i lbl)
        (lift_to_UMO_state us i s1, iom)
        (lift_to_UMO_state us i s2, oom).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (lbl : Label) (s1 s2 : State) (iom
                                             oom : 
                                             option
                                               Message) 
  (us : UMO_state),
  valid_state_prop UMO us
  → input_valid_transition (U i) lbl (s1, iom)
      (s2, oom)
    → input_valid_transition UMO
        (lift_to_UMO_label i lbl)
        (lift_to_UMO_state us i s1, iom)
        (lift_to_UMO_state us i s2, oom)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (lbl : Label) (s1 s2 : State) (iom
                                             oom : 
                                             option
                                               Message) 
  (us : UMO_state),
  valid_state_prop UMO us
  → input_valid_transition (U i) lbl (s1, iom)
      (s2, oom)
    → input_valid_transition UMO
        (lift_to_UMO_label i lbl)
        (lift_to_UMO_state us i s1, iom)
        (lift_to_UMO_state us i s2, oom)
  intros i lbl s1 s2 iom oom us Hivt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
lbl: Label
s1, s2: State
iom, oom: option Message
us: UMO_state
Hivt: valid_state_prop UMO us
input_valid_transition (U i) lbl (s1, iom) (s2, oom)
→ input_valid_transition UMO (lift_to_UMO_label i lbl)
    (lift_to_UMO_state us i s1, iom)
    (lift_to_UMO_state us i s2, oom)
  by apply @VLSM_weak_embedding_input_valid_transition, lift_to_UMO.
Qed.

Lemma lift_to_UMO_finite_valid_trace_from_to :
  forall (i : index) (s1 s2 : State) (tr : list (transition_item (U i))) (us : UMO_state),
    valid_state_prop UMO us ->
    finite_valid_trace_from_to (U i) s1 s2 tr ->
      finite_valid_trace_from_to
        UMO (lift_to_UMO_state us i s1) (lift_to_UMO_state us i s2) (lift_to_UMO_trace us i tr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s1 s2 : State) (tr : list
                                      transition_item) 
  (us : UMO_state),
  valid_state_prop UMO us
  → finite_valid_trace_from_to (U i) s1 s2 tr
    → finite_valid_trace_from_to UMO
        (lift_to_UMO_state us i s1)
        (lift_to_UMO_state us i s2)
        (lift_to_UMO_trace us i tr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s1 s2 : State) (tr : list
                                      transition_item) 
  (us : UMO_state),
  valid_state_prop UMO us
  → finite_valid_trace_from_to (U i) s1 s2 tr
    → finite_valid_trace_from_to UMO
        (lift_to_UMO_state us i s1)
        (lift_to_UMO_state us i s2)
        (lift_to_UMO_trace us i tr)
  intros i s1 s2 tr us Hvsp Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
s1, s2: State
tr: list transition_item
us: UMO_state
Hvsp: valid_state_prop UMO us
Hfvt: finite_valid_trace_from_to (U i) s1 s2 tr
finite_valid_trace_from_to UMO
  (lift_to_UMO_state us i s1)
  (lift_to_UMO_state us i s2)
  (lift_to_UMO_trace us i tr)
  by eapply (VLSM_weak_embedding_finite_valid_trace_from_to (lift_to_UMO _ Hvsp i)).
Qed.

Lemma lift_to_UMO_finite_constrained_trace_from_to :
  forall (i : index) (s1 s2 : State) (tr : list (transition_item (U i))) (us : UMO_state),
    constrained_state_prop UMO us ->
    finite_constrained_trace_from_to (U i) s1 s2 tr ->
      finite_constrained_trace_from_to UMO
        (lift_to_UMO_state us i s1) (lift_to_UMO_state us i s2) (lift_to_UMO_trace us i tr).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s1 s2 : State) (tr : list
                                      transition_item) 
  (us : UMO_state),
  constrained_state_prop UMO us
  → finite_constrained_trace_from_to (U i) s1 s2 tr
    → finite_constrained_trace_from_to UMO
        (lift_to_UMO_state us i s1)
        (lift_to_UMO_state us i s2)
        (lift_to_UMO_trace us i tr)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s1 s2 : State) (tr : list
                                      transition_item) 
  (us : UMO_state),
  constrained_state_prop UMO us
  → finite_constrained_trace_from_to (U i) s1 s2 tr
    → finite_constrained_trace_from_to UMO
        (lift_to_UMO_state us i s1)
        (lift_to_UMO_state us i s2)
        (lift_to_UMO_trace us i tr)
  intros i s1 s2 tr us Hvsp Hfvt.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
s1, s2: State
tr: list transition_item
us: UMO_state
Hvsp: constrained_state_prop UMO us
Hfvt: finite_constrained_trace_from_to (U i) s1 s2 tr
finite_constrained_trace_from_to UMO
  (lift_to_UMO_state us i s1)
  (lift_to_UMO_state us i s2)
  (lift_to_UMO_trace us i tr)
  unshelve eapply (@VLSM_weak_embedding_finite_valid_trace_from_to _
    (preloaded_with_all_messages_vlsm (U i))
    (preloaded_with_all_messages_vlsm UMO) _ _); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
s1, s2: State
tr: list transition_item
us: UMO_state
Hvsp: constrained_state_prop UMO us
Hfvt: finite_constrained_trace_from_to (U i) s1 s2 tr
VLSM_weak_embedding
  (preloaded_with_all_messages_vlsm (U i))
  (preloaded_with_all_messages_vlsm UMO)
  (lift_to_UMO_label i) (lift_to_UMO_state us i)
  by eapply lift_to_preloaded_free_weak_embedding.
Qed.

Lemma lift_to_UMO_constrained_state_prop :
  forall (i : index) (s : State) (us : UMO_state),
    constrained_state_prop UMO us ->
    constrained_state_prop (U i) s ->
    constrained_state_prop UMO (lift_to_UMO_state us i s).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s : State) (us : UMO_state),
  constrained_state_prop UMO us
  → constrained_state_prop (U i) s
    → constrained_state_prop UMO
        (lift_to_UMO_state us i s)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s : State) (us : UMO_state),
  constrained_state_prop UMO us
  → constrained_state_prop (U i) s
    → constrained_state_prop UMO
        (lift_to_UMO_state us i s)
  unfold constrained_state_prop.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (i : index) (s : State) (us : UMO_state),
  valid_state_prop
    (preloaded_with_all_messages_vlsm UMO) us
  → valid_state_prop
      (preloaded_with_all_messages_vlsm (U i)) s
    → valid_state_prop
        (preloaded_with_all_messages_vlsm UMO)
        (lift_to_UMO_state us i s)
  intros is s us Hcsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
is: index
s: State
us: UMO_state
Hcsp: valid_state_prop
  (preloaded_with_all_messages_vlsm UMO) us
valid_state_prop
  (preloaded_with_all_messages_vlsm (U is)) s
→ valid_state_prop
    (preloaded_with_all_messages_vlsm UMO)
    (lift_to_UMO_state us is s)
  by eapply VLSM_weak_embedding_valid_state, lift_to_preloaded_free_weak_embedding.
Qed.

Every state in a UMO component gives rise to a unique trace leading to this state, which we can then lift to the UMO protocol.

Definition UMO_component_state2trace
  (s : UMO_state) (i : index) : list UMO_transition_item :=
    lift_to_UMO_trace s i (state2trace (s i)).

Iterating UMO_component_state2trace shows that every reachable UMO state contains a trace that leads to this state. However, this trace is not unique, because we can concatenate the lifted traces in any order.

Fixpoint UMO_state2trace_aux
  (us : UMO_state) (is : list index) : list UMO_transition_item :=
  match is with
  | [] => []
  | i :: is' =>
    UMO_state2trace_aux (state_update _ us i (MkState [] (idx i))) is' ++
    UMO_component_state2trace us i
  end.

Definition UMO_state2trace
  (us : UMO_state) : list UMO_transition_item :=
    UMO_state2trace_aux us (enum index).

Lemma finite_constrained_trace_init_to_UMO_state2trace :
  forall us : UMO_state,
    constrained_state_prop UMO us ->
      finite_constrained_trace_init_to UMO (``(vs0 UMO)) us (UMO_state2trace us).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ us : UMO_state,
  constrained_state_prop UMO us
  → finite_constrained_trace_init_to UMO (`(vs0 UMO))
      us (UMO_state2trace us)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ us : UMO_state,
  constrained_state_prop UMO us
  → finite_constrained_trace_init_to UMO (`(vs0 UMO))
      us (UMO_state2trace us)
  intros us Hvsp; split; [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO) (`(vs0 UMO))
  us (UMO_state2trace us)
  unfold UMO_state2trace.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO) (`(vs0 UMO))
  us (UMO_state2trace_aux us (enum index))
  assert (Hall : forall i, i ∉ enum index -> us i = MkState [] (idx i))
      by (intros i Hin; contradict Hin; apply elem_of_enum).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hvsp: constrained_state_prop UMO us
Hall: ∀ i : index,
  i ∉ enum index → us i = MkState [] (idx i)
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO) (`(vs0 UMO))
  us (UMO_state2trace_aux us (enum index))
  revert us Hall Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ us : UMO_state,
  (∀ i : index,
     i ∉ enum index → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us (enum index))
  generalize (enum index) as is.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (is : list index) (us : UMO_state),
  (∀ i : index, i ∉ is → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us (UMO_state2trace_aux us is)
  induction is as [| i is']; cbn; intros us Hall Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hall: ∀ i : index, i ∉ [] → us i = MkState [] (idx i)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n)) us []
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n)) us
  (UMO_state2trace_aux
     (state_update U us i (MkState [] (idx i))) is' ++
   UMO_component_state2trace us i)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hall: ∀ i : index, i ∉ [] → us i = MkState [] (idx i)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n)) us [] replace us with (fun n : index => MkState [] (idx n)).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hall: ∀ i : index, i ∉ [] → us i = MkState [] (idx i)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n))
  (λ n : index, MkState [] (idx n)) []
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hall: ∀ i : index, i ∉ [] → us i = MkState [] (idx i)
Hvsp: constrained_state_prop UMO us
(λ n : index, MkState [] (idx n)) = us
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hall: ∀ i : index, i ∉ [] → us i = MkState [] (idx i)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n))
  (λ n : index, MkState [] (idx n)) [] by constructor; apply initial_state_is_valid; compute.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hall: ∀ i : index, i ∉ [] → us i = MkState [] (idx i)
Hvsp: constrained_state_prop UMO us
(λ n : index, MkState [] (idx n)) = us extensionality i; rewrite Hall; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hall: ∀ i : index, i ∉ [] → us i = MkState [] (idx i)
Hvsp: constrained_state_prop UMO us
i: index
i ∉ []
      by apply not_elem_of_nil.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n)) us
  (UMO_state2trace_aux
     (state_update U us i (MkState [] (idx i))) is' ++
   UMO_component_state2trace us i) eapply finite_valid_trace_from_to_app.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n)) ?m
  (UMO_state2trace_aux
     (state_update U us i (MkState [] (idx i))) is')
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO) 
  ?m us (UMO_component_state2trace us i)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (λ n : index, MkState [] (idx n)) ?m
  (UMO_state2trace_aux
     (state_update U us i (MkState [] (idx i))) is') apply IHis'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
∀ i0 : index,
  i0 ∉ is'
  → state_update U us i (MkState [] (idx i)) i0 =
    MkState [] (idx i0)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
constrained_state_prop UMO
  (state_update U us i (MkState [] (idx i)))
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
∀ i0 : index,
  i0 ∉ is'
  → state_update U us i (MkState [] (idx i)) i0 =
    MkState [] (idx i0) intros j Hj.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
j: index
Hj: j ∉ is'
state_update U us i (MkState [] (idx i)) j =
MkState [] (idx j) destruct (decide (i = j)); subst; state_update_simpl; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
j: index
Hj: j ∉ is'
n: i ≠ j
us j = MkState [] (idx j)
        apply Hall.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
j: index
Hj: j ∉ is'
n: i ≠ j
j ∉ i :: is' rewrite elem_of_cons.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
j: index
Hj: j ∉ is'
n: i ≠ j
¬ (j = i ∨ j ∈ is') by intros [].
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
constrained_state_prop UMO
  (state_update U us i (MkState [] (idx i))) by apply pre_composite_free_update_state_with_initial.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (state_update U us i (MkState [] (idx i))) us
  (UMO_component_state2trace us i) replace us with (state_update U us i (us i)) at 2 by (state_update_simpl; done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm UMO)
  (state_update U us i (MkState [] (idx i)))
  (state_update U us i (us i))
  (UMO_component_state2trace us i)
      apply lift_to_UMO_finite_constrained_trace_from_to; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
finite_constrained_trace_from_to (U i)
  (MkState [] (idx i)) (us i) (state2trace (us i))
      apply (composite_constrained_state_project _ us i) in Hvsp as Hvsp'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
Hvsp': constrained_state_prop (U i) (us i)
finite_constrained_trace_from_to (U i)
  (MkState [] (idx i)) (us i) (state2trace (us i))
      apply valid_state_has_trace in Hvsp' as (s & tr & [Hfvt Hinit]).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
s: VLSM.state
  (preloaded_with_all_messages_vlsm (U i))
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (U i)) s
  (us i) tr
Hinit: initial_state_prop s
finite_constrained_trace_from_to (U i)
  (MkState [] (idx i)) (us i) (state2trace (us i))
      replace s with (MkState [] (idx i)) in *; cycle 1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
s: VLSM.state
  (preloaded_with_all_messages_vlsm (U i))
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (U i)) s
  (us i) tr
Hinit: initial_state_prop s
MkState [] (idx i) = s
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
s: VLSM.state
  (preloaded_with_all_messages_vlsm (U i))
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (U i))
  (MkState [] (idx i)) 
  (us i) tr
Hinit: initial_state_prop (MkState [] (idx i))
finite_constrained_trace_from_to 
  (U i) (MkState [] (idx i)) 
  (us i) (state2trace (us i))
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
s: VLSM.state
  (preloaded_with_all_messages_vlsm (U i))
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (U i)) s
  (us i) tr
Hinit: initial_state_prop s
MkState [] (idx i) = s by inversion Hinit; destruct s; cbn in *; subst.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i: index
is': list index
IHis': ∀ us : UMO_state,
  (∀ i : index,
     i ∉ is' → us i = MkState [] (idx i))
  → constrained_state_prop UMO us
    → finite_valid_trace_from_to
        (preloaded_with_all_messages_vlsm UMO)
        (`(vs0 UMO)) us
        (UMO_state2trace_aux us is')
us: UMO_state
Hall: ∀ i0 : index,
  i0 ∉ i :: is' → us i0 = MkState [] (idx i0)
Hvsp: constrained_state_prop UMO us
s: VLSM.state
  (preloaded_with_all_messages_vlsm (U i))
tr: list transition_item
Hfvt: finite_valid_trace_from_to
  (preloaded_with_all_messages_vlsm (U i))
  (MkState [] (idx i)) 
  (us i) tr
Hinit: initial_state_prop (MkState [] (idx i))
finite_constrained_trace_from_to (U i)
  (MkState [] (idx i)) (us i) (state2trace (us i)) by eapply finite_constrained_trace_init_to_state2trace.
Qed.

It turns out that finite_constrained_trace_init_to_UMO_state2trace also holds for valid states.

Lemma finite_valid_trace_from_to_UMO_state2trace :
  forall us : UMO_state,
    valid_state_prop UMO us ->
      finite_valid_trace_init_to UMO (``(vs0 UMO)) us (UMO_state2trace us).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ us : UMO_state,
  valid_state_prop UMO us
  → finite_valid_trace_init_to UMO (`(vs0 UMO)) us
      (UMO_state2trace us)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ us : UMO_state,
  valid_state_prop UMO us
  → finite_valid_trace_init_to UMO (`(vs0 UMO)) us
      (UMO_state2trace us)
  intros us Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hvsp: valid_state_prop UMO us
finite_valid_trace_init_to UMO (`(vs0 UMO)) us
  (UMO_state2trace us)
  apply all_pre_traces_to_valid_state_are_valid_free; [typeclasses eauto | done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hvsp: valid_state_prop UMO us
finite_constrained_trace_init_to
  (free_composite_vlsm U) (`(vs0 UMO)) us
  (UMO_state2trace us)
  apply finite_constrained_trace_init_to_UMO_state2trace.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hvsp: valid_state_prop UMO us
constrained_state_prop UMO us
  eapply (@VLSM_incl_valid_state _ UMO UMO); [| done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
Hvsp: valid_state_prop UMO us
VLSM_incl_part UMO
  (preloaded_vlsm_machine UMO (λ _ : Message, True))
  by apply vlsm_incl_preloaded_with_all_messages_vlsm.
Qed.

Fixpoint UMO_obs_aux (us : UMO_state) (is : list index) : list Observation :=
  match is with
  | [] => []
  | i :: is' => UMO_obs_aux (state_update _ us i (MkState [] (idx i))) is' ++ obs (us i)
  end.

Definition UMO_obs (us : UMO_state) : list Observation :=
  UMO_obs_aux us (enum index).

Fixpoint UMO_sentMessages_aux (us : UMO_state) (is : list index) : set Message :=
  match is with
  | [] => []
  | i :: is' =>
    UMO_sentMessages_aux (state_update _ us i (MkState [] (idx i))) is' ++ sentMessages (us i)
  end.

Definition UMO_sentMessages (us : UMO_state) : set Message :=
  UMO_sentMessages_aux us (enum index).

Fixpoint UMO_receivedMessages_aux (us : UMO_state) (is : list index) : set Message :=
  match is with
  | [] => []
  | i :: is' =>
    UMO_receivedMessages_aux (state_update _ us i (MkState [] (idx i))) is' ++ receivedMessages (us i)
  end.

Definition UMO_receivedMessages (us : UMO_state) : set Message :=
  UMO_receivedMessages_aux us (enum index).

Fixpoint UMO_messages_aux (us : UMO_state) (is : list index) : set Message :=
  match is with
  | [] => []
  | i :: is' =>
    UMO_messages_aux (state_update _ us i (MkState [] (idx i))) is' ++ messages (us i)
  end.

Definition UMO_messages (us : UMO_state) : set Message :=
  UMO_messages_aux us (enum index).

Lemma constrained_state_prop_state_update_init :
  forall (us : UMO_state) (i : index),
    constrained_state_prop UMO us ->
      constrained_state_prop UMO (state_update U us i (MkState [] (idx i))).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (us : UMO_state) (i : index),
  constrained_state_prop UMO us
  → constrained_state_prop UMO
      (state_update U us i (MkState [] (idx i)))
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (us : UMO_state) (i : index),
  constrained_state_prop UMO us
  → constrained_state_prop UMO
      (state_update U us i (MkState [] (idx i)))
  intros us i Hvsp.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
i: index
Hvsp: constrained_state_prop UMO us
constrained_state_prop UMO
  (state_update U us i (MkState [] (idx i)))
  by apply pre_composite_free_update_state_with_initial.
Qed.

Lemma elem_of_UMO_sentMessages :
  forall (us : UMO_state) (m : Message) (i : index),
    constrained_state_prop UMO us -> idx i = adr (state m) ->
      m ∈ UMO_sentMessages us <-> m ∈ sentMessages (us i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (us : UMO_state) (m : Message) (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → m ∈ UMO_sentMessages us
      ↔ m ∈ sentMessages (us i)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (us : UMO_state) (m : Message) (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → m ∈ UMO_sentMessages us
      ↔ m ∈ sentMessages (us i)
  intros us m i Hvsp Hidx.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
m: Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
m ∈ UMO_sentMessages us ↔ m ∈ sentMessages (us i)
  assert (Hall : forall i, i ∉ enum index -> us i = MkState [] (idx i))
    by (intros j Hin; contradict Hin; apply elem_of_enum).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
m: Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ enum index → us i = MkState [] (idx i)
m ∈ UMO_sentMessages us ↔ m ∈ sentMessages (us i)
  revert us m i Hvsp Hidx Hall.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (us : UMO_state) (m : Message) (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ enum index → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages us
        ↔ m ∈ sentMessages (us i)
  unfold UMO_sentMessages; generalize (enum index) as is.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (is : list index) (us : UMO_state) (m : Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is
        ↔ m ∈ sentMessages (us i)
  induction is as [| i' is']; intros; [by rewrite Hall; [| apply not_elem_of_nil] |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : Message) (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
m ∈ UMO_sentMessages_aux us (i' :: is')
↔ m ∈ sentMessages (us i)
  cbn in *; unfold State, Observation, Message in *; rewrite elem_of_app.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is'
∨ m ∈ sentMessages (us i') ↔ m ∈ sentMessages (us i)
  assert (Hvsp' :
    forall j, constrained_state_prop (UMO_component (idx j)) (us j))
    by (intro j; apply (preloaded_valid_state_projection _ _ _ Hvsp); done).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is'
∨ m ∈ sentMessages (us i') ↔ m ∈ sentMessages (us i)
  split; cycle 1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
m ∈ sentMessages (us i)
→ m
  ∈ UMO_sentMessages_aux
      (state_update U us i' (MkState [] (idx i'))) is'
  ∨ m ∈ sentMessages (us i')
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is'
∨ m ∈ sentMessages (us i') → 
m ∈ sentMessages (us i)
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
m ∈ sentMessages (us i)
→ m
  ∈ UMO_sentMessages_aux
      (state_update U us i' (MkState [] (idx i'))) is'
  ∨ m ∈ sentMessages (us i') intros Hin.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is'
∨ m ∈ sentMessages (us i')
    destruct (decide (i = i')); subst; [by right |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is'
∨ m ∈ sentMessages (us i')
    left.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is' unfold Message, State, Observation in *; cbn.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is'
    rewrite (IHis' (state_update U us i' (MkState [] (idx i'))) m i).Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
m
∈ sentMessages
    (state_update U us i' (MkState [] (idx i')) i)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
constrained_state_prop UMO
  (state_update U us i' (MkState [] (idx i')))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
idx i = adr (state m)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
∀ i : index,
  i ∉ is'
  → state_update U us i' (MkState [] (idx i')) i =
    MkState [] (idx i)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
m
∈ sentMessages
    (state_update U us i' (MkState [] (idx i')) i) by state_update_simpl.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
constrained_state_prop UMO
  (state_update U us i' (MkState [] (idx i'))) by apply constrained_state_prop_state_update_init.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
idx i = adr (state m) erewrite adr_of_sentMessages, adr_of_constrained_state; [done | .. | done].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
constrained_state_prop (UMO_component (adr (state m)))
  (us i)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
UMO_reachable ?P (us i)
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
constrained_state_prop (UMO_component (adr (state m)))
  (us i) by rewrite <- Hidx; apply Hvsp'.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
UMO_reachable ?P (us i) by eapply UMO_reachable_constrained_state_prop, Hvsp'.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
∀ i : index,
  i ∉ is'
  → state_update U us i' (MkState [] (idx i')) i =
    MkState [] (idx i) intros j Hnin.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
j: index
Hnin: j ∉ is'
state_update U us i' (MkState [] (idx i')) j =
MkState [] (idx j) destruct (decide (i' = j)); subst.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
j: index
Hall: ∀ i : index,
  i ∉ j :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ j
Hnin: j ∉ is'
state_update U us j (MkState [] (idx j)) j =
MkState [] (idx j)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
j: index
Hnin: j ∉ is'
n0: i' ≠ j
state_update U us i' (MkState [] (idx i')) j =
MkState [] (idx j)
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
j: index
Hall: ∀ i : index,
  i ∉ j :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ j
Hnin: j ∉ is'
state_update U us j (MkState [] (idx j)) j =
MkState [] (idx j) by state_update_simpl.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i)
n: i ≠ i'
j: index
Hnin: j ∉ is'
n0: i' ≠ j
state_update U us i' (MkState [] (idx i')) j =
MkState [] (idx j) by state_update_simpl; apply Hall; inversion 1.
  -Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i'))) is'
∨ m ∈ sentMessages (us i') → m ∈ sentMessages (us i) intros [Hin | Hin]; cycle 1.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i')
m ∈ sentMessages (us i)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
m ∈ sentMessages (us i)
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i')
m ∈ sentMessages (us i) eapply adr_of_sentMessages in Hin as Hin';
        [| by eapply UMO_reachable_constrained_state_prop, Hvsp'].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i')
Hin': adr (state m) = adr (us i')
m ∈ sentMessages (us i)
      erewrite Hin', adr_of_constrained_state in Hidx by apply Hvsp'.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m ∈ sentMessages (us i')
Hin': adr (state m) = adr (us i')
Hidx: idx i = idx i'
m ∈ sentMessages (us i)
      by apply Inj0 in Hidx; subst.
    +Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
m ∈ sentMessages (us i) rewrite (IHis' _ _ i) in Hin; [| | done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ sentMessages
    (state_update U us i' 
       (MkState [] (idx i')) i)
m ∈ sentMessages (us i)
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
constrained_state_prop UMO
  (state_update U us i' (MkState [] (idx i')))
Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
∀ i : index,
  i ∉ is'
  → state_update U us i' (MkState [] (idx i')) i =
    MkState [] (idx i)
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ sentMessages
    (state_update U us i' 
       (MkState [] (idx i')) i)
m ∈ sentMessages (us i) by destruct (decide (i = i')); subst; state_update_simpl; [inversion Hin |].
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
constrained_state_prop UMO
  (state_update U us i' (MkState [] (idx i'))) by apply constrained_state_prop_state_update_init.
      *Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
∀ i : index,
  i ∉ is'
  → state_update U us i' (MkState [] (idx i')) i =
    MkState [] (idx i) intros j Hnin.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
j: index
Hnin: j ∉ is'
state_update U us i' (MkState [] (idx i')) j =
MkState [] (idx j) destruct (decide (i' = j)); subst; state_update_simpl; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM BaseELMO.Message
i': index
is': list index
IHis': ∀ (us : UMO_state) (m : BaseELMO.Message) 
  (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → (∀ i0 : index,
         i0 ∉ is'
         → us i0 = MkState [] (idx i0))
      → m ∈ UMO_sentMessages_aux us is'
        ↔ m ∈ sentMessages (us i)
us: UMO_state
m: BaseELMO.Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
Hall: ∀ i : index,
  i ∉ i' :: is' → us i = MkState [] (idx i)
Hvsp': ∀ j : index,
  constrained_state_prop
    (UMO_component (idx j)) 
    (us j)
Hin: m
∈ UMO_sentMessages_aux
    (state_update U us i' (MkState [] (idx i')))
    is'
j: index
Hnin: j ∉ is'
n: i' ≠ j
us j = MkState [] (idx j)
        by apply Hall; inversion 1.
Qed.

Lemma UMO_sentMessages_characterization :
  forall (us : UMO_state) (m : Message) (i : index),
    constrained_state_prop UMO us -> idx i = adr (state m) ->
      m ∈ UMO_sentMessages us
        <->
      let s' := state m <+> MkObservation Send m in
        state_suffix s' (us i) \/ s' = us i.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (us : UMO_state) (m : Message) (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → m ∈ UMO_sentMessages us
      ↔ (let s' := state m <+> MkObservation Send m in
         state_suffix s' (us i) ∨ s' = us i)
Proof.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
∀ (us : UMO_state) (m : Message) (i : index),
  constrained_state_prop UMO us
  → idx i = adr (state m)
    → m ∈ UMO_sentMessages us
      ↔ (let s' := state m <+> MkObservation Send m in
         state_suffix s' (us i) ∨ s' = us i)
  intros us m i Hvsp Hidx.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
m: Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
m ∈ UMO_sentMessages us
↔ (let s' := state m <+> MkObservation Send m in
   state_suffix s' (us i) ∨ s' = us i)
  rewrite elem_of_UMO_sentMessages by done.Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
m: Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
m ∈ sentMessages (us i)
↔ (let s' := state m <+> MkObservation Send m in
   state_suffix s' (us i) ∨ s' = us i)
  rewrite <- sentMessages_characterization; [done |].Address: Type
EqDecision0: EqDecision Address
State:= BaseELMO.State: Type
Observation:= BaseELMO.Observation: Type
Message:= BaseELMO.Message: Type
index: Type
EqDecision1: EqDecision index
H: finite.Finite index
idx: index → Address
Inj0: Inj eq eq idx
U:= λ i : index, UMO_component (idx i): index → VLSM Message
us: UMO_state
m: Message
i: index
Hvsp: constrained_state_prop UMO us
Hidx: idx i = adr (state m)
UMO_reachable ?Goal (us i)
  by apply @UMO_reachable_constrained_state_prop with (idx i),
    (preloaded_valid_state_projection _ _ _ Hvsp).
Qed.

End sec_UMOProtocol.

End sec_UMO.

Arguments UMO_reachable_ind' [Address]%type_scope (C P Hinit Hextend)%function_scope s Hs.