Module CExprPedraZ

    intros e m z h.
    induction h.
    - constructor.
      assumption.
    - constructor.
    - destruct i;
      [contradiction H|idtac].
      destruct low;
        [constructor;assumption|constructor;assumption|idtac].
      destruct up;
        [constructor;assumption|constructor;assumption|idtac].
      unfold itv2z.
      destruct (ZNum.eqDec t t0) as [ht|ht];
        [idtac|constructor;assumption].
      unfold ZItv.sat, ZItv.satLower, ZItv.satUpper in H.
      subst.
      apply ZNum.LeLeEq in H.
      subst.
      constructor.
    - constructor.
    - apply Expr.EvalEunop with (z1 := z1);
      assumption.
    - apply Expr.EvalEbinop with (z1 := z1) (z2 := z2);
      assumption.
  Qed.

    intros e m z h.
    induction h;
      try (constructor; assumption).
    - simpl.
      constructor 5 with (z1 := z1);
        assumption.
    - destruct op;
      try (constructor 6 with (z1 := z1) (z2 := z2);assumption).
      inversion H.
      simpl.
      constructor 6 with (z1 := z1) (z2 := -z2).
      assumption.
      constructor 5 with (z1 := z2).
      assumption.
      constructor.
      constructor.
  Qed.

    intros.
    apply sub2add_correct, itv2z_correct.
    assumption.
  Qed.

    intros m e z hden.
    induction hden as [x z h|z|z i h|
                       |op e0 z1 z2 hden hind heval
                       |op e1 e2 z1 z2 z3 hden1 hind1 hden2 hind2 heval];
      intros e' hr.
    - (* Evar *)
      inversion hr.
      assumption.
    - (* Econst *)
      inversion hr.
      reflexivity.
    - (* Eitv *)
      discriminate hr.
    - (* Eunknown *)
      discriminate hr.
    - (* Eunop *)
      destruct op;
      [idtac|discriminate hr].
      simpl in hr.
      destruct (expr_aux e0);
        [idtac|discriminate hr].
      inversion hr.
      inversion heval.
      subst.
      simpl.
      rewrite hind;
        reflexivity.
    - (* Ebinop *)
      destruct op;
      try discriminate hr ;
      ( (* NB two cases: Oadd / Omul *)
        simpl in hr;
        destruct (expr_aux e1) as [e1'|];
          [idtac|discriminate hr];
        destruct (expr_aux e2) as [e2'|];
          [idtac|discriminate hr];
        inversion hr;
        inversion heval;
        subst;
        simpl;
        rewrite hind1, hind2;
          reflexivity ).
 OLD Omul case: 
      + simpl in hr.
        destruct e1;
          try (
              apply expr_aux_correct_mul1 with (e2 := e2) (z1 := z1) (z2 := z2);
              [assumption|assumption|assumption|idtac];
              inversion hden1;
              subst;
              assumption);
        destruct e2;
          try discriminate hr;
          match goal with
            | h: Expr.denote m ?e z1 |- _ =>
              apply expr_aux_correct_mul2
              with (e2 := e) (z1 := z2) (z2 := z1);
                [assumption|assumption|assumption|idtac];
                  inversion hden2;
                  subst;
                  assumption
            | _ => idtac
          end.
     *)  Qed.

    intros m e z h e' hr.
    unfold expr in hr.
    apply simplify_correct in h.
    apply expr_aux_correct with (e := simplify e);
      assumption.
  Qed.

    intros r e1 e2 m.
    split;
      intro h;
      destruct r;
      assumption.
  Qed.

    intros e m z hden.
    induction hden as [| | | | |op e1 e2 z1 z2 z3 hden1 hind1 hden2 hind2 heval];
      intros c hr.
    - discriminate hr.
    - discriminate hr.
    - discriminate hr.
    - discriminate hr.
    - discriminate hr.
    - destruct op as [| | | | | | | | | |op];
      try discriminate hr.
      simpl in hr.
      assert (pf1 := expr_correct m e1 z1 hden1).
      assert (pf2 := expr_correct m e2 z2 hden2).
      destruct (expr e1) as [e1'|];
        [idtac|discriminate hr].
      destruct (expr e2) as [e2'|];
        [idtac|discriminate hr].
      inversion hr.
      inversion heval.
      subst.
      destruct (Cmp.dec op z1 z2) as [h|h];
      destruct (ZCond.sat_dec (cmp op e1' e2') m) as [h'|h'].
      + reflexivity.
      + contradiction h'.
        apply cmp_correct.
        rewrite pf1, pf2.
        assumption.
        reflexivity.
        reflexivity.
      + contradiction h.
        rewrite <- pf1 with (e' := e1'), <- pf2 with (e' := e2').
        apply cmp_correct.
        assumption.
        reflexivity.
        reflexivity.
      + reflexivity.
  Qed.

    intros;
    match goal with
      | h : Expr.denote _ (Expr.Ebinop (Expr.Ocmp _) _ _) _ |- _ => inversion h
    end;
      match goal with
        | h : Expr.EvalBinop (Expr.Ocmp _) _ _ _ |- _ => inversion h
      end;
      match goal with
        | |- (if Cmp.dec ?r ?z1 ?z2 then 1 else 0) = 1 \/
             (if Cmp.dec ?r ?z1 ?z2 then 1 else 0) = 0 =>
          destruct (Cmp.dec r z1 z2); [left|right]; reflexivity
      end.
  Qed.

    intros ? ? ? ? h;
    inversion h; subst; clear h;
    inline_const;
    match goal with
      | h : Expr.denote _ _ ?z |- Expr.denote _ _ 1 =>
        replace 1 with z; [assumption|]
    end;
    match goal with
      | h : Expr.EvalBinop (Expr.Ocmp Cmp.Eq) ?z1 1 1 |- _ =>
        inversion h; destruct (ZNum.eqDec z1 1)
    end;
    solve [assumption|discriminate].
  Qed.

    intros ? ? ? ? h;
    inversion h; subst; clear h;
    inline_const;
    match goal with
      | h : Expr.denote _ _ ?z |- Expr.denote _ _ 0 =>
        replace 0 with z; [assumption|apply comparison_result in h];
        match goal with
          | h' : Expr.EvalBinop (Expr.Ocmp Cmp.Eq) ?z1 1 0 |- _ =>
            inversion h'; subst; clear h'
        end;
        destruct (ZNum.eqDec z1 1); destruct h
    end;
    solve [assumption|discriminate|contradiction].
  Qed.

    intros ? ? ? ? h;
    inversion h; subst; clear h;
    inline_const;
    match goal with
      | h : Expr.denote _ _ ?z |- Expr.denote _ _ 0 =>
        replace 0 with z; [assumption|]
    end;
    match goal with
      | h : Expr.EvalBinop (Expr.Ocmp Cmp.Eq) ?z1 0 1 |- _ =>
        inversion h; destruct (ZNum.eqDec z1 0)
    end;
    solve [assumption|discriminate].
  Qed.

    intros ? ? ? ? h;
    inversion h; subst; clear h;
    inline_const.
    match goal with
      | h : Expr.denote _ _ ?z |- Expr.denote _ _ 1 =>
        replace 1 with z; [assumption|apply comparison_result in h];
        match goal with
          | h' : Expr.EvalBinop (Expr.Ocmp Cmp.Eq) ?z1 0 0 |- _ =>
            inversion h'; subst; clear h'
        end;
        destruct (ZNum.eqDec z1 0); destruct h
    end;
    solve [assumption|discriminate|contradiction].
  Qed.

    unfold MatchingCorrect.
    intros e m z hden c hres.
    destruct e; try discriminate hres.
    destruct b; try discriminate hres.
    destruct t; try discriminate hres.
    simpl in hres.
    unfold is_const in hres.
    destruct e2; try discriminate hres.
    destruct (ZNum.eqDec 1 t); [subst|clear n].
    - assert (hsimpl := simpl_cond_correct e1).
      destruct e1; try discriminate hres.
      destruct b; try discriminate hres.
      destruct (comparison_result _ _ _ _ _ hden); subst.
      + apply valued_test_simplify_true_true in hden.
        apply hsimpl; assumption.
      + apply valued_test_simplify_true_false in hden.
        apply hsimpl; assumption.
    - destruct (ZNum.eqDec 0 t); [subst|discriminate].
      assert (hsimpl := simpl_cond_correct e1).
      destruct e1; try discriminate.
      destruct b; try discriminate.
      destruct (simpl_cond (Expr.Ebinop (Expr.Ocmp t) e1_1 e1_2)); try discriminate.
      inversion hres; subst; clear hres.
      destruct (comparison_result _ _ _ _ _ hden); subst.
      + apply valued_test_simplify_false_true in hden.
        specialize (hsimpl m 0 hden t0 (eq_refl _)).
        destruct (ZCond.sat_dec t0 m); try discriminate.
        destruct (ZCond.sat_dec (ZCond.Not t0) m).
        reflexivity.
        contradiction n0.
      + apply valued_test_simplify_false_false in hden.
        specialize (hsimpl m 1 hden t0 (eq_refl _)).
        destruct (ZCond.sat_dec t0 m); try discriminate.
        destruct (ZCond.sat_dec (ZCond.Not t0) m).
        contradiction s0.
        reflexivity.
  Qed.

    intro e.
    assert (h := valued_cond_correct (simplify e)).
    unfold cond.
    destruct (valued_cond (simplify e));
      unfold MatchingCorrect; intros.
    - apply h; [apply simplify_correct|]; assumption.
    - clear h.
      eapply simpl_cond_correct.
      apply simplify_correct.
      eassumption.
      assumption.
  Qed.

    intros c rho h.
    destruct (ZCond.sat_dec c rho).
    assumption.
    discriminate h.
  Qed.

    intros c rho h.
    destruct (ZCond.sat_dec c rho).
    discriminate h.
    assumption.
  Qed.

    intros x i m z hsat c hr.
    destruct i as [|lbnd ubnd pfbnd];
      [discriminate hr|idtac].
    unfold ZItv.sat, ZItv.satUpper, ZItv.satLower in hsat.
    destruct hsat as [hsatl hsatu].
    destruct lbnd as [|l|l];
      destruct ubnd as [|u|u];
      inversion hr;
      simpl;
      rewrite Mem.assign_in;
      match goal with
        | |- _ /\ _ => split; assumption
        | _ => assumption
      end.
  Qed.

    intros x e m z hden c hasg.
    apply simplify_correct in hden.
    unfold asg in hasg.
    assert (pfexpr := expr_aux_correct m (simplify e) z hden).
    destruct (simplify e);
    match goal with
      | h: Expr.denote m (Expr.Eitv _) z |- _ =>
        inversion h;
        apply asg_itv_correct with (i := i);
        subst;
        assumption
      | h: Expr.denote m ?e z |- _ =>
        destruct (expr_aux e) as [e'|];
          [idtac|discriminate hasg];
          specialize (pfexpr e' (eq_refl _));
          inversion hasg as [hasg'];
          subst;
          apply Mem.assign_in
      | _ => idtac
    end.
  Qed.

    intros ab1 ab2 hleb.
    assert (pf := TrustedPedraZ.FullDom.isIncl_correct ab1 ab2).
    unfold OptionMonad.ifprop in pf.
    unfold leb in hleb.
    rewrite hleb in pf.
    assumption.
  Qed.

    exact TrustedPedraZ.FullDom.top_correct.
  Qed.

    intros ab hyp m.
    assert (pf := TrustedPedraZ.FullDom.isBottom_correct ab).
    unfold OptionMonad.ifprop in pf.
    unfold isBottom in hyp.
    destruct TrustedPedraZ.FullDom.isBottom.
    exact (pf m).
    discriminate hyp.
  Qed.

    intros ab1 ab2 x [h|h].
    apply TrustedPedraZ.FullDom.join_correct1.
    assumption.
    apply TrustedPedraZ.FullDom.join_correct2.
    assumption.
  Qed.

    constructor; apply ZNum.LeRefl.
  Qed.

    constructor; apply ZNum.LeRefl.
  Qed.

    constructor.
    apply ZNum.LeRefl.
    apply Z.le_0_1.
  Qed.

    constructor.
    apply Z.le_0_1.
    apply ZNum.LeRefl.
  Qed.

    intros c ab rho hgamma.
    unfold get_itv_cond.
    assert (pf := TrustedPedraZ.FullDom.assert_correct c ab).
    destruct (TrustedPedraZ.FullDom.assert c ab).
    - simpl in pf.
      specialize (pf rho hgamma).
      destruct (ASCond.ZCond.sat_dec c rho) as [pfc|pfc].
      apply itv_one_sat.
      contradiction pfc.
    - clear pf.
      assert (pf := TrustedPedraZ.FullDom.assert_correct
                      (ASCond.ZCond.Not c) ab).
      destruct (TrustedPedraZ.FullDom.assert
                      (ASCond.ZCond.Not c) ab).
      + simpl in pf.
        specialize (pf rho hgamma).
        destruct (ASCond.ZCond.sat_dec c rho) as [pfc|pfc].
        contradiction pf.
        apply itv_zero_sat.
      + destruct (ASCond.ZCond.sat_dec c rho).
        apply itv_unit_sat1.
        apply itv_unit_sat0.
  Qed.

    intros e rho ab hgamma z hden.
    assert (pfe := Tr.expr_correct rho e z hden).
    unfold get_itv.
    destruct (Tr.expr e) as [e'|].
    - specialize (pfe e' (eq_refl _)).
      rewrite <- pfe.
      apply TrustedPedraZ.FullDom.get_itv_correct.
      assumption.
    - clear pfe.
      assert (pfc := Tr.cond_correct e rho z hden).
      destruct (Tr.cond e) as [c|];
        [idtac|constructor;constructor].
      specialize (pfc c (eq_refl _)).
      rewrite <- pfc.
      apply get_itv_cond_correct.
      assumption.
  Qed.

    exact TrustedPedraZ.FullDom.project_correct.
  Qed.

    intros x e m z ab h1 h2.
    unfold assign.
    assert (pfa := Tr.asg_correct x e m z h2).
    destruct (Tr.asg x e) as [c|];
      [idtac|apply project_correct;assumption].
    specialize (pfa c (eq_refl _)).
    unfold gamma.
    apply TrustedPedraZ.FullDom.guassign_correct; [idtac|assumption].
    assumption.
  Qed.