Incomplete coq proofs from why3

[acsl-example] / proof / find3 / interactive / lemma_Find_MissHit.v

(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require bool.Bool.
Require int.Int.
Require int.Abs.
Require int.ComputerDivision.
Require real.Real.
Require real.RealInfix.
Require real.FromInt.
Require map.Map.

Parameter eqb:
  forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.

Axiom eqb'def :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a),
  ((x = y) -> ((eqb x y) = Init.Datatypes.true)) /\
  (~ (x = y) -> ((eqb x y) = Init.Datatypes.false)).

Parameter neqb:
  forall {a:Type} {a_WT:WhyType a}, a -> a -> Init.Datatypes.bool.

Axiom neqb'def :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a),
  (~ (x = y) -> ((neqb x y) = Init.Datatypes.true)) /\
  ((x = y) -> ((neqb x y) = Init.Datatypes.false)).

Parameter zlt: Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.

Axiom zlt'def :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((x < y)%Z -> ((zlt x y) = Init.Datatypes.true)) /\
  (~ (x < y)%Z -> ((zlt x y) = Init.Datatypes.false)).

Parameter zleq:
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> Init.Datatypes.bool.

Axiom zleq'def :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((x <= y)%Z -> ((zleq x y) = Init.Datatypes.true)) /\
  (~ (x <= y)%Z -> ((zleq x y) = Init.Datatypes.false)).

Parameter rlt:
  Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.

Axiom rlt'def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x < y)%R -> ((rlt x y) = Init.Datatypes.true)) /\
  (~ (x < y)%R -> ((rlt x y) = Init.Datatypes.false)).

Parameter rleq:
  Reals.Rdefinitions.R -> Reals.Rdefinitions.R -> Init.Datatypes.bool.

Axiom rleq'def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x <= y)%R -> ((rleq x y) = Init.Datatypes.true)) /\
  (~ (x <= y)%R -> ((rleq x y) = Init.Datatypes.false)).

(* Why3 assumption *)
Definition real_of_int (x:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
  BuiltIn.IZR x.

Axiom c_euclidian :
  forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z), ~ (d = 0%Z) ->
  (n = (((ZArith.BinInt.Z.quot n d) * d)%Z + (ZArith.BinInt.Z.rem n d))%Z).

Axiom cmod_remainder :
  forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
  ((0%Z <= n)%Z -> (0%Z < d)%Z ->
   (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) < d)%Z) /\
  ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
   ((-d)%Z < (ZArith.BinInt.Z.rem n d))%Z /\
   ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z) /\
  ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
   (0%Z <= (ZArith.BinInt.Z.rem n d))%Z /\
   ((ZArith.BinInt.Z.rem n d) < (-d)%Z)%Z) /\
  ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
   (d < (ZArith.BinInt.Z.rem n d))%Z /\ ((ZArith.BinInt.Z.rem n d) <= 0%Z)%Z).

Axiom cdiv_neutral :
  forall (a:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot a 1%Z) = a).

Axiom cdiv_inv :
  forall (a:Numbers.BinNums.Z), ~ (a = 0%Z) ->
  ((ZArith.BinInt.Z.quot a a) = 1%Z).

Axiom cdiv_closed_remainder :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (0%Z <= a)%Z -> (0%Z <= b)%Z ->
  (0%Z <= (b - a)%Z)%Z /\ ((b - a)%Z < n)%Z ->
  ((ZArith.BinInt.Z.rem a n) = (ZArith.BinInt.Z.rem b n)) -> (a = b).

(* Why3 assumption *)
Inductive addr :=
  | addr'mk : Numbers.BinNums.Z -> Numbers.BinNums.Z -> addr.
Axiom addr_WhyType : WhyType addr.
Existing Instance addr_WhyType.

(* Why3 assumption *)
Definition base (v:addr) : Numbers.BinNums.Z :=
  match v with
  | addr'mk x x1 => x
  end.

(* Why3 assumption *)
Definition offset (v:addr) : Numbers.BinNums.Z :=
  match v with
  | addr'mk x x1 => x1
  end.

(* Why3 assumption *)
Definition malloc := Numbers.BinNums.Z -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition null : addr := addr'mk 0%Z 0%Z.

(* Why3 assumption *)
Definition global (b:Numbers.BinNums.Z) : addr := addr'mk b 0%Z.

Parameter addr_le: addr -> addr -> Prop.

Parameter addr_lt: addr -> addr -> Prop.

Parameter addr_le_bool: addr -> addr -> Init.Datatypes.bool.

Parameter addr_lt_bool: addr -> addr -> Init.Datatypes.bool.

Axiom addr_le_def :
  forall (p:addr) (q:addr), ((base p) = (base q)) ->
  addr_le p q <-> ((offset p) <= (offset q))%Z.

Axiom addr_lt_def :
  forall (p:addr) (q:addr), ((base p) = (base q)) ->
  addr_lt p q <-> ((offset p) < (offset q))%Z.

Axiom addr_le_bool_def :
  forall (p:addr) (q:addr),
  addr_le p q <-> ((addr_le_bool p q) = Init.Datatypes.true).

Axiom addr_lt_bool_def :
  forall (p:addr) (q:addr),
  addr_lt p q <-> ((addr_lt_bool p q) = Init.Datatypes.true).

(* Why3 assumption *)
Definition shift (p:addr) (k:Numbers.BinNums.Z) : addr :=
  addr'mk (base p) ((offset p) + k)%Z.

(* Why3 assumption *)
Definition valid_rw (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
    (n:Numbers.BinNums.Z) : Prop :=
  (0%Z < n)%Z ->
  (0%Z < (base p))%Z /\
  (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.

(* Why3 assumption *)
Definition valid_rd (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
    (n:Numbers.BinNums.Z) : Prop :=
  (0%Z < n)%Z ->
  ~ (0%Z = (base p)) /\
  (0%Z <= (offset p))%Z /\ (((offset p) + n)%Z <= (m (base p)))%Z.

(* Why3 assumption *)
Definition valid_obj (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr) :
    Prop :=
  ~ (0%Z = (base p)) /\
  (0%Z <= (offset p))%Z /\
  ((offset p) <= (m (base p)))%Z /\ (0%Z < (m (base p)))%Z.

(* Why3 assumption *)
Definition invalid (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (p:addr)
    (n:Numbers.BinNums.Z) : Prop :=
  (n <= 0%Z)%Z \/
  ((base p) = 0%Z) \/
  ((m (base p)) <= (offset p))%Z \/ (((offset p) + n)%Z <= 0%Z)%Z.

Axiom valid_rw_rd :
  forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
  forall (n:Numbers.BinNums.Z), valid_rw m p n -> valid_rd m p n.

Axiom valid_string :
  forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z), forall (p:addr),
  ((base p) < 0%Z)%Z ->
  (0%Z <= (offset p))%Z /\ ((offset p) < (m (base p)))%Z ->
  valid_rd m p 1%Z /\ ~ valid_rw m p 1%Z.

(* Why3 assumption *)
Definition included (p:addr) (lp:Numbers.BinNums.Z) (q:addr)
    (lq:Numbers.BinNums.Z) : Prop :=
  (0%Z < lp)%Z ->
  (0%Z <= lq)%Z /\
  ((base p) = (base q)) /\
  ((offset q) <= (offset p))%Z /\
  (((offset p) + lp)%Z <= ((offset q) + lq)%Z)%Z.

(* Why3 assumption *)
Definition separated (p:addr) (lp:Numbers.BinNums.Z) (q:addr)
    (lq:Numbers.BinNums.Z) : Prop :=
  (lp <= 0%Z)%Z \/
  (lq <= 0%Z)%Z \/
  ~ ((base p) = (base q)) \/
  (((offset q) + lq)%Z <= (offset p))%Z \/
  (((offset p) + lp)%Z <= (offset q))%Z.

Axiom separated_1 :
  forall (p:addr) (q:addr),
  forall (lp:Numbers.BinNums.Z) (lq:Numbers.BinNums.Z) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z),
  separated p lp q lq ->
  ((offset p) <= i)%Z /\ (i < ((offset p) + lp)%Z)%Z ->
  ((offset q) <= j)%Z /\ (j < ((offset q) + lq)%Z)%Z ->
  ~ ((addr'mk (base p) i) = (addr'mk (base q) j)).

Axiom separated_included :
  forall (p:addr) (q:addr),
  forall (lp:Numbers.BinNums.Z) (lq:Numbers.BinNums.Z), (0%Z < lp)%Z ->
  (0%Z < lq)%Z -> separated p lp q lq -> ~ included p lp q lq.

Axiom included_trans :
  forall (p:addr) (q:addr) (r:addr),
  forall (lp:Numbers.BinNums.Z) (lq:Numbers.BinNums.Z) (lr:Numbers.BinNums.Z),
  included p lp q lq -> included q lq r lr -> included p lp r lr.

Axiom separated_trans :
  forall (p:addr) (q:addr) (r:addr),
  forall (lp:Numbers.BinNums.Z) (lq:Numbers.BinNums.Z) (lr:Numbers.BinNums.Z),
  included p lp q lq -> separated q lq r lr -> separated p lp r lr.

Axiom separated_sym :
  forall (p:addr) (q:addr),
  forall (lp:Numbers.BinNums.Z) (lq:Numbers.BinNums.Z),
  separated p lp q lq <-> separated q lq p lp.

Parameter binit: Numbers.BinNums.Z -> Prop.

Parameter region: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Parameter linked: (Numbers.BinNums.Z -> Numbers.BinNums.Z) -> Prop.

Parameter static_malloc: Numbers.BinNums.Z -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition statically_allocated (base1:Numbers.BinNums.Z) : Prop :=
  (base1 = 0%Z) \/ (0%Z < (static_malloc base1))%Z.

Axiom valid_pointers_are_statically_allocated :
  forall (a:addr) (m:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z),
  (0%Z < n)%Z -> valid_rd m a n -> statically_allocated (base a).

Parameter int_of_addr: addr -> Numbers.BinNums.Z.

Parameter addr_of_int: Numbers.BinNums.Z -> addr.

Axiom addr_of_null : ((int_of_addr null) = 0%Z).

Axiom addr_of_int_bijection :
  forall (p:addr), statically_allocated (base p) ->
  ((addr_of_int (int_of_addr p)) = p).

Axiom table : Type.
Parameter table_WhyType : WhyType table.
Existing Instance table_WhyType.

Parameter table_of_base: Numbers.BinNums.Z -> table.

Parameter table_to_offset: table -> Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom table_to_offset_zero :
  forall (t:table), ((table_to_offset t 0%Z) = 0%Z).

Axiom table_to_offset_monotonic :
  forall (t:table), forall (o1:Numbers.BinNums.Z) (o2:Numbers.BinNums.Z),
  (o1 <= o2)%Z <-> ((table_to_offset t o1) <= (table_to_offset t o2))%Z.

Parameter L_Find_1_:
  (addr -> Numbers.BinNums.Z) -> addr -> Numbers.BinNums.Z ->
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom L_Find_1__def :
  forall (Mint:addr -> Numbers.BinNums.Z) (a:addr) (m:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (v:Numbers.BinNums.Z),
  let x := ((-1%Z)%Z + n)%Z in
  let x1 := L_Find_1_ Mint a m x v in
  let x2 := ((-1%Z)%Z * m)%Z in
  ((n <= m)%Z -> ((L_Find_1_ Mint a m n v) = 0%Z)) /\
  (~ (n <= m)%Z ->
   ((0%Z <= x1)%Z /\ (((2%Z + m)%Z + x1)%Z <= n)%Z ->
    ((L_Find_1_ Mint a m n v) = x1)) /\
   (~ ((0%Z <= x1)%Z /\ (((2%Z + m)%Z + x1)%Z <= n)%Z) ->
    (((Mint (shift a x)) = v) ->
     ((L_Find_1_ Mint a m n v) = (((-1%Z)%Z + n)%Z + x2)%Z)) /\
    (~ ((Mint (shift a x)) = v) -> ((L_Find_1_ Mint a m n v) = (n + x2)%Z)))).

(* Why3 assumption *)
Definition is_bool (x:Numbers.BinNums.Z) : Prop := (x = 0%Z) \/ (x = 1%Z).

(* Why3 assumption *)
Definition is_uint8 (x:Numbers.BinNums.Z) : Prop :=
  (0%Z <= x)%Z /\ (x < 256%Z)%Z.

(* Why3 assumption *)
Definition is_sint8 (x:Numbers.BinNums.Z) : Prop :=
  ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z.

(* Why3 assumption *)
Definition is_uint16 (x:Numbers.BinNums.Z) : Prop :=
  (0%Z <= x)%Z /\ (x < 65536%Z)%Z.

(* Why3 assumption *)
Definition is_sint16 (x:Numbers.BinNums.Z) : Prop :=
  ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z.

(* Why3 assumption *)
Definition is_uint32 (x:Numbers.BinNums.Z) : Prop :=
  (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z.

(* Why3 assumption *)
Definition is_sint32 (x:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z.

(* Why3 assumption *)
Definition is_uint64 (x:Numbers.BinNums.Z) : Prop :=
  (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z.

(* Why3 assumption *)
Definition is_sint64 (x:Numbers.BinNums.Z) : Prop :=
  ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z.

Axiom is_bool0 : is_bool 0%Z.

Axiom is_bool1 : is_bool 1%Z.

Parameter to_bool: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_bool'def :
  forall (x:Numbers.BinNums.Z),
  ((x = 0%Z) -> ((to_bool x) = 0%Z)) /\ (~ (x = 0%Z) -> ((to_bool x) = 1%Z)).

Parameter to_uint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_uint8'def :
  forall (x:Numbers.BinNums.Z),
  ((x < 0%Z)%Z -> ((to_uint8 x) = (to_uint8 (x + 256%Z)%Z))) /\
  (~ (x < 0%Z)%Z ->
   ((256%Z <= x)%Z -> ((to_uint8 x) = (to_uint8 (x - 256%Z)%Z))) /\
   (~ (256%Z <= x)%Z -> ((to_uint8 x) = x))).

Parameter to_sint8: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_sint8'def :
  forall (x:Numbers.BinNums.Z),
  ((x < (-128%Z)%Z)%Z -> ((to_sint8 x) = (to_sint8 (x + 256%Z)%Z))) /\
  (~ (x < (-128%Z)%Z)%Z ->
   ((128%Z <= x)%Z -> ((to_sint8 x) = (to_sint8 (x - 256%Z)%Z))) /\
   (~ (128%Z <= x)%Z -> ((to_sint8 x) = x))).

Parameter to_uint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_uint16'def :
  forall (x:Numbers.BinNums.Z),
  ((x < 0%Z)%Z -> ((to_uint16 x) = (to_uint16 (x + 65536%Z)%Z))) /\
  (~ (x < 0%Z)%Z ->
   ((65536%Z <= x)%Z -> ((to_uint16 x) = (to_uint16 (x - 65536%Z)%Z))) /\
   (~ (65536%Z <= x)%Z -> ((to_uint16 x) = x))).

Parameter to_sint16: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_sint16'def :
  forall (x:Numbers.BinNums.Z),
  ((x < (-32768%Z)%Z)%Z -> ((to_sint16 x) = (to_sint16 (x + 65536%Z)%Z))) /\
  (~ (x < (-32768%Z)%Z)%Z ->
   ((32768%Z <= x)%Z -> ((to_sint16 x) = (to_sint16 (x - 65536%Z)%Z))) /\
   (~ (32768%Z <= x)%Z -> ((to_sint16 x) = x))).

Parameter to_uint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_uint32'def :
  forall (x:Numbers.BinNums.Z),
  ((x < 0%Z)%Z -> ((to_uint32 x) = (to_uint32 (x + 4294967296%Z)%Z))) /\
  (~ (x < 0%Z)%Z ->
   ((4294967296%Z <= x)%Z ->
    ((to_uint32 x) = (to_uint32 (x - 4294967296%Z)%Z))) /\
   (~ (4294967296%Z <= x)%Z -> ((to_uint32 x) = x))).

Parameter to_sint32: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_sint32'def :
  forall (x:Numbers.BinNums.Z),
  ((x < (-2147483648%Z)%Z)%Z ->
   ((to_sint32 x) = (to_sint32 (x + 4294967296%Z)%Z))) /\
  (~ (x < (-2147483648%Z)%Z)%Z ->
   ((2147483648%Z <= x)%Z ->
    ((to_sint32 x) = (to_sint32 (x - 4294967296%Z)%Z))) /\
   (~ (2147483648%Z <= x)%Z -> ((to_sint32 x) = x))).

Parameter to_uint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_uint64'def :
  forall (x:Numbers.BinNums.Z),
  ((x < 0%Z)%Z ->
   ((to_uint64 x) = (to_uint64 (x + 18446744073709551616%Z)%Z))) /\
  (~ (x < 0%Z)%Z ->
   ((18446744073709551616%Z <= x)%Z ->
    ((to_uint64 x) = (to_uint64 (x - 18446744073709551616%Z)%Z))) /\
   (~ (18446744073709551616%Z <= x)%Z -> ((to_uint64 x) = x))).

Parameter to_sint64: Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom to_sint64'def :
  forall (x:Numbers.BinNums.Z),
  ((x < (-9223372036854775808%Z)%Z)%Z ->
   ((to_sint64 x) = (to_sint64 (x + 18446744073709551616%Z)%Z))) /\
  (~ (x < (-9223372036854775808%Z)%Z)%Z ->
   ((9223372036854775808%Z <= x)%Z ->
    ((to_sint64 x) = (to_sint64 (x - 18446744073709551616%Z)%Z))) /\
   (~ (9223372036854775808%Z <= x)%Z -> ((to_sint64 x) = x))).

Parameter two_power_abs: Numbers.BinNums.Z -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition is_uint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
  (0%Z <= x)%Z /\ (x < (two_power_abs n))%Z.

(* Why3 assumption *)
Definition is_sint (n:Numbers.BinNums.Z) (x:Numbers.BinNums.Z) : Prop :=
  ((-(two_power_abs n))%Z <= x)%Z /\ (x < (two_power_abs n))%Z.

Parameter to_uint:
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.

Parameter to_sint:
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.

Axiom is_to_uint8 : forall (x:Numbers.BinNums.Z), is_uint8 (to_uint8 x).

Axiom is_to_sint8 : forall (x:Numbers.BinNums.Z), is_sint8 (to_sint8 x).

Axiom is_to_uint16 : forall (x:Numbers.BinNums.Z), is_uint16 (to_uint16 x).

Axiom is_to_sint16 : forall (x:Numbers.BinNums.Z), is_sint16 (to_sint16 x).

Axiom is_to_uint32 : forall (x:Numbers.BinNums.Z), is_uint32 (to_uint32 x).

Axiom is_to_sint32 : forall (x:Numbers.BinNums.Z), is_sint32 (to_sint32 x).

Axiom is_to_uint64 : forall (x:Numbers.BinNums.Z), is_uint64 (to_uint64 x).

Axiom is_to_sint64 : forall (x:Numbers.BinNums.Z), is_sint64 (to_sint64 x).

Axiom id_uint8 :
  forall (x:Numbers.BinNums.Z), is_uint8 x -> ((to_uint8 x) = x).

Axiom id_sint8 :
  forall (x:Numbers.BinNums.Z), is_sint8 x -> ((to_sint8 x) = x).

Axiom id_uint16 :
  forall (x:Numbers.BinNums.Z), is_uint16 x -> ((to_uint16 x) = x).

Axiom id_sint16 :
  forall (x:Numbers.BinNums.Z), is_sint16 x -> ((to_sint16 x) = x).

Axiom id_uint32 :
  forall (x:Numbers.BinNums.Z), is_uint32 x -> ((to_uint32 x) = x).

Axiom id_sint32 :
  forall (x:Numbers.BinNums.Z), is_sint32 x -> ((to_sint32 x) = x).

Axiom id_uint64 :
  forall (x:Numbers.BinNums.Z), is_uint64 x -> ((to_uint64 x) = x).

Axiom id_sint64 :
  forall (x:Numbers.BinNums.Z), is_sint64 x -> ((to_sint64 x) = x).

Axiom id_uint8_inl :
  forall (x:Numbers.BinNums.Z), (0%Z <= x)%Z /\ (x < 256%Z)%Z ->
  ((to_uint8 x) = x).

Axiom id_sint8_inl :
  forall (x:Numbers.BinNums.Z), ((-128%Z)%Z <= x)%Z /\ (x < 128%Z)%Z ->
  ((to_sint8 x) = x).

Axiom id_uint16_inl :
  forall (x:Numbers.BinNums.Z), (0%Z <= x)%Z /\ (x < 65536%Z)%Z ->
  ((to_uint16 x) = x).

Axiom id_sint16_inl :
  forall (x:Numbers.BinNums.Z), ((-32768%Z)%Z <= x)%Z /\ (x < 32768%Z)%Z ->
  ((to_sint16 x) = x).

Axiom id_uint32_inl :
  forall (x:Numbers.BinNums.Z), (0%Z <= x)%Z /\ (x < 4294967296%Z)%Z ->
  ((to_uint32 x) = x).

Axiom id_sint32_inl :
  forall (x:Numbers.BinNums.Z),
  ((-2147483648%Z)%Z <= x)%Z /\ (x < 2147483648%Z)%Z -> ((to_sint32 x) = x).

Axiom id_uint64_inl :
  forall (x:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (x < 18446744073709551616%Z)%Z -> ((to_uint64 x) = x).

Axiom id_sint64_inl :
  forall (x:Numbers.BinNums.Z),
  ((-9223372036854775808%Z)%Z <= x)%Z /\ (x < 9223372036854775808%Z)%Z ->
  ((to_sint64 x) = x).

Axiom proj_int8 :
  forall (x:Numbers.BinNums.Z), ((to_sint8 (to_uint8 x)) = (to_sint8 x)).

Axiom proj_int16 :
  forall (x:Numbers.BinNums.Z), ((to_sint16 (to_uint16 x)) = (to_sint16 x)).

Axiom proj_int32 :
  forall (x:Numbers.BinNums.Z), ((to_sint32 (to_uint32 x)) = (to_sint32 x)).

Axiom proj_int64 :
  forall (x:Numbers.BinNums.Z), ((to_sint64 (to_uint64 x)) = (to_sint64 x)).

Axiom Q_Find_Hit :
  forall (Mint:addr -> Numbers.BinNums.Z) (a:addr) (v:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  let x := L_Find_1_ Mint a m n v in
  (m <= n)%Z -> ((m + x)%Z < n)%Z -> is_sint32 v ->
  ((L_Find_1_ Mint a m (1%Z + n)%Z v) = x).

Axiom Q_Find_Empty :
  forall (Mint:addr -> Numbers.BinNums.Z) (a:addr) (v:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (n <= m)%Z -> is_sint32 v -> ((L_Find_1_ Mint a m n v) = 0%Z).

(* Why3 goal *)
Theorem wp_goal :
  forall (t:addr -> Numbers.BinNums.Z) (a:addr) (i:Numbers.BinNums.Z)
    (i1:Numbers.BinNums.Z),
  let x := t (shift a i1) in
  ((i + (L_Find_1_ t a i i1 x))%Z = i1) -> (i <= i1)%Z -> is_sint32 x ->
  ((i + (L_Find_1_ t a i (1%Z + i1)%Z x))%Z = i1).
Proof.
intros t a i i1 x h1 h2 h3.

Qed.