import Mt.Reservation
import Mt.Task
import Mt.Utils.Nat
import Mt.Thread

namespace Sample

structure State: Type
State where
  x: State → Nat
x : Nat: Type
Nat
  y: State → Nat
y : Nat: Type
Nat

structure Reservation: Type
Reservation where
  luft: Reservation → Nat
luft  : Nat: Type
Nat               -- invariant : `x ≥ y + luft`
  min_x: Reservation → Mt.LowerBound
min_x : Mt.LowerBound: Type
Mt.LowerBound     -- invariant : `x ≥ min_x`

-- [begin] this block will be provided by a `derive` handler in the future --
-----------------------------------------------------------------------------
instance: Add Reservation
instance : Add: Type ?u.642 → Type ?u.642
Add Reservation: Type
Reservation :=⟨fun ⟨luft: Nat
luft, min_x: Mt.LowerBound
min_x⟩ ⟨luft': Nat
luft', min_x': Mt.LowerBound
min_x'⟩ => ⟨luft: Nat
luft + luft': Nat
luft', min_x: Mt.LowerBound
min_x + min_x': Mt.LowerBound
min_x'⟩⟩

private theorem Reservation.add_rw: ∀ (a b : Reservation), a + b = { luft := a.luft + b.luft, min_x := a.min_x + b.min_x }
Reservation.add_rw : ∀ a: Reservation
a b: Reservation
b : Reservation: Type
Reservation, a: Reservation
a + b: Reservation
b = ⟨a: Reservation
a.luft: Reservation → Nat
luft + b: Reservation
b.luft: Reservation → Nat
luft, a: Reservation
a.min_x: Reservation → Mt.LowerBound
min_x + b: Reservation
b.min_x: Reservation → Mt.LowerBound
min_x⟩ :=
  by 
∀ (a b : Reservation), a + b = { luft := a.luft + b.luft, min_x := a.min_x + b.min_x }introsa✝, b✝: Reservation

a✝ + b✝ = { luft := a✝.luft + b✝.luft, min_x := a✝.min_x + b✝.min_x } 
∀ (a b : Reservation), a + b = { luft := a.luft + b.luft, min_x := a.min_x + b.min_x };a✝, b✝: Reservation

a✝ + b✝ = { luft := a✝.luft + b✝.luft, min_x := a✝.min_x + b✝.min_x } 
∀ (a b : Reservation), a + b = { luft := a.luft + b.luft, min_x := a.min_x + b.min_x }rfl
Goals accomplished! 🐙

instance ReservationInstance: Mt.IsReservation Reservation
ReservationInstance : Mt.IsReservation: Type → Type
Mt.IsReservation Reservation: Type
Reservation where
  empty := ⟨Mt.IsReservation.empty: {T : Type} → [self : Mt.IsReservation T] → T
Mt.IsReservation.empty, Mt.IsReservation.empty: {T : Type} → [self : Mt.IsReservation T] → T
Mt.IsReservation.empty⟩
  assoc :=by 
∀ (a b c : Reservation), a + b + c = a + (b + c)introsa✝, b✝, c✝: Reservation

a✝ + b✝ + c✝ = a✝ + (b✝ + c✝) 
∀ (a b c : Reservation), a + b + c = a + (b + c);a✝, b✝, c✝: Reservation

a✝ + b✝ + c✝ = a✝ + (b✝ + c✝) 
∀ (a b c : Reservation), a + b + c = a + (b + c)simp only [Reservation.add_rw: ∀ (a b : Reservation), a + b = { luft := a.luft + b.luft, min_x := a.min_x + b.min_x }
Reservation.add_rw, Mt.IsReservation.toIsAssociative: {T : Type} → [self : Mt.IsReservation T] → Lean.IsAssociative HAdd.hAdd
Mt.IsReservation.toIsAssociative.assoc: ∀ {α : Sort ?u.1177} {op : α → α → α} [self : Lean.IsAssociative op] (a b c : α), op (op a b) c = op a (op b c)
assoc]
Goals accomplished! 🐙
  comm :=by 
∀ (a b : Reservation), a + b = b + aintrosa✝, b✝: Reservation

a✝ + b✝ = b✝ + a✝ 
∀ (a b : Reservation), a + b = b + a;a✝, b✝: Reservation

a✝ + b✝ = b✝ + a✝ 
∀ (a b : Reservation), a + b = b + asimp only [Reservation.add_rw: ∀ (a b : Reservation), a + b = { luft := a.luft + b.luft, min_x := a.min_x + b.min_x }
Reservation.add_rw, Mt.IsReservation.toIsCommutative: {T : Type} → [self : Mt.IsReservation T] → Lean.IsCommutative HAdd.hAdd
Mt.IsReservation.toIsCommutative.comm: ∀ {α : Sort ?u.1330} {op : α → α → α} [self : Lean.IsCommutative op] (a b : α), op a b = op b a
comm]
Goals accomplished! 🐙
  empty_add :=by 
∀ (t : Reservation), { luft := Mt.IsReservation.empty, min_x := Mt.IsReservation.empty } + t = tintrost✝: Reservation

{ luft := Mt.IsReservation.empty, min_x := Mt.IsReservation.empty } + t✝ = t✝ 
∀ (t : Reservation), { luft := Mt.IsReservation.empty, min_x := Mt.IsReservation.empty } + t = t;t✝: Reservation

{ luft := Mt.IsReservation.empty, min_x := Mt.IsReservation.empty } + t✝ = t✝ 
∀ (t : Reservation), { luft := Mt.IsReservation.empty, min_x := Mt.IsReservation.empty } + t = tsimp only [Reservation.add_rw: ∀ (a b : Reservation), a + b = { luft := a.luft + b.luft, min_x := a.min_x + b.min_x }
Reservation.add_rw, Mt.IsReservation.empty_add: ∀ {T : Type} [self : Mt.IsReservation T] (t : T), Mt.IsReservation.empty + t = t
Mt.IsReservation.empty_add]
Goals accomplished! 🐙

-----------------------------------------------------------------------------
-- [end] --------------------------------------------------------------------

def spec: Mt.Spec
spec : Mt.Spec: Type 1
Mt.Spec :={
  State: Type
State
  Reservation: Type
Reservation
  validate := fun ⟨luft: Nat
luft, min_x: Mt.LowerBound
min_x⟩ ⟨x: Nat
x, y: Nat
y⟩ => x: Nat
x ≥ y: Nat
y + luft: Nat
luft ∧ x: Nat
x ≥ min_x: Mt.LowerBound
min_x
}

open Mt
open Mt.TaskM

def thread1: Thread spec
thread1 : Thread: Spec → Type 1
Thread spec: Spec
spec :=mk_thread: {spec : Spec} → {T : Type} → TaskM spec T → Thread spec
mk_thread do
  -- increase x atomically
  atomic_read_modify: {spec : Spec} → (spec.State → spec.State) → TaskM spec Unit
atomic_read_modify λ s: ?m.2140
s => { s: ?m.2140
s with x := s: ?m.2140
s.x: State → Nat
x + 1: ?m.2146
1 }
  
  -- increase y atomically
  atomic_read_modify: {spec : Spec} → (spec.State → spec.State) → TaskM spec Unit
atomic_read_modify λ s: ?m.2212
s => { s: ?m.2212
s with y := s: ?m.2212
s.y: State → Nat
y + 1: ?m.2218
1 }

  let py: ?m.2274
py <- atomic_read: {spec : Spec} → {T : Type} → (spec.State → T) → TaskM spec T
atomic_read λ ⟨_, y: Nat
y⟩ => y: Nat
y
  let px: ?m.2297
px <- atomic_read: {spec : Spec} → {T : Type} → (spec.State → T) → TaskM spec T
atomic_read λ ⟨x: Nat
x, _⟩ => x: Nat
x

  atomic_assert: {spec : Spec} → (spec.State → Bool) → TaskM spec Unit
atomic_assert fun _: ?m.2302
_ => px: ?m.2297
px ≥ py: ?m.2274
py

theorem thread1_valid: Thread.valid thread1
thread1_valid : thread1: Thread spec
thread1.valid: {spec : Spec} → Thread spec → Prop
valid :=by
  
Thread.valid thread1rw [
Thread.valid thread1Thread.valid: {spec : Spec} → Thread spec → Prop
Thread.valid
valid thread1.task IsReservation.empty thread1.block_until fun x r => r = IsReservation.empty]
valid thread1.task IsReservation.empty thread1.block_until fun x r => r = IsReservation.empty
  
Thread.valid thread1apply valid_bind: ∀ {spec : Spec} {U V : Type} {mu : TaskM spec U} {f : U → TaskM spec V} {r : spec.Reservation}
  {assuming : spec.State → Bool} {motive : V → spec.Reservation → Prop} (motive_u : U → spec.Reservation → Prop),
  valid mu r assuming motive_u →
    (∀ (r' : spec.Reservation) (u : U), motive_u u r' → valid (f u) r' (fun x => true) motive) →
      valid (mu >>= f) r assuming motive
valid_bind λ _: ?m.2912
_ (r: spec.Reservation
r : spec: Spec
spec.Reservation: Spec → Type
Reservation) => r: spec.Reservation
r.luft: Reservation → Nat
luft = 1: ?m.2919
1
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1.
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1 -- validate ++x
    ---------------
    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyapply valid_rm: ∀ {spec : Spec} {f : spec.State → spec.State} {r : spec.Reservation} {assuming : spec.State → Bool}
  {motive : Unit → spec.Reservation → Prop},
  (∀ (env_r : spec.Reservation) (s : spec.State),
      assuming s = true →
        Spec.validate spec (env_r + r) s →
          ∃ r',
            let s' := f s;
            Spec.validate spec (env_r + r') s' ∧ motive PUnit.unit r') →
    valid (atomic_read_modify f) r assuming motive
valid_rm
mu_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  Thread.block_until thread1 s = true →
    Spec.validate spec (env_r + IsReservation.empty) s →
      ∃ r',
        let s' := { x := s.x + 1, y := s.y };
        Spec.validate spec (env_r + r') s' ∧ r'.luft = 1
    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyintro ⟨env_luft: Nat
env_luft, env_min_x: LowerBound
env_min_x⟩ ⟨x: Nat
x, y: Nat
y⟩ _: Thread.block_until thread1 { x := x, y := y } = true
_ initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }
initial_validenv_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid∃ r',
  let s' := { x := { x := x, y := y }.x + 1, y := { x := x, y := y }.y };
  Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + r') s' ∧ r'.luft = 1
    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyexists ⟨1: ?m.3202
1, (0: ?m.3212
0 : Nat: Type
Nat)⟩env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_validlet s' := { x := { x := x, y := y }.x + 1, y := { x := x, y := y }.y };
Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := 0 }) s' ∧   { luft := 1, min_x := 0 }.luft = 1
    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptysimp only [and_true: ∀ (p : Prop), (p ∧ True) = p
and_true]env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := 0 }) { x := x + 1, y := y }

    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyhave : x: Nat
x ≥ y: Nat
y + env_luft: Nat
env_luft ∧ x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: LowerBound
env_min_x 0: ?m.3548
0 :=initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }
initial_validenv_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

this: x ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0

mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := 0 }) { x := x + 1, y := y }
    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyshow x: Nat
x + 1: ?m.3580
1 ≥ y: Nat
y + (env_luft: Nat
env_luft + 1: ?m.3598
1) ∧ x: Nat
x + 1: ?m.3673
1 ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: LowerBound
env_min_x 0: ?m.3685
0env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

this: x ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0

mu_valid.f_validx + 1 ≥ y + (env_luft + 1) ∧ x + 1 ≥ Nat.max env_min_x 0

    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptycases this: x ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0
thisenv_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.introx + 1 ≥ y + (env_luft + 1) ∧ x + 1 ≥ Nat.max env_min_x 0 
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty;env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.introx + 1 ≥ y + (env_luft + 1) ∧ x + 1 ≥ Nat.max env_min_x 0 
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyconstructorenv_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.leftx + 1 ≥ y + (env_luft + 1)
env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightx + 1 ≥ Nat.max env_min_x 0
    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty.env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.leftx + 1 ≥ y + (env_luft + 1) env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.leftx + 1 ≥ y + (env_luft + 1)
env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightx + 1 ≥ Nat.max env_min_x 0show y: Nat
y + (env_luft: Nat
env_luft + 1: ?m.3785
1) ≤ x: Nat
x + 1: ?m.3800
1env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.lefty + (env_luft + 1) ≤ x + 1
      env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.leftx + 1 ≥ y + (env_luft + 1)
env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightx + 1 ≥ Nat.max env_min_x 0calc
        _: ?m.3876
_ = y: Nat
y + env_luft: Nat
env_luft + 1: ?m.3885
1 :=rfl: ∀ {α : Sort ?u.3933} {a : α}, a = a
rfl
        _: ?m.3942
_ ≤ x: Nat
x + 1: ?m.3948
1            :=Nat.succ_le_succ: ∀ {n m : Nat}, n ≤ m → Nat.succ n ≤ Nat.succ m
Nat.succ_le_succ (env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.lefty + (env_luft + 1) ≤ x + 1by env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

Nat.add (y + env_luft) 0 ≤ xassumption
Goals accomplished! 🐙)
Goals accomplished! 🐙
    
mu_validvalid (atomic_read_modify fun s => { x := s.x + 1, y := s.y }) IsReservation.empty thread1.block_until fun x r =>
  r.luft = 1
f_valid∀ (r' : spec.Reservation),
  Unit →
    r'.luft = 1 →
      valid
        (do
          atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty.env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightx + 1 ≥ Nat.max env_min_x 0 env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightx + 1 ≥ Nat.max env_min_x 0show Nat.max: Nat → Nat → Nat
Nat.max env_min_x: LowerBound
env_min_x 0: ?m.4225
0 ≤ x: Nat
x + 1: ?m.4231
1env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightNat.max env_min_x 0 ≤ x + 1
      env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightx + 1 ≥ Nat.max env_min_x 0exact calc
        _: ?m.4268
_ ≤ x: Nat
x     :=env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

mu_valid.f_valid.intro.rightNat.max env_min_x 0 ≤ x + 1by env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + IsReservation.empty) { x := x, y := y }

Nat.max env_min_x 0 ≤ xassumption
Goals accomplished! 🐙
        x: Nat
x ≤ x: Nat
x + 1: ?m.4279
1 :=Nat.le_succ: ∀ (n : Nat), n ≤ Nat.succ n
Nat.le_succ _: Nat
_
Goals accomplished! 🐙
  
  
Thread.valid thread1intro ⟨luft: Nat
luft, min_x: LowerBound
min_x⟩ ⟨⟩ luft_def: { luft := luft, min_x := min_x }.luft = 1
luft_defluft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_validvalid
  (do
    atomic_read_modify fun s => { x := s.x, y := s.y + 1 }
    let py ←
      atomic_read fun x =>
          match x with
          | { x := x, y := y } => y
    let px ←
      atomic_read fun x =>
          match x with
          | { x := x, y := y } => x
    atomic_assert fun x => decide (px ≥ py))
  { luft := luft, min_x := min_x } (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1apply valid_bind: ∀ {spec : Spec} {U V : Type} {mu : TaskM spec U} {f : U → TaskM spec V} {r : spec.Reservation}
  {assuming : spec.State → Bool} {motive : V → spec.Reservation → Prop} (motive_u : U → spec.Reservation → Prop),
  valid mu r assuming motive_u →
    (∀ (r' : spec.Reservation) (u : U), motive_u u r' → valid (f u) r' (fun x => true) motive) →
      valid (mu >>= f) r assuming motive
valid_bind λ _: ?m.4510
_ _: ?m.4513
_ => True: Prop
Trueluft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1.luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True -- validate ++y knowing luft = 1
    --------------------------------
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyhave luft_def: luft = 1
luft_def : luft: Nat
luft = 1: ?m.4556
1 :=luft_def: { luft := luft, min_x := min_x }.luft = 1
luft_defluft: Nat

min_x: LowerBound

luft_def: luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyapply valid_rm: ∀ {spec : Spec} {f : spec.State → spec.State} {r : spec.Reservation} {assuming : spec.State → Bool}
  {motive : Unit → spec.Reservation → Prop},
  (∀ (env_r : spec.Reservation) (s : spec.State),
      assuming s = true →
        Spec.validate spec (env_r + r) s →
          ∃ r',
            let s' := f s;
            Spec.validate spec (env_r + r') s' ∧ motive PUnit.unit r') →
    valid (atomic_read_modify f) r assuming motive
valid_rmluft: Nat

min_x: LowerBound

luft_def: luft = 1

f_valid.mu_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  true = true →
    Spec.validate spec (env_r + { luft := luft, min_x := min_x }) s →
      ∃ r',
        let s' := { x := s.x, y := s.y + 1 };
        Spec.validate spec (env_r + r') s' ∧ True
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyintro ⟨env_luft: Nat
env_luft, env_min_x: LowerBound
env_min_x⟩ ⟨x: Nat
x, y: Nat
y⟩ _: true = true
_ initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }
initial_validluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid∃ r',
  let s' := { x := { x := x, y := y }.x, y := { x := x, y := y }.y + 1 };
  Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + r') s' ∧ True
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyexists ⟨0: ?m.4778
0, min_x: LowerBound
min_x⟩luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_validlet s' := { x := { x := x, y := y }.x, y := { x := x, y := y }.y + 1 };
Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := min_x }) s' ∧ True
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptysimp only [and_true: ∀ (p : Prop), (p ∧ True) = p
and_true]luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := min_x }) { x := x, y := y + 1 }
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyrw [luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := min_x }) { x := x, y := y + 1 }luft_def: luft = 1
luft_defluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := min_x }) { x := x, y := y + 1 }]luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := min_x }) { x := x, y := y + 1 } at initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }
initial_validluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := min_x }) { x := x, y := y + 1 }

    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyhave : x: Nat
x ≥ y: Nat
y + env_luft: Nat
env_luft + 1: ?m.5027
1 ∧ x: Nat
x ≥ env_min_x: LowerBound
env_min_x + min_x: LowerBound
min_x :=initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }
initial_validluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

this: x ≥ y + env_luft + 1 ∧ x ≥ env_min_x + min_x

f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := min_x }) { x := x, y := y + 1 }
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyshow x: Nat
x ≥ y: Nat
y + 1: ?m.5169
1 + env_luft: Nat
env_luft ∧ x: Nat
x ≥ env_min_x: LowerBound
env_min_x + min_x: LowerBound
min_xluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

this: x ≥ y + env_luft + 1 ∧ x ≥ env_min_x + min_x

f_valid.mu_valid.f_validx ≥ y + 1 + env_luft ∧ x ≥ env_min_x + min_x

    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptycases this: x ≥ y + env_luft + 1 ∧ x ≥ env_min_x + min_x
thisluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.introx ≥ y + 1 + env_luft ∧ x ≥ env_min_x + min_x luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty;luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.introx ≥ y + 1 + env_luft ∧ x ≥ env_min_x + min_x luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.emptyconstructorluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luft
luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.rightx ≥ env_min_x + min_x luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.introx ≥ y + 1 + env_luft ∧ x ≥ env_min_x + min_x<;>luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luft
luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.rightx ≥ env_min_x + min_x luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.introx ≥ y + 1 + env_luft ∧ x ≥ env_min_x + min_xtry luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luftassumption
Goals accomplished! 🐙
    luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.mu_validvalid (atomic_read_modify fun s => { x := s.x, y := s.y + 1 }) { luft := luft, min_x := min_x } (fun x => true)
  fun x x => True
luft: Nat

min_x: LowerBound

luft_def: { luft := luft, min_x := min_x }.luft = 1

f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty.luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luft luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luftshow x: Nat
x ≥ y: Nat
y + 1: ?m.5483
1 + env_luft: Nat
env_luftluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luft
      luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luftrw [luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luftNat.add_right_comm: ∀ (n m k : Nat), n + m + k = n + k + m
Nat.add_right_commluft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft + 1]luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft + 1 luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luft;luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft + 1 luft: Nat

min_x: LowerBound

luft_def: luft = 1

env_luft: Nat

env_min_x: LowerBound

x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 1, min_x := min_x }) { x := x, y := y }

f_valid.mu_valid.f_valid.intro.leftx ≥ y + 1 + env_luftassumption
Goals accomplished! 🐙
  
  
Thread.valid thread1clear luft: Nat
luft min_x: LowerBound
min_x luft_def: { luft := luft, min_x := min_x }.luft = 1
luft_def
f_valid.f_valid∀ (r' : spec.Reservation),
  Unit →
    True →
      valid
        (do
          let py ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => y
          let px ←
            atomic_read fun x =>
                match x with
                | { x := x, y := y } => x
          atomic_assert fun x => decide (px ≥ py))
        r' (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1intro ⟨luft: Nat
luft, min_x: LowerBound
min_x⟩ ⟨⟩ ⟨⟩luft: Nat

min_x: LowerBound

f_valid.f_validvalid
  (do
    let py ←
      atomic_read fun x =>
          match x with
          | { x := x, y := y } => y
    let px ←
      atomic_read fun x =>
          match x with
          | { x := x, y := y } => x
    atomic_assert fun x => decide (px ≥ py))
  { luft := luft, min_x := min_x } (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1apply valid_bind: ∀ {spec : Spec} {U V : Type} {mu : TaskM spec U} {f : U → TaskM spec V} {r : spec.Reservation}
  {assuming : spec.State → Bool} {motive : V → spec.Reservation → Prop} (motive_u : U → spec.Reservation → Prop),
  valid mu r assuming motive_u →
    (∀ (r' : spec.Reservation) (u : U), motive_u u r' → valid (f u) r' (fun x => true) motive) →
      valid (mu >>= f) r assuming motive
valid_bind (spec :=spec: Spec
spec) λ y: ?m.5852
y ⟨_, min_x: LowerBound
min_x⟩ => min_x: LowerBound
min_x = y: ?m.5852
yluft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1.luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y -- validate `let py = y` with `min_x := py`
    -------------------------------------------
    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptyapply valid_read: ∀ {spec : Spec} {T : Type} {f : spec.State → T} {r : spec.Reservation} {assuming : spec.State → Bool}
  {motive : T → spec.Reservation → Prop},
  (∀ (env_r : spec.Reservation) (s : spec.State),
      assuming s = true →
        Spec.validate spec (env_r + r) s →
          ∃ r',
            let t := f s;
            Spec.validate spec (env_r + r') s ∧ motive t r') →
    valid (atomic_read f) r assuming motive
valid_readluft: Nat

min_x: LowerBound

f_valid.f_valid.mu_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  true = true →
    Spec.validate spec (env_r + { luft := luft, min_x := min_x }) s →
      ∃ r',
        let t :=
          match s with
          | { x := x, y := y } => y;
        Spec.validate spec (env_r + r') s ∧           match r' with
          | { luft := luft, min_x := min_x } => min_x = t
    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptyintro ⟨env_luft: Nat
env_luft, (env_min_x: Nat
env_min_x : Nat)⟩ ⟨x: Nat
x, y: Nat
y⟩ _: true = true
_ initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }
initial_validluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid∃ r',
  let t :=
    match { x := x, y := y } with
    | { x := x, y := y } => y;
  Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + r') { x := x, y := y } ∧     match r' with
    | { luft := luft, min_x := min_x } => min_x = t
    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptyexists ⟨0: ?m.6220
0, y: Nat
y⟩luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_validlet t :=
  match { x := x, y := y } with
  | { x := x, y := y } => y;
Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := y }) { x := x, y := y } ∧   match { luft := 0, min_x := y } with
  | { luft := luft, min_x := min_x } => min_x = t
    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptysimp only [and_true: ∀ (p : Prop), (p ∧ True) = p
and_true]luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := y }) { x := x, y := y }

    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptyhave : x: Nat
x ≥ y: Nat
y + (env_luft: Nat
env_luft + luft: Nat
luft) ∧ x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x min_x: LowerBound
min_x :=initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }
initial_validluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ y + (env_luft + luft) ∧ x ≥ Nat.max env_min_x min_x

f_valid.f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := y }) { x := x, y := y }
    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptyshow x: Nat
x ≥ y: Nat
y + env_luft: Nat
env_luft ∧ x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x y: Nat
yluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ y + (env_luft + luft) ∧ x ≥ Nat.max env_min_x min_x

f_valid.f_valid.mu_valid.f_validx ≥ y + env_luft ∧ x ≥ Nat.max env_min_x y

    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptycases this: x ≥ y + (env_luft + luft) ∧ x ≥ Nat.max env_min_x min_x
thisluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.introx ≥ y + env_luft ∧ x ≥ Nat.max env_min_x y luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.empty;luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.introx ≥ y + env_luft ∧ x ≥ Nat.max env_min_x y luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.emptyconstructorluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft
luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x y
    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.empty.luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft
luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x yshow y: Nat
y + env_luft: Nat
env_luft ≤ x: Nat
xluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.lefty + env_luft ≤ x
      luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft
luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x yexact calc
        y: Nat
y + env_luft: Nat
env_luft ≤ y: Nat
y + (env_luft: Nat
env_luft + luft: Nat
luft) :=luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.lefty + env_luft ≤ xby luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

y + env_luft ≤ y + (env_luft + luft)simp_arith
Goals accomplished! 🐙
                   _: ?m.6867
_ ≤ x: Nat
x                     :=luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.lefty + env_luft ≤ xby luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

y + (env_luft + luft) ≤ xassumption
Goals accomplished! 🐙
    luft: Nat

min_x: LowerBound

f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => y)
  { luft := luft, min_x := min_x } (fun x => true) fun y x =>
  match x with
  | { luft := luft, min_x := min_x } => min_x = y
luft: Nat

min_x: LowerBound

f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.empty.luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x y luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x yshow Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x y: Nat
y ≤ x: Nat
xluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightNat.max env_min_x y ≤ x
      luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x yapply Utils.Nat.max_le: ∀ {a b c : Nat}, Nat.max a b ≤ c ↔ a ≤ c ∧ b ≤ c
Utils.Nat.max_le.mpr: ∀ {a b : Prop}, (a ↔ b) → b → a
mprluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightenv_min_x ≤ x ∧ y ≤ x luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x y;luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightenv_min_x ≤ x ∧ y ≤ x luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x yconstructorluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.leftenv_min_x ≤ x
luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ x
      luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x y.luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.leftenv_min_x ≤ x luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.leftenv_min_x ≤ x
luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ xshow env_min_x: Nat
env_min_x ≤ x: Nat
xluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.leftenv_min_x ≤ x
        luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.leftenv_min_x ≤ x
luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ xrename x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x min_x: LowerBound
min_x => hluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

h: x ≥ Nat.max env_min_x min_x

f_valid.f_valid.mu_valid.f_valid.intro.right.leftenv_min_x ≤ x
        luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.leftenv_min_x ≤ x
luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ xexact (Utils.Nat.max_le: ∀ {a b c : Nat}, Nat.max a b ≤ c ↔ a ≤ c ∧ b ≤ c
Utils.Nat.max_le.mp: ∀ {a b : Prop}, (a ↔ b) → a → b
mp h: ?m.6732
h).left: ∀ {a b : Prop}, a ∧ b → a
left
Goals accomplished! 🐙
      luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ Nat.max env_min_x y.luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ x luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ xshow y: Nat
y ≤ x: Nat
xluft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ x
        luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ xexact calc
          y: Nat
y ≤ y: Nat
y + (env_luft: Nat
env_luft + luft: Nat
luft) :=luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ xby luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

y ≤ y + (env_luft + luft)simp_arith
Goals accomplished! 🐙
          _: ?m.7336
_ ≤ x: Nat
x                     :=luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.mu_valid.f_valid.intro.right.righty ≤ xby luft: Nat

min_x: LowerBound

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

y + (env_luft + luft) ≤ xassumption
Goals accomplished! 🐙

  
Thread.valid thread1clear luft: Nat
luft min_x: LowerBound
min_x
f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : LowerBound),
  (match r' with
    | { luft := luft, min_x := min_x } => min_x = u) →
    valid
      (do
        let px ←
          atomic_read fun x =>
              match x with
              | { x := x, y := y } => x
        atomic_assert fun x => decide (px ≥ u))
      r' (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1intro ⟨luft: Nat
luft, min_x: LowerBound
min_x⟩ (py: Nat
py : Nat) min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py
min_x_defluft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_validvalid
  (do
    let px ←
      atomic_read fun x =>
          match x with
          | { x := x, y := y } => x
    atomic_assert fun x => decide (px ≥ py))
  { luft := luft, min_x := min_x } (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1apply valid_bind: ∀ {spec : Spec} {U V : Type} {mu : TaskM spec U} {f : U → TaskM spec V} {r : spec.Reservation}
  {assuming : spec.State → Bool} {motive : V → spec.Reservation → Prop} (motive_u : U → spec.Reservation → Prop),
  valid mu r assuming motive_u →
    (∀ (r' : spec.Reservation) (u : U), motive_u u r' → valid (f u) r' (fun x => true) motive) →
      valid (mu >>= f) r assuming motive
valid_bind (spec :=spec: Spec
spec)
    λ x: ?m.7881
x (r: Reservation
r : Reservation: Type
Reservation) => x: ?m.7881
x ≥ py: Nat
py ∧ r: Reservation
r = IsReservation.empty: {T : Type} → [self : IsReservation T] → T
IsReservation.emptyluft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1.luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty -- validate `let px = x` knowing min_x = py
    -------------------------------------------
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyhave min_x_def: min_x = py
min_x_def : min_x: LowerBound
min_x = py: Nat
py :=min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py
min_x_defluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyapply valid_read: ∀ {spec : Spec} {T : Type} {f : spec.State → T} {r : spec.Reservation} {assuming : spec.State → Bool}
  {motive : T → spec.Reservation → Prop},
  (∀ (env_r : spec.Reservation) (s : spec.State),
      assuming s = true →
        Spec.validate spec (env_r + r) s →
          ∃ r',
            let t := f s;
            Spec.validate spec (env_r + r') s ∧ motive t r') →
    valid (atomic_read f) r assuming motive
valid_readluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

f_valid.f_valid.f_valid.mu_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  true = true →
    Spec.validate spec (env_r + { luft := luft, min_x := min_x }) s →
      ∃ r',
        let t :=
          match s with
          | { x := x, y := y } => x;
        Spec.validate spec (env_r + r') s ∧ t ≥ py ∧ r' = IsReservation.empty
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyintro ⟨env_luft: Nat
env_luft, (env_min_x: Nat
env_min_x : Nat)⟩ ⟨x: Nat
x, y: Nat
y⟩ _: true = true
_ initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }
initial_validluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid∃ r',
  let t :=
    match { x := x, y := y } with
    | { x := x, y := y } => x;
  Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + r') { x := x, y := y } ∧     t ≥ py ∧ r' = IsReservation.empty
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyexists ⟨0: ?m.8178
0, (0: ?m.8188
0 : Nat: Type
Nat)⟩luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_validlet t :=
  match { x := x, y := y } with
  | { x := x, y := y } => x;
Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := 0 }) { x := x, y := y } ∧   t ≥ py ∧ { luft := 0, min_x := 0 } = IsReservation.empty
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptysimp only [and_true: ∀ (p : Prop), (p ∧ True) = p
and_true, IsReservation.empty: {T : Type} → [self : IsReservation T] → T
IsReservation.empty]luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := 0 }) { x := x, y := y } ∧ x ≥ py

    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyhave : x: Nat
x ≥ y: Nat
y + (env_luft: Nat
env_luft + luft: Nat
luft) ∧ x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x min_x: LowerBound
min_x :=initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }
initial_validluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ y + (env_luft + luft) ∧ x ≥ Nat.max env_min_x min_x

f_valid.f_valid.f_valid.mu_valid.f_validSpec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := 0, min_x := 0 }) { x := x, y := y } ∧ x ≥ py
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyshow (x: Nat
x ≥ y: Nat
y + env_luft: Nat
env_luft ∧ x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x 0: ?m.8693
0) ∧ x: Nat
x ≥ py: Nat
pyluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ y + (env_luft + luft) ∧ x ≥ Nat.max env_min_x min_x

f_valid.f_valid.f_valid.mu_valid.f_valid(x ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0) ∧ x ≥ py
    
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptycases this: x ≥ y + (env_luft + luft) ∧ x ≥ Nat.max env_min_x min_x
thisluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro(x ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0) ∧ x ≥ py luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.empty;luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro(x ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0) ∧ x ≥ py luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyconstructorluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ py luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.empty;luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.leftx ≥ y + env_luft ∧ x ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ py luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.emptyconstructorluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.leftx ≥ y + env_luft
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ py
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.empty.luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.leftx ≥ y + env_luft luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.leftx ≥ y + env_luft
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyshow y: Nat
y + env_luft: Nat
env_luft ≤ x: Nat
xluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.lefty + env_luft ≤ x
      luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.leftx ≥ y + env_luft
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pycalc
        y: Nat
y + env_luft: Nat
env_luft ≤ y: Nat
y + (env_luft: Nat
env_luft + luft: Nat
luft) :=luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.lefty + env_luft ≤ xby luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

y + env_luft ≤ y + (env_luft + luft)simp_arith
Goals accomplished! 🐙
                   _: ?m.8879
_ ≤ x: Nat
x                     :=luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.lefty + env_luft ≤ xby luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

y + (env_luft + luft) ≤ xassumption
Goals accomplished! 🐙
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.empty.luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0 luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyshow x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x 0: ?m.9228
0luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
      luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyrw [luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0Utils.Nat.max_zero: ∀ (a : Nat), Nat.max a 0 = a
Utils.Nat.max_zeroluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ env_min_x]luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ env_min_x
      luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyrename x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x min_x: LowerBound
min_x => hluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

h: x ≥ Nat.max env_min_x min_x

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ env_min_x
      luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.left.rightx ≥ Nat.max env_min_x 0
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyexact (Utils.Nat.max_le: ∀ {a b c : Nat}, Nat.max a b ≤ c ↔ a ≤ c ∧ b ≤ c
Utils.Nat.max_le.mp: ∀ {a b : Prop}, (a ↔ b) → a → b
mp h: ?m.8736
h).left: ∀ {a b : Prop}, a ∧ b → a
left
Goals accomplished! 🐙
    luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.mu_validvalid
  (atomic_read fun x =>
    match x with
    | { x := x, y := y } => x)
  { luft := luft, min_x := min_x } (fun x => true) fun x r => x ≥ py ∧ r = IsReservation.empty
luft: Nat

min_x: LowerBound

py: Nat

min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.empty.luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ py luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyshow x: Nat
x ≥ py: Nat
pyluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ py
      luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pysuffices x: Nat
x ≥ min_x: LowerBound
min_x by luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyrw [luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ min_x

x ≥ py<- min_x_def: min_x = py
min_x_defluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ min_x

x ≥ min_x]luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ min_x

x ≥ min_x luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ min_x

x ≥ py;luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ min_x

x ≥ min_x luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

this: x ≥ min_x

x ≥ pyassumption
Goals accomplished! 🐙
      luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyrename x: Nat
x ≥ Nat.max: Nat → Nat → Nat
Nat.max env_min_x: Nat
env_min_x min_x: LowerBound
min_x => hluft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

h: x ≥ Nat.max env_min_x min_x

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ min_x
      luft: Nat

min_x: LowerBound

py: Nat

min_x_def: min_x = py

env_luft, env_min_x, x, y: Nat

initial_valid: Spec.validate spec ({ luft := env_luft, min_x := env_min_x } + { luft := luft, min_x := min_x }) { x := x, y := y }

f_valid.f_valid.f_valid.mu_valid.f_valid.intro.rightx ≥ pyexact (Utils.Nat.max_le: ∀ {a b c : Nat}, Nat.max a b ≤ c ↔ a ≤ c ∧ b ≤ c
Utils.Nat.max_le.mp: ∀ {a b : Prop}, (a ↔ b) → a → b
mp h: ?m.8736
h).right: ∀ {a b : Prop}, a ∧ b → b
right
Goals accomplished! 🐙
  
  
Thread.valid thread1clear luft: Nat
luft min_x: LowerBound
min_x min_x_def: match { luft := luft, min_x := min_x } with
| { luft := luft, min_x := min_x } => min_x = py
min_x_defpy: Nat

f_valid.f_valid.f_valid.f_valid∀ (r' : spec.Reservation) (u : Nat),
  u ≥ py ∧ r' = IsReservation.empty →
    valid (atomic_assert fun x => decide (u ≥ py)) r' (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1intro ⟨luft: Nat
luft, min_x: LowerBound
min_x⟩ (px: Nat
px : Nat) ⟨px_gt_py: px ≥ py
px_gt_py, final_check: { luft := luft, min_x := min_x } = IsReservation.empty
final_check⟩py, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_validvalid (atomic_assert fun x => decide (px ≥ py)) { luft := luft, min_x := min_x } (fun x => true) fun x r =>
  r = IsReservation.empty

  
Thread.valid thread1rw [py, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_validvalid (atomic_assert fun x => decide (px ≥ py)) { luft := luft, min_x := min_x } (fun x => true) fun x r =>
  r = IsReservation.emptyfinal_check: { luft := luft, min_x := min_x } = IsReservation.empty
final_checkpy, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_validvalid (atomic_assert fun x => decide (px ≥ py)) IsReservation.empty (fun x => true) fun x r => r = IsReservation.empty]py, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_validvalid (atomic_assert fun x => decide (px ≥ py)) IsReservation.empty (fun x => true) fun x r => r = IsReservation.empty
  
Thread.valid thread1apply valid_assert: ∀ {spec : Spec} {cond : spec.State → Bool} {r : spec.Reservation} {assuming : spec.State → Bool}
  {motive : Unit → spec.Reservation → Prop},
  motive PUnit.unit r →
    (∀ (env_r : spec.Reservation) (s : spec.State),
        assuming s = true → Spec.validate spec (env_r + r) s → cond s = true) →
      valid (atomic_assert cond) r assuming motive
valid_assert (spec :=spec: Spec
spec) rfl: ∀ {α : Sort ?u.9561} {a : α}, a = a
rflpy, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  true = true → Spec.validate spec (env_r + IsReservation.empty) s → decide (px ≥ py) = true
  
Thread.valid thread1.py, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  true = true → Spec.validate spec (env_r + IsReservation.empty) s → decide (px ≥ py) = true -- validate `assert px ≥ py`
    ----------------------------
    py, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  true = true → Spec.validate spec (env_r + IsReservation.empty) s → decide (px ≥ py) = trueintrospy, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

env_r✝: spec.Reservation

s✝: spec.State

f_valid.f_valid.f_valid.f_validdecide (px ≥ py) = true
    py, luft: Nat

min_x: LowerBound

px: Nat

px_gt_py: px ≥ py

final_check: { luft := luft, min_x := min_x } = IsReservation.empty

f_valid.f_valid.f_valid.f_valid∀ (env_r : spec.Reservation) (s : spec.State),
  true = true → Spec.validate spec (env_r + IsReservation.empty) s → decide (px ≥ py) = truesimp only [px_gt_py: px ≥ py
px_gt_py]
Goals accomplished! 🐙

end Sample