From VLSM.Lib Require Import Itauto.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
[Loading ML file coq-itauto.plugin ... done]
From stdpp Require Import prelude finite fin_sets fin_maps nmap.
From Coq Require Import Streams FunctionalExtensionality Eqdep_dec.
From VLSM.Lib Require Import Preamble ListExtras FinSetExtras.
From VLSM.Core Require Import VLSM Plans VLSMProjections Composition Equivocation.
From VLSM.Core.Equivocation Require Import NoEquivocation.
From VLSM.Examples Require Import Voting.

Create HintDb list_simpl discriminated.
#[export] Hint Rewrite or_False @elem_of_cons @elem_of_nil @elem_of_app : list_simpl.

Ltac simpl_elem_of_list := rewrite_strat any (topdown (hints list_simpl)).
Ltac simpl_elem_of_list_in H := rewrite_strat any (topdown (hints list_simpl)) in H.

Paxos: A Basic Paxos Protocol

This protocol maintains safety in the presence of message loss, but may not be safe for Byzantine failures.

As in the voting specification, consensus is established by votes from a quorum of acceptor nodes. In addition to acceptor nodes this protocol also has a leader process for each ballot.

In an implementation leader nodes are often selected from among the same computers hosting acceptors, but such colocation is not visible at the protocol level so we just let the leaders be indexed by ballot number.

Represent a set that contains either all values in a type, or just a finite subset.

This is sufficient for representing the set of values that are still possible candidates for the consensus choice.

Variant AllOrFin VSet : Type :=
| any_value
| some_values (vs : VSet).

Arguments any_value   {VSet}.
Arguments some_values [VSet] vs.

#[export] Instance elem_of_all_or_fin `{ElemOf V VSet} : ElemOf V (AllOrFin VSet) :=
  fun v fv =>
  match fv with
  | any_value => True
  | some_values vs => v ∈ vs
  end.

#[export] Instance AllOrFin_eq_dec `{EqDecision VSet} : EqDecision (AllOrFin VSet).VSet: Type
EqDecision0: EqDecision VSet
EqDecision (AllOrFin VSet)
Proof.VSet: Type
EqDecision0: EqDecision VSet
EqDecision (AllOrFin VSet)
  intros [| xs] [| ys]; [by unfold Decision; auto.. |].VSet: Type
EqDecision0: EqDecision VSet
xs, ys: VSet
Decision (some_values xs = some_values ys)
  by destruct (decide_rel eq xs ys); [left | right]; congruence.
Defined.

Section sec_paxos_spec.

Context
  `{FinSet Value VSet}
  `{EqDecision VSet}
  {VSDec : RelDecision (∈@{VSet})}
  `{FinMap Acceptor AMap}
  `{!finite.Finite Acceptor}
  .

Notation ASet := (mapset.mapset AMap).

#[export] Instance ASet_Dom {A:Type} : Dom (AMap A) ASet := mapset.mapset_dom.
#[export] Instance AMap_FinMapDom : fin_map_dom.FinMapDom Acceptor AMap ASet :=
  mapset.mapset_dom_spec.

Context
  (Quorum : ASet -> Prop)
  (QDec : forall Q, Decision (Quorum Q))
  (QClosed : Proper (subseteq ==> impl) Quorum)
  (QA : forall (Q1 Q2 : sig Quorum), exists a, a ∈ `Q1 ∩ `Q2)
  .

Inductive paxos_message_body : Type :=
| m_1a
| m_1b (a : Acceptor) (last_vote : option (Ballot * Value))
| m_1c (safe_v : AllOrFin VSet)
| m_2a (v : Value)
| m_2b (a : Acceptor) (v : Value).

Definition paxos_message : Type := Ballot * paxos_message_body.

#[export] Instance paxos_message_eq_dec : EqDecision paxos_message.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
EqDecision paxos_message
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
EqDecision paxos_message
  assert (EqDecision (option (Ballot * Value))) by typeclasses eauto.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
X: EqDecision (option (Ballot * Value))
EqDecision paxos_message
  assert (EqDecision (AllOrFin VSet)) by typeclasses eauto.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
X: EqDecision (option (Ballot * Value))
X0: EqDecision (AllOrFin VSet)
EqDecision paxos_message
  intros m1 m2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
X: EqDecision (option (Ballot * Value))
X0: EqDecision (AllOrFin VSet)
m1, m2: paxos_message
Decision (m1 = m2)
  refine (prod_eq_dec _ _).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
X: EqDecision (option (Ballot * Value))
X0: EqDecision (AllOrFin VSet)
m1, m2: paxos_message
EqDecision paxos_message_body
  unfold EqDecision, Decision in *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: ∀ x y : Value, {x = y} + {x ≠ y}
H6: FinSet Value VSet
EqDecision1: ∀ x y : VSet, {x = y} + {x ≠ y}
VSDec: ∀ (x : Value) (y : VSet), {x ∈ y} + {x ∉ y}
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: ∀ x y : Acceptor, {x = y} + {x ≠ y}
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, {Quorum Q} + {¬ Quorum Q}
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
X: ∀ x y : option (Ballot * Value), {x = y} + {x ≠ y}
X0: ∀ x y : AllOrFin VSet, {x = y} + {x ≠ y}
m1, m2: paxos_message
∀ x y : paxos_message_body, {x = y} + {x ≠ y}
  decide equality.
Qed.

A 1a message for a ballot b is sent by the leader of b to announce the ballot. An acceptor receiving a 1a message for a ballot greater than maxBal increases maxBal to b and replies with a 1b message with their identitity and the ballot number, carrying their current maxVBal and maxVVal. When the leader has received 1b messages for their ballot from a quorum it determines a set of values safe at b and sends a 1c message (None means all values are safe at b). The leader then also sends a 2a message for some value which it approved in the 1c message (this finishes the participation of the leader) An acceptor receiving a 2a message for a ballot >= their current maxBal sets maxBal and maxVBal to b, maxVVal to the given value, and sends a 2b message for their identitity and the given ballot and value.

Section sec_paxos_acceptor_vlsm.

Context
  (self : Acceptor)
  .

Record paxos_acceptor_state :=
{
  paxos_maxBal : Ballot';
  lastVote : option (Ballot * Value);
  sent_messages : list paxos_message;
}.

Definition maxVBal (sa : paxos_acceptor_state) : Ballot' := fst <$> lastVote sa.
Definition maxVVal (sa : paxos_acceptor_state) : option Value := snd <$> lastVote sa.

Definition paxos_acceptor_initial : paxos_acceptor_state :=
{|
  paxos_maxBal := None;
  lastVote := None;
  sent_messages := [];
|}.

Inductive paxos_acceptor_label : Type :=
| A_send_1b
| A_send_2b.

Definition paxos_acceptor_type : VLSMType paxos_message :=
{|
  state := paxos_acceptor_state;
  label := paxos_acceptor_label;
|}.

Definition paxos_acceptor_valid :
 paxos_acceptor_label -> paxos_acceptor_state * option paxos_message -> Prop :=
  fun l som =>
    match l, som with
    | A_send_1b, (s, Some (b, m_1a)) => (paxos_maxBal s < b)%Z
    | A_send_2b, (s, Some (b, m_2a v)) => (paxos_maxBal s <= b)%Z
    | _, _ => False
    end.

Definition paxos_acceptor_transition
  (l : paxos_acceptor_label) (som : paxos_acceptor_state * option paxos_message)
  : paxos_acceptor_state * option paxos_message :=
  match l, som with
  | A_send_1b, (s, Some (b, m_1a)) =>
      let reply := (b, m_1b self (lastVote s)) in
      ({| paxos_maxBal := Some b; lastVote := lastVote s;
          sent_messages := reply :: sent_messages s; |},
        Some reply)
  | A_send_2b, (s, Some (b, m_2a v)) =>
      let reply := (b, m_2b self v) in
      ({| paxos_maxBal := Some b; lastVote := Some (b, v);
          sent_messages := reply::sent_messages s|},
        Some reply)
  | _, _ => (som.1, None) (* illegal inputs *)
  end.

Definition paxos_acceptor_machine : VLSMMachine paxos_acceptor_type :=
{|
  initial_state_prop := (.= paxos_acceptor_initial);
  s0 := populate (exist _ paxos_acceptor_initial eq_refl);
  initial_message_prop := (fun _ => False);
  valid := paxos_acceptor_valid;
  transition := paxos_acceptor_transition;
|}.

Definition paxos_acceptor_vlsm : VLSM paxos_message := mk_vlsm paxos_acceptor_machine.

Definition paxos_acceptor_has_been_sent
  (s : state paxos_acceptor_vlsm) (m : paxos_message) : Prop :=
    m ∈ sent_messages s.

#[export] Instance paxos_acceptor_has_been_sent_dec :
  RelDecision paxos_acceptor_has_been_sent :=
  fun s m => elem_of_list_dec m (sent_messages s).

Lemma paxos_acceptor_has_been_sent_stepwise_props :
  has_been_sent_stepwise_prop paxos_acceptor_has_been_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
has_been_sent_stepwise_prop
  paxos_acceptor_has_been_sent
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
has_been_sent_stepwise_prop
  paxos_acceptor_has_been_sent
  constructor.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
∀ s : state paxos_acceptor_vlsm,
  initial_state_prop s
  → ∀ m : paxos_message,
      ¬ paxos_acceptor_has_been_sent s m
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_acceptor_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_acceptor_vlsm)) 
  (im : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_acceptor_vlsm)) 
  (om : option paxos_message),
  input_constrained_transition paxos_acceptor_vlsm l
    (s, im) (s', om)
  → ∀ msg : paxos_message,
      paxos_acceptor_has_been_sent s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ paxos_acceptor_has_been_sent s msg
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
∀ s : state paxos_acceptor_vlsm,
  initial_state_prop s
  → ∀ m : paxos_message,
      ¬ paxos_acceptor_has_been_sent s m intros s Hs m.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
s: state paxos_acceptor_vlsm
Hs: initial_state_prop s
m: paxos_message
¬ paxos_acceptor_has_been_sent s m
    unfold paxos_acceptor_has_been_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
s: state paxos_acceptor_vlsm
Hs: initial_state_prop s
m: paxos_message
m ∉ sent_messages s
    simpl in Hs; subst s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
m: paxos_message
m ∉ sent_messages paxos_acceptor_initial
    by apply not_elem_of_nil.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_acceptor_vlsm)) (s : state
                                         (preloaded_with_all_messages_vlsm
                                            paxos_acceptor_vlsm)) 
  (im : option paxos_message) (s' : state
                                      (preloaded_with_all_messages_vlsm
                                         paxos_acceptor_vlsm)) 
  (om : option paxos_message),
  input_constrained_transition paxos_acceptor_vlsm l
    (s, im) (s', om)
  → ∀ msg : paxos_message,
      paxos_acceptor_has_been_sent s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ paxos_acceptor_has_been_sent s msg intros l s im s' om Htrans msg.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Htrans: input_constrained_transition
  paxos_acceptor_vlsm l (
  s, im) (s', om)
msg: paxos_message
paxos_acceptor_has_been_sent s' msg
↔ field_selector output msg
    {|
      l := l;
      input := im;
      destination := s';
      output := om
    |} ∨ paxos_acceptor_has_been_sent s msg
    simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Htrans: input_constrained_transition
  paxos_acceptor_vlsm l (
  s, im) (s', om)
msg: paxos_message
paxos_acceptor_has_been_sent s' msg
↔ om = Some msg ∨ paxos_acceptor_has_been_sent s msg
    enough (H_hist : sent_messages s' =
      match om with Some m' => m' :: sent_messages s | None => sent_messages s end).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Htrans: input_constrained_transition
  paxos_acceptor_vlsm l (
  s, im) (s', om)
msg: paxos_message
H_hist: sent_messages s' =
match om with
| Some m' => m' :: sent_messages s
| None => sent_messages s
end
paxos_acceptor_has_been_sent s' msg
↔ om = Some msg ∨ paxos_acceptor_has_been_sent s msg
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Htrans: input_constrained_transition
  paxos_acceptor_vlsm l (
  s, im) (s', om)
msg: paxos_message
sent_messages s' =
match om with
| Some m' => m' :: sent_messages s
| None => sent_messages s
end
    {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Htrans: input_constrained_transition
  paxos_acceptor_vlsm l (
  s, im) (s', om)
msg: paxos_message
H_hist: sent_messages s' =
match om with
| Some m' => m' :: sent_messages s
| None => sent_messages s
end
paxos_acceptor_has_been_sent s' msg
↔ om = Some msg ∨ paxos_acceptor_has_been_sent s msg
      unfold paxos_acceptor_has_been_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Htrans: input_constrained_transition
  paxos_acceptor_vlsm l (
  s, im) (s', om)
msg: paxos_message
H_hist: sent_messages s' =
match om with
| Some m' => m' :: sent_messages s
| None => sent_messages s
end
msg ∈ sent_messages s'
↔ om = Some msg ∨ msg ∈ sent_messages s
      destruct om; rewrite H_hist, ?elem_of_cons; itauto congruence.
    }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Htrans: input_constrained_transition
  paxos_acceptor_vlsm l (
  s, im) (s', om)
msg: paxos_message
sent_messages s' =
match om with
| Some m' => m' :: sent_messages s
| None => sent_messages s
end
    destruct Htrans as [(_ & _ & Hvalid) Htran].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Hvalid: valid l (s, im)
Htran: transition l (s, im) = (s', om)
msg: paxos_message
sent_messages s' =
match om with
| Some m' => m' :: sent_messages s
| None => sent_messages s
end
    change transition with paxos_acceptor_transition in Htran.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
s: state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     paxos_acceptor_vlsm)
om: option paxos_message
Hvalid: valid l (s, im)
Htran: paxos_acceptor_transition l (s, im) = (s', om)
msg: paxos_message
sent_messages s' =
match om with
| Some m' => m' :: sent_messages s
| None => sent_messages s
end
    by destruct l, im as [[? []] |]; simpl in Htran; inversion Htran.
Qed.

#[export] Instance paxos_acceptor_has_been_sent_inst :
  HasBeenSentCapability paxos_acceptor_vlsm :=
{|
  has_been_sent := paxos_acceptor_has_been_sent;
  has_been_sent_dec := paxos_acceptor_has_been_sent_dec;
  has_been_sent_stepwise_props := paxos_acceptor_has_been_sent_stepwise_props;
|}.

End sec_paxos_acceptor_vlsm.

Section sec_paxos_acceptor_vlsm_lem.

Lemma examine_paxos_acceptor_output :
  forall [a l s oim s' ob om],
    paxos_acceptor_transition a l (s, oim) = (s', Some (ob, om)) ->
    match om with
    | m_1b a' _ => l = A_send_1b /\ a' = a
    | m_2b a' _ => l = A_send_2b /\ a' = a
    | _ => False
    end.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : paxos_acceptor_label) (s : paxos_acceptor_state) 
  (oim : option paxos_message) (s' : paxos_acceptor_state) 
  (ob : Ballot) (om : paxos_message_body),
  paxos_acceptor_transition a l (s, oim) =
  (s', Some (ob, om))
  → match om with
    | m_1b a' _ => l = A_send_1b ∧ a' = a
    | m_2b a' _ => l = A_send_2b ∧ a' = a
    | _ => False
    end
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : paxos_acceptor_label) (s : paxos_acceptor_state) 
  (oim : option paxos_message) (s' : paxos_acceptor_state) 
  (ob : Ballot) (om : paxos_message_body),
  paxos_acceptor_transition a l (s, oim) =
  (s', Some (ob, om))
  → match om with
    | m_1b a' _ => l = A_send_1b ∧ a' = a
    | m_2b a' _ => l = A_send_2b ∧ a' = a
    | _ => False
    end
  by intros a [] s [[? []] |] * Ht; inversion Ht.
Qed.

Lemma paxos_maxBal_mono :
  forall a l s im s' om,
    input_constrained_transition (paxos_acceptor_vlsm a) l (s, im) (s', om) ->
    (paxos_maxBal s <= paxos_maxBal s')%Z.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : label
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (im : option
                                              paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))) (om : option
                                               paxos_message),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, im) (s', om)
  → (paxos_maxBal s ≤ paxos_maxBal s')%Z
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : label
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (im : option
                                              paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))) (om : option
                                               paxos_message),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, im) (s', om)
  → (paxos_maxBal s ≤ paxos_maxBal s')%Z
  intros * [(_ & _ & Hvalid) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Hvalid: valid l (s, im)
Htrans: transition l (s, im) = (s', om)
(paxos_maxBal s ≤ paxos_maxBal s')%Z
  cbn in Hvalid, Htrans;
    unfold paxos_acceptor_valid, paxos_acceptor_transition in Hvalid, Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Hvalid: match l with
| A_send_1b =>
    match im with
    | Some (b, m_1a) =>
        (paxos_maxBal s < b)%Z
    | Some (b, m_1b _ _) | 
      Some (b, m_1c _) | 
      Some (b, m_2a _) |
      Some (b, m_2b _ _) => False
    | None => False
    end
| A_send_2b =>
    match im with
    | Some (b, m_2a _) =>
        (paxos_maxBal s ≤ b)%Z
    | Some (b, m_1a) | Some (b, m_1b _ _) |
      Some (b, m_1c _) |
      Some (b, m_2b _ _) => False
    | None => False
    end
end
Htrans: match l with
| A_send_1b =>
    match im with
    | Some (b, m_1a) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := lastVote s;
           sent_messages :=
             (b, m_1b a (lastVote s))
             :: sent_messages s
         |}, Some (b, m_1b a (lastVote s)))
    | Some (b, m_1b _ _) | 
      Some (b, m_1c _) | 
      Some (b, m_2a _) |
      Some (b, m_2b _ _) => (
        (s, im).1, None)
    | None => ((s, im).1, None)
    end
| A_send_2b =>
    match im with
    | Some (b, m_2a v) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := Some (b, v);
           sent_messages :=
             (b, m_2b a v) :: sent_messages s
         |}, Some (b, m_2b a v))
    | Some (b, m_1a) | Some (b, m_1b _ _) |
      Some (b, m_1c _) |
      Some (b, m_2b _ _) => (
        (s, im).1, None)
    | None => ((s, im).1, None)
    end
end = (s', om)
(paxos_maxBal s ≤ paxos_maxBal s')%Z
  by repeat case_match; injection Htrans as [= <- <-]; cbn -[Ballot'_to_Z];
    change (Ballot'_to_Z (Some ?b)) with (Ballot_to_Z b); lia.
Qed.

Lemma last_vote_was_sent :
  forall a s,
    constrained_state_prop (paxos_acceptor_vlsm a) s ->
    forall lv,
      lastVote s = Some lv -> has_been_sent (paxos_acceptor_vlsm a) s (lv.1, m_2b a lv.2).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → ∀ lv : Ballot * Value,
      lastVote s = Some lv
      → has_been_sent (paxos_acceptor_vlsm a) s
          (lv.1, m_2b a lv.2)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → ∀ lv : Ballot * Value,
      lastVote s = Some lv
      → has_been_sent (paxos_acceptor_vlsm a) s
          (lv.1, m_2b a lv.2)
  intros a s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
  induction Hs using valid_state_prop_ind; intros lv Hlv;
    [by rewrite Hs in Hlv |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s, om) (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
has_been_sent (paxos_acceptor_vlsm a) s'
  (lv.1, m_2b a lv.2)
  rewrite has_been_sent_step_update with (1 := Ht).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s, om) (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ has_been_sent (paxos_acceptor_vlsm a) s
    (lv.1, m_2b a lv.2)
  cut (om' = Some (lv.1, m_2b a lv.2) \/ lastVote s = lastVote s').Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s, om) (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
→ om' = Some (lv.1, m_2b a lv.2)
  ∨ has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s, om) (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s, om) (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
→ om' = Some (lv.1, m_2b a lv.2)
  ∨ has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
    intros []; [by left |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s, om) (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
H16: lastVote s = lastVote s'
om' = Some (lv.1, m_2b a lv.2)
∨ has_been_sent (paxos_acceptor_vlsm a) s
    (lv.1, m_2b a lv.2)
    by right; apply IHHs; congruence.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s, om) (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
  destruct Ht as [_ Ht].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: transition l (s, om) = (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
  change transition with (paxos_acceptor_transition a) in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: paxos_acceptor_transition a l (s, om) = (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → has_been_sent (paxos_acceptor_vlsm a) s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
  destruct l; cbn in Ht, IHHs |- *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: match om with
| Some (b, m_1a) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := lastVote s;
       sent_messages :=
         (b, m_1b a (lastVote s))
         :: sent_messages s
     |}, Some (b, m_1b a (lastVote s)))
| Some (b, m_1b _ _) | Some (b, m_1c _) |
  Some (b, m_2a _) | Some (b, m_2b _ _) =>
    (s, None)
| None => (s, None)
end = (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: match om with
| Some (b, m_2a v) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := Some (b, v);
       sent_messages :=
         (b, m_2b a v) :: sent_messages s
     |}, Some (b, m_2b a v))
| Some (b, m_1a) | Some (b, m_1b _ _) |
  Some (b, m_1c _) | Some (b, m_2b _ _) =>
    (s, None)
| None => (s, None)
end = (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s'
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: match om with
| Some (b, m_1a) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := lastVote s;
       sent_messages :=
         (b, m_1b a (lastVote s))
         :: sent_messages s
     |}, Some (b, m_1b a (lastVote s)))
| Some (b, m_1b _ _) | Some (b, m_1c _) |
  Some (b, m_2a _) | Some (b, m_2b _ _) =>
    (s, None)
| None => (s, None)
end = (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s' right.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: match om with
| Some (b, m_1a) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := lastVote s;
       sent_messages :=
         (b, m_1b a (lastVote s))
         :: sent_messages s
     |}, Some (b, m_1b a (lastVote s)))
| Some (b, m_1b _ _) | Some (b, m_1c _) |
  Some (b, m_2a _) | Some (b, m_2b _ _) =>
    (s, None)
| None => (s, None)
end = (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
lastVote s = lastVote s'
    apply (f_equal fst) in Ht; simpl in Ht; subst s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote
  match om with
  | Some (b, m_1a) =>
      ({|
         paxos_maxBal := Some b;
         lastVote := lastVote s;
         sent_messages :=
           (b, m_1b a (lastVote s))
           :: sent_messages s
       |}, Some (b, m_1b a (lastVote s)))
  | Some (b, m_1b _ _) | 
    Some (b, m_1c _) | Some (b, m_2a _) |
    Some (b, m_2b _ _) => (
      s, None)
  | None => (s, None)
  end.1 = Some lv
lastVote s =
lastVote
  match om with
  | Some (b, m_1a) =>
      ({|
         paxos_maxBal := Some b;
         lastVote := lastVote s;
         sent_messages :=
           (b, m_1b a (lastVote s)) :: sent_messages s
       |}, Some (b, m_1b a (lastVote s)))
  | Some (b, m_1b _ _) | Some (b, m_1c _) |
    Some (b, m_2a _) | Some (b, m_2b _ _) => (s, None)
  | None => (s, None)
  end.1
    by destruct om as [[? []] |]; simpl.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: match om with
| Some (b, m_2a v) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := Some (b, v);
       sent_messages :=
         (b, m_2b a v) :: sent_messages s
     |}, Some (b, m_2b a v))
| Some (b, m_1a) | Some (b, m_1b _ _) |
  Some (b, m_1c _) | Some (b, m_2b _ _) =>
    (s, None)
| None => (s, None)
end = (s', om')
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
lv: (Ballot * Value)%type
Hlv: lastVote s' = Some lv
om' = Some (lv.1, m_2b a lv.2)
∨ lastVote s = lastVote s' destruct lv as [b_lv v_lv], om as [[? []]|]; simpl in *;
      injection Ht as [= <- <-]; try (by right); [].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
s: paxos_acceptor_state
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
b_lv: Ballot
v_lv: Value
Hlv: lastVote
  {|
    paxos_maxBal := Some b;
    lastVote := Some (b, v);
    sent_messages :=
      (b, m_2b a v) :: sent_messages s
  |} = Some (b_lv, v_lv)
Some (b, m_2b a v) = Some (b_lv, m_2b a v_lv)
∨ lastVote s =
  lastVote
    {|
      paxos_maxBal := Some b;
      lastVote := Some (b, v);
      sent_messages :=
        (b, m_2b a v) :: sent_messages s
    |}
    left; simpl in Hlv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
s: paxos_acceptor_state
IHHs: ∀ lv : Ballot * Value,
  lastVote s = Some lv
  → paxos_acceptor_has_been_sent a s
      (lv.1, m_2b a lv.2)
b_lv: Ballot
v_lv: Value
Hlv: Some (b, v) = Some (b_lv, v_lv)
Some (b, m_2b a v) = Some (b_lv, m_2b a v_lv)
    by congruence.
Qed.

Lemma paxos_acceptor_sent_bounds_maxBal :
  forall a s,
    constrained_state_prop (paxos_acceptor_vlsm a) s ->
  forall b mb,
    has_been_sent (paxos_acceptor_vlsm a) s (b, mb) ->
    (b <= paxos_maxBal s)%Z.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → ∀ (b : Ballot) (mb : paxos_message_body),
      has_been_sent (paxos_acceptor_vlsm a) s (b, mb)
      → (b ≤ paxos_maxBal s)%Z
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → ∀ (b : Ballot) (mb : paxos_message_body),
      has_been_sent (paxos_acceptor_vlsm a) s (b, mb)
      → (b ≤ paxos_maxBal s)%Z
  intros a s Hs b mb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b: Ballot
mb: paxos_message_body
has_been_sent (paxos_acceptor_vlsm a) s (b, mb)
→ (b ≤ paxos_maxBal s)%Z
  apply (from_send_to_from_sent_argument
    (paxos_acceptor_vlsm a) (fun s => b <= paxos_maxBal s)%Z); [.. | done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b: Ballot
mb: paxos_message_body
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (l : label
                                             (preloaded_with_all_messages_vlsm
                                                (paxos_acceptor_vlsm
                                                 a))) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          (paxos_acceptor_vlsm
                                             a))) 
  (oom : option paxos_message),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, oim) (s', oom)
  → (b ≤ paxos_maxBal s)%Z → (b ≤ paxos_maxBal s')%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b: Ballot
mb: paxos_message_body
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) 
  (l : label
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))),
  input_constrained_transition 
    (paxos_acceptor_vlsm a) l (
    s, oim) (s', Some (b, mb))
  → (b ≤ paxos_maxBal s')%Z
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b: Ballot
mb: paxos_message_body
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (l : label
                                             (preloaded_with_all_messages_vlsm
                                                (paxos_acceptor_vlsm
                                                 a))) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          (paxos_acceptor_vlsm
                                             a))) 
  (oom : option paxos_message),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, oim) (s', oom)
  → (b ≤ paxos_maxBal s)%Z → (b ≤ paxos_maxBal s')%Z by intros * Ht; apply paxos_maxBal_mono in Ht; lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b: Ballot
mb: paxos_message_body
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (l : label
                                             (preloaded_with_all_messages_vlsm
                                                (paxos_acceptor_vlsm
                                                 a))) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          (paxos_acceptor_vlsm
                                             a))),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, oim) (s', Some (b, mb))
  → (b ≤ paxos_maxBal s')%Z intros * [_ Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b: Ballot
mb: paxos_message_body
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Htrans: transition l (s0, oim) = (s', Some (b, mb))
(b ≤ paxos_maxBal s')%Z
    cbn in Htrans; unfold paxos_acceptor_transition in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b: Ballot
mb: paxos_message_body
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Htrans: match l with
| A_send_1b =>
    match oim with
    | Some (b, m_1a) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := lastVote s0;
           sent_messages :=
             (b, m_1b a (lastVote s0))
             :: sent_messages s0
         |}, Some (b, m_1b a (lastVote s0)))
    | Some (b, m_1b _ _) | 
      Some (b, m_1c _) | 
      Some (b, m_2a _) |
      Some (b, m_2b _ _) =>
        ((s0, oim).1, None)
    | None => ((s0, oim).1, None)
    end
| A_send_2b =>
    match oim with
    | Some (b, m_2a v) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := Some (b, v);
           sent_messages :=
             (b, m_2b a v)
             :: sent_messages s0
         |}, Some (b, m_2b a v))
    | Some (b, m_1a) | Some (b, m_1b _ _) |
      Some (b, m_1c _) |
      Some (b, m_2b _ _) =>
        ((s0, oim).1, None)
    | None => ((s0, oim).1, None)
    end
end = (s', Some (b, mb))
(b ≤ paxos_maxBal s')%Z
    by repeat case_match; inversion Htrans.
Qed.

Lemma maxVBal_le_paxos_maxBal :
  forall a s,
    constrained_state_prop (paxos_acceptor_vlsm a) s ->
      (maxVBal s <= paxos_maxBal s)%Z.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → (maxVBal s ≤ paxos_maxBal s)%Z
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → (maxVBal s ≤ paxos_maxBal s)%Z
  intros a s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
(maxVBal s ≤ paxos_maxBal s)%Z
  unfold maxVBal.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
(fst <$> lastVote s ≤ paxos_maxBal s)%Z
  destruct (lastVote s) as [[b_lv v_lv] |] eqn: Heq; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b_lv: Ballot
v_lv: Value
Heq: lastVote s = Some (b_lv, v_lv)
(Z.of_N b_lv ≤ paxos_maxBal s)%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
Heq: lastVote s = None
(-1 ≤ paxos_maxBal s)%Z
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b_lv: Ballot
v_lv: Value
Heq: lastVote s = Some (b_lv, v_lv)
(Z.of_N b_lv ≤ paxos_maxBal s)%Z eapply paxos_acceptor_sent_bounds_maxBal; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
b_lv: Ballot
v_lv: Value
Heq: lastVote s = Some (b_lv, v_lv)
has_been_sent (paxos_acceptor_vlsm a) s (b_lv, ?mb)
    by apply (last_vote_was_sent a s Hs _ Heq).
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hs: constrained_state_prop (paxos_acceptor_vlsm a) s
Heq: lastVote s = None
(-1 ≤ paxos_maxBal s)%Z by destruct (paxos_maxBal s); simpl; lia.
Qed.

Lemma maxVBal_mono :
  forall a l s im s' om,
    input_constrained_transition (paxos_acceptor_vlsm a) l (s, im) (s', om) ->
    (maxVBal s <= maxVBal s')%Z.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : label
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (im : option
                                              paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))) (om : option
                                               paxos_message),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, im) (s', om) → (maxVBal s ≤ maxVBal s')%Z
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : label
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (im : option
                                              paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))) (om : option
                                               paxos_message),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, im) (s', om) → (maxVBal s ≤ maxVBal s')%Z
  intros * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l (
  s, im) (s', om)
(maxVBal s ≤ maxVBal s')%Z
  destruct Ht as [(Hs & _ & Hvalid) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Hvalid: valid l (s, im)
Htrans: transition l (s, im) = (s', om)
(maxVBal s ≤ maxVBal s')%Z
  cbn in Hvalid, Htrans; unfold paxos_acceptor_valid, paxos_acceptor_transition in Hvalid, Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Hvalid: match l with
| A_send_1b =>
    match im with
    | Some (b, m_1a) =>
        (paxos_maxBal s < b)%Z
    | Some (b, m_1b _ _) | 
      Some (b, m_1c _) | 
      Some (b, m_2a _) |
      Some (b, m_2b _ _) => False
    | None => False
    end
| A_send_2b =>
    match im with
    | Some (b, m_2a _) =>
        (paxos_maxBal s ≤ b)%Z
    | Some (b, m_1a) | Some (b, m_1b _ _) |
      Some (b, m_1c _) |
      Some (b, m_2b _ _) => False
    | None => False
    end
end
Htrans: match l with
| A_send_1b =>
    match im with
    | Some (b, m_1a) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := lastVote s;
           sent_messages :=
             (b, m_1b a (lastVote s))
             :: sent_messages s
         |}, Some (b, m_1b a (lastVote s)))
    | Some (b, m_1b _ _) | 
      Some (b, m_1c _) | 
      Some (b, m_2a _) |
      Some (b, m_2b _ _) => (
        (s, im).1, None)
    | None => ((s, im).1, None)
    end
| A_send_2b =>
    match im with
    | Some (b, m_2a v) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := Some (b, v);
           sent_messages :=
             (b, m_2b a v) :: sent_messages s
         |}, Some (b, m_2b a v))
    | Some (b, m_1a) | Some (b, m_1b _ _) |
      Some (b, m_1c _) |
      Some (b, m_2b _ _) => (
        (s, im).1, None)
    | None => ((s, im).1, None)
    end
end = (s', om)
(maxVBal s ≤ maxVBal s')%Z
  repeat case_match; inversion Htrans; cbn; try done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
H16: l = A_send_2b
p: paxos_message
b: Ballot
p0: paxos_message_body
v: Value
H19: p0 = m_2a v
H18: p = (b, m_2a v)
H17: im = Some (b, m_2a v)
Hvalid: (paxos_maxBal s ≤ b)%Z
Htrans: ({|
   paxos_maxBal := Some b;
   lastVote := Some (b, v);
   sent_messages :=
     (b, m_2b a v) :: sent_messages s
 |}, Some (b, m_2b a v)) = (
s', om)
H21: {|
  paxos_maxBal := Some b;
  lastVote := Some (b, v);
  sent_messages :=
    (b, m_2b a v) :: sent_messages s
|} = s'
H22: Some (b, m_2b a v) = om
(maxVBal s ≤ Z.of_N b)%Z
  by transitivity (paxos_maxBal s); [apply maxVBal_le_paxos_maxBal |].
Qed.

Lemma sent_vote_le_maxVBal :
  forall a s,
    constrained_state_prop (paxos_acceptor_vlsm a) s ->
  forall b v,
    has_been_sent (paxos_acceptor_vlsm a) s (b, m_2b a v) ->
    (b <= maxVBal s)%Z.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → ∀ (b : Ballot) (v : Value),
      has_been_sent (paxos_acceptor_vlsm a) s
        (b, m_2b a v) → (b ≤ maxVBal s)%Z
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (s : state
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → ∀ (b : Ballot) (v : Value),
      has_been_sent (paxos_acceptor_vlsm a) s
        (b, m_2b a v) → (b ≤ maxVBal s)%Z
  intros a s Hs b v; revert s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
∀ s : state
        (preloaded_with_all_messages_vlsm
           (paxos_acceptor_vlsm a)),
  constrained_state_prop (paxos_acceptor_vlsm a) s
  → has_been_sent (paxos_acceptor_vlsm a) s
      (b, m_2b a v) → (b ≤ maxVBal s)%Z
  apply (from_send_to_from_sent_argument (paxos_acceptor_vlsm a) (fun s => b <= maxVBal s)%Z);
    intros * Ht; [by apply maxVBal_mono in Ht; lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l (
  s, oim) (s', Some (b, m_2b a v))
(b ≤ maxVBal s')%Z
  destruct Ht as [_ Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Htrans: transition l (s, oim) =
(s', Some (b, m_2b a v))
(b ≤ maxVBal s')%Z
  destruct (examine_paxos_acceptor_output Htrans) as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Htrans: transition A_send_2b (s, oim) =
(s', Some (b, m_2b a v))
(b ≤ maxVBal s')%Z
  by cbn in Htrans; repeat case_match; inversion Htrans.
Qed.

Lemma sending_1b_updates_maxBal :
  forall [a l s im s' b lv],
    input_constrained_transition (paxos_acceptor_vlsm a) l (s, im) (s', Some (b, m_1b a lv)) ->
    (paxos_maxBal s < b)%Z /\ (paxos_maxBal s' = Some b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : label
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (im : option
                                              paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))) (b : Ballot) 
  (lv : option (Ballot * Value)),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, im) (s', Some (b, m_1b a lv))
  → (paxos_maxBal s < b)%Z ∧ paxos_maxBal s' = Some b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (a : Acceptor) (l : label
                        (preloaded_with_all_messages_vlsm
                           (paxos_acceptor_vlsm a))) 
  (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (im : option
                                              paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))) (b : Ballot) 
  (lv : option (Ballot * Value)),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, im) (s', Some (b, m_1b a lv))
  → (paxos_maxBal s < b)%Z ∧ paxos_maxBal s' = Some b
  intros * [(_ & _ & Hvalid) Hstep]; cbn in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b: Ballot
lv: option (Ballot * Value)
Hvalid: valid l (s, im)
Hstep: paxos_acceptor_transition a l (s, im) =
(s', Some (b, m_1b a lv))
(paxos_maxBal s < b)%Z ∧ paxos_maxBal s' = Some b
  apply examine_paxos_acceptor_output in Hstep as Hla; destruct Hla as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b: Ballot
lv: option (Ballot * Value)
Hstep: paxos_acceptor_transition a A_send_1b (s, im) =
(s', Some (b, m_1b a lv))
Hvalid: valid A_send_1b (s, im)
(paxos_maxBal s < b)%Z ∧ paxos_maxBal s' = Some b
  by destruct im as [[? []] |]; cbn in s, s', Hvalid; inversion Hstep; subst.
Qed.

End sec_paxos_acceptor_vlsm_lem.

Section sec_leaders_vlsm.

We directly define a VLSM that represents all leaders instead of using composite_vlsm, because composite_vlsm requires a finite index set.

A finite map has entries for ballots whose leader is not in the initial state.

Record ballot_state :=
{
  sent_1a : bool;
  gathered_1b : AMap (option (Ballot * Value));
  sent_1c : list (AllOrFin VSet); (* Some if we have sent any 1c - combine with multiple steps *)
  sent_2a : option Value; (* Some v if we have sent a 2a for v *)
}.

Definition initial_ballot_state : ballot_state :=
{|
  sent_1a := false;
  gathered_1b := ∅;
  sent_1c := [];
  sent_2a := None;
|}.

#[export] Instance ballot_state_empty : Empty ballot_state := initial_ballot_state.

Definition set_sent_1a (sb : ballot_state) : ballot_state :=
{|
  sent_1a := true;
  gathered_1b := gathered_1b sb;
  sent_1c := sent_1c sb;
  sent_2a := sent_2a sb;
|}.

Definition insert_gathered_1b
  (a : Acceptor) (last_vote : option (Ballot * Value)) (sb : ballot_state) : ballot_state :=
{|
  sent_1a := sent_1a sb;
  gathered_1b := <[ a := last_vote ]> (gathered_1b sb);
  sent_1c := sent_1c sb;
  sent_2a := sent_2a sb;
|}.

Definition set_sent_1c (safe_v : AllOrFin VSet) (sb : ballot_state) : ballot_state :=
{|
  sent_1a := sent_1a sb;
  gathered_1b := gathered_1b sb;
  sent_1c := safe_v :: sent_1c sb;
  sent_2a := sent_2a sb;
|}.

Definition set_sent_2a (v : Value) (sb : ballot_state) : ballot_state :=
{|
  sent_1a := sent_1a sb;
  gathered_1b := gathered_1b sb;
  sent_1c := sent_1c sb;
  sent_2a := Some v;
|}.

Definition leaders_state := Bmap ballot_state.

Inductive leader_label : Type :=
| L_send_1a
| L_recv_1b
| L_send_1c (safe_v : AllOrFin VSet)
| L_send_2a (v : Value).

Definition leaders_label : Type := Ballot * leader_label.

Definition leaders_type : VLSMType paxos_message :=
{|
  state := leaders_state;
  label := leaders_label;
|}.

Definition calculate_safe_values
  (b : Ballot) (participants : AMap (option (Ballot * Value))) : AllOrFin VSet :=
  let FreeVoters := dom (filter (fun '(_, lv) => lv = None) participants) in
    if decide (Quorum FreeVoters)
    then any_value
    else
      let VotersFor (v : Value) : ASet :=
        dom (filter (fun '(a,lv) => ((fst <$> lv : Ballot') < b)%Z /\
        snd <$> lv = Some v) participants) in
      let VotedValues : VSet := map_to_set (fun _ v => v) (omap (fmap snd) participants) in
        some_values (filter (fun v => Quorum (VotersFor v ∪ FreeVoters)) VotedValues).

Lemma calculate_safe_values_any_ok  (b : Ballot) (participants : AMap (option (Ballot * Value))) :
  calculate_safe_values b participants = any_value ->
    exists Q : sig Quorum, forall a : Acceptor, a ∈ `Q -> participants !! a = Some None.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
calculate_safe_values b participants = any_value
→ ∃ Q : {x : ASet | Quorum x},
    ∀ a : Acceptor,
      a ∈ `Q → participants !! a = Some None
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
calculate_safe_values b participants = any_value
→ ∃ Q : {x : ASet | Quorum x},
    ∀ a : Acceptor,
      a ∈ `Q → participants !! a = Some None
  unfold calculate_safe_values.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
(if
  decide
    (Quorum
       (dom
          (filter (λ '(_, lv), lv = None) participants)))
 then any_value
 else
  some_values
    (filter
       (λ v : Value,
          Quorum
            (dom
               (filter
                  (λ '(_, lv),
                     (fst <$> lv < b)%Z
                     ∧ snd <$> lv = Some v)
                  participants)
             ∪ dom
                 (filter (λ '(_, lv), lv = None)
                    participants)))
       (map_to_set (λ (_ : Acceptor) (v : Value), v)
          (omap (fmap snd) participants)))) =
any_value
→ ∃ Q : {x : ASet | Quorum x},
    ∀ a : Acceptor,
      a ∈ `Q → participants !! a = Some None
  case_match eqn: Hcheck; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
q: Quorum
  (dom
     (filter (λ '(_, lv), lv = None) participants))
Hcheck: decide
  (Quorum
     (dom
        (filter (λ '(_, lv), lv = None)
           participants))) = 
left q
any_value = any_value
→ ∃ Q : {x : ASet | Quorum x},
    ∀ a : Acceptor,
      a ∈ `Q → participants !! a = Some None
  intros _; exists (exist _ _ q).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
q: Quorum
  (dom
     (filter (λ '(_, lv), lv = None) participants))
Hcheck: decide
  (Quorum
     (dom
        (filter (λ '(_, lv), lv = None)
           participants))) = 
left q
∀ a : Acceptor,
  a
  ∈ `(dom
        (filter (λ '(_, lv), lv = None) participants)
      ↾ q) → participants !! a = Some None
  cbn; intros a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
q: Quorum
  (dom
     (filter (λ '(_, lv), lv = None) participants))
Hcheck: decide
  (Quorum
     (dom
        (filter (λ '(_, lv), lv = None)
           participants))) = 
left q
a: Acceptor
Ha: a
∈ dom
    (filter (λ '(_, lv), lv = None) participants)
participants !! a = Some None
  apply fin_map_dom.elem_of_dom in Ha as [lv Ha].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
q: Quorum
  (dom
     (filter (λ '(_, lv), lv = None) participants))
Hcheck: decide
  (Quorum
     (dom
        (filter (λ '(_, lv), lv = None)
           participants))) = 
left q
a: Acceptor
lv: option (Ballot * Value)
Ha: filter (λ '(_, lv), lv = None) participants !! a =
Some lv
participants !! a = Some None
  by apply map_lookup_filter_Some in Ha as [Ha ->].
Qed.

Lemma calculate_safe_values_some_ok
  (b : Ballot) (participants : AMap (option (Ballot * Value))) (safe_v : VSet) :
  calculate_safe_values b participants = some_values safe_v ->
  forall v : Value, v ∈ safe_v ->
    exists Q : sig Quorum,
    (forall a : Acceptor, a ∈ `Q ->
      (exists (vbal : Ballot), participants !! a = Some (Some (vbal, v)) /\ (vbal < b)%Z)
      \/ participants !! a = Some None)
    /\ exists (a_hist : Acceptor) (lv : option (Ballot * Value)),
         a_hist ∈ `Q /\ participants !! a_hist = Some lv /\ lv <> None.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
safe_v: VSet
calculate_safe_values b participants =
some_values safe_v
→ ∀ v : Value,
    v ∈ safe_v
    → ∃ Q : {x : ASet | Quorum x},
        (∀ a : Acceptor,
           a ∈ `Q
           → (∃ vbal : Ballot,
                participants !! a =
                Some (Some (vbal, v)) ∧ (vbal < b)%Z)
             ∨ participants !! a = Some None)
        ∧ (∃ (a_hist : Acceptor) (lv : option
                                         (Ballot *
                                          Value)),
             a_hist ∈ `Q
             ∧ participants !! a_hist = Some lv
               ∧ lv ≠ None)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
safe_v: VSet
calculate_safe_values b participants =
some_values safe_v
→ ∀ v : Value,
    v ∈ safe_v
    → ∃ Q : {x : ASet | Quorum x},
        (∀ a : Acceptor,
           a ∈ `Q
           → (∃ vbal : Ballot,
                participants !! a =
                Some (Some (vbal, v)) ∧ (vbal < b)%Z)
             ∨ participants !! a = Some None)
        ∧ (∃ (a_hist : Acceptor) (lv : option
                                         (Ballot *
                                          Value)),
             a_hist ∈ `Q
             ∧ participants !! a_hist = Some lv
               ∧ lv ≠ None)
  cbv beta delta[calculate_safe_values].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
safe_v: VSet
(let FreeVoters :=
   dom (filter (λ '(_, lv), lv = None) participants)
   in
 if decide (Quorum FreeVoters)
 then any_value
 else
  let VotersFor :=
    λ v : Value,
      dom
        (filter
           (λ '(_, lv),
              (fst <$> lv < b)%Z ∧ snd <$> lv = Some v)
           participants) in
  let VotedValues :=
    map_to_set (λ (_ : Acceptor) (v : Value), v)
      (omap (fmap snd) participants) in
  some_values
    (filter
       (λ v : Value, Quorum (VotersFor v ∪ FreeVoters))
       VotedValues)) = some_values safe_v
→ ∀ v : Value,
    v ∈ safe_v
    → ∃ Q : {x : ASet | Quorum x},
        (∀ a : Acceptor,
           a ∈ `Q
           → (∃ vbal : Ballot,
                participants !! a =
                Some (Some (vbal, v)) ∧ (vbal < b)%Z)
             ∨ participants !! a = Some None)
        ∧ (∃ (a_hist : Acceptor) (lv : option
                                         (Ballot *
                                          Value)),
             a_hist ∈ `Q
             ∧ participants !! a_hist = Some lv
               ∧ lv ≠ None)
  set (FreeVoters:= dom _).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
safe_v: VSet
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
(let FreeVoters := FreeVoters in
 if decide (Quorum FreeVoters)
 then any_value
 else
  let VotersFor :=
    λ v : Value,
      dom
        (filter
           (λ '(_, lv),
              (fst <$> lv < b)%Z ∧ snd <$> lv = Some v)
           participants) in
  let VotedValues :=
    map_to_set (λ (_ : Acceptor) (v : Value), v)
      (omap (fmap snd) participants) in
  some_values
    (filter
       (λ v : Value, Quorum (VotersFor v ∪ FreeVoters))
       VotedValues)) = some_values safe_v
→ ∀ v : Value,
    v ∈ safe_v
    → ∃ Q : {x : ASet | Quorum x},
        (∀ a : Acceptor,
           a ∈ `Q
           → (∃ vbal : Ballot,
                participants !! a =
                Some (Some (vbal, v)) ∧ (vbal < b)%Z)
             ∨ participants !! a = Some None)
        ∧ (∃ (a_hist : Acceptor) (lv : option
                                         (Ballot *
                                          Value)),
             a_hist ∈ `Q
             ∧ participants !! a_hist = Some lv
               ∧ lv ≠ None)
  set (VotersFor := fun v => dom _).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
safe_v: VSet
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
(let FreeVoters := FreeVoters in
 if decide (Quorum FreeVoters)
 then any_value
 else
  let VotersFor := VotersFor in
  let VotedValues :=
    map_to_set (λ (_ : Acceptor) (v : Value), v)
      (omap (fmap snd) participants) in
  some_values
    (filter
       (λ v : Value, Quorum (VotersFor v ∪ FreeVoters))
       VotedValues)) = some_values safe_v
→ ∀ v : Value,
    v ∈ safe_v
    → ∃ Q : {x : ASet | Quorum x},
        (∀ a : Acceptor,
           a ∈ `Q
           → (∃ vbal : Ballot,
                participants !! a =
                Some (Some (vbal, v)) ∧ (vbal < b)%Z)
             ∨ participants !! a = Some None)
        ∧ (∃ (a_hist : Acceptor) (lv : option
                                         (Ballot *
                                          Value)),
             a_hist ∈ `Q
             ∧ participants !! a_hist = Some lv
               ∧ lv ≠ None)
  simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
safe_v: VSet
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
(if decide (Quorum FreeVoters)
 then any_value
 else
  some_values
    (filter
       (λ v : Value, Quorum (VotersFor v ∪ FreeVoters))
       (map_to_set (λ (_ : Acceptor) (v : Value), v)
          (omap (fmap snd) participants)))) =
some_values safe_v
→ ∀ v : Value,
    v ∈ safe_v
    → ∃ Q : {x : ASet | Quorum x},
        (∀ a : Acceptor,
           a ∈ `Q
           → (∃ vbal : Ballot,
                participants !! a =
                Some (Some (vbal, v)) ∧ (vbal < b)%Z)
             ∨ participants !! a = Some None)
        ∧ (∃ (a_hist : Acceptor) (lv : option
                                         (Ballot *
                                          Value)),
             a_hist ∈ `Q
             ∧ participants !! a_hist = Some lv
               ∧ lv ≠ None)
  destruct (decide (Quorum FreeVoters)) as [| Hno_free_quorum]; [done|].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
safe_v: VSet
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
some_values
  (filter
     (λ v : Value, Quorum (VotersFor v ∪ FreeVoters))
     (map_to_set (λ (_ : Acceptor) (v : Value), v)
        (omap (fmap snd) participants))) =
some_values safe_v
→ ∀ v : Value,
    v ∈ safe_v
    → ∃ Q : {x : ASet | Quorum x},
        (∀ a : Acceptor,
           a ∈ `Q
           → (∃ vbal : Ballot,
                participants !! a =
                Some (Some (vbal, v)) ∧ (vbal < b)%Z)
             ∨ participants !! a = Some None)
        ∧ (∃ (a_hist : Acceptor) (lv : option
                                         (Ballot *
                                          Value)),
             a_hist ∈ `Q
             ∧ participants !! a_hist = Some lv
               ∧ lv ≠ None)
  intros [= <-] v Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
Hv: v
∈ filter
    (λ v : Value,
       Quorum (VotersFor v ∪ FreeVoters))
    (map_to_set (λ (_ : Acceptor) (v : Value), v)
       (omap (fmap snd) participants))
∃ Q : {x : ASet | Quorum x},
  (∀ a : Acceptor,
     a ∈ `Q
     → (∃ vbal : Ballot,
          participants !! a = Some (Some (vbal, v))
          ∧ (vbal < b)%Z)
       ∨ participants !! a = Some None)
  ∧ (∃ (a_hist : Acceptor) (lv : option
                                   (Ballot * Value)),
       a_hist ∈ `Q
       ∧ participants !! a_hist = Some lv ∧ lv ≠ None)
  apply elem_of_filter in Hv as [HQ Hv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
∃ Q : {x : ASet | Quorum x},
  (∀ a : Acceptor,
     a ∈ `Q
     → (∃ vbal : Ballot,
          participants !! a = Some (Some (vbal, v))
          ∧ (vbal < b)%Z)
       ∨ participants !! a = Some None)
  ∧ (∃ (a_hist : Acceptor) (lv : option
                                   (Ballot * Value)),
       a_hist ∈ `Q
       ∧ participants !! a_hist = Some lv ∧ lv ≠ None)
  exists (exist _ _ HQ); simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
(∀ a : Acceptor,
   a ∈ VotersFor v ∪ FreeVoters
   → (∃ vbal : Ballot,
        participants !! a = Some (Some (vbal, v))
        ∧ (vbal < b)%Z)
     ∨ participants !! a = Some None)
∧ (∃ (a_hist : Acceptor) (lv : option (Ballot * Value)),
     a_hist ∈ VotersFor v ∪ FreeVoters
     ∧ participants !! a_hist = Some lv ∧ lv ≠ None)
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
∀ a : Acceptor,
  a ∈ VotersFor v ∪ FreeVoters
  → (∃ vbal : Ballot,
       participants !! a = Some (Some (vbal, v))
       ∧ (vbal < b)%Z) ∨ participants !! a = Some None
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
∃ (a_hist : Acceptor) (lv : option (Ballot * Value)),
  a_hist ∈ VotersFor v ∪ FreeVoters
  ∧ participants !! a_hist = Some lv ∧ lv ≠ None
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
∀ a : Acceptor,
  a ∈ VotersFor v ∪ FreeVoters
  → (∃ vbal : Ballot,
       participants !! a = Some (Some (vbal, v))
       ∧ (vbal < b)%Z) ∨ participants !! a = Some None intros a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
Ha: a ∈ VotersFor v ∪ FreeVoters
(∃ vbal : Ballot,
   participants !! a = Some (Some (vbal, v))
   ∧ (vbal < b)%Z) ∨ participants !! a = Some None
    apply elem_of_union in Ha as [Ha | Ha];
      apply fin_map_dom.elem_of_dom in Ha as [lv Ha];
      apply map_lookup_filter_Some in Ha;
      [| itauto congruence].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
lv: option (Ballot * Value)
Ha: participants !! a = Some lv
∧ (fst <$> lv < b)%Z ∧ snd <$> lv = Some v
(∃ vbal : Ballot,
   participants !! a = Some (Some (vbal, v))
   ∧ (vbal < b)%Z) ∨ participants !! a = Some None
    destruct Ha as (Ha & Hbal & Hlv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
lv: option (Ballot * Value)
Ha: participants !! a = Some lv
Hbal: (fst <$> lv < b)%Z
Hlv: snd <$> lv = Some v
(∃ vbal : Ballot,
   participants !! a = Some (Some (vbal, v))
   ∧ (vbal < b)%Z) ∨ participants !! a = Some None
    destruct lv as [[vbal vval] |]; cbn in Hbal, Hlv; [| by contradict Hlv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
vbal: Ballot
vval: Value
Ha: participants !! a = Some (Some (vbal, vval))
Hbal: (Z.of_N vbal < b)%Z
Hlv: Some vval = Some v
(∃ vbal : Ballot,
   participants !! a = Some (Some (vbal, v))
   ∧ (vbal < b)%Z) ∨ participants !! a = Some None
    left; exists vbal.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
vbal: Ballot
vval: Value
Ha: participants !! a = Some (Some (vbal, vval))
Hbal: (Z.of_N vbal < b)%Z
Hlv: Some vval = Some v
participants !! a = Some (Some (vbal, v))
∧ (vbal < b)%Z
    by inversion Hlv; subst v.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
∃ (a_hist : Acceptor) (lv : option (Ballot * Value)),
  a_hist ∈ VotersFor v ∪ FreeVoters
  ∧ participants !! a_hist = Some lv ∧ lv ≠ None cut (exists a : Acceptor, a ∈ VotersFor v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
(∃ a : Acceptor, a ∈ VotersFor v)
→ ∃ (a_hist : Acceptor) (lv : option (Ballot * Value)),
    a_hist ∈ VotersFor v ∪ FreeVoters
    ∧ participants !! a_hist = Some lv ∧ lv ≠ None
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
∃ a : Acceptor, a ∈ VotersFor v
    {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
(∃ a : Acceptor, a ∈ VotersFor v)
→ ∃ (a_hist : Acceptor) (lv : option (Ballot * Value)),
    a_hist ∈ VotersFor v ∪ FreeVoters
    ∧ participants !! a_hist = Some lv ∧ lv ≠ None
      intros [a Ha]; exists a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
Ha: a ∈ VotersFor v
∃ lv : option (Ballot * Value),
  a ∈ VotersFor v ∪ FreeVoters
  ∧ participants !! a = Some lv ∧ lv ≠ None
      apply fin_map_dom.elem_of_dom in Ha as Ha'; destruct Ha' as [lv Ha_lv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
Ha: a ∈ VotersFor v
lv: option (Ballot * Value)
Ha_lv: filter
  (λ '(_, lv),
     (fst <$> lv < b)%Z ∧ snd <$> lv = Some v)
  participants !! a = Some lv
∃ lv : option (Ballot * Value),
  a ∈ VotersFor v ∪ FreeVoters
  ∧ participants !! a = Some lv ∧ lv ≠ None
      exists lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
Ha: a ∈ VotersFor v
lv: option (Ballot * Value)
Ha_lv: filter
  (λ '(_, lv),
     (fst <$> lv < b)%Z ∧ snd <$> lv = Some v)
  participants !! a = Some lv
a ∈ VotersFor v ∪ FreeVoters
∧ participants !! a = Some lv ∧ lv ≠ None
      split; [by set_solver |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
Ha: a ∈ VotersFor v
lv: option (Ballot * Value)
Ha_lv: filter
  (λ '(_, lv),
     (fst <$> lv < b)%Z ∧ snd <$> lv = Some v)
  participants !! a = Some lv
participants !! a = Some lv ∧ lv ≠ None
      apply map_lookup_filter_Some in Ha_lv as (Hlookup & _ & Hnot_None).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
Ha: a ∈ VotersFor v
lv: option (Ballot * Value)
Hlookup: participants !! a = Some lv
Hnot_None: snd <$> lv = Some v
participants !! a = Some lv ∧ lv ≠ None
      split; [by apply Hlookup |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
a: Acceptor
Ha: a ∈ VotersFor v
lv: option (Ballot * Value)
Hlookup: participants !! a = Some lv
Hnot_None: snd <$> lv = Some v
lv ≠ None
      by destruct lv; cbn.
    }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
∃ a : Acceptor, a ∈ VotersFor v
    apply set_choose.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
VotersFor v ≢ ∅
    intros Hequiv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
Hequiv: VotersFor v ≡ ∅
False
    eapply Hno_free_quorum, QClosed; [| by apply HQ].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
participants: AMap (option (Ballot * Value))
FreeVoters:= dom
  (filter (λ '(_, lv), lv = None)
     participants): ASet
VotersFor:= λ v : Value,
  dom
    (filter
       (λ '(_, lv),
          (fst <$> lv < b)%Z
          ∧ snd <$> lv = Some v)
       participants): Value → ASet
Hno_free_quorum: ¬ Quorum FreeVoters
v: Value
HQ: Quorum (VotersFor v ∪ FreeVoters)
Hv: v
∈ map_to_set (λ (_ : Acceptor) (v : Value), v)
    (omap (fmap snd) participants)
Hequiv: VotersFor v ≡ ∅
VotersFor v ∪ FreeVoters ⊆ FreeVoters
    by rewrite Hequiv, (union_empty_l FreeVoters).
Qed.

Section sec_one_leader.

Context
  (self : Ballot)
  .

Definition leader_valid : leader_label -> (option ballot_state * option paxos_message) -> Prop :=
  fun l '(osb, m) =>
    let sb := default ∅ osb in
    match l, m with
    | L_send_1a, None => True (* no side conditions *)
    | L_recv_1b, Some (b, m_1b a _) => b = self (* no conditions *)
    | L_send_1c safe_vs, None => safe_vs = calculate_safe_values self sb.(gathered_1b)
    | L_send_2a v, None =>
        None = sent_2a sb (* Have not previously sent a 2a *)
        /\ exists safe_vs, v ∈ safe_vs /\ safe_vs ∈ sent_1c sb
    (* Did previously sent 1c that approves v *)
    | _, _ => False
    end.

Definition leader_transition (l : leader_label)
  : ballot_state * option paxos_message -> option (ballot_state * option paxos_message_body) :=
  fun '(sb, im) =>
    match l, im with
    | L_send_1a, None => Some (set_sent_1a sb, Some m_1a)
    | L_recv_1b, Some (b, m_1b a lv) =>
        Some (insert_gathered_1b a lv sb, None)
    | L_send_1c safe_v, None =>
        Some (set_sent_1c safe_v sb, Some (m_1c safe_v))
    | L_send_2a v, None =>
        if sent_2a sb then None else Some (set_sent_2a v sb, Some (m_2a v))
    | _, _ => None
    end.

A quick sanity check that initial_ballot_state cannot be produced in the output of leader_transition. So the reachable values of leader_state have a unique representation in the sense that forall i, m !!! i = n !!! i implies m ≡ n.

Lemma leader_result_not_initial :
  forall l b im r om,
    leader_transition l (b, im) = Some (r, om) ->
    r <> initial_ballot_state.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
∀ (l : leader_label) (b : ballot_state) (im : option
                                                paxos_message) 
  (r : ballot_state) (om : option paxos_message_body),
  leader_transition l (b, im) = Some (r, om)
  → r ≠ initial_ballot_state
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
∀ (l : leader_label) (b : ballot_state) (im : option
                                                paxos_message) 
  (r : ballot_state) (om : option paxos_message_body),
  leader_transition l (b, im) = Some (r, om)
  → r ≠ initial_ballot_state
  intros *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
b: ballot_state
im: option paxos_message
r: ballot_state
om: option paxos_message_body
leader_transition l (b, im) = Some (r, om)
→ r ≠ initial_ballot_state
  unfold leader_transition.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
b: ballot_state
im: option paxos_message
r: ballot_state
om: option paxos_message_body
match l with
| L_send_1a =>
    match im with
    | Some _ => None
    | None => Some (set_sent_1a b, Some m_1a)
    end
| L_recv_1b =>
    match im with
    | Some (_, m_1b a lv) =>
        Some (insert_gathered_1b a lv b, None)
    | _ => None
    end
| L_send_1c safe_v =>
    match im with
    | Some _ => None
    | None =>
        Some
          (set_sent_1c safe_v b, Some (m_1c safe_v))
    end
| L_send_2a v =>
    match im with
    | Some _ => None
    | None =>
        if sent_2a b
        then None
        else Some (set_sent_2a v b, Some (m_2a v))
    end
end = Some (r, om) → r ≠ initial_ballot_state
  repeat case_match; subst; intros [= <- <-]; try discriminate.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
b: ballot_state
b0: Ballot
a: Acceptor
last_vote: option (Ballot * Value)
insert_gathered_1b a last_vote b
≠ initial_ballot_state
  intros Heq.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
b: ballot_state
b0: Ballot
a: Acceptor
last_vote: option (Ballot * Value)
Heq: insert_gathered_1b a last_vote b =
initial_ballot_state
False
  apply (f_equal gathered_1b) in Heq; cbn in Heq.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
b: ballot_state
b0: Ballot
a: Acceptor
last_vote: option (Ballot * Value)
Heq: <[a:=last_vote]> (gathered_1b b) = ∅
False
  by apply insert_non_empty in Heq.
Qed.

Definition leader_messages (sb : ballot_state) : list paxos_message_body :=
  (if sent_1a sb then [m_1a] else [])
    ++ (m_1c <$> sent_1c sb)
    ++ (m_2a <$> option_list (sent_2a sb)).

Lemma leader_messages_correct :
  forall (l : leader_label) (sb : ballot_state) im sb' oom,
    leader_transition l (sb, im) = Some (sb', oom) ->
    forall m, m ∈ leader_messages sb' <-> oom = Some m \/ m ∈ leader_messages sb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
∀ (l : leader_label) (sb : ballot_state) (im : option
                                                 paxos_message) 
  (sb' : ballot_state) (oom : option
                                paxos_message_body),
  leader_transition l (sb, im) = Some (sb', oom)
  → ∀ m : paxos_message_body,
      m ∈ leader_messages sb'
      ↔ oom = Some m ∨ m ∈ leader_messages sb
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
∀ (l : leader_label) (sb : ballot_state) (im : option
                                                 paxos_message) 
  (sb' : ballot_state) (oom : option
                                paxos_message_body),
  leader_transition l (sb, im) = Some (sb', oom)
  → ∀ m : paxos_message_body,
      m ∈ leader_messages sb'
      ↔ oom = Some m ∨ m ∈ leader_messages sb
  intros l sb im sb' oom Ht m.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sb: ballot_state
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
Ht: leader_transition l (sb, im) = Some (sb', oom)
m: paxos_message_body
m ∈ leader_messages sb'
↔ oom = Some m ∨ m ∈ leader_messages sb
  rewrite (eq_comm oom).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sb: ballot_state
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
Ht: leader_transition l (sb, im) = Some (sb', oom)
m: paxos_message_body
m ∈ leader_messages sb'
↔ Some m = oom ∨ m ∈ leader_messages sb
  unfold leader_transition in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sb: ballot_state
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
Ht: match l with
| L_send_1a =>
    match im with
    | Some _ => None
    | None => Some (set_sent_1a sb, Some m_1a)
    end
| L_recv_1b =>
    match im with
    | Some (_, m_1b a lv) =>
        Some (insert_gathered_1b a lv sb, None)
    | _ => None
    end
| L_send_1c safe_v =>
    match im with
    | Some _ => None
    | None =>
        Some
          (set_sent_1c safe_v sb,
           Some (m_1c safe_v))
    end
| L_send_2a v =>
    match im with
    | Some _ => None
    | None =>
        if sent_2a sb
        then None
        else
         Some (set_sent_2a v sb, Some (m_2a v))
    end
end = Some (sb', oom)
m: paxos_message_body
m ∈ leader_messages sb'
↔ Some m = oom ∨ m ∈ leader_messages sb
  pose proof (nosend_lem := fun P => or_r _ P (Some_ne_None m)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sb: ballot_state
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
Ht: match l with
| L_send_1a =>
    match im with
    | Some _ => None
    | None => Some (set_sent_1a sb, Some m_1a)
    end
| L_recv_1b =>
    match im with
    | Some (_, m_1b a lv) =>
        Some (insert_gathered_1b a lv sb, None)
    | _ => None
    end
| L_send_1c safe_v =>
    match im with
    | Some _ => None
    | None =>
        Some
          (set_sent_1c safe_v sb,
           Some (m_1c safe_v))
    end
| L_send_2a v =>
    match im with
    | Some _ => None
    | None =>
        if sent_2a sb
        then None
        else
         Some (set_sent_2a v sb, Some (m_2a v))
    end
end = Some (sb', oom)
m: paxos_message_body
nosend_lem: ∀ P : Prop, Some m = None ∨ P ↔ P
m ∈ leader_messages sb'
↔ Some m = oom ∨ m ∈ leader_messages sb
  by repeat case_match; (try discriminate Ht); subst; injection Ht as [= <- <-]; subst;
    (rewrite ?(inj_iff Some), ?nosend_lem; clear nosend_lem;
     unfold leader_messages; destruct sb as [sent_1a ? ? sent_2a]; simpl in *; subst; simpl);
    [destruct sent_1a | ..]; simpl_elem_of_list; itauto.
Qed.

Lemma leader_gathered_1b_step :
  forall (l : leader_label) (sb : ballot_state) im sb' oom,
    leader_transition l (sb, im) = Some (sb', oom) ->
    forall a lv, gathered_1b sb' !! a = Some lv ->
      (l = L_recv_1b /\ exists b, im = Some (b, m_1b a lv)) \/ gathered_1b sb !! a = Some lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
∀ (l : leader_label) (sb : ballot_state) (im : option
                                                 paxos_message) 
  (sb' : ballot_state) (oom : option
                                paxos_message_body),
  leader_transition l (sb, im) = Some (sb', oom)
  → ∀ (a : Acceptor) (lv : option (Ballot * Value)),
      gathered_1b sb' !! a = Some lv
      → l = L_recv_1b
        ∧ (∃ b : Ballot, im = Some (b, m_1b a lv))
        ∨ gathered_1b sb !! a = Some lv
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
∀ (l : leader_label) (sb : ballot_state) (im : option
                                                 paxos_message) 
  (sb' : ballot_state) (oom : option
                                paxos_message_body),
  leader_transition l (sb, im) = Some (sb', oom)
  → ∀ (a : Acceptor) (lv : option (Ballot * Value)),
      gathered_1b sb' !! a = Some lv
      → l = L_recv_1b
        ∧ (∃ b : Ballot, im = Some (b, m_1b a lv))
        ∨ gathered_1b sb !! a = Some lv
  intros l [? sb_gathered_1b ? ?] * Ht a lv; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
Ht: leader_transition l
  ({|
     sent_1a := sent_1a0;
     gathered_1b := sb_gathered_1b;
     sent_1c := sent_1c0;
     sent_2a := sent_2a0
   |}, im) = Some (sb', oom)
a: Acceptor
lv: option (Ballot * Value)
gathered_1b sb' !! a = Some lv
→ l = L_recv_1b
  ∧ (∃ b : Ballot, im = Some (b, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv
  unfold leader_transition in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
Ht: match l with
| L_send_1a =>
    match im with
    | Some _ => None
    | None =>
        Some
          (set_sent_1a
             {|
               sent_1a := sent_1a0;
               gathered_1b := sb_gathered_1b;
               sent_1c := sent_1c0;
               sent_2a := sent_2a0
             |}, Some m_1a)
    end
| L_recv_1b =>
    match im with
    | Some (_, m_1b a lv) =>
        Some
          (insert_gathered_1b a lv
             {|
               sent_1a := sent_1a0;
               gathered_1b := sb_gathered_1b;
               sent_1c := sent_1c0;
               sent_2a := sent_2a0
             |}, None)
    | _ => None
    end
| L_send_1c safe_v =>
    match im with
    | Some _ => None
    | None =>
        Some
          (set_sent_1c safe_v
             {|
               sent_1a := sent_1a0;
               gathered_1b := sb_gathered_1b;
               sent_1c := sent_1c0;
               sent_2a := sent_2a0
             |}, Some (m_1c safe_v))
    end
| L_send_2a v =>
    match im with
    | Some _ => None
    | None =>
        if
         sent_2a
           {|
             sent_1a := sent_1a0;
             gathered_1b := sb_gathered_1b;
             sent_1c := sent_1c0;
             sent_2a := sent_2a0
           |}
        then None
        else
         Some
           (set_sent_2a v
              {|
                sent_1a := sent_1a0;
                gathered_1b := sb_gathered_1b;
                sent_1c := sent_1c0;
                sent_2a := sent_2a0
              |}, Some (m_2a v))
    end
end = Some (sb', oom)
a: Acceptor
lv: option (Ballot * Value)
gathered_1b sb' !! a = Some lv
→ l = L_recv_1b
  ∧ (∃ b : Ballot, im = Some (b, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv
  repeat case_match; inversion Ht; cbn; only 1, 3-4: by right.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
H16: l = L_recv_1b
p: paxos_message
b: Ballot
p0: paxos_message_body
a0: Acceptor
last_vote: option (Ballot * Value)
H19: p0 = m_1b a0 last_vote
H18: p = (b, m_1b a0 last_vote)
H17: im = Some (b, m_1b a0 last_vote)
Ht: Some
  (insert_gathered_1b a0 last_vote
     {|
       sent_1a := sent_1a0;
       gathered_1b := sb_gathered_1b;
       sent_1c := sent_1c0;
       sent_2a := sent_2a0
     |}, None) = Some (sb', oom)
a: Acceptor
lv: option (Ballot * Value)
H21: insert_gathered_1b a0 last_vote
  {|
    sent_1a := sent_1a0;
    gathered_1b := sb_gathered_1b;
    sent_1c := sent_1c0;
    sent_2a := sent_2a0
  |} = sb'
H22: None = oom
<[a0:=last_vote]> sb_gathered_1b !! a = Some lv
→ L_recv_1b = L_recv_1b
  ∧ (∃ b0 : Ballot,
       Some (b, m_1b a0 last_vote) =
       Some (b0, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv
  destruct (decide (a0 = a)) as [-> | Hneq].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
H16: l = L_recv_1b
p: paxos_message
b: Ballot
p0: paxos_message_body
last_vote: option (Ballot * Value)
a: Acceptor
Ht: Some
  (insert_gathered_1b a last_vote
     {|
       sent_1a := sent_1a0;
       gathered_1b := sb_gathered_1b;
       sent_1c := sent_1c0;
       sent_2a := sent_2a0
     |}, None) = Some (sb', oom)
H17: im = Some (b, m_1b a last_vote)
H18: p = (b, m_1b a last_vote)
H19: p0 = m_1b a last_vote
lv: option (Ballot * Value)
H21: insert_gathered_1b a last_vote
  {|
    sent_1a := sent_1a0;
    gathered_1b := sb_gathered_1b;
    sent_1c := sent_1c0;
    sent_2a := sent_2a0
  |} = sb'
H22: None = oom
<[a:=last_vote]> sb_gathered_1b !! a = Some lv
→ L_recv_1b = L_recv_1b
  ∧ (∃ b0 : Ballot,
       Some (b, m_1b a last_vote) =
       Some (b0, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
H16: l = L_recv_1b
p: paxos_message
b: Ballot
p0: paxos_message_body
a0: Acceptor
last_vote: option (Ballot * Value)
H19: p0 = m_1b a0 last_vote
H18: p = (b, m_1b a0 last_vote)
H17: im = Some (b, m_1b a0 last_vote)
Ht: Some
  (insert_gathered_1b a0 last_vote
     {|
       sent_1a := sent_1a0;
       gathered_1b := sb_gathered_1b;
       sent_1c := sent_1c0;
       sent_2a := sent_2a0
     |}, None) = Some (sb', oom)
a: Acceptor
lv: option (Ballot * Value)
H21: insert_gathered_1b a0 last_vote
  {|
    sent_1a := sent_1a0;
    gathered_1b := sb_gathered_1b;
    sent_1c := sent_1c0;
    sent_2a := sent_2a0
  |} = sb'
H22: None = oom
Hneq: a0 ≠ a
<[a0:=last_vote]> sb_gathered_1b !! a = Some lv
→ L_recv_1b = L_recv_1b
  ∧ (∃ b0 : Ballot,
       Some (b, m_1b a0 last_vote) =
       Some (b0, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
H16: l = L_recv_1b
p: paxos_message
b: Ballot
p0: paxos_message_body
last_vote: option (Ballot * Value)
a: Acceptor
Ht: Some
  (insert_gathered_1b a last_vote
     {|
       sent_1a := sent_1a0;
       gathered_1b := sb_gathered_1b;
       sent_1c := sent_1c0;
       sent_2a := sent_2a0
     |}, None) = Some (sb', oom)
H17: im = Some (b, m_1b a last_vote)
H18: p = (b, m_1b a last_vote)
H19: p0 = m_1b a last_vote
lv: option (Ballot * Value)
H21: insert_gathered_1b a last_vote
  {|
    sent_1a := sent_1a0;
    gathered_1b := sb_gathered_1b;
    sent_1c := sent_1c0;
    sent_2a := sent_2a0
  |} = sb'
H22: None = oom
<[a:=last_vote]> sb_gathered_1b !! a = Some lv
→ L_recv_1b = L_recv_1b
  ∧ (∃ b0 : Ballot,
       Some (b, m_1b a last_vote) =
       Some (b0, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv rewrite lookup_insert; intros [=->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
H16: l = L_recv_1b
p: paxos_message
b: Ballot
p0: paxos_message_body
a: Acceptor
lv: option (Ballot * Value)
H21: insert_gathered_1b a lv
  {|
    sent_1a := sent_1a0;
    gathered_1b := sb_gathered_1b;
    sent_1c := sent_1c0;
    sent_2a := sent_2a0
  |} = sb'
H19: p0 = m_1b a lv
H18: p = (b, m_1b a lv)
H17: im = Some (b, m_1b a lv)
Ht: Some
  (insert_gathered_1b a lv
     {|
       sent_1a := sent_1a0;
       gathered_1b := sb_gathered_1b;
       sent_1c := sent_1c0;
       sent_2a := sent_2a0
     |}, None) = Some (sb', oom)
H22: None = oom
L_recv_1b = L_recv_1b
∧ (∃ b0 : Ballot,
     Some (b, m_1b a lv) = Some (b0, m_1b a lv))
∨ sb_gathered_1b !! a = Some lv
    by (left; eauto).
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
H16: l = L_recv_1b
p: paxos_message
b: Ballot
p0: paxos_message_body
a0: Acceptor
last_vote: option (Ballot * Value)
H19: p0 = m_1b a0 last_vote
H18: p = (b, m_1b a0 last_vote)
H17: im = Some (b, m_1b a0 last_vote)
Ht: Some
  (insert_gathered_1b a0 last_vote
     {|
       sent_1a := sent_1a0;
       gathered_1b := sb_gathered_1b;
       sent_1c := sent_1c0;
       sent_2a := sent_2a0
     |}, None) = Some (sb', oom)
a: Acceptor
lv: option (Ballot * Value)
H21: insert_gathered_1b a0 last_vote
  {|
    sent_1a := sent_1a0;
    gathered_1b := sb_gathered_1b;
    sent_1c := sent_1c0;
    sent_2a := sent_2a0
  |} = sb'
H22: None = oom
Hneq: a0 ≠ a
<[a0:=last_vote]> sb_gathered_1b !! a = Some lv
→ L_recv_1b = L_recv_1b
  ∧ (∃ b0 : Ballot,
       Some (b, m_1b a0 last_vote) =
       Some (b0, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv rewrite lookup_insert_ne by done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
self: Ballot
l: leader_label
sent_1a0: bool
sb_gathered_1b: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
im: option paxos_message
sb': ballot_state
oom: option paxos_message_body
H16: l = L_recv_1b
p: paxos_message
b: Ballot
p0: paxos_message_body
a0: Acceptor
last_vote: option (Ballot * Value)
H19: p0 = m_1b a0 last_vote
H18: p = (b, m_1b a0 last_vote)
H17: im = Some (b, m_1b a0 last_vote)
Ht: Some
  (insert_gathered_1b a0 last_vote
     {|
       sent_1a := sent_1a0;
       gathered_1b := sb_gathered_1b;
       sent_1c := sent_1c0;
       sent_2a := sent_2a0
     |}, None) = Some (sb', oom)
a: Acceptor
lv: option (Ballot * Value)
H21: insert_gathered_1b a0 last_vote
  {|
    sent_1a := sent_1a0;
    gathered_1b := sb_gathered_1b;
    sent_1c := sent_1c0;
    sent_2a := sent_2a0
  |} = sb'
H22: None = oom
Hneq: a0 ≠ a
sb_gathered_1b !! a = Some lv
→ L_recv_1b = L_recv_1b
  ∧ (∃ b0 : Ballot,
       Some (b, m_1b a0 last_vote) =
       Some (b0, m_1b a lv))
  ∨ sb_gathered_1b !! a = Some lv
    by right.
Qed.

End sec_one_leader.

Definition leaders_valid : leaders_label -> (leaders_state * option paxos_message) -> Prop :=
  fun '(b, l) '(s, om) => leader_valid b l (s !! b, om).

Definition leaders_transition
  : leaders_label -> leaders_state * option paxos_message -> leaders_state * option paxos_message :=
  fun '(b, l) '(s, im) =>
    match leader_transition l (s !!! b, im) with
    | Some (sb', om) => (<[b := sb']> s, pair b <$> om)
    | None => (s, None)
    end.

Definition leaders_machine : VLSMMachine leaders_type :=
{|
  initial_state_prop := (.= ∅);
  s0 := populate (exist _ ∅ eq_refl);
  initial_message_prop := fun _ => False;
  valid := leaders_valid;
  transition := leaders_transition;
|}.

Definition leaders_vlsm : VLSM paxos_message := mk_vlsm leaders_machine.

Definition leaders_messages (s : leaders_state) : list paxos_message :=
  elements (dom s) ≫= fun b : Ballot => pair b <$> leader_messages (s !!! b).

Lemma elem_of_leaders_messages b mb s :
  (b, mb) ∈ leaders_messages s <-> mb ∈ leader_messages (s !!! b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
(b, mb) ∈ leaders_messages s
↔ mb ∈ leader_messages (s !!! b)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
(b, mb) ∈ leaders_messages s
↔ mb ∈ leader_messages (s !!! b)
  unfold leaders_messages.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
(b, mb)
∈ elements (dom s)
  ≫= (λ b : Ballot,
        pair b <$> leader_messages (s !!! b))
↔ mb ∈ leader_messages (s !!! b)
  rewrite elem_of_list_bind.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
(∃ y : Ballot,
   (b, mb) ∈ pair y <$> leader_messages (s !!! y)
   ∧ y ∈ elements (dom s))
↔ mb ∈ leader_messages (s !!! b)
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
(∃ y : Ballot,
   (b, mb) ∈ pair y <$> leader_messages (s !!! y)
   ∧ y ∈ elements (dom s))
→ mb ∈ leader_messages (s !!! b)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
mb ∈ leader_messages (s !!! b)
→ ∃ y : Ballot,
    (b, mb) ∈ pair y <$> leader_messages (s !!! y)
    ∧ y ∈ elements (dom s)
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
(∃ y : Ballot,
   (b, mb) ∈ pair y <$> leader_messages (s !!! y)
   ∧ y ∈ elements (dom s))
→ mb ∈ leader_messages (s !!! b) intros (y & Hmsgs & _).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
y: Ballot
Hmsgs: (b, mb) ∈ pair y <$> leader_messages (s !!! y)
mb ∈ leader_messages (s !!! b)
    by apply elem_of_list_fmap in Hmsgs as [y0 [[= <- <-] Hmsgs]].
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
mb ∈ leader_messages (s !!! b)
→ ∃ y : Ballot,
    (b, mb) ∈ pair y <$> leader_messages (s !!! y)
    ∧ y ∈ elements (dom s) intros Hmsgs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
Hmsgs: mb ∈ leader_messages (s !!! b)
∃ y : Ballot,
  (b, mb) ∈ pair y <$> leader_messages (s !!! y)
  ∧ y ∈ elements (dom s)
    exists b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
Hmsgs: mb ∈ leader_messages (s !!! b)
(b, mb) ∈ pair b <$> leader_messages (s !!! b)
∧ b ∈ elements (dom s)
    split; [by apply elem_of_list_fmap_1 |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
Hmsgs: mb ∈ leader_messages (s !!! b)
b ∈ elements (dom s)
    rewrite elem_of_elements, (fin_map_dom.elem_of_dom s b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
Hmsgs: mb ∈ leader_messages (s !!! b)
is_Some (s !! b)
    rewrite (lookup_total_alt s) in Hmsgs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
mb: paxos_message_body
s: leaders_state
Hmsgs: mb
∈ leader_messages
    (default inhabitant (s !! b))
is_Some (s !! b)
    by destruct (_ !! b); [| apply elem_of_nil in Hmsgs].
Qed.

Lemma leaders_messages_correct :
  forall l s im s' om,
    leaders_transition l (s, im) = (s', om) ->
    forall m, m ∈ leaders_messages s' <-> (om = Some m \/ m ∈ leaders_messages s).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : leaders_label) (s : leaders_state) (im : option
                                                 paxos_message) 
  (s' : leaders_state) (om : option paxos_message),
  leaders_transition l (s, im) = (s', om)
  → ∀ m : paxos_message,
      m ∈ leaders_messages s'
      ↔ om = Some m ∨ m ∈ leaders_messages s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : leaders_label) (s : leaders_state) (im : option
                                                 paxos_message) 
  (s' : leaders_state) (om : option paxos_message),
  leaders_transition l (s, im) = (s', om)
  → ∀ m : paxos_message,
      m ∈ leaders_messages s'
      ↔ om = Some m ∨ m ∈ leaders_messages s
  intros [b l] s im s' om.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
s': leaders_state
om: option paxos_message
leaders_transition (b, l) (s, im) = (s', om)
→ ∀ m : paxos_message,
    m ∈ leaders_messages s'
    ↔ om = Some m ∨ m ∈ leaders_messages s
  unfold leaders_transition.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
s': leaders_state
om: option paxos_message
match leader_transition l (s !!! b, im) with
| Some (sb', om) => (<[b:=sb']> s, pair b <$> om)
| None => (s, None)
end = (s', om)
→ ∀ m : paxos_message,
    m ∈ leaders_messages s'
    ↔ om = Some m ∨ m ∈ leaders_messages s
  destruct (leader_transition _ _) as [[sb' omb] |] eqn: H_local;
    intros [= <- <-] [b_m m]; [| by itauto congruence].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
H_local: leader_transition l (s !!! b, im) =
Some (sb', omb)
b_m: Ballot
m: paxos_message_body
(b_m, m) ∈ leaders_messages (<[b:=sb']> s)
↔ pair b <$> omb = Some (b_m, m)
  ∨ (b_m, m) ∈ leaders_messages s
  apply leader_messages_correct with (m := m) in H_local.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
b_m: Ballot
(b_m, m) ∈ leaders_messages (<[b:=sb']> s)
↔ pair b <$> omb = Some (b_m, m)
  ∨ (b_m, m) ∈ leaders_messages s
  rewrite 2 elem_of_leaders_messages.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
b_m: Ballot
m ∈ leader_messages (<[b:=sb']> s !!! b_m)
↔ pair b <$> omb = Some (b_m, m)
  ∨ m ∈ leader_messages (s !!! b_m)
  destruct (decide (b_m = b)) as [-> | Hneq].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
m ∈ leader_messages (<[b:=sb']> s !!! b)
↔ pair b <$> omb = Some (b, m)
  ∨ m ∈ leader_messages (s !!! b)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
b_m: Ballot
Hneq: b_m ≠ b
m ∈ leader_messages (<[b:=sb']> s !!! b_m)
↔ pair b <$> omb = Some (b_m, m)
  ∨ m ∈ leader_messages (s !!! b_m)
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
m ∈ leader_messages (<[b:=sb']> s !!! b)
↔ pair b <$> omb = Some (b, m)
  ∨ m ∈ leader_messages (s !!! b) rewrite (lookup_total_insert s), H_local.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
omb = Some m ∨ m ∈ leader_messages (s !!! b)
↔ pair b <$> omb = Some (b, m)
  ∨ m ∈ leader_messages (s !!! b)
    destruct omb; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
p, m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ Some p = Some m
  ∨ m ∈ leader_messages (s !!! b)
Some p = Some m ∨ m ∈ leader_messages (s !!! b)
↔ Some (b, p) = Some (b, m)
  ∨ m ∈ leader_messages (s !!! b)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ None = Some m
  ∨ m ∈ leader_messages (s !!! b)
None = Some m ∨ m ∈ leader_messages (s !!! b)
↔ None = Some (b, m) ∨ m ∈ leader_messages (s !!! b)
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
p, m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ Some p = Some m
  ∨ m ∈ leader_messages (s !!! b)
Some p = Some m ∨ m ∈ leader_messages (s !!! b)
↔ Some (b, p) = Some (b, m)
  ∨ m ∈ leader_messages (s !!! b) by rewrite !(inj_iff Some), (inj_iff (pair b)).
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ None = Some m
  ∨ m ∈ leader_messages (s !!! b)
None = Some m ∨ m ∈ leader_messages (s !!! b)
↔ None = Some (b, m) ∨ m ∈ leader_messages (s !!! b) by rewrite !or_r.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
b_m: Ballot
Hneq: b_m ≠ b
m ∈ leader_messages (<[b:=sb']> s !!! b_m)
↔ pair b <$> omb = Some (b_m, m)
  ∨ m ∈ leader_messages (s !!! b_m) rewrite (lookup_total_insert_ne s) by done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
b_m: Ballot
Hneq: b_m ≠ b
m ∈ leader_messages (s !!! b_m)
↔ pair b <$> omb = Some (b_m, m)
  ∨ m ∈ leader_messages (s !!! b_m)
    rewrite or_r; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: leaders_state
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
m: paxos_message_body
H_local: m ∈ leader_messages sb'
↔ omb = Some m
  ∨ m ∈ leader_messages (s !!! b)
b_m: Ballot
Hneq: b_m ≠ b
pair b <$> omb ≠ Some (b_m, m)
    by destruct omb; simpl; congruence.
Qed.

Send history can be checked without enumerating all the past messages.

Definition leader_has_been_sent (s : ballot_state) (m : paxos_message_body) : Prop :=
  match m with
  | m_1a => sent_1a s = true
  | m_1c vs => vs ∈ sent_1c s
  | m_2a v => sent_2a s = Some v
  | _ => False
  end.

Definition leaders_has_been_sent (s : leaders_state) (m : paxos_message) : Prop :=
  let (b, mb) := m in leader_has_been_sent (s !!! b) mb.

Lemma leaders_messages_iff (s : leaders_state) (m : paxos_message) :
  leaders_has_been_sent s m <-> m ∈ leaders_messages s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
m: paxos_message
leaders_has_been_sent s m ↔ m ∈ leaders_messages s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
m: paxos_message
leaders_has_been_sent s m ↔ m ∈ leaders_messages s
  destruct m as [b m]; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
leader_has_been_sent (s !!! b) m
↔ (b, m) ∈ leaders_messages s
  rewrite elem_of_leaders_messages.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
leader_has_been_sent (s !!! b) m
↔ m ∈ leader_messages (s !!! b)
  generalize (s !!! b); intros sb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
leader_has_been_sent sb m ↔ m ∈ leader_messages sb
  unfold leader_messages; simpl_elem_of_list.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
leader_has_been_sent sb m
↔ m ∈ (if sent_1a sb then [m_1a] else [])
  ∨ m ∈ m_1c <$> sent_1c sb
    ∨ m ∈ m_2a <$> option_list (sent_2a sb)
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
leader_has_been_sent sb m
→ m ∈ (if sent_1a sb then [m_1a] else [])
  ∨ m ∈ m_1c <$> sent_1c sb
    ∨ m ∈ m_2a <$> option_list (sent_2a sb)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
m ∈ (if sent_1a sb then [m_1a] else [])
∨ m ∈ m_1c <$> sent_1c sb
  ∨ m ∈ m_2a <$> option_list (sent_2a sb)
→ leader_has_been_sent sb m
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
leader_has_been_sent sb m
→ m ∈ (if sent_1a sb then [m_1a] else [])
  ∨ m ∈ m_1c <$> sent_1c sb
    ∨ m ∈ m_2a <$> option_list (sent_2a sb) unfold leader_has_been_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
match m with
| m_1a => sent_1a sb = true
| m_1c vs => vs ∈ sent_1c sb
| m_2a v => sent_2a sb = Some v
| _ => False
end
→ m ∈ (if sent_1a sb then [m_1a] else [])
  ∨ m ∈ m_1c <$> sent_1c sb
    ∨ m ∈ m_2a <$> option_list (sent_2a sb)
    destruct sb; cbn; intros Hm.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sent_1a0: bool
gathered_1b0: AMap (option (Ballot * Value))
sent_1c0: list (AllOrFin VSet)
sent_2a0: option Value
Hm: match m with
| m_1a => sent_1a0 = true
| m_1c vs => vs ∈ sent_1c0
| m_2a v => sent_2a0 = Some v
| _ => False
end
m ∈ (if sent_1a0 then [m_1a] else [])
∨ m ∈ m_1c <$> sent_1c0
  ∨ m ∈ m_2a <$> option_list sent_2a0
    by destruct m; subst; simpl; simpl_elem_of_list; auto using elem_of_list_fmap_1.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
m ∈ (if sent_1a sb then [m_1a] else [])
∨ m ∈ m_1c <$> sent_1c sb
  ∨ m ∈ m_2a <$> option_list (sent_2a sb)
→ leader_has_been_sent sb m intros [Hm | [Hm | Hm]].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
Hm: m ∈ (if sent_1a sb then [m_1a] else [])
leader_has_been_sent sb m
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
Hm: m ∈ m_1c <$> sent_1c sb
leader_has_been_sent sb m
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
Hm: m ∈ m_2a <$> option_list (sent_2a sb)
leader_has_been_sent sb m
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
Hm: m ∈ (if sent_1a sb then [m_1a] else [])
leader_has_been_sent sb m destruct (sent_1a sb) eqn: H_1a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
H_1a: sent_1a sb = true
Hm: m ∈ [m_1a]
leader_has_been_sent sb m
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
H_1a: sent_1a sb = false
Hm: m ∈ []
leader_has_been_sent sb m
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
H_1a: sent_1a sb = true
Hm: m ∈ [m_1a]
leader_has_been_sent sb m by apply elem_of_list_singleton in Hm as ->.
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
H_1a: sent_1a sb = false
Hm: m ∈ []
leader_has_been_sent sb m by apply elem_of_nil in Hm.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
Hm: m ∈ m_1c <$> sent_1c sb
leader_has_been_sent sb m by apply elem_of_list_fmap in Hm as (? & -> & ?).
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
Hm: m ∈ m_2a <$> option_list (sent_2a sb)
leader_has_been_sent sb m destruct (sent_2a sb) eqn: H_2a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
v: Value
H_2a: sent_2a sb = Some v
Hm: m ∈ m_2a <$> option_list (Some v)
leader_has_been_sent sb m
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
H_2a: sent_2a sb = None
Hm: m ∈ m_2a <$> option_list None
leader_has_been_sent sb m
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
v: Value
H_2a: sent_2a sb = Some v
Hm: m ∈ m_2a <$> option_list (Some v)
leader_has_been_sent sb m by apply elem_of_list_singleton in Hm as ->.
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: leaders_state
b: Ballot
m: paxos_message_body
sb: ballot_state
H_2a: sent_2a sb = None
Hm: m ∈ m_2a <$> option_list None
leader_has_been_sent sb m by apply elem_of_nil in Hm.
Qed.

#[export] Instance leaders_has_been_sent_dec : RelDecision leaders_has_been_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
RelDecision leaders_has_been_sent
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
RelDecision leaders_has_been_sent
  by intros s [b []]; simpl; typeclasses eauto.
Defined.

Lemma leaders_has_been_sent_props :
  has_been_sent_stepwise_prop (vlsm := leaders_vlsm) leaders_has_been_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
has_been_sent_stepwise_prop leaders_has_been_sent
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
has_been_sent_stepwise_prop leaders_has_been_sent
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state leaders_vlsm,
  initial_state_prop s
  → ∀ m : paxos_message, ¬ leaders_has_been_sent s m
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label
         (preloaded_with_all_messages_vlsm
            leaders_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            leaders_vlsm)) 
  (im : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             leaders_vlsm)) 
  (om : option paxos_message),
  input_constrained_transition leaders_vlsm l (
    s, im) (s', om)
  → ∀ msg : paxos_message,
      leaders_has_been_sent s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ leaders_has_been_sent s msg
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state leaders_vlsm,
  initial_state_prop s
  → ∀ m : paxos_message, ¬ leaders_has_been_sent s m intros s -> [b m]; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
m: paxos_message_body
¬ leader_has_been_sent (∅ !!! b) m
    unfold leaders_state; rewrite lookup_total_empty.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
m: paxos_message_body
¬ leader_has_been_sent inhabitant m
    by destruct m; simpl; auto using not_elem_of_nil.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label
         (preloaded_with_all_messages_vlsm
            leaders_vlsm)) (s : state
                                  (preloaded_with_all_messages_vlsm
                                     leaders_vlsm)) 
  (im : option paxos_message) (s' : state
                                      (preloaded_with_all_messages_vlsm
                                         leaders_vlsm)) 
  (om : option paxos_message),
  input_constrained_transition leaders_vlsm l (s, im)
    (s', om)
  → ∀ msg : paxos_message,
      leaders_has_been_sent s' msg
      ↔ field_selector output msg
          {|
            l := l;
            input := im;
            destination := s';
            output := om
          |} ∨ leaders_has_been_sent s msg intros * [(_ & _ & Hvalid) Ht] m; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm leaders_vlsm)
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
om: option paxos_message
Hvalid: valid l (s, im)
Ht: transition l (s, im) = (s', om)
m: paxos_message
leaders_has_been_sent s' m
↔ om = Some m ∨ leaders_has_been_sent s m
    rewrite 2 leaders_messages_iff.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm leaders_vlsm)
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
om: option paxos_message
Hvalid: valid l (s, im)
Ht: transition l (s, im) = (s', om)
m: paxos_message
m ∈ leaders_messages s'
↔ om = Some m ∨ m ∈ leaders_messages s
    by eapply leaders_messages_correct.
Qed.

#[export] Instance leaders_has_been_sent_cap : HasBeenSentCapability leaders_vlsm :=
{|
  has_been_sent_stepwise_props := leaders_has_been_sent_props;
|}.

Lemma examine_leaders_output :
  forall l s im s' om,
    leaders_transition l (s, im) = (s', Some om) ->
    match om with
    | (b, m_1a) => l = (b, L_send_1a)
    | (b, m_1c vs) => l = (b, L_send_1c vs)
    | (b, m_2a v) => l = (b, L_send_2a v)
    | _ => False
    end.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : leaders_label) (s : leaders_state) (im : option
                                                 paxos_message) 
  (s' : leaders_state) (om : paxos_message),
  leaders_transition l (s, im) = (s', Some om)
  → let (b, p) := om in
    match p with
    | m_1a => l = (b, L_send_1a)
    | m_1c vs => l = (b, L_send_1c vs)
    | m_2a v => l = (b, L_send_2a v)
    | _ => False
    end
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : leaders_label) (s : leaders_state) (im : option
                                                 paxos_message) 
  (s' : leaders_state) (om : paxos_message),
  leaders_transition l (s, im) = (s', Some om)
  → let (b, p) := om in
    match p with
    | m_1a => l = (b, L_send_1a)
    | m_1c vs => l = (b, L_send_1c vs)
    | m_2a v => l = (b, L_send_2a v)
    | _ => False
    end
  unfold leaders_transition, leader_transition.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : leaders_label) (s : leaders_state) (im : option
                                                 paxos_message) 
  (s' : leaders_state) (om : paxos_message),
  (let
   '(b, l0) := l in
    λ '(s0, im0),
      match
        match l0 with
        | L_send_1a =>
            match im0 with
            | Some _ => None
            | None =>
                Some
                  (set_sent_1a (s0 !!! b), Some m_1a)
            end
        | L_recv_1b =>
            match im0 with
            | Some (_, m_1b a lv) =>
                Some
                  (insert_gathered_1b a lv (s0 !!! b),
                   None)
            | _ => None
            end
        | L_send_1c safe_v =>
            match im0 with
            | Some _ => None
            | None =>
                Some
                  (set_sent_1c safe_v (s0 !!! b),
                   Some (m_1c safe_v))
            end
        | L_send_2a v =>
            match im0 with
            | Some _ => None
            | None =>
                if sent_2a (s0 !!! b)
                then None
                else
                 Some
                   (set_sent_2a v (s0 !!! b),
                    Some (m_2a v))
            end
        end
      with
      | Some (sb', om0) =>
          (<[b:=sb']> s0, pair b <$> om0)
      | None => (s0, None)
      end) (s, im) = (s', Some om)
  → let (b, p) := om in
    match p with
    | m_1a => l = (b, L_send_1a)
    | m_1c vs => l = (b, L_send_1c vs)
    | m_2a v => l = (b, L_send_2a v)
    | _ => False
    end
  intros [lb []] s [[ib im] |] s' [ob om] Ht; try done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
s, s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: (<[lb:=set_sent_1a (s !!! lb)]> s,
 pair lb <$> Some m_1a) = (
s', Some (ob, om))
match om with
| m_1a => (lb, L_send_1a) = (ob, L_send_1a)
| m_1c vs => (lb, L_send_1a) = (ob, L_send_1c vs)
| m_2a v => (lb, L_send_1a) = (ob, L_send_2a v)
| _ => False
end
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
s: leaders_state
ib: Ballot
im: paxos_message_body
s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: match
  match im with
  | m_1b a lv =>
      Some
        (insert_gathered_1b a lv (s !!! lb), None)
  | _ => None
  end
with
| Some (sb', om) =>
    (<[lb:=sb']> s, pair lb <$> om)
| None => (s, None)
end = (s', Some (ob, om))
match om with
| m_1a => (lb, L_recv_1b) = (ob, L_send_1a)
| m_1c vs => (lb, L_recv_1b) = (ob, L_send_1c vs)
| m_2a v => (lb, L_recv_1b) = (ob, L_send_2a v)
| _ => False
end
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
safe_v: AllOrFin VSet
s, s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: (<[lb:=set_sent_1c safe_v (s !!! lb)]> s,
 pair lb <$> Some (m_1c safe_v)) =
(s', Some (ob, om))
match om with
| m_1a => (lb, L_send_1c safe_v) = (ob, L_send_1a)
| m_1c vs =>
    (lb, L_send_1c safe_v) = (ob, L_send_1c vs)
| m_2a v => (lb, L_send_1c safe_v) = (ob, L_send_2a v)
| _ => False
end
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
v: Value
s, s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: match
  (if sent_2a (s !!! lb)
   then None
   else
    Some
      (set_sent_2a v (s !!! lb), Some (m_2a v)))
with
| Some (sb', om) =>
    (<[lb:=sb']> s, pair lb <$> om)
| None => (s, None)
end = (s', Some (ob, om))
match om with
| m_1a => (lb, L_send_2a v) = (ob, L_send_1a)
| m_1c vs => (lb, L_send_2a v) = (ob, L_send_1c vs)
| m_2a v0 => (lb, L_send_2a v) = (ob, L_send_2a v0)
| _ => False
end
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
s, s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: (<[lb:=set_sent_1a (s !!! lb)]> s,
 pair lb <$> Some m_1a) = (
s', Some (ob, om))
match om with
| m_1a => (lb, L_send_1a) = (ob, L_send_1a)
| m_1c vs => (lb, L_send_1a) = (ob, L_send_1c vs)
| m_2a v => (lb, L_send_1a) = (ob, L_send_2a v)
| _ => False
end by inversion Ht.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
s: leaders_state
ib: Ballot
im: paxos_message_body
s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: match
  match im with
  | m_1b a lv =>
      Some
        (insert_gathered_1b a lv (s !!! lb), None)
  | _ => None
  end
with
| Some (sb', om) =>
    (<[lb:=sb']> s, pair lb <$> om)
| None => (s, None)
end = (s', Some (ob, om))
match om with
| m_1a => (lb, L_recv_1b) = (ob, L_send_1a)
| m_1c vs => (lb, L_recv_1b) = (ob, L_send_1c vs)
| m_2a v => (lb, L_recv_1b) = (ob, L_send_2a v)
| _ => False
end by destruct im.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
safe_v: AllOrFin VSet
s, s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: (<[lb:=set_sent_1c safe_v (s !!! lb)]> s,
 pair lb <$> Some (m_1c safe_v)) =
(s', Some (ob, om))
match om with
| m_1a => (lb, L_send_1c safe_v) = (ob, L_send_1a)
| m_1c vs =>
    (lb, L_send_1c safe_v) = (ob, L_send_1c vs)
| m_2a v => (lb, L_send_1c safe_v) = (ob, L_send_2a v)
| _ => False
end by inversion Ht.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
lb: Ballot
v: Value
s, s': leaders_state
ob: Ballot
om: paxos_message_body
Ht: match
  (if sent_2a (s !!! lb)
   then None
   else
    Some
      (set_sent_2a v (s !!! lb), Some (m_2a v)))
with
| Some (sb', om) =>
    (<[lb:=sb']> s, pair lb <$> om)
| None => (s, None)
end = (s', Some (ob, om))
match om with
| m_1a => (lb, L_send_2a v) = (ob, L_send_1a)
| m_1c vs => (lb, L_send_2a v) = (ob, L_send_1c vs)
| m_2a v0 => (lb, L_send_2a v) = (ob, L_send_2a v0)
| _ => False
end by destruct (sent_2a _); inversion Ht.
Qed.

End sec_leaders_vlsm.

Section sec_paxos_vlsm.

Inductive paxos_index : Type :=
| leaders_ix
| acceptor_ix (a : Acceptor).

#[export] Instance pi_cancel :
  Cancel eq (from_option acceptor_ix leaders_ix)
    (paxos_index_rect (λ _ : paxos_index, option Acceptor) None Some).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Cancel eq (from_option acceptor_ix leaders_ix)
  (paxos_index_rect
     (λ _ : paxos_index, option Acceptor) None Some)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Cancel eq (from_option acceptor_ix leaders_ix)
  (paxos_index_rect
     (λ _ : paxos_index, option Acceptor) None Some)
  by intros [].
Defined.

#[export] Instance paxos_index_eq_dec : EqDecision paxos_index.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
EqDecision paxos_index
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
EqDecision paxos_index
  by generalize cancel_inj; apply inj_eq_dec.
Defined.

#[export] Instance cancel_pi :
  Cancel eq (paxos_index_rect (λ _ : paxos_index, option Acceptor) None Some)
   (from_option acceptor_ix leaders_ix).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Cancel eq
  (paxos_index_rect
     (λ _ : paxos_index, option Acceptor) None Some)
  (from_option acceptor_ix leaders_ix)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Cancel eq
  (paxos_index_rect
     (λ _ : paxos_index, option Acceptor) None Some)
  (from_option acceptor_ix leaders_ix)
  by intros [].
Defined.

#[export] Instance acceptor_inj : Inj eq eq (from_option acceptor_ix leaders_ix).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Inj eq eq (from_option acceptor_ix leaders_ix)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Inj eq eq (from_option acceptor_ix leaders_ix) by apply cancel_inj. Defined.

#[export] Instance acceptor_surj : Surj eq (from_option acceptor_ix leaders_ix).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Surj eq (from_option acceptor_ix leaders_ix)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
Surj eq (from_option acceptor_ix leaders_ix) by apply cancel_surj. Defined.

#[export] Instance paxos_index_finite : finite.Finite paxos_index :=
 bijective_finite (from_option acceptor_ix leaders_ix).

Definition IM (ix : paxos_index) : VLSM paxos_message :=
  match ix with
  | leaders_ix => leaders_vlsm
  | acceptor_ix a => paxos_acceptor_vlsm a
  end.

#[export] Instance IM_HasBeenSentCapability (ix : paxos_index) : HasBeenSentCapability (IM ix).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
ix: paxos_index
HasBeenSentCapability (IM ix)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
ix: paxos_index
HasBeenSentCapability (IM ix)
  by destruct ix; typeclasses eauto.
Defined.

Definition paxos_vlsm := composite_vlsm IM (no_equivocations (free_composite_vlsm IM)).

End sec_paxos_vlsm.

Definition message_sender (m : paxos_message_body) : paxos_index :=
  match m with
  | m_1a => leaders_ix
  | m_1b a _ => acceptor_ix a
  | m_1c _ => leaders_ix
  | m_2a _ => leaders_ix
  | m_2b a _ => acceptor_ix a
  end.

Lemma localize_send :
  forall l s im s' om,
    transition paxos_vlsm l (s, im) = (s', Some om) ->
    projT1 l = message_sender (snd om).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label paxos_vlsm) (s : state paxos_vlsm) (im : 
                                                 option
                                                 paxos_message) 
  (s' : state paxos_vlsm) (om : paxos_message),
  transition l (s, im) = (s', Some om)
  → projT1 l = message_sender om.2
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label paxos_vlsm) (s : state paxos_vlsm) (im : 
                                                 option
                                                 paxos_message) 
  (s' : state paxos_vlsm) (om : paxos_message),
  transition l (s, im) = (s', Some om)
  → projT1 l = message_sender om.2
  intros * Ht; destruct om as [ob omb]; cbn in Ht |- *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label paxos_vlsm
s: state paxos_vlsm
im: option paxos_message
s': state paxos_vlsm
ob: Ballot
omb: paxos_message_body
Ht: (let (i, li) := l in
 let (si', om') := transition li (s i, im) in
 (state_update IM s i si', om')) =
(s', Some (ob, omb))
projT1 l = message_sender omb
  destruct l as [[| a_l] l], (transition _ _ _) as [si' om'] eqn: H_step in Ht;
    injection Ht as [= <- ->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label (IM leaders_ix)
s: state paxos_vlsm
im: option paxos_message
ob: Ballot
omb: paxos_message_body
si': state (IM leaders_ix)
H_step: transition l (s leaders_ix, im) =
(si', Some (ob, omb))
projT1 (existT leaders_ix l) = message_sender omb
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a_l: Acceptor
l: label (IM (acceptor_ix a_l))
s: state paxos_vlsm
im: option paxos_message
ob: Ballot
omb: paxos_message_body
si': state (IM (acceptor_ix a_l))
H_step: transition l (s (acceptor_ix a_l), im) =
(si', Some (ob, omb))
projT1 (existT (acceptor_ix a_l) l) =
message_sender omb
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label (IM leaders_ix)
s: state paxos_vlsm
im: option paxos_message
ob: Ballot
omb: paxos_message_body
si': state (IM leaders_ix)
H_step: transition l (s leaders_ix, im) =
(si', Some (ob, omb))
projT1 (existT leaders_ix l) = message_sender omb by apply examine_leaders_output in H_step; destruct omb.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a_l: Acceptor
l: label (IM (acceptor_ix a_l))
s: state paxos_vlsm
im: option paxos_message
ob: Ballot
omb: paxos_message_body
si': state (IM (acceptor_ix a_l))
H_step: transition l (s (acceptor_ix a_l), im) =
(si', Some (ob, omb))
projT1 (existT (acceptor_ix a_l) l) =
message_sender omb cbn in H_step; apply examine_paxos_acceptor_output in H_step.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a_l: Acceptor
l: label (IM (acceptor_ix a_l))
s: state paxos_vlsm
im: option paxos_message
ob: Ballot
omb: paxos_message_body
si': state (IM (acceptor_ix a_l))
H_step: match omb with
| m_1b a' _ => l = A_send_1b ∧ a' = a_l
| m_2b a' _ => l = A_send_2b ∧ a' = a_l
| _ => False
end
projT1 (existT (acceptor_ix a_l) l) =
message_sender omb
    by destruct omb; cbn; itauto congruence.
Qed.

Lemma localize_sent_messages
  (s : state paxos_vlsm)
  (Hs : constrained_state_prop paxos_vlsm s)
  : forall m : paxos_message,
    has_been_sent paxos_vlsm s m
    <-> has_been_sent (IM (message_sender (snd m))) (s (message_sender (snd m))) m.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
  induction Hs using valid_state_prop_ind;
    [by intros m; split; intros []%has_been_sent_no_inits |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
∀ m : paxos_message,
  has_been_sent paxos_vlsm s' m
  ↔ has_been_sent (IM (message_sender m.2))
      (s' (message_sender m.2)) m
  intros [b mb].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
has_been_sent paxos_vlsm s' (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb)
  erewrite has_been_sent_step_update; [| by apply Ht].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
om' = Some (b, mb)
∨ has_been_sent paxos_vlsm s (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb)
  rewrite IHHs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb)
  destruct l as [i l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
i: paxos_index
l: label (IM i)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT i l) (s, om) (
  s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb)
  destruct (decide (i = message_sender mb)) as [-> | Hneq].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
mb: paxos_message_body
l: label (IM (message_sender mb))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT (message_sender mb) l) (
  s, om) (s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
i: paxos_index
l: label (IM i)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT i l) (s, om) (
  s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
Hneq: i ≠ message_sender mb
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (
    b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (
    b, mb)
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
mb: paxos_message_body
l: label (IM (message_sender mb))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT (message_sender mb) l) (
  s, om) (s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb) apply input_valid_transition_preloaded_project_active in Ht; cbn in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
mb: paxos_message_body
l: label (IM (message_sender mb))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition
  (IM (message_sender mb)) l
  (s (message_sender mb), om)
  (s' (message_sender mb), om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb)
    by rewrite <- has_been_sent_step_update.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
i: paxos_index
l: label (IM i)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT i l) (s, om) (
  s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
Hneq: i ≠ message_sender mb
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb) apply input_valid_transition_preloaded_project_any with (i := message_sender mb) in Ht as Ht'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
i: paxos_index
l: label (IM i)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT i l) (s, om) (
  s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
Hneq: i ≠ message_sender mb
Ht': s (message_sender mb) = s' (message_sender mb)
∨ (∃ li : label (IM (message_sender mb)),
     existT i l = existT (message_sender mb) li
     ∧ input_constrained_transition
         (IM (message_sender mb)) li
         (s (message_sender mb), om)
         (s' (message_sender mb), om'))
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender (b, mb).2))
    (s (message_sender (b, mb).2)) (b, mb)
↔ has_been_sent (IM (message_sender (b, mb).2))
    (s' (message_sender (b, mb).2)) (b, mb)
    cbn; destruct Ht' as [-> | [li [[= Heq] _]]]; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
i: paxos_index
l: label (IM i)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT i l) (s, om) (
  s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
Hneq: i ≠ message_sender mb
om' = Some (b, mb)
∨ has_been_sent (IM (message_sender mb))
    (s' (message_sender mb)) (b, mb)
↔ has_been_sent (IM (message_sender mb))
    (s' (message_sender mb)) (b, mb)
    rewrite or_r; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
i: paxos_index
l: label (IM i)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT i l) (s, om) (
  s', om')
IHHs: ∀ m : paxos_message,
  has_been_sent paxos_vlsm s m
  ↔ has_been_sent (IM (message_sender m.2))
      (s (message_sender m.2)) m
b: Ballot
mb: paxos_message_body
Hneq: i ≠ message_sender mb
om' ≠ Some (b, mb)
    by intros ->; destruct Ht as [_ Hstep]; apply localize_send in Hstep.
Qed.

Notation Pred_Stable_In VLSM P :=
  (forall l s im s' om, input_constrained_transition VLSM l (s, im) (s', om) -> P s -> P s').

Lemma lift_component_stable_prop ix (P : state (IM ix) -> Prop) :
  Pred_Stable_In (IM ix) P ->
  Pred_Stable_In paxos_vlsm (fun s => P (s ix)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
ix: paxos_index
P: state (IM ix) → Prop
Pred_Stable_In (IM ix) P
→ Pred_Stable_In paxos_vlsm
    (λ s0 : ∀ x : paxos_index, state (IM x), P (s0 ix))
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
ix: paxos_index
P: state (IM ix) → Prop
Pred_Stable_In (IM ix) P
→ Pred_Stable_In paxos_vlsm
    (λ s0 : ∀ x : paxos_index, state (IM x), P (s0 ix))
  intros H_stable_in_ix * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
ix: paxos_index
P: state (IM ix) → Prop
H_stable_in_ix: Pred_Stable_In (IM ix) P
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
Ht: input_constrained_transition paxos_vlsm l (
  s, im) (s', om)
(λ s : ∀ x : paxos_index, state (IM x), P (s ix)) s
→ (λ s : ∀ x : paxos_index, state (IM x), P (s ix)) s'
  destruct l as [i_l l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
ix: paxos_index
P: state (IM ix) → Prop
H_stable_in_ix: Pred_Stable_In (IM ix) P
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im) (
  s', om)
P (s ix) → P (s' ix)
  apply input_valid_transition_preloaded_project_any with (i := ix)
    in Ht as [<- | (li & _ & Ht)]; [done|].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
ix: paxos_index
P: state (IM ix) → Prop
H_stable_in_ix: Pred_Stable_In (IM ix) P
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
li: label (IM ix)
Ht: input_constrained_transition 
  (IM ix) li (s ix, im) (
  s' ix, om)
P (s ix) → P (s' ix)
  by eapply H_stable_in_ix.
Qed.

Lemma lift_acceptor_stable_prop (P : paxos_acceptor_state -> Prop) a :
  Pred_Stable_In (paxos_acceptor_vlsm a) P ->
  (forall l s im s' om,
    input_constrained_transition paxos_vlsm l (s, im) (s', om) ->
      P (s (acceptor_ix a)) -> P (s' (acceptor_ix a))).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
P: paxos_acceptor_state → Prop
a: Acceptor
Pred_Stable_In (paxos_acceptor_vlsm a) P
→ ∀ (l : label
           (preloaded_with_all_messages_vlsm
              paxos_vlsm)) (s : state
                                  (preloaded_with_all_messages_vlsm
                                     paxos_vlsm)) 
    (im : option paxos_message) (s' : state
                                        (preloaded_with_all_messages_vlsm
                                           paxos_vlsm)) 
    (om : option paxos_message),
    input_constrained_transition paxos_vlsm l (s, im)
      (s', om)
    → P (s (acceptor_ix a)) → P (s' (acceptor_ix a))
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
P: paxos_acceptor_state → Prop
a: Acceptor
Pred_Stable_In (paxos_acceptor_vlsm a) P
→ ∀ (l : label
           (preloaded_with_all_messages_vlsm
              paxos_vlsm)) (s : state
                                  (preloaded_with_all_messages_vlsm
                                     paxos_vlsm)) 
    (im : option paxos_message) (s' : state
                                        (preloaded_with_all_messages_vlsm
                                           paxos_vlsm)) 
    (om : option paxos_message),
    input_constrained_transition paxos_vlsm l (s, im)
      (s', om)
    → P (s (acceptor_ix a)) → P (s' (acceptor_ix a))
  by exact (lift_component_stable_prop (acceptor_ix a) P).
Qed.

Lemma lift_leaders_stable_prop (P : leaders_state -> Prop) :
  Pred_Stable_In leaders_vlsm P ->
  (forall l s im s' om,
    input_constrained_transition paxos_vlsm l (s, im) (s', om) ->
      P (s leaders_ix) -> P (s' leaders_ix)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
P: leaders_state → Prop
Pred_Stable_In leaders_vlsm P
→ ∀ (l : label
           (preloaded_with_all_messages_vlsm
              paxos_vlsm)) (s : state
                                  (preloaded_with_all_messages_vlsm
                                     paxos_vlsm)) 
    (im : option paxos_message) (s' : state
                                        (preloaded_with_all_messages_vlsm
                                           paxos_vlsm)) 
    (om : option paxos_message),
    input_constrained_transition paxos_vlsm l (s, im)
      (s', om) → P (s leaders_ix) → P (s' leaders_ix)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
P: leaders_state → Prop
Pred_Stable_In leaders_vlsm P
→ ∀ (l : label
           (preloaded_with_all_messages_vlsm
              paxos_vlsm)) (s : state
                                  (preloaded_with_all_messages_vlsm
                                     paxos_vlsm)) 
    (im : option paxos_message) (s' : state
                                        (preloaded_with_all_messages_vlsm
                                           paxos_vlsm)) 
    (om : option paxos_message),
    input_constrained_transition paxos_vlsm l (s, im)
      (s', om) → P (s leaders_ix) → P (s' leaders_ix)
  by exact (lift_component_stable_prop leaders_ix P).
Qed.

Lemma send_implies_sent_argument
  (a b : paxos_message) :
  (forall l s oim s',
    input_constrained_transition paxos_vlsm l (s, oim) (s', Some b) ->
    has_been_sent paxos_vlsm s a) ->
  (forall s,
    constrained_state_prop paxos_vlsm s ->
    has_been_sent paxos_vlsm s b ->
    has_been_sent paxos_vlsm s a).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
(∀ (l : label
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
   (s : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
   (oim : option paxos_message) (s' : state
                                        (preloaded_with_all_messages_vlsm
                                           paxos_vlsm)),
   input_constrained_transition paxos_vlsm l (s, oim)
     (s', Some b) → has_been_sent paxos_vlsm s a)
→ ∀ s : state
          (preloaded_with_all_messages_vlsm paxos_vlsm),
    constrained_state_prop paxos_vlsm s
    → has_been_sent paxos_vlsm s b
      → has_been_sent paxos_vlsm s a
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
(∀ (l : label
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
   (s : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
   (oim : option paxos_message) (s' : state
                                        (preloaded_with_all_messages_vlsm
                                           paxos_vlsm)),
   input_constrained_transition paxos_vlsm l (s, oim)
     (s', Some b) → has_been_sent paxos_vlsm s a)
→ ∀ s : state
          (preloaded_with_all_messages_vlsm paxos_vlsm),
    constrained_state_prop paxos_vlsm s
    → has_been_sent paxos_vlsm s b
      → has_been_sent paxos_vlsm s a
  intros * H_at_sent s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
  induction Hs using valid_state_prop_ind.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: initial_state_prop s
has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
has_been_sent paxos_vlsm s' b
→ has_been_sent paxos_vlsm s' a
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: initial_state_prop s
has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a by intros Hsent; apply has_been_sent_no_inits in Hsent.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
has_been_sent paxos_vlsm s' b
→ has_been_sent paxos_vlsm s' a rewrite 2 (has_been_sent_step_update Ht).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
om' = Some b ∨ has_been_sent paxos_vlsm s b
→ om' = Some a ∨ has_been_sent paxos_vlsm s a
    intros [-> | Hsent_b]; right.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some b)
IHHs: has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
has_been_sent paxos_vlsm s a
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
Hsent_b: has_been_sent paxos_vlsm s b
has_been_sent paxos_vlsm s a
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some b)
IHHs: has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
has_been_sent paxos_vlsm s a by apply H_at_sent in Ht.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a, b: paxos_message
H_at_sent: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)),
  input_constrained_transition paxos_vlsm
    l (s, oim) (s', Some b)
  → has_been_sent paxos_vlsm s a
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: has_been_sent paxos_vlsm s b
→ has_been_sent paxos_vlsm s a
Hsent_b: has_been_sent paxos_vlsm s b
has_been_sent paxos_vlsm s a by apply IHHs.
Qed.

Lemma sends_unique_argument
  A (f : A -> paxos_message) (P : state paxos_vlsm -> Prop)
  (f_inj : Inj eq eq f)
  (HP_stable : forall l s oim s' oom,
    input_constrained_transition paxos_vlsm l (s, oim) (s', oom) ->
    P s -> P s')
  (HP_step : forall l s oim s' x,
      input_constrained_transition paxos_vlsm l (s, oim) (s', Some (f x)) ->
      ~ P s /\ P s') :
  forall s,
    constrained_state_prop paxos_vlsm s ->
  forall a b,
    has_been_sent paxos_vlsm s (f a) ->
    has_been_sent paxos_vlsm s (f b) ->
      a = b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ a b : A,
      has_been_sent paxos_vlsm s (f a)
      → has_been_sent paxos_vlsm s (f b) → a = b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ a b : A,
      has_been_sent paxos_vlsm s (f a)
      → has_been_sent paxos_vlsm s (f b) → a = b
  intros s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
∀ a b : A,
  has_been_sent paxos_vlsm s (f a)
  → has_been_sent paxos_vlsm s (f b) → a = b
  induction Hs using valid_state_prop_ind;
    [by intros a b []%has_been_sent_no_inits |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a b : A,
  has_been_sent paxos_vlsm s (f a)
  → has_been_sent paxos_vlsm s (f b) → a = b
∀ a b : A,
  has_been_sent paxos_vlsm s' (f a)
  → has_been_sent paxos_vlsm s' (f b) → a = b
  assert (Hs : constrained_state_prop paxos_vlsm s) by apply Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a b : A,
  has_been_sent paxos_vlsm s (f a)
  → has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
∀ a b : A,
  has_been_sent paxos_vlsm s' (f a)
  → has_been_sent paxos_vlsm s' (f b) → a = b
  assert (HP_sent : forall s : state paxos_vlsm,
    constrained_state_prop paxos_vlsm s ->
    forall a : A, has_been_sent paxos_vlsm s (f a) -> P s).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a b : A,
  has_been_sent paxos_vlsm s (f a)
  → has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a b : A,
  has_been_sent paxos_vlsm s (f a)
  → has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
∀ a b : A,
  has_been_sent paxos_vlsm s' (f a)
  → has_been_sent paxos_vlsm s' (f b) → a = b
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a b : A,
  has_been_sent paxos_vlsm s (f a)
  → has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
    clear -HP_step HP_stable.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
    intros s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
    induction Hs using valid_state_prop_ind; intros a Hsent;
      [by apply has_been_sent_no_inits in Hsent |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
a: A
Hsent: has_been_sent paxos_vlsm s' (f a)
P s'
    apply has_been_sent_step_update with (1 := Ht) in Hsent as [-> | Hsent].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f a))
IHHs: ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
P s'
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
a: A
Hsent: has_been_sent paxos_vlsm s (f a)
P s'
    -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f a))
IHHs: ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
P s' by apply HP_step in Ht; apply Ht.
    -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a : A, has_been_sent paxos_vlsm s (f a) → P s
a: A
Hsent: has_been_sent paxos_vlsm s (f a)
P s' by eapply HP_stable, IHHs.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHHs: ∀ a b : A,
  has_been_sent paxos_vlsm s (f a)
  → has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
∀ a b : A,
  has_been_sent paxos_vlsm s' (f a)
  → has_been_sent paxos_vlsm s' (f b) → a = b
  intros a b Ha Hb; specialize (IHHs a b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
a, b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Ha: has_been_sent paxos_vlsm s' (f a)
Hb: has_been_sent paxos_vlsm s' (f b)
a = b
  rewrite has_been_sent_step_update with (1 := Ht) in Ha, Hb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
a, b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Ha: om' = Some (f a)
∨ has_been_sent paxos_vlsm s (f a)
Hb: om' = Some (f b)
∨ has_been_sent paxos_vlsm s (f b)
a = b
  destruct Ha as [Ha | Ha], Hb as [Hb | Hb]; [subst om'.. |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f a))
b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Hb: Some (f a) = Some (f b)
a = b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f a))
b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Hb: has_been_sent paxos_vlsm s (f b)
a = b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f b))
a: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Ha: has_been_sent paxos_vlsm s (f a)
a = b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
a, b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Ha: has_been_sent paxos_vlsm s (f a)
Hb: has_been_sent paxos_vlsm s (f b)
a = b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f a))
b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Hb: Some (f a) = Some (f b)
a = b by injection Hb; apply inj.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f a))
b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Hb: has_been_sent paxos_vlsm s (f b)
a = b apply (HP_sent _ Hs) in Hb; contradict Hb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f a))
b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
¬ P s
    by apply HP_step in Ht; apply Ht.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f b))
a: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Ha: has_been_sent paxos_vlsm s (f a)
a = b apply (HP_sent _ Hs) in Ha; contradict Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: A
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (f b))
a: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
¬ P s
    by apply HP_step in Ht; apply Ht.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
A: Type
f: A → paxos_message
P: state paxos_vlsm → Prop
f_inj: Inj eq eq f
HP_stable: Pred_Stable_In paxos_vlsm P
HP_step: ∀ (l : label
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm
            paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             paxos_vlsm)) 
  (x : A),
  input_constrained_transition paxos_vlsm l
    (s, oim) (s', Some (f x)) → 
  ¬ P s ∧ P s'
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
a, b: A
IHHs: has_been_sent paxos_vlsm s (f a)
→ has_been_sent paxos_vlsm s (f b) → a = b
Hs: constrained_state_prop paxos_vlsm s
HP_sent: ∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ a : A,
      has_been_sent paxos_vlsm s (f a) → P s
Ha: has_been_sent paxos_vlsm s (f a)
Hb: has_been_sent paxos_vlsm s (f b)
a = b by apply IHHs.
Qed.

Lemma sent_1b_once :
  forall (s : state paxos_vlsm),
    constrained_state_prop paxos_vlsm s ->
  forall (b : Ballot) (a : Acceptor) lv1 lv2,
    has_been_sent paxos_vlsm s (b, m_1b a lv1) ->
    has_been_sent paxos_vlsm s (b, m_1b a lv2) ->
    lv1 = lv2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (lv1
                                   lv2 : option
                                           (Ballot *
                                            Value)),
      has_been_sent paxos_vlsm s (b, m_1b a lv1)
      → has_been_sent paxos_vlsm s (b, m_1b a lv2)
        → lv1 = lv2
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (lv1
                                   lv2 : option
                                           (Ballot *
                                            Value)),
      has_been_sent paxos_vlsm s (b, m_1b a lv1)
      → has_been_sent paxos_vlsm s (b, m_1b a lv2)
        → lv1 = lv2
  intros s Hs b a; revert s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ lv1 lv2 : option (Ballot * Value),
      has_been_sent paxos_vlsm s (b, m_1b a lv1)
      → has_been_sent paxos_vlsm s (b, m_1b a lv2)
        → lv1 = lv2
  apply (sends_unique_argument _ (fun x => (b, m_1b a x))
    (fun s => (b <= paxos_maxBal (s (acceptor_ix a)))%Z)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
Inj eq eq
  (λ x : option (Ballot * Value), (b, m_1b a x))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (
    s, oim) (s', oom)
  → (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
    → (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (x : option (Ballot * Value)),
  input_constrained_transition paxos_vlsm l (
    s, oim) (s', Some (b, m_1b a x))
  → ¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
    ∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
Inj eq eq
  (λ x : option (Ballot * Value), (b, m_1b a x)) by intros x y; congruence.
  - (* P_stable *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
    → (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    apply (lift_acceptor_stable_prop (fun sb => b <= paxos_maxBal sb)%Z a).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
∀ (l : label
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (s : state
                                             (preloaded_with_all_messages_vlsm
                                                (paxos_acceptor_vlsm
                                                 a))) 
  (im : option paxos_message) (s' : state
                                      (preloaded_with_all_messages_vlsm
                                         (paxos_acceptor_vlsm
                                            a))) (om : 
                                                 option
                                                 paxos_message),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, im) (s', om)
  → (b ≤ paxos_maxBal s)%Z → (b ≤ paxos_maxBal s')%Z
    intros * Ht Hle.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l (
  s, im) (s', om)
Hle: (b ≤ paxos_maxBal s)%Z
(b ≤ paxos_maxBal s')%Z
    transitivity (paxos_maxBal s); [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l (
  s, im) (s', om)
Hle: (b ≤ paxos_maxBal s)%Z
(paxos_maxBal s ≤ paxos_maxBal s')%Z
    by eapply paxos_maxBal_mono.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (x : option (Ballot * Value)),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_1b a x))
  → ¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
    ∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z intros * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1b a x))
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    apply input_valid_transition_preloaded_project_active in Ht as Ht'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1b a x))
Ht': input_constrained_transition 
  (IM (projT1 l)) (projT2 l) (
  s (projT1 l), oim)
  (s' (projT1 l), Some (b, m_1b a x))
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    destruct Ht as [(_ & _ & Hvalid) Ht].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Hvalid: valid l (s, oim)
Ht: transition l (s, oim) = (s', Some (b, m_1b a x))
Ht': input_constrained_transition 
  (IM (projT1 l)) (projT2 l) (
  s (projT1 l), oim)
  (s' (projT1 l), Some (b, m_1b a x))
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    apply localize_send in Ht as Hix.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Hvalid: valid l (s, oim)
Ht: transition l (s, oim) = (s', Some (b, m_1b a x))
Ht': input_constrained_transition 
  (IM (projT1 l)) (projT2 l) (
  s (projT1 l), oim)
  (s' (projT1 l), Some (b, m_1b a x))
Hix: projT1 l = message_sender (b, m_1b a x).2
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    destruct l as [ix_l l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
ix_l: paxos_index
l: label (IM ix_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Hvalid: valid (existT ix_l l) (s, oim)
Ht: transition (existT ix_l l) (s, oim) =
(s', Some (b, m_1b a x))
Ht': input_constrained_transition
  (IM (projT1 (existT ix_l l)))
  (projT2 (existT ix_l l))
  (s (projT1 (existT ix_l l)), oim)
  (s' (projT1 (existT ix_l l)),
   Some (b, m_1b a x))
Hix: projT1 (existT ix_l l) =
message_sender (b, m_1b a x).2
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    simpl in Hix; subst ix_l; simpl in Ht'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Ht': input_constrained_transition
  (paxos_acceptor_vlsm a) l
  (s (acceptor_ix a), oim)
  (s' (acceptor_ix a), Some (b, m_1b a x))
Ht: transition (existT (acceptor_ix a) l) (s, oim) =
(s', Some (b, m_1b a x))
Hvalid: valid (existT (acceptor_ix a) l) (s, oim)
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    apply sending_1b_updates_maxBal in Ht'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Ht': (paxos_maxBal (s (acceptor_ix a)) < b)%Z
∧ paxos_maxBal (s' (acceptor_ix a)) = Some b
Ht: transition (existT (acceptor_ix a) l) (s, oim) =
(s', Some (b, m_1b a x))
Hvalid: valid (existT (acceptor_ix a) l) (s, oim)
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
    destruct Ht' as [Hlt ->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Hlt: (paxos_maxBal (s (acceptor_ix a)) < b)%Z
Ht: transition (existT (acceptor_ix a) l) (s, oim) =
(s', Some (b, m_1b a x))
Hvalid: valid (existT (acceptor_ix a) l) (s, oim)
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (b ≤ Some b)%Z
    simpl; fold (Ballot_to_Z b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: option (Ballot * Value)
Hlt: (paxos_maxBal (s (acceptor_ix a)) < b)%Z
Ht: transition (existT (acceptor_ix a) l) (s, oim) =
(s', Some (b, m_1b a x))
Hvalid: valid (existT (acceptor_ix a) l) (s, oim)
¬ (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z ∧ (b ≤ b)%Z
    by lia.
Qed.

Lemma last_vote_was_sent_paxos :
  forall s,
    constrained_state_prop paxos_vlsm s ->
  forall a lv,
    lastVote (s (acceptor_ix a)) = Some lv ->
    has_been_sent paxos_vlsm s (lv.1, m_2b a lv.2).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (lv : Ballot * Value),
      lastVote (s (acceptor_ix a)) = Some lv
      → has_been_sent paxos_vlsm s (lv.1, m_2b a lv.2)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (lv : Ballot * Value),
      lastVote (s (acceptor_ix a)) = Some lv
      → has_been_sent paxos_vlsm s (lv.1, m_2b a lv.2)
  intros s Hs a lv Hlv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
lv: (Ballot * Value)%type
Hlv: lastVote (s (acceptor_ix a)) = Some lv
has_been_sent paxos_vlsm s (lv.1, m_2b a lv.2)
  apply localize_sent_messages; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
lv: (Ballot * Value)%type
Hlv: lastVote (s (acceptor_ix a)) = Some lv
has_been_sent
  (IM (message_sender (lv.1, m_2b a lv.2).2))
  (s (message_sender (lv.1, m_2b a lv.2).2))
  (lv.1, m_2b a lv.2)
  apply last_vote_was_sent; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
lv: (Ballot * Value)%type
Hlv: lastVote (s (acceptor_ix a)) = Some lv
constrained_state_prop (paxos_acceptor_vlsm a)
  (s (message_sender (lv.1, m_2b a lv.2).2))
  by apply valid_state_project_preloaded_to_preloaded with (i := acceptor_ix a) in Hs.
Qed.

Lemma sent_1b_impl_sent_lastvote_as_2b :
  forall s, constrained_state_prop paxos_vlsm s ->
  forall (b : Ballot) (a : Acceptor) (b_lv : Ballot) (v_lv : Value),
    has_been_sent paxos_vlsm s (b, m_1b a (Some (b_lv, v_lv))) ->
    has_been_sent paxos_vlsm s (b_lv, m_2b a v_lv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (b_lv : Ballot) 
      (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → has_been_sent paxos_vlsm s (b_lv, m_2b a v_lv)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (b_lv : Ballot) 
      (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → has_been_sent paxos_vlsm s (b_lv, m_2b a v_lv)
  intros s Hs b a b_lv v_lv; revert s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → has_been_sent paxos_vlsm s
      (b, m_1b a (Some (b_lv, v_lv)))
    → has_been_sent paxos_vlsm s (b_lv, m_2b a v_lv)
  apply send_implies_sent_argument.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_1b a (Some (b_lv, v_lv))))
  → has_been_sent paxos_vlsm s (b_lv, m_2b a v_lv)
  intros [i_l l] s im s' Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im)
  (s', Some (b, m_1b a (Some (b_lv, v_lv))))
has_been_sent paxos_vlsm s (b_lv, m_2b a v_lv)
  assert (i_l = acceptor_ix a) as ->
    by (destruct Ht as [_ Ht]; apply localize_send in Ht; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT (acceptor_ix a) l) (
  s, im)
  (s', Some (b, m_1b a (Some (b_lv, v_lv))))
has_been_sent paxos_vlsm s (b_lv, m_2b a v_lv)
  apply localize_sent_messages; cbn; [by apply Ht |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT (acceptor_ix a) l) (
  s, im)
  (s', Some (b, m_1b a (Some (b_lv, v_lv))))
paxos_acceptor_has_been_sent a (s (acceptor_ix a))
  (b_lv, m_2b a v_lv)
  apply input_valid_transition_preloaded_project_active
    in Ht as [(Hs & _ & Hvalid) Ht]; cbn in Hvalid, Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (IM (projT1 (existT (acceptor_ix a) l))))
  (s (projT1 (existT (acceptor_ix a) l)))
Hvalid: paxos_acceptor_valid l
  (s (acceptor_ix a), im)
Ht: paxos_acceptor_transition a l
  (s (acceptor_ix a), im) =
(s' (acceptor_ix a),
 Some (b, m_1b a (Some (b_lv, v_lv))))
paxos_acceptor_has_been_sent a (s (acceptor_ix a))
  (b_lv, m_2b a v_lv)
  apply examine_paxos_acceptor_output in Ht as Hl; destruct Hl as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: paxos_acceptor_transition a A_send_1b
  (s (acceptor_ix a), im) =
(s' (acceptor_ix a),
 Some (b, m_1b a (Some (b_lv, v_lv))))
Hvalid: paxos_acceptor_valid A_send_1b
  (s (acceptor_ix a), im)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (IM
        (projT1
           (existT (acceptor_ix a) A_send_1b))))
  (s (projT1 (existT (acceptor_ix a) A_send_1b)))
paxos_acceptor_has_been_sent a (s (acceptor_ix a))
  (b_lv, m_2b a v_lv)
  simpl in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: paxos_acceptor_transition a A_send_1b
  (s (acceptor_ix a), im) =
(s' (acceptor_ix a),
 Some (b, m_1b a (Some (b_lv, v_lv))))
Hvalid: match im with
| Some (b, m_1a) =>
    (paxos_maxBal (s (acceptor_ix a)) < b)%Z
| Some (b, m_1b _ _) | Some (b, m_1c _) |
  Some (b, m_2a _) | Some (b, m_2b _ _) =>
    False
| None => False
end
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (IM
        (projT1
           (existT (acceptor_ix a) A_send_1b))))
  (s (projT1 (existT (acceptor_ix a) A_send_1b)))
paxos_acceptor_has_been_sent a (s (acceptor_ix a))
  (b_lv, m_2b a v_lv)
  destruct im as [[ib []] |]; [| done..].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
ib: Ballot
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: paxos_acceptor_transition a A_send_1b
  (s (acceptor_ix a), Some (ib, m_1a)) =
(s' (acceptor_ix a),
 Some (b, m_1b a (Some (b_lv, v_lv))))
Hvalid: (paxos_maxBal (s (acceptor_ix a)) < ib)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (IM
        (projT1
           (existT (acceptor_ix a) A_send_1b))))
  (s (projT1 (existT (acceptor_ix a) A_send_1b)))
paxos_acceptor_has_been_sent a (s (acceptor_ix a))
  (b_lv, m_2b a v_lv)
  injection Ht as [= Heq_s' -> Hlv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
b_lv: Ballot
v_lv: Value
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Heq_s': {|
  paxos_maxBal := Some b;
  lastVote := lastVote (s (acceptor_ix a));
  sent_messages :=
    (b, m_1b a (lastVote (s (acceptor_ix a))))
    :: sent_messages (s (acceptor_ix a))
|} = s' (acceptor_ix a)
Hlv: lastVote (s (acceptor_ix a)) = Some (b_lv, v_lv)
Hvalid: (paxos_maxBal (s (acceptor_ix a)) < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (IM
        (projT1
           (existT (acceptor_ix a) A_send_1b))))
  (s (projT1 (existT (acceptor_ix a) A_send_1b)))
paxos_acceptor_has_been_sent a (s (acceptor_ix a))
  (b_lv, m_2b a v_lv)
  by revert Hlv; apply last_vote_was_sent.
Qed.

Lemma sent_2b_after_2a :
  forall s, constrained_state_prop paxos_vlsm s ->
  forall (b : Ballot) (a : Acceptor) v,
    has_been_sent paxos_vlsm s (b, m_2b a v) ->
    has_been_sent paxos_vlsm s (b, m_2a v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (v : Value),
      has_been_sent paxos_vlsm s (b, m_2b a v)
      → has_been_sent paxos_vlsm s (b, m_2a v)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (v : Value),
      has_been_sent paxos_vlsm s (b, m_2b a v)
      → has_been_sent paxos_vlsm s (b, m_2a v)
  intros s Hs b a v; revert s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → has_been_sent paxos_vlsm s (b, m_2b a v)
    → has_been_sent paxos_vlsm s (b, m_2a v)
  apply send_implies_sent_argument.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_2b a v))
  → has_been_sent paxos_vlsm s (b, m_2a v)
  intros [i_l l] s im s' Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im) (
  s', Some (b, m_2b a v))
has_been_sent paxos_vlsm s (b, m_2a v)
  cut (im = Some (b, m_2a v)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im) (
  s', Some (b, m_2b a v))
im = Some (b, m_2a v)
→ has_been_sent paxos_vlsm s (b, m_2a v)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im) (
  s', Some (b, m_2b a v))
im = Some (b, m_2a v)
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im) (
  s', Some (b, m_2b a v))
im = Some (b, m_2a v)
→ has_been_sent paxos_vlsm s (b, m_2a v)
     by intros ->; destruct Ht as [[_ [_ [_ []]]] _].
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im) (
  s', Some (b, m_2b a v))
im = Some (b, m_2a v)
  destruct (Ht) as [_ Hstep].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
i_l: paxos_index
l: label (IM i_l)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT i_l l) (s, im) (
  s', Some (b, m_2b a v))
Hstep: transition (existT i_l l) (s, im) =
(s', Some (b, m_2b a v))
im = Some (b, m_2a v)
  apply localize_send in Hstep as Hi_l; simpl in Hi_l; subst i_l; clear Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT (acceptor_ix a) l) (
  s, im) (s', Some (b, m_2b a v))
im = Some (b, m_2a v)
  apply input_valid_transition_preloaded_project_active in Ht; simpl in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l
  (s (acceptor_ix a), im)
  (s' (acceptor_ix a), Some (b, m_2b a v))
im = Some (b, m_2a v)
  destruct Ht as [(_ & _ & Hvalid) Hstep_a]; cbn in Hstep_a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hvalid: valid l (s (acceptor_ix a), im)
Hstep_a: paxos_acceptor_transition a l
  (s (acceptor_ix a), im) =
(s' (acceptor_ix a), Some (b, m_2b a v))
im = Some (b, m_2a v)
  apply examine_paxos_acceptor_output in Hstep_a as Hl; destruct Hl as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hstep_a: paxos_acceptor_transition a A_send_2b
  (s (acceptor_ix a), im) =
(s' (acceptor_ix a), Some (b, m_2b a v))
Hvalid: valid A_send_2b (s (acceptor_ix a), im)
im = Some (b, m_2a v)
  by cbn in Hvalid; destruct im as [[? []] |]; inversion Hstep_a.
Qed.

Lemma sent_2a_unique :
  forall s : state paxos_vlsm,
    constrained_state_prop paxos_vlsm s ->
  forall (b : Ballot) (v w : Value),
    has_been_sent paxos_vlsm s (b, m_2a v) ->
    has_been_sent paxos_vlsm s (b, m_2a w) ->
    v = w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (v w : Value),
      has_been_sent paxos_vlsm s (b, m_2a v)
      → has_been_sent paxos_vlsm s (b, m_2a w) → v = w
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (v w : Value),
      has_been_sent paxos_vlsm s (b, m_2a v)
      → has_been_sent paxos_vlsm s (b, m_2a w) → v = w
  intros s Hs b; revert s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ v w : Value,
      has_been_sent paxos_vlsm s (b, m_2a v)
      → has_been_sent paxos_vlsm s (b, m_2a w) → v = w
  apply (sends_unique_argument Value (fun v => (b, m_2a v))
    (fun s => is_Some (sent_2a ((s leaders_ix : leaders_state) !!! b)))).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
Inj eq eq (λ v : Value, (b, m_2a v))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (
    s, oim) (s', oom)
  → is_Some (sent_2a (s leaders_ix !!! b))
    → is_Some (sent_2a (s' leaders_ix !!! b))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (x : Value),
  input_constrained_transition paxos_vlsm l (
    s, oim) (s', Some (b, m_2a x))
  → ¬ is_Some (sent_2a (s leaders_ix !!! b))
    ∧ is_Some (sent_2a (s' leaders_ix !!! b))
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
Inj eq eq (λ v : Value, (b, m_2a v)) by intros x y; congruence.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → is_Some (sent_2a (s leaders_ix !!! b))
    → is_Some (sent_2a (s' leaders_ix !!! b)) apply (lift_leaders_stable_prop (fun sl => is_Some (sent_2a (sl !!! b)))).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
∀ (l : label
         (preloaded_with_all_messages_vlsm
            leaders_vlsm)) (s : state
                                  (preloaded_with_all_messages_vlsm
                                     leaders_vlsm)) 
  (im : option paxos_message) (s' : state
                                      (preloaded_with_all_messages_vlsm
                                         leaders_vlsm)) 
  (om : option paxos_message),
  input_constrained_transition leaders_vlsm l (s, im)
    (s', om)
  → is_Some (sent_2a (s !!! b))
    → is_Some (sent_2a (s' !!! b))
    intros [b_l l] * [_ Hstep].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b, b_l: Ballot
l: leader_label
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
om: option paxos_message
Hstep: transition (b_l, l) (s, im) = (s', om)
is_Some (sent_2a (s !!! b))
→ is_Some (sent_2a (s' !!! b))
    change transition with leaders_transition in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b, b_l: Ballot
l: leader_label
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
om: option paxos_message
Hstep: leaders_transition (b_l, l) (s, im) = (s', om)
is_Some (sent_2a (s !!! b))
→ is_Some (sent_2a (s' !!! b))
    unfold leaders_transition in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b, b_l: Ballot
l: leader_label
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
om: option paxos_message
Hstep: match leader_transition l (s !!! b_l, im) with
| Some (sb', om) =>
    (<[b_l:=sb']> s, pair b_l <$> om)
| None => (s, None)
end = (s', om)
is_Some (sent_2a (s !!! b))
→ is_Some (sent_2a (s' !!! b))
    destruct (leader_transition l _) as [[sb' omb] |] eqn: H_step_l;
      injection Hstep as [= <- <-]; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b, b_l: Ballot
l: leader_label
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
H_step_l: leader_transition l (s !!! b_l, im) =
Some (sb', omb)
is_Some (sent_2a (s !!! b))
→ is_Some (sent_2a (<[b_l:=sb']> s !!! b))
    destruct (decide (b = b_l)) as [<- | Hneq];
      [| by rewrite (lookup_total_insert_ne s)].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
H_step_l: leader_transition l (s !!! b, im) =
Some (sb', omb)
is_Some (sent_2a (s !!! b))
→ is_Some (sent_2a (<[b:=sb']> s !!! b))
    rewrite (lookup_total_insert s b sb').Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: leader_label
s: state
  (preloaded_with_all_messages_vlsm leaders_vlsm)
im: option paxos_message
sb': ballot_state
omb: option paxos_message_body
H_step_l: leader_transition l (s !!! b, im) =
Some (sb', omb)
is_Some (sent_2a (s !!! b)) → is_Some (sent_2a sb')
    by cbn in H_step_l; repeat case_match; inversion H_step_l.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (x : Value),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_2a x))
  → ¬ is_Some (sent_2a (s leaders_ix !!! b))
    ∧ is_Some (sent_2a (s' leaders_ix !!! b)) intros [ix l] * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
ix: paxos_index
l: label (IM ix)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: Value
Ht: input_constrained_transition paxos_vlsm
  (existT ix l) (s, oim) (
  s', Some (b, m_2a x))
¬ is_Some (sent_2a (s leaders_ix !!! b))
∧ is_Some (sent_2a (s' leaders_ix !!! b))
    destruct (Ht) as [_ Hix].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
ix: paxos_index
l: label (IM ix)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: Value
Ht: input_constrained_transition paxos_vlsm
  (existT ix l) (s, oim) (
  s', Some (b, m_2a x))
Hix: transition (existT ix l) (s, oim) =
(s', Some (b, m_2a x))
¬ is_Some (sent_2a (s leaders_ix !!! b))
∧ is_Some (sent_2a (s' leaders_ix !!! b))
    apply localize_send in Hix; simpl in Hix; subst ix.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: label (IM leaders_ix)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: Value
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_2a x))
¬ is_Some (sent_2a (s leaders_ix !!! b))
∧ is_Some (sent_2a (s' leaders_ix !!! b))
    apply input_valid_transition_preloaded_project_active in Ht; simpl in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: label (IM leaders_ix)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
x: Value
Ht: input_constrained_transition leaders_vlsm l
  (s leaders_ix, oim)
  (s' leaders_ix, Some (b, m_2a x))
¬ is_Some (sent_2a (s leaders_ix !!! b))
∧ is_Some (sent_2a (s' leaders_ix !!! b))
    revert Ht; generalize (s leaders_ix) as sl, (s' leaders_ix) as sl'; clear s s'; intros.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: label (IM leaders_ix)
oim: option paxos_message
x: Value
sl, sl': state (IM leaders_ix)
Ht: input_constrained_transition leaders_vlsm l
  (sl, oim) (sl', Some (b, m_2a x))
¬ is_Some (sent_2a (sl !!! b))
∧ is_Some (sent_2a (sl' !!! b))
    destruct Ht as [(_ & _ & Hvalid) Hstep].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: label (IM leaders_ix)
oim: option paxos_message
x: Value
sl, sl': state (IM leaders_ix)
Hvalid: valid l (sl, oim)
Hstep: transition l (sl, oim) =
(sl', Some (b, m_2a x))
¬ is_Some (sent_2a (sl !!! b))
∧ is_Some (sent_2a (sl' !!! b))
    change valid with leaders_valid in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: label (IM leaders_ix)
oim: option paxos_message
x: Value
sl, sl': state (IM leaders_ix)
Hvalid: leaders_valid l (sl, oim)
Hstep: transition l (sl, oim) =
(sl', Some (b, m_2a x))
¬ is_Some (sent_2a (sl !!! b))
∧ is_Some (sent_2a (sl' !!! b))
    change transition with leaders_transition in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
l: label (IM leaders_ix)
oim: option paxos_message
x: Value
sl, sl': state (IM leaders_ix)
Hvalid: leaders_valid l (sl, oim)
Hstep: leaders_transition l (sl, oim) =
(sl', Some (b, m_2a x))
¬ is_Some (sent_2a (sl !!! b))
∧ is_Some (sent_2a (sl' !!! b))
    apply examine_leaders_output in Hstep as Hl; subst l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
oim: option paxos_message
x: Value
sl, sl': state (IM leaders_ix)
Hstep: leaders_transition (b, L_send_2a x) (sl, oim) =
(sl', Some (b, m_2a x))
Hvalid: leaders_valid (b, L_send_2a x) (sl, oim)
¬ is_Some (sent_2a (sl !!! b))
∧ is_Some (sent_2a (sl' !!! b))
    destruct oim; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
x: Value
sl, sl': state (IM leaders_ix)
Hstep: leaders_transition (b, L_send_2a x) (sl, None) =
(sl', Some (b, m_2a x))
Hvalid: leaders_valid (b, L_send_2a x) (sl, None)
¬ is_Some (sent_2a (sl !!! b))
∧ is_Some (sent_2a (sl' !!! b))
    destruct Hvalid as [H_field_2a _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
x: Value
sl, sl': state (IM leaders_ix)
Hstep: leaders_transition (b, L_send_2a x) (sl, None) =
(sl', Some (b, m_2a x))
H_field_2a: None = sent_2a (default ∅ (sl !! b))
¬ is_Some (sent_2a (sl !!! b))
∧ is_Some (sent_2a (sl' !!! b))
    cbn in Hstep; replace (sent_2a _) with (@None Value) in Hstep |- *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
x: Value
sl, sl': state (IM leaders_ix)
Hstep: (<[b:=set_sent_2a x (sl !!! b)]> sl,
 pair b <$> Some (m_2a x)) =
(sl', Some (b, m_2a x))
H_field_2a: None = sent_2a (default ∅ (sl !! b))
¬ is_Some None ∧ is_Some (sent_2a (sl' !!! b))
    injection Hstep as [= <-].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
x: Value
sl: state (IM leaders_ix)
H_field_2a: None = sent_2a (default ∅ (sl !! b))
¬ is_Some None
∧ is_Some
    (sent_2a
       (<[b:=set_sent_2a x (sl !!! b)]> sl !!! b))
    rewrite (lookup_total_insert sl).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
x: Value
sl: state (IM leaders_ix)
H_field_2a: None = sent_2a (default ∅ (sl !! b))
¬ is_Some None
∧ is_Some (sent_2a (set_sent_2a x (sl !!! b)))
    unfold is_Some; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
x: Value
sl: state (IM leaders_ix)
H_field_2a: None = sent_2a (default ∅ (sl !! b))
¬ (∃ x : Value, None = Some x)
∧ (∃ x0 : Value, Some x = Some x0)
    by split; [intros [] | eexists].
Qed.

Lemma sent_2b_unique :
  forall s,
    constrained_state_prop paxos_vlsm s ->
  forall (b : Ballot) (a : Acceptor) v w,
    has_been_sent paxos_vlsm s (b, m_2b a v) ->
    has_been_sent paxos_vlsm s (b, m_2b a w) ->
    v = w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (v w : Value),
      has_been_sent paxos_vlsm s (b, m_2b a v)
      → has_been_sent paxos_vlsm s (b, m_2b a w)
        → v = w
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (a : Acceptor) (v w : Value),
      has_been_sent paxos_vlsm s (b, m_2b a v)
      → has_been_sent paxos_vlsm s (b, m_2b a w)
        → v = w
  intros s Hs b a v w Hv Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v, w: Value
Hv: has_been_sent paxos_vlsm s (b, m_2b a v)
Hw: has_been_sent paxos_vlsm s (b, m_2b a w)
v = w
  apply sent_2b_after_2a in Hv, Hw; [| done..].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v, w: Value
Hv: has_been_sent paxos_vlsm s (b, m_2a v)
Hw: has_been_sent paxos_vlsm s (b, m_2a w)
v = w
  by eapply sent_2a_unique.
Qed.

Lemma sent_2a_after_1c :
  forall s,
    constrained_state_prop paxos_vlsm s ->
  forall (b : Ballot) (v : Value),
    has_been_sent paxos_vlsm s (b, m_2a v) ->
    exists (safe_v : AllOrFin VSet),
      v ∈ safe_v /\ has_been_sent paxos_vlsm s (b, m_1c safe_v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (v : Value),
      has_been_sent paxos_vlsm s (b, m_2a v)
      → ∃ safe_v : AllOrFin VSet,
          v ∈ safe_v
          ∧ has_been_sent paxos_vlsm s
              (b, m_1c safe_v)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (v : Value),
      has_been_sent paxos_vlsm s (b, m_2a v)
      → ∃ safe_v : AllOrFin VSet,
          v ∈ safe_v
          ∧ has_been_sent paxos_vlsm s
              (b, m_1c safe_v)
  intros s Hs b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s (b, m_1c safe_v)
  induction Hs using valid_state_prop_ind;
    [by intros Hsent%has_been_sent_no_inits |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
has_been_sent paxos_vlsm s' (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
  rewrite (has_been_sent_step_update Ht).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
om' = Some (b, m_2a v)
∨ has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
  intros [Hnew | Hsent]; cycle 1.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
Hsent: has_been_sent paxos_vlsm s (b, m_2a v)
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
Hnew: om' = Some (b, m_2a v)
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
Hsent: has_been_sent paxos_vlsm s (b, m_2a v)
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v) destruct (IHHs Hsent) as (safe_v & Hv & Hsent_1c).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
Hsent: has_been_sent paxos_vlsm s (b, m_2a v)
safe_v: AllOrFin VSet
Hv: v ∈ safe_v
Hsent_1c: has_been_sent paxos_vlsm s (b, m_1c safe_v)
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    exists safe_v; split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
Hsent: has_been_sent paxos_vlsm s (b, m_2a v)
safe_v: AllOrFin VSet
Hv: v ∈ safe_v
Hsent_1c: has_been_sent paxos_vlsm s (b, m_1c safe_v)
has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    rewrite (has_been_sent_step_update Ht).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
Hsent: has_been_sent paxos_vlsm s (b, m_2a v)
safe_v: AllOrFin VSet
Hv: v ∈ safe_v
Hsent_1c: has_been_sent paxos_vlsm s (b, m_1c safe_v)
om' = Some (b, m_1c safe_v)
∨ has_been_sent paxos_vlsm s (b, m_1c safe_v)
    by right.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
IHHs: has_been_sent paxos_vlsm s (b, m_2a v)
→ ∃ safe_v : AllOrFin VSet,
    v ∈ safe_v
    ∧ has_been_sent paxos_vlsm s
        (b, m_1c safe_v)
Hnew: om' = Some (b, m_2a v)
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v) clear IHHs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
b: Ballot
v: Value
Hnew: om' = Some (b, m_2a v)
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    subst om'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (b, m_2a v))
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    assert (Hs' : constrained_state_prop paxos_vlsm s')
      by (apply input_valid_transition_destination in Ht; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    destruct l as [ix l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
ix: paxos_index
l: label (IM ix)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT ix l) (s, om) (
  s', Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    destruct (Ht) as [_ Hstep].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
ix: paxos_index
l: label (IM ix)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT ix l) (s, om) (
  s', Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
Hstep: transition (existT ix l) (s, om) =
(s', Some (b, m_2a v))
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    apply localize_send in Hstep; simpl in Hstep; subst ix.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix l) (
  s, om) (s', Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    apply input_valid_transition_preloaded_project_active in Ht; simpl in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_constrained_transition leaders_vlsm l
  (s leaders_ix, om)
  (s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    destruct (Ht) as [_ Hstep].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_constrained_transition leaders_vlsm l
  (s leaders_ix, om)
  (s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
Hstep: transition l (s leaders_ix, om) =
(s' leaders_ix, Some (b, m_2a v))
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    apply examine_leaders_output in Hstep; subst l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Ht: input_constrained_transition leaders_vlsm
  (b, L_send_2a v) (s leaders_ix, om)
  (s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    destruct Ht as [(_ & _ & Hvalid) Hstep]; cbn in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Hvalid: match om with
| Some _ => False
| None =>
    None =
    sent_2a (default ∅ (s leaders_ix !! b))
    ∧ (∃ safe_vs : AllOrFin VSet,
         v ∈ safe_vs
         ∧ safe_vs
           ∈ sent_1c
               (default ∅ (s leaders_ix !! b)))
end
Hstep: transition (b, L_send_2a v) (s leaders_ix, om) =
(s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    change transition with leaders_transition in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om: option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Hvalid: match om with
| Some _ => False
| None =>
    None =
    sent_2a (default ∅ (s leaders_ix !! b))
    ∧ (∃ safe_vs : AllOrFin VSet,
         v ∈ safe_vs
         ∧ safe_vs
           ∈ sent_1c
               (default ∅ (s leaders_ix !! b)))
end
Hstep: leaders_transition (b, L_send_2a v)
  (s leaders_ix, om) =
(s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    destruct om; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
Hvalid: None =
sent_2a (default ∅ (s leaders_ix !! b))
∧ (∃ safe_vs : AllOrFin VSet,
     v ∈ safe_vs
     ∧ safe_vs
       ∈ sent_1c
           (default ∅ (s leaders_ix !! b)))
Hstep: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    destruct Hvalid as (H_no_sent_2a & safe_v & H_vs & H_sent_1c).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
H_sent_1c: safe_v
∈ sent_1c (default ∅ (s leaders_ix !! b))
Hstep: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
∃ safe_v : AllOrFin VSet,
  v ∈ safe_v
  ∧ has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    exists safe_v; split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
H_sent_1c: safe_v
∈ sent_1c (default ∅ (s leaders_ix !! b))
Hstep: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
has_been_sent paxos_vlsm s' (b, m_1c safe_v)
    apply localize_sent_messages; cbn in Hstep |- *; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
H_sent_1c: safe_v
∈ sent_1c (default ∅ (s leaders_ix !! b))
Hstep: match
  (if sent_2a (s leaders_ix !!! b)
   then None
   else
    Some
      (set_sent_2a v (s leaders_ix !!! b),
       Some (m_2a v)))
with
| Some (sb', om) =>
    (<[b:=sb']> (s leaders_ix), pair b <$> om)
| None => (s leaders_ix, None)
end = (s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
safe_v ∈ sent_1c (s' leaders_ix !!! b)
    replace (sent_2a _) with (@None Value) in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
H_sent_1c: safe_v
∈ sent_1c (default ∅ (s leaders_ix !! b))
Hstep: (<[b:=set_sent_2a v (s leaders_ix !!! b)]>
   (s leaders_ix), pair b <$> Some (m_2a v)) =
(s' leaders_ix, Some (b, m_2a v))
Hs': constrained_state_prop paxos_vlsm s'
safe_v ∈ sent_1c (s' leaders_ix !!! b)
    injection Hstep as [= <-].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
H_sent_1c: safe_v
∈ sent_1c (default ∅ (s leaders_ix !! b))
Hs': constrained_state_prop paxos_vlsm s'
safe_v
∈ sent_1c
    (<[b:=set_sent_2a v (s leaders_ix !!! b)]>
       (s leaders_ix) !!! b)
    rewrite (lookup_total_insert (s leaders_ix)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
H_sent_1c: safe_v
∈ sent_1c (default ∅ (s leaders_ix !! b))
Hs': constrained_state_prop paxos_vlsm s'
safe_v ∈ sent_1c (set_sent_2a v (s leaders_ix !!! b))
    change (safe_v ∈ sent_1c ((s leaders_ix : leaders_state) !!! b)) in H_sent_1c.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
H_sent_1c: safe_v
∈ sent_1c
    ((s leaders_ix : leaders_state) !!! b)
Hs': constrained_state_prop paxos_vlsm s'
safe_v ∈ sent_1c (set_sent_2a v (s leaders_ix !!! b))
    revert H_sent_1c.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s', s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b: Ballot
v: Value
H_no_sent_2a: None =
sent_2a (default ∅ (s leaders_ix !! b))
safe_v: AllOrFin VSet
H_vs: v ∈ safe_v
Hs': constrained_state_prop paxos_vlsm s'
safe_v
∈ sent_1c ((s leaders_ix : leaders_state) !!! b)
→ safe_v
  ∈ sent_1c (set_sent_2a v (s leaders_ix !!! b))
    clear -s; generalize ((s leaders_ix : leaders_state) !!! b) as sb; clear s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
EqDecision1: EqDecision VSet
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
b: Ballot
v: Value
safe_v: AllOrFin VSet
∀ sb : ballot_state,
  safe_v ∈ sent_1c sb
  → safe_v ∈ sent_1c (set_sent_2a v sb)
    by intros []; simpl.
Qed.

Lemma sender_id_m_2b :
  forall s,
    constrained_state_prop paxos_vlsm s ->
  forall a b v a',
    (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a')) ->
    a' = a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (b : Ballot) (v : Value) (a' : Acceptor),
      (b, m_2b a v)
      ∈ sent_messages (s (acceptor_ix a')) → a' = a
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (b : Ballot) (v : Value) (a' : Acceptor),
      (b, m_2b a v)
      ∈ sent_messages (s (acceptor_ix a')) → a' = a
  intros s Hs a b v a'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
a': Acceptor
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a'))
→ a' = a
  induction Hs using valid_state_prop_ind;
    [by rewrite (Hs (acceptor_ix a')), elem_of_nil |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
a': Acceptor
IHHs: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix a')) → 
a' = a
(b, m_2b a v) ∈ sent_messages (s' (acceptor_ix a'))
→ a' = a
  destruct (decide (a' = a)); [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
a': Acceptor
IHHs: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix a')) → 
a' = a
n: a' ≠ a
(b, m_2b a v) ∈ sent_messages (s' (acceptor_ix a'))
→ a' = a
  intros Hs'; apply IHHs; clear IHHs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
a': Acceptor
n: a' ≠ a
Hs': (b, m_2b a v)
∈ sent_messages (s' (acceptor_ix a'))
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a'))
  apply input_valid_transition_preloaded_project_any with (i := acceptor_ix a') in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a': Acceptor
Ht: s (acceptor_ix a') = s' (acceptor_ix a')
∨ (∃ li : label (IM (acceptor_ix a')),
     l = existT (acceptor_ix a') li
     ∧ input_constrained_transition
         (IM (acceptor_ix a')) li
         (s (acceptor_ix a'), om)
         (s' (acceptor_ix a'), om'))
a: Acceptor
b: Ballot
v: Value
n: a' ≠ a
Hs': (b, m_2b a v)
∈ sent_messages (s' (acceptor_ix a'))
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a'))
  destruct Ht as [-> | (li & -> & _ & Hstep)]; [done |]; cbn in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a': Acceptor
li: label (IM (acceptor_ix a'))
Hstep: paxos_acceptor_transition a' li
  (s (acceptor_ix a'), om) =
(s' (acceptor_ix a'), om')
a: Acceptor
b: Ballot
v: Value
n: a' ≠ a
Hs': (b, m_2b a v)
∈ sent_messages (s' (acceptor_ix a'))
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a'))
  revert Hstep Hs'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a': Acceptor
li: label (IM (acceptor_ix a'))
a: Acceptor
b: Ballot
v: Value
n: a' ≠ a
paxos_acceptor_transition a' li
  (s (acceptor_ix a'), om) =
(s' (acceptor_ix a'), om')
→ (b, m_2b a v) ∈ sent_messages (s' (acceptor_ix a'))
  → (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a'))
  generalize (s (acceptor_ix a')); intros sa.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a': Acceptor
li: label (IM (acceptor_ix a'))
a: Acceptor
b: Ballot
v: Value
n: a' ≠ a
sa: state (IM (acceptor_ix a'))
paxos_acceptor_transition a' li (sa, om) =
(s' (acceptor_ix a'), om')
→ (b, m_2b a v) ∈ sent_messages (s' (acceptor_ix a'))
  → (b, m_2b a v) ∈ sent_messages sa
  generalize (s' (acceptor_ix a')); intros sa'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a': Acceptor
li: label (IM (acceptor_ix a'))
a: Acceptor
b: Ballot
v: Value
n: a' ≠ a
sa, sa': state (IM (acceptor_ix a'))
paxos_acceptor_transition a' li (sa, om) = (sa', om')
→ (b, m_2b a v) ∈ sent_messages sa'
  → (b, m_2b a v) ∈ sent_messages sa
  unfold paxos_acceptor_transition.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
a': Acceptor
li: label (IM (acceptor_ix a'))
a: Acceptor
b: Ballot
v: Value
n: a' ≠ a
sa, sa': state (IM (acceptor_ix a'))
match li with
| A_send_1b =>
    match om with
    | Some (b, m_1a) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := lastVote sa;
           sent_messages :=
             (b, m_1b a' (lastVote sa))
             :: sent_messages sa
         |}, Some (b, m_1b a' (lastVote sa)))
    | Some (b, m_1b _ _) | Some (b, m_1c _) |
      Some (b, m_2a _) | Some (b, m_2b _ _) =>
        ((sa, om).1, None)
    | None => ((sa, om).1, None)
    end
| A_send_2b =>
    match om with
    | Some (b, m_2a v) =>
        ({|
           paxos_maxBal := Some b;
           lastVote := Some (b, v);
           sent_messages :=
             (b, m_2b a' v) :: sent_messages sa
         |}, Some (b, m_2b a' v))
    | Some (b, m_1a) | Some (b, m_1b _ _) |
      Some (b, m_1c _) | Some (b, m_2b _ _) =>
        ((sa, om).1, None)
    | None => ((sa, om).1, None)
    end
end = (sa', om')
→ (b, m_2b a v) ∈ sent_messages sa'
  → (b, m_2b a v) ∈ sent_messages sa
  by repeat case_match; intros [= <- <-]; cbn; try done;
    rewrite elem_of_cons; intros [[=] |].
Qed.

Define various functions and lemmas that only need to work over a single state, without referring to transitions.

This includes the claims of invariants.

Section sec_paxos_refinement_map.

Context
  (s : state paxos_vlsm)
  (Hs : constrained_state_prop paxos_vlsm s)
  .

Definition was_voted (a : Acceptor) (b : Ballot) (v : Value) : Prop :=
  has_been_sent paxos_vlsm s (b, m_2b a v).

Definition is_chosen (v : Value) : Prop :=
  exists (Q : sig Quorum) (b : Ballot), forall a, a ∈ `Q -> was_voted a b v.

These predicates are decidable. The sets Ballot and Value may be infinite, but it is only necessary to consider ballots or values that have ever been used in a phase 2B vote message, and the set of sent messages is finite.

Definition vote_messages : list (Ballot * Acceptor * Value) :=
  enum Acceptor ≫= fun a =>
    omap
      (fun '(b, m) =>
         match m with
         | m_2b a' v => if decide (a' = a) then Some (b, a, v) else None
         | _ => None
         end)
      (sent_messages (s (acceptor_ix a))).

Lemma vote_messages_complete :
  forall a b v,
    was_voted a b v -> (b, a, v) ∈ vote_messages.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  was_voted a b v → (b, a, v) ∈ vote_messages
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  was_voted a b v → (b, a, v) ∈ vote_messages
  intros a b v [[| ia] Hsent]; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: has_been_sent (IM (acceptor_ix ia))
  (s (acceptor_ix ia)) (
  b, m_2b a v)
(b, a, v) ∈ vote_messages
  change (has_been_sent _) with (paxos_acceptor_has_been_sent a) in Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: paxos_acceptor_has_been_sent a
  (s (acceptor_ix ia)) (
  b, m_2b a v)
(b, a, v) ∈ vote_messages
  unfold paxos_acceptor_has_been_sent in Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(b, a, v) ∈ vote_messages
  unfold vote_messages.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(b, a, v)
∈ enum Acceptor
  ≫= (λ a : Acceptor,
        omap
          (λ pat : Ballot * paxos_message_body,
             match pat with
             | (b, m_1a) | (b, m_1b _ _) |
               (b, m_1c _) | (b, m_2a _) => None
             | (b, m_2b a' v) =>
                 if decide (a' = a)
                 then Some (b, a, v)
                 else None
             end) (sent_messages (s (acceptor_ix a))))
  rewrite elem_of_list_bind.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
∃ y : Acceptor,
  (b, a, v)
  ∈ omap
      (λ pat : Ballot * paxos_message_body,
         match pat with
         | (b, m_1a) | (b, m_1b _ _) | (b, m_1c _) |
           (b, m_2a _) => None
         | (b, m_2b a' v) =>
             if decide (a' = y)
             then Some (b, y, v)
             else None
         end) (sent_messages (s (acceptor_ix y)))
  ∧ y ∈ enum Acceptor
  exists a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(b, a, v)
∈ omap
    (λ pat : Ballot * paxos_message_body,
       match pat with
       | (b, m_1a) | (b, m_1b _ _) | (b, m_1c _) |
         (b, m_2a _) => None
       | (b, m_2b a' v) =>
           if decide (a' = a)
           then Some (b, a, v)
           else None
       end) (sent_messages (s (acceptor_ix a)))
∧ a ∈ enum Acceptor
  rewrite elem_of_list_omap.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(∃ x : Ballot * paxos_message_body,
   x ∈ sent_messages (s (acceptor_ix a))
   ∧ match x with
     | (b, m_1a) | (b, m_1b _ _) | (b, m_1c _) |
       (b, m_2a _) => None
     | (b, m_2b a' v) =>
         if decide (a' = a)
         then Some (b, a, v)
         else None
     end = Some (b, a, v)) ∧ a ∈ enum Acceptor
  split; [| by apply elem_of_enum].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
∃ x : Ballot * paxos_message_body,
  x ∈ sent_messages (s (acceptor_ix a))
  ∧ match x with
    | (b, m_1a) | (b, m_1b _ _) | (b, m_1c _) |
      (b, m_2a _) => None
    | (b, m_2b a' v) =>
        if decide (a' = a)
        then Some (b, a, v)
        else None
    end = Some (b, a, v)
  exists (b, m_2b a v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
∧ (if decide (a = a) then Some (b, a, v) else None) =
  Some (b, a, v)
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(if decide (a = a) then Some (b, a, v) else None) =
Some (b, a, v)
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a)) by apply sender_id_m_2b in Hsent as Heq; subst.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
ia: Acceptor
Hsent: (b, m_2b a v)
∈ sent_messages (s (acceptor_ix ia))
(if decide (a = a) then Some (b, a, v) else None) =
Some (b, a, v) by rewrite decide_True.
Qed.

Lemma vote_messages_sound :
  forall a b v,
    (b, a, v) ∈ vote_messages -> was_voted a b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  (b, a, v) ∈ vote_messages → was_voted a b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  (b, a, v) ∈ vote_messages → was_voted a b v
  intros a b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, a, v) ∈ vote_messages → was_voted a b v
  unfold vote_messages.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, a, v)
∈ enum Acceptor
  ≫= (λ a : Acceptor,
        omap
          (λ pat : Ballot * paxos_message_body,
             match pat with
             | (b, m_1a) | (b, m_1b _ _) |
               (b, m_1c _) | (b, m_2a _) => None
             | (b, m_2b a' v) =>
                 if decide (a' = a)
                 then Some (b, a, v)
                 else None
             end) (sent_messages (s (acceptor_ix a))))
→ was_voted a b v
  rewrite elem_of_list_bind.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(∃ y : Acceptor,
   (b, a, v)
   ∈ omap
       (λ pat : Ballot * paxos_message_body,
          match pat with
          | (b, m_1a) | (b, m_1b _ _) | (b, m_1c _) |
            (b, m_2a _) => None
          | (b, m_2b a' v) =>
              if decide (a' = y)
              then Some (b, y, v)
              else None
          end) (sent_messages (s (acceptor_ix y)))
   ∧ y ∈ enum Acceptor) → was_voted a b v
  intros [a' Helem].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
a': Acceptor
Helem: (b, a, v)
∈ omap
    (λ pat : Ballot * paxos_message_body,
       match pat with
       | (b, m_1a) | (b, m_1b _ _) |
         (b, m_1c _) | (b, m_2a _) => None
       | (b, m_2b a'0 v) =>
           if decide (a'0 = a')
           then Some (b, a', v)
           else None
       end)
    (sent_messages (s (acceptor_ix a')))
∧ a' ∈ enum Acceptor
was_voted a b v
  rewrite elem_of_list_omap in Helem.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
a': Acceptor
Helem: (∃ x : Ballot * paxos_message_body,
   x ∈ sent_messages (s (acceptor_ix a'))
   ∧ match x with
     | (b, m_1a) | (b, m_1b _ _) |
       (b, m_1c _) | (b, m_2a _) => None
     | (b, m_2b a'0 v) =>
         if decide (a'0 = a')
         then Some (b, a', v)
         else None
     end = Some (b, a, v))
∧ a' ∈ enum Acceptor
was_voted a b v
  destruct Helem as [[[b' mb] [Helem Hmsg]] _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
a': Acceptor
b': Ballot
mb: paxos_message_body
Helem: (b', mb) ∈ sent_messages (s (acceptor_ix a'))
Hmsg: match mb with
| m_2b a'0 v =>
    if decide (a'0 = a')
    then Some (b', a', v)
    else None
| _ => None
end = Some (b, a, v)
was_voted a b v
  exists (acceptor_ix a).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
a': Acceptor
b': Ballot
mb: paxos_message_body
Helem: (b', mb) ∈ sent_messages (s (acceptor_ix a'))
Hmsg: match mb with
| m_2b a'0 v =>
    if decide (a'0 = a')
    then Some (b', a', v)
    else None
| _ => None
end = Some (b, a, v)
has_been_sent (IM (acceptor_ix a)) (s (acceptor_ix a))
  (b, m_2b a v)
  destruct mb; [by inversion Hmsg.. |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
a': Acceptor
b': Ballot
a0: Acceptor
v0: Value
Helem: (b', m_2b a0 v0)
∈ sent_messages (s (acceptor_ix a'))
Hmsg: (if decide (a0 = a')
 then Some (b', a', v0)
 else None) = Some (b, a, v)
has_been_sent (IM (acceptor_ix a)) (s (acceptor_ix a))
  (b, m_2b a v)
  destruct (decide (a0 = a')) as [<- |]; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
b': Ballot
a0: Acceptor
v0: Value
Helem: (b', m_2b a0 v0)
∈ sent_messages (s (acceptor_ix a0))
Hmsg: Some (b', a0, v0) = Some (b, a, v)
has_been_sent (IM (acceptor_ix a)) (s (acceptor_ix a))
  (b, m_2b a v)
  by inversion Hmsg; subst.
Qed.

Definition combine_votesets : Bmap (AMap VSet) -> Bmap (AMap VSet) -> Bmap (AMap VSet) :=
  union_with (fun av1 av2 => Some (union_with (fun vs1 vs2 => Some (union vs1 vs2)) av1 av2)).

Definition vote_in_voteset : Ballot -> Acceptor -> Value -> Bmap (AMap VSet) -> Prop :=
  fun b a v S => v ∈ ((S !!! b) !!! a).

Definition singleton_voteset : Ballot -> Acceptor -> Value -> Bmap (AMap VSet) :=
  fun b a v => {[b := {[a := {[ v ]} ]} ]}.

Lemma entry_of_singleton_voteset :
  forall b a v b' a' v',
    vote_in_voteset b a v (singleton_voteset b' a' v') <-> (b, a, v) = (b', a', v').Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (v : Value) (b' : Ballot) 
  (a' : Acceptor) (v' : Value),
  vote_in_voteset b a v (singleton_voteset b' a' v')
  ↔ (b, a, v) = (b', a', v')
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (v : Value) (b' : Ballot) 
  (a' : Acceptor) (v' : Value),
  vote_in_voteset b a v (singleton_voteset b' a' v')
  ↔ (b, a, v) = (b', a', v')
  intros b a v b' a' v'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
vote_in_voteset b a v (singleton_voteset b' a' v')
↔ (b, a, v) = (b', a', v')
  unfold vote_in_voteset, singleton_voteset.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
v ∈ ({[b' := {[a' := {[v']}]}]} !!! b) !!! a
↔ (b, a, v) = (b', a', v')
  split; [| by intros [= <- <- <-]; rewrite 2 lookup_total_singleton, elem_of_singleton].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
v ∈ ({[b' := {[a' := {[v']}]}]} !!! b) !!! a
→ (b, a, v) = (b', a', v')
  intros H_elem.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ({[b' := {[a' := {[v']}]}]} !!! b) !!! a
(b, a, v) = (b', a', v')
  replace b' with b in *; cycle 1.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ({[b' := {[a' := {[v']}]}]} !!! b) !!! a
b = b'
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ({[b := {[a' := {[v']}]}]} !!! b) !!! a
(b, a, v) = (b, a', v')
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ({[b' := {[a' := {[v']}]}]} !!! b) !!! a
b = b'
    destruct (decide (b' = b)); [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ({[b' := {[a' := {[v']}]}]} !!! b) !!! a
n: b' ≠ b
b = b'
    rewrite lookup_total_singleton_ne in H_elem by done; cbn in H_elem.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ∅ !!! a
n: b' ≠ b
b = b'
    rewrite lookup_total_empty in H_elem; cbn in H_elem.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ∅
n: b' ≠ b
b = b'
    by rewrite elem_of_empty in H_elem.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ({[b := {[a' := {[v']}]}]} !!! b) !!! a
(b, a, v) = (b, a', v')
  rewrite lookup_total_singleton in H_elem.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ {[a' := {[v']}]} !!! a
(b, a, v) = (b, a', v')
  replace a' with a in *; cycle 1.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ {[a' := {[v']}]} !!! a
a = a'
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ {[a := {[v']}]} !!! a
(b, a, v) = (b, a, v')
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ {[a' := {[v']}]} !!! a
a = a'
    destruct (decide (a' = a)); [done|].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ {[a' := {[v']}]} !!! a
n: a' ≠ a
a = a'
    rewrite lookup_total_singleton_ne in H_elem by done; cbn in H_elem.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ ∅
n: a' ≠ a
a = a'
    by rewrite elem_of_empty in H_elem.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v ∈ {[a := {[v']}]} !!! a
(b, a, v) = (b, a, v')
  rewrite lookup_total_singleton, elem_of_singleton in H_elem.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
H_elem: v = v'
(b, a, v) = (b, a, v')
  by subst.
Qed.

Lemma entry_of_combine_votesets :
  forall b a v S1 S2,
    vote_in_voteset b a v (combine_votesets S1 S2)
    <-> vote_in_voteset b a v S1 \/ vote_in_voteset b a v S2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (v : Value) (S1
                                           S2 : Bmap
                                                 (AMap
                                                 VSet)),
  vote_in_voteset b a v (combine_votesets S1 S2)
  ↔ vote_in_voteset b a v S1
    ∨ vote_in_voteset b a v S2
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (v : Value) (S1
                                           S2 : Bmap
                                                 (AMap
                                                 VSet)),
  vote_in_voteset b a v (combine_votesets S1 S2)
  ↔ vote_in_voteset b a v S1
    ∨ vote_in_voteset b a v S2
  intros b a v S1 S2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
vote_in_voteset b a v (combine_votesets S1 S2)
↔ vote_in_voteset b a v S1 ∨ vote_in_voteset b a v S2
  unfold vote_in_voteset, combine_votesets, lookup_total, map_lookup_total; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
v
∈ default ∅
    (default ∅
       (union_with
          (λ av1 av2 : AMap VSet,
             Some
               (union_with
                  (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
                  av1 av2)) S1 S2 !! b) !! a)
↔ v ∈ default ∅ (default ∅ (S1 !! b) !! a)
  ∨ v ∈ default ∅ (default ∅ (S2 !! b) !! a)
  rewrite lookup_union_with.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
v
∈ default ∅
    (default ∅
       (union_with
          (λ av1 av2 : AMap VSet,
             Some
               (union_with
                  (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
                  av1 av2)) (S1 !! b) (S2 !! b)) !! a)
↔ v ∈ default ∅ (default ∅ (S1 !! b) !! a)
  ∨ v ∈ default ∅ (default ∅ (S2 !! b) !! a)
  generalize (S1 !! b); intro S1b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
S1b: option (AMap VSet)
v
∈ default ∅
    (default ∅
       (union_with
          (λ av1 av2 : AMap VSet,
             Some
               (union_with
                  (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
                  av1 av2)) S1b (S2 !! b)) !! a)
↔ v ∈ default ∅ (default ∅ S1b !! a)
  ∨ v ∈ default ∅ (default ∅ (S2 !! b) !! a)
  generalize (S2 !! b); intro S2b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
S1b, S2b: option (AMap VSet)
v
∈ default ∅
    (default ∅
       (union_with
          (λ av1 av2 : AMap VSet,
             Some
               (union_with
                  (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
                  av1 av2)) S1b S2b) !! a)
↔ v ∈ default ∅ (default ∅ S1b !! a)
  ∨ v ∈ default ∅ (default ∅ S2b !! a)
  destruct S1b as [av1 |], S2b as [av2 |]; simpl;
    [| by rewrite lookup_empty; simpl; rewrite elem_of_empty; itauto..].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
av1, av2: AMap VSet
v
∈ default ∅
    (union_with (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
       av1 av2 !! a)
↔ v ∈ default ∅ (av1 !! a) ∨ v ∈ default ∅ (av2 !! a)
  rewrite lookup_union_with.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
av1, av2: AMap VSet
v
∈ default ∅
    (union_with (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
       (av1 !! a) (av2 !! a))
↔ v ∈ default ∅ (av1 !! a) ∨ v ∈ default ∅ (av2 !! a)
  generalize (av1 !! a); intro av1a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
av1, av2: AMap VSet
av1a: option VSet
v
∈ default ∅
    (union_with (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
       av1a (av2 !! a))
↔ v ∈ default ∅ av1a ∨ v ∈ default ∅ (av2 !! a)
  generalize (av2 !! a); intro av2a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
S1, S2: Bmap (AMap VSet)
av1, av2: AMap VSet
av1a, av2a: option VSet
v
∈ default ∅
    (union_with (λ vs1 vs2 : VSet, Some (vs1 ∪ vs2))
       av1a av2a)
↔ v ∈ default ∅ av1a ∨ v ∈ default ∅ av2a
  by destruct av1a as [vs1 |], av2a as [vs2 |]; simpl; set_solver.
Qed.

Definition paxos_votes : Bmap (AMap VSet) :=
  foldr (fun '(b, a, v) => combine_votesets (singleton_voteset b a v)) ∅ vote_messages.

Lemma elem_of_paxos_votes :
  forall b a v,
    (b, a, v) ∈ vote_messages <-> vote_in_voteset b a v paxos_votes.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (v : Value),
  (b, a, v) ∈ vote_messages
  ↔ vote_in_voteset b a v paxos_votes
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (v : Value),
  (b, a, v) ∈ vote_messages
  ↔ vote_in_voteset b a v paxos_votes
  intros b a v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
(b, a, v) ∈ vote_messages
↔ vote_in_voteset b a v paxos_votes
  unfold paxos_votes.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
(b, a, v) ∈ vote_messages
↔ vote_in_voteset b a v
    (foldr
       (λ '(b, a, v),
          combine_votesets (singleton_voteset b a v))
       ∅ vote_messages)
  induction vote_messages; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
(b, a, v) ∈ [] ↔ vote_in_voteset b a v ∅
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
a0: (Ballot * Acceptor * Value)%type
l: list (Ballot * Acceptor * Value)
IHl: (b, a, v) ∈ l
↔ vote_in_voteset b a v
    (foldr
       (λ '(b, a, v),
          combine_votesets
            (singleton_voteset b a v)) ∅ l)
(b, a, v) ∈ a0 :: l
↔ vote_in_voteset b a v
    ((let
      '(b, a, v) := a0 in
       combine_votesets (singleton_voteset b a v))
       (foldr
          (λ '(b, a, v),
             combine_votesets
               (singleton_voteset b a v)) ∅ l))
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
(b, a, v) ∈ [] ↔ vote_in_voteset b a v ∅ rewrite elem_of_nil.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
False ↔ vote_in_voteset b a v ∅
    unfold vote_in_voteset.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
False ↔ v ∈ (∅ !!! b) !!! a
    by do 2 (rewrite lookup_total_empty; simpl); rewrite elem_of_empty.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
a0: (Ballot * Acceptor * Value)%type
l: list (Ballot * Acceptor * Value)
IHl: (b, a, v) ∈ l
↔ vote_in_voteset b a v
    (foldr
       (λ '(b, a, v),
          combine_votesets
            (singleton_voteset b a v)) ∅ l)
(b, a, v) ∈ a0 :: l
↔ vote_in_voteset b a v
    ((let
      '(b, a, v) := a0 in
       combine_votesets (singleton_voteset b a v))
       (foldr
          (λ '(b, a, v),
             combine_votesets
               (singleton_voteset b a v)) ∅ l)) destruct a0 as [[b' a'] v']; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
l: list (Ballot * Acceptor * Value)
IHl: (b, a, v) ∈ l
↔ vote_in_voteset b a v
    (foldr
       (λ '(b, a, v),
          combine_votesets
            (singleton_voteset b a v)) ∅ l)
(b, a, v) ∈ (b', a', v') :: l
↔ vote_in_voteset b a v
    (combine_votesets (singleton_voteset b' a' v')
       (foldr
          (λ '(b, a, v),
             combine_votesets
               (singleton_voteset b a v)) ∅ l))
    rewrite elem_of_cons, entry_of_combine_votesets, entry_of_singleton_voteset.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
v: Value
b': Ballot
a': Acceptor
v': Value
l: list (Ballot * Acceptor * Value)
IHl: (b, a, v) ∈ l
↔ vote_in_voteset b a v
    (foldr
       (λ '(b, a, v),
          combine_votesets
            (singleton_voteset b a v)) ∅ l)
(b, a, v) = (b', a', v') ∨ (b, a, v) ∈ l
↔ (b, a, v) = (b', a', v')
  ∨ vote_in_voteset b a v
      (foldr
         (λ '(b, a, v),
            combine_votesets (singleton_voteset b a v))
         ∅ l)
    by itauto.
Qed.

Lemma paxos_votes_good :
  forall a b v,
    was_voted a b v <-> vote_in_voteset b a v paxos_votes.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  was_voted a b v ↔ vote_in_voteset b a v paxos_votes
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  was_voted a b v ↔ vote_in_voteset b a v paxos_votes
  intros a b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
was_voted a b v ↔ vote_in_voteset b a v paxos_votes
  rewrite <- elem_of_paxos_votes.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
was_voted a b v ↔ (b, a, v) ∈ vote_messages
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
was_voted a b v → (b, a, v) ∈ vote_messages
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, a, v) ∈ vote_messages → was_voted a b v
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
was_voted a b v → (b, a, v) ∈ vote_messages by apply vote_messages_complete.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, a, v) ∈ vote_messages → was_voted a b v by apply vote_messages_sound.
Qed.

Definition votes_from_paxos_acceptor (acc : paxos_acceptor_state) : Bmap VSet :=
  let m_2a_msgs_a :=
    omap (fun m => match m with (b, m_2b _ v) => Some (b, v) | _ => None end) (sent_messages acc)
  in
    foldr (fun '(b, v) votes => mmap_insert b v votes) ∅ m_2a_msgs_a.

Lemma votes_from_paxos_acceptor_to_sent (a : Acceptor) :
  forall b v,
    v ∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b ->
      (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
∀ (b : Ballot) (v : Value),
  v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b
  → (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
∀ (b : Ballot) (v : Value),
  v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b
  → (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  intros b v Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
Hv: v
∈ votes_from_paxos_acceptor (s (acceptor_ix a))
  !!! b
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  pose proof (Hsender := fun a' => sender_id_m_2b s Hs a' b v a).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
Hv: v
∈ votes_from_paxos_acceptor (s (acceptor_ix a))
  !!! b
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v)
  ∈ sent_messages (s (acceptor_ix a))
  → a = a'
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  unfold votes_from_paxos_acceptor in Hv; revert Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v)
  ∈ sent_messages (s (acceptor_ix a))
  → a = a'
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) (sent_messages (s (acceptor_ix a))))
  !!! b
→ (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  set (msgs := sent_messages (s (acceptor_ix a))) in *; clearbody msgs; clear s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ msgs → a = a'
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b → (b, m_2b a v) ∈ msgs
  induction msgs; cbn; [by rewrite lookup_total_empty; simpl; set_solver |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    match
      (let (b, y) := a0 in
       match y with
       | m_2b _ v => Some (b, v)
       | _ => None
       end)
    with
    | Some y =>
        y
        :: omap
             (λ m : Ballot * paxos_message_body,
                let (b, y0) := m in
                match y0 with
                | m_2b _ v => Some (b, v)
                | _ => None
                end) msgs
    | None =>
        omap
          (λ m : Ballot * paxos_message_body,
             let (b, y) := m in
             match y with
             | m_2b _ v => Some (b, v)
             | _ => None
             end) msgs
    end !!! b → (b, m_2b a v) ∈ a0 :: msgs
  case_match.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
p: (Ballot * Value)%type
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some p
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (p
     :: omap
          (λ m : Ballot * paxos_message_body,
             let (b, y) := m in
             match y with
             | m_2b _ v => Some (b, v)
             | _ => None
             end) msgs) !!! b
→ (b, m_2b a v) ∈ a0 :: msgs
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = None
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b
→ (b, m_2b a v) ∈ a0 :: msgs
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
p: (Ballot * Value)%type
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some p
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (p
     :: omap
          (λ m : Ballot * paxos_message_body,
             let (b, y) := m in
             match y with
             | m_2b _ v => Some (b, v)
             | _ => None
             end) msgs) !!! b
→ (b, m_2b a v) ∈ a0 :: msgs destruct p as [b0 v0]; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
b0: Ballot
v0: Value
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some (b0, v0)
v
∈ mmap_insert b0 v0
    (foldr
       (λ '(b, v) (votes : Bmap VSet),
          mmap_insert b v votes) ∅
       (omap
          (λ m : Ballot * paxos_message_body,
             let (b, y) := m in
             match y with
             | m_2b _ v => Some (b, v)
             | _ => None
             end) msgs)) !!! b
→ (b, m_2b a v) ∈ a0 :: msgs
    intros Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
b0: Ballot
v0: Value
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some (b0, v0)
Hv: v
∈ mmap_insert b0 v0
    (foldr
       (λ '(b, v) (votes : Bmap VSet),
          mmap_insert b v votes) ∅
       (omap
          (λ m : Ballot * paxos_message_body,
             let (b, y) := m in
             match y with
             | m_2b _ v => Some (b, v)
             | _ => None
             end) msgs)) !!! b
(b, m_2b a v) ∈ a0 :: msgs
    apply elem_of_mmap_insert in Hv as [[-> ->] |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some (b, v)
(b, m_2b a v) ∈ a0 :: msgs
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
b0: Ballot
v0: Value
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some (b0, v0)
H17: v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b
(b, m_2b a v) ∈ a0 :: msgs
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some (b, v)
(b, m_2b a v) ∈ a0 :: msgs destruct a0 as [b0 []]; try done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
b0: Ballot
a0: Acceptor
v0: Value
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ (b0, m_2b a0 v0) :: msgs
  → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: Some (b0, v0) = Some (b, v)
(b, m_2b a v) ∈ (b0, m_2b a0 v0) :: msgs
      assert ((b, m_2b a0 v) ∈ (b0, m_2b a0 v0) :: msgs)
        by (rewrite elem_of_cons; left; congruence).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
b0: Ballot
a0: Acceptor
v0: Value
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ (b0, m_2b a0 v0) :: msgs
  → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: Some (b0, v0) = Some (b, v)
H17: (b, m_2b a0 v) ∈ (b0, m_2b a0 v0) :: msgs
(b, m_2b a v) ∈ (b0, m_2b a0 v0) :: msgs
      by erewrite Hsender.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
b0: Ballot
v0: Value
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some (b0, v0)
H17: v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b
(b, m_2b a v) ∈ a0 :: msgs right; apply IHmsgs; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
b0: Ballot
v0: Value
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = Some (b0, v0)
H17: v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b
∀ a' : Acceptor, (b, m_2b a' v) ∈ msgs → a = a'
      by intros a' Ha'; apply Hsender; constructor.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = None
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b
→ (b, m_2b a v) ∈ a0 :: msgs intros Hv; constructor.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = None
Hv: v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b
(b, m_2b a v) ∈ msgs
    apply IHmsgs; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
Hsender: ∀ a' : Acceptor,
  (b, m_2b a' v) ∈ a0 :: msgs → a = a'
IHmsgs: (∀ a' : Acceptor,
   (b, m_2b a' v) ∈ msgs → a = a')
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
  → (b, m_2b a v) ∈ msgs
H16: (let (b, y) := a0 in
 match y with
 | m_2b _ v => Some (b, v)
 | _ => None
 end) = None
Hv: v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) msgs) !!! b
∀ a' : Acceptor, (b, m_2b a' v) ∈ msgs → a = a'
    by intros a' Ha'; apply Hsender; constructor.
Qed.

Lemma votes_from_paxos_acceptor_from_sent (a : Acceptor) :
  forall b v,
    (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a)) ->
    v ∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
∀ (b : Ballot) (v : Value),
  (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  → v
    ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
      !!! b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
∀ (b : Ballot) (v : Value),
  (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  → v
    ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
      !!! b
  intros b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
→ v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b
  unfold votes_from_paxos_acceptor.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) (sent_messages (s (acceptor_ix a))))
    !!! b
  generalize (sent_messages (s (acceptor_ix a))) as msgs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
∀ msgs : list paxos_message,
  (b, m_2b a v) ∈ msgs
  → v
    ∈ foldr
        (λ '(b, v) (votes : Bmap VSet),
           mmap_insert b v votes) ∅
        (omap
           (λ m : Ballot * paxos_message_body,
              let (b, y) := m in
              match y with
              | m_2b _ v => Some (b, v)
              | _ => None
              end) msgs) !!! b
  induction msgs; intros H_elem; [by apply elem_of_nil in H_elem |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
a0: paxos_message
msgs: list paxos_message
IHmsgs: (b, m_2b a v) ∈ msgs
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
H_elem: (b, m_2b a v) ∈ a0 :: msgs
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) (a0 :: msgs)) !!! b
  destruct a0 as [b0 m0].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
b0: Ballot
m0: paxos_message_body
msgs: list paxos_message
IHmsgs: (b, m_2b a v) ∈ msgs
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
H_elem: (b, m_2b a v) ∈ (b0, m0) :: msgs
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) ((b0, m0) :: msgs)) !!! b
  apply elem_of_cons in H_elem as [<- | H_elem].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
b0: Ballot
m0: paxos_message_body
msgs: list paxos_message
IHmsgs: (b, m_2b a v) ∈ msgs
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) ((b, m_2b a v) :: msgs)) !!! b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
b0: Ballot
m0: paxos_message_body
msgs: list paxos_message
IHmsgs: (b, m_2b a v) ∈ msgs
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
H_elem: (b, m_2b a v) ∈ msgs
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) ((b0, m0) :: msgs)) !!! b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
b0: Ballot
m0: paxos_message_body
msgs: list paxos_message
IHmsgs: (b, m_2b a v) ∈ msgs
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) ((b, m_2b a v) :: msgs)) !!! b by simpl; apply elem_of_mmap_insert; left.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
b0: Ballot
m0: paxos_message_body
msgs: list paxos_message
IHmsgs: (b, m_2b a v) ∈ msgs
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
H_elem: (b, m_2b a v) ∈ msgs
v
∈ foldr
    (λ '(b, v) (votes : Bmap VSet),
       mmap_insert b v votes) ∅
    (omap
       (λ m : Ballot * paxos_message_body,
          let (b, y) := m in
          match y with
          | m_2b _ v => Some (b, v)
          | _ => None
          end) ((b0, m0) :: msgs)) !!! b destruct m0; simpl; try apply (IHmsgs H_elem); [].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
b0: Ballot
a0: Acceptor
v0: Value
msgs: list paxos_message
IHmsgs: (b, m_2b a v) ∈ msgs
→ v
  ∈ foldr
      (λ '(b, v) (votes : Bmap VSet),
         mmap_insert b v votes) ∅
      (omap
         (λ m : Ballot * paxos_message_body,
            let (b, y) := m in
            match y with
            | m_2b _ v => Some (b, v)
            | _ => None
            end) msgs) !!! b
H_elem: (b, m_2b a v) ∈ msgs
v
∈ mmap_insert b0 v0
    (foldr
       (λ '(b, v) (votes : Bmap VSet),
          mmap_insert b v votes) ∅
       (list_omap (Ballot * paxos_message_body)%type
          (Ballot * Value)%type
          (λ m : Ballot * paxos_message_body,
             let (b, y) := m in
             match y with
             | m_2b _ v => Some (b, v)
             | _ => None
             end) msgs)) !!! b
    by apply elem_of_mmap_insert; right; apply IHmsgs.
Qed.

Lemma votes_from_paxos_acceptor_iff :
  forall a b v,
    (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
    <-> v ∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  ↔ v
    ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
      !!! b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  ↔ v
    ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
      !!! b
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
→ v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
v
∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b
→ (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
→ v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b by apply votes_from_paxos_acceptor_from_sent.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
v
∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b
→ (b, m_2b a v) ∈ sent_messages (s (acceptor_ix a)) by apply votes_from_paxos_acceptor_to_sent.
Qed.

The projection from Paxos to Voting maps each acceptor to a voter, using the paxos_maxBal of the acceptor and the set votes_from_paxos_acceptor as the maxBal and votes of the voter.

Definition to_voting_state : state (voting_vlsm Value VSet Acceptor ASet Quorum) :=
  fun a =>
    {|
      maxBal := paxos_maxBal (s (acceptor_ix a));
      votes := votes_from_paxos_acceptor (s (acceptor_ix a));
    |}.

The source development from Lamport provides some predicates which are conjectured to be invariants of the Paxos transition system, and conjectured to be sufficient to finish the refinement proof, but does not provide proofs.

Some of the conjectured invariants are defined using predicates from the Voting module applied to the projection of the state.

Definition V_DidNotVoteIn : Acceptor -> Ballot -> Prop :=
  fun a b => Voting.did_not_vote_in _ VSet (to_voting_state a) b.

Definition V_VotedFor : Acceptor -> Ballot -> Value -> Prop :=
  fun a b v => Voting.voted_for _ VSet (to_voting_state a) b v.

Definition V_SafeAt : Ballot -> Value -> Prop :=
  fun b v => Voting.SafeAt _ VSet _ ASet Quorum to_voting_state v b.

Conjectured invariants. The definitions named "_prop" are the statements of the conjectured invariants.

Definition Inv_past_vote_info_prop : Prop :=
  forall (a : Acceptor),
    (maxVBal (s (acceptor_ix a)) <= paxos_maxBal (s (acceptor_ix a)))%Z
    /\ (forall (b : Ballot),
         (maxVBal (s (acceptor_ix a)) < b)%Z -> (b < paxos_maxBal (s (acceptor_ix a)))%Z ->
            V_DidNotVoteIn a b)
    /\ match lastVote (s (acceptor_ix a)) with
       | None => True
       | Some (b_lv, v_lv) => V_VotedFor a b_lv v_lv
       end.

Definition P1bInv_prop : Prop :=
  forall (b_m : Ballot) (a_m : Acceptor) (lv_m : option (Ballot * Value)),
    let mbal_m := fst <$> lv_m : Ballot' in
      has_been_sent paxos_vlsm s (b_m, m_1b a_m lv_m) ->
      (b_m <= paxos_maxBal (s (acceptor_ix a_m)))%Z
      /\ (mbal_m < b_m)%Z
      /\ (forall (b : Ballot), (b < b_m)%Z -> (mbal_m < b)%Z -> V_DidNotVoteIn a_m b).

Definition P1cInv_prop : Prop :=
  forall b_m (vs_m : AllOrFin VSet),
    has_been_sent paxos_vlsm s (b_m, m_1c vs_m) ->
  forall (v : Value), v ∈ vs_m -> V_SafeAt b_m v.

Definition P2aInv_prop : Prop :=
  forall b_m v_m,
    has_been_sent paxos_vlsm s (b_m, m_2a v_m) ->
      exists vs_c, v_m ∈ vs_c /\ has_been_sent paxos_vlsm s (b_m, m_1c vs_c).

This holds for a Quorum Q and b if all acceptors in Q have sent a 1b message for ballot b, and either all those messages recorded that the acceptor has no previous vote, or there is some ballot b_c which is not earlier than any previous vote from the 1b messages, such that there is a 1c message for ballot b_c asserting that v is safe, and also any acceptors from Q whose last_vote was exactly at ballot b_c voted for v (recall the last_vote records what the acceptor sent in its last 2b message, so a 2b message from round b_c comes after this 1c message).

Definition NoPrevVotes (s : state paxos_vlsm) (As : ASet) (b : Ballot) : Prop :=
  forall a, a ∈ As -> forall lv, has_been_sent _ s (b, m_1b a lv) -> lv = None.

(* A curiosity - could we allow a prev vote that actually votes for v to come after the 1c? *)

Definition ShowsSafeAt (s : state paxos_vlsm) (Q : sig Quorum) (b : Ballot) (v : Value) : Prop :=
  (forall a, a ∈ `Q -> exists last_vote, has_been_sent _ s (b, m_1b a last_vote))
  /\ (NoPrevVotes s (`Q) b
     \/ (exists b_1c vsafe, v ∈ vsafe /\ has_been_sent _ s (b_1c, m_1c vsafe)
        (*
          This clause added for convenience in induction.
          A 1c message will imply a ShowsSafeAt at it's time,
          and we would like one with (b_1c < b) so we can use it for induction.
          It should be equivalent (on preloaded-valid states) by
          arguing that w.l.o.g we can chose b_1c to be the newest time
          recorded in a last_vote in the 1b messages from the first clause.
         *)
         /\ (exists a, a ∈ `Q /\ exists v_lv_a, has_been_sent _ s (b, m_1b a (Some (b_1c, v_lv_a))))
         /\ (forall a, a ∈ `Q -> forall b_lv v_lv,
              has_been_sent _ s (b, m_1b a (Some (b_lv, v_lv))) ->
                (b_lv <= b_1c)%Z /\ (b_lv = b_1c -> v_lv = v)))).

Lemma gathered_1b_ok :
  forall (b : Ballot) (a : Acceptor) lv,
    gathered_1b ((s leaders_ix : leaders_state) !!! b) !! a = Some lv ->
    has_been_sent paxos_vlsm s (b, m_1b a lv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (lv : option
                                      (Ballot * Value)),
  gathered_1b ((s leaders_ix : leaders_state) !!! b)
  !! a = Some lv
  → has_been_sent paxos_vlsm s (b, m_1b a lv)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (lv : option
                                      (Ballot * Value)),
  gathered_1b ((s leaders_ix : leaders_state) !!! b)
  !! a = Some lv
  → has_been_sent paxos_vlsm s (b, m_1b a lv)
  induction Hs using valid_state_prop_ind.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
Hs0: initial_state_prop s
∀ (b : Ballot) (a : Acceptor) (lv : option
                                      (Ballot * Value)),
  gathered_1b (s leaders_ix !!! b) !! a = Some lv
  → has_been_sent paxos_vlsm s (b, m_1b a lv)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s'
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
∀ (b : Ballot) (a : Acceptor) 
  (lv : option (Ballot * Value)),
  gathered_1b (s' leaders_ix !!! b) !! a = Some lv
  → has_been_sent paxos_vlsm s' (b, m_1b a lv)
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
Hs0: initial_state_prop s
∀ (b : Ballot) (a : Acceptor) (lv : option
                                      (Ballot * Value)),
  gathered_1b (s leaders_ix !!! b) !! a = Some lv
  → has_been_sent paxos_vlsm s (b, m_1b a lv) intros a b lv Hlookup.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
Hs0: initial_state_prop s
a: Ballot
b: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s leaders_ix !!! a) !! b =
Some lv
has_been_sent paxos_vlsm s (a, m_1b b lv)
    rewrite (Hs0 leaders_ix) in Hlookup.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
Hs0: initial_state_prop s
a: Ballot
b: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (∅ !!! a) !! b = Some lv
has_been_sent paxos_vlsm s (a, m_1b b lv)
    rewrite (lookup_total_empty (A := ballot_state) (M := Bmap)) in Hlookup; cbn in Hlookup.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
Hs0: initial_state_prop s
a: Ballot
b: Acceptor
lv: option (Ballot * Value)
Hlookup: ∅ !! b = Some lv
has_been_sent paxos_vlsm s (a, m_1b b lv)
    by rewrite lookup_empty in Hlookup.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s'
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
∀ (b : Ballot) (a : Acceptor) (lv : option
                                      (Ballot * Value)),
  gathered_1b (s' leaders_ix !!! b) !! a = Some lv
  → has_been_sent paxos_vlsm s' (b, m_1b a lv) rename Hs into Hs'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
∀ (b : Ballot) (a : Acceptor) (lv : option
                                      (Ballot * Value)),
  gathered_1b (s' leaders_ix !!! b) !! a = Some lv
  → has_been_sent paxos_vlsm s' (b, m_1b a lv)
    assert (Hs : constrained_state_prop paxos_vlsm s) by apply Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (a : Acceptor) (lv : option
                                      (Ballot * Value)),
  gathered_1b (s' leaders_ix !!! b) !! a = Some lv
  → has_been_sent paxos_vlsm s' (b, m_1b a lv)
    intros b a lv Hlookup.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm) l
  (s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s' (b, m_1b a lv)
    destruct l as [[| a_l] li]; cycle 1.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
a_l: Acceptor
li: label (IM (acceptor_ix a_l))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT (acceptor_ix a_l) li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s' (b, m_1b a lv)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
li: label (IM leaders_ix)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s' (b, m_1b a lv)
    + (* On an acceptor state, the gathered_1b field of the leaders state can't change *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
a_l: Acceptor
li: label (IM (acceptor_ix a_l))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT (acceptor_ix a_l) li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s' (b, m_1b a lv)
      rewrite has_been_sent_step_update by (apply Ht; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
a_l: Acceptor
li: label (IM (acceptor_ix a_l))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT (acceptor_ix a_l) li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
om' = Some (b, m_1b a lv)
∨ has_been_sent paxos_vlsm s (b, m_1b a lv)
      right; apply IHc; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
a_l: Acceptor
li: label (IM (acceptor_ix a_l))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT (acceptor_ix a_l) li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
gathered_1b (s leaders_ix !!! b) !! a = Some lv
      cut (s' leaders_ix = s leaders_ix); [by intros <- |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
a_l: Acceptor
li: label (IM (acceptor_ix a_l))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT (acceptor_ix a_l) li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
s' leaders_ix = s leaders_ix
      apply input_valid_transition_preloaded_project_any with (i := leaders_ix) in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
a_l: Acceptor
li: label (IM (acceptor_ix a_l))
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: s leaders_ix = s' leaders_ix
∨ (∃ li0 : label (IM leaders_ix),
     existT (acceptor_ix a_l) li =
     existT leaders_ix li0
     ∧ input_constrained_transition
         (IM leaders_ix) li0 (
         s leaders_ix, om) (
         s' leaders_ix, om'))
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
s' leaders_ix = s leaders_ix
      by destruct Ht as [<- | [? [[=]]]].
    + (* On a leader update, has_been_sent of acceptor messages can't change *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
li: label (IM leaders_ix)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s' (b, m_1b a lv)
      destruct (Ht) as [_ Hstep]; cbn in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
li: label (IM leaders_ix)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
Hstep: (let (si', om') :=
   leaders_transition li (s leaders_ix, om) in
 (state_update IM s leaders_ix si', om')) =
(s', om')
has_been_sent paxos_vlsm s' (b, m_1b a lv)
      destruct (leaders_transition _ _) as [si' om'0] eqn: H_leaders_step in Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs': constrained_state_prop paxos_vlsm s'
li: label (IM leaders_ix)
om, om': option paxos_message
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (s', om')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s' leaders_ix !!! b) !! a =
Some lv
si': leaders_state
om'0: option paxos_message
H_leaders_step: leaders_transition li
  (s leaders_ix, om) = (
si', om'0)
Hstep: (state_update IM s leaders_ix si', om'0) =
(s', om')
has_been_sent paxos_vlsm s' (b, m_1b a lv)
      injection Hstep as [= <- ->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
li: label (IM leaders_ix)
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b
  (state_update IM s leaders_ix si'
     leaders_ix !!! b) !! a = 
Some lv
H_leaders_step: leaders_transition li
  (s leaders_ix, om) = (
si', om')
has_been_sent paxos_vlsm
  (state_update IM s leaders_ix si') (b, m_1b a lv)
      rewrite state_update_eq in Hlookup.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
li: label (IM leaders_ix)
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
H_leaders_step: leaders_transition li
  (s leaders_ix, om) = (
si', om')
has_been_sent paxos_vlsm
  (state_update IM s leaders_ix si') (b, m_1b a lv)
      apply localize_sent_messages; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
li: label (IM leaders_ix)
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
H_leaders_step: leaders_transition li
  (s leaders_ix, om) = (
si', om')
has_been_sent (IM (message_sender (b, m_1b a lv).2))
  (state_update IM s leaders_ix si'
     (message_sender (b, m_1b a lv).2)) (b, m_1b a lv)
      simpl; rewrite state_update_neq by discriminate.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
li: label (IM leaders_ix)
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
H_leaders_step: leaders_transition li
  (s leaders_ix, om) = (
si', om')
paxos_acceptor_has_been_sent a (s (acceptor_ix a))
  (b, m_1b a lv)
      rewrite <- (localize_sent_messages s Hs (b, m_1b a lv)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
li: label (IM leaders_ix)
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
H_leaders_step: leaders_transition li
  (s leaders_ix, om) = (
si', om')
has_been_sent paxos_vlsm s (b, m_1b a lv)
      unfold leaders_transition in H_leaders_step.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
li: label (IM leaders_ix)
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix li) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
H_leaders_step: (let
 '(b, l) := li in
  λ '(s, im),
    match
      leader_transition l
        (s !!! b, im)
    with
    | Some (sb', om) =>
        (<[b:=sb']> s, pair b <$> om)
    | None => (s, None)
    end) (s leaders_ix, om) =
(si', om')
has_been_sent paxos_vlsm s (b, m_1b a lv)
      destruct li as [b_l l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
b_l: Ballot
l: leader_label
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b_l, l)) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
H_leaders_step: match
  leader_transition l
    (s leaders_ix !!! b_l, om)
with
| Some (sb', om) =>
    (<[b_l:=sb']> (s leaders_ix),
     pair b_l <$> om)
| None => (s leaders_ix, None)
end = (si', om')
has_been_sent paxos_vlsm s (b, m_1b a lv)
      assert (H_unchanged : s leaders_ix = si' -> has_been_sent paxos_vlsm s (b, m_1b a lv))
        by (intros <-; auto).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
b_l: Ballot
l: leader_label
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b_l, l)) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
H_leaders_step: match
  leader_transition l
    (s leaders_ix !!! b_l, om)
with
| Some (sb', om) =>
    (<[b_l:=sb']> (s leaders_ix),
     pair b_l <$> om)
| None => (s leaders_ix, None)
end = (si', om')
H_unchanged: s leaders_ix = si'
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
has_been_sent paxos_vlsm s (b, m_1b a lv)
      destruct (leader_transition _ _) as [[slb' lom] |] eqn: H_leader_step in H_leaders_step;
        [| by apply H_unchanged; congruence].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
si': leaders_state
b_l: Ballot
l: leader_label
om, om': option paxos_message
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b_l, l)) (
  s, om) (state_update IM s leaders_ix si', om')
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix si')
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (si' !!! b) !! a = Some lv
slb': ballot_state
lom: option paxos_message_body
H_leader_step: leader_transition l
  (s leaders_ix !!! b_l, om) =
Some (slb', lom)
H_leaders_step: (<[b_l:=slb']> (s leaders_ix),
 pair b_l <$> lom) = (si', om')
H_unchanged: s leaders_ix = si'
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
has_been_sent paxos_vlsm s (b, m_1b a lv)
      injection H_leaders_step as [= <- <-].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b_l: Ballot
l: leader_label
om: option paxos_message
slb': ballot_state
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b_l, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)),
   pair b_l <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b
  (<[b_l:=slb']> (s leaders_ix) !!! b) !! a =
Some lv
H_leader_step: leader_transition l
  (s leaders_ix !!! b_l, om) =
Some (slb', lom)
H_unchanged: s leaders_ix =
<[b_l:=slb']> (s leaders_ix)
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
has_been_sent paxos_vlsm s (b, m_1b a lv)
      destruct (decide (b = b_l)) as [<- |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: leader_label
om: option paxos_message
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)), 
   pair b <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
lv: option (Ballot * Value)
H_unchanged: s leaders_ix =
<[b:=slb']> (s leaders_ix)
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
H_leader_step: leader_transition l
  (s leaders_ix !!! b, om) =
Some (slb', lom)
Hlookup: gathered_1b
  (<[b:=slb']> (s leaders_ix) !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s (b, m_1b a lv)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b_l: Ballot
l: leader_label
om: option paxos_message
slb': ballot_state
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b_l, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)),
   pair b_l <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b
  (<[b_l:=slb']> (s leaders_ix) !!! b) !! a =
Some lv
H_leader_step: leader_transition l
  (s leaders_ix !!! b_l, om) =
Some (slb', lom)
H_unchanged: s leaders_ix =
<[b_l:=slb']> (s leaders_ix)
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
n: b ≠ b_l
has_been_sent paxos_vlsm s (b, m_1b a lv)
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: leader_label
om: option paxos_message
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)), 
   pair b <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
lv: option (Ballot * Value)
H_unchanged: s leaders_ix =
<[b:=slb']> (s leaders_ix)
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
H_leader_step: leader_transition l
  (s leaders_ix !!! b, om) =
Some (slb', lom)
Hlookup: gathered_1b
  (<[b:=slb']> (s leaders_ix) !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s (b, m_1b a lv) clear H_unchanged.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: leader_label
om: option paxos_message
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)), 
   pair b <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
lv: option (Ballot * Value)
H_leader_step: leader_transition l
  (s leaders_ix !!! b, om) =
Some (slb', lom)
Hlookup: gathered_1b
  (<[b:=slb']> (s leaders_ix) !!! b) !! a =
Some lv
has_been_sent paxos_vlsm s (b, m_1b a lv)
        rewrite (lookup_total_insert (s leaders_ix)) in Hlookup by done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: leader_label
om: option paxos_message
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)), 
   pair b <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
lv: option (Ballot * Value)
H_leader_step: leader_transition l
  (s leaders_ix !!! b, om) =
Some (slb', lom)
Hlookup: gathered_1b slb' !! a = Some lv
has_been_sent paxos_vlsm s (b, m_1b a lv)
        apply leader_gathered_1b_step with (1 := H_leader_step)
          in Hlookup as [[-> [b' ->]] |]; [| by auto].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
a: Acceptor
lv: option (Ballot * Value)
b': Ballot
H_leader_step: leader_transition L_recv_1b
  (s leaders_ix !!! b,
   Some (b', m_1b a lv)) =
Some (slb', lom)
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b, L_recv_1b))
  (s, Some (b', m_1b a lv))
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)), 
   pair b <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
has_been_sent paxos_vlsm s (b, m_1b a lv)
        destruct Ht as [(_ & _ & Hvalid) _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
a: Acceptor
lv: option (Ballot * Value)
b': Ballot
H_leader_step: leader_transition L_recv_1b
  (s leaders_ix !!! b,
   Some (b', m_1b a lv)) =
Some (slb', lom)
Hvalid: valid (existT leaders_ix (b, L_recv_1b))
  (s, Some (b', m_1b a lv))
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
has_been_sent paxos_vlsm s (b, m_1b a lv)
        destruct Hvalid as [H_leader_valid H_no_equivocation].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
a: Acceptor
lv: option (Ballot * Value)
b': Ballot
H_leader_step: leader_transition L_recv_1b
  (s leaders_ix !!! b,
   Some (b', m_1b a lv)) =
Some (slb', lom)
H_leader_valid: valid
  (existT leaders_ix (b, L_recv_1b))
  (s, Some (b', m_1b a lv))
H_no_equivocation: no_equivocations
  (free_composite_vlsm IM)
  (existT leaders_ix
     (b, L_recv_1b))
  (s, Some (b', m_1b a lv))
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
has_been_sent paxos_vlsm s (b, m_1b a lv)
        cbn in H_leader_valid; subst b'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
slb': ballot_state
b: Ballot
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b:=slb']> (s leaders_ix)))
lom: option paxos_message_body
a: Acceptor
lv: option (Ballot * Value)
H_leader_step: leader_transition L_recv_1b
  (s leaders_ix !!! b,
   Some (b, m_1b a lv)) =
Some (slb', lom)
H_no_equivocation: no_equivocations
  (free_composite_vlsm IM)
  (existT leaders_ix
     (b, L_recv_1b))
  (s, Some (b, m_1b a lv))
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
has_been_sent paxos_vlsm s (b, m_1b a lv)
        by destruct H_no_equivocation.
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b_l: Ballot
l: leader_label
om: option paxos_message
slb': ballot_state
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b_l, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)),
   pair b_l <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b
  (<[b_l:=slb']> (s leaders_ix) !!! b) !! a =
Some lv
H_leader_step: leader_transition l
  (s leaders_ix !!! b_l, om) =
Some (slb', lom)
H_unchanged: s leaders_ix =
<[b_l:=slb']> (s leaders_ix)
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
n: b ≠ b_l
has_been_sent paxos_vlsm s (b, m_1b a lv) rewrite (lookup_total_insert_ne (s leaders_ix)) in Hlookup by done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b_l: Ballot
l: leader_label
om: option paxos_message
slb': ballot_state
Hs': constrained_state_prop paxos_vlsm
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)))
lom: option paxos_message_body
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  (existT leaders_ix (b_l, l)) (
  s, om)
  (state_update IM s leaders_ix
     (<[b_l:=slb']> (s leaders_ix)),
   pair b_l <$> lom)
IHc: constrained_state_prop paxos_vlsm s
→ ∀ (b : Ballot) (a : Acceptor) 
    (lv : option (Ballot * Value)),
    gathered_1b (s leaders_ix !!! b) !! a =
    Some lv
    → has_been_sent paxos_vlsm s (b, m_1b a lv)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some lv
H_leader_step: leader_transition l
  (s leaders_ix !!! b_l, om) =
Some (slb', lom)
H_unchanged: s leaders_ix =
<[b_l:=slb']> (s leaders_ix)
→ has_been_sent paxos_vlsm s
    (b, m_1b a lv)
n: b ≠ b_l
has_been_sent paxos_vlsm s (b, m_1b a lv)
        by apply IHc.
Qed.

Lemma check_safe_at_okay :
  forall b v,
    v ∈ calculate_safe_values b ((s leaders_ix : leaders_state) !!! b).(gathered_1b) ->
      exists Q : sig Quorum, ShowsSafeAt s Q b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (v : Value),
  v
  ∈ calculate_safe_values b
      (gathered_1b
         ((s leaders_ix : leaders_state) !!! b))
  → ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
∀ (b : Ballot) (v : Value),
  v
  ∈ calculate_safe_values b
      (gathered_1b
         ((s leaders_ix : leaders_state) !!! b))
  → ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
  intros b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
v
∈ calculate_safe_values b
    (gathered_1b
       ((s leaders_ix : leaders_state) !!! b))
→ ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
  destruct (calculate_safe_values _ _) as [| safe_vs] eqn: H_safe_vs; simpl; intros Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
H_safe_vs: calculate_safe_values b
  (gathered_1b (s leaders_ix !!! b)) =
any_value
Hv: v ∈ any_value
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
H_safe_vs: calculate_safe_values b
  (gathered_1b (s leaders_ix !!! b)) =
some_values safe_vs
Hv: v ∈ some_values safe_vs
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
H_safe_vs: calculate_safe_values b
  (gathered_1b (s leaders_ix !!! b)) =
any_value
Hv: v ∈ any_value
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v apply calculate_safe_values_any_ok in H_safe_vs as [Q HQ].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → gathered_1b (s leaders_ix !!! b) !! a =
    Some None
Hv: v ∈ any_value
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
    exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → gathered_1b (s leaders_ix !!! b) !! a =
    Some None
Hv: v ∈ any_value
ShowsSafeAt s Q b v
    unfold ShowsSafeAt.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → gathered_1b (s leaders_ix !!! b) !! a =
    Some None
Hv: v ∈ any_value
(∀ a : Acceptor,
   a ∈ `Q
   → ∃ last_vote : option (Ballot * Value),
       has_been_sent paxos_vlsm s
         (b, m_1b a last_vote))
∧ (NoPrevVotes s (`Q) b
   ∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
        v ∈ vsafe
        ∧ has_been_sent paxos_vlsm s
            (b_1c, m_1c vsafe)
          ∧ (∃ a : Acceptor,
               a ∈ `Q
               ∧ (∃ v_lv_a : Value,
                    has_been_sent paxos_vlsm s
                      (b, m_1b a (Some (b_1c, v_lv_a)))))
            ∧ (∀ a : Acceptor,
                 a ∈ `Q
                 → ∀ (b_lv : Ballot) (v_lv : Value),
                     has_been_sent paxos_vlsm s
                       (b, m_1b a (Some (b_lv, v_lv)))
                     → (b_lv ≤ b_1c)%Z
                       ∧ (b_lv = b_1c → v_lv = v))))
    split; [| left]; (intros a Ha; specialize (HQ a Ha); apply gathered_1b_ok in HQ).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: has_been_sent paxos_vlsm s (b, m_1b a None)
Hv: v ∈ any_value
Ha: a ∈ `Q
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a last_vote)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: has_been_sent paxos_vlsm s (b, m_1b a None)
Hv: v ∈ any_value
Ha: a ∈ `Q
∀ lv : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a lv)
  → lv = None
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: has_been_sent paxos_vlsm s (b, m_1b a None)
Hv: v ∈ any_value
Ha: a ∈ `Q
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a last_vote) by exists None.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: has_been_sent paxos_vlsm s (b, m_1b a None)
Hv: v ∈ any_value
Ha: a ∈ `Q
∀ lv : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a lv)
  → lv = None by intros; eapply sent_1b_once.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
H_safe_vs: calculate_safe_values b
  (gathered_1b (s leaders_ix !!! b)) =
some_values safe_vs
Hv: v ∈ some_values safe_vs
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v apply calculate_safe_values_some_ok with (v := v)
      in H_safe_vs as (Q & HQ & H_some_Q_voted); [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
    exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
ShowsSafeAt s Q b v
    unfold ShowsSafeAt.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
(∀ a : Acceptor,
   a ∈ `Q
   → ∃ last_vote : option (Ballot * Value),
       has_been_sent paxos_vlsm s
         (b, m_1b a last_vote))
∧ (NoPrevVotes s (`Q) b
   ∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
        v ∈ vsafe
        ∧ has_been_sent paxos_vlsm s
            (b_1c, m_1c vsafe)
          ∧ (∃ a : Acceptor,
               a ∈ `Q
               ∧ (∃ v_lv_a : Value,
                    has_been_sent paxos_vlsm s
                      (b, m_1b a (Some (b_1c, v_lv_a)))))
            ∧ (∀ a : Acceptor,
                 a ∈ `Q
                 → ∀ (b_lv : Ballot) (v_lv : Value),
                     has_been_sent paxos_vlsm s
                       (b, m_1b a (Some (b_lv, v_lv)))
                     → (b_lv ≤ b_1c)%Z
                       ∧ (b_lv = b_1c → v_lv = v))))
    split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option (Ballot * Value),
      has_been_sent paxos_vlsm s (b, m_1b a last_vote)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v)))
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option (Ballot * Value),
      has_been_sent paxos_vlsm s (b, m_1b a last_vote) intros a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
a: Acceptor
Ha: a ∈ `Q
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a last_vote)
      destruct (HQ a Ha) as [(vbal & HQ' & Hbal_lt) | HQ']; apply gathered_1b_ok in HQ'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
a: Acceptor
Ha: a ∈ `Q
vbal: Ballot
HQ': has_been_sent paxos_vlsm s
  (b, m_1b a (Some (vbal, v)))
Hbal_lt: (vbal < b)%Z
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a last_vote)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
a: Acceptor
Ha: a ∈ `Q
HQ': has_been_sent paxos_vlsm s (b, m_1b a None)
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a last_vote)
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
a: Acceptor
Ha: a ∈ `Q
vbal: Ballot
HQ': has_been_sent paxos_vlsm s
  (b, m_1b a (Some (vbal, v)))
Hbal_lt: (vbal < b)%Z
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a last_vote) by exists (Some (vbal, v)).
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
a: Acceptor
Ha: a ∈ `Q
HQ': has_been_sent paxos_vlsm s (b, m_1b a None)
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s (b, m_1b a last_vote) by exists None.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v))) right.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ some_values safe_vs
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      change (v ∈ safe_vs) in Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      set (messages_from_Q :=
        filter (fun '(a, _) => a ∈ `Q) (gathered_1b ((s leaders_ix : leaders_state) !!! b))).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      set (prev_votes := map_to_set (fun _ b => b) (omap (fmap fst) messages_from_Q) : Bset).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      assert (H16 : prev_votes ≢ ∅).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
prev_votes ≢ ∅
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
prev_votes ≢ ∅
        destruct H_some_Q_voted as (a_hist & lv_hist & Ha_hist & Hlookup & H_lv_not_none).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_hist: option (Ballot * Value)
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some lv_hist
H_lv_not_none: lv_hist ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
prev_votes ≢ ∅
        destruct lv_hist as [[lv_bal lv_val] |]; [clear H_lv_not_none | done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
prev_votes ≢ ∅
        destruct (HQ a_hist Ha_hist) as [(a_hist_bal & Ha_bal & Hbal_lt) |]; [| by congruence].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
a_hist_bal: Ballot
Ha_bal: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (a_hist_bal, v))
Hbal_lt: (a_hist_bal < b)%Z
prev_votes ≢ ∅
        apply (non_empty_inhabited a_hist_bal), elem_of_map_to_set.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
a_hist_bal: Ballot
Ha_bal: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (a_hist_bal, v))
Hbal_lt: (a_hist_bal < b)%Z
∃ (i : Acceptor) (x : Ballot),
  omap (fmap fst) messages_from_Q !! i = Some x
  ∧ x = a_hist_bal
        exists a_hist, a_hist_bal.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
a_hist_bal: Ballot
Ha_bal: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (a_hist_bal, v))
Hbal_lt: (a_hist_bal < b)%Z
omap (fmap fst) messages_from_Q !! a_hist =
Some a_hist_bal ∧ a_hist_bal = a_hist_bal
        split; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
a_hist_bal: Ballot
Ha_bal: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (a_hist_bal, v))
Hbal_lt: (a_hist_bal < b)%Z
omap (fmap fst) messages_from_Q !! a_hist =
Some a_hist_bal
        apply lookup_omap_Some.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
a_hist_bal: Ballot
Ha_bal: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (a_hist_bal, v))
Hbal_lt: (a_hist_bal < b)%Z
∃ x : option (Ballot * Value),
  fst <$> x = Some a_hist_bal
  ∧ messages_from_Q !! a_hist = Some x
        exists (Some (a_hist_bal, v)); split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
a_hist_bal: Ballot
Ha_bal: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (a_hist_bal, v))
Hbal_lt: (a_hist_bal < b)%Z
messages_from_Q !! a_hist =
Some (Some (a_hist_bal, v))
        unfold messages_from_Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
a_hist: Acceptor
lv_bal: Ballot
lv_val: Value
Ha_hist: a_hist ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (lv_bal, lv_val))
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
a_hist_bal: Ballot
Ha_bal: gathered_1b (s leaders_ix !!! b) !! a_hist =
Some (Some (a_hist_bal, v))
Hbal_lt: (a_hist_bal < b)%Z
filter (λ '(a, _), a ∈ `Q)
  (gathered_1b (s leaders_ix !!! b)) !! a_hist =
Some (Some (a_hist_bal, v))
        by apply map_lookup_filter_Some.
      }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      assert (H17 : exists newest_vote : N,
        newest_vote ∈ prev_votes /\ minimal (flip N.le) newest_vote prev_votes).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
∃ newest_vote : N,
  newest_vote ∈ prev_votes
  ∧ minimal (flip N.le) newest_vote prev_votes
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
H17: ∃ newest_vote : N,
  newest_vote ∈ prev_votes
  ∧ minimal (flip N.le) newest_vote prev_votes
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
∃ newest_vote : N,
  newest_vote ∈ prev_votes
  ∧ minimal (flip N.le) newest_vote prev_votes
        by apply minimal_exists; try typeclasses eauto.
      }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
H17: ∃ newest_vote : N,
  newest_vote ∈ prev_votes
  ∧ minimal (flip N.le) newest_vote prev_votes
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      destruct H17 as (newest_lv & H_newest_lv_voted & H_newest_lv_maximal).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: N
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      change Ballot in newest_lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      exists newest_lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
∃ vsafe : AllOrFin VSet,
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (newest_lv, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (newest_lv, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ newest_lv)%Z
                 ∧ (b_lv = newest_lv → v_lv = v))
      assert (H_prev_votes : forall b_vote : Ballot, b_vote ∈ prev_votes <->
        exists a, a ∈ `Q /\
        gathered_1b ((s leaders_ix : leaders_state) !!! b) !! a = Some (Some (b_vote, v))).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b (s leaders_ix !!! b) !! a =
         Some (Some (b_vote, v)))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
∃ vsafe : AllOrFin VSet,
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (newest_lv, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (newest_lv, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ newest_lv)%Z
                 ∧ (b_lv = newest_lv → v_lv = v))
      {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b (s leaders_ix !!! b) !! a =
         Some (Some (b_vote, v)))
        intros b_vote.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
b_vote ∈ prev_votes
↔ (∃ a : Acceptor,
     a ∈ `Q
     ∧ gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (b_vote, v)))
        split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
b_vote ∈ prev_votes
→ ∃ a : Acceptor,
    a ∈ `Q
    ∧ gathered_1b (s leaders_ix !!! b) !! a =
      Some (Some (b_vote, v))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
(∃ a : Acceptor,
   a ∈ `Q
   ∧ gathered_1b (s leaders_ix !!! b) !! a =
     Some (Some (b_vote, v))) → 
b_vote ∈ prev_votes
        -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
b_vote ∈ prev_votes
→ ∃ a : Acceptor,
    a ∈ `Q
    ∧ gathered_1b (s leaders_ix !!! b) !! a =
      Some (Some (b_vote, v)) intro H_voted.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
H_voted: b_vote ∈ prev_votes
∃ a : Acceptor,
  a ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b) !! a =
    Some (Some (b_vote, v))
          apply elem_of_map_to_set in H_voted as (a_bv & x & H_a_bv & ->).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a_bv: Acceptor
H_a_bv: omap (fmap fst) messages_from_Q !! a_bv =
Some b_vote
∃ a : Acceptor,
  a ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b) !! a =
    Some (Some (b_vote, v))
          exists a_bv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a_bv: Acceptor
H_a_bv: omap (fmap fst) messages_from_Q !! a_bv =
Some b_vote
a_bv ∈ `Q
∧ gathered_1b (s leaders_ix !!! b) !! a_bv =
  Some (Some (b_vote, v))
          apply lookup_omap_Some in H_a_bv as (x & H_x_fst & H_a_bv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a_bv: Acceptor
x: option (Ballot * Value)
H_x_fst: fst <$> x = Some b_vote
H_a_bv: messages_from_Q !! a_bv = Some x
a_bv ∈ `Q
∧ gathered_1b (s leaders_ix !!! b) !! a_bv =
  Some (Some (b_vote, v))
          destruct x as [[xbal xv] |]; [| by contradict H_x_fst].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a_bv: Acceptor
xbal: Ballot
xv: Value
H_x_fst: fst <$> Some (xbal, xv) = Some b_vote
H_a_bv: messages_from_Q !! a_bv =
Some (Some (xbal, xv))
a_bv ∈ `Q
∧ gathered_1b (s leaders_ix !!! b) !! a_bv =
  Some (Some (b_vote, v))
          injection H_x_fst as [=->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a_bv: Acceptor
xv: Value
H_a_bv: messages_from_Q !! a_bv =
Some (Some (b_vote, xv))
a_bv ∈ `Q
∧ gathered_1b (s leaders_ix !!! b) !! a_bv =
  Some (Some (b_vote, v))
          apply map_lookup_filter_Some in H_a_bv as [H_abv_lookup H_abv_Q].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a_bv: Acceptor
xv: Value
H_abv_lookup: gathered_1b (s leaders_ix !!! b)
!! a_bv = Some (Some (b_vote, xv))
H_abv_Q: a_bv ∈ `Q
a_bv ∈ `Q
∧ gathered_1b (s leaders_ix !!! b) !! a_bv =
  Some (Some (b_vote, v))
          split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a_bv: Acceptor
xv: Value
H_abv_lookup: gathered_1b (s leaders_ix !!! b)
!! a_bv = Some (Some (b_vote, xv))
H_abv_Q: a_bv ∈ `Q
gathered_1b (s leaders_ix !!! b) !! a_bv =
Some (Some (b_vote, v))
          by destruct (HQ _ H_abv_Q) as [(vbal' & H_abv_lookup' & _) |]; congruence.
        -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
(∃ a : Acceptor,
   a ∈ `Q
   ∧ gathered_1b (s leaders_ix !!! b) !! a =
     Some (Some (b_vote, v))) → b_vote ∈ prev_votes intros (a & Ha & Hlookup).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a: Acceptor
Ha: a ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_vote, v))
b_vote ∈ prev_votes
          apply elem_of_map_to_set.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a: Acceptor
Ha: a ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_vote, v))
∃ (i : Acceptor) (x : Ballot),
  omap (fmap fst) messages_from_Q !! i = Some x
  ∧ x = b_vote
          exists a, b_vote.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a: Acceptor
Ha: a ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_vote, v))
omap (fmap fst) messages_from_Q !! a = Some b_vote
∧ b_vote = b_vote
          split; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a: Acceptor
Ha: a ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_vote, v))
omap (fmap fst) messages_from_Q !! a = Some b_vote
          apply lookup_omap_Some.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a: Acceptor
Ha: a ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_vote, v))
∃ x : option (Ballot * Value),
  fst <$> x = Some b_vote
  ∧ messages_from_Q !! a = Some x
          exists (Some (b_vote, v)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a: Acceptor
Ha: a ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_vote, v))
fst <$> Some (b_vote, v) = Some b_vote
∧ messages_from_Q !! a = Some (Some (b_vote, v))
          split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
b_vote: Ballot
a: Acceptor
Ha: a ∈ `Q
Hlookup: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_vote, v))
messages_from_Q !! a = Some (Some (b_vote, v))
          by apply map_lookup_filter_Some.
      }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
∃ vsafe : AllOrFin VSet,
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (newest_lv, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (newest_lv, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ newest_lv)%Z
                 ∧ (b_lv = newest_lv → v_lv = v))
      apply H_prev_votes in H_newest_lv_voted as Hsent; destruct Hsent as (a' & _ & Hsent).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
Hsent: gathered_1b (s leaders_ix !!! b) !! a' =
Some (Some (newest_lv, v))
∃ vsafe : AllOrFin VSet,
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (newest_lv, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (newest_lv, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ newest_lv)%Z
                 ∧ (b_lv = newest_lv → v_lv = v))
      apply preloaded_with_all_messages_valid_state_prop in Hs as Hs_pre.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
Hsent: gathered_1b (s leaders_ix !!! b) !! a' =
Some (Some (newest_lv, v))
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ vsafe : AllOrFin VSet,
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (newest_lv, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (newest_lv, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ newest_lv)%Z
                 ∧ (b_lv = newest_lv → v_lv = v))
      apply gathered_1b_ok, sent_1b_impl_sent_lastvote_as_2b, sent_2b_after_2a, sent_2a_after_1c
        in Hsent as (vsafe_vs & H_v_safe_vs & H_safe_vs_sent); [| done..].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ vsafe : AllOrFin VSet,
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s (newest_lv, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (b, m_1b a (Some (newest_lv, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ newest_lv)%Z
                 ∧ (b_lv = newest_lv → v_lv = v))
      exists vsafe_vs; split; [done |]; split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
(∃ a : Acceptor,
   a ∈ `Q
   ∧ (∃ v_lv_a : Value,
        has_been_sent paxos_vlsm s
          (b, m_1b a (Some (newest_lv, v_lv_a)))))
∧ (∀ a : Acceptor,
     a ∈ `Q
     → ∀ (b_lv : Ballot) (v_lv : Value),
         has_been_sent paxos_vlsm s
           (b, m_1b a (Some (b_lv, v_lv)))
         → (b_lv ≤ newest_lv)%Z
           ∧ (b_lv = newest_lv → v_lv = v))
      split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b, m_1b a (Some (newest_lv, v_lv_a))))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ newest_lv)%Z
        ∧ (b_lv = newest_lv → v_lv = v)
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b, m_1b a (Some (newest_lv, v_lv_a)))) rename H_newest_lv_voted into Hnew.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
Hnew: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b, m_1b a (Some (newest_lv, v_lv_a))))
        unfold prev_votes in Hnew.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
Hnew: newest_lv
∈ map_to_set (λ (_ : Acceptor) (b : Ballot), b)
    (omap (fmap fst) messages_from_Q)
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b, m_1b a (Some (newest_lv, v_lv_a))))
        apply elem_of_map_to_set in Hnew as (a & ? & Hnew & ->).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
Hnew: omap (fmap fst) messages_from_Q !! a =
Some newest_lv
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b, m_1b a (Some (newest_lv, v_lv_a))))
        exists a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
Hnew: omap (fmap fst) messages_from_Q !! a =
Some newest_lv
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a ∈ `Q
∧ (∃ v_lv_a : Value,
     has_been_sent paxos_vlsm s
       (b, m_1b a (Some (newest_lv, v_lv_a))))
        apply lookup_omap_Some in Hnew as (lv_new & Hlv_new & Hnew).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
lv_new: option (Ballot * Value)
Hlv_new: fst <$> lv_new = Some newest_lv
Hnew: messages_from_Q !! a = Some lv_new
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a ∈ `Q
∧ (∃ v_lv_a : Value,
     has_been_sent paxos_vlsm s
       (b, m_1b a (Some (newest_lv, v_lv_a))))
        destruct lv_new as [[b_new v_new] |]; cbn in Hlv_new; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
b_new: Ballot
v_new: Value
Hlv_new: Some b_new = Some newest_lv
Hnew: messages_from_Q !! a =
Some (Some (b_new, v_new))
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a ∈ `Q
∧ (∃ v_lv_a : Value,
     has_been_sent paxos_vlsm s
       (b, m_1b a (Some (newest_lv, v_lv_a))))
        injection Hlv_new as [= ->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
v_new: Value
Hnew: messages_from_Q !! a =
Some (Some (newest_lv, v_new))
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a ∈ `Q
∧ (∃ v_lv_a : Value,
     has_been_sent paxos_vlsm s
       (b, m_1b a (Some (newest_lv, v_lv_a))))
        apply map_lookup_filter_Some in Hnew as [Hnew Ha].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
v_new: Value
Hnew: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (newest_lv, v_new))
Ha: a ∈ `Q
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a ∈ `Q
∧ (∃ v_lv_a : Value,
     has_been_sent paxos_vlsm s
       (b, m_1b a (Some (newest_lv, v_lv_a))))
        split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
v_new: Value
Hnew: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (newest_lv, v_new))
Ha: a ∈ `Q
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∃ v_lv_a : Value,
  has_been_sent paxos_vlsm s
    (b, m_1b a (Some (newest_lv, v_lv_a)))
        exists v_new.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
a: Acceptor
v_new: Value
Hnew: gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (newest_lv, v_new))
Ha: a ∈ `Q
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
has_been_sent paxos_vlsm s
  (b, m_1b a (Some (newest_lv, v_new)))
        by apply gathered_1b_ok in Hnew.
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ newest_lv)%Z
        ∧ (b_lv = newest_lv → v_lv = v) intros a Ha b_a v_a Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
(b_a ≤ newest_lv)%Z ∧ (b_a = newest_lv → v_a = v)
        assert (H_sent_unique : forall lv,
          gathered_1b ((s leaders_ix : leaders_state) !!! b) !! a = Some lv ->
            lv = (Some (b_a, v_a))).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
∀ lv : option (Ballot * Value),
  gathered_1b (s leaders_ix !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
(b_a ≤ newest_lv)%Z ∧ (b_a = newest_lv → v_a = v)
        {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
∀ lv : option (Ballot * Value),
  gathered_1b (s leaders_ix !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
          intros lv' Hlv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
lv': option (Ballot * Value)
Hlv: gathered_1b (s leaders_ix !!! b) !! a = Some lv'
lv' = Some (b_a, v_a)
          apply gathered_1b_ok in Hlv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
lv': option (Ballot * Value)
Hlv: has_been_sent paxos_vlsm s (b, m_1b a lv')
lv' = Some (b_a, v_a)
          by eapply sent_1b_once.
        }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
(b_a ≤ newest_lv)%Z ∧ (b_a = newest_lv → v_a = v)
        assert (b_a ∈ prev_votes).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
b_a ∈ prev_votes
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
(b_a ≤ newest_lv)%Z ∧ (b_a = newest_lv → v_a = v)
        {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
b_a ∈ prev_votes
          apply H_prev_votes.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
∃ a : Acceptor,
  a ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b) !! a =
    Some (Some (b_a, v))
          exists a; split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
gathered_1b (s leaders_ix !!! b) !! a =
Some (Some (b_a, v))
          by destruct (HQ a Ha) as [(vbal' & Hsent2 & _) | Hsent2];
            rewrite Hsent2; apply H_sent_unique in Hsent2; congruence.
        }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
(b_a ≤ newest_lv)%Z ∧ (b_a = newest_lv → v_a = v)
        split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
(b_a ≤ newest_lv)%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
b_a = newest_lv → v_a = v
        --Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
(b_a ≤ newest_lv)%Z apply N2Z.inj_le.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
(b_a ≤ newest_lv)%N
           generalize (H_newest_lv_maximal b_a H17); simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
((newest_lv ≤ b_a)%N → (b_a ≤ newest_lv)%N)
→ (b_a ≤ newest_lv)%N
           by lia.
        --Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
safe_vs: VSet
Q: {x : ASet | Quorum x}
HQ: ∀ a : Acceptor,
  a ∈ `Q
  → (∃ vbal : Ballot,
       gathered_1b (s leaders_ix !!! b) !! a =
       Some (Some (vbal, v)) ∧ 
       (vbal < b)%Z)
    ∨ gathered_1b (s leaders_ix !!! b) !! a =
      Some None
H_some_Q_voted: ∃ (a_hist : Acceptor) (lv : 
                       option
                       (Ballot *
                       Value)),
  a_hist ∈ `Q
  ∧ gathered_1b (s leaders_ix !!! b)
    !! a_hist = Some lv ∧ 
    lv ≠ None
Hv: v ∈ safe_vs
messages_from_Q:= filter (λ '(a, _), a ∈ `Q)
  (gathered_1b
     ((s leaders_ix : leaders_state)
      !!! b)): AMap (option (Ballot * Value))
prev_votes:= map_to_set
  (λ (_ : Acceptor) (b : Ballot), b)
  (omap (fmap fst) messages_from_Q)
:
Bset: Bset
H16: prev_votes ≢ ∅
newest_lv: Ballot
H_newest_lv_voted: newest_lv ∈ prev_votes
H_newest_lv_maximal: minimal (flip N.le) newest_lv
  prev_votes
H_prev_votes: ∀ b_vote : Ballot,
  b_vote ∈ prev_votes
  ↔ (∃ a : Acceptor,
       a ∈ `Q
       ∧ gathered_1b
           ((s leaders_ix
             :
             leaders_state) !!! b) !! a =
         Some (Some (b_vote, v)))
a': Acceptor
vsafe_vs: AllOrFin VSet
H_v_safe_vs: v ∈ vsafe_vs
H_safe_vs_sent: has_been_sent paxos_vlsm s
  (newest_lv, m_1c vsafe_vs)
Hs_pre: constrained_state_prop
  (preloaded_with_all_messages_vlsm
     paxos_vlsm) s
a: Acceptor
Ha: a ∈ `Q
b_a: Ballot
v_a: Value
Hsent: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_a, v_a)))
H_sent_unique: ∀ lv : option (Ballot * Value),
  gathered_1b
    ((s leaders_ix : leaders_state)
     !!! b) !! a = Some lv
  → lv = Some (b_a, v_a)
H17: b_a ∈ prev_votes
b_a = newest_lv → v_a = v by destruct (HQ a Ha) as [(vbal' & Hsent2 & _) | Hsent2];
            apply H_sent_unique in Hsent2; congruence.
Qed.

Now we relate these claimed inductive properties, Paxos's ShowsSafeAt, and Voting's SafeAt

Lemma PT1 :
  P1bInv_prop -> P1cInv_prop ->
  forall (Q : sig Quorum) (b : Ballot) (v : Value),
    ShowsSafeAt s Q b v -> V_SafeAt b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P1bInv_prop
→ P1cInv_prop
  → ∀ (Q : {x : ASet | Quorum x}) (b : Ballot) (v : Value),
      ShowsSafeAt s Q b v → V_SafeAt b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P1bInv_prop
→ P1cInv_prop
  → ∀ (Q : {x : ASet | Quorum x}) (b : Ballot) (v : Value),
      ShowsSafeAt s Q b v → V_SafeAt b v
  unfold P1bInv_prop, P1cInv_prop, ShowsSafeAt.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
(∀ (b_m : Ballot) (a_m : Acceptor) (lv_m : option
                                             (Ballot *
                                              Value)),
   has_been_sent paxos_vlsm s (b_m, m_1b a_m lv_m)
   → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
     ∧ (fst <$> lv_m < b_m)%Z
       ∧ (∀ b : Ballot,
            (b < b_m)%Z
            → (fst <$> lv_m < b)%Z
              → V_DidNotVoteIn a_m b))
→ (∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
     has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
     → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v)
  → ∀ (Q : {x : ASet | Quorum x}) (b : Ballot) (v : Value),
      (∀ a : Acceptor,
         a ∈ `Q
         → ∃ last_vote : option (Ballot * Value),
             has_been_sent paxos_vlsm s
               (b, m_1b a last_vote))
      ∧ (NoPrevVotes s (`Q) b
         ∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
              v ∈ vsafe
              ∧ has_been_sent paxos_vlsm s
                  (b_1c, m_1c vsafe)
                ∧ (∃ a : Acceptor,
                     a ∈ `Q
                     ∧ (∃ v_lv_a : Value,
                          has_been_sent paxos_vlsm s
                            (b,
                             m_1b a
                               (Some (b_1c, v_lv_a)))))
                  ∧ (∀ a : Acceptor,
                       a ∈ `Q
                       → ∀ (b_lv : Ballot) (v_lv : Value),
                           has_been_sent paxos_vlsm s
                             (b,
                              m_1b a
                                (Some (b_lv, v_lv)))
                           → (b_lv ≤ b_1c)%Z
                             ∧ (b_lv = b_1c → v_lv = v))))
      → V_SafeAt b v
  intros Inv1 Inv2 Q bv v [H_Q_voted_bv Hprev_votes].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
V_SafeAt bv v
  assert (H_non_voter :
    forall a : Acceptor, a ∈ `Q ->
      has_been_sent paxos_vlsm s (bv, m_1b a None) ->
      forall (d : Ballot), (d < bv)%Z -> V_DidNotVoteIn a d).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s (bv, m_1b a None)
    → ∀ d : Ballot, (d < bv)%Z → V_DidNotVoteIn a d
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
V_SafeAt bv v
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s (bv, m_1b a None)
    → ∀ d : Ballot, (d < bv)%Z → V_DidNotVoteIn a d
    intros a Ha Hsent d Hd.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
a: Acceptor
Ha: a ∈ `Q
Hsent: has_been_sent paxos_vlsm s (bv, m_1b a None)
d: Ballot
Hd: (d < bv)%Z
V_DidNotVoteIn a d
    apply Inv1 in Hsent as (_ & _ & Hsent).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
a: Acceptor
Ha: a ∈ `Q
Hsent: ∀ b : Ballot,
  (b < bv)%Z
  → (fst <$> None < b)%Z → V_DidNotVoteIn a b
d: Ballot
Hd: (d < bv)%Z
V_DidNotVoteIn a d
    apply (Hsent _ Hd).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
a: Acceptor
Ha: a ∈ `Q
Hsent: ∀ b : Ballot,
  (b < bv)%Z
  → (fst <$> None < b)%Z → V_DidNotVoteIn a b
d: Ballot
Hd: (d < bv)%Z
(fst <$> None < d)%Z
    by unfold Ballot_to_Z; cbn; lia.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
V_SafeAt bv v
  assert (Hwlog : NoPrevVotes s (`Q) bv -> SafeAt _ VSet _ ASet Quorum to_voting_state v bv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
V_SafeAt bv v
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
    (* There were no votes from Q before bv, so Q preserves safety of v all the way back *)
    intros H_no_prev_votes d Hd.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum to_voting_state d v Q
    exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
consensus_blocking_quorum Value VSet Acceptor ASet
  Quorum to_voting_state d v Q
    unfold consensus_blocking_quorum.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     vote_committed VSet (to_voting_state a) d)
∧ allQuorum Acceptor ASet Quorum Q
    (λ a : Acceptor,
       voted_none_but Value VSet (to_voting_state a) d
         v)
    split; intros a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
vote_committed VSet (to_voting_state a) d
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
voted_none_but Value VSet (to_voting_state a) d v
    -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
vote_committed VSet (to_voting_state a) d unfold vote_committed.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
(maxBal VSet (to_voting_state a) > d)%Z
      destruct (H_Q_voted_bv a Ha) as [a_lv H_a_sent_bv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
H_a_sent_bv: has_been_sent paxos_vlsm s
  (bv, m_1b a a_lv)
(maxBal VSet (to_voting_state a) > d)%Z
      destruct (Inv1 _ _ _ H_a_sent_bv) as [H_a_maxbal _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
H_a_sent_bv: has_been_sent paxos_vlsm s
  (bv, m_1b a a_lv)
H_a_maxbal: (bv ≤ paxos_maxBal (s (acceptor_ix a)))%Z
(maxBal VSet (to_voting_state a) > d)%Z
      by simpl; lia.
    -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
voted_none_but Value VSet (to_voting_state a) d v unfold voted_none_but.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
∀ w : Value,
  voted_for Value VSet (to_voting_state a) d w → w = v
      destruct (H_Q_voted_bv a Ha) as [a_lv H_a_sent_bv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
H_a_sent_bv: has_been_sent paxos_vlsm s
  (bv, m_1b a a_lv)
∀ w : Value,
  voted_for Value VSet (to_voting_state a) d w → w = v
      assert (a_lv = None) as -> by (apply (H_no_prev_votes a Ha); done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_a_sent_bv: has_been_sent paxos_vlsm s
  (bv, m_1b a None)
∀ w : Value,
  voted_for Value VSet (to_voting_state a) d w → w = v
      intros w Hvote.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
H_no_prev_votes: NoPrevVotes s (`Q) bv
d: Ballot
Hd: (d < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_a_sent_bv: has_been_sent paxos_vlsm s
  (bv, m_1b a None)
w: Value
Hvote: voted_for Value VSet (to_voting_state a) d w
w = v
      by apply H_non_voter in Hvote.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
Hprev_votes: NoPrevVotes s (`Q) bv
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent
                   paxos_vlsm s
                   (bv,
                    m_1b a
                      (Some
                       (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent
                    paxos_vlsm s
                    (bv,
                     m_1b a
                       (Some
                       (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
V_SafeAt bv v
  destruct Hprev_votes as [| H_had_1c]; [by apply Hwlog |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
H_had_1c: ∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s
      (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s
                (bv,
                 m_1b a
                   (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) 
               (v_lv : Value),
               has_been_sent paxos_vlsm s
                 (bv,
                  m_1b a
                    (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
V_SafeAt bv v
  destruct H_had_1c as (b_1c & vsafe & H_v_vsafe & H_sent_1c & _ & H_last_votes_bounded).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
V_SafeAt bv v
  assert (H_safe_at_1c : SafeAt _ VSet _ ASet Quorum to_voting_state v b_1c)
    by (eapply Inv2; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
H_safe_at_1c: SafeAt Value VSet Acceptor ASet Quorum
  to_voting_state v b_1c
V_SafeAt bv v
  intros d Hd.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
H_safe_at_1c: SafeAt Value VSet Acceptor ASet Quorum
  to_voting_state v b_1c
d: Ballot
Hd: (d < bv)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum to_voting_state d v Q
  assert (Hwlog2 : (d < b_1c)%Z -> exists Q0,
    consensus_blocking_quorum _ VSet _ ASet Quorum to_voting_state d v Q0).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
H_safe_at_1c: SafeAt Value VSet Acceptor ASet Quorum
  to_voting_state v b_1c
d: Ballot
Hd: (d < bv)%Z
(d < b_1c)%Z
→ ∃ Q0 : {x : ASet | Quorum x},
    consensus_blocking_quorum Value VSet Acceptor ASet
      Quorum to_voting_state d v Q0
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
H_safe_at_1c: SafeAt Value VSet Acceptor ASet Quorum
  to_voting_state v b_1c
d: Ballot
Hd: (d < bv)%Z
Hwlog2: (d < b_1c)%Z
→ ∃ Q0 : {x : ASet | Quorum x},
    consensus_blocking_quorum Value VSet
      Acceptor ASet Quorum to_voting_state d
      v Q0
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum to_voting_state d v Q
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
H_safe_at_1c: SafeAt Value VSet Acceptor ASet Quorum
  to_voting_state v b_1c
d: Ballot
Hd: (d < bv)%Z
(d < b_1c)%Z
→ ∃ Q0 : {x : ASet | Quorum x},
    consensus_blocking_quorum Value VSet Acceptor ASet
      Quorum to_voting_state d v Q0
    by intros Hlt; apply H_safe_at_1c; lia.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
H_safe_at_1c: SafeAt Value VSet Acceptor ASet Quorum
  to_voting_state v b_1c
d: Ballot
Hd: (d < bv)%Z
Hwlog2: (d < b_1c)%Z
→ ∃ Q0 : {x : ASet | Quorum x},
    consensus_blocking_quorum Value VSet
      Acceptor ASet Quorum to_voting_state d
      v Q0
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum to_voting_state d v Q
  destruct (Z.le_gt_cases b_1c d) as [Hle |]; [| by itauto].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hwlog: NoPrevVotes s (`Q) bv
→ SafeAt Value VSet Acceptor ASet Quorum
    to_voting_state v bv
H_safe_at_1c: SafeAt Value VSet Acceptor ASet Quorum
  to_voting_state v b_1c
d: Ballot
Hd: (d < bv)%Z
Hwlog2: (d < b_1c)%Z
→ ∃ Q0 : {x : ASet | Quorum x},
    consensus_blocking_quorum Value VSet
      Acceptor ASet Quorum to_voting_state d
      v Q0
Hle: (b_1c ≤ d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum to_voting_state d v Q
  clear H_safe_at_1c Hwlog Hwlog2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum to_voting_state d v Q
  exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
consensus_blocking_quorum Value VSet Acceptor ASet
  Quorum to_voting_state d v Q
  split; intros a Ha; destruct (H_Q_voted_bv a Ha) as [a_lv Hsent].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
Hsent: has_been_sent paxos_vlsm s (bv, m_1b a a_lv)
vote_committed VSet (to_voting_state a) d
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
Hsent: has_been_sent paxos_vlsm s (bv, m_1b a a_lv)
voted_none_but Value VSet (to_voting_state a) d v
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
Hsent: has_been_sent paxos_vlsm s (bv, m_1b a a_lv)
vote_committed VSet (to_voting_state a) d unfold vote_committed.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
Hsent: has_been_sent paxos_vlsm s (bv, m_1b a a_lv)
(maxBal VSet (to_voting_state a) > d)%Z
    apply Inv1 in Hsent as [Hbound _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
Hbound: (bv ≤ paxos_maxBal (s (acceptor_ix a)))%Z
(maxBal VSet (to_voting_state a) > d)%Z
    by simpl; lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
a_lv: option (Ballot * Value)
Hsent: has_been_sent paxos_vlsm s (bv, m_1b a a_lv)
voted_none_but Value VSet (to_voting_state a) d v destruct a_lv as [[b_lv v_lv] |];
      [| by intros w Hvote; contradict Hvote; eapply H_non_voter].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
voted_none_but Value VSet (to_voting_state a) d v
    destruct (Inv1 _ _ _ Hsent) as (_ & H_blv & H_dnv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (fst <$> Some (b_lv, v_lv) < bv)%Z
H_dnv: ∀ b : Ballot,
  (b < bv)%Z
  → (fst <$> Some (b_lv, v_lv) < b)%Z
    → V_DidNotVoteIn a b
voted_none_but Value VSet (to_voting_state a) d v
    change (b_lv < bv)%Z in H_blv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (b_lv < bv)%Z
H_dnv: ∀ b : Ballot,
  (b < bv)%Z
  → (fst <$> Some (b_lv, v_lv) < b)%Z
    → V_DidNotVoteIn a b
voted_none_but Value VSet (to_voting_state a) d v
    specialize (H_dnv d Hd).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (b_lv < bv)%Z
H_dnv: (fst <$> Some (b_lv, v_lv) < d)%Z
→ V_DidNotVoteIn a d
voted_none_but Value VSet (to_voting_state a) d v
    change (Z.lt _ _) with (b_lv < d)%Z in H_dnv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (b_lv < bv)%Z
H_dnv: (b_lv < d)%Z → V_DidNotVoteIn a d
voted_none_but Value VSet (to_voting_state a) d v
    destruct (H_last_votes_bounded a Ha _ _ Hsent) as [H_blv_b1c H_vlv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (b_lv < bv)%Z
H_dnv: (b_lv < d)%Z → V_DidNotVoteIn a d
H_blv_b1c: (b_lv ≤ b_1c)%Z
H_vlv: b_lv = b_1c → v_lv = v
voted_none_but Value VSet (to_voting_state a) d v
    intros w Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (b_lv < bv)%Z
H_dnv: (b_lv < d)%Z → V_DidNotVoteIn a d
H_blv_b1c: (b_lv ≤ b_1c)%Z
H_vlv: b_lv = b_1c → v_lv = v
w: Value
Hw: voted_for Value VSet (to_voting_state a) d w
w = v
    assert (Htmp : (b_lv < d)%Z \/ (b_lv =@{Z} b_1c /\ d =@{Z} b_1c)) by lia.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (b_lv < bv)%Z
H_dnv: (b_lv < d)%Z → V_DidNotVoteIn a d
H_blv_b1c: (b_lv ≤ b_1c)%Z
H_vlv: b_lv = b_1c → v_lv = v
w: Value
Hw: voted_for Value VSet (to_voting_state a) d w
Htmp: (b_lv < d)%Z ∨ b_lv = b_1c ∧ d = b_1c
w = v
    destruct Htmp as [| [H_blv_eq H_d_eq]]; [by apply H_dnv in Hw |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_lv, v_lv)))
H_blv: (b_lv < bv)%Z
H_dnv: (b_lv < d)%Z → V_DidNotVoteIn a d
H_blv_b1c: (b_lv ≤ b_1c)%Z
H_vlv: b_lv = b_1c → v_lv = v
w: Value
Hw: voted_for Value VSet (to_voting_state a) d w
H_blv_eq: b_lv = b_1c
H_d_eq: d = b_1c
w = v
    apply N2Z.inj in H_blv_eq; specialize (H_vlv H_blv_eq); subst b_lv v_lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
d: Ballot
Hd: (d < bv)%Z
Hle: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < d)%Z → V_DidNotVoteIn a d
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) d w
H_d_eq: d = b_1c
w = v
    apply N2Z.inj in H_d_eq; subst d.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) b_1c w
w = v
    assert (has_been_sent paxos_vlsm s (b_1c, m_2b a w)) as H_sent_w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) b_1c w
has_been_sent paxos_vlsm s (b_1c, m_2b a w)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) b_1c w
H_sent_w: has_been_sent paxos_vlsm s (b_1c, m_2b a w)
w = v
    {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) b_1c w
has_been_sent paxos_vlsm s (b_1c, m_2b a w)
      apply (localize_sent_messages s); [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) b_1c w
has_been_sent (IM (message_sender (b_1c, m_2b a w).2))
  (s (message_sender (b_1c, m_2b a w).2))
  (b_1c, m_2b a w)
      cbn; unfold paxos_acceptor_has_been_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) b_1c w
(b_1c, m_2b a w) ∈ sent_messages (s (acceptor_ix a))
      unfold voted_for, to_voting_state in Hw; simpl in Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: w
∈ votes_from_paxos_acceptor (s (acceptor_ix a))
  !!! b_1c
(b_1c, m_2b a w) ∈ sent_messages (s (acceptor_ix a))
      by apply votes_from_paxos_acceptor_iff in Hw.
    }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
Hw: voted_for Value VSet (to_voting_state a) b_1c w
H_sent_w: has_been_sent paxos_vlsm s (b_1c, m_2b a w)
w = v
    clear Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s
  (bv, m_1b a (Some (b_1c, v)))
w: Value
H_sent_w: has_been_sent paxos_vlsm s (b_1c, m_2b a w)
w = v
    apply sent_1b_impl_sent_lastvote_as_2b in Hsent; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn a_m b)
Inv2: ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
  has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
  → ∀ v : Value, v ∈ vs_m → V_SafeAt b_m v
Q: {x : ASet | Quorum x}
bv: Ballot
v: Value
H_Q_voted_bv: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (bv, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
H_v_vsafe: v ∈ vsafe
H_sent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H_last_votes_bounded: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm
        s
        (bv,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H_non_voter: ∀ a : Acceptor,
  a ∈ `Q
  → has_been_sent paxos_vlsm s
      (bv, m_1b a None)
    → ∀ d : Ballot,
        (d < bv)%Z → V_DidNotVoteIn a d
Hle: (b_1c ≤ b_1c)%Z
Hd: (b_1c < bv)%Z
a: Acceptor
Ha: a ∈ `Q
H_blv_b1c: (b_1c ≤ b_1c)%Z
H_dnv: (b_1c < b_1c)%Z → V_DidNotVoteIn a b_1c
H_blv: (b_1c < bv)%Z
Hsent: has_been_sent paxos_vlsm s (b_1c, m_2b a v)
w: Value
H_sent_w: has_been_sent paxos_vlsm s (b_1c, m_2b a w)
w = v
    by eapply sent_2b_unique.
Qed.

Definition PInv : Prop := Inv_past_vote_info_prop /\ P1bInv_prop /\ P1cInv_prop /\ P2aInv_prop.

ShowsSafeAt s Q b v holds if Q is a set of acceptors which are consistent with value v at ballot b.

1. Every acceptor in Q sent a 1b message for ballot b. 2. Either none of those 1b messages record a past vote, or a 1c message supporting b was sent at a ballot m1c_bal which is at least as large as the maxVBal of any acceptor in Q, and if the maxVVal of any acceptor was from the same round as m1c_bal then also their maxVVal is v (from that round).

We can have m1c_bal strictly less than b, if the acceptors in Q all have a last vote at least that early.

End sec_paxos_refinement_map.

Lemma V_VotedFor_iff :
  forall s,
    constrained_state_prop paxos_vlsm s ->
  forall a b v,
    V_VotedFor s a b v <->
    has_been_sent paxos_vlsm s (b, m_2b a v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      V_VotedFor s a b v
      ↔ has_been_sent paxos_vlsm s (b, m_2b a v)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      V_VotedFor s a b v
      ↔ has_been_sent paxos_vlsm s (b, m_2b a v)
  intros s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  V_VotedFor s a b v
  ↔ has_been_sent paxos_vlsm s (b, m_2b a v)
  unfold V_VotedFor, voted_for, to_voting_state; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
∀ (a : Acceptor) (b : Ballot) (v : Value),
  v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b ↔ composite_has_been_sent IM s (b, m_2b a v)
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
v
∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b
→ composite_has_been_sent IM s (b, m_2b a v)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
composite_has_been_sent IM s (b, m_2b a v)
→ v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
v
∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b
→ composite_has_been_sent IM s (b, m_2b a v) intros H_vote_msg.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
H_vote_msg: v
∈ votes_from_paxos_acceptor
    (s (acceptor_ix a)) !!! b
composite_has_been_sent IM s (b, m_2b a v)
    apply localize_sent_messages; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
H_vote_msg: v
∈ votes_from_paxos_acceptor
    (s (acceptor_ix a)) !!! b
has_been_sent (IM (message_sender (b, m_2b a v).2))
  (s (message_sender (b, m_2b a v).2)) (b, m_2b a v)
    by apply votes_from_paxos_acceptor_iff.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
composite_has_been_sent IM s (b, m_2b a v)
→ v
  ∈ votes_from_paxos_acceptor (s (acceptor_ix a))
    !!! b intros H_sent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
H_sent: composite_has_been_sent IM s (b, m_2b a v)
v
∈ votes_from_paxos_acceptor (s (acceptor_ix a)) !!! b
    apply votes_from_paxos_acceptor_iff; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
H_sent: composite_has_been_sent IM s (b, m_2b a v)
(b, m_2b a v) ∈ sent_messages (s (acceptor_ix a))
    by apply localize_sent_messages in H_sent.
Qed.

Lemma V_DidNotVoteIn_iff :
  forall s,
    constrained_state_prop paxos_vlsm s ->
  forall a b,
    V_DidNotVoteIn s a b <->
      forall v, ~ has_been_sent paxos_vlsm s (b, m_2b a v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (b : Ballot),
      V_DidNotVoteIn s a b
      ↔ (∀ v : Value,
           ¬ has_been_sent paxos_vlsm s (b, m_2b a v))
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (a : Acceptor) (b : Ballot),
      V_DidNotVoteIn s a b
      ↔ (∀ v : Value,
           ¬ has_been_sent paxos_vlsm s (b, m_2b a v))
  by split; intros H_vote v; specialize (H_vote v); contradict H_vote; apply V_VotedFor_iff.
Qed.

Lemma past_vote_info_is_invariant:
  forall s,
    constrained_state_prop paxos_vlsm s ->
      Inv_past_vote_info_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → Inv_past_vote_info_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → Inv_past_vote_info_prop s
  intros s Hs a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
(maxVBal (s (acceptor_ix a))
 ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (∀ b : Ballot,
     (maxVBal (s (acceptor_ix a)) < b)%Z
     → (b < paxos_maxBal (s (acceptor_ix a)))%Z
       → V_DidNotVoteIn s a b)
  ∧ match lastVote (s (acceptor_ix a)) with
    | Some (b_lv, v_lv) => V_VotedFor s a b_lv v_lv
    | None => True
    end
  split; [| split].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
(maxVBal (s (acceptor_ix a))
 ≤ paxos_maxBal (s (acceptor_ix a)))%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
∀ b : Ballot,
  (maxVBal (s (acceptor_ix a)) < b)%Z
  → (b < paxos_maxBal (s (acceptor_ix a)))%Z
    → V_DidNotVoteIn s a b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
match lastVote (s (acceptor_ix a)) with
| Some (b_lv, v_lv) => V_VotedFor s a b_lv v_lv
| None => True
end
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
(maxVBal (s (acceptor_ix a))
 ≤ paxos_maxBal (s (acceptor_ix a)))%Z apply valid_state_project_preloaded_to_preloaded with (i := acceptor_ix a) in Hs as Hsa.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
(maxVBal (s (acceptor_ix a))
 ≤ paxos_maxBal (s (acceptor_ix a)))%Z
    by eapply maxVBal_le_paxos_maxBal.
  - (* No voting in the middle *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
∀ b : Ballot,
  (maxVBal (s (acceptor_ix a)) < b)%Z
  → (b < paxos_maxBal (s (acceptor_ix a)))%Z
    → V_DidNotVoteIn s a b
    intros b H_VBal H_Bal v Hvote.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
H_VBal: (maxVBal (s (acceptor_ix a)) < b)%Z
H_Bal: (b < paxos_maxBal (s (acceptor_ix a)))%Z
v: Value
Hvote: voted_for Value VSet (to_voting_state s a) b v
False
    clear H_Bal (* don't *).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
H_VBal: (maxVBal (s (acceptor_ix a)) < b)%Z
v: Value
Hvote: voted_for Value VSet (to_voting_state s a) b v
False
    apply valid_state_project_preloaded_to_preloaded with (i := acceptor_ix a) in Hs as Hsa.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
H_VBal: (maxVBal (s (acceptor_ix a)) < b)%Z
v: Value
Hvote: voted_for Value VSet (to_voting_state s a) b v
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
False
    apply V_VotedFor_iff, localize_sent_messages, sent_vote_le_maxVBal in Hvote; [| done..].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
H_VBal: (maxVBal (s (acceptor_ix a)) < b)%Z
v: Value
Hvote: (b
 ≤ maxVBal
     (s (message_sender (b, m_2b a v).2)))%Z
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
False
    by simpl in Hvote; lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
match lastVote (s (acceptor_ix a)) with
| Some (b_lv, v_lv) => V_VotedFor s a b_lv v_lv
| None => True
end destruct (lastVote _) as [[b v] |] eqn: Hlv; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
Hlv: lastVote (s (acceptor_ix a)) = Some (b, v)
V_VotedFor s a b v
    apply V_VotedFor_iff; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
a: Acceptor
b: Ballot
v: Value
Hlv: lastVote (s (acceptor_ix a)) = Some (b, v)
has_been_sent paxos_vlsm s (b, m_2b a v)
    by apply last_vote_was_sent_paxos in Hlv.
Qed.

Lemma P1bInv_is_invariant:
  forall s,
    constrained_state_prop paxos_vlsm s ->
    P1bInv_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s → P1bInv_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s → P1bInv_prop s
  cbv beta delta [P1bInv_prop].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b_m : Ballot) (a_m : Acceptor) (lv_m : option
                                                (Ballot *
                                                 Value)),
      let mbal_m := fst <$> lv_m in
      has_been_sent paxos_vlsm s (b_m, m_1b a_m lv_m)
      → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
        ∧ (mbal_m < b_m)%Z
          ∧ (∀ b : Ballot,
               (b < b_m)%Z
               → (mbal_m < b)%Z
                 → V_DidNotVoteIn s a_m b)
  intros s Hs b a lv mbal_m Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
∧ (mbal_m < b)%Z
  ∧ (∀ b0 : Ballot,
       (b0 < b)%Z
       → (mbal_m < b0)%Z → V_DidNotVoteIn s a b0)
  split; [| split].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
(mbal_m < b)%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
∀ b0 : Ballot,
  (b0 < b)%Z → (mbal_m < b0)%Z → V_DidNotVoteIn s a b0
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z apply valid_state_project_preloaded_to_preloaded with (i:=acceptor_ix a) in Hs as Hsa.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
    by apply localize_sent_messages, paxos_acceptor_sent_bounds_maxBal in Hsent.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
(mbal_m < b)%Z subst mbal_m.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
(fst <$> lv < b)%Z
    apply localize_sent_messages in Hsent; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hsent: has_been_sent
  (IM (message_sender (b, m_1b a lv).2))
  (s (message_sender (b, m_1b a lv).2))
  (b, m_1b a lv)
(fst <$> lv < b)%Z
    simpl message_sender in Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hsent: has_been_sent (IM (acceptor_ix a))
  (s (acceptor_ix a)) (b, m_1b a lv)
(fst <$> lv < b)%Z
    change (IM _) with (paxos_acceptor_vlsm a) in Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hsent: has_been_sent (paxos_acceptor_vlsm a)
  (s (acceptor_ix a)) (b, m_1b a lv)
(fst <$> lv < b)%Z
    pattern (s (acceptor_ix a)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hsent: has_been_sent (paxos_acceptor_vlsm a)
  (s (acceptor_ix a)) (b, m_1b a lv)
(λ _ : state (IM (acceptor_ix a)), (fst <$> lv < b)%Z)
  (s (acceptor_ix a))
    revert Hsent; apply (from_send_to_from_sent_argument (paxos_acceptor_vlsm a));
      [done | ..]; cycle 1.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
constrained_state_prop (paxos_acceptor_vlsm a)
  (s (acceptor_ix a))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) 
  (l : label
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm
             (paxos_acceptor_vlsm a))),
  input_constrained_transition 
    (paxos_acceptor_vlsm a) l (
    s, oim) (s', Some (b, m_1b a lv))
  → (fst <$> lv < b)%Z
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
constrained_state_prop (paxos_acceptor_vlsm a)
  (s (acceptor_ix a)) by apply valid_state_project_preloaded_to_preloaded with (i:=acceptor_ix a) in Hs.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
∀ (s : state
         (preloaded_with_all_messages_vlsm
            (paxos_acceptor_vlsm a))) (l : label
                                             (preloaded_with_all_messages_vlsm
                                                (paxos_acceptor_vlsm
                                                 a))) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          (paxos_acceptor_vlsm
                                             a))),
  input_constrained_transition (paxos_acceptor_vlsm a)
    l (s, oim) (s', Some (b, m_1b a lv))
  → (fst <$> lv < b)%Z clear s Hs; intros s * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l (
  s, oim) (s', Some (b, m_1b a lv))
(fst <$> lv < b)%Z
      apply input_valid_transition_origin in Ht as Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l (
  s, oim) (s', Some (b, m_1b a lv))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
(fst <$> lv < b)%Z
      destruct (Ht) as [_ Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l (
  s, oim) (s', Some (b, m_1b a lv))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: transition l (s, oim) =
(s', Some (b, m_1b a lv))
(fst <$> lv < b)%Z
      apply sending_1b_updates_maxBal in Ht as [Hb _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: transition l (s, oim) =
(s', Some (b, m_1b a lv))
(fst <$> lv < b)%Z
      assert (maxVBal s <= paxos_maxBal s)%Z by (apply maxVBal_le_paxos_maxBal; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: transition l (s, oim) =
(s', Some (b, m_1b a lv))
H16: (maxVBal s ≤ paxos_maxBal s)%Z
(fst <$> lv < b)%Z
      cbn in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: paxos_acceptor_transition a l (s, oim) =
(s', Some (b, m_1b a lv))
H16: (maxVBal s ≤ paxos_maxBal s)%Z
(fst <$> lv < b)%Z
      apply examine_paxos_acceptor_output in Htrans as Hl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: paxos_acceptor_transition a l (s, oim) =
(s', Some (b, m_1b a lv))
H16: (maxVBal s ≤ paxos_maxBal s)%Z
Hl: l = A_send_1b ∧ a = a
(fst <$> lv < b)%Z
      destruct Hl as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: paxos_acceptor_transition a A_send_1b
  (s, oim) = (s', Some (b, m_1b a lv))
H16: (maxVBal s ≤ paxos_maxBal s)%Z
(fst <$> lv < b)%Z
      simpl in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: match oim with
| Some (b, m_1a) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := lastVote s;
       sent_messages :=
         (b, m_1b a (lastVote s))
         :: sent_messages s
     |}, Some (b, m_1b a (lastVote s)))
| Some (b, m_1b _ _) | Some (b, m_1c _) |
  Some (b, m_2a _) | Some (b, m_2b _ _) =>
    (s, None)
| None => (s, None)
end = (s', Some (b, m_1b a lv))
H16: (maxVBal s ≤ paxos_maxBal s)%Z
(fst <$> lv < b)%Z
      destruct oim as [[? []] |]; try discriminate; [].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b0: Ballot
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
Htrans: ({|
   paxos_maxBal := Some b0;
   lastVote := lastVote s;
   sent_messages :=
     (b0, m_1b a (lastVote s))
     :: sent_messages s
 |}, Some (b0, m_1b a (lastVote s))) =
(s', Some (b, m_1b a lv))
H16: (maxVBal s ≤ paxos_maxBal s)%Z
(fst <$> lv < b)%Z
      injection Htrans as [= <- -> <-].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
H16: (maxVBal s ≤ paxos_maxBal s)%Z
(fst <$> lastVote s < b)%Z
      change (maxVBal s < b)%Z.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hb: (paxos_maxBal s < b)%Z
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s
H16: (maxVBal s ≤ paxos_maxBal s)%Z
(maxVBal s < b)%Z
      by lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
∀ b0 : Ballot,
  (b0 < b)%Z → (mbal_m < b0)%Z → V_DidNotVoteIn s a b0 intros b_mid; revert b_mid. (* rename the bound variable *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
Hsent: has_been_sent paxos_vlsm s (b, m_1b a lv)
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (mbal_m < b_mid)%Z → V_DidNotVoteIn s a b_mid
    revert Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
has_been_sent paxos_vlsm s (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (mbal_m < b_mid)%Z → V_DidNotVoteIn s a b_mid
    setoid_rewrite V_DidNotVoteIn_iff; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
has_been_sent paxos_vlsm s (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (mbal_m < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent paxos_vlsm s
              (b_mid, m_2b a v)
    setoid_rewrite localize_sent_messages; [| done..].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
has_been_sent (IM (message_sender (b, m_1b a lv).2))
  (s (message_sender (b, m_1b a lv).2)) (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (mbal_m < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (IM (message_sender (b_mid, m_2b a v).2))
              (s (message_sender (b_mid, m_2b a v).2))
              (b_mid, m_2b a v)
    simpl (message_sender _).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
has_been_sent (IM (acceptor_ix a)) (s (acceptor_ix a))
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (mbal_m < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent (IM (acceptor_ix a))
              (s (acceptor_ix a)) (b_mid, m_2b a v)
    change (IM (acceptor_ix a)) with (paxos_acceptor_vlsm a).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
mbal_m:= fst <$> lv: Ballot'
has_been_sent (paxos_acceptor_vlsm a)
  (s (acceptor_ix a)) (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (mbal_m < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent (paxos_acceptor_vlsm a)
              (s (acceptor_ix a)) (b_mid, m_2b a v)
    subst mbal_m.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
has_been_sent (paxos_acceptor_vlsm a)
  (s (acceptor_ix a)) (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent (paxos_acceptor_vlsm a)
              (s (acceptor_ix a)) (b_mid, m_2b a v)
    assert (Hsa : constrained_state_prop (paxos_acceptor_vlsm a) (s (acceptor_ix a))).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
constrained_state_prop (paxos_acceptor_vlsm a)
  (s (acceptor_ix a))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hsa: constrained_state_prop (paxos_acceptor_vlsm a)
  (s (acceptor_ix a))
has_been_sent (paxos_acceptor_vlsm a)
  (s (acceptor_ix a)) (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent 
              (paxos_acceptor_vlsm a)
              (s (acceptor_ix a)) (
              b_mid, m_2b a v)
    {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
constrained_state_prop (paxos_acceptor_vlsm a)
  (s (acceptor_ix a))
      by apply valid_state_project_preloaded_to_preloaded with (i := acceptor_ix a) in Hs.
    }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
Hsa: constrained_state_prop (paxos_acceptor_vlsm a)
  (s (acceptor_ix a))
has_been_sent (paxos_acceptor_vlsm a)
  (s (acceptor_ix a)) (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent (paxos_acceptor_vlsm a)
              (s (acceptor_ix a)) (b_mid, m_2b a v)
    induction Hsa using valid_state_prop_ind;
      [by intros _ b_mid _ _ v; apply has_been_sent_no_inits |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', om')
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent (paxos_acceptor_vlsm a) s'
              (b_mid, m_2b a v)
    intros H_sent_s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', om')
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (fst <$> lv < b_mid)%Z
    → ∀ v : Value,
        ¬ has_been_sent (paxos_acceptor_vlsm a) s'
            (b_mid, m_2b a v)
    apply input_valid_transition_origin in Ht as Hs0.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', om')
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (fst <$> lv < b_mid)%Z
    → ∀ v : Value,
        ¬ has_been_sent (paxos_acceptor_vlsm a) s'
            (b_mid, m_2b a v)
    destruct (proj1 (has_been_sent_step_update Ht _) H_sent_s') as [-> | H_sent_s].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b, m_1b a lv))
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (fst <$> lv < b_mid)%Z
    → ∀ v : Value,
        ¬ has_been_sent (paxos_acceptor_vlsm a) s'
            (b_mid, m_2b a v)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', om')
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (fst <$> lv < b_mid)%Z
    → ∀ v : Value,
        ¬ has_been_sent 
            (paxos_acceptor_vlsm a) s'
            (b_mid, m_2b a v)
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b, m_1b a lv))
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (fst <$> lv < b_mid)%Z
    → ∀ v : Value,
        ¬ has_been_sent (paxos_acceptor_vlsm a) s'
            (b_mid, m_2b a v) clear IHHsa.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b, m_1b a lv))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (fst <$> lv < b_mid)%Z
    → ∀ v : Value,
        ¬ has_been_sent (paxos_acceptor_vlsm a) s'
            (b_mid, m_2b a v)
      intros b_mid Hmid1 Hmid2 v H_sent_old_s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b, m_1b a lv))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s': has_been_sent (paxos_acceptor_vlsm a)
  s' (b_mid, m_2b a v)
False
      apply (has_been_sent_step_update Ht) in H_sent_old_s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b, m_1b a lv))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s': Some (b, m_1b a lv) =
Some (b_mid, m_2b a v)
∨ has_been_sent
    (paxos_acceptor_vlsm a) s0
    (b_mid, m_2b a v)
False
      destruct H_sent_old_s' as [| H_sent_old_s]; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b, m_1b a lv))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s: has_been_sent (paxos_acceptor_vlsm a)
  s0 (b_mid, m_2b a v)
False
      apply sent_vote_le_maxVBal in H_sent_old_s; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b, m_1b a lv))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      destruct Ht as [(_ & _ & Hvalid) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Hvalid: valid l (s0, om)
Htrans: transition l (s0, om) =
(s', Some (b, m_1b a lv))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      destruct (examine_paxos_acceptor_output Htrans) as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Htrans: transition A_send_1b (s0, om) =
(s', Some (b, m_1b a lv))
Hvalid: valid A_send_1b (s0, om)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      change transition with (paxos_acceptor_transition a) in Htrans; cbn in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Htrans: match om with
| Some (b, m_1a) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := lastVote s0;
       sent_messages :=
         (b, m_1b a (lastVote s0))
         :: sent_messages s0
     |}, Some (b, m_1b a (lastVote s0)))
| Some (b, m_1b _ _) | Some (b, m_1c _) |
  Some (b, m_2a _) | Some (b, m_2b _ _) =>
    (s0, None)
| None => (s0, None)
end = (s', Some (b, m_1b a lv))
Hvalid: valid A_send_1b (s0, om)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      destruct om as [[? []] |]; try discriminate; [].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b0: Ballot
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Htrans: ({|
   paxos_maxBal := Some b0;
   lastVote := lastVote s0;
   sent_messages :=
     (b0, m_1b a (lastVote s0))
     :: sent_messages s0
 |}, Some (b0, m_1b a (lastVote s0))) =
(s', Some (b, m_1b a lv))
Hvalid: valid A_send_1b (s0, Some (b0, m_1a))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      injection Htrans as [= <- -> <-].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a)
  {|
    paxos_maxBal := Some b;
    lastVote := lastVote s0;
    sent_messages :=
      (b, m_1b a (lastVote s0))
      :: sent_messages s0
  |} (b, m_1b a (lastVote s0))
Hvalid: valid A_send_1b (s0, Some (b, m_1a))
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lastVote s0 < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      change valid with paxos_acceptor_valid in Hvalid; cbn in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a)
  {|
    paxos_maxBal := Some b;
    lastVote := lastVote s0;
    sent_messages :=
      (b, m_1b a (lastVote s0))
      :: sent_messages s0
  |} (b, m_1b a (lastVote s0))
Hvalid: (paxos_maxBal s0 < b)%Z
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lastVote s0 < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      change (maxVBal s0 < b_mid)%Z in Hmid2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
H_sent_s': has_been_sent (paxos_acceptor_vlsm a)
  {|
    paxos_maxBal := Some b;
    lastVote := lastVote s0;
    sent_messages :=
      (b, m_1b a (lastVote s0))
      :: sent_messages s0
  |} (b, m_1b a (lastVote s0))
Hvalid: (paxos_maxBal s0 < b)%Z
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (maxVBal s0 < b_mid)%Z
v: Value
H_sent_old_s: (b_mid ≤ maxVBal s0)%Z
False
      by lia.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', om')
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
∀ b_mid : Ballot,
  (b_mid < b)%Z
  → (fst <$> lv < b_mid)%Z
    → ∀ v : Value,
        ¬ has_been_sent (paxos_acceptor_vlsm a) s'
            (b_mid, m_2b a v) intros b_mid Hmid1 Hmid2 v H_sent_old_s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om, om': option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', om')
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
b_mid: Ballot
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
v: Value
H_sent_old_s': has_been_sent (paxos_acceptor_vlsm a)
  s' (b_mid, m_2b a v)
False
      apply (has_been_sent_step_update Ht) in H_sent_old_s' as [-> | H_bad_send_s0];
        [| by eapply IHHsa].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b_mid, m_2b a v))
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
False
      assert (b <= paxos_maxBal s0)%Z by (apply paxos_acceptor_sent_bounds_maxBal in H_sent_s; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b_mid, m_2b a v))
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
H16: (b ≤ paxos_maxBal s0)%Z
False
      cut (paxos_maxBal s0 <= b_mid)%Z; [by lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Ht: input_valid_transition
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) l (
  s0, om) (s', Some (b_mid, m_2b a v))
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
H16: (b ≤ paxos_maxBal s0)%Z
(paxos_maxBal s0 ≤ b_mid)%Z
      destruct Ht as [(_ & _ & Hvalid) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
l: label
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Hvalid: valid l (s0, om)
Htrans: transition l (s0, om) =
(s', Some (b_mid, m_2b a v))
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
H16: (b ≤ paxos_maxBal s0)%Z
(paxos_maxBal s0 ≤ b_mid)%Z
      destruct (examine_paxos_acceptor_output Htrans) as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Htrans: transition A_send_2b (s0, om) =
(s', Some (b_mid, m_2b a v))
Hvalid: valid A_send_2b (s0, om)
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
H16: (b ≤ paxos_maxBal s0)%Z
(paxos_maxBal s0 ≤ b_mid)%Z
      change transition with (paxos_acceptor_transition a) in Htrans; cbn in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
om: option paxos_message
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Htrans: match om with
| Some (b, m_2a v) =>
    ({|
       paxos_maxBal := Some b;
       lastVote := Some (b, v);
       sent_messages :=
         (b, m_2b a v) :: sent_messages s0
     |}, Some (b, m_2b a v))
| Some (b, m_1a) | Some (b, m_1b _ _) |
  Some (b, m_1c _) | Some (b, m_2b _ _) =>
    (s0, None)
| None => (s0, None)
end = (s', Some (b_mid, m_2b a v))
Hvalid: valid A_send_2b (s0, om)
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
H16: (b ≤ paxos_maxBal s0)%Z
(paxos_maxBal s0 ≤ b_mid)%Z
      destruct om as [[? []] |]; try discriminate; [].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b0: Ballot
v0: Value
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Htrans: ({|
   paxos_maxBal := Some b0;
   lastVote := Some (b0, v0);
   sent_messages :=
     (b0, m_2b a v0) :: sent_messages s0
 |}, Some (b0, m_2b a v0)) =
(s', Some (b_mid, m_2b a v))
Hvalid: valid A_send_2b (s0, Some (b0, m_2a v0))
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
H16: (b ≤ paxos_maxBal s0)%Z
(paxos_maxBal s0 ≤ b_mid)%Z
      change valid with paxos_acceptor_valid in Hvalid; cbn in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
a: Acceptor
lv: option (Ballot * Value)
s': state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b0: Ballot
v0: Value
s0: state
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a))
b_mid: Ballot
v: Value
Htrans: ({|
   paxos_maxBal := Some b0;
   lastVote := Some (b0, v0);
   sent_messages :=
     (b0, m_2b a v0) :: sent_messages s0
 |}, Some (b0, m_2b a v0)) =
(s', Some (b_mid, m_2b a v))
Hvalid: (paxos_maxBal s0 ≤ b0)%Z
IHHsa: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
→ ∀ b_mid : Ballot,
    (b_mid < b)%Z
    → (fst <$> lv < b_mid)%Z
      → ∀ v : Value,
          ¬ has_been_sent
              (paxos_acceptor_vlsm a) s0
              (b_mid, m_2b a v)
H_sent_s': has_been_sent (paxos_acceptor_vlsm a) s'
  (b, m_1b a lv)
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm
     (paxos_acceptor_vlsm a)) s0
H_sent_s: has_been_sent (paxos_acceptor_vlsm a) s0
  (b, m_1b a lv)
Hmid1: (b_mid < b)%Z
Hmid2: (fst <$> lv < b_mid)%Z
H16: (b ≤ paxos_maxBal s0)%Z
(paxos_maxBal s0 ≤ b_mid)%Z
      by injection Htrans as [= <- ->].
Qed.

Lemma V_SafeAt_stable :
  forall [l s oim s' oom],
    input_constrained_transition paxos_vlsm l (s, oim) (s', oom) ->
  forall b v,
    V_SafeAt s b v -> V_SafeAt s' b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → ∀ (b : Ballot) (v : Value),
      V_SafeAt s b v → V_SafeAt s' b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → ∀ (b : Ballot) (v : Value),
      V_SafeAt s b v → V_SafeAt s' b v
  unfold V_SafeAt, SafeAt, consensus_blocking_quorum.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → ∀ (b : Ballot) (v : Value),
      (∀ d : Ballot,
         (d < b)%Z
         → ∃ Q : {x : ASet | Quorum x},
             allQuorum Acceptor ASet Quorum Q
               (λ a : Acceptor,
                  vote_committed VSet
                    (to_voting_state s a) d)
             ∧ allQuorum Acceptor ASet Quorum Q
                 (λ a : Acceptor,
                    voted_none_but Value VSet
                      (to_voting_state s a) d v))
      → ∀ d : Ballot,
          (d < b)%Z
          → ∃ Q : {x : ASet | Quorum x},
              allQuorum Acceptor ASet Quorum Q
                (λ a : Acceptor,
                   vote_committed VSet
                     (to_voting_state s' a) d)
              ∧ allQuorum Acceptor ASet Quorum Q
                  (λ a : Acceptor,
                     voted_none_but Value VSet
                       (to_voting_state s' a) d v)
  intros * Ht b v H_prev d Hd.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
∃ Q : {x : ASet | Quorum x},
  allQuorum Acceptor ASet Quorum Q
    (λ a : Acceptor,
       vote_committed VSet (to_voting_state s' a) d)
  ∧ allQuorum Acceptor ASet Quorum Q
      (λ a : Acceptor,
         voted_none_but Value VSet
           (to_voting_state s' a) d v)
  destruct (H_prev d Hd) as (Q & HQ1 & HQ2).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     vote_committed VSet (to_voting_state s a) d)
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
∃ Q : {x : ASet | Quorum x},
  allQuorum Acceptor ASet Quorum Q
    (λ a : Acceptor,
       vote_committed VSet (to_voting_state s' a) d)
  ∧ allQuorum Acceptor ASet Quorum Q
      (λ a : Acceptor,
         voted_none_but Value VSet
           (to_voting_state s' a) d v)
  exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     vote_committed VSet (to_voting_state s a) d)
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     vote_committed VSet (to_voting_state s' a) d)
∧ allQuorum Acceptor ASet Quorum Q
    (λ a : Acceptor,
       voted_none_but Value VSet
         (to_voting_state s' a) d v)
  split; intros a Ha; specialize (HQ1 a Ha).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
vote_committed VSet (to_voting_state s' a) d
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
voted_none_but Value VSet (to_voting_state s' a) d v
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
vote_committed VSet (to_voting_state s' a) d revert HQ1; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
vote_committed VSet (to_voting_state s a) d
→ vote_committed VSet (to_voting_state s' a) d
    unfold vote_committed, to_voting_state; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
(paxos_maxBal (s (acceptor_ix a)) > d)%Z
→ (paxos_maxBal (s' (acceptor_ix a)) > d)%Z
    apply input_valid_transition_preloaded_project_any with (i := acceptor_ix a)
      in Ht as [-> | (li & -> & Ht)]; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
a: Acceptor
li: label (IM (acceptor_ix a))
Ht: input_constrained_transition 
  (IM (acceptor_ix a)) li
  (s (acceptor_ix a), oim)
  (s' (acceptor_ix a), oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
(paxos_maxBal (s (acceptor_ix a)) > d)%Z
→ (paxos_maxBal (s' (acceptor_ix a)) > d)%Z
    apply paxos_maxBal_mono in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
a: Acceptor
li: label (IM (acceptor_ix a))
Ht: (paxos_maxBal (s (acceptor_ix a))
 ≤ paxos_maxBal (s' (acceptor_ix a)))%Z
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
(paxos_maxBal (s (acceptor_ix a)) > d)%Z
→ (paxos_maxBal (s' (acceptor_ix a)) > d)%Z
    by lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
HQ2: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     voted_none_but Value VSet
       (to_voting_state s a) d v)
Ha: a ∈ `Q
voted_none_but Value VSet (to_voting_state s' a) d v specialize (HQ2 a Ha); revert HQ2; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
voted_none_but Value VSet (to_voting_state s a) d v
→ voted_none_but Value VSet (to_voting_state s' a) d v
    apply input_valid_transition_origin in Ht as Hs0.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
voted_none_but Value VSet (to_voting_state s a) d v
→ voted_none_but Value VSet (to_voting_state s' a) d v
    apply input_valid_transition_destination in Ht as Hs'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
voted_none_but Value VSet (to_voting_state s a) d v
→ voted_none_but Value VSet (to_voting_state s' a) d v
    unfold voted_none_but.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(∀ w : Value,
   voted_for Value VSet (to_voting_state s a) d w
   → w = v)
→ ∀ w : Value,
    voted_for Value VSet (to_voting_state s' a) d w
    → w = v
    setoid_rewrite V_VotedFor_iff; [| done..].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
H_prev: ∀ d : Ballot,
  (d < b)%Z
  → ∃ Q : {x : ASet | Quorum x},
      allQuorum Acceptor ASet Quorum Q
        (λ a : Acceptor,
           vote_committed VSet
             (to_voting_state s a) d)
      ∧ allQuorum Acceptor ASet Quorum Q
          (λ a : Acceptor,
             voted_none_but Value VSet
               (to_voting_state s a) d v)
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(∀ w : Value,
   has_been_sent paxos_vlsm s (d, m_2b a w) → w = v)
→ ∀ w : Value,
    has_been_sent paxos_vlsm s' (d, m_2b a w) → w = v
    clear H_prev; intros H_prev w Hsent_s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
H_prev: ∀ w : Value,
  has_been_sent paxos_vlsm s (d, m_2b a w)
  → w = v
w: Value
Hsent_s': has_been_sent paxos_vlsm s' (d, m_2b a w)
w = v
    apply H_prev; clear H_prev.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
b: Ballot
v: Value
d: Ballot
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
w: Value
Hsent_s': has_been_sent paxos_vlsm s' (d, m_2b a w)
has_been_sent paxos_vlsm s (d, m_2b a w)
    apply (has_been_sent_step_update Ht) in Hsent_s' as [-> |]; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
a: Acceptor
w: Value
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
has_been_sent paxos_vlsm s (d, m_2b a w)
    exfalso.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
a: Acceptor
w: Value
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (λ a : Acceptor,
   vote_committed VSet (to_voting_state s a) d)
  a
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
False
    unfold vote_committed in HQ1; simpl in HQ1.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
a: Acceptor
w: Value
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
False
    cut (paxos_maxBal (s (acceptor_ix a)) <= d)%Z; [by lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
a: Acceptor
w: Value
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    destruct l as [li l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
li: paxos_index
l: label (IM li)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
a: Acceptor
w: Value
Ht: input_constrained_transition paxos_vlsm
  (existT li l) (s, oim) (
  s', Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    assert (li = acceptor_ix a) as ->
      by (destruct Ht as [_ Htrans]; apply localize_send in Htrans; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
w: Value
Ht: input_constrained_transition paxos_vlsm
  (existT (acceptor_ix a) l) (
  s, oim) (s', Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    apply input_valid_transition_preloaded_project_active in Ht; simpl in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
w: Value
Ht: input_constrained_transition
  (paxos_acceptor_vlsm a) l
  (s (acceptor_ix a), oim)
  (s' (acceptor_ix a), Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    destruct Ht as [(_ & _ & Hvalid) Htrans]; cbn in Htrans, Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
l: label (IM (acceptor_ix a))
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
w: Value
Hvalid: paxos_acceptor_valid l
  (s (acceptor_ix a), oim)
Htrans: paxos_acceptor_transition a l
  (s (acceptor_ix a), oim) =
(s' (acceptor_ix a), Some (d, m_2b a w))
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    apply examine_paxos_acceptor_output in Htrans as Hl; destruct Hl as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
w: Value
Htrans: paxos_acceptor_transition a A_send_2b
  (s (acceptor_ix a), oim) =
(s' (acceptor_ix a), Some (d, m_2b a w))
Hvalid: paxos_acceptor_valid A_send_2b
  (s (acceptor_ix a), oim)
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    simpl in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
w: Value
Htrans: paxos_acceptor_transition a A_send_2b
  (s (acceptor_ix a), oim) =
(s' (acceptor_ix a), Some (d, m_2b a w))
Hvalid: match oim with
| Some (b, m_2a _) =>
    (paxos_maxBal (s (acceptor_ix a)) ≤ b)%Z
| Some (b, m_1a) | Some (b, m_1b _ _) |
  Some (b, m_1c _) | Some (b, m_2b _ _) =>
    False
| None => False
end
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    destruct oim as [[? []] |]; try done; [].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
a: Acceptor
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
b0: Ballot
v0: Value
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
d: Ballot
w: Value
Htrans: paxos_acceptor_transition a A_send_2b
  (s (acceptor_ix a), Some (b0, m_2a v0)) =
(s' (acceptor_ix a), Some (d, m_2b a w))
Hvalid: (paxos_maxBal (s (acceptor_ix a)) ≤ b0)%Z
b: Ballot
v: Value
Hd: (d < b)%Z
Q: {x : ASet | Quorum x}
HQ1: (paxos_maxBal (s (acceptor_ix a)) > d)%Z
Ha: a ∈ `Q
Hs0: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(paxos_maxBal (s (acceptor_ix a)) ≤ d)%Z
    by inversion Htrans; subst.
Qed.

Lemma P2aInv_is_invariant :
  forall (s : state paxos_vlsm),
    constrained_state_prop paxos_vlsm s ->
    P2aInv_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s → P2aInv_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s → P2aInv_prop s
  unfold P2aInv_prop.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b_m : Ballot) (v_m : Value),
      has_been_sent paxos_vlsm s (b_m, m_2a v_m)
      → ∃ vs_c : AllOrFin VSet,
          v_m ∈ vs_c
          ∧ has_been_sent paxos_vlsm s
              (b_m, m_1c vs_c)
  intros s Hs b v Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Hsent: has_been_sent paxos_vlsm s (b, m_2a v)
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c ∧ has_been_sent paxos_vlsm s (b, m_1c vs_c)
  pattern s; revert s Hs Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → has_been_sent paxos_vlsm s (b, m_2a v)
    → (λ s0 : state paxos_vlsm,
         ∃ vs_c : AllOrFin VSet,
           v ∈ vs_c
           ∧ has_been_sent paxos_vlsm s0
               (b, m_1c vs_c)) s
  change (state paxos_vlsm) with (state (preloaded_with_all_messages_vlsm paxos_vlsm)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → has_been_sent paxos_vlsm s (b, m_2a v)
    → (λ s0 : state
                (preloaded_with_all_messages_vlsm
                   paxos_vlsm),
         ∃ vs_c : AllOrFin VSet,
           v ∈ vs_c
           ∧ has_been_sent paxos_vlsm s0
               (b, m_1c vs_c)) s
  apply from_send_to_from_sent_argument.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → (∃ vs_c : AllOrFin VSet,
       v ∈ vs_c
       ∧ has_been_sent paxos_vlsm s (b, m_1c vs_c))
    → ∃ vs_c : AllOrFin VSet,
        v ∈ vs_c
        ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (
    s, oim) (s', Some (b, m_2a v))
  → ∃ vs_c : AllOrFin VSet,
      v ∈ vs_c
      ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
  - (* the propery is just an existential around has_been_sent, so stability is easy *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → (∃ vs_c : AllOrFin VSet,
       v ∈ vs_c
       ∧ has_been_sent paxos_vlsm s (b, m_1c vs_c))
    → ∃ vs_c : AllOrFin VSet,
        v ∈ vs_c
        ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    intros * Ht (vs & Hv & Hsent).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
vs: AllOrFin VSet
Hv: v ∈ vs
Hsent: has_been_sent paxos_vlsm s (b, m_1c vs)
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    exists vs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
vs: AllOrFin VSet
Hv: v ∈ vs
Hsent: has_been_sent paxos_vlsm s (b, m_1c vs)
v ∈ vs ∧ has_been_sent paxos_vlsm s' (b, m_1c vs)
    split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
vs: AllOrFin VSet
Hv: v ∈ vs
Hsent: has_been_sent paxos_vlsm s (b, m_1c vs)
has_been_sent paxos_vlsm s' (b, m_1c vs)
    apply (has_been_sent_step_update Ht).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
vs: AllOrFin VSet
Hv: v ∈ vs
Hsent: has_been_sent paxos_vlsm s (b, m_1c vs)
oom = Some (b, m_1c vs)
∨ has_been_sent paxos_vlsm s (b, m_1c vs)
    by right.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_2a v))
  → ∃ vs_c : AllOrFin VSet,
      v ∈ vs_c
      ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c) intros * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_2a v))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    apply input_valid_transition_origin in Ht as Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    destruct l as [ix l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
ix: paxos_index
l: label (IM ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT ix l) (s, oim) (
  s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    destruct (Ht) as [_ Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
ix: paxos_index
l: label (IM ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT ix l) (s, oim) (
  s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: transition (existT ix l) (s, oim) =
(s', Some (b, m_2a v))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    apply localize_send in Htrans; simpl in Htrans; subst ix.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    apply input_valid_transition_preloaded_project_active in Ht as Ht_l; simpl in Ht_l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Ht_l: input_constrained_transition leaders_vlsm l
  (s leaders_ix, oim)
  (s' leaders_ix, Some (b, m_2a v))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    destruct Ht_l as [(_ & _ & Hvalid) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hvalid: valid l (s leaders_ix, oim)
Htrans: transition l (s leaders_ix, oim) =
(s' leaders_ix, Some (b, m_2a v))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    change valid with leaders_valid in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hvalid: leaders_valid l (s leaders_ix, oim)
Htrans: transition l (s leaders_ix, oim) =
(s' leaders_ix, Some (b, m_2a v))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    change transition with leaders_transition in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hvalid: leaders_valid l (s leaders_ix, oim)
Htrans: leaders_transition l (s leaders_ix, oim) =
(s' leaders_ix, Some (b, m_2a v))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    apply examine_leaders_output in Htrans as Hl; subst l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_2a v)) (
  s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: leaders_transition (b, L_send_2a v)
  (s leaders_ix, oim) =
(s' leaders_ix, Some (b, m_2a v))
Hvalid: leaders_valid (b, L_send_2a v)
  (s leaders_ix, oim)
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    simpl in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_2a v)) (
  s, oim) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: leaders_transition (b, L_send_2a v)
  (s leaders_ix, oim) =
(s' leaders_ix, Some (b, m_2a v))
Hvalid: match oim with
| Some _ => False
| None =>
    None =
    sent_2a (default ∅ (s leaders_ix !! b))
    ∧ (∃ safe_vs : AllOrFin VSet,
         v ∈ safe_vs
         ∧ safe_vs
           ∈ sent_1c
               (default ∅ (s leaders_ix !! b)))
end
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    destruct oim; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_2a v)) (
  s, None) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
Hvalid: None =
sent_2a (default ∅ (s leaders_ix !! b))
∧ (∃ safe_vs : AllOrFin VSet,
     v ∈ safe_vs
     ∧ safe_vs
       ∈ sent_1c
           (default ∅ (s leaders_ix !! b)))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    destruct Hvalid as (_ & vs & Hv & Hvs).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_2a v)) (
  s, None) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
vs: AllOrFin VSet
Hv: v ∈ vs
Hvs: vs ∈ sent_1c (default ∅ (s leaders_ix !! b))
∃ vs_c : AllOrFin VSet,
  v ∈ vs_c
  ∧ has_been_sent paxos_vlsm s' (b, m_1c vs_c)
    exists vs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_2a v)) (
  s, None) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
vs: AllOrFin VSet
Hv: v ∈ vs
Hvs: vs ∈ sent_1c (default ∅ (s leaders_ix !! b))
v ∈ vs ∧ has_been_sent paxos_vlsm s' (b, m_1c vs)
    split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_2a v)) (
  s, None) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
vs: AllOrFin VSet
Hv: v ∈ vs
Hvs: vs ∈ sent_1c (default ∅ (s leaders_ix !! b))
has_been_sent paxos_vlsm s' (b, m_1c vs)
    rewrite (has_been_sent_step_update Ht); right.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_2a v)) (
  s, None) (s', Some (b, m_2a v))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Htrans: leaders_transition (b, L_send_2a v)
  (s leaders_ix, None) =
(s' leaders_ix, Some (b, m_2a v))
vs: AllOrFin VSet
Hv: v ∈ vs
Hvs: vs ∈ sent_1c (default ∅ (s leaders_ix !! b))
has_been_sent paxos_vlsm s (b, m_1c vs)
    by apply localize_sent_messages.
Qed.

Lemma ShowsSafeAt_stable :
  forall [l s oim s' oom],
    input_constrained_transition paxos_vlsm l (s, oim) (s', oom) ->
  forall (Q : sig Quorum) b v,
    ShowsSafeAt s Q b v -> ShowsSafeAt s' Q b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → ∀ (Q : {x : ASet | Quorum x}) (b : Ballot) (v : Value),
      ShowsSafeAt s Q b v → ShowsSafeAt s' Q b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom)
  → ∀ (Q : {x : ASet | Quorum x}) (b : Ballot) (v : Value),
      ShowsSafeAt s Q b v → ShowsSafeAt s' Q b v
  intros * Ht Q b v [H_participated_b H_safe_v].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
ShowsSafeAt s' Q b v
  apply input_valid_transition_destination in Ht as Hs'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
ShowsSafeAt s' Q b v
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option (Ballot * Value),
      has_been_sent paxos_vlsm s'
        (b, m_1b a last_vote)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
NoPrevVotes s' (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s'
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s'
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v)))
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option (Ballot * Value),
      has_been_sent paxos_vlsm s'
        (b, m_1b a last_vote) intros a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s' (b, m_1b a last_vote)
    destruct (H_participated_b a Ha) as [lv Hlv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hlv: has_been_sent paxos_vlsm s (b, m_1b a lv)
∃ last_vote : option (Ballot * Value),
  has_been_sent paxos_vlsm s' (b, m_1b a last_vote)
    exists lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hlv: has_been_sent paxos_vlsm s (b, m_1b a lv)
has_been_sent paxos_vlsm s' (b, m_1b a lv)
    by apply (has_been_sent_step_update Ht); right.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_v: NoPrevVotes s (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : 
                      AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s
         (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s
                   (b,
                    m_1b a
                      (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) 
                  (v_lv : Value),
                  has_been_sent paxos_vlsm
                    s
                    (b,
                     m_1b a
                       (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c
                       → 
                       v_lv = v)))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
NoPrevVotes s' (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s'
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s'
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v))) destruct H_safe_v as [H_no_votes | H_safe_votes].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_no_votes: NoPrevVotes s (`Q) b
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
NoPrevVotes s' (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s'
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s'
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v)))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_votes: ∃ (b_1c : Ballot) (vsafe : 
                   AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s
      (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm
                s
                (b,
                 m_1b a
                   (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) 
               (v_lv : Value),
               has_been_sent paxos_vlsm
                 s
                 (b,
                  m_1b a
                    (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c
                    → v_lv = v))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
NoPrevVotes s' (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s'
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s'
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v)))
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_no_votes: NoPrevVotes s (`Q) b
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
NoPrevVotes s' (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s'
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s'
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v))) left.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_no_votes: NoPrevVotes s (`Q) b
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
NoPrevVotes s' (`Q) b
      intros a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_no_votes: NoPrevVotes s (`Q) b
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
∀ lv : option (Ballot * Value),
  has_been_sent paxos_vlsm s' (b, m_1b a lv)
  → lv = None
      destruct (H_participated_b a Ha) as [lv Hlv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_no_votes: NoPrevVotes s (`Q) b
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hlv: has_been_sent paxos_vlsm s (b, m_1b a lv)
∀ lv : option (Ballot * Value),
  has_been_sent paxos_vlsm s' (b, m_1b a lv)
  → lv = None
      specialize (H_no_votes a Ha lv Hlv); subst lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
Hlv: has_been_sent paxos_vlsm s (b, m_1b a None)
∀ lv : option (Ballot * Value),
  has_been_sent paxos_vlsm s' (b, m_1b a lv)
  → lv = None
      assert (H_sent_None : has_been_sent paxos_vlsm s' (b, m_1b a None))
        by (apply (has_been_sent_step_update Ht); right; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
Hlv: has_been_sent paxos_vlsm s (b, m_1b a None)
H_sent_None: has_been_sent paxos_vlsm s'
  (b, m_1b a None)
∀ lv : option (Ballot * Value),
  has_been_sent paxos_vlsm s' (b, m_1b a lv)
  → lv = None
      intros lv Hlv'; revert Hlv' H_sent_None.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
Hlv: has_been_sent paxos_vlsm s (b, m_1b a None)
lv: option (Ballot * Value)
has_been_sent paxos_vlsm s' (b, m_1b a lv)
→ has_been_sent paxos_vlsm s' (b, m_1b a None)
  → lv = None
      by apply sent_1b_once.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_votes: ∃ (b_1c : Ballot) (vsafe : 
                   AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s
      (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm
                s
                (b,
                 m_1b a
                   (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) 
               (v_lv : Value),
               has_been_sent paxos_vlsm
                 s
                 (b,
                  m_1b a
                    (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c
                    → v_lv = v))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
NoPrevVotes s' (`Q) b
∨ (∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
     v ∈ vsafe
     ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
       ∧ (∃ a : Acceptor,
            a ∈ `Q
            ∧ (∃ v_lv_a : Value,
                 has_been_sent paxos_vlsm s'
                   (b, m_1b a (Some (b_1c, v_lv_a)))))
         ∧ (∀ a : Acceptor,
              a ∈ `Q
              → ∀ (b_lv : Ballot) (v_lv : Value),
                  has_been_sent paxos_vlsm s'
                    (b, m_1b a (Some (b_lv, v_lv)))
                  → (b_lv ≤ b_1c)%Z
                    ∧ (b_lv = b_1c → v_lv = v))) right.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_safe_votes: ∃ (b_1c : Ballot) (vsafe : 
                   AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s
      (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm
                s
                (b,
                 m_1b a
                   (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) 
               (v_lv : Value),
               has_been_sent paxos_vlsm
                 s
                 (b,
                  m_1b a
                    (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c
                    → v_lv = v))
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s'
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s'
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      destruct H_safe_votes as (b_1c & vsafe & Hvs & Hsent_1c & H1c_from_votes & Hvoted_by_1c).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∃ (b_1c : Ballot) (vsafe : AllOrFin VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent paxos_vlsm s'
                (b, m_1b a (Some (b_1c, v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) (v_lv : Value),
               has_been_sent paxos_vlsm s'
                 (b, m_1b a (Some (b_lv, v_lv)))
               → (b_lv ≤ b_1c)%Z
                 ∧ (b_lv = b_1c → v_lv = v))
      exists b_1c, vsafe.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
v ∈ vsafe
∧ has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
  ∧ (∃ a : Acceptor,
       a ∈ `Q
       ∧ (∃ v_lv_a : Value,
            has_been_sent paxos_vlsm s'
              (b, m_1b a (Some (b_1c, v_lv_a)))))
    ∧ (∀ a : Acceptor,
         a ∈ `Q
         → ∀ (b_lv : Ballot) (v_lv : Value),
             has_been_sent paxos_vlsm s'
               (b, m_1b a (Some (b_lv, v_lv)))
             → (b_lv ≤ b_1c)%Z
               ∧ (b_lv = b_1c → v_lv = v))
      split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
has_been_sent paxos_vlsm s' (b_1c, m_1c vsafe)
∧ (∃ a : Acceptor,
     a ∈ `Q
     ∧ (∃ v_lv_a : Value,
          has_been_sent paxos_vlsm s'
            (b, m_1b a (Some (b_1c, v_lv_a)))))
  ∧ (∀ a : Acceptor,
       a ∈ `Q
       → ∀ (b_lv : Ballot) (v_lv : Value),
           has_been_sent paxos_vlsm s'
             (b, m_1b a (Some (b_lv, v_lv)))
           → (b_lv ≤ b_1c)%Z
             ∧ (b_lv = b_1c → v_lv = v))
      split; [by apply (has_been_sent_step_update Ht); right |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
(∃ a : Acceptor,
   a ∈ `Q
   ∧ (∃ v_lv_a : Value,
        has_been_sent paxos_vlsm s'
          (b, m_1b a (Some (b_1c, v_lv_a)))))
∧ (∀ a : Acceptor,
     a ∈ `Q
     → ∀ (b_lv : Ballot) (v_lv : Value),
         has_been_sent paxos_vlsm s'
           (b, m_1b a (Some (b_lv, v_lv)))
         → (b_lv ≤ b_1c)%Z ∧ (b_lv = b_1c → v_lv = v))
      split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s'
         (b, m_1b a (Some (b_1c, v_lv_a))))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s'
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z ∧ (b_lv = b_1c → v_lv = v)
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s'
         (b, m_1b a (Some (b_1c, v_lv_a)))) destruct H1c_from_votes as (a & Ha & v_lv_a & H_a_voted_at_1c).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
a: Acceptor
Ha: a ∈ `Q
v_lv_a: Value
H_a_voted_at_1c: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_1c, v_lv_a)))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s'
         (b, m_1b a (Some (b_1c, v_lv_a))))
        exists a; split; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
a: Acceptor
Ha: a ∈ `Q
v_lv_a: Value
H_a_voted_at_1c: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_1c, v_lv_a)))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∃ v_lv_a : Value,
  has_been_sent paxos_vlsm s'
    (b, m_1b a (Some (b_1c, v_lv_a)))
        exists v_lv_a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
a: Acceptor
Ha: a ∈ `Q
v_lv_a: Value
H_a_voted_at_1c: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_1c, v_lv_a)))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
has_been_sent paxos_vlsm s'
  (b, m_1b a (Some (b_1c, v_lv_a)))
        by apply (has_been_sent_step_update Ht); right.
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s'
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z ∧ (b_lv = b_1c → v_lv = v) intros a Ha b_lv v_lv H_sent_s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
H_sent_s': has_been_sent paxos_vlsm s'
  (b, m_1b a (Some (b_lv, v_lv)))
(b_lv ≤ b_1c)%Z ∧ (b_lv = b_1c → v_lv = v)
        apply (Hvoted_by_1c a Ha b_lv v_lv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
H_sent_s': has_been_sent paxos_vlsm s'
  (b, m_1b a (Some (b_lv, v_lv)))
has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
        destruct (H_participated_b a Ha) as [lv H_sent_1b].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
H_sent_s': has_been_sent paxos_vlsm s'
  (b, m_1b a (Some (b_lv, v_lv)))
lv: option (Ballot * Value)
H_sent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
        cut (lv = Some (b_lv, v_lv)); [by intros -> |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
H_sent_s': has_been_sent paxos_vlsm s'
  (b, m_1b a (Some (b_lv, v_lv)))
lv: option (Ballot * Value)
H_sent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
lv = Some (b_lv, v_lv)
        revert H_sent_s'; apply sent_1b_once; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oom: option paxos_message
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', oom)
Q: {x : ASet | Quorum x}
b: Ballot
v: Value
H_participated_b: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot * Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vsafe: AllOrFin VSet
Hvs: v ∈ vsafe
Hsent_1c: has_been_sent paxos_vlsm s
  (b_1c, m_1c vsafe)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
Hvoted_by_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c → v_lv = v)
Hs': valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm)
  s'
a: Acceptor
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
lv: option (Ballot * Value)
H_sent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
has_been_sent paxos_vlsm s' (b, m_1b a lv)
        by apply (has_been_sent_step_update Ht); right.
Qed.

Lemma sent_1c_implies_ShowsSafeAt :
  forall (s : state paxos_vlsm),
    constrained_state_prop paxos_vlsm s ->
  forall b vs,
    has_been_sent paxos_vlsm s (b, m_1c vs) ->
  forall v, v ∈ vs -> exists (Q : sig Quorum), ShowsSafeAt s Q b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (vs : AllOrFin VSet),
      has_been_sent paxos_vlsm s (b, m_1c vs)
      → ∀ v : Value,
          v ∈ vs
          → ∃ Q : {x : ASet | Quorum x},
              ShowsSafeAt s Q b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (vs : AllOrFin VSet),
      has_been_sent paxos_vlsm s (b, m_1c vs)
      → ∀ v : Value,
          v ∈ vs
          → ∃ Q : {x : ASet | Quorum x},
              ShowsSafeAt s Q b v
  intros s Hs b vs Hsent v Hv; revert s Hs Hsent.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → has_been_sent paxos_vlsm s (b, m_1c vs)
    → ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
  change (state paxos_vlsm) with (state (preloaded_with_all_messages_vlsm paxos_vlsm)).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → has_been_sent paxos_vlsm s (b, m_1c vs)
    → ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
  apply from_send_to_from_sent_argument;
    [by intros * ? [Q ?]; exists Q; eapply ShowsSafeAt_stable |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_1c vs))
  → ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s' Q b v
  intros * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s' Q b v
  assert (Hs : constrained_state_prop paxos_vlsm s) by apply Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s' Q b v
  cut (exists Q, ShowsSafeAt s Q b v);
    [by intros [Q ?]; exists Q; eapply ShowsSafeAt_stable |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
  apply (check_safe_at_okay s Hs).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  destruct (Ht) as [_ Hix].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
Hix: transition l (s, oim) = (s', Some (b, m_1c vs))
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  destruct l as [ix l]; apply localize_send in Hix; simpl in Hix; subst ix.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  apply input_valid_transition_preloaded_project_active in Ht; simpl in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition leaders_vlsm l
  (s leaders_ix, oim)
  (s' leaders_ix, Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  destruct (Ht) as [(_ & _ & Hvalid) Hlabel].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition leaders_vlsm l
  (s leaders_ix, oim)
  (s' leaders_ix, Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
Hvalid: valid l (s leaders_ix, oim)
Hlabel: transition l (s leaders_ix, oim) =
(s' leaders_ix, Some (b, m_1c vs))
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  apply examine_leaders_output in Hlabel; subst l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition leaders_vlsm
  (b, L_send_1c vs) (s leaders_ix, oim)
  (s' leaders_ix, Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
Hvalid: valid (b, L_send_1c vs) (s leaders_ix, oim)
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  change valid with leaders_valid in Hvalid; cbn in Hvalid.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition leaders_vlsm
  (b, L_send_1c vs) (s leaders_ix, oim)
  (s' leaders_ix, Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
Hvalid: match oim with
| Some _ => False
| None =>
    vs =
    calculate_safe_values b
      (gathered_1b
         (default ∅ (s leaders_ix !! b)))
end
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  destruct oim; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition leaders_vlsm
  (b, L_send_1c vs) (s leaders_ix, None)
  (s' leaders_ix, Some (b, m_1c vs))
Hs: constrained_state_prop paxos_vlsm s
Hvalid: vs =
calculate_safe_values b
  (gathered_1b
     (default ∅ (s leaders_ix !! b)))
v
∈ calculate_safe_values b
    (gathered_1b (s leaders_ix !!! b))
  by rewrite Hvalid in Hv.
Qed.

Lemma ShowsSafeAt_impl_V_SafeAt :
   forall (s : state paxos_vlsm),
    constrained_state_prop paxos_vlsm s ->
  forall b v,
    (exists (Q : sig Quorum), ShowsSafeAt s Q b v) ->
      V_SafeAt s b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (v : Value),
      (∃ Q : {x : ASet | Quorum x},
         ShowsSafeAt s Q b v) → V_SafeAt s b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state paxos_vlsm,
  constrained_state_prop paxos_vlsm s
  → ∀ (b : Ballot) (v : Value),
      (∃ Q : {x : ASet | Quorum x},
         ShowsSafeAt s Q b v) → V_SafeAt s b v
  intros s Hs b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  assert (Inv1 : P1bInv_prop s) by (apply P1bInv_is_invariant; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Inv1: P1bInv_prop s
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  assert (Inv2 : P2aInv_prop s) by (apply P2aInv_is_invariant; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Inv1: P1bInv_prop s
Inv2: P2aInv_prop s
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  unfold P1bInv_prop in Inv1.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: P2aInv_prop s
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  unfold P2aInv_prop in Inv2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  (*
    We might need to unfold the ShowsSafeAt and drop the part about voting at b to
    get the correct induction goal.
  *)
  induction (N.lt_wf_0 b) as [b _ IHb].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: N
IHb: ∀ y : N,
  (y < b)%N
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  setoid_rewrite N2Z.inj_lt in IHb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: N
IHb: ∀ y : N,
  (Z.of_N y < Z.of_N b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  change Z.of_N with Ballot_to_Z in *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: N
IHb: ∀ y : N,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  change N with Ballot in *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
(∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v)
→ V_SafeAt s b v
  intros [Q [H_Q_participating [H_Q_never_voted | H_Q_protects_to_past_1c]]].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
V_SafeAt s b v
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_protects_to_past_1c: ∃ (b_1c : Ballot) (vsafe : 
                   AllOrFin
                     VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm
      s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent
                paxos_vlsm s
                (b,
                 m_1b a
                   (Some
                      (b_1c,
                       v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) 
               (v_lv : Value),
               has_been_sent
                 paxos_vlsm
                 s
                 (b,
                  m_1b a
                    (Some
                       (
                       b_lv,
                       v_lv)))
               → (b_lv
                  ≤ b_1c)%Z
                 ∧ (b_lv =
                    b_1c
                    → v_lv =
                      v))
V_SafeAt s b v
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
V_SafeAt s b v intros b' Hb'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum (to_voting_state s) b' v Q
    exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
consensus_blocking_quorum Value VSet Acceptor ASet
  Quorum (to_voting_state s) b' v Q
    unfold consensus_blocking_quorum.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     vote_committed VSet (to_voting_state s a) b')
∧ allQuorum Acceptor ASet Quorum Q
    (λ a : Acceptor,
       voted_none_but Value VSet (to_voting_state s a)
         b' v)
    split; intros a Ha;
      apply valid_state_project_preloaded_to_preloaded with (i := acceptor_ix a) in Hs as Hsa;
      destruct (H_Q_participating a Ha) as [lv Hsent_1b].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
vote_committed VSet (to_voting_state s a) b'
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
voted_none_but Value VSet (to_voting_state s a) b' v
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
vote_committed VSet (to_voting_state s a) b' unfold vote_committed; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
(paxos_maxBal (s (acceptor_ix a)) > b')%Z
      cut (b <= paxos_maxBal (s (acceptor_ix a)))%Z; [by lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
      by apply localize_sent_messages, paxos_acceptor_sent_bounds_maxBal in Hsent_1b.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
voted_none_but Value VSet (to_voting_state s a) b' v intros w Hvoted.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
w: Value
Hvoted: voted_for Value VSet (to_voting_state s a) b'
  w
w = v
      apply V_VotedFor_iff in Hvoted; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
w: Value
Hvoted: has_been_sent paxos_vlsm s (b', m_2b a w)
w = v
      contradict Hvoted.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_never_voted: NoPrevVotes s (`Q) b
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
w: Value
¬ has_been_sent paxos_vlsm s (b', m_2b a w)
      specialize (H_Q_never_voted a Ha _ Hsent_1b); subst lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a None)
w: Value
¬ has_been_sent paxos_vlsm s (b', m_2b a w)
      apply Inv1 in Hsent_1b as (_ & _ & H_dnv); cbn in H_dnv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
H_dnv: ∀ b0 : Ballot,
  (b0 < b)%Z
  → (-1 < b0)%Z → V_DidNotVoteIn s a b0
w: Value
¬ has_been_sent paxos_vlsm s (b', m_2b a w)
      setoid_rewrite V_DidNotVoteIn_iff in H_dnv; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
H_dnv: ∀ b0 : Ballot,
  (b0 < b)%Z
  → (-1 < b0)%Z
    → ∀ v : Value,
        ¬ has_been_sent paxos_vlsm s
            (b0, m_2b a v)
w: Value
¬ has_been_sent paxos_vlsm s (b', m_2b a w)
      apply (H_dnv _ Hb').Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b': Ballot
Hb': (b' < b)%Z
a: Acceptor
Ha: a ∈ `Q
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
H_dnv: ∀ b0 : Ballot,
  (b0 < b)%Z
  → (-1 < b0)%Z
    → ∀ v : Value,
        ¬ has_been_sent paxos_vlsm s
            (b0, m_2b a v)
w: Value
(-1 < b')%Z
      by unfold Ballot_to_Z; lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
H_Q_protects_to_past_1c: ∃ (b_1c : Ballot) (vsafe : 
                   AllOrFin
                     VSet),
  v ∈ vsafe
  ∧ has_been_sent paxos_vlsm
      s (b_1c, m_1c vsafe)
    ∧ (∃ a : Acceptor,
         a ∈ `Q
         ∧ (∃ v_lv_a : Value,
              has_been_sent
                paxos_vlsm s
                (b,
                 m_1b a
                   (Some
                      (b_1c,
                       v_lv_a)))))
      ∧ (∀ a : Acceptor,
           a ∈ `Q
           → ∀ (b_lv : Ballot) 
               (v_lv : Value),
               has_been_sent
                 paxos_vlsm
                 s
                 (b,
                  m_1b a
                    (Some
                       (
                       b_lv,
                       v_lv)))
               → (b_lv
                  ≤ b_1c)%Z
                 ∧ (b_lv =
                    b_1c
                    → v_lv =
                      v))
V_SafeAt s b v (*
      Here Q is only known to protect as far back as
      some ballot b_1c, where a previous 1c message for v
      had been sent.
    *)
    destruct H_Q_protects_to_past_1c as
      (b_1c & vs & Hv & H_sent_1c & H1c_from_votes & H_Q_voted_before_1c).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
V_SafeAt s b v
    assert (b_1c < b)%Z.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
(b_1c < b)%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
V_SafeAt s b v
    {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
(b_1c < b)%Z
      destruct H1c_from_votes as (a & Ha & v_lv_a & H_a_voted_at_1c).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
a: Acceptor
Ha: a ∈ `Q
v_lv_a: Value
H_a_voted_at_1c: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_1c, v_lv_a)))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
(b_1c < b)%Z
      by destruct (Inv1 _ _ _ H_a_voted_at_1c) as (_ & Hb_1c_lt_b & _).
    }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
V_SafeAt s b v
    assert (H_safe_at_1c' : V_SafeAt s b_1c v)
      by (intro; eapply IHb, sent_1c_implies_ShowsSafeAt; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
V_SafeAt s b v
    intros d Hd.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum (to_voting_state s) d v Q
    destruct (Z.lt_ge_cases d b_1c) as [H_d_lt_1c | H_d_ge_1c];
      [by apply (H_safe_at_1c' d H_d_lt_1c) |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Value VSet Acceptor ASet
    Quorum (to_voting_state s) d v Q
    exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
consensus_blocking_quorum Value VSet Acceptor ASet
  Quorum (to_voting_state s) d v Q
    (*
      No acceptor in Q voted between b_1c and b,
      any vote from Q at b_1c was for v, so
      Q is consensus_blocking strictly between by having no votes,
      and at b_1c less trivially.
    *)
    unfold consensus_blocking_quorum.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor,
     vote_committed VSet (to_voting_state s a) d)
∧ allQuorum Acceptor ASet Quorum Q
    (λ a : Acceptor,
       voted_none_but Value VSet (to_voting_state s a)
         d v)
    split; intros a Ha;
      destruct (H_Q_participating a Ha) as [lv Hsent_1b].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
vote_committed VSet (to_voting_state s a) d
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
voted_none_but Value VSet (to_voting_state s a) d v
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
vote_committed VSet (to_voting_state s a) d unfold vote_committed; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
(paxos_maxBal (s (acceptor_ix a)) > d)%Z
      cut (b <= paxos_maxBal (s (acceptor_ix a)))%Z; [by lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
      apply localize_sent_messages in Hsent_1b; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent
  (IM (message_sender (b, m_1b a lv).2))
  (s (message_sender (b, m_1b a lv).2))
  (b, m_1b a lv)
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
      apply valid_state_project_preloaded_to_preloaded with (i:=acceptor_ix a) in Hs as Hsa.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent
  (IM (message_sender (b, m_1b a lv).2))
  (s (message_sender (b, m_1b a lv).2))
  (b, m_1b a lv)
Hsa: constrained_state_prop (IM (acceptor_ix a))
  (s (acceptor_ix a))
(b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
      by apply paxos_acceptor_sent_bounds_maxBal in Hsent_1b.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
voted_none_but Value VSet (to_voting_state s a) d v intros w Hvote_w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
w = v
      destruct (Inv1 _ _ _ Hsent_1b) as (H_b_s & H_b_lv & Hdnv).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
H_Q_voted_before_1c: ∀ a : Acceptor,
  a ∈ `Q
  → ∀ (b_lv : Ballot) (v_lv : Value),
      has_been_sent paxos_vlsm s
        (b,
         m_1b a
           (Some (b_lv, v_lv)))
      → (b_lv ≤ b_1c)%Z
        ∧ (b_lv = b_1c
           → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (fst <$> lv < b)%Z
Hdnv: ∀ b0 : Ballot,
  (b0 < b)%Z
  → (fst <$> lv < b0)%Z → V_DidNotVoteIn s a b0
w = v
      specialize (H_Q_voted_before_1c a Ha).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (fst <$> lv < b)%Z
Hdnv: ∀ b0 : Ballot,
  (b0 < b)%Z
  → (fst <$> lv < b0)%Z → V_DidNotVoteIn s a b0
w = v
      specialize (Hdnv _ Hd).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
lv: option (Ballot * Value)
Hsent_1b: has_been_sent paxos_vlsm s (b, m_1b a lv)
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (fst <$> lv < b)%Z
Hdnv: (fst <$> lv < d)%Z → V_DidNotVoteIn s a d
w = v
      destruct lv as [[b_lv v_lv] |];
        [| by contradict Hvote_w; apply Hdnv; simpl; unfold Ballot_to_Z; lia].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (fst <$> Some (b_lv, v_lv) < b)%Z
Hdnv: (fst <$> Some (b_lv, v_lv) < d)%Z
→ V_DidNotVoteIn s a d
w = v
      destruct (H_Q_voted_before_1c _ _ Hsent_1b) as [H_lv_le H_lv_eq_only_v].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (fst <$> Some (b_lv, v_lv) < b)%Z
Hdnv: (fst <$> Some (b_lv, v_lv) < d)%Z
→ V_DidNotVoteIn s a d
H_lv_le: (b_lv ≤ b_1c)%Z
H_lv_eq_only_v: b_lv = b_1c → v_lv = v
w = v
      change (b_lv < b)%Z in H_b_lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_lv < b)%Z
Hdnv: (fst <$> Some (b_lv, v_lv) < d)%Z
→ V_DidNotVoteIn s a d
H_lv_le: (b_lv ≤ b_1c)%Z
H_lv_eq_only_v: b_lv = b_1c → v_lv = v
w = v
      change (Z.lt _ _) with (b_lv < d)%Z in Hdnv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_lv < b)%Z
Hdnv: (b_lv < d)%Z → V_DidNotVoteIn s a d
H_lv_le: (b_lv ≤ b_1c)%Z
H_lv_eq_only_v: b_lv = b_1c → v_lv = v
w = v
      assert (Htmp : (b_lv < d \/ b_lv =@{Z} d)%Z) by lia.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_lv < b)%Z
Hdnv: (b_lv < d)%Z → V_DidNotVoteIn s a d
H_lv_le: (b_lv ≤ b_1c)%Z
H_lv_eq_only_v: b_lv = b_1c → v_lv = v
Htmp: (b_lv < d)%Z ∨ b_lv = d
w = v
      destruct Htmp as [H_lv_lt | H_lv_eq];
        [by apply Hdnv in Hvote_w |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
b_lv: Ballot
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_lv, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_lv < b)%Z
Hdnv: (b_lv < d)%Z → V_DidNotVoteIn s a d
H_lv_le: (b_lv ≤ b_1c)%Z
H_lv_eq_only_v: b_lv = b_1c → v_lv = v
H_lv_eq: b_lv = d
w = v
      apply N2Z.inj in H_lv_eq; subst b_lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (d, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_lv_eq_only_v: d = b_1c → v_lv = v
H_lv_le: (d ≤ b_1c)%Z
Hdnv: (d < d)%Z → V_DidNotVoteIn s a d
H_b_lv: (d < b)%Z
w = v
      clear Hdnv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (d, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_lv_eq_only_v: d = b_1c → v_lv = v
H_lv_le: (d ≤ b_1c)%Z
H_b_lv: (d < b)%Z
w = v
      assert (H_d_eq : d =@{Z} b_1c) by lia.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
d: Ballot
Hd: (d < b)%Z
H_d_ge_1c: (b_1c ≤ d)%Z
Ha: a ∈ `Q
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (d, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a) d
  w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_lv_eq_only_v: d = b_1c → v_lv = v
H_lv_le: (d ≤ b_1c)%Z
H_b_lv: (d < b)%Z
H_d_eq: d = b_1c
w = v
      apply N2Z.inj in H_d_eq; subst d.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
H_d_ge_1c: (b_1c ≤ b_1c)%Z
Hd: (b_1c < b)%Z
Ha: a ∈ `Q
v_lv: Value
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_1c, v_lv)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a)
  b_1c w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_1c < b)%Z
H_lv_le: (b_1c ≤ b_1c)%Z
H_lv_eq_only_v: b_1c = b_1c → v_lv = v
w = v
      specialize (H_lv_eq_only_v (eq_refl _)); subst v_lv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
H_d_ge_1c: (b_1c ≤ b_1c)%Z
Hd: (b_1c < b)%Z
Ha: a ∈ `Q
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_1c, v)))
w: Value
Hvote_w: voted_for Value VSet (to_voting_state s a)
  b_1c w
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_1c < b)%Z
H_lv_le: (b_1c ≤ b_1c)%Z
w = v
      apply V_VotedFor_iff in Hvote_w; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
H_d_ge_1c: (b_1c ≤ b_1c)%Z
Hd: (b_1c < b)%Z
Ha: a ∈ `Q
Hsent_1b: has_been_sent paxos_vlsm s
  (b, m_1b a (Some (b_1c, v)))
w: Value
Hvote_w: has_been_sent paxos_vlsm s (b_1c, m_2b a w)
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_1c < b)%Z
H_lv_le: (b_1c ≤ b_1c)%Z
w = v
      apply sent_1b_impl_sent_lastvote_as_2b in Hsent_1b; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
v: Value
Inv1: ∀ (b_m : Ballot) (a_m : Acceptor) 
  (lv_m : option (Ballot * Value)),
  has_been_sent paxos_vlsm s
    (b_m, m_1b a_m lv_m)
  → (b_m ≤ paxos_maxBal (s (acceptor_ix a_m)))%Z
    ∧ (fst <$> lv_m < b_m)%Z
      ∧ (∀ b : Ballot,
           (b < b_m)%Z
           → (fst <$> lv_m < b)%Z
             → V_DidNotVoteIn s a_m b)
Inv2: ∀ (b_m : Ballot) (v_m : Value),
  has_been_sent paxos_vlsm s (b_m, m_2a v_m)
  → ∃ vs_c : AllOrFin VSet,
      v_m ∈ vs_c
      ∧ has_been_sent paxos_vlsm s
          (b_m, m_1c vs_c)
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z
  → (∃ Q : {x : ASet | Quorum x},
       ShowsSafeAt s Q y v) → 
    V_SafeAt s y v
Q: {x : ASet | Quorum x}
H_Q_participating: ∀ a : Acceptor,
  a ∈ `Q
  → ∃ last_vote : option
                    (Ballot *
                     Value),
      has_been_sent paxos_vlsm s
        (b, m_1b a last_vote)
b_1c: Ballot
vs: AllOrFin VSet
Hv: v ∈ vs
H_sent_1c: has_been_sent paxos_vlsm s (b_1c, m_1c vs)
H1c_from_votes: ∃ a : Acceptor,
  a ∈ `Q
  ∧ (∃ v_lv_a : Value,
       has_been_sent paxos_vlsm s
         (b,
          m_1b a
            (Some (b_1c, v_lv_a))))
a: Acceptor
H_Q_voted_before_1c: ∀ (b_lv : Ballot) (v_lv : Value),
  has_been_sent paxos_vlsm s
    (b,
     m_1b a (Some (b_lv, v_lv)))
  → (b_lv ≤ b_1c)%Z
    ∧ (b_lv = b_1c → v_lv = v)
H16: (b_1c < b)%Z
H_safe_at_1c': V_SafeAt s b_1c v
H_d_ge_1c: (b_1c ≤ b_1c)%Z
Hd: (b_1c < b)%Z
Ha: a ∈ `Q
Hsent_1b: has_been_sent paxos_vlsm s (b_1c, m_2b a v)
w: Value
Hvote_w: has_been_sent paxos_vlsm s (b_1c, m_2b a w)
H_b_s: (b ≤ paxos_maxBal (s (acceptor_ix a)))%Z
H_b_lv: (b_1c < b)%Z
H_lv_le: (b_1c ≤ b_1c)%Z
w = v
      by eapply sent_2b_unique.
Qed.

Lemma P1cInv_is_invariant :
  forall s,
    constrained_state_prop paxos_vlsm s ->
    P1cInv_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s → P1cInv_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s → P1cInv_prop s
  unfold P1cInv_prop.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
∀ s : state
        (preloaded_with_all_messages_vlsm paxos_vlsm),
  constrained_state_prop paxos_vlsm s
  → ∀ (b_m : Ballot) (vs_m : AllOrFin VSet),
      has_been_sent paxos_vlsm s (b_m, m_1c vs_m)
      → ∀ v : Value, v ∈ vs_m → V_SafeAt s b_m v
  intros s Hs b vs Hsent v Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
vs: AllOrFin VSet
Hsent: has_been_sent paxos_vlsm s (b, m_1c vs)
v: Value
Hv: v ∈ vs
V_SafeAt s b v
  pattern s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
vs: AllOrFin VSet
Hsent: has_been_sent paxos_vlsm s (b, m_1c vs)
v: Value
Hv: v ∈ vs
(λ s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm),
   V_SafeAt s b v) s
  revert Hsent; apply from_send_to_from_sent_argument; [.. | done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom) → V_SafeAt s b v → V_SafeAt s' b v
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) 
  (s' : state
          (preloaded_with_all_messages_vlsm paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (
    s, oim) (s', Some (b, m_1c vs)) → 
  V_SafeAt s' b v
  - (* V_SafeAt is persistant *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)) 
  (oom : option paxos_message),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', oom) → V_SafeAt s b v → V_SafeAt s' b v
    by intros * Ht; apply (V_SafeAt_stable Ht).
  - (* V_SafeAt holds when the 1c is sent *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: constrained_state_prop paxos_vlsm s
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_1c vs)) → V_SafeAt s' b v
    clear s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
∀ (s : state
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (l : label
         (preloaded_with_all_messages_vlsm paxos_vlsm)) 
  (oim : option paxos_message) (s' : state
                                       (preloaded_with_all_messages_vlsm
                                          paxos_vlsm)),
  input_constrained_transition paxos_vlsm l (s, oim)
    (s', Some (b, m_1c vs)) → V_SafeAt s' b v
    intros * Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
V_SafeAt s' b v
    apply input_valid_transition_origin in Ht as Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
V_SafeAt s' b v
    destruct (Ht) as [_ Hsender].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hsender: transition l (s, oim) =
(s', Some (b, m_1c vs))
V_SafeAt s' b v
    apply localize_send in Hsender.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm l
  (s, oim) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hsender: projT1 l = message_sender (b, m_1c vs).2
V_SafeAt s' b v
    destruct l as [li l]; simpl in Hsender; subst li.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
V_SafeAt s' b v
    apply input_valid_transition_preloaded_project_active in Ht as Ht_l; simpl in Ht_l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Ht_l: input_constrained_transition leaders_vlsm l
  (s leaders_ix, oim)
  (s' leaders_ix, Some (b, m_1c vs))
V_SafeAt s' b v
    destruct Ht_l as [(_ & _ & Hvalid) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
l: label (IM leaders_ix)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix l) (
  s, oim) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hvalid: valid l (s leaders_ix, oim)
Htrans: transition l (s leaders_ix, oim) =
(s' leaders_ix, Some (b, m_1c vs))
V_SafeAt s' b v
    apply examine_leaders_output in Htrans as ->.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
oim: option paxos_message
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_1c vs)) (
  s, oim) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hvalid: valid (b, L_send_1c vs) (s leaders_ix, oim)
V_SafeAt s' b v
    cbn in Hvalid; destruct oim; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
vs: AllOrFin VSet
v: Value
Hv: v ∈ vs
s, s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix (b, L_send_1c vs)) (
  s, None) (s', Some (b, m_1c vs))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
Hvalid: vs =
calculate_safe_values b
  (gathered_1b
     (default ∅ (s leaders_ix !! b)))
V_SafeAt s' b v
    subst vs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hv: v
∈ calculate_safe_values b
    (gathered_1b (default ∅ (s leaders_ix !! b)))
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix
     (b,
      L_send_1c
        (calculate_safe_values b
           (gathered_1b
              (default ∅ (s leaders_ix !! b))))))
  (s, None)
  (s',
   Some
     (b,
      m_1c
        (calculate_safe_values b
           (gathered_1b
              (default ∅ (s leaders_ix !! b))))))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
V_SafeAt s' b v
    apply check_safe_at_okay in Hv; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hv: ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Ht: input_constrained_transition paxos_vlsm
  (existT leaders_ix
     (b,
      L_send_1c
        (calculate_safe_values b
           (gathered_1b
              (default ∅ (s leaders_ix !! b))))))
  (s, None)
  (s',
   Some
     (b,
      m_1c
        (calculate_safe_values b
           (gathered_1b
              (default ∅ (s leaders_ix !! b))))))
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
V_SafeAt s' b v
    apply (V_SafeAt_stable Ht); clear Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
b: Ballot
v: Value
s: state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hv: ∃ Q : {x : ASet | Quorum x}, ShowsSafeAt s Q b v
s': state
  (preloaded_with_all_messages_vlsm paxos_vlsm)
Hs: valid_state_prop
  (preloaded_with_all_messages_vlsm paxos_vlsm) s
V_SafeAt s b v
    by eapply ShowsSafeAt_impl_V_SafeAt.
Qed.

Lemma paxos_invariants (s : state paxos_vlsm) :
  constrained_state_prop paxos_vlsm s -> PInv s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
constrained_state_prop paxos_vlsm s → PInv s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
constrained_state_prop paxos_vlsm s → PInv s
  intros Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
PInv s
  unfold PInv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv_past_vote_info_prop s
∧ P1bInv_prop s ∧ P1cInv_prop s ∧ P2aInv_prop s
  repeat split_and.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv_past_vote_info_prop s
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P1bInv_prop s
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P1cInv_prop s
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P2aInv_prop s
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
Inv_past_vote_info_prop s by apply past_vote_info_is_invariant.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P1bInv_prop s by apply P1bInv_is_invariant.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P1cInv_prop s by apply P1cInv_is_invariant.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
EqDecision1: EqDecision VSet
VSDec: RelDecision elem_of
Acceptor: Type
AMap: Type → Type
H7: FMap AMap
H8: ∀ A : Type, Lookup Acceptor A (AMap A)
H9: ∀ A : Type, Empty (AMap A)
H10: ∀ A : Type, PartialAlter Acceptor A (AMap A)
H11: OMap AMap
H12: Merge AMap
H13: ∀ A : Type, MapFold Acceptor A (AMap A)
EqDecision2: EqDecision Acceptor
H14: FinMap Acceptor AMap
H15: finite.Finite Acceptor
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QClosed: Proper (subseteq ==> impl) Quorum
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
s: state paxos_vlsm
Hs: constrained_state_prop paxos_vlsm s
P2aInv_prop s by apply P2aInv_is_invariant.
Qed.

End sec_paxos_spec.