From VLSM.Lib Require Import Itauto.[Loading ML file ring_plugin.cmxs (using legacy method) ... done]
[Loading ML file zify_plugin.cmxs (using legacy method) ... done]
[Loading ML file micromega_plugin.cmxs (using legacy method) ... done]
[Loading ML file btauto_plugin.cmxs (using legacy method) ... done]
[Loading ML file coq-itauto.plugin ... done]
From stdpp Require Import prelude finite fin_sets fin_maps nmap.
From Coq Require Import Streams FunctionalExtensionality Eqdep_dec.
From VLSM.Lib Require Import Preamble ListExtras FinSetExtras.
From VLSM.Core Require Import VLSM Plans VLSMProjections Composition.
From VLSM.Examples Require Import Consensus.

Paxos: Specification of Consensus by Voting

A specification of a consensus algorithm where a set of nodes, the acceptors, agree on a value by voting.

The algorithm uses numbered rounds of voting. Each acceptor casts at most one vote per round. A value is chosen when a sufficient set of acceptors, a quorum, have voted for the same value in the same round.

This specification is closer to something implementable than the Consensus module, but still has some restrictions on the allowed transitions of an acceptor that can only be checked with access to the states of all acceptors. We model this as a composite VLSM with a composition constraint.

Ballot numbers

Definition Ballot := N.

Ballot numbers extended with a minimal element "-1" that comes before others

Definition Ballot' := option Ballot.

Definition Ballot'_to_Z (b : Ballot') : Z := from_option Z.of_N (-1)%Z b.
Definition Ballot_to_Z (b : Ballot) : Z := Z.of_N b.

Coercion Ballot_to_Z : Ballot >-> Z.
Coercion Ballot'_to_Z : Ballot' >-> Z.

Ltac ballot_lia := unfold Ballot_to_Z in *; lia.

Lemma Ballot_lt_wf : well_founded (fun (x y : Ballot) => (x < y)%Z).wf (λ x y : Ballot, (x < y)%Z)
Proof.wf (λ x y : Ballot, (x < y)%Z)
  generalize N.lt_wf_0.wf N.lt → wf (λ x y : Ballot, (x < y)%Z)
  by apply (wf_projected N.lt id), N2Z.inj_lt.
Qed.

Definition Ballot_peano_ind :
  forall (P : Ballot -> Prop),
    P 0%N -> (forall (b : Ballot), P b -> P (N.succ b)) -> forall b, P b
  := N.peano_ind.

ballot-indexed-map

Definition Bmap : Type -> Type := @Nmap.

#[export] Instance Bmap_eq_dec : ∀ {A : Type}, EqDecision A -> EqDecision (Bmap A) := _.

#[export] Instance Bfmap : FMap Bmap := _.
#[export] Instance Blookup : ∀ {A : Type}, Lookup Ballot A (Bmap A) := _.
#[export] Instance Bempty : ∀ {A : Type}, Empty (Bmap A) := _.
#[export] Instance Bpartial_alter : ∀ {A : Type}, PartialAlter Ballot A (Bmap A) := _.
#[export] Instance Bomap : OMap Bmap := _.
#[export] Instance Bmerge : Merge Bmap := _.
#[export] Instance FinMap_Ballot_Bmap : FinMap Ballot Bmap := _.

Notation Bset := (mapset.mapset Bmap).

#[export] Instance Bmap_dom {A : Type} : Dom (Bmap A) Bset := _.
#[export] Instance FinMapDom_Bmap_Bset : fin_map_dom.FinMapDom Ballot Bmap Bset := _.

Lemma Ballot'_Zeq_iff (b : Ballot') (x : Ballot) :
  (b : Z) = (x : Z) <-> b = Some x.b: Ballot'
x: Ballot
(b : Z) = (x : Z) ↔ b = Some x
Proof.b: Ballot'
x: Ballot
(b : Z) = (x : Z) ↔ b = Some x
  by destruct b; cbn; [rewrite (inj_iff Z.of_N) |]; split; (congruence || ballot_lia).
Qed.

Section sec_voting_spec.

Context
  (Value : Type)
  (VSet : Type) `{FinSet Value VSet}
  {VSDec : RelDecision (∈@{VSet})}
  .

Section sec_acceptor_vlsm.

Record acceptor_state : Type :=
{
  votes : Bmap VSet;
  maxBal : Ballot';
}.

Defining several predicates over single voting states.

Section sec_acceptor_state_predicates.

Context
  (AState : acceptor_state)
  .

Definition voted_for (b : Ballot) (v : Value) := v ∈ votes AState !!! b.

#[export] Instance voted_for_dec (b : Ballot) (v : Value) : Decision (voted_for b v) :=
  VSDec _ _.

Definition did_not_vote_in (b : Ballot) : Prop :=
  forall v : Value, ~ voted_for b v.

End sec_acceptor_state_predicates.

Acceptor labels:

SkipToRound b means: commit to not voting in any ballots before b
Vote b v means: vote for v in ballot b.

Inductive acceptor_label : Type :=
| SkipToRound (b : Ballot)
| Vote (b : Ballot) (v : Value).

#[export] Program Instance acceptor_label_dec : EqDecision acceptor_label :=
  fun x y =>
    match x, y with
    | SkipToRound x_b, SkipToRound y_b =>
        if decide (x_b = y_b) then left _ else right _
    | Vote x_b x_v, Vote y_b y_v =>
        if decide (x_b = y_b) then
          if decide (x_v = y_v) then left _
          else right _
        else right _
    | SkipToRound _, Vote _ _ => right _
    | Vote _ _, SkipToRound _ => right _
    end.
Solve Obligations with congruence.

Definition acceptor_type : VLSMType False :=
{|
  state := acceptor_state;
  label := acceptor_label;
|}.

Definition acceptor_initial : acceptor_state :=
{|
  votes := ∅;
  maxBal := None;
|}.

Definition acceptor_initial_state_prop (s : acceptor_state) : Prop :=
  s = acceptor_initial.

Definition acceptor_valid : acceptor_label -> acceptor_state * option False -> Prop :=
  fun l '(s, _) =>
    match l with
    | SkipToRound b => (maxBal s < b)%Z
    | Vote b v => (maxBal s <= b)%Z /\ did_not_vote_in s b
    end.

Definition acceptor_transition
  : acceptor_label -> acceptor_state * option False -> acceptor_state * option False :=
  fun l '(s, _) =>
    let s_votes := votes s in
    match l with
    | SkipToRound b => ({| votes := s_votes; maxBal := Some b; |}, None)
    | Vote b v => ({| votes := mmap_insert b v s_votes; maxBal := Some b; |}, None)
    end.

Definition acceptor_machine : VLSMMachine acceptor_type :=
{|
  initial_state_prop := (.= acceptor_initial);
  s0 := populate (exist _ acceptor_initial eq_refl);
  initial_message_prop := (fun _ => False);
  transition := acceptor_transition;
  valid := acceptor_valid;
|}.

Definition acceptor_vlsm : VLSM False := mk_vlsm acceptor_machine.

End sec_acceptor_vlsm.

(* Little predicates *)
Definition voted_none_but (sa : acceptor_state) (b : Ballot) (v : Value) :=
  forall w : Value, voted_for sa b w -> w = v.

Definition vote_committed (sa : acceptor_state) (b : Ballot) := (maxBal sa > b)%Z.

Context
  (Acceptor : Type) `{finite.Finite Acceptor}
  (ASet : Type) `{FinSet Acceptor ASet}
  .

Section sec_voting_vlsm.

Context
  (Quorum : ASet -> Prop)
  (IM := fun (_ : Acceptor) => acceptor_vlsm)
  .

#[local] Notation composition_constraint :=
  (composite_label IM -> composite_state IM * option False -> Prop).

Definition allQuorum (Q : sig Quorum) (P : Acceptor -> Prop) : Prop :=
  forall a : Acceptor, a ∈ `Q -> P a.

Definition consensus_blocking_quorum
  (s : composite_state IM) (b : Ballot) (v : Value) (Q : sig Quorum) : Prop :=
    allQuorum Q (fun a : Acceptor => vote_committed (s a) b)
    /\ allQuorum Q (fun a : Acceptor => voted_none_but (s a) b v).

Definition SafeAt (s : composite_state IM) (v : Value) (b : Ballot) : Prop :=
  forall (d : Ballot), (d < b)%Z -> exists Q : sig Quorum, consensus_blocking_quorum s d v Q.

SafeAt as defined in the paper

Inductive SafeAt_alt (s : composite_state IM) (v : Value) : Ballot -> Prop :=
| SafeStart : SafeAt_alt s v 0%N
| SafeQuorum : forall (b : Ballot) (Q : sig Quorum) (c' : Ballot'),
    (c' < b)%Z ->
    allQuorum Q (fun a : Acceptor => (maxBal (s a) >= b)%Z) ->
    (forall (d : Ballot), (c' < d)%Z -> (d < b)%Z ->
      allQuorum Q (fun a => did_not_vote_in (s a) d)) ->
    (c' <> None ->
     SafeAt_alt s v (default 0%N c')
       /\ allQuorum Q (fun a : Acceptor => voted_none_but (s a) (default 0%N c') v)) ->
    SafeAt_alt s v b.

(*
  I think SafeAt is equivalent to saying that at each earlier step c there is a quorum of
  nodes that have passed round c and only voted for v or for nothing at round c.
*)

Lemma safeAt_alt_fwd :
  forall s v b,
    SafeAt_alt s v b -> SafeAt s v b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (v : Value) (b : Ballot),
  SafeAt_alt s v b → SafeAt s v b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (v : Value) (b : Ballot),
  SafeAt_alt s v b → SafeAt s v b
  intros s v b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
SafeAt_alt s v b → SafeAt s v b
  induction (Ballot_lt_wf b) as [b _ IHb].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
SafeAt_alt s v b → SafeAt s v b
  intros Hsafe.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Hsafe: SafeAt_alt s v b
SafeAt s v b
  induction Hsafe as [| b Q c' Hc' H_maxBal Hno_vote Hc_votes]; intros d Hd; [by ballot_lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum s d v Q
  assert ((c' <= d) \/ (c' > d))%Z as [H_use_Q | H_d_lt_c] by lia.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum s d v Q
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_d_lt_c: (c' > d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum s d v Q
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum s d v Q exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
consensus_blocking_quorum s d v Q
    split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
allQuorum Q (λ a : Acceptor, vote_committed (s a) d)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
allQuorum Q (λ a : Acceptor, voted_none_but (s a) d v)
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
allQuorum Q (λ a : Acceptor, vote_committed (s a) d) intros a Ha; generalize (H_maxBal a Ha).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
a: Acceptor
Ha: a ∈ `Q
(maxBal (s a) >= b)%Z → vote_committed (s a) d
      by unfold vote_committed; lia.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_use_Q: (c' ≤ d)%Z
allQuorum Q (λ a : Acceptor, voted_none_but (s a) d v) apply Z.le_lteq in H_use_Q as [| ->%Ballot'_Zeq_iff].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H16: (c' < d)%Z
allQuorum Q (λ a : Acceptor, voted_none_but (s a) d v)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
d: Ballot
Hc': (Some d < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hc_votes: Some d ≠ None
→ SafeAt_alt s v (default 0%N (Some d))
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N (Some d)) v)
Hno_vote: ∀ d0 : Ballot,
  (Some d < d0)%Z
  → (d0 < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d0)
Hd: (d < b)%Z
allQuorum Q (λ a : Acceptor, voted_none_but (s a) d v)
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H16: (c' < d)%Z
allQuorum Q (λ a : Acceptor, voted_none_but (s a) d v) intros a Ha w Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H16: (c' < d)%Z
a: Acceptor
Ha: a ∈ `Q
w: Value
Hw: voted_for (s a) d w
w = v
        by apply Hno_vote in Hw.
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
d: Ballot
Hc': (Some d < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hc_votes: Some d ≠ None
→ SafeAt_alt s v (default 0%N (Some d))
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N (Some d)) v)
Hno_vote: ∀ d0 : Ballot,
  (Some d < d0)%Z
  → (d0 < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d0)
Hd: (d < b)%Z
allQuorum Q (λ a : Acceptor, voted_none_but (s a) d v) by destruct Hc_votes as [_ Hc_votes].
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c': Ballot'
Hc': (c' < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (c' < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: c' ≠ None
→ SafeAt_alt s v (default 0%N c')
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but 
           (s a) (default 0%N c') v)
d: Ballot
Hd: (d < b)%Z
H_d_lt_c: (c' > d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum s d v Q destruct c' as [c |]; simpl in *; [| by ballot_lia].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c: Ballot
Hc': (Z.of_N c < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  (Z.of_N c < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: Some c ≠ None
→ SafeAt_alt s v c
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but (s a) c v)
d: Ballot
Hd: (d < b)%Z
H_d_lt_c: (Z.of_N c > d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum s d v Q
    change (Z.of_N c) with (c : Z) in *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: ∀ y : Ballot,
  (y < b)%Z → SafeAt_alt s v y → SafeAt s v y
Q: {x : ASet | Quorum x}
c: Ballot
Hc': ((c : Z) < b)%Z
H_maxBal: allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= b)%Z)
Hno_vote: ∀ d : Ballot,
  ((c : Z) < d)%Z
  → (d < b)%Z
    → allQuorum Q
        (λ a : Acceptor,
           did_not_vote_in (s a) d)
Hc_votes: Some c ≠ None
→ SafeAt_alt s v c
  ∧ allQuorum Q
      (λ a : Acceptor,
         voted_none_but (s a) c v)
d: Ballot
Hd: (d < b)%Z
H_d_lt_c: ((c : Z) > d)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum s d v Q
    by apply (IHb c Hc'); [apply Hc_votes | lia].
Qed.

Lemma safeAt_alt_rev :
  forall s v b,
    SafeAt s v b -> SafeAt_alt s v b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (v : Value) (b : Ballot),
  SafeAt s v b → SafeAt_alt s v b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (v : Value) (b : Ballot),
  SafeAt s v b → SafeAt_alt s v b
  intros s v b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
SafeAt s v b → SafeAt_alt s v b
  induction b using Ballot_peano_ind; intros H_Sb; [by apply SafeStart |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
SafeAt_alt s v (N.succ b)
  destruct (H_Sb b) as (Q & H_Q_maxBal & H_Q_votes); [by ballot_lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
SafeAt_alt s v (N.succ b)
  apply SafeQuorum with (Q := Q) (c' := Some b); simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
(Z.of_N b < N.succ b)%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= N.succ b)%Z)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
∀ d : Ballot,
  (Z.of_N b < d)%Z
  → (d < N.succ b)%Z
    → allQuorum Q
        (λ a : Acceptor, did_not_vote_in (s a) d)
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
Some b ≠ None
→ SafeAt_alt s v b
  ∧ allQuorum Q
      (λ a : Acceptor, voted_none_but (s a) b v)
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
(Z.of_N b < N.succ b)%Z by ballot_lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
allQuorum Q
  (λ a : Acceptor, (maxBal (s a) >= N.succ b)%Z) intros a Ha; generalize (H_Q_maxBal a Ha).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
a: Acceptor
Ha: a ∈ `Q
vote_committed (s a) b → (maxBal (s a) >= N.succ b)%Z
    by unfold vote_committed; destruct (maxBal (s a)); simpl; ballot_lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
∀ d : Ballot,
  (Z.of_N b < d)%Z
  → (d < N.succ b)%Z
    → allQuorum Q
        (λ a : Acceptor, did_not_vote_in (s a) d) by ballot_lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
Some b ≠ None
→ SafeAt_alt s v b
  ∧ allQuorum Q
      (λ a : Acceptor, voted_none_but (s a) b v) intros _; split; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
SafeAt_alt s v b
    apply IHb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
SafeAt s v b
    intros d Hd; apply H_Sb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
IHb: SafeAt s v b → SafeAt_alt s v b
H_Sb: SafeAt s v (N.succ b)
Q: {x : ASet | Quorum x}
H_Q_maxBal: allQuorum Q
  (λ a : Acceptor, vote_committed (s a) b)
H_Q_votes: allQuorum Q
  (λ a : Acceptor,
     voted_none_but (s a) b v)
d: Ballot
Hd: (d < b)%Z
(d < N.succ b)%Z
    by ballot_lia.
Qed.

Lemma SafeAt_alt_iff : 
  forall s v b,
    SafeAt s v b <-> SafeAt_alt s v b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (v : Value) (b : Ballot),
  SafeAt s v b ↔ SafeAt_alt s v b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (v : Value) (b : Ballot),
  SafeAt s v b ↔ SafeAt_alt s v b
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
SafeAt s v b → SafeAt_alt s v b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
SafeAt_alt s v b → SafeAt s v b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
SafeAt s v b → SafeAt_alt s v b by apply safeAt_alt_rev.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
v: Value
b: Ballot
SafeAt_alt s v b → SafeAt s v b by apply safeAt_alt_fwd.
Qed.

Definition voting_composition_constraint
  : composite_label IM -> composite_state IM * option False -> Prop :=
  fun '(existT i l) '(s, _) =>
    match l with
    | SkipToRound _ => True (* Local checks suffice here *)
    | Vote b v => (* Voting needs to check that value v is consistent with all other acceptors. *)
        (forall j, j <> i -> voted_none_but (s j) b v)
        /\ SafeAt s v b
    end.

Definition voting_vlsm : VLSM False := composite_vlsm IM voting_composition_constraint.

End sec_voting_vlsm.

How to recognize consensus, also for the refinement mapping.

Context
  (Quorum : ASet -> Prop)
  (QDec : forall Q, Decision (Quorum Q))
  (* The key quorum assumption is that any two quorums have a nonempty intersection. *)
  (QA : forall (Q1 Q2 : sig Quorum), exists a : Acceptor, a ∈ `Q1 ∩ `Q2)
  (* For convenience we also assume that any superset of a quorum is a quorum. *)
  (QClosed : Proper (subseteq ==> impl) Quorum)
  (IM : Acceptor -> VLSM False := fun _ => acceptor_vlsm).

Definition ballot_chose (s : composite_state IM) (b : Ballot) (v : Value) : Prop :=
  exists (Q : sig Quorum), allQuorum Quorum Q (fun a : Acceptor => voted_for (s a) b v).

Definition ballots_with_votes (s : composite_state IM) : Nset :=
  union_list ((fun a : Acceptor => dom (votes (s a))) <$> enum Acceptor).

Lemma ballot_chose_inrange :
  forall s b v,
    ballot_chose s b v -> b ∈ ballots_with_votes s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  ballot_chose s b v → b ∈ ballots_with_votes s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  ballot_chose s b v → b ∈ ballots_with_votes s
  unfold ballot_chose.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
  → b ∈ ballots_with_votes s
  intros s b v [Q HQ].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
b ∈ ballots_with_votes s
  assert (exists a, a ∈ `Q) as [a Ha]
    by (setoid_rewrite <- (intersection_idemp (`Q)); apply QA).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
b ∈ ballots_with_votes s
  apply elem_of_union_list.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
∃ X : Nset,
  X
  ∈ (λ a : Acceptor, dom (votes (s a))) <$>
    enum Acceptor ∧ b ∈ X
  eexists; split; [by eapply elem_of_list_fmap_1, (elem_of_enum a) |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
b ∈ dom (votes (s a))
  apply fin_map_dom.elem_of_dom.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
is_Some (votes (s a) !! b)
  generalize (HQ a Ha).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
voted_for (s a) b v → is_Some (votes (s a) !! b)
  unfold voted_for.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
v ∈ votes (s a) !!! b → is_Some (votes (s a) !! b)
  rewrite lookup_total_alt.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
v ∈ default inhabitant (votes (s a) !! b)
→ is_Some (votes (s a) !! b)
  destruct (votes (s a) !! b); cbn; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
v ∈ ∅ → is_Some None
  by rewrite elem_of_empty.
Qed.

#[export] Instance ballot_chose_dec :
  forall s b v,
    Decision (ballot_chose s b v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  Decision (ballot_chose s b v)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  Decision (ballot_chose s b v)
  intros s b v; unfold ballot_chose.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
  pose (voters := list_to_set (filter (fun a => voted_for (s a) b v) (enum Acceptor)) : ASet).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
  assert (Hvoters : forall Q, allQuorum Quorum Q (fun a => voted_for (s a) b v) <-> `Q ⊆ voters).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
  {Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
    intros [Q HQ]; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
allQuorum Quorum (Q ↾ HQ)
  (λ a : Acceptor, voted_for (s a) b v) ↔ Q ⊆ voters
    split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
allQuorum Quorum (Q ↾ HQ)
  (λ a : Acceptor, voted_for (s a) b v) → Q ⊆ voters
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
Q ⊆ voters
→ allQuorum Quorum (Q ↾ HQ)
    (λ a : Acceptor, voted_for (s a) b v)
    -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
allQuorum Quorum (Q ↾ HQ)
  (λ a : Acceptor, voted_for (s a) b v) → Q ⊆ voters intros HallQ a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
HallQ: allQuorum Quorum (Q ↾ HQ)
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ Q
a ∈ voters
      specialize (HallQ a Ha).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
a: Acceptor
HallQ: (λ a : Acceptor, voted_for (s a) b v) a
Ha: a ∈ Q
a ∈ voters
      apply elem_of_list_to_set, elem_of_list_filter.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
a: Acceptor
HallQ: (λ a : Acceptor, voted_for (s a) b v) a
Ha: a ∈ Q
voted_for (s a) b v ∧ a ∈ enum Acceptor
      by split; [| apply elem_of_enum].
    -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
Q ⊆ voters
→ allQuorum Quorum (Q ↾ HQ)
    (λ a : Acceptor, voted_for (s a) b v) intros Hsub a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
Hsub: Q ⊆ voters
a: Acceptor
Ha: a ∈ `(Q ↾ HQ)
voted_for (s a) b v
      specialize (Hsub a Ha).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
a: Acceptor
Hsub: a ∈ voters
Ha: a ∈ `(Q ↾ HQ)
voted_for (s a) b v
      apply elem_of_list_to_set, elem_of_list_filter in Hsub.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Q: ASet
HQ: Quorum Q
a: Acceptor
Hsub: voted_for (s a) b v ∧ a ∈ enum Acceptor
Ha: a ∈ `(Q ↾ HQ)
voted_for (s a) b v
      by apply Hsub.
  }Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
  destruct (QDec voters) as [yes | no].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
yes: Quorum voters
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
no: ¬ Quorum voters
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
yes: Quorum voters
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v)) left; exists (exist _ voters yes).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
yes: Quorum voters
allQuorum Quorum (voters ↾ yes)
  (λ a : Acceptor, voted_for (s a) b v)
    by apply Hvoters.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
no: ¬ Quorum voters
Decision
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v)) right.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
no: ¬ Quorum voters
¬ (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
    contradict no.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
no: ∃ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
Quorum voters
    destruct no as [Q' HQ'].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
Q': {x : ASet | Quorum x}
HQ': allQuorum Quorum Q'
  (λ a : Acceptor, voted_for (s a) b v)
Quorum voters
    apply Hvoters in HQ'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
Q': {x : ASet | Quorum x}
HQ': `Q' ⊆ voters
Quorum voters
    generalize (proj2_sig Q').Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
voters:= list_to_set
  (filter
     (λ a : Acceptor, voted_for (s a) b v)
     (enum Acceptor))
:
ASet: ASet
Hvoters: ∀ Q : {x : ASet | Quorum x},
  allQuorum Quorum Q
    (λ a : Acceptor, voted_for (s a) b v)
  ↔ `Q ⊆ voters
Q': {x : ASet | Quorum x}
HQ': `Q' ⊆ voters
Quorum (`Q') → Quorum voters
    by eapply QClosed.
Qed.

Definition ballot_proposals (s : composite_state IM) (b : Ballot) : VSet :=
  union_list ((fun a => votes (s a) !!! b) <$> enum Acceptor).

Lemma ballot_chose_in_proposals :
  forall s b v,
    ballot_chose s b v -> v ∈ ballot_proposals s b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  ballot_chose s b v → v ∈ ballot_proposals s b
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  ballot_chose s b v → v ∈ ballot_proposals s b
  unfold ballot_chose, ballot_proposals.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state IM) (b : Ballot) (v : Value),
  (∃ Q : {x : ASet | Quorum x},
     allQuorum Quorum Q
       (λ a : Acceptor, voted_for (s a) b v))
  → v
    ∈ ⋃ ((λ a : Acceptor, votes (s a) !!! b) <$>
         enum Acceptor)
  intros s b v [Q HQ].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
v
∈ ⋃ ((λ a : Acceptor, votes (s a) !!! b) <$>
     enum Acceptor)
  destruct (QA Q Q) as [a Ha].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q ∩ `Q
v
∈ ⋃ ((λ a : Acceptor, votes (s a) !!! b) <$>
     enum Acceptor)
  rewrite (intersection_idemp (`Q)) in Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
v
∈ ⋃ ((λ a : Acceptor, votes (s a) !!! b) <$>
     enum Acceptor)
  specialize (HQ a Ha); simpl in HQ.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: voted_for (s a) b v
Ha: a ∈ `Q
v
∈ ⋃ ((λ a : Acceptor, votes (s a) !!! b) <$>
     enum Acceptor)
  unfold voted_for in HQ.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: v ∈ votes (s a) !!! b
Ha: a ∈ `Q
v
∈ ⋃ ((λ a : Acceptor, votes (s a) !!! b) <$>
     enum Acceptor)
  apply elem_of_union_list.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: v ∈ votes (s a) !!! b
Ha: a ∈ `Q
∃ X : VSet,
  X
  ∈ (λ a : Acceptor, votes (s a) !!! b) <$>
    enum Acceptor ∧ v ∈ X
  exists (votes (s a) !!! b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: v ∈ votes (s a) !!! b
Ha: a ∈ `Q
votes (s a) !!! b
∈ (λ a : Acceptor, votes (s a) !!! b) <$>
  enum Acceptor ∧ v ∈ votes (s a) !!! b
  split; [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: v ∈ votes (s a) !!! b
Ha: a ∈ `Q
votes (s a) !!! b
∈ (λ a : Acceptor, votes (s a) !!! b) <$>
  enum Acceptor
  refine (elem_of_list_fmap_1 _ _ a _).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state IM
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
a: Acceptor
HQ: v ∈ votes (s a) !!! b
Ha: a ∈ `Q
a ∈ enum Acceptor
  by apply elem_of_enum.
Qed.

Definition chosen_by_ballot (s : state (voting_vlsm Quorum)) (b : Ballot) : VSet :=
  set_filter (fun v => ballot_chose s b v) _ (ballot_proposals s b).

Definition chosen (s : state (voting_vlsm Quorum)) : VSet :=
  union_list (chosen_by_ballot s <$> elements (ballots_with_votes s)).

Lemma chosen_iff :
  forall (s : state (voting_vlsm Quorum)) (v : Value),
    v ∈ chosen s <-> exists b, ballot_chose s b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : state (voting_vlsm Quorum)) (v : Value),
  v ∈ chosen s ↔ (∃ b : Ballot, ballot_chose s b v)
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : state (voting_vlsm Quorum)) (v : Value),
  v ∈ chosen s ↔ (∃ b : Ballot, ballot_chose s b v)
  intros s v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
v ∈ chosen s ↔ (∃ b : Ballot, ballot_chose s b v)
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
v ∈ chosen s → ∃ b : Ballot, ballot_chose s b v
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
(∃ b : Ballot, ballot_chose s b v) → v ∈ chosen s
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
v ∈ chosen s → ∃ b : Ballot, ballot_chose s b v intros Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
Hv: v ∈ chosen s
∃ b : Ballot, ballot_chose s b v
    unfold chosen in Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
Hv: v
∈ ⋃ (chosen_by_ballot s <$>
     elements (ballots_with_votes s))
∃ b : Ballot, ballot_chose s b v
    apply elem_of_union_list in Hv as (C_by_b & HC & Hb).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
C_by_b: VSet
HC: C_by_b
∈ chosen_by_ballot s <$>
  elements (ballots_with_votes s)
Hb: v ∈ C_by_b
∃ b : Ballot, ballot_chose s b v
    apply elem_of_list_fmap in HC as (b & -> & _).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: v ∈ chosen_by_ballot s b
∃ b : Ballot, ballot_chose s b v
    exists b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: v ∈ chosen_by_ballot s b
ballot_chose s b v
    unfold chosen_by_ballot in Hb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: v
∈ set_filter (λ v : Value, ballot_chose s b v)
    (ballot_chose_dec s b) 
    (ballot_proposals s b)
ballot_chose s b v
    apply elem_of_filter in Hb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v ∧ v ∈ ballot_proposals s b
ballot_chose s b v
    by apply Hb.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
(∃ b : Ballot, ballot_chose s b v) → v ∈ chosen s intros [b Hb].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
v ∈ chosen s
    apply ballot_chose_inrange in Hb as Hb_dom.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
Hb_dom: b ∈ ballots_with_votes s
v ∈ chosen s
    unfold chosen.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
Hb_dom: b ∈ ballots_with_votes s
v
∈ ⋃ (chosen_by_ballot s <$>
     elements (ballots_with_votes s))
    apply elem_of_union_list.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
Hb_dom: b ∈ ballots_with_votes s
∃ X : VSet,
  X
  ∈ chosen_by_ballot s <$>
    elements (ballots_with_votes s) ∧ v ∈ X
    exists (chosen_by_ballot s b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
Hb_dom: b ∈ ballots_with_votes s
chosen_by_ballot s b
∈ chosen_by_ballot s <$>
  elements (ballots_with_votes s)
∧ v ∈ chosen_by_ballot s b
    split; [by apply elem_of_list_fmap_1, elem_of_elements |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
Hb_dom: b ∈ ballots_with_votes s
v ∈ chosen_by_ballot s b
    unfold chosen_by_ballot.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
Hb_dom: b ∈ ballots_with_votes s
v
∈ set_filter (λ v : Value, ballot_chose s b v)
    (ballot_chose_dec s b) (ballot_proposals s b)
    apply elem_of_filter.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
v: Value
b: Ballot
Hb: ballot_chose s b v
Hb_dom: b ∈ ballots_with_votes s
ballot_chose s b v ∧ v ∈ ballot_proposals s b
    by apply ballot_chose_in_proposals in Hb as Hv.
Qed.

Each acceptor can vote for at most one value in any given ballot

(* VInv1 *)
Definition acceptor_no_conflict_prop (s : state (voting_vlsm Quorum)) : Prop :=
  forall (a : Acceptor) (b : Ballot) (v w : Value),
    voted_for (s a) b v -> voted_for (s a) b w -> v = w.

(* VInv2 *)

Every vote is for a safe value

Definition acceptor_votes_safe_prop (s : state (voting_vlsm Quorum)) : Prop :=
  forall (a : Acceptor) (b : Ballot) (v : Value),
    voted_for (s a) b v -> SafeAt Quorum s v b.

Lemma step_cases :
  forall [li s om s' om'],
    input_valid_transition (voting_vlsm Quorum) li (s, om) (s', om') ->
    let (i, l) := li in
    s' = state_update IM s i ((acceptor_transition l (s i, om)).1) /\
    match l with
    | SkipToRound b' =>
        (maxBal (s i) < b')%Z
    | Vote b v =>
        (maxBal (s i) <= b)%Z /\
          did_not_vote_in (s i) b /\
          SafeAt Quorum s v b
    end.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → let (i, l) := li in
    s' =
    state_update IM s i
      (acceptor_transition l (s i, om)).1
    ∧ match l with
      | SkipToRound b' => (maxBal (s i) < b')%Z
      | Vote b v =>
          (maxBal (s i) ≤ b)%Z
          ∧ did_not_vote_in (s i) b
            ∧ SafeAt Quorum s v b
      end
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → let (i, l) := li in
    s' =
    state_update IM s i
      (acceptor_transition l (s i, om)).1
    ∧ match l with
      | SkipToRound b' => (maxBal (s i) < b')%Z
      | Vote b v =>
          (maxBal (s i) ≤ b)%Z
          ∧ did_not_vote_in (s i) b
            ∧ SafeAt Quorum s v b
      end
  intros [i l] s om s' om' [(_ & _ & Hlv & Hcv) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i l) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i l) (s, om)
Htrans: transition (existT i l) (s, om) = (s', om')
s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1
∧ match l with
  | SkipToRound b' => (maxBal (s i) < b')%Z
  | Vote b v =>
      (maxBal (s i) ≤ b)%Z
      ∧ did_not_vote_in (s i) b ∧ SafeAt Quorum s v b
  end
  split.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i l) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i l) (s, om)
Htrans: transition (existT i l) (s, om) = (s', om')
s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i l) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i l) (s, om)
Htrans: transition (existT i l) (s, om) = (s', om')
match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b ∧ SafeAt Quorum s v b
end
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i l) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i l) (s, om)
Htrans: transition (existT i l) (s, om) = (s', om')
s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1 by destruct l; inversion Htrans.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i l) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i l) (s, om)
Htrans: transition (existT i l) (s, om) = (s', om')
match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b ∧ SafeAt Quorum s v b
end destruct l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b: Ballot
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i (SkipToRound b)) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i (SkipToRound b)) (
  s, om)
Htrans: transition (existT i (SkipToRound b)) (s, om) =
(s', om')
(maxBal (s i) < b)%Z
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b: Ballot
v: Value
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i (Vote b v)) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i (Vote b v)) (
  s, om)
Htrans: transition (existT i (Vote b v)) (s, om) =
(s', om')
(maxBal (s i) ≤ b)%Z
∧ did_not_vote_in (s i) b ∧ SafeAt Quorum s v b
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b: Ballot
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i (SkipToRound b)) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i (SkipToRound b)) (
  s, om)
Htrans: transition (existT i (SkipToRound b)) (s, om) =
(s', om')
(maxBal (s i) < b)%Z by apply Hlv.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b: Ballot
v: Value
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hlv: valid (existT i (Vote b v)) (s, om)
Hcv: voting_composition_constraint Quorum
  (existT i (Vote b v)) (
  s, om)
Htrans: transition (existT i (Vote b v)) (s, om) =
(s', om')
(maxBal (s i) ≤ b)%Z
∧ did_not_vote_in (s i) b ∧ SafeAt Quorum s v b by split_and!; [apply Hlv.. | apply Hcv].
Qed.

Lemma step_cases' :
  forall [li s om s' om'],
    input_valid_transition (voting_vlsm Quorum) li (s, om) (s', om') ->
    let (i, l) := li in
    match l with
    | SkipToRound b' =>
        (maxBal (s i) < b')%Z
          /\ s' = state_update IM s i {| votes := votes (s i); maxBal := Some b'; |}
    | Vote b v =>
        (maxBal (s i) <= b)%Z /\
          did_not_vote_in (s i) b /\
          (forall j, j <> i -> voted_none_but (s j) b v) /\
          SafeAt Quorum s v b /\
          s' = state_update IM s i {| votes := mmap_insert b v (votes (s i)); maxBal := Some b |}
    end.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → let (i, l) := li in
    match l with
    | SkipToRound b' =>
        (maxBal (s i) < b')%Z
        ∧ s' =
          state_update IM s i
            {|
              votes := votes (s i); maxBal := Some b'
            |}
    | Vote b v =>
        (maxBal (s i) ≤ b)%Z
        ∧ did_not_vote_in (s i) b
          ∧ (∀ j : Acceptor,
               j ≠ i → voted_none_but (s j) b v)
            ∧ SafeAt Quorum s v b
              ∧ s' =
                state_update IM s i
                  {|
                    votes :=
                      mmap_insert b v (votes (s i));
                    maxBal := Some b
                  |}
    end
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → let (i, l) := li in
    match l with
    | SkipToRound b' =>
        (maxBal (s i) < b')%Z
        ∧ s' =
          state_update IM s i
            {|
              votes := votes (s i); maxBal := Some b'
            |}
    | Vote b v =>
        (maxBal (s i) ≤ b)%Z
        ∧ did_not_vote_in (s i) b
          ∧ (∀ j : Acceptor,
               j ≠ i → voted_none_but (s j) b v)
            ∧ SafeAt Quorum s v b
              ∧ s' =
                state_update IM s i
                  {|
                    votes :=
                      mmap_insert b v (votes (s i));
                    maxBal := Some b
                  |}
    end
  intros [i l] s om s' om' [(_ & _ & Hvalid) Htrans].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hvalid: valid (existT i l) (s, om)
Htrans: transition (existT i l) (s, om) = (s', om')
match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {| votes := votes (s i); maxBal := Some b' |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes := mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
  rewrite (surjective_pairing (transition _ _)) in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hvalid: valid (existT i l) (s, om)
Htrans: ((transition (existT i l) (s, om)).1,
 (transition (existT i l) (s, om)).2) =
(s', om')
match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {| votes := votes (s i); maxBal := Some b' |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes := mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
  apply (f_equal fst) in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hvalid: valid (existT i l) (s, om)
Htrans: ((transition (existT i l) (s, om)).1,
 (transition (existT i l) (s, om)).2).1 =
(s', om').1
match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {| votes := votes (s i); maxBal := Some b' |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes := mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
  cbn [fst] in Htrans.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hvalid: valid (existT i l) (s, om)
Htrans: (transition (existT i l) (s, om)).1 = s'
match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {| votes := votes (s i); maxBal := Some b' |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes := mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
  subst s'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om, om': option False
Hvalid: valid (existT i l) (s, om)
match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ (transition (existT i l) (s, om)).1 =
      state_update IM s i
        {| votes := votes (s i); maxBal := Some b' |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ (transition (existT i l) (s, om)).1 =
            state_update IM s i
              {|
                votes := mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
  by destruct l; simpl; repeat split; apply Hvalid.
Qed.

Lemma step_cases'' :
  forall [li s om s' om'],
    input_valid_transition (voting_vlsm Quorum) li (s, om) (s', om') ->
  forall a,
    let (i, l) := li in
    if decide (a = i)
    then s' a =
      {|
        maxBal := Some
          match l with
          | SkipToRound b' => b'
          | Vote b _ => b
          end;
        votes :=
          match l with
          | SkipToRound _ => votes (s a)
          | Vote b v => mmap_insert b v (votes (s a))
          end;
      |}
    else s' a = s a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → ∀ a : Acceptor,
      let (i, l) := li in
      if decide (a = i)
      then
       s' a =
       {|
         votes :=
           match l with
           | SkipToRound _ => votes (s a)
           | Vote b v => mmap_insert b v (votes (s a))
           end;
         maxBal :=
           Some
             match l with
             | SkipToRound b' => b'
             | Vote b _ => b
             end
       |}
      else s' a = s a
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → ∀ a : Acceptor,
      let (i, l) := li in
      if decide (a = i)
      then
       s' a =
       {|
         votes :=
           match l with
           | SkipToRound _ => votes (s a)
           | Vote b v => mmap_insert b v (votes (s a))
           end;
         maxBal :=
           Some
             match l with
             | SkipToRound b' => b'
             | Vote b _ => b
             end
       |}
      else s' a = s a
  intros [i l] s om s' om' Ht a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Ht: input_valid_transition (voting_vlsm Quorum)
  (existT i l) (s, om) (
  s', om')
a: Acceptor
if decide (a = i)
then
 s' a =
 {|
   votes :=
     match l with
     | SkipToRound _ => votes (s a)
     | Vote b v => mmap_insert b v (votes (s a))
     end;
   maxBal :=
     Some
       match l with
       | SkipToRound b' => b'
       | Vote b _ => b
       end
 |}
else s' a = s a
  apply step_cases in Ht as [-> _].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
if decide (a = i)
then
 state_update IM s i
   (acceptor_transition l (s i, om)).1 a =
 {|
   votes :=
     match l with
     | SkipToRound _ => votes (s a)
     | Vote b v => mmap_insert b v (votes (s a))
     end;
   maxBal :=
     Some
       match l with
       | SkipToRound b' => b'
       | Vote b _ => b
       end
 |}
else
 state_update IM s i
   (acceptor_transition l (s i, om)).1 a = s a
  destruct (decide (a = i)); [| by rewrite state_update_neq].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
e: a = i
state_update IM s i
  (acceptor_transition l (s i, om)).1 a =
{|
  votes :=
    match l with
    | SkipToRound _ => votes (s a)
    | Vote b v => mmap_insert b v (votes (s a))
    end;
  maxBal :=
    Some
      match l with
      | SkipToRound b' => b'
      | Vote b _ => b
      end
|}
  subst i; rewrite state_update_eq.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
(acceptor_transition l (s a, om)).1 =
{|
  votes :=
    match l with
    | SkipToRound _ => votes (s a)
    | Vote b v => mmap_insert b v (votes (s a))
    end;
  maxBal :=
    Some
      match l with
      | SkipToRound b' => b'
      | Vote b _ => b
      end
|}
  destruct (s a) as [mb_a votes_a].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
mb_a: Bmap VSet
votes_a: Ballot'
(acceptor_transition l
   ({| votes := mb_a; maxBal := votes_a |}, om)).1 =
{|
  votes :=
    match l with
    | SkipToRound _ =>
        votes {| votes := mb_a; maxBal := votes_a |}
    | Vote b v =>
        mmap_insert b v
          (votes
             {| votes := mb_a; maxBal := votes_a |})
    end;
  maxBal :=
    Some
      match l with
      | SkipToRound b' => b'
      | Vote b _ => b
      end
|}
  destruct om as [[] |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om': option False
a: Acceptor
mb_a: Bmap VSet
votes_a: Ballot'
(acceptor_transition l
   ({| votes := mb_a; maxBal := votes_a |}, None)).1 =
{|
  votes :=
    match l with
    | SkipToRound _ =>
        votes {| votes := mb_a; maxBal := votes_a |}
    | Vote b v =>
        mmap_insert b v
          (votes
             {| votes := mb_a; maxBal := votes_a |})
    end;
  maxBal :=
    Some
      match l with
      | SkipToRound b' => b'
      | Vote b _ => b
      end
|}
  by destruct l; simpl.
Qed.

Lemma prev_votes:
  forall [li s om s' om'],
    input_valid_transition (voting_vlsm Quorum) li (s, om) (s', om') ->
  forall a b v,
    voted_for (s' a) b v ->
    match li with
    | existT i (SkipToRound _) => voted_for (s a) b v
    | existT i (Vote bv vv) =>
        (a = i /\ b = bv /\ v = vv) \/ ((a ≠ i \/ b ≠ bv) /\ voted_for (s a) b v)
    end.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      voted_for (s' a) b v
      → let (i, l) := li in
        match l with
        | SkipToRound _ => voted_for (s a) b v
        | Vote bv vv =>
            a = i ∧ b = bv ∧ v = vv
            ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
        end
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (li : label (voting_vlsm Quorum)) (s : state
                                           (voting_vlsm
                                              Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) li
    (s, om) (s', om')
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      voted_for (s' a) b v
      → let (i, l) := li in
        match l with
        | SkipToRound _ => voted_for (s a) b v
        | Vote bv vv =>
            a = i ∧ b = bv ∧ v = vv
            ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
        end
  intros [i l] s om s' om' [Hs' Ht]%step_cases a b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Hs': s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1
Ht: match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ SafeAt Quorum s v b
end
a: Acceptor
b: Ballot
v: Value
voted_for (s' a) b v
→ match l with
  | SkipToRound _ => voted_for (s a) b v
  | Vote bv vv =>
      a = i ∧ b = bv ∧ v = vv
      ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
  end
  rewrite Hs'; clear Hs'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Ht: match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ SafeAt Quorum s v b
end
a: Acceptor
b: Ballot
v: Value
voted_for
  (state_update IM s i
     (acceptor_transition l (s i, om)).1 a) b v
→ match l with
  | SkipToRound _ => voted_for (s a) b v
  | Vote bv vv =>
      a = i ∧ b = bv ∧ v = vv
      ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
  end
  destruct (decide (a = i)); [| by rewrite state_update_neq; destruct l; auto].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Ht: match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ SafeAt Quorum s v b
end
a: Acceptor
b: Ballot
v: Value
e: a = i
voted_for
  (state_update IM s i
     (acceptor_transition l (s i, om)).1 a) b v
→ match l with
  | SkipToRound _ => voted_for (s a) b v
  | Vote bv vv =>
      a = i ∧ b = bv ∧ v = vv
      ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
  end
  subst i; rewrite state_update_eq.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label acceptor_vlsm
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
a: Acceptor
Ht: match l with
| SkipToRound b' => (maxBal (s a) < b')%Z
| Vote b v =>
    (maxBal (s a) ≤ b)%Z
    ∧ did_not_vote_in (s a) b
      ∧ SafeAt Quorum s v b
end
b: Ballot
v: Value
voted_for (acceptor_transition l (s a, om)).1 b v
→ match l with
  | SkipToRound _ => voted_for (s a) b v
  | Vote bv vv =>
      a = a ∧ b = bv ∧ v = vv
      ∨ (a ≠ a ∨ b ≠ bv) ∧ voted_for (s a) b v
  end
  destruct l; simpl; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
a: Acceptor
Ht: (maxBal (s a) ≤ b0)%Z
∧ did_not_vote_in (s a) b0
  ∧ SafeAt Quorum s v0 b0
b: Ballot
v: Value
voted_for
  {|
    votes := mmap_insert b0 v0 (votes (s a));
    maxBal := Some b0
  |} b v
→ a = a ∧ b = b0 ∧ v = v0
  ∨ (a ≠ a ∨ b ≠ b0) ∧ voted_for (s a) b v
  unfold voted_for, mmap_insert; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
a: Acceptor
Ht: (maxBal (s a) ≤ b0)%Z
∧ did_not_vote_in (s a) b0
  ∧ SafeAt Quorum s v0 b0
b: Ballot
v: Value
v
∈ <[b0:={[v0]} ∪ votes (s a) !!! b0]> (votes (s a))
  !!! b
→ a = a ∧ b = b0 ∧ v = v0
  ∨ (a ≠ a ∨ b ≠ b0) ∧ v ∈ votes (s a) !!! b
  destruct (decide (b0 = b));
    [| by rewrite lookup_total_insert_ne by done; right; set_solver].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
a: Acceptor
Ht: (maxBal (s a) ≤ b0)%Z
∧ did_not_vote_in (s a) b0
  ∧ SafeAt Quorum s v0 b0
b: Ballot
v: Value
e: b0 = b
v
∈ <[b0:={[v0]} ∪ votes (s a) !!! b0]> (votes (s a))
  !!! b
→ a = a ∧ b = b0 ∧ v = v0
  ∨ (a ≠ a ∨ b ≠ b0) ∧ v ∈ votes (s a) !!! b
  subst b0; rewrite lookup_total_insert.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
v0: Value
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
a: Acceptor
b: Ballot
Ht: (maxBal (s a) ≤ b)%Z
∧ did_not_vote_in (s a) b ∧ SafeAt Quorum s v0 b
v: Value
v ∈ {[v0]} ∪ votes (s a) !!! b
→ a = a ∧ b = b ∧ v = v0
  ∨ (a ≠ a ∨ b ≠ b) ∧ v ∈ votes (s a) !!! b
  assert (votes (s a) !!! b ≡@{VSet} ∅) as -> by (apply elem_of_equiv_empty, Ht).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
v0: Value
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
a: Acceptor
b: Ballot
Ht: (maxBal (s a) ≤ b)%Z
∧ did_not_vote_in (s a) b ∧ SafeAt Quorum s v0 b
v: Value
v ∈ {[v0]} ∪ ∅
→ a = a ∧ b = b ∧ v = v0 ∨ (a ≠ a ∨ b ≠ b) ∧ v ∈ ∅
  by left; set_solver.
Qed.

A stronger claim which is that two votes on the same ballot cannot be for different values, even if they are from different acceptors. This is not needed to prove safety, only for liveness.

(* VInv3 *)
Definition ballot_no_conflict_prop (s : state (voting_vlsm Quorum)) : Prop :=
  forall (a1 a2 : Acceptor) (b : Ballot) (v1 v2 : Value),
    voted_for (s a1) b v1 -> voted_for (s a2) b v2 -> v1 = v2.

Corollary corr_conflict_props (s : state (voting_vlsm Quorum)) :
  ballot_no_conflict_prop s -> acceptor_no_conflict_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
ballot_no_conflict_prop s
→ acceptor_no_conflict_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
ballot_no_conflict_prop s
→ acceptor_no_conflict_prop s
  by unfold acceptor_no_conflict_prop, ballot_no_conflict_prop; eauto.
Qed.

invariance of VInv1

Lemma inv_acceptor_no_conflict :
  forall s,
    valid_state_prop (voting_vlsm Quorum) s ->
    acceptor_no_conflict_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → acceptor_no_conflict_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → acceptor_no_conflict_prop s
  intros s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
acceptor_no_conflict_prop s
  induction Hs using valid_state_prop_ind; intros a b v w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v, w: Value
voted_for (s a) b v → voted_for (s a) b w → v = w
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_no_conflict_prop s
a: Acceptor
b: Ballot
v, w: Value
voted_for (s' a) b v → voted_for (s' a) b w → v = w
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v, w: Value
voted_for (s a) b v → voted_for (s a) b w → v = w rewrite (Hs a); clear Hs s a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b: Ballot
v, w: Value
voted_for acceptor_initial b v
→ voted_for acceptor_initial b w → v = w
    intro Hv; exfalso; contradict Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b: Ballot
v, w: Value
¬ voted_for acceptor_initial b v
    unfold voted_for; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b: Ballot
v, w: Value
v ∉ ∅ !!! b
    rewrite lookup_total_empty. (* matching a typo in stdpp *)Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b: Ballot
v, w: Value
v ∉ inhabitant
    simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b: Ballot
v, w: Value
v ∉ ∅
    by apply not_elem_of_empty.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_no_conflict_prop s
a: Acceptor
b: Ballot
v, w: Value
voted_for (s' a) b v → voted_for (s' a) b w → v = w intros Hv Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_no_conflict_prop s
a: Acceptor
b: Ballot
v, w: Value
Hv: voted_for (s' a) b v
Hw: voted_for (s' a) b w
v = w
    apply (prev_votes Ht a b) in Hv, Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_no_conflict_prop s
a: Acceptor
b: Ballot
v, w: Value
Hv: let (i, l) := l in
match l with
| SkipToRound _ => voted_for (s a) b v
| Vote bv vv =>
    a = i ∧ b = bv ∧ v = vv
    ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
end
Hw: let (i, l) := l in
match l with
| SkipToRound _ => voted_for (s a) b w
| Vote bv vv =>
    a = i ∧ b = bv ∧ w = vv
    ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b w
end
v = w
    specialize (IHHs a b v w).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
a: Acceptor
b: Ballot
v, w: Value
IHHs: voted_for (s a) b v
→ voted_for (s a) b w → v = w
Hv: let (i, l) := l in
match l with
| SkipToRound _ => voted_for (s a) b v
| Vote bv vv =>
    a = i ∧ b = bv ∧ v = vv
    ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
end
Hw: let (i, l) := l in
match l with
| SkipToRound _ => voted_for (s a) b w
| Vote bv vv =>
    a = i ∧ b = bv ∧ w = vv
    ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b w
end
v = w
    by destruct l as [i []]; [auto | itauto congruence].
Qed.

VInv4 in the paper

Definition maxBal_limits_votes_prop (s : state (voting_vlsm Quorum)) : Prop :=
  forall a (b : Ballot),
    (maxBal (s a) < b)%Z -> did_not_vote_in (s a) b.

Lemma inv_max_bal_limits_votes :
  forall s,
    valid_state_prop (voting_vlsm Quorum) s ->
    maxBal_limits_votes_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → maxBal_limits_votes_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → maxBal_limits_votes_prop s
  unfold maxBal_limits_votes_prop.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → ∀ (a : Acceptor) (b : Ballot),
      (maxBal (s a) < b)%Z → did_not_vote_in (s a) b
  intros s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z → did_not_vote_in (s a) b
  induction Hs using valid_state_prop_ind; intros a b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
(maxBal (s a) < b)%Z → did_not_vote_in (s a) b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
a: Acceptor
b: Ballot
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
(maxBal (s a) < b)%Z → did_not_vote_in (s a) b intros _ v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
¬ voted_for (s a) b v
    rewrite (Hs a).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
¬ voted_for acceptor_initial b v
    unfold voted_for; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
v ∉ ∅ !!! b
    rewrite lookup_total_empty; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
v ∉ ∅
    by apply not_elem_of_empty.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
a: Acceptor
b: Ballot
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b destruct l as [i l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
i: Acceptor
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum)
  (existT i l) (s, om) (
  s', om')
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
a: Acceptor
b: Ballot
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b
    apply step_cases in Ht as [Hs' Hl].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
i: Acceptor
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
Hs': s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1
Hl: match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ SafeAt Quorum s v b
end
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
a: Acceptor
b: Ballot
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b
    destruct (decide (a = i)); [subst i |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
a: Acceptor
Hl: match l with
| SkipToRound b' => (maxBal (s a) < b')%Z
| Vote b v =>
    (maxBal (s a) ≤ b)%Z
    ∧ did_not_vote_in (s a) b
      ∧ SafeAt Quorum s v b
end
Hs': s' =
state_update IM s a
  (acceptor_transition l (s a, om)).1
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
i: Acceptor
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
Hs': s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1
Hl: match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ SafeAt Quorum s v b
end
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
a: Acceptor
b: Ballot
n: a ≠ i
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
a: Acceptor
Hl: match l with
| SkipToRound b' => (maxBal (s a) < b')%Z
| Vote b v =>
    (maxBal (s a) ≤ b)%Z
    ∧ did_not_vote_in (s a) b
      ∧ SafeAt Quorum s v b
end
Hs': s' =
state_update IM s a
  (acceptor_transition l (s a, om)).1
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b rewrite Hs', state_update_eq; clear Hs'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
a: Acceptor
Hl: match l with
| SkipToRound b' => (maxBal (s a) < b')%Z
| Vote b v =>
    (maxBal (s a) ≤ b)%Z
    ∧ did_not_vote_in (s a) b
      ∧ SafeAt Quorum s v b
end
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
(maxBal (acceptor_transition l (s a, om)).1 < b)%Z
→ did_not_vote_in (acceptor_transition l (s a, om)).1
    b
      destruct l as [b' | bv vv]; simpl in *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
b': Ballot
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) < b')%Z
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
(Z.of_N b' < b)%Z
→ did_not_vote_in
    {| votes := votes (s a); maxBal := Some b' |} b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
bv: Ballot
vv: Value
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) ≤ bv)%Z
∧ did_not_vote_in (s a) bv
  ∧ SafeAt Quorum s vv bv
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
(Z.of_N bv < b)%Z
→ did_not_vote_in
    {|
      votes := mmap_insert bv vv (votes (s a));
      maxBal := Some bv
    |} b
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
b': Ballot
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) < b')%Z
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
(Z.of_N b' < b)%Z
→ did_not_vote_in
    {| votes := votes (s a); maxBal := Some b' |} b intros Hb'.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
b': Ballot
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) < b')%Z
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb': (Z.of_N b' < b)%Z
did_not_vote_in
  {| votes := votes (s a); maxBal := Some b' |} b
        apply IHHs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
b': Ballot
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) < b')%Z
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb': (Z.of_N b' < b)%Z
(maxBal (s a) < b)%Z
        revert Hl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
b': Ballot
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb': (Z.of_N b' < b)%Z
(maxBal (s a) < b')%Z → (maxBal (s a) < b)%Z
        by destruct (maxBal (s a)); simpl; ballot_lia.
      *Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
bv: Ballot
vv: Value
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) ≤ bv)%Z
∧ did_not_vote_in (s a) bv
  ∧ SafeAt Quorum s vv bv
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
(Z.of_N bv < b)%Z
→ did_not_vote_in
    {|
      votes := mmap_insert bv vv (votes (s a));
      maxBal := Some bv
    |} b intros Hb v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
bv: Ballot
vv: Value
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) ≤ bv)%Z
∧ did_not_vote_in (s a) bv
  ∧ SafeAt Quorum s vv bv
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb: (Z.of_N bv < b)%Z
v: Value
¬ voted_for
    {|
      votes := mmap_insert bv vv (votes (s a));
      maxBal := Some bv
    |} b v
        unfold voted_for, mmap_insert; simpl.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
bv: Ballot
vv: Value
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) ≤ bv)%Z
∧ did_not_vote_in (s a) bv
  ∧ SafeAt Quorum s vv bv
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb: (Z.of_N bv < b)%Z
v: Value
v
∉ <[bv:={[vv]} ∪ votes (s a) !!! bv]> (votes (s a))
  !!! b
        rewrite lookup_total_insert_ne by ballot_lia.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
bv: Ballot
vv: Value
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) ≤ bv)%Z
∧ did_not_vote_in (s a) bv
  ∧ SafeAt Quorum s vv bv
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb: (Z.of_N bv < b)%Z
v: Value
v ∉ votes (s a) !!! b
        apply IHHs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
bv: Ballot
vv: Value
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) ≤ bv)%Z
∧ did_not_vote_in (s a) bv
  ∧ SafeAt Quorum s vv bv
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb: (Z.of_N bv < b)%Z
v: Value
(maxBal (s a) < b)%Z
        generalize (proj1 Hl).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': composite_state (λ _ : Acceptor, acceptor_vlsm)
bv: Ballot
vv: Value
om, om': option False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
a: Acceptor
Hl: (maxBal (s a) ≤ bv)%Z
∧ did_not_vote_in (s a) bv
  ∧ SafeAt Quorum s vv bv
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
b: Ballot
Hb: (Z.of_N bv < b)%Z
v: Value
(maxBal (s a) ≤ bv)%Z → (maxBal (s a) < b)%Z
        by destruct (maxBal (s a)); simpl; ballot_lia.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
i: Acceptor
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
Hs': s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1
Hl: match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ SafeAt Quorum s v b
end
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
a: Acceptor
b: Ballot
n: a ≠ i
(maxBal (s' a) < b)%Z → did_not_vote_in (s' a) b rewrite Hs', state_update_neq by done.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
i: Acceptor
l: label acceptor_vlsm
om, om': option False
s: state (voting_vlsm Quorum)
Hs': s' =
state_update IM s i
  (acceptor_transition l (s i, om)).1
Hl: match l with
| SkipToRound b' => (maxBal (s i) < b')%Z
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ SafeAt Quorum s v b
end
IHHs: ∀ (a : Acceptor) (b : Ballot),
  (maxBal (s a) < b)%Z
  → did_not_vote_in (s a) b
a: Acceptor
b: Ballot
n: a ≠ i
(maxBal (s a) < b)%Z → did_not_vote_in (s a) b
      by apply IHHs.
Qed.

Lemma cbq_blocks :
  forall s b v w,
    (exists Q, consensus_blocking_quorum Quorum s b v Q) ->
    ballot_chose s b w ->
    v = w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state (λ _ : Acceptor, acceptor_vlsm)) 
  (b : Ballot) (v w : Value),
  (∃ Q : {x : ASet | Quorum x},
     consensus_blocking_quorum Quorum s b v Q)
  → ballot_chose s b w → v = w
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (s : composite_state (λ _ : Acceptor, acceptor_vlsm)) 
  (b : Ballot) (v w : Value),
  (∃ Q : {x : ASet | Quorum x},
     consensus_blocking_quorum Quorum s b v Q)
  → ballot_chose s b w → v = w
  intros s b v w (Q & _ & Hblock) [QQ Hchose].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
b: Ballot
v, w: Value
Q: {x : ASet | Quorum x}
Hblock: allQuorum Quorum Q
  (λ a : Acceptor, voted_none_but (s a) b v)
QQ: {x : ASet | Quorum x}
Hchose: allQuorum Quorum QQ
  (λ a : Acceptor, voted_for (s a) b w)
v = w
  destruct (QA Q QQ) as [a Ha].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
b: Ballot
v, w: Value
Q: {x : ASet | Quorum x}
Hblock: allQuorum Quorum Q
  (λ a : Acceptor, voted_none_but (s a) b v)
QQ: {x : ASet | Quorum x}
Hchose: allQuorum Quorum QQ
  (λ a : Acceptor, voted_for (s a) b w)
a: Acceptor
Ha: a ∈ `Q ∩ `QQ
v = w
  apply elem_of_intersection in Ha as [Ha_Q Ha_QQ].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
b: Ballot
v, w: Value
Q: {x : ASet | Quorum x}
Hblock: allQuorum Quorum Q
  (λ a : Acceptor, voted_none_but (s a) b v)
QQ: {x : ASet | Quorum x}
Hchose: allQuorum Quorum QQ
  (λ a : Acceptor, voted_for (s a) b w)
a: Acceptor
Ha_Q: a ∈ `Q
Ha_QQ: a ∈ `QQ
v = w
  symmetry.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: composite_state (λ _ : Acceptor, acceptor_vlsm)
b: Ballot
v, w: Value
Q: {x : ASet | Quorum x}
Hblock: allQuorum Quorum Q
  (λ a : Acceptor, voted_none_but (s a) b v)
QQ: {x : ASet | Quorum x}
Hchose: allQuorum Quorum QQ
  (λ a : Acceptor, voted_for (s a) b w)
a: Acceptor
Ha_Q: a ∈ `Q
Ha_QQ: a ∈ `QQ
w = v
  by eapply Hblock; [| apply Hchose].
Qed.

(* does not need invariants yet *)
Lemma VT0 :
  forall s,
    valid_state_prop (voting_vlsm Quorum) s ->
    forall (v w : Value) (b c : Ballot),
      (b > c)%N -> SafeAt Quorum s v b -> ballot_chose s c w -> v = w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → ∀ (v w : Value) (b c : Ballot),
      (b > c)%N
      → SafeAt Quorum s v b
        → ballot_chose s c w → v = w
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → ∀ (v w : Value) (b c : Ballot),
      (b > c)%N
      → SafeAt Quorum s v b
        → ballot_chose s c w → v = w
  intros s Hs v w b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: Ballot
∀ c : Ballot,
  (b > c)%N
  → SafeAt Quorum s v b → ballot_chose s c w → v = w
  set (P b := forall (c : Ballot),
    (b > c)%N -> SafeAt Quorum s v b -> ballot_chose s c w -> v = w).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: Ballot
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
∀ c : Ballot,
  (b > c)%N
  → SafeAt Quorum s v b → ballot_chose s c w → v = w
  fold (P b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: Ballot
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
P b
  induction b using N.peano_ind; [by intro; lia |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
P (N.succ b)
  intros c Hc Hsafe Hchosen.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
c: Ballot
Hc: (N.succ b > c)%N
Hsafe: SafeAt Quorum s v (N.succ b)
Hchosen: ballot_chose s c w
v = w
  apply N.gt_lt, N.lt_succ_r, N.lt_eq_cases in Hc as [Hc%N.lt_gt | ->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
c: Ballot
Hc: (b > c)%N
Hsafe: SafeAt Quorum s v (N.succ b)
Hchosen: ballot_chose s c w
v = w
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
Hsafe: SafeAt Quorum s v (N.succ b)
Hchosen: ballot_chose s b w
v = w
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
c: Ballot
Hc: (b > c)%N
Hsafe: SafeAt Quorum s v (N.succ b)
Hchosen: ballot_chose s c w
v = w apply (IHb c Hc); [| done].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
c: Ballot
Hc: (b > c)%N
Hsafe: SafeAt Quorum s v (N.succ b)
Hchosen: ballot_chose s c w
SafeAt Quorum s v b
    by intros d Hd; apply Hsafe; ballot_lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
Hsafe: SafeAt Quorum s v (N.succ b)
Hchosen: ballot_chose s b w
v = w eapply cbq_blocks; [| by apply Hchosen].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v, w: Value
b: N
P:= λ b : N,
  ∀ c : Ballot,
    (b > c)%N
    → SafeAt Quorum s v b
      → ballot_chose s c w → v = w: N → Prop
IHb: P b
Hsafe: SafeAt Quorum s v (N.succ b)
Hchosen: ballot_chose s b w
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Quorum s b v Q
    by apply Hsafe; ballot_lia.
Qed.

Lemma Q_nonempty :
  forall (Q : sig Quorum), exists a, a ∈ `Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ Q : {x : ASet | Quorum x}, ∃ a : Acceptor, a ∈ `Q
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ Q : {x : ASet | Quorum x}, ∃ a : Acceptor, a ∈ `Q
  intros Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
Q: {x : ASet | Quorum x}
∃ a : Acceptor, a ∈ `Q
  destruct (QA Q Q) as [a Ha].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
Q: {x : ASet | Quorum x}
a: Acceptor
Ha: a ∈ `Q ∩ `Q
∃ a : Acceptor, a ∈ `Q
  by exists a; apply intersection_idemp.
Qed.

Lemma VT1 :
  forall s,
    valid_state_prop (voting_vlsm Quorum) s ->
    acceptor_no_conflict_prop s ->
    acceptor_votes_safe_prop s ->
    forall (v w : Value),
      v ∈ chosen s -> w ∈ chosen s -> v = w.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → acceptor_no_conflict_prop s
    → acceptor_votes_safe_prop s
      → ∀ v w : Value,
          v ∈ chosen s → w ∈ chosen s → v = w
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → acceptor_no_conflict_prop s
    → acceptor_votes_safe_prop s
      → ∀ v w : Value,
          v ∈ chosen s → w ∈ chosen s → v = w
  intros s Hs Hinv1 Hinv2 v w Hv Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
Hv: v ∈ chosen s
Hw: w ∈ chosen s
v = w
  apply chosen_iff in Hv as [b Hchose_v].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
Hw: w ∈ chosen s
v = w
  apply chosen_iff in Hw as [c Hchose_w].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
v = w
  destruct (Hchose_v) as [Q Hv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
v = w
  destruct (Hchose_w) as [R Hw].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
v = w
  destruct (Q_nonempty Q) as [av Hav].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: av ∈ `Q
v = w
  destruct (Q_nonempty R) as [aw Haw].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: av ∈ `Q
aw: Acceptor
Haw: aw ∈ `R
v = w
  apply Hv in Hav.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: aw ∈ `R
v = w
  apply Hw in Haw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
v = w
  simpl in Hv, Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
v = w
  assert (SafeAt Quorum s v b) by (eapply Hinv2; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
v = w
  assert (SafeAt Quorum s w c) by (eapply Hinv2; done).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
v = w
  destruct (N.lt_total b c) as [H_b_lt_c | [H_bc | H_c_lt_b]].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_b_lt_c: (b < c)%N
v = w
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_bc: b = c
v = w
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_c_lt_b: (c < b)%N
v = w
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_b_lt_c: (b < c)%N
v = w apply N.lt_gt in H_b_lt_c.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_b_lt_c: (c > b)%N
v = w
    symmetry.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_b_lt_c: (c > b)%N
w = v
    by eapply VT0.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_bc: b = c
v = w destruct (QA Q R) as [a Ha].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_bc: b = c
a: Acceptor
Ha: a ∈ `Q ∩ `R
v = w
    apply elem_of_intersection in Ha as [Ha_Q Ha_R].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_bc: b = c
a: Acceptor
Ha_Q: a ∈ `Q
Ha_R: a ∈ `R
v = w
    subst c.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
Hchose_w: ballot_chose s b w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) b w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) b w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w b
a: Acceptor
Ha_Q: a ∈ `Q
Ha_R: a ∈ `R
v = w
    apply (Hinv1 a b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
Hchose_w: ballot_chose s b w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) b w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) b w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w b
a: Acceptor
Ha_Q: a ∈ `Q
Ha_R: a ∈ `R
voted_for (s a) b v
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
Hchose_w: ballot_chose s b w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) b w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) b w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w b
a: Acceptor
Ha_Q: a ∈ `Q
Ha_R: a ∈ `R
voted_for (s a) b w
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
Hchose_w: ballot_chose s b w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) b w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) b w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w b
a: Acceptor
Ha_Q: a ∈ `Q
Ha_R: a ∈ `R
voted_for (s a) b v by apply Hv.
    +Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
Hchose_w: ballot_chose s b w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) b w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) b w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w b
a: Acceptor
Ha_Q: a ∈ `Q
Ha_R: a ∈ `R
voted_for (s a) b w by apply Hw.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_c_lt_b: (c < b)%N
v = w apply N.lt_gt in H_c_lt_b.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hinv1: acceptor_no_conflict_prop s
Hinv2: acceptor_votes_safe_prop s
v, w: Value
b: Ballot
Hchose_v: ballot_chose s b v
c: Ballot
Hchose_w: ballot_chose s c w
Q: {x : ASet | Quorum x}
Hv: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
R: {x : ASet | Quorum x}
Hw: allQuorum Quorum R
  (λ a : Acceptor, voted_for (s a) c w)
av: Acceptor
Hav: voted_for (s av) b v
aw: Acceptor
Haw: voted_for (s aw) c w
H16: SafeAt Quorum s v b
H17: SafeAt Quorum s w c
H_c_lt_b: (b > c)%N
v = w
    by eapply VT0.
Qed.

Lemma prev_vote_committed :
  forall [l s s' om om'],
    input_valid_transition (voting_vlsm Quorum) l (s, om) (s', om') ->
    forall a b v, vote_committed (s a) b -> voted_for (s' a) b v -> voted_for (s a) b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s
                                    s' : state
                                           (voting_vlsm
                                              Quorum)) 
  (om om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      vote_committed (s a) b
      → voted_for (s' a) b v → voted_for (s a) b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s
                                    s' : state
                                           (voting_vlsm
                                              Quorum)) 
  (om om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      vote_committed (s a) b
      → voted_for (s' a) b v → voted_for (s a) b v
  intros * Ht *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
vote_committed (s a) b
→ voted_for (s' a) b v → voted_for (s a) b v
  apply step_cases' in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: let (i, l) := l in
match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {|
          votes := votes (s i); maxBal := Some b'
        |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes :=
                  mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
a: Acceptor
b: Ballot
v: Value
vote_committed (s a) b
→ voted_for (s' a) b v → voted_for (s a) b v
  unfold vote_committed, voted_for.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: let (i, l) := l in
match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {|
          votes := votes (s i); maxBal := Some b'
        |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes :=
                  mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
a: Acceptor
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v ∈ votes (s' a) !!! b → v ∈ votes (s a) !!! b
  destruct l as [i []].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: (maxBal (s i) < b0)%Z
∧ s' =
  state_update IM s i
    {| votes := votes (s i); maxBal := Some b0 |}
a: Acceptor
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v ∈ votes (s' a) !!! b → v ∈ votes (s a) !!! b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
v0: Value
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: (maxBal (s i) ≤ b0)%Z
∧ did_not_vote_in (s i) b0
  ∧ (∀ j : Acceptor,
       j ≠ i → voted_none_but (s j) b0 v0)
    ∧ SafeAt Quorum s v0 b0
      ∧ s' =
        state_update IM s i
          {|
            votes :=
              mmap_insert b0 v0 (votes (s i));
            maxBal := Some b0
          |}
a: Acceptor
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v ∈ votes (s' a) !!! b → v ∈ votes (s a) !!! b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: (maxBal (s i) < b0)%Z
∧ s' =
  state_update IM s i
    {| votes := votes (s i); maxBal := Some b0 |}
a: Acceptor
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v ∈ votes (s' a) !!! b → v ∈ votes (s a) !!! b destruct Ht as [Hb ->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
s: state (voting_vlsm Quorum)
om, om': option False
Hb: (maxBal (s i) < b0)%Z
a: Acceptor
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v
  ∈ votes
      (state_update IM s i
         {| votes := votes (s i); maxBal := Some b0 |}
         a) !!! b → v ∈ votes (s a) !!! b
    destruct (decide (a = i)); [| by rewrite state_update_neq].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
s: state (voting_vlsm Quorum)
om, om': option False
Hb: (maxBal (s i) < b0)%Z
a: Acceptor
b: Ballot
v: Value
e: a = i
(maxBal (s a) > b)%Z
→ v
  ∈ votes
      (state_update IM s i
         {| votes := votes (s i); maxBal := Some b0 |}
         a) !!! b → v ∈ votes (s a) !!! b
    by subst i; rewrite state_update_eq.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
v0: Value
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: (maxBal (s i) ≤ b0)%Z
∧ did_not_vote_in (s i) b0
  ∧ (∀ j : Acceptor,
       j ≠ i → voted_none_but (s j) b0 v0)
    ∧ SafeAt Quorum s v0 b0
      ∧ s' =
        state_update IM s i
          {|
            votes :=
              mmap_insert b0 v0 (votes (s i));
            maxBal := Some b0
          |}
a: Acceptor
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v ∈ votes (s' a) !!! b → v ∈ votes (s a) !!! b destruct Ht as (Hbal & Hnv & _ & _ & ->).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
Hbal: (maxBal (s i) ≤ b0)%Z
Hnv: did_not_vote_in (s i) b0
a: Acceptor
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v
  ∈ votes
      (state_update IM s i
         {|
           votes := mmap_insert b0 v0 (votes (s i));
           maxBal := Some b0
         |} a) !!! b → v ∈ votes (s a) !!! b
    destruct (decide (a = i)); [| by rewrite state_update_neq].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
Hbal: (maxBal (s i) ≤ b0)%Z
Hnv: did_not_vote_in (s i) b0
a: Acceptor
b: Ballot
v: Value
e: a = i
(maxBal (s a) > b)%Z
→ v
  ∈ votes
      (state_update IM s i
         {|
           votes := mmap_insert b0 v0 (votes (s i));
           maxBal := Some b0
         |} a) !!! b → v ∈ votes (s a) !!! b
    subst i; rewrite state_update_eq.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
Hnv: did_not_vote_in (s a) b0
Hbal: (maxBal (s a) ≤ b0)%Z
b: Ballot
v: Value
(maxBal (s a) > b)%Z
→ v
  ∈ votes
      {|
        votes := mmap_insert b0 v0 (votes (s a));
        maxBal := Some b0
      |} !!! b → v ∈ votes (s a) !!! b
    destruct (maxBal (s a)) as [mb_a |]; [| by simpl; ballot_lia].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
Hnv: did_not_vote_in (s a) b0
mb_a: Ballot
Hbal: (Some mb_a ≤ b0)%Z
b: Ballot
v: Value
(Some mb_a > b)%Z
→ v
  ∈ votes
      {|
        votes := mmap_insert b0 v0 (votes (s a));
        maxBal := Some b0
      |} !!! b → v ∈ votes (s a) !!! b
    simpl in Hbal |- *.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
Hnv: did_not_vote_in (s a) b0
mb_a: Ballot
Hbal: (Z.of_N mb_a ≤ b0)%Z
b: Ballot
v: Value
(Z.of_N mb_a > b)%Z
→ v ∈ mmap_insert b0 v0 (votes (s a)) !!! b
  → v ∈ votes (s a) !!! b
    intros Hb.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
Hnv: did_not_vote_in (s a) b0
mb_a: Ballot
Hbal: (Z.of_N mb_a ≤ b0)%Z
b: Ballot
v: Value
Hb: (Z.of_N mb_a > b)%Z
v ∈ mmap_insert b0 v0 (votes (s a)) !!! b
→ v ∈ votes (s a) !!! b
    assert (b <> b0)%Z by ballot_lia.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
Hnv: did_not_vote_in (s a) b0
mb_a: Ballot
Hbal: (Z.of_N mb_a ≤ b0)%Z
b: Ballot
v: Value
Hb: (Z.of_N mb_a > b)%Z
H16: b ≠ b0
v ∈ mmap_insert b0 v0 (votes (s a)) !!! b
→ v ∈ votes (s a) !!! b
    rewrite elem_of_mmap_insert.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
b0: Ballot
v0: Value
s: state (voting_vlsm Quorum)
om, om': option False
a: Acceptor
Hnv: did_not_vote_in (s a) b0
mb_a: Ballot
Hbal: (Z.of_N mb_a ≤ b0)%Z
b: Ballot
v: Value
Hb: (Z.of_N mb_a > b)%Z
H16: b ≠ b0
v0 = v ∧ b0 = b ∨ v ∈ votes (s a) !!! b
→ v ∈ votes (s a) !!! b
    by itauto.
Qed.

Lemma safe_at_preserved :
  forall [l s s' om om'],
    input_valid_transition (voting_vlsm Quorum) l (s, om) (s', om') ->
    forall b v, SafeAt Quorum s b v -> SafeAt Quorum s' b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s
                                    s' : state
                                           (voting_vlsm
                                              Quorum)) 
  (om om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (b : Value) (v : Ballot),
      SafeAt Quorum s b v → SafeAt Quorum s' b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s
                                    s' : state
                                           (voting_vlsm
                                              Quorum)) 
  (om om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (b : Value) (v : Ballot),
      SafeAt Quorum s b v → SafeAt Quorum s' b v
  intros l s s' om om' Ht b v Hsafe d Hd.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Quorum s' d b Q
  destruct (Hsafe d Hd) as (Q & Hbal & Hvotes).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
Hbal: allQuorum Quorum Q
  (λ a : Acceptor, vote_committed (s a) d)
Hvotes: allQuorum Quorum Q
  (λ a : Acceptor, voted_none_but (s a) d b)
∃ Q : {x : ASet | Quorum x},
  consensus_blocking_quorum Quorum s' d b Q
  exists Q.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
Hbal: allQuorum Quorum Q
  (λ a : Acceptor, vote_committed (s a) d)
Hvotes: allQuorum Quorum Q
  (λ a : Acceptor, voted_none_but (s a) d b)
consensus_blocking_quorum Quorum s' d b Q
  split; intros a Ha; specialize (Hbal a Ha); specialize (Hvotes a Ha); simpl in Hbal, Hvotes.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hbal: vote_committed (s a) d
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
vote_committed (s' a) d
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hbal: vote_committed (s a) d
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
voted_none_but (s' a) d b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hbal: vote_committed (s a) d
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
vote_committed (s' a) d revert Hbal.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
vote_committed (s a) d → vote_committed (s' a) d
    unfold vote_committed.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
(maxBal (s a) > d)%Z → (maxBal (s' a) > d)%Z
    pose proof (step_cases'' Ht a) as Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
Hstep: let (i, l) := l in
if decide (a = i)
then
 s' a =
 {|
   votes :=
     match l with
     | SkipToRound _ => votes (s a)
     | Vote b v =>
         mmap_insert b v (votes (s a))
     end;
   maxBal :=
     Some
       match l with
       | SkipToRound b' => b'
       | Vote b _ => b
       end
 |}
else s' a = s a
(maxBal (s a) > d)%Z → (maxBal (s' a) > d)%Z
    destruct l as [i l].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum)
  (existT i l) (s, om) (
  s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
Hstep: if decide (a = i)
then
 s' a =
 {|
   votes :=
     match l with
     | SkipToRound _ => votes (s a)
     | Vote b v =>
         mmap_insert b v (votes (s a))
     end;
   maxBal :=
     Some
       match l with
       | SkipToRound b' => b'
       | Vote b _ => b
       end
 |}
else s' a = s a
(maxBal (s a) > d)%Z → (maxBal (s' a) > d)%Z
    destruct (decide (a = i)); [| by congruence].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum)
  (existT i l) (s, om) (
  s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
e: a = i
Hstep: s' a =
{|
  votes :=
    match l with
    | SkipToRound _ => votes (s a)
    | Vote b v =>
        mmap_insert b v (votes (s a))
    end;
  maxBal :=
    Some
      match l with
      | SkipToRound b' => b'
      | Vote b _ => b
      end
|}
(maxBal (s a) > d)%Z → (maxBal (s' a) > d)%Z
    rewrite Hstep; cbn; clear Hstep.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum)
  (existT i l) (s, om) (
  s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
e: a = i
(maxBal (s a) > d)%Z
→ (Z.of_N
     match l with
     | SkipToRound b' => b'
     | Vote b _ => b
     end > d)%Z
    apply step_cases' in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {|
          votes := votes (s i); maxBal := Some b'
        |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes :=
                  mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
e: a = i
(maxBal (s a) > d)%Z
→ (Z.of_N
     match l with
     | SkipToRound b' => b'
     | Vote b _ => b
     end > d)%Z
    subst a.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
i: Acceptor
l: label acceptor_vlsm
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: match l with
| SkipToRound b' =>
    (maxBal (s i) < b')%Z
    ∧ s' =
      state_update IM s i
        {|
          votes := votes (s i); maxBal := Some b'
        |}
| Vote b v =>
    (maxBal (s i) ≤ b)%Z
    ∧ did_not_vote_in (s i) b
      ∧ (∀ j : Acceptor,
           j ≠ i → voted_none_but (s j) b v)
        ∧ SafeAt Quorum s v b
          ∧ s' =
            state_update IM s i
              {|
                votes :=
                  mmap_insert b v (votes (s i));
                maxBal := Some b
              |}
end
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
Ha: i ∈ `Q
Hvotes: voted_none_but (s i) d b
(maxBal (s i) > d)%Z
→ (Z.of_N
     match l with
     | SkipToRound b' => b'
     | Vote b _ => b
     end > d)%Z
    by destruct l; simpl in Ht |- *;
      destruct Ht as [Ht _]; revert Ht;
      destruct (maxBal (s i)); simpl; ballot_lia.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hbal: vote_committed (s a) d
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
voted_none_but (s' a) d b unfold voted_none_but.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hbal: vote_committed (s a) d
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
∀ w : Value, voted_for (s' a) d w → w = b
    intros w Hw.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s, s': state (voting_vlsm Quorum)
om, om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Value
v: Ballot
Hsafe: SafeAt Quorum s b v
d: Ballot
Hd: (d < v)%Z
Q: {x : ASet | Quorum x}
a: Acceptor
Hbal: vote_committed (s a) d
Hvotes: voted_none_but (s a) d b
Ha: a ∈ `Q
w: Value
Hw: voted_for (s' a) d w
w = b
    by apply Hvotes, (prev_vote_committed Ht).
Qed.

(* Need invariance of VInv2 VInv3 VInv4 *)

Lemma inv_acceptor_votes_safe :
  forall s,
    valid_state_prop (voting_vlsm Quorum) s ->
    acceptor_votes_safe_prop s.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → acceptor_votes_safe_prop s
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → acceptor_votes_safe_prop s
  intros s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
acceptor_votes_safe_prop s
  induction Hs using valid_state_prop_ind; unfold acceptor_votes_safe_prop; intros a b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
voted_for (s a) b v → SafeAt Quorum s v b
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_votes_safe_prop s
a: Acceptor
b: Ballot
v: Value
voted_for (s' a) b v → SafeAt Quorum s' v b
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
voted_for (s a) b v → SafeAt Quorum s v b intros Hvote; contradict Hvote.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
¬ voted_for (s a) b v
    rewrite (Hs a).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
¬ voted_for acceptor_initial b v
    unfold voted_for; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
v ∉ ∅ !!! b
    rewrite lookup_total_empty; cbn.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: initial_state_prop s
a: Acceptor
b: Ballot
v: Value
v ∉ ∅
    by apply not_elem_of_empty.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_votes_safe_prop s
a: Acceptor
b: Ballot
v: Value
voted_for (s' a) b v → SafeAt Quorum s' v b intros Hvote.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_votes_safe_prop s
a: Acceptor
b: Ballot
v: Value
Hvote: voted_for (s' a) b v
SafeAt Quorum s' v b
    apply (prev_votes Ht) in Hvote.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_votes_safe_prop s
a: Acceptor
b: Ballot
v: Value
Hvote: let (i, l) := l in
match l with
| SkipToRound _ => voted_for (s a) b v
| Vote bv vv =>
    a = i ∧ b = bv ∧ v = vv
    ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
end
SafeAt Quorum s' v b
    pose proof (Hpres := safe_at_preserved Ht v b).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
IHHs: acceptor_votes_safe_prop s
a: Acceptor
b: Ballot
v: Value
Hvote: let (i, l) := l in
match l with
| SkipToRound _ => voted_for (s a) b v
| Vote bv vv =>
    a = i ∧ b = bv ∧ v = vv
    ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
end
Hpres: SafeAt Quorum s v b → SafeAt Quorum s' v b
SafeAt Quorum s' v b
    specialize (IHHs a b v).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
l: label (voting_vlsm Quorum)
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
IHHs: voted_for (s a) b v → SafeAt Quorum s v b
Hvote: let (i, l) := l in
match l with
| SkipToRound _ => voted_for (s a) b v
| Vote bv vv =>
    a = i ∧ b = bv ∧ v = vv
    ∨ (a ≠ i ∨ b ≠ bv) ∧ voted_for (s a) b v
end
Hpres: SafeAt Quorum s v b → SafeAt Quorum s' v b
SafeAt Quorum s' v b
    destruct l as [i [b' | b' w]]; [by auto |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
i: Acceptor
b': Ballot
w: Value
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum)
  (existT i (Vote b' w)) (
  s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
IHHs: voted_for (s a) b v → SafeAt Quorum s v b
Hvote: a = i ∧ b = b' ∧ v = w
∨ (a ≠ i ∨ b ≠ b') ∧ voted_for (s a) b v
Hpres: SafeAt Quorum s v b → SafeAt Quorum s' v b
SafeAt Quorum s' v b
    assert (Hw : SafeAt Quorum s w b') by (apply step_cases in Ht; apply Ht).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s': state (voting_vlsm Quorum)
i: Acceptor
b': Ballot
w: Value
om, om': option False
s: state (voting_vlsm Quorum)
Ht: input_valid_transition (voting_vlsm Quorum)
  (existT i (Vote b' w)) (
  s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
IHHs: voted_for (s a) b v → SafeAt Quorum s v b
Hvote: a = i ∧ b = b' ∧ v = w
∨ (a ≠ i ∨ b ≠ b') ∧ voted_for (s a) b v
Hpres: SafeAt Quorum s v b → SafeAt Quorum s' v b
Hw: SafeAt Quorum s w b'
SafeAt Quorum s' v b
    by decompose [and or] Hvote; subst; auto.
Qed.

Lemma vote_stable :
  forall l s om s' om',
    input_valid_transition (voting_vlsm Quorum) l (s, om) (s', om') ->
    forall a (b : Ballot) v,
      voted_for (s a) b v -> voted_for (s' a) b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s : state
                                          (voting_vlsm
                                             Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      voted_for (s a) b v → voted_for (s' a) b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s : state
                                          (voting_vlsm
                                             Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (a : Acceptor) (b : Ballot) (v : Value),
      voted_for (s a) b v → voted_for (s' a) b v
  intros * Ht a b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
voted_for (s a) b v → voted_for (s' a) b v
  pose proof (sigT_prod_sigT l); destruct (prod_of_sigT l) as [i li]; subst l.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
i: Acceptor
li: acceptor_label
Ht: input_valid_transition (voting_vlsm Quorum)
  (sigT_of_prod (i, li)) (
  s, om) (s', om')
a: Acceptor
b: Ballot
v: Value
voted_for (s a) b v → voted_for (s' a) b v
  apply step_cases'' with (a := a) in Ht; cbn in Ht.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
i: Acceptor
li: acceptor_label
a: Acceptor
Ht: if decide (a = i)
then
 s' a =
 {|
   votes :=
     match li with
     | SkipToRound _ => votes (s a)
     | Vote b v => mmap_insert b v (votes (s a))
     end;
   maxBal :=
     Some
       match li with
       | SkipToRound b' => b'
       | Vote b _ => b
       end
 |}
else s' a = s a
b: Ballot
v: Value
voted_for (s a) b v → voted_for (s' a) b v
  destruct (decide (a = i)); [| by congruence].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
i: Acceptor
li: acceptor_label
a: Acceptor
e: a = i
Ht: s' a =
{|
  votes :=
    match li with
    | SkipToRound _ => votes (s a)
    | Vote b v => mmap_insert b v (votes (s a))
    end;
  maxBal :=
    Some
      match li with
      | SkipToRound b' => b'
      | Vote b _ => b
      end
|}
b: Ballot
v: Value
voted_for (s a) b v → voted_for (s' a) b v
  unfold voted_for.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
i: Acceptor
li: acceptor_label
a: Acceptor
e: a = i
Ht: s' a =
{|
  votes :=
    match li with
    | SkipToRound _ => votes (s a)
    | Vote b v => mmap_insert b v (votes (s a))
    end;
  maxBal :=
    Some
      match li with
      | SkipToRound b' => b'
      | Vote b _ => b
      end
|}
b: Ballot
v: Value
v ∈ votes (s a) !!! b → v ∈ votes (s' a) !!! b
  destruct li; rewrite Ht; cbn; [done |].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
i: Acceptor
b0: Ballot
v0: Value
a: Acceptor
e: a = i
Ht: s' a =
{|
  votes := mmap_insert b0 v0 (votes (s a));
  maxBal := Some b0
|}
b: Ballot
v: Value
v ∈ votes (s a) !!! b
→ v ∈ mmap_insert b0 v0 (votes (s a)) !!! b
  by rewrite elem_of_mmap_insert; itauto.
Qed.

Lemma choice_stable :
  forall l s om s' om',
    input_valid_transition (voting_vlsm Quorum) l (s, om) (s', om') ->
    forall b v,
      ballot_chose s b v -> ballot_chose s' b v.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s : state
                                          (voting_vlsm
                                             Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (b : Ballot) (v : Value),
      ballot_chose s b v → ballot_chose s' b v
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ (l : label (voting_vlsm Quorum)) (s : state
                                          (voting_vlsm
                                             Quorum)) 
  (om : option False) (s' : state (voting_vlsm Quorum)) 
  (om' : option False),
  input_valid_transition (voting_vlsm Quorum) l
    (s, om) (s', om')
  → ∀ (b : Ballot) (v : Value),
      ballot_chose s b v → ballot_chose s' b v
  intros l s om s' om' Ht b v [Q HQ].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
ballot_chose s' b v
  exists Q; intros a Ha.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
l: label (voting_vlsm Quorum)
s: state (voting_vlsm Quorum)
om: option False
s': state (voting_vlsm Quorum)
om': option False
Ht: input_valid_transition (voting_vlsm Quorum) l
  (s, om) (s', om')
b: Ballot
v: Value
Q: {x : ASet | Quorum x}
HQ: allQuorum Quorum Q
  (λ a : Acceptor, voted_for (s a) b v)
a: Acceptor
Ha: a ∈ `Q
voted_for (s' a) b v
  by eapply vote_stable, HQ.
Qed.

Lemma voting_safe :
  forall s,
    valid_state_prop (voting_vlsm Quorum) s ->
    forall b1 v1 b2 v2,
      ballot_chose s b1 v1 -> ballot_chose s b2 v2 ->
      v1 = v2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → ∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
      ballot_chose s b1 v1
      → ballot_chose s b2 v2 → v1 = v2
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → ∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
      ballot_chose s b1 v1
      → ballot_chose s b2 v2 → v1 = v2
  intros s Hs.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
  ballot_chose s b1 v1
  → ballot_chose s b2 v2 → v1 = v2
  match goal with
  |- forall b1 v1 b2 v2, @?P b1 v1 b2 v2 =>
      cut (forall (b1 : Ballot) v1 (b2 : Ballot) v2, (b1 < b2)%Z -> P b1 v1 b2 v2)
  end.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
(∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
   (b1 < b2)%Z
   → (λ (b3 : Ballot) (v3 : Value) (b4 : Ballot) (v4 : Value),
        ballot_chose s b3 v3
        → ballot_chose s b4 v4 → v3 = v4) b1 v1 b2 v2)
→ ∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
    ballot_chose s b1 v1
    → ballot_chose s b2 v2 → v1 = v2
Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  (b1 < b2)%Z
  → (λ (b3 : Ballot) (v3 : Value) 
       (b4 : Ballot) (v4 : Value),
       ballot_chose s b3 v3
       → ballot_chose s b4 v4 → v3 = v4) b1 v1 b2 v2
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
(∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
   (b1 < b2)%Z
   → (λ (b3 : Ballot) (v3 : Value) (b4 : Ballot) (v4 : Value),
        ballot_chose s b3 v3
        → ballot_chose s b4 v4 → v3 = v4) b1 v1 b2 v2)
→ ∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
    ballot_chose s b1 v1
    → ballot_chose s b2 v2 → v1 = v2 intros Hwlog * Hv1 Hv2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
Hwlog: ∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  (b1 < b2)%Z
  → (λ (b3 : Ballot) (v3 : Value) 
       (b4 : Ballot) (v4 : Value),
       ballot_chose s b3 v3
       → ballot_chose s b4 v4 → v3 = v4) b1 v1
      b2 v2
b1: Ballot
v1: Value
b2: Ballot
v2: Value
Hv1: ballot_chose s b1 v1
Hv2: ballot_chose s b2 v2
v1 = v2
    destruct (Z.lt_total b1 b2) as [| [Heq |]]; [by eauto | clear Hwlog | by symmetry; eauto].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1: Value
b2: Ballot
v2: Value
Hv1: ballot_chose s b1 v1
Hv2: ballot_chose s b2 v2
Heq: b1 = b2
v1 = v2
    apply (inj_iff Ballot_to_Z) in Heq; subst b2.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1, v2: Value
Hv1: ballot_chose s b1 v1
Hv2: ballot_chose s b1 v2
v1 = v2
    destruct Hv1 as [Q_v1 Hv1], Hv2 as [Q_v2 Hv2].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1, v2: Value
Q_v1: {x : ASet | Quorum x}
Hv1: allQuorum Quorum Q_v1
  (λ a : Acceptor, voted_for (s a) b1 v1)
Q_v2: {x : ASet | Quorum x}
Hv2: allQuorum Quorum Q_v2
  (λ a : Acceptor, voted_for (s a) b1 v2)
v1 = v2
    destruct (QA Q_v1 Q_v2) as [a [Ha_Q1 Ha_Q2]%elem_of_intersection].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1, v2: Value
Q_v1: {x : ASet | Quorum x}
Hv1: allQuorum Quorum Q_v1
  (λ a : Acceptor, voted_for (s a) b1 v1)
Q_v2: {x : ASet | Quorum x}
Hv2: allQuorum Quorum Q_v2
  (λ a : Acceptor, voted_for (s a) b1 v2)
a: Acceptor
Ha_Q1: a ∈ `Q_v1
Ha_Q2: a ∈ `Q_v2
v1 = v2
    by eapply (inv_acceptor_no_conflict _ Hs); eauto.
  -Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
∀ (b1 : Ballot) (v1 : Value) (b2 : Ballot) (v2 : Value),
  (b1 < b2)%Z
  → (λ (b3 : Ballot) (v3 : Value) (b4 : Ballot) (v4 : Value),
       ballot_chose s b3 v3
       → ballot_chose s b4 v4 → v3 = v4) b1 v1 b2 v2 intros b1 v1 b2 v2 H_lt [Q_v1 H_v1] [Q_v2 H_v2].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1: Value
b2: Ballot
v2: Value
H_lt: (b1 < b2)%Z
Q_v1: {x : ASet | Quorum x}
H_v1: allQuorum Quorum Q_v1
  (λ a : Acceptor, voted_for (s a) b1 v1)
Q_v2: {x : ASet | Quorum x}
H_v2: allQuorum Quorum Q_v2
  (λ a : Acceptor, voted_for (s a) b2 v2)
v1 = v2
    destruct (Q_nonempty Q_v2) as [a2 Ha2].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1: Value
b2: Ballot
v2: Value
H_lt: (b1 < b2)%Z
Q_v1: {x : ASet | Quorum x}
H_v1: allQuorum Quorum Q_v1
  (λ a : Acceptor, voted_for (s a) b1 v1)
Q_v2: {x : ASet | Quorum x}
H_v2: allQuorum Quorum Q_v2
  (λ a : Acceptor, voted_for (s a) b2 v2)
a2: Acceptor
Ha2: a2 ∈ `Q_v2
v1 = v2
    pose proof (inv_acceptor_votes_safe _ Hs a2 _ _ (H_v2 _ Ha2) b1 H_lt) as [Q12 H_b1_v2].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1: Value
b2: Ballot
v2: Value
H_lt: (b1 < b2)%Z
Q_v1: {x : ASet | Quorum x}
H_v1: allQuorum Quorum Q_v1
  (λ a : Acceptor, voted_for (s a) b1 v1)
Q_v2: {x : ASet | Quorum x}
H_v2: allQuorum Quorum Q_v2
  (λ a : Acceptor, voted_for (s a) b2 v2)
a2: Acceptor
Ha2: a2 ∈ `Q_v2
Q12: {x : ASet | Quorum x}
H_b1_v2: consensus_blocking_quorum Quorum s b1 v2 Q12
v1 = v2
    destruct (QA Q_v1 Q12) as [a [Ha_Q1 Ha_Q12]%elem_of_intersection].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1: Value
b2: Ballot
v2: Value
H_lt: (b1 < b2)%Z
Q_v1: {x : ASet | Quorum x}
H_v1: allQuorum Quorum Q_v1
  (λ a : Acceptor, voted_for (s a) b1 v1)
Q_v2: {x : ASet | Quorum x}
H_v2: allQuorum Quorum Q_v2
  (λ a : Acceptor, voted_for (s a) b2 v2)
a2: Acceptor
Ha2: a2 ∈ `Q_v2
Q12: {x : ASet | Quorum x}
H_b1_v2: consensus_blocking_quorum Quorum s b1 v2 Q12
a: Acceptor
Ha_Q1: a ∈ `Q_v1
Ha_Q12: a ∈ `Q12
v1 = v2
    destruct H_b1_v2 as [_ H_b1_v2].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
b1: Ballot
v1: Value
b2: Ballot
v2: Value
H_lt: (b1 < b2)%Z
Q_v1: {x : ASet | Quorum x}
H_v1: allQuorum Quorum Q_v1
  (λ a : Acceptor, voted_for (s a) b1 v1)
Q_v2: {x : ASet | Quorum x}
H_v2: allQuorum Quorum Q_v2
  (λ a : Acceptor, voted_for (s a) b2 v2)
a2: Acceptor
Ha2: a2 ∈ `Q_v2
Q12: {x : ASet | Quorum x}
H_b1_v2: allQuorum Quorum Q12
  (λ a : Acceptor,
     voted_none_but (s a) b1 v2)
a: Acceptor
Ha_Q1: a ∈ `Q_v1
Ha_Q12: a ∈ `Q12
v1 = v2
    by apply (H_b1_v2 _ Ha_Q12) in H_v1.
Qed.

Lemma chosen_subsingleton :
  forall s,
    valid_state_prop (voting_vlsm Quorum) s ->
    forall v, v ∈ chosen s -> chosen s ≡ {[ v ]}.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → ∀ v : Value, v ∈ chosen s → chosen s ≡ {[v]}
Proof.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
∀ s : state (voting_vlsm Quorum),
  valid_state_prop (voting_vlsm Quorum) s
  → ∀ v : Value, v ∈ chosen s → chosen s ≡ {[v]}
  intros s Hs v Hv.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v: Value
Hv: v ∈ chosen s
chosen s ≡ {[v]}
  pose proof (Hsafe := voting_safe s Hs).Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v: Value
Hv: v ∈ chosen s
Hsafe: ∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  ballot_chose s b1 v1
  → ballot_chose s b2 v2 → v1 = v2
chosen s ≡ {[v]}
  rewrite set_equiv; intros x; rewrite elem_of_singleton.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v: Value
Hv: v ∈ chosen s
Hsafe: ∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  ballot_chose s b1 v1
  → ballot_chose s b2 v2 → v1 = v2
x: Value
x ∈ chosen s ↔ x = v
  split; [| by intros ->].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v: Value
Hv: v ∈ chosen s
Hsafe: ∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  ballot_chose s b1 v1
  → ballot_chose s b2 v2 → v1 = v2
x: Value
x ∈ chosen s → x = v
  intros Hx.Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v: Value
Hv: v ∈ chosen s
Hsafe: ∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  ballot_chose s b1 v1
  → ballot_chose s b2 v2 → v1 = v2
x: Value
Hx: x ∈ chosen s
x = v
  apply chosen_iff in Hv as [bv Hv].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v: Value
bv: Ballot
Hv: ballot_chose s bv v
Hsafe: ∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  ballot_chose s b1 v1
  → ballot_chose s b2 v2 → v1 = v2
x: Value
Hx: x ∈ chosen s
x = v
  apply chosen_iff in Hx as [bx Hx].Value, VSet: Type
H: ElemOf Value VSet
H0: Empty VSet
H1: Singleton Value VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements Value VSet
EqDecision0: EqDecision Value
H6: FinSet Value VSet
VSDec: RelDecision elem_of
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
IM:= λ _ : Acceptor, acceptor_vlsm: Acceptor → VLSM False
s: state (voting_vlsm Quorum)
Hs: valid_state_prop (voting_vlsm Quorum) s
v: Value
bv: Ballot
Hv: ballot_chose s bv v
Hsafe: ∀ (b1 : Ballot) (v1 : Value) 
  (b2 : Ballot) (v2 : Value),
  ballot_chose s b1 v1
  → ballot_chose s b2 v2 → v1 = v2
x: Value
bx: Ballot
Hx: ballot_chose s bx x
x = v
  by eapply Hsafe.
Qed.

End sec_voting_spec.

Section sec_voting_simulates_consensus.

Context
  (V : Type)
  (VSet : Type) `{FinSet V VSet}
  {VSDec : RelDecision (∈@{VSet})}
  (CV : VLSM False := consensus_vlsm V VSet)
  (Acceptor : Type) `{finite.Finite Acceptor}
  (ASet : Type) `{FinSet Acceptor ASet}
  (Quorum : ASet -> Prop) (QDec : forall Q, Decision (Quorum Q))
  (QA : forall (Q1 Q2 : sig Quorum), exists a, a ∈ `Q1 ∩ `Q2)
  (QClosed : Proper (subseteq ==> impl) Quorum)
  (VV := voting_vlsm V VSet Acceptor ASet Quorum)
  .

Lemma check_quorum (Q : ASet) : {Quorum Q} + {forall Q', Q' ⊆ Q -> ¬ Quorum Q'}.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
Q: ASet
{Quorum Q} + {∀ Q' : ASet, Q' ⊆ Q → ¬ Quorum Q'}
Proof.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
Q: ASet
{Quorum Q} + {∀ Q' : ASet, Q' ⊆ Q → ¬ Quorum Q'}
  by destruct (QDec Q); [left | right; intros Q' ->].
Defined.

Definition state_project (s : state VV) : state CV :=
  chosen V VSet Acceptor ASet Quorum QDec QClosed s.

Definition label_state_project (s : state VV) (l : label VV) : label CV :=
  let cs := state_project s in
  if decide (elements cs = [])
  then
    let s' := fst (transition VV l (s, None)) in
    match elements (state_project s') with
    | v :: _ => Some (Decided _ v)
    | _ => None
    end
  else None.

Context
  (H_VSet_L : LeibnizEquiv VSet)
  .

Lemma voting_step_in_consensus :
  forall l s om s' om',
    input_valid_transition (voting_vlsm _ VSet _ ASet Quorum) l (s, om) (s', om') ->
    valid_state_prop (consensus_vlsm _ VSet) (state_project s) ->
    input_valid_transition (consensus_vlsm _ VSet)
      (label_state_project s l) (state_project s, om) (state_project s', om').V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
∀ (l : label (voting_vlsm V VSet Acceptor ASet Quorum)) 
  (s : state (voting_vlsm V VSet Acceptor ASet Quorum)) 
  (om : option False) (s' : state
                              (voting_vlsm V VSet
                                 Acceptor ASet Quorum)) 
  (om' : option False),
  input_valid_transition
    (voting_vlsm V VSet Acceptor ASet Quorum) l
    (s, om) (s', om')
  → valid_state_prop (consensus_vlsm V VSet)
      (state_project s)
    → input_valid_transition (consensus_vlsm V VSet)
        (label_state_project s l)
        (state_project s, om) (state_project s', om')
Proof.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
∀ (l : label (voting_vlsm V VSet Acceptor ASet Quorum)) 
  (s : state (voting_vlsm V VSet Acceptor ASet Quorum)) 
  (om : option False) (s' : state
                              (voting_vlsm V VSet
                                 Acceptor ASet Quorum)) 
  (om' : option False),
  input_valid_transition
    (voting_vlsm V VSet Acceptor ASet Quorum) l
    (s, om) (s', om')
  → valid_state_prop (consensus_vlsm V VSet)
      (state_project s)
    → input_valid_transition (consensus_vlsm V VSet)
        (label_state_project s l)
        (state_project s, om) (state_project s', om')
  intros l s [] s' [] Ht H_proj_s; [done.. |].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
input_valid_transition (consensus_vlsm V VSet)
  (label_state_project s l) (state_project s, None)
  (state_project s', None)
  cut (let lc := label_state_project s l in
       match lc with Some (Decided _ _) => state_project s ≡ ∅ | None => True end
       /\ consensus_transition _ VSet lc (state_project s, None) = (state_project s', None)).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
(let lc := label_state_project s l in
 match lc with
 | Some (Decided _ _) => state_project s ≡ ∅
 | None => True
 end
 ∧ consensus_transition V VSet lc
     (state_project s, None) =
   (state_project s', None))
→ input_valid_transition (consensus_vlsm V VSet)
    (label_state_project s l) (state_project s, None)
    (state_project s', None)
V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
let lc := label_state_project s l in
match lc with
| Some (Decided _ _) => state_project s ≡ ∅
| None => True
end
∧ consensus_transition V VSet lc
    (state_project s, None) = (
  state_project s', None)
  {V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
(let lc := label_state_project s l in
 match lc with
 | Some (Decided _ _) => state_project s ≡ ∅
 | None => True
 end
 ∧ consensus_transition V VSet lc
     (state_project s, None) =
   (state_project s', None))
→ input_valid_transition (consensus_vlsm V VSet)
    (label_state_project s l) (state_project s, None)
    (state_project s', None)
    pose proof (option_valid_message_None (consensus_vlsm V VSet)).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
H16: option_valid_message_prop
  (consensus_vlsm V VSet) None
(let lc := label_state_project s l in
 match lc with
 | Some (Decided _ _) => state_project s ≡ ∅
 | None => True
 end
 ∧ consensus_transition V VSet lc
     (state_project s, None) =
   (state_project s', None))
→ input_valid_transition (consensus_vlsm V VSet)
    (label_state_project s l) (state_project s, None)
    (state_project s', None)
    by intros NewGoal; repeat split; [| | apply NewGoal..].
  }V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
let lc := label_state_project s l in
match lc with
| Some (Decided _ _) => state_project s ≡ ∅
| None => True
end
∧ consensus_transition V VSet lc
    (state_project s, None) = (state_project s', None)
  apply input_valid_transition_origin in Ht as Hs.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
let lc := label_state_project s l in
match lc with
| Some (Decided _ _) => state_project s ≡ ∅
| None => True
end
∧ consensus_transition V VSet lc
    (state_project s, None) = (state_project s', None)
  apply input_valid_transition_destination in Ht as Hs'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
let lc := label_state_project s l in
match lc with
| Some (Decided _ _) => state_project s ≡ ∅
| None => True
end
∧ consensus_transition V VSet lc
    (state_project s, None) = (state_project s', None)
  pose proof (Hs_safe := voting_safe _ VSet _ ASet Quorum QA QClosed s Hs).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
let lc := label_state_project s l in
match lc with
| Some (Decided _ _) => state_project s ≡ ∅
| None => True
end
∧ consensus_transition V VSet lc
    (state_project s, None) = (state_project s', None)
  pose proof (Hs'_safe := voting_safe _ VSet _ ASet Quorum QA QClosed s' Hs').V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
let lc := label_state_project s l in
match lc with
| Some (Decided _ _) => state_project s ≡ ∅
| None => True
end
∧ consensus_transition V VSet lc
    (state_project s, None) = (state_project s', None)
  pose proof (Hchoice_stable := choice_stable _ VSet _ ASet Quorum _ _ _ _ _ Ht).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
let lc := label_state_project s l in
match lc with
| Some (Decided _ _) => state_project s ≡ ∅
| None => True
end
∧ consensus_transition V VSet lc
    (state_project s, None) = (state_project s', None)
  intro lc_def; remember lc_def as lc; subst lc_def; revert Heqlc.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
lc = label_state_project s l
→ match lc with
  | Some (Decided _ _) => state_project s ≡ ∅
  | None => True
  end
  ∧ consensus_transition V VSet lc
      (state_project s, None) =
    (state_project s', None)
  unfold label_state_project.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
lc =
(if decide (elements (state_project s) = [])
 then
  match
    elements
      (state_project (transition l (s, None)).1)
  with
  | [] => None
  | v :: _ => Some (Decided V v)
  end
 else None)
→ match lc with
  | Some (Decided _ _) => state_project s ≡ ∅
  | None => True
  end
  ∧ consensus_transition V VSet lc
      (state_project s, None) =
    (state_project s', None)
  replace (transition VV l _) with (s', @None False) by (symmetry; apply Ht).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
lc =
(if decide (elements (state_project s) = [])
 then
  match elements (state_project (s', None).1) with
  | [] => None
  | v :: _ => Some (Decided V v)
  end
 else None)
→ match lc with
  | Some (Decided _ _) => state_project s ≡ ∅
  | None => True
  end
  ∧ consensus_transition V VSet lc
      (state_project s, None) =
    (state_project s', None)
  simpl.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
lc =
(if decide (elements (state_project s) = [])
 then
  match elements (state_project s') with
  | [] => None
  | v :: _ => Some (Decided V v)
  end
 else None)
→ match lc with
  | Some (Decided _ _) => state_project s ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) =>
        ({[v]} ∪ state_project s, None)
    | None => (state_project s, None)
    end = (state_project s', None)
  remember (state_project s) as cs eqn:H_eqn_cs; cbn in cs.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
lc =
(if decide (elements cs = [])
 then
  match elements (state_project s') with
  | [] => None
  | v :: _ => Some (Decided V v)
  end
 else None)
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (state_project s', None)
  remember (state_project s') as cs' eqn:H_eqn_cs'; cbn in cs'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
lc =
(if decide (elements cs = [])
 then
  match elements cs' with
  | [] => None
  | v :: _ => Some (Decided V v)
  end
 else None)
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (cs', None)
  destruct (decide (elements cs = [])) as [Hcs | Hcs]; [destruct (elements cs') eqn: Hcs' |].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
Hcs': elements cs' = []
lc = None
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (cs', None)
V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
v: V
l0: list V
Hcs': elements cs' = v :: l0
lc = Some (Decided V v)
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (cs', None)
V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs ≠ []
lc = None
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (cs', None)
  -V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
Hcs': elements cs' = []
lc = None
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (cs', None) intros ->; simpl.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
Hcs': elements cs' = []
True ∧ (cs, None) = (cs', None)
    split; [done |].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
Hcs': elements cs' = []
(cs, None) = (cs', None)
    simpl; f_equal; apply leibniz_equiv_iff.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
Hcs': elements cs' = []
cs ≡ cs'
    apply elements_empty_iff in Hcs, Hcs'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
Hcs': cs' ≡ ∅
cs ≡ cs'
    by etransitivity.
  -V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
v: V
l0: list V
Hcs': elements cs' = v :: l0
lc = Some (Decided V v)
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (cs', None) intros ->; simpl.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs = []
v: V
l0: list V
Hcs': elements cs' = v :: l0
cs ≡ ∅ ∧ ({[v]} ∪ cs, None) = (cs', None)
    apply elements_empty_iff in Hcs.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
cs ≡ ∅ ∧ ({[v]} ∪ cs, None) = (cs', None)
    split; [done |].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
({[v]} ∪ cs, None) = (cs', None)
    f_equal; apply leibniz_equiv_iff.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
{[v]} ∪ cs ≡ cs'
    rewrite Hcs, right_id by (apply union_empty_r).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
{[v]} ≡ cs'
    assert (v ∈ cs') as Hv_cs'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
v ∈ cs'
V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
Hv_cs': v ∈ cs'
{[v]} ≡ cs'
    {V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
v ∈ cs'
      apply elem_of_elements.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
v ∈ elements cs'
      rewrite Hcs'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
v ∈ v :: l0
      by apply elem_of_list_here.
    }V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
Hv_cs': v ∈ cs'
{[v]} ≡ cs'
    symmetry.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
Hv_cs': v ∈ cs'
cs' ≡ {[v]}
    unfold state_project in H_eqn_cs'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' =
chosen V VSet Acceptor ASet Quorum QDec
  QClosed s'
Hcs: cs ≡ ∅
v: V
l0: list V
Hcs': elements cs' = v :: l0
Hv_cs': v ∈ cs'
cs' ≡ {[v]}
    subst cs'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
Hcs: cs ≡ ∅
v: V
l0: list V
Hv_cs': v
∈ chosen V VSet Acceptor ASet Quorum QDec
    QClosed s'
Hcs': elements
  (chosen V VSet Acceptor ASet Quorum QDec
     QClosed s') = v :: l0
chosen V VSet Acceptor ASet Quorum QDec QClosed s'
≡ {[v]}
    by apply chosen_subsingleton.
  -V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
lc: label CV
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs ≠ []
lc = None
→ match lc with
  | Some (Decided _ _) => cs ≡ ∅
  | None => True
  end
  ∧ match lc with
    | Some (Decided _ v) => ({[v]} ∪ cs, None)
    | None => (cs, None)
    end = (cs', None) intros ->; simpl.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs ≠ []
True ∧ (cs, None) = (cs', None)
    split; [done |].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs ≠ []
(cs, None) = (cs', None)
    f_equal; apply leibniz_equiv_iff.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: elements cs ≠ []
cs ≡ cs'
    rewrite elements_empty_iff in Hcs.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
Hcs: cs ≢ ∅
cs ≡ cs'
    apply set_choose in Hcs as [v Hv].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
cs ≡ cs'
    assert (v ∈ cs') as Hv'.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
v ∈ cs'
V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
Hv': v ∈ cs'
cs ≡ cs'
    {V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
v ∈ cs'
      subst cs cs'; unfold state_project in *.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (chosen V VSet Acceptor ASet Quorum QDec
     QClosed s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
v: V
Hv: v
∈ chosen V VSet Acceptor ASet Quorum QDec QClosed
    s
v ∈ chosen V VSet Acceptor ASet Quorum QDec QClosed s'
      apply chosen_iff in Hv as [bv Hv]; [| done].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (chosen V VSet Acceptor ASet Quorum QDec
     QClosed s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
v: V
bv: Ballot
Hv: ballot_chose V VSet Acceptor ASet Quorum s bv v
v ∈ chosen V VSet Acceptor ASet Quorum QDec QClosed s'
      apply Hchoice_stable in Hv.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (chosen V VSet Acceptor ASet Quorum QDec
     QClosed s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
v: V
bv: Ballot
Hv: ballot_chose V VSet Acceptor ASet Quorum s' bv v
v ∈ chosen V VSet Acceptor ASet Quorum QDec QClosed s'
      apply chosen_iff; [done |].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
H_proj_s: valid_state_prop (consensus_vlsm V VSet)
  (chosen V VSet Acceptor ASet Quorum QDec
     QClosed s)
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
v: V
bv: Ballot
Hv: ballot_chose V VSet Acceptor ASet Quorum s' bv v
∃ b : Ballot,
  ballot_chose V VSet Acceptor ASet Quorum s' b v
      by exists bv.
    }V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
Hv': v ∈ cs'
cs ≡ cs'
    transitivity (@singleton _ _ H1 v); [| symmetry].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
Hv': v ∈ cs'
cs ≡ {[v]}
V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
Hv': v ∈ cs'
cs' ≡ {[v]}
    +V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
Hv': v ∈ cs'
cs ≡ {[v]} by subst cs; apply chosen_subsingleton.
    +V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
s, s': state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, None) (s', None)
cs: consensus_state VSet
H_eqn_cs: cs = state_project s
H_proj_s: valid_state_prop (consensus_vlsm V VSet) cs
Hs: valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s
Hs': valid_state_prop
  (voting_vlsm V VSet Acceptor ASet Quorum) s'
Hs_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum s
    b1 v1
  → ballot_chose V VSet Acceptor ASet Quorum
      s b2 v2 → v1 = v2
Hs'_safe: ∀ (b1 : Ballot) (v1 : V) 
  (b2 : Ballot) (v2 : V),
  ballot_chose V VSet Acceptor ASet Quorum
    s' b1 v1
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b2 v2 → v1 = v2
Hchoice_stable: ∀ (b : Ballot) (v : V),
  ballot_chose V VSet Acceptor ASet
    Quorum s b v
  → ballot_chose V VSet Acceptor ASet
      Quorum s' b v
cs': consensus_state VSet
H_eqn_cs': cs' = state_project s'
v: V
Hv: v ∈ cs
Hv': v ∈ cs'
cs' ≡ {[v]} by subst cs'; apply chosen_subsingleton.
Qed.

Lemma voting_initial_in_consensus :
  forall s,
    initial_state_prop (voting_vlsm _ VSet _ ASet Quorum) s ->
    initial_state_prop (consensus_vlsm _ VSet) (state_project s).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
∀ s : state (voting_vlsm V VSet Acceptor ASet Quorum),
  initial_state_prop s
  → initial_state_prop (state_project s)
Proof.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
∀ s : state (voting_vlsm V VSet Acceptor ASet Quorum),
  initial_state_prop s
  → initial_state_prop (state_project s)
  intros s Hs.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
initial_state_prop (state_project s)
  change (state_project s ≡ ∅).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
state_project s ≡ ∅
  apply elem_of_equiv_empty; intros v Hv.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
v: V
Hv: v ∈ state_project s
False
  apply chosen_iff in Hv as [bv Hv]; [| done].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
v: V
bv: Ballot
Hv: ballot_chose V VSet Acceptor ASet Quorum s bv v
False
  destruct Hv as [Q HvQ], (QA Q Q) as [a Ha].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
v: V
bv: Ballot
Q: {x : ASet | Quorum x}
HvQ: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor, voted_for V VSet (s a) bv v)
a: Acceptor
Ha: a ∈ `Q ∩ `Q
False
  lapply (HvQ a); [| by set_solver].V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
v: V
bv: Ballot
Q: {x : ASet | Quorum x}
HvQ: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor, voted_for V VSet (s a) bv v)
a: Acceptor
Ha: a ∈ `Q ∩ `Q
voted_for V VSet (s a) bv v → False
  unfold voted_for.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
v: V
bv: Ballot
Q: {x : ASet | Quorum x}
HvQ: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor, voted_for V VSet (s a) bv v)
a: Acceptor
Ha: a ∈ `Q ∩ `Q
v ∈ votes VSet (s a) !!! bv → False
  rewrite (Hs a); cbn.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
v: V
bv: Ballot
Q: {x : ASet | Quorum x}
HvQ: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor, voted_for V VSet (s a) bv v)
a: Acceptor
Ha: a ∈ `Q ∩ `Q
v ∈ ∅ !!! bv → False
  rewrite lookup_total_empty.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
v: V
bv: Ballot
Q: {x : ASet | Quorum x}
HvQ: allQuorum Acceptor ASet Quorum Q
  (λ a : Acceptor, voted_for V VSet (s a) bv v)
a: Acceptor
Ha: a ∈ `Q ∩ `Q
v ∈ inhabitant → False
  by apply elem_of_empty.
Qed.

Lemma voting_simulates_consensus :
  forall s,
    valid_state_prop (voting_vlsm _ VSet _ ASet Quorum) s ->
    valid_state_prop (consensus_vlsm _ VSet) (state_project s).V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
∀ s : state (voting_vlsm V VSet Acceptor ASet Quorum),
  valid_state_prop
    (voting_vlsm V VSet Acceptor ASet Quorum) s
  → valid_state_prop (consensus_vlsm V VSet)
      (state_project s)
Proof.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
∀ s : state (voting_vlsm V VSet Acceptor ASet Quorum),
  valid_state_prop
    (voting_vlsm V VSet Acceptor ASet Quorum) s
  → valid_state_prop (consensus_vlsm V VSet)
      (state_project s)
  intros s Hs; induction Hs using valid_state_prop_ind.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s': state (voting_vlsm V VSet Acceptor ASet Quorum)
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
om, om': option False
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, om) (s', om')
IHHs: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
valid_state_prop (consensus_vlsm V VSet)
  (state_project s')
  -V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
valid_state_prop (consensus_vlsm V VSet)
  (state_project s) apply initial_state_is_valid.V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Hs: initial_state_prop s
initial_state_prop (state_project s)
    by apply voting_initial_in_consensus.
  -V, VSet: Type
H: ElemOf V VSet
H0: Empty VSet
H1: Singleton V VSet
H2: Union VSet
H3: Intersection VSet
H4: Difference VSet
H5: Elements V VSet
EqDecision0: EqDecision V
H6: FinSet V VSet
VSDec: RelDecision elem_of
CV:= consensus_vlsm V VSet: VLSM False
Acceptor: Type
EqDecision1: EqDecision Acceptor
H7: finite.Finite Acceptor
ASet: Type
H8: ElemOf Acceptor ASet
H9: Empty ASet
H10: Singleton Acceptor ASet
H11: Union ASet
H12: Intersection ASet
H13: Difference ASet
H14: Elements Acceptor ASet
EqDecision2: EqDecision Acceptor
H15: FinSet Acceptor ASet
Quorum: ASet → Prop
QDec: ∀ Q : ASet, Decision (Quorum Q)
QA: ∀ Q1 Q2 : {x : ASet | Quorum x},
  ∃ a : Acceptor, a ∈ `Q1 ∩ `Q2
QClosed: Proper (subseteq ==> impl) Quorum
VV:= voting_vlsm V VSet Acceptor ASet Quorum: VLSM False
H_VSet_L: LeibnizEquiv VSet
s': state (voting_vlsm V VSet Acceptor ASet Quorum)
l: label (voting_vlsm V VSet Acceptor ASet Quorum)
om, om': option False
s: state (voting_vlsm V VSet Acceptor ASet Quorum)
Ht: input_valid_transition
  (voting_vlsm V VSet Acceptor ASet Quorum) l
  (s, om) (s', om')
IHHs: valid_state_prop (consensus_vlsm V VSet)
  (state_project s)
valid_state_prop (consensus_vlsm V VSet)
  (state_project s') by eapply input_valid_transition_destination, voting_step_in_consensus.
Qed.

End sec_voting_simulates_consensus.