forked from mit-pdos/perennial
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathModArith.v
88 lines (78 loc) · 2.14 KB
/
ModArith.v
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
From Coq Require Import ZArith.
From Coq Require Import ssreflect.
From stdpp Require Import base numbers.
From Perennial.Helpers Require Import Integers.
Open Scope Z_scope.
Set Default Goal Selector "!".
Set Default Proof Using "Type".
Local Ltac Zify.zify_post_hook ::= Z.div_mod_to_equations.
Lemma mod_add_modulus a k :
k ≠ 0 ->
a `mod` k = (a + k) `mod` k.
Proof.
intros.
rewrite -> Z.add_mod by auto.
rewrite -> Z.mod_same by auto.
rewrite Z.add_0_r.
rewrite -> Z.mod_mod by auto.
auto.
Qed.
Lemma mod_sub_modulus a k :
k ≠ 0 ->
a `mod` k = (a - k) `mod` k.
Proof.
intros.
rewrite -> Zminus_mod by auto.
rewrite -> Z.mod_same by auto.
rewrite Z.sub_0_r.
rewrite -> Z.mod_mod by auto.
auto.
Qed.
Theorem sum_overflow_check (x y: u64) :
uint.Z (word.add x y) < uint.Z x <-> uint.Z x + uint.Z y >= 2^64.
Proof.
split; intros.
- revert H; word_cleanup; intros.
rewrite /word.wrap in H1.
destruct (decide (uint.Z x + uint.Z y >= 2^64)); [ auto | exfalso ].
lia.
- word_cleanup.
rewrite /word.wrap.
lia.
Qed.
Lemma sum_nooverflow_l (x y : u64) :
uint.Z x ≤ uint.Z (word.add x y) →
uint.Z (word.add x y) = (uint.Z x) + (uint.Z y).
Proof.
intros. word_cleanup. rewrite wrap_small //.
split; first word.
destruct (Z_lt_ge_dec (uint.Z x + uint.Z y) (2 ^ 64)) as [Hlt|Hge]; first done.
apply sum_overflow_check in Hge.
lia.
Qed.
Lemma word_add_comm (x y : u64) :
word.add x y = word.add y x.
Proof.
specialize (@word.ring_theory _ w64_word_instance _). intros W.
rewrite W.(Radd_comm). done.
Qed.
Lemma sum_nooverflow_r (x y : u64) :
uint.Z y ≤ uint.Z (word.add x y) →
uint.Z (word.add x y) = (uint.Z x) + (uint.Z y).
Proof.
rewrite word_add_comm. intros ?%sum_nooverflow_l.
rewrite Z.add_comm //.
Qed.
Theorem word_add1_neq (x: u64) :
uint.Z x ≠ uint.Z (word.add x (W64 1)).
Proof.
simpl.
destruct (decide (uint.Z x + 1 < 2^64)%Z); [ word | ].
rewrite word.unsigned_add.
change (uint.Z (W64 1)) with 1%Z.
rewrite /word.wrap.
lia.
Qed.
(* avoid leaving it at div_mod_to_equations since it causes some backwards
incompatibility *)
Ltac Zify.zify_post_hook ::= idtac.