# Module SelectDivproof

Correctness of instruction selection for integer division

Require Import Zquot Coqlib Zbits.
Require Import AST Integers Floats Values Memory Globalenvs Events.
Require Import Cminor Op CminorSel.
Require Import OpHelpers OpHelpersproof.
Require Import SelectOp SelectOpproof SplitLong SplitLongproof SelectLong SelectLongproof SelectDiv.

Local Open Scope cminorsel_scope.

# Main approximation theorems

Section Z_DIV_MUL.

Variable N: Z. (* number of relevant bits *)
Hypothesis N_pos: N >= 0.
Variable d: Z. (* divisor *)
Hypothesis d_pos: d > 0.

This is theorem 4.2 from Granlund and Montgomery, PLDI 1994.

Lemma Zdiv_mul_pos:
forall m l,
l >= 0 ->
two_p (N+l) <= m * d <= two_p (N+l) + two_p l ->
forall n,
0 <= n < two_p N ->
Z.div n d = Z.div (m * n) (two_p (N + l)).
Proof.
intros m l l_pos [LO HI] n RANGE.
exploit (Z_div_mod_eq n d). auto.
set (q := n / d).
set (r := n mod d).
intro EUCL.
assert (0 <= r <= d - 1).
unfold r. generalize (Z_mod_lt n d d_pos). lia.
assert (0 <= m).
apply Zmult_le_0_reg_r with d. auto.
exploit (two_p_gt_ZERO (N + l)). lia. lia.
set (k := m * d - two_p (N + l)).
assert (0 <= k <= two_p l).
unfold k; lia.
assert ((m * n - two_p (N + l) * q) * d = k * n + two_p (N + l) * r).
unfold k. rewrite EUCL. ring.
assert (0 <= k * n).
apply Z.mul_nonneg_nonneg; lia.
assert (k * n <= two_p (N + l) - two_p l).
apply Z.le_trans with (two_p l * n).
apply Z.mul_le_mono_nonneg_r; lia.
replace (N + l) with (l + N) by lia.
rewrite two_p_is_exp.
replace (two_p l * two_p N - two_p l)
with (two_p l * (two_p N - 1))
by ring.
apply Z.mul_le_mono_nonneg_l. lia. exploit (two_p_gt_ZERO l). lia. lia.
lia. lia.
assert (0 <= two_p (N + l) * r).
apply Z.mul_nonneg_nonneg.
exploit (two_p_gt_ZERO (N + l)). lia. lia.
lia.
assert (two_p (N + l) * r <= two_p (N + l) * d - two_p (N + l)).
replace (two_p (N + l) * d - two_p (N + l))
with (two_p (N + l) * (d - 1)) by ring.
apply Z.mul_le_mono_nonneg_l.
lia.
exploit (two_p_gt_ZERO (N + l)). lia. lia.
assert (0 <= m * n - two_p (N + l) * q).
apply Zmult_le_reg_r with d. auto.
replace (0 * d) with 0 by ring. rewrite H2. lia.
assert (m * n - two_p (N + l) * q < two_p (N + l)).
apply Zmult_lt_reg_r with d. lia.
rewrite H2.
apply Z.le_lt_trans with (two_p (N + l) * d - two_p l).
lia.
exploit (two_p_gt_ZERO l). lia. lia.
symmetry. apply Zdiv_unique with (m * n - two_p (N + l) * q).
ring. lia.
Qed.

Lemma Zdiv_unique_2:
forall x y q, y > 0 -> 0 < y * q - x <= y -> Z.div x y = q - 1.
Proof.
intros. apply Zdiv_unique with (x - (q - 1) * y). ring.
replace ((q - 1) * y) with (y * q - y) by ring. lia.
Qed.

Lemma Zdiv_mul_opp:
forall m l,
l >= 0 ->
two_p (N+l) < m * d <= two_p (N+l) + two_p l ->
forall n,
0 < n <= two_p N ->
Z.div n d = - Z.div (m * (-n)) (two_p (N + l)) - 1.
Proof.
intros m l l_pos [LO HI] n RANGE.
replace (m * (-n)) with (- (m * n)) by ring.
exploit (Z_div_mod_eq n d). auto.
set (q := n / d).
set (r := n mod d).
intro EUCL.
assert (0 <= r <= d - 1).
unfold r. generalize (Z_mod_lt n d d_pos). lia.
assert (0 <= m).
apply Zmult_le_0_reg_r with d. auto.
exploit (two_p_gt_ZERO (N + l)). lia. lia.
cut (Z.div (- (m * n)) (two_p (N + l)) = -q - 1).
lia.
apply Zdiv_unique_2.
apply two_p_gt_ZERO. lia.
replace (two_p (N + l) * - q - - (m * n))
with (m * n - two_p (N + l) * q)
by ring.
set (k := m * d - two_p (N + l)).
assert (0 < k <= two_p l).
unfold k; lia.
assert ((m * n - two_p (N + l) * q) * d = k * n + two_p (N + l) * r).
unfold k. rewrite EUCL. ring.
split.
apply Zmult_lt_reg_r with d. lia.
replace (0 * d) with 0 by lia.
rewrite H2.
assert (0 < k * n). apply Z.mul_pos_pos; lia.
assert (0 <= two_p (N + l) * r).
apply Z.mul_nonneg_nonneg. exploit (two_p_gt_ZERO (N + l)); lia. lia.
lia.
apply Zmult_le_reg_r with d. lia.
rewrite H2.
assert (k * n <= two_p (N + l)).
rewrite Z.add_comm. rewrite two_p_is_exp; try lia.
apply Z.le_trans with (two_p l * n). apply Z.mul_le_mono_nonneg_r; lia.
apply Z.mul_le_mono_nonneg_l. lia. exploit (two_p_gt_ZERO l). lia. lia.
assert (two_p (N + l) * r <= two_p (N + l) * d - two_p (N + l)).
replace (two_p (N + l) * d - two_p (N + l))
with (two_p (N + l) * (d - 1))
by ring.
apply Z.mul_le_mono_nonneg_l. exploit (two_p_gt_ZERO (N + l)). lia. lia. lia.
lia.
Qed.

This is theorem 5.1 from Granlund and Montgomery, PLDI 1994.

Lemma Zquot_mul:
forall m l,
l >= 0 ->
two_p (N+l) < m * d <= two_p (N+l) + two_p l ->
forall n,
- two_p N <= n < two_p N ->
Z.quot n d = Z.div (m * n) (two_p (N + l)) + (if zlt n 0 then 1 else 0).
Proof.
intros. destruct (zlt n 0).
exploit (Zdiv_mul_opp m l H H0 (-n)). lia.
replace (- - n) with n by ring.
replace (Z.quot n d) with (- Z.quot (-n) d).
rewrite Zquot_Zdiv_pos by lia. lia.
rewrite Z.quot_opp_l by lia. ring.
rewrite Z.add_0_r. rewrite Zquot_Zdiv_pos by lia.
apply Zdiv_mul_pos; lia.
Qed.

End Z_DIV_MUL.

# Correctness of the division parameters

Lemma divs_mul_params_sound:
forall d m p,
divs_mul_params d = Some(p, m) ->
0 <= m < Int.modulus /\ 0 <= p < 32 /\
forall n,
Int.min_signed <= n <= Int.max_signed ->
Z.quot n d = Z.div (m * n) (two_p (32 + p)) + (if zlt n 0 then 1 else 0).
Proof with
(try discriminate).
unfold divs_mul_params; intros d m' p'.
destruct (find_div_mul_params Int.wordsize
(Int.half_modulus - Int.half_modulus mod d - 1) d 32)
as [[p m] | ]...
generalize (p - 32). intro p1.
destruct (zlt 0 d)...
destruct (zlt (two_p (32 + p1)) (m * d))...
destruct (zle (m * d) (two_p (32 + p1) + two_p (p1 + 1)))...
destruct (zle 0 m)...
destruct (zlt m Int.modulus)...
destruct (zle 0 p1)...
destruct (zlt p1 32)...
intros EQ; inv EQ.
split. auto. split. auto. intros.
replace (32 + p') with (31 + (p' + 1)) by lia.
apply Zquot_mul; try lia.
replace (31 + (p' + 1)) with (32 + p') by lia. lia.
change (Int.min_signed <= n < Int.half_modulus).
unfold Int.max_signed in H. lia.
Qed.

Lemma divu_mul_params_sound:
forall d m p,
divu_mul_params d = Some(p, m) ->
0 <= m < Int.modulus /\ 0 <= p < 32 /\
forall n,
0 <= n < Int.modulus ->
Z.div n d = Z.div (m * n) (two_p (32 + p)).
Proof with
(try discriminate).
unfold divu_mul_params; intros d m' p'.
destruct (find_div_mul_params Int.wordsize
(Int.modulus - Int.modulus mod d - 1) d 32)
as [[p m] | ]...
generalize (p - 32); intro p1.
destruct (zlt 0 d)...
destruct (zle (two_p (32 + p1)) (m * d))...
destruct (zle (m * d) (two_p (32 + p1) + two_p p1))...
destruct (zle 0 m)...
destruct (zlt m Int.modulus)...
destruct (zle 0 p1)...
destruct (zlt p1 32)...
intros EQ; inv EQ.
split. auto. split. auto. intros.
apply Zdiv_mul_pos; try lia. assumption.
Qed.

Lemma divs_mul_shift_gen:
forall x y m p,
divs_mul_params (Int.signed y) = Some(p, m) ->
0 <= m < Int.modulus /\ 0 <= p < 32 /\
Int.divs x y = Int.add (Int.shr (Int.repr ((Int.signed x * m) / Int.modulus)) (Int.repr p))
(Int.shru x (Int.repr 31)).
Proof.
intros. set (n := Int.signed x). set (d := Int.signed y) in *.
exploit divs_mul_params_sound; eauto. intros (A & B & C).
split. auto. split. auto.
unfold Int.divs. fold n; fold d. rewrite C by (apply Int.signed_range).
rewrite two_p_is_exp by lia. rewrite <- Zdiv_Zdiv.
rewrite Int.shr_div_two_p. apply Int.eqm_unsigned_repr_r. apply Int.eqm_refl2.
rewrite Int.unsigned_repr. f_equal.
rewrite Int.signed_repr. rewrite Int.modulus_power. f_equal. ring.
cut (Int.min_signed <= n * m / Int.modulus < Int.half_modulus).
unfold Int.max_signed; lia.
apply Zdiv_interval_1. generalize Int.min_signed_neg; lia. apply Int.half_modulus_pos.
apply Int.modulus_pos.
split. apply Z.le_trans with (Int.min_signed * m).
apply Z.mul_le_mono_nonpos_l. generalize Int.min_signed_neg; lia. lia.
apply Z.mul_le_mono_nonneg_r. lia. unfold n; generalize (Int.signed_range x); tauto.
apply Z.le_lt_trans with (Int.half_modulus * m).
apply Z.mul_le_mono_nonneg_r. tauto. generalize (Int.signed_range x); unfold n, Int.max_signed; lia.
apply Zmult_lt_compat_l. generalize Int.half_modulus_pos; lia. tauto.
assert (32 < Int.max_unsigned) by (compute; auto). lia.
unfold Int.lt; fold n. rewrite Int.signed_zero. destruct (zlt n 0); apply Int.eqm_unsigned_repr.
apply two_p_gt_ZERO. lia.
apply two_p_gt_ZERO. lia.
Qed.

Theorem divs_mul_shift_1:
forall x y m p,
divs_mul_params (Int.signed y) = Some(p, m) ->
m < Int.half_modulus ->
0 <= p < 32 /\
Int.divs x y = Int.add (Int.shr (Int.mulhs x (Int.repr m)) (Int.repr p))
(Int.shru x (Int.repr 31)).
Proof.
intros. exploit divs_mul_shift_gen; eauto. instantiate (1 := x).
intros (A & B & C). split. auto. rewrite C.
unfold Int.mulhs. rewrite Int.signed_repr. auto.
generalize Int.min_signed_neg; unfold Int.max_signed; lia.
Qed.

Theorem divs_mul_shift_2:
forall x y m p,
divs_mul_params (Int.signed y) = Some(p, m) ->
m >= Int.half_modulus ->
0 <= p < 32 /\
Int.divs x y = Int.add (Int.shr (Int.add (Int.mulhs x (Int.repr m)) x) (Int.repr p))
(Int.shru x (Int.repr 31)).
Proof.
intros. exploit divs_mul_shift_gen; eauto. instantiate (1 := x).
intros (A & B & C). split. auto. rewrite C. f_equal. f_equal.
rewrite Int.add_signed. unfold Int.mulhs. set (n := Int.signed x).
transitivity (Int.repr (n * (m - Int.modulus) / Int.modulus + n)).
apply f_equal.
replace (n * (m - Int.modulus)) with (n * m + (-n) * Int.modulus) by ring.
rewrite Z_div_plus. ring. apply Int.modulus_pos.
apply Int.eqm_samerepr. apply Int.eqm_add; auto with ints.
apply Int.eqm_sym. eapply Int.eqm_trans. apply Int.eqm_signed_unsigned.
apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl2.
apply (f_equal (fun x => n * x / Int.modulus)).
rewrite Int.signed_repr_eq. rewrite Z.mod_small by assumption.
apply zlt_false. assumption.
Qed.

Theorem divu_mul_shift:
forall x y m p,
divu_mul_params (Int.unsigned y) = Some(p, m) ->
0 <= p < 32 /\
Int.divu x y = Int.shru (Int.mulhu x (Int.repr m)) (Int.repr p).
Proof.
intros. exploit divu_mul_params_sound; eauto. intros (A & B & C).
split. auto.
rewrite Int.shru_div_two_p. rewrite Int.unsigned_repr.
unfold Int.divu, Int.mulhu. f_equal. rewrite C by apply Int.unsigned_range.
rewrite two_p_is_exp by lia. rewrite <- Zdiv_Zdiv by (apply two_p_gt_ZERO; lia).
f_equal. rewrite (Int.unsigned_repr m).
rewrite Int.unsigned_repr. f_equal. ring.
cut (0 <= Int.unsigned x * m / Int.modulus < Int.modulus).
unfold Int.max_unsigned; lia.
apply Zdiv_interval_1. lia. compute; auto. compute; auto.
split. simpl. apply Z.mul_nonneg_nonneg. generalize (Int.unsigned_range x); lia. lia.
apply Z.le_lt_trans with (Int.modulus * m).
apply Zmult_le_compat_r. generalize (Int.unsigned_range x); lia. lia.
apply Zmult_lt_compat_l. compute; auto. lia.
unfold Int.max_unsigned; lia.
assert (32 < Int.max_unsigned) by (compute; auto). lia.
Qed.

Same, for 64-bit integers

Lemma divls_mul_params_sound:
forall d m p,
divls_mul_params d = Some(p, m) ->
0 <= m < Int64.modulus /\ 0 <= p < 64 /\
forall n,
Int64.min_signed <= n <= Int64.max_signed ->
Z.quot n d = Z.div (m * n) (two_p (64 + p)) + (if zlt n 0 then 1 else 0).
Proof with
(try discriminate).
unfold divls_mul_params; intros d m' p'.
destruct (find_div_mul_params Int64.wordsize
(Int64.half_modulus - Int64.half_modulus mod d - 1) d 64)
as [[p m] | ]...
generalize (p - 64). intro p1.
destruct (zlt 0 d)...
destruct (zlt (two_p (64 + p1)) (m * d))...
destruct (zle (m * d) (two_p (64 + p1) + two_p (p1 + 1)))...
destruct (zle 0 m)...
destruct (zlt m Int64.modulus)...
destruct (zle 0 p1)...
destruct (zlt p1 64)...
intros EQ; inv EQ.
split. auto. split. auto. intros.
replace (64 + p') with (63 + (p' + 1)) by lia.
apply Zquot_mul; try lia.
replace (63 + (p' + 1)) with (64 + p') by lia. lia.
change (Int64.min_signed <= n < Int64.half_modulus).
unfold Int64.max_signed in H. lia.
Qed.

Lemma divlu_mul_params_sound:
forall d m p,
divlu_mul_params d = Some(p, m) ->
0 <= m < Int64.modulus /\ 0 <= p < 64 /\
forall n,
0 <= n < Int64.modulus ->
Z.div n d = Z.div (m * n) (two_p (64 + p)).
Proof with
(try discriminate).
unfold divlu_mul_params; intros d m' p'.
destruct (find_div_mul_params Int64.wordsize
(Int64.modulus - Int64.modulus mod d - 1) d 64)
as [[p m] | ]...
generalize (p - 64); intro p1.
destruct (zlt 0 d)...
destruct (zle (two_p (64 + p1)) (m * d))...
destruct (zle (m * d) (two_p (64 + p1) + two_p p1))...
destruct (zle 0 m)...
destruct (zlt m Int64.modulus)...
destruct (zle 0 p1)...
destruct (zlt p1 64)...
intros EQ; inv EQ.
split. auto. split. auto. intros.
apply Zdiv_mul_pos; try lia. assumption.
Qed.

Remark int64_shr'_div_two_p:
forall x y, Int64.shr' x y = Int64.repr (Int64.signed x / two_p (Int.unsigned y)).
Proof.
intros; unfold Int64.shr'. rewrite Zshiftr_div_two_p; auto. generalize (Int.unsigned_range y); lia.
Qed.

Lemma divls_mul_shift_gen:
forall x y m p,
divls_mul_params (Int64.signed y) = Some(p, m) ->
0 <= m < Int64.modulus /\ 0 <= p < 64 /\
Int64.divs x y = Int64.add (Int64.shr' (Int64.repr ((Int64.signed x * m) / Int64.modulus)) (Int.repr p))
(Int64.shru x (Int64.repr 63)).
Proof.
intros. set (n := Int64.signed x). set (d := Int64.signed y) in *.
exploit divls_mul_params_sound; eauto. intros (A & B & C).
split. auto. split. auto.
unfold Int64.divs. fold n; fold d. rewrite C by (apply Int64.signed_range).
rewrite two_p_is_exp by lia. rewrite <- Zdiv_Zdiv.
rewrite int64_shr'_div_two_p. apply Int64.eqm_unsigned_repr_r. apply Int64.eqm_refl2.
rewrite Int.unsigned_repr. f_equal.
rewrite Int64.signed_repr. rewrite Int64.modulus_power. f_equal. ring.
cut (Int64.min_signed <= n * m / Int64.modulus < Int64.half_modulus).
unfold Int64.max_signed; lia.
apply Zdiv_interval_1. generalize Int64.min_signed_neg; lia. apply Int64.half_modulus_pos.
apply Int64.modulus_pos.
split. apply Z.le_trans with (Int64.min_signed * m).
apply Z.mul_le_mono_nonpos_l. generalize Int64.min_signed_neg; lia. lia.
apply Z.mul_le_mono_nonneg_r. tauto. unfold n; generalize (Int64.signed_range x); tauto.
apply Z.le_lt_trans with (Int64.half_modulus * m).
apply Zmult_le_compat_r. generalize (Int64.signed_range x); unfold n, Int64.max_signed; lia. tauto.
apply Zmult_lt_compat_l. generalize Int64.half_modulus_pos; lia. tauto.
assert (64 < Int.max_unsigned) by (compute; auto). lia.
unfold Int64.lt; fold n. rewrite Int64.signed_zero. destruct (zlt n 0); apply Int64.eqm_unsigned_repr.
apply two_p_gt_ZERO. lia.
apply two_p_gt_ZERO. lia.
Qed.

Theorem divls_mul_shift_1:
forall x y m p,
divls_mul_params (Int64.signed y) = Some(p, m) ->
m < Int64.half_modulus ->
0 <= p < 64 /\
Int64.divs x y = Int64.add (Int64.shr' (Int64.mulhs x (Int64.repr m)) (Int.repr p))
(Int64.shru' x (Int.repr 63)).
Proof.
intros. exploit divls_mul_shift_gen; eauto. instantiate (1 := x).
intros (A & B & C). split. auto. rewrite C.
unfold Int64.mulhs. rewrite Int64.signed_repr. auto.
generalize Int64.min_signed_neg; unfold Int64.max_signed; lia.
Qed.

Theorem divls_mul_shift_2:
forall x y m p,
divls_mul_params (Int64.signed y) = Some(p, m) ->
m >= Int64.half_modulus ->
0 <= p < 64 /\
Int64.divs x y = Int64.add (Int64.shr' (Int64.add (Int64.mulhs x (Int64.repr m)) x) (Int.repr p))
(Int64.shru' x (Int.repr 63)).
Proof.
intros. exploit divls_mul_shift_gen; eauto. instantiate (1 := x).
intros (A & B & C). split. auto. rewrite C. f_equal. f_equal.
rewrite Int64.add_signed. unfold Int64.mulhs. set (n := Int64.signed x).
transitivity (Int64.repr (n * (m - Int64.modulus) / Int64.modulus + n)).
apply f_equal.
replace (n * (m - Int64.modulus)) with (n * m + (-n) * Int64.modulus) by ring.
rewrite Z_div_plus. ring. apply Int64.modulus_pos.
apply Int64.eqm_samerepr. apply Int64.eqm_add; auto with ints.
apply Int64.eqm_sym. eapply Int64.eqm_trans. apply Int64.eqm_signed_unsigned.
apply Int64.eqm_unsigned_repr_l. apply Int64.eqm_refl2.
apply (f_equal (fun x => n * x / Int64.modulus)).
rewrite Int64.signed_repr_eq. rewrite Z.mod_small by assumption.
apply zlt_false. assumption.
Qed.

Remark int64_shru'_div_two_p:
forall x y, Int64.shru' x y = Int64.repr (Int64.unsigned x / two_p (Int.unsigned y)).
Proof.
intros; unfold Int64.shru'. rewrite Zshiftr_div_two_p; auto. generalize (Int.unsigned_range y); lia.
Qed.

Theorem divlu_mul_shift:
forall x y m p,
divlu_mul_params (Int64.unsigned y) = Some(p, m) ->
0 <= p < 64 /\
Int64.divu x y = Int64.shru' (Int64.mulhu x (Int64.repr m)) (Int.repr p).
Proof.
intros. exploit divlu_mul_params_sound; eauto. intros (A & B & C).
split. auto.
rewrite int64_shru'_div_two_p. rewrite Int.unsigned_repr.
unfold Int64.divu, Int64.mulhu. f_equal. rewrite C by apply Int64.unsigned_range.
rewrite two_p_is_exp by lia. rewrite <- Zdiv_Zdiv by (apply two_p_gt_ZERO; lia).
f_equal. rewrite (Int64.unsigned_repr m).
rewrite Int64.unsigned_repr. f_equal. ring.
cut (0 <= Int64.unsigned x * m / Int64.modulus < Int64.modulus).
unfold Int64.max_unsigned; lia.
apply Zdiv_interval_1. lia. compute; auto. compute; auto.
split. simpl. apply Z.mul_nonneg_nonneg. generalize (Int64.unsigned_range x); lia. lia.
apply Z.le_lt_trans with (Int64.modulus * m).
apply Zmult_le_compat_r. generalize (Int64.unsigned_range x); lia. lia.
apply Zmult_lt_compat_l. compute; auto. lia.
unfold Int64.max_unsigned; lia.
assert (64 < Int.max_unsigned) by (compute; auto). lia.
Qed.

# Correctness of the smart constructors for division and modulus

Section CMCONSTRS.

Variable prog: program.
Variable hf: helper_functions.
Hypothesis HELPERS: helper_functions_declared prog hf.
Let ge := Genv.globalenv prog.
Variable sp: val.
Variable e: env.
Variable m: mem.

Lemma is_intconst_sound:
forall v a n le,
is_intconst a = Some n -> eval_expr ge sp e m le a v -> v = Vint n.
Proof with
(try discriminate).
intros. unfold is_intconst in *.
destruct a... destruct o... inv H. inv H0. destruct vl; inv H5. auto.
Qed.

Lemma eval_divu_mul:
forall le x y p M,
divu_mul_params (Int.unsigned y) = Some(p, M) ->
nth_error le O = Some (Vint x) ->
eval_expr ge sp e m le (divu_mul p M) (Vint (Int.divu x y)).
Proof.
intros. unfold divu_mul. exploit (divu_mul_shift x); eauto. intros [A B].
assert (C: eval_expr ge sp e m le (Eletvar 0) (Vint x)) by (apply eval_Eletvar; eauto).
assert (D: eval_expr ge sp e m le (Eop (Ointconst (Int.repr M)) Enil) (Vint (Int.repr M))) by EvalOp.
exploit eval_mulhu. eexact C. eexact D. intros (v & E & F). simpl in F. inv F.
exploit eval_shruimm. eexact E. instantiate (1 := Int.repr p).
intros [v [P Q]]. simpl in Q.
replace (Int.ltu (Int.repr p) Int.iwordsize) with true in Q.
inv Q. rewrite B. auto.
unfold Int.ltu. rewrite Int.unsigned_repr. rewrite zlt_true; auto. tauto.
assert (32 < Int.max_unsigned) by (compute; auto). lia.
Qed.

Theorem eval_divuimm:
forall le e1 x n2 z,
eval_expr ge sp e m le e1 x ->
Val.divu x (Vint n2) = Some z ->
exists v, eval_expr ge sp e m le (divuimm e1 n2) v /\ Val.lessdef z v.
Proof.
unfold divuimm; intros. generalize H0; intros DIV.
destruct x; simpl in DIV; try discriminate.
destruct (Int.eq n2 Int.zero) eqn:Z2; inv DIV.
destruct (Int.is_power2 n2) as [l | ] eqn:P2.
- erewrite Int.divu_pow2 by eauto.
replace (Vint (Int.shru i l)) with (Val.shru (Vint i) (Vint l)).
apply eval_shruimm; auto.
simpl. erewrite Int.is_power2_range; eauto.
- destruct (Compopts.optim_for_size tt).
+ eapply eval_divu_base; eauto. EvalOp.
+ destruct (divu_mul_params (Int.unsigned n2)) as [[p M] | ] eqn:PARAMS.
* exists (Vint (Int.divu i n2)); split; auto.
econstructor; eauto. eapply eval_divu_mul; eauto.
* eapply eval_divu_base; eauto. EvalOp.
Qed.

Theorem eval_divu:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divu x y = Some z ->
exists v, eval_expr ge sp e m le (divu a b) v /\ Val.lessdef z v.
Proof.
unfold divu; intros.
destruct (is_intconst b) as [n2|] eqn:B.
- exploit is_intconst_sound; eauto. intros EB; clear B.
destruct (is_intconst a) as [n1|] eqn:A.
+ exploit is_intconst_sound; eauto. intros EA; clear A.
destruct (Int.eq n2 Int.zero) eqn:Z. eapply eval_divu_base; eauto.
subst. simpl in H1. rewrite Z in H1; inv H1.
TrivialExists.
+ subst. eapply eval_divuimm; eauto.
- eapply eval_divu_base; eauto.
Qed.

Lemma eval_mod_from_div:
forall le a n x y,
eval_expr ge sp e m le a (Vint y) ->
nth_error le O = Some (Vint x) ->
eval_expr ge sp e m le (mod_from_div a n) (Vint (Int.sub x (Int.mul y n))).
Proof.
unfold mod_from_div; intros.
exploit eval_mulimm; eauto. instantiate (1 := n). intros [v [A B]].
simpl in B. inv B. EvalOp.
Qed.

Theorem eval_moduimm:
forall le e1 x n2 z,
eval_expr ge sp e m le e1 x ->
Val.modu x (Vint n2) = Some z ->
exists v, eval_expr ge sp e m le (moduimm e1 n2) v /\ Val.lessdef z v.
Proof.
unfold moduimm; intros. generalize H0; intros MOD.
destruct x; simpl in MOD; try discriminate.
destruct (Int.eq n2 Int.zero) eqn:Z2; inv MOD.
destruct (Int.is_power2 n2) as [l | ] eqn:P2.
- erewrite Int.modu_and by eauto.
change (Vint (Int.and i (Int.sub n2 Int.one)))
with (Val.and (Vint i) (Vint (Int.sub n2 Int.one))).
apply eval_andimm. auto.
- destruct (Compopts.optim_for_size tt).
+ eapply eval_modu_base; eauto. EvalOp.
+ destruct (divu_mul_params (Int.unsigned n2)) as [[p M] | ] eqn:PARAMS.
* econstructor; split.
econstructor; eauto. eapply eval_mod_from_div.
eapply eval_divu_mul; eauto. simpl; eauto. simpl; eauto.
rewrite Int.modu_divu. auto.
red; intros; subst n2; discriminate.
* eapply eval_modu_base; eauto. EvalOp.
Qed.

Theorem eval_modu:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.modu x y = Some z ->
exists v, eval_expr ge sp e m le (modu a b) v /\ Val.lessdef z v.
Proof.
unfold modu; intros.
destruct (is_intconst b) as [n2|] eqn:B.
- exploit is_intconst_sound; eauto. intros EB; clear B.
destruct (is_intconst a) as [n1|] eqn:A.
+ exploit is_intconst_sound; eauto. intros EA; clear A.
destruct (Int.eq n2 Int.zero) eqn:Z. eapply eval_modu_base; eauto.
subst. simpl in H1. rewrite Z in H1; inv H1.
TrivialExists.
+ subst. eapply eval_moduimm; eauto.
- eapply eval_modu_base; eauto.
Qed.

Lemma eval_divs_mul:
forall le x y p M,
divs_mul_params (Int.signed y) = Some(p, M) ->
nth_error le O = Some (Vint x) ->
eval_expr ge sp e m le (divs_mul p M) (Vint (Int.divs x y)).
Proof.
intros. unfold divs_mul.
assert (C: eval_expr ge sp e m le (Eletvar 0) (Vint x)) by (apply eval_Eletvar; eauto).
assert (D: eval_expr ge sp e m le (Eop (Ointconst (Int.repr M)) Enil) (Vint (Int.repr M))) by EvalOp.
exploit eval_mulhs. eexact C. eexact D. intros (v & X & F). simpl in F; inv F.
exploit eval_shruimm. eexact C. instantiate (1 := Int.repr (Int.zwordsize - 1)).
intros [v1 [Y LD]]. simpl in LD.
change (Int.ltu (Int.repr 31) Int.iwordsize) with true in LD.
simpl in LD. inv LD.
assert (RANGE: 0 <= p < 32 -> Int.ltu (Int.repr p) Int.iwordsize = true).
{ intros. unfold Int.ltu. rewrite Int.unsigned_repr. rewrite zlt_true by tauto. auto.
assert (32 < Int.max_unsigned) by (compute; auto). lia. }
destruct (zlt M Int.half_modulus).
- exploit (divs_mul_shift_1 x); eauto. intros [A B].
exploit eval_shrimm. eexact X. instantiate (1 := Int.repr p). intros [v1 [Z LD]].
simpl in LD. rewrite RANGE in LD by auto. inv LD.
exploit eval_add. eexact Z. eexact Y. intros [v1 [W LD]].
simpl in LD. inv LD.
rewrite B. exact W.
- exploit (divs_mul_shift_2 x); eauto. intros [A B].
exploit eval_add. eexact X. eexact C. intros [v1 [Z LD]].
simpl in LD. inv LD.
exploit eval_shrimm. eexact Z. instantiate (1 := Int.repr p). intros [v1 [U LD]].
simpl in LD. rewrite RANGE in LD by auto. inv LD.
exploit eval_add. eexact U. eexact Y. intros [v1 [W LD]].
simpl in LD. inv LD.
rewrite B. exact W.
Qed.

Theorem eval_divsimm:
forall le e1 x n2 z,
eval_expr ge sp e m le e1 x ->
Val.divs x (Vint n2) = Some z ->
exists v, eval_expr ge sp e m le (divsimm e1 n2) v /\ Val.lessdef z v.
Proof.
unfold divsimm; intros. generalize H0; intros DIV.
destruct x; simpl in DIV; try discriminate.
destruct (Int.eq n2 Int.zero
|| Int.eq i (Int.repr Int.min_signed) && Int.eq n2 Int.mone) eqn:Z2; inv DIV.
destruct (Int.is_power2 n2) as [l | ] eqn:P2.
- destruct (Int.ltu l (Int.repr 31)) eqn:LT31.
+ eapply eval_shrximm; eauto. eapply Val.divs_pow2; eauto.
+ eapply eval_divs_base; eauto. EvalOp.
- destruct (Compopts.optim_for_size tt).
+ eapply eval_divs_base; eauto. EvalOp.
+ destruct (divs_mul_params (Int.signed n2)) as [[p M] | ] eqn:PARAMS.
* exists (Vint (Int.divs i n2)); split; auto.
econstructor; eauto. eapply eval_divs_mul; eauto.
* eapply eval_divs_base; eauto. EvalOp.
Qed.

Theorem eval_divs:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divs x y = Some z ->
exists v, eval_expr ge sp e m le (divs a b) v /\ Val.lessdef z v.
Proof.
unfold divs; intros.
destruct (is_intconst b) as [n2|] eqn:B.
- exploit is_intconst_sound; eauto. intros EB; clear B.
destruct (is_intconst a) as [n1|] eqn:A.
+ exploit is_intconst_sound; eauto. intros EA; clear A.
destruct (Int.eq n2 Int.zero) eqn:Z. eapply eval_divs_base; eauto.
subst. simpl in H1.
destruct (Int.eq n2 Int.zero || Int.eq n1 (Int.repr Int.min_signed) && Int.eq n2 Int.mone); inv H1.
TrivialExists.
+ subst. eapply eval_divsimm; eauto.
- eapply eval_divs_base; eauto.
Qed.

Theorem eval_modsimm:
forall le e1 x n2 z,
eval_expr ge sp e m le e1 x ->
Val.mods x (Vint n2) = Some z ->
exists v, eval_expr ge sp e m le (modsimm e1 n2) v /\ Val.lessdef z v.
Proof.
unfold modsimm; intros.
exploit Val.mods_divs; eauto. intros [y [A B]].
generalize A; intros DIV.
destruct x; simpl in DIV; try discriminate.
destruct (Int.eq n2 Int.zero
|| Int.eq i (Int.repr Int.min_signed) && Int.eq n2 Int.mone) eqn:Z2; inv DIV.
destruct (Int.is_power2 n2) as [l | ] eqn:P2.
- destruct (Int.ltu l (Int.repr 31)) eqn:LT31.
+ exploit (eval_shrximm prog sp e m (Vint i :: le) (Eletvar O)).
constructor. simpl; eauto. eapply Val.divs_pow2; eauto.
intros [v1 [X LD]]. inv LD.
econstructor; split. econstructor. eauto.
apply eval_mod_from_div. eexact X. simpl; eauto.
simpl. auto.
+ eapply eval_mods_base; eauto. EvalOp.
- destruct (Compopts.optim_for_size tt).
+ eapply eval_mods_base; eauto. EvalOp.
+ destruct (divs_mul_params (Int.signed n2)) as [[p M] | ] eqn:PARAMS.
* econstructor; split.
econstructor. eauto. apply eval_mod_from_div with (x := i); auto.
eapply eval_divs_mul with (x := i); eauto.
simpl. auto.
* eapply eval_mods_base; eauto. EvalOp.
Qed.

Theorem eval_mods:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.mods x y = Some z ->
exists v, eval_expr ge sp e m le (mods a b) v /\ Val.lessdef z v.
Proof.
unfold mods; intros.
destruct (is_intconst b) as [n2|] eqn:B.
- exploit is_intconst_sound; eauto. intros EB; clear B.
destruct (is_intconst a) as [n1|] eqn:A.
+ exploit is_intconst_sound; eauto. intros EA; clear A.
destruct (Int.eq n2 Int.zero) eqn:Z. eapply eval_mods_base; eauto.
subst. simpl in H1.
destruct (Int.eq n2 Int.zero || Int.eq n1 (Int.repr Int.min_signed) && Int.eq n2 Int.mone); inv H1.
TrivialExists.
+ subst. eapply eval_modsimm; eauto.
- eapply eval_mods_base; eauto.
Qed.

Lemma eval_modl_from_divl:
forall le a n x y,
eval_expr ge sp e m le a (Vlong y) ->
nth_error le O = Some (Vlong x) ->
eval_expr ge sp e m le (modl_from_divl a n) (Vlong (Int64.sub x (Int64.mul y n))).
Proof.
unfold modl_from_divl; intros.
exploit eval_mullimm; eauto. instantiate (1 := n). intros (v1 & A1 & B1).
assert (A0: eval_expr ge sp e m le (Eletvar O) (Vlong x)) by (constructor; auto).
exploit eval_subl ; auto ; try apply HELPERS. exact A0. exact A1.
intros (v2 & A2 & B2).
simpl in B1; inv B1. simpl in B2; inv B2. exact A2.
Qed.

Lemma eval_divlu_mull:
forall le x y p M,
divlu_mul_params (Int64.unsigned y) = Some(p, M) ->
nth_error le O = Some (Vlong x) ->
eval_expr ge sp e m le (divlu_mull p M) (Vlong (Int64.divu x y)).
Proof.
intros. unfold divlu_mull. exploit (divlu_mul_shift x); eauto. intros [A B].
assert (A0: eval_expr ge sp e m le (Eletvar O) (Vlong x)) by (constructor; auto).
exploit eval_mullhu. try apply HELPERS. eexact A0. instantiate (1 := Int64.repr M). intros (v1 & A1 & B1).
exploit eval_shrluimm. try apply HELPERS. eexact A1. instantiate (1 := Int.repr p). intros (v2 & A2 & B2).
simpl in B1; inv B1. simpl in B2. replace (Int.ltu (Int.repr p) Int64.iwordsize') with true in B2. inv B2.
rewrite B. assumption.
unfold Int.ltu. rewrite Int.unsigned_repr. rewrite zlt_true; auto. tauto.
assert (64 < Int.max_unsigned) by (compute; auto). lia.
Qed.

Theorem eval_divlu:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divlu x y = Some z ->
exists v, eval_expr ge sp e m le (divlu a b) v /\ Val.lessdef z v.
Proof.
unfold divlu; intros.
destruct (is_longconst b) as [n2|] eqn:N2.
- assert (y = Vlong n2) by (eapply is_longconst_sound; eauto). subst y.
destruct (is_longconst a) as [n1|] eqn:N1.
+ assert (x = Vlong n1) by (eapply is_longconst_sound; eauto). subst x.
simpl in H1. destruct (Int64.eq n2 Int64.zero); inv H1.
econstructor; split. apply eval_longconst. constructor.
+ destruct (Int64.is_power2' n2) as [l|] eqn:POW.
* exploit Val.divlu_pow2; eauto. intros EQ; subst z. apply eval_shrluimm; auto.
* destruct (Compopts.optim_for_size tt || _). eapply eval_divlu_base; eauto.
destruct (divlu_mul_params (Int64.unsigned n2)) as [[p M]|] eqn:PARAMS.
** destruct x; simpl in H1; try discriminate.
destruct (Int64.eq n2 Int64.zero); inv H1.
econstructor; split; eauto. econstructor. eauto. eapply eval_divlu_mull; eauto.
** eapply eval_divlu_base; eauto.
- eapply eval_divlu_base; eauto.
Qed.

Theorem eval_modlu:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.modlu x y = Some z ->
exists v, eval_expr ge sp e m le (modlu a b) v /\ Val.lessdef z v.
Proof.
unfold modlu; intros.
destruct (is_longconst b) as [n2|] eqn:N2.
- assert (y = Vlong n2) by (eapply is_longconst_sound; eauto). subst y.
destruct (is_longconst a) as [n1|] eqn:N1.
+ assert (x = Vlong n1) by (eapply is_longconst_sound; eauto). subst x.
simpl in H1. destruct (Int64.eq n2 Int64.zero); inv H1.
econstructor; split. apply eval_longconst. constructor.
+ destruct (Int64.is_power2 n2) as [l|] eqn:POW.
* exploit Val.modlu_pow2; eauto. intros EQ; subst z. eapply eval_andl; eauto. apply eval_longconst.
* destruct (Compopts.optim_for_size tt || _). eapply eval_modlu_base; eauto.
destruct (divlu_mul_params (Int64.unsigned n2)) as [[p M]|] eqn:PARAMS.
** destruct x; simpl in H1; try discriminate.
destruct (Int64.eq n2 Int64.zero) eqn:Z; inv H1.
rewrite Int64.modu_divu.
econstructor; split; eauto. econstructor. eauto.
eapply eval_modl_from_divl; eauto.
eapply eval_divlu_mull; eauto.
red; intros; subst n2; discriminate Z.
** eapply eval_modlu_base; eauto.
- eapply eval_modlu_base; eauto.
Qed.

Lemma eval_divls_mull:
forall le x y p M,
divls_mul_params (Int64.signed y) = Some(p, M) ->
nth_error le O = Some (Vlong x) ->
eval_expr ge sp e m le (divls_mull p M) (Vlong (Int64.divs x y)).
Proof.
intros. unfold divls_mull.
assert (A0: eval_expr ge sp e m le (Eletvar O) (Vlong x)).
{ constructor; auto. }
exploit eval_mullhs. try apply HELPERS. eexact A0. instantiate (1 := Int64.repr M). intros (v1 & A1 & B1).
exploit eval_addl. auto. eexact A1. eexact A0. intros (v2 & A2 & B2).
exploit eval_shrluimm. try apply HELPERS. eexact A0. instantiate (1 := Int.repr 63). intros (v3 & A3 & B3).
set (a4 := if zlt M Int64.half_modulus
then mullhs (Eletvar 0) (Int64.repr M)
else addl (mullhs (Eletvar 0) (Int64.repr M)) (Eletvar 0)).
set (v4 := if zlt M Int64.half_modulus then v1 else v2).
assert (A4: eval_expr ge sp e m le a4 v4).
{ unfold a4, v4; destruct (zlt M Int64.half_modulus); auto. }
exploit eval_shrlimm. try apply HELPERS. eexact A4. instantiate (1 := Int.repr p). intros (v5 & A5 & B5).
exploit eval_addl. auto. eexact A5. eexact A3. intros (v6 & A6 & B6).
assert (RANGE: forall x, 0 <= x < 64 -> Int.ltu (Int.repr x) Int64.iwordsize' = true).
{ intros. unfold Int.ltu. rewrite Int.unsigned_repr. rewrite zlt_true by tauto. auto.
assert (64 < Int.max_unsigned) by (compute; auto). lia. }
simpl in B1; inv B1.
simpl in B2; inv B2.
simpl in B3; rewrite RANGE in B3 by lia; inv B3.
destruct (zlt M Int64.half_modulus).
- exploit (divls_mul_shift_1 x); eauto. intros [A B].
simpl in B5; rewrite RANGE in B5 by auto; inv B5.
simpl in B6; inv B6.
rewrite B; exact A6.
- exploit (divls_mul_shift_2 x); eauto. intros [A B].
simpl in B5; rewrite RANGE in B5 by auto; inv B5.
simpl in B6; inv B6.
rewrite B; exact A6.
Qed.

Theorem eval_divls:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divls x y = Some z ->
exists v, eval_expr ge sp e m le (divls a b) v /\ Val.lessdef z v.
Proof.
unfold divls; intros.
destruct (is_longconst b) as [n2|] eqn:N2.
- assert (y = Vlong n2) by (eapply is_longconst_sound; eauto). subst y.
destruct (is_longconst a) as [n1|] eqn:N1.
+ assert (x = Vlong n1) by (eapply is_longconst_sound; eauto). subst x.
simpl in H1.
destruct (Int64.eq n2 Int64.zero
|| Int64.eq n1 (Int64.repr Int64.min_signed) && Int64.eq n2 Int64.mone); inv H1.
econstructor; split. apply eval_longconst. constructor.
+ destruct (Int64.is_power2' n2) as [l|] eqn:POW.
* destruct (Int.ltu l (Int.repr 63)) eqn:LT.
** exploit Val.divls_pow2; eauto. intros EQ. eapply eval_shrxlimm; eauto.
** eapply eval_divls_base; eauto.
* destruct (Compopts.optim_for_size tt || _). eapply eval_divls_base; eauto.
destruct (divls_mul_params (Int64.signed n2)) as [[p M]|] eqn:PARAMS.
** destruct x; simpl in H1; try discriminate.
destruct (Int64.eq n2 Int64.zero
|| Int64.eq i (Int64.repr Int64.min_signed) && Int64.eq n2 Int64.mone); inv H1.
econstructor; split; eauto. econstructor. eauto.
eapply eval_divls_mull; eauto.
** eapply eval_divls_base; eauto.
- eapply eval_divls_base; eauto.
Qed.

Theorem eval_modls:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.modls x y = Some z ->
exists v, eval_expr ge sp e m le (modls a b) v /\ Val.lessdef z v.
Proof.
unfold modls; intros.
destruct (is_longconst b) as [n2|] eqn:N2.
- assert (y = Vlong n2) by (eapply is_longconst_sound; eauto). subst y.
destruct (is_longconst a) as [n1|] eqn:N1.
+ assert (x = Vlong n1) by (eapply is_longconst_sound; eauto). subst x.
simpl in H1.
destruct (Int64.eq n2 Int64.zero
|| Int64.eq n1 (Int64.repr Int64.min_signed) && Int64.eq n2 Int64.mone); inv H1.
econstructor; split. apply eval_longconst. constructor.
+ destruct (Int64.is_power2' n2) as [l|] eqn:POW.
* destruct (Int.ltu l (Int.repr 63)) eqn:LT.
**destruct x; simpl in H1; try discriminate.
destruct (Int64.eq n2 Int64.zero
|| Int64.eq i (Int64.repr Int64.min_signed) && Int64.eq n2 Int64.mone) eqn:D; inv H1.
assert (Val.divls (Vlong i) (Vlong n2) = Some (Vlong (Int64.divs i n2))).
{ simpl; rewrite D; auto. }
exploit Val.divls_pow2; eauto. intros EQ.
set (le' := Vlong i :: le).
assert (A: eval_expr ge sp e m le' (Eletvar O) (Vlong i)) by (constructor; auto).
exploit eval_shrxlimm; eauto. intros (v1 & A1 & B1). inv B1.
econstructor; split.
econstructor. eauto. eapply eval_modl_from_divl. eexact A1. reflexivity.
rewrite Int64.mods_divs. auto.
**eapply eval_modls_base; eauto.
* destruct (Compopts.optim_for_size tt || _). eapply eval_modls_base; eauto.
destruct (divls_mul_params (Int64.signed n2)) as [[p M]|] eqn:PARAMS.
** destruct x; simpl in H1; try discriminate.
destruct (Int64.eq n2 Int64.zero
|| Int64.eq i (Int64.repr Int64.min_signed) && Int64.eq n2 Int64.mone); inv H1.
econstructor; split; eauto. econstructor. eauto.
rewrite Int64.mods_divs.
eapply eval_modl_from_divl; auto.
eapply eval_divls_mull; eauto.
** eapply eval_modls_base; eauto.
- eapply eval_modls_base; eauto.
Qed.

# Floating-point division

Theorem eval_divf:
forall le a b x y,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
exists v, eval_expr ge sp e m le (divf a b) v /\ Val.lessdef (Val.divf x y) v.
Proof.
intros until y. unfold divf. destruct (divf_match b); intros.
- unfold divfimm. destruct (Float.exact_inverse n2) as [n2' | ] eqn:EINV.
+ inv H0. inv H4. simpl in H6. inv H6. econstructor; split.
repeat (econstructor; eauto).
destruct x; simpl; auto. erewrite Float.div_mul_inverse; eauto.
+ apply eval_divf_base; trivial.
- apply eval_divf_base; trivial.
Qed.

Theorem eval_divfs:
forall le a b x y,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
exists v, eval_expr ge sp e m le (divfs a b) v /\ Val.lessdef (Val.divfs x y) v.
Proof.
intros until y. unfold divfs. destruct (divfs_match b); intros.
- unfold divfsimm. destruct (Float32.exact_inverse n2) as [n2' | ] eqn:EINV.
+ inv H0. inv H4. simpl in H6. inv H6. econstructor; split.
repeat (econstructor; eauto).
destruct x; simpl; auto. erewrite Float32.div_mul_inverse; eauto.
+ apply eval_divfs_base; trivial.
- apply eval_divfs_base; trivial.
Qed.

Lemma divu_exact_is_divu:
forall x y z,
Val.divu_exact x y = Some z -> Val.divu x y = Some z.
Proof.
destruct x; cbn; intros; try discriminate.
destruct y; cbn; intros; try discriminate.
unfold Int.divu_exact in *.
unfold Int.eq. change (Int.unsigned Int.zero) with 0.
destruct zeq; cbn in *. discriminate.
destruct zeq; cbn in *. 2: discriminate.
exact H.
Qed.

Theorem eval_divu_exact_imm:
forall le a x n2 z,
eval_expr ge sp e m le a x ->
Val.divu_exact x (Vint n2) = Some z ->
exists v : val,
eval_expr ge sp e m le (divu_exact_imm a n2) v /\ Val.lessdef z v.
Proof.
intros.
destruct x; cbn in H0; try discriminate.
unfold divu_exact_imm.
pose proof (Int.divu_exact_expand i n2) as EXPAND.
unfold Int.divu_exact in *.
destruct zeq as [ZERO | NONZERO]; cbn in *. discriminate.
destruct zeq; cbn in *. 2: discriminate.
inv H0.
assert (- two_power_nat Int.wordsize < Int.unsigned n2 < two_power_nat Int.wordsize) as RANGE.
{ pose proof (Int.unsigned_range n2).
unfold Int.modulus in *. lia. }
pose proof (Zmax_two_power_range (Int.unsigned n2) _ NONZERO RANGE) as PWR_RANGE.
clear RANGE.
destruct Zmax_two_power. cbn in PWR_RANGE.
set (inv := (multiplicative_inverse Int.modulus z0)).
exploit (eval_shruimm prog sp e m (Int.repr z)). exact H.
intros (v1 & EVAL1 & LESSDEF1).
cbn in LESSDEF1.
unfold Int.ltu in LESSDEF1.
change (Int.unsigned Int.iwordsize) with 32 in LESSDEF1.
destruct zlt in LESSDEF1; cycle 1.
{ rewrite Int.unsigned_repr in g; cycle 1.
{ change Int.max_unsigned with 4294967295. lia. }
lia.
}
inv LESSDEF1.
exploit (eval_mulimm prog sp e m (Int.repr inv)). exact EVAL1.
intros (v& EVAL2 & LESSDEF2). cbn in LESSDEF2.
fold inv in EXPAND. rewrite <- EXPAND in LESSDEF2.
exists v. auto.
Qed.

Theorem eval_divu_exact:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divu_exact x y = Some z ->
exists v, eval_expr ge sp e m le (divu_exact a b) v /\ Val.lessdef z v.
Proof.
intros.
unfold divu_exact.
destruct (divu_exact_match a b); cycle 1.
{ eapply eval_divu. eassumption. eassumption.
apply divu_exact_is_divu. assumption. }
inv H0. inv H5. inv H7.
exploit eval_divu_exact_imm. exact H. exact H1. auto.
Qed.

Lemma exact_div_rounding_indifferent:
forall x y (MOD : x mod y = 0), (x รท y) = (x / y).
Proof.
intros.
destruct (zlt 0 y).
- destruct (zle 0 x).
+ apply Zquot_Zdiv_pos; lia.
+ replace x with (- - x) at 1 by lia.
rewrite Zquot_opp_l.
rewrite Zquot_Zdiv_pos by lia.
rewrite Z_div_zero_opp_full by assumption.
lia.
- replace y with (- - y) at 1 by lia.
rewrite Zquot_opp_r.
destruct (zle 0 x).
+ rewrite Zquot_Zdiv_pos by lia.
rewrite Z_div_zero_opp_r by lia.
lia.
+ replace x with (- - x) at 1 by lia.
rewrite Zquot_opp_l.
rewrite Zquot_Zdiv_pos by lia.
rewrite Zdiv_opp_opp. lia.
Qed.

Lemma divs_exact_is_divs:
forall x y z,
Val.divs_exact x y = Some z -> Val.divs x y = Some z.
Proof.
destruct x; cbn; intros; try discriminate.
destruct y; cbn; intros; try discriminate.
unfold Int.divs_exact in *.
unfold Int.eq in *.
destruct (_ && _) eqn:BAD. discriminate.
change (Int.unsigned Int.zero) with 0.
destruct (zeq (Int.unsigned i0) 0).
{ destruct (zeq (Int.signed i0) 0). discriminate.
apply Int.signed_0_unsigned_0 in e0. contradiction. }
destruct (zeq (Int.signed i0) 0); cbn in H. discriminate.
cbn. destruct zeq in H; cbn in H. 2: discriminate.
inv H. unfold Int.divs.
f_equal. f_equal. f_equal.
apply exact_div_rounding_indifferent. assumption.
Qed.

Theorem eval_divs_exact_imm:
forall le a x n2 z,
eval_expr ge sp e m le a x ->
Val.divs_exact x (Vint n2) = Some z ->
exists v : val,
eval_expr ge sp e m le (divs_exact_imm a n2) v /\ Val.lessdef z v.
Proof.
intros.
destruct x; cbn in H0; try discriminate.
unfold divs_exact_imm.
pose proof (Int.divs_exact_expand i n2) as EXPAND.
unfold Int.divs_exact in *.
destruct (_ && _) eqn:BAD in H0. discriminate.
destruct (zeq (Int.signed n2) 0) as [ZERO | NONZERO]; cbn in *. discriminate.
destruct zeq; cbn in *. 2: discriminate.
inv H0.
assert (- two_power_nat Int.wordsize < Int.signed n2 < two_power_nat Int.wordsize) as RANGE.
{ pose proof (Int.signed_range n2).
unfold Int.min_signed, Int.max_signed in *.
change Int.half_modulus with 2147483648 in *.
change (two_power_nat Int.wordsize) with 4294967296. lia. }
pose proof (Zmax_two_power_range (Int.signed n2) _ NONZERO RANGE) as PWR_RANGE.
clear RANGE.
destruct Zmax_two_power. cbn in PWR_RANGE.
set (inv := (multiplicative_inverse Int.modulus z0)).
exploit (eval_shrimm prog sp e m (Int.repr z)). exact H.
intros (v1 & EVAL1 & LESSDEF1).
cbn in LESSDEF1.
unfold Int.ltu in LESSDEF1.
change (Int.unsigned Int.iwordsize) with 32 in LESSDEF1.
destruct zlt in LESSDEF1; cycle 1.
{ rewrite Int.unsigned_repr in g; cycle 1.
{ change Int.max_unsigned with 4294967295. lia. }
lia.
}
inv LESSDEF1.
exploit (eval_mulimm prog sp e m (Int.repr inv)). exact EVAL1.
intros (v& EVAL2 & LESSDEF2). cbn in LESSDEF2.
fold inv in EXPAND. rewrite <- EXPAND in LESSDEF2.
exists v; auto.
Qed.

Theorem eval_divs_exact:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divs_exact x y = Some z ->
exists v, eval_expr ge sp e m le (divs_exact a b) v /\ Val.lessdef z v.
Proof.
intros.
unfold divs_exact.
destruct (divs_exact_match a b); cycle 1.
{ eapply eval_divs. eassumption. eassumption.
apply divs_exact_is_divs. assumption. }
inv H0. inv H5. inv H7.
exploit eval_divs_exact_imm. exact H. exact H1. auto.
Qed.

Lemma divlu_exact_is_divlu:
forall x y z,
Val.divlu_exact x y = Some z -> Val.divlu x y = Some z.
Proof.
destruct x; cbn; intros; try discriminate.
destruct y; cbn; intros; try discriminate.
unfold Int64.divu_exact in *.
unfold Int64.eq. change (Int64.unsigned Int64.zero) with 0.
destruct zeq; cbn in *. discriminate.
destruct zeq; cbn in *. 2: discriminate.
exact H.
Qed.

Theorem eval_divlu_exact_imm:
forall le a x n2 z,
eval_expr ge sp e m le a x ->
Val.divlu_exact x (Vlong n2) = Some z ->
exists v : val,
eval_expr ge sp e m le (divlu_exact_imm a n2) v /\ Val.lessdef z v.
Proof.
intros.
destruct x; cbn in H0; try discriminate.
unfold divlu_exact_imm.
pose proof (Int64.divu_exact_expand i n2) as EXPAND.
unfold Int64.divu_exact in *.
destruct zeq as [ZERO | NONZERO]; cbn in *. discriminate.
destruct zeq; cbn in *. 2: discriminate.
inv H0.
assert (- two_power_nat Int64.wordsize < Int64.unsigned n2 < two_power_nat Int64.wordsize) as RANGE.
{ pose proof (Int64.unsigned_range n2).
unfold Int64.modulus in *. lia. }
pose proof (Zmax_two_power_range (Int64.unsigned n2) _ NONZERO RANGE) as PWR_RANGE.
clear RANGE.
destruct Zmax_two_power. cbn in PWR_RANGE.
set (inv := (multiplicative_inverse Int64.modulus z0)).
exploit eval_shrluimm; try eassumption.
instantiate (1 := (Int.repr z)).
intros (v1 & EVAL1 & LESSDEF1).
cbn in LESSDEF1.
unfold Int.ltu in LESSDEF1.
change (Int.unsigned Int64.iwordsize') with 64 in LESSDEF1.
destruct zlt in LESSDEF1; cycle 1.
{ rewrite Int.unsigned_repr in g; cycle 1.
{ change Int.max_unsigned with 4294967295. lia. }
lia.
}
inv LESSDEF1.
exploit eval_mullimm; try eassumption.
instantiate (1 := Int64.repr inv).
intros (v& EVAL2 & LESSDEF2). cbn in LESSDEF2.
fold inv in EXPAND.
unfold Int64.shru in EXPAND.
rewrite Int64.unsigned_repr in EXPAND; cycle 1.
{ change Int64.max_unsigned with 18446744073709551615. lia. }
unfold Int64.shru' in LESSDEF2.
rewrite Int.unsigned_repr in LESSDEF2; cycle 1.
{ change Int.max_unsigned with 4294967295. lia. }
fold inv in EXPAND.
rewrite <- EXPAND in LESSDEF2.
exists v. auto.
Qed.

Theorem eval_divlu_exact:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divlu_exact x y = Some z ->
exists v, eval_expr ge sp e m le (divlu_exact a b) v /\ Val.lessdef z v.
Proof.
intros. unfold divlu_exact.
destruct is_longconst eqn:CONST.
{ exploit is_longconst_sound. exact CONST. exact H0.
intro EQy. subst y.
exploit eval_divlu_exact_imm. exact H. eassumption.
auto.
}
pose proof (divlu_exact_is_divlu _ _ _ H1) as DIV.
exploit eval_divlu. exact H. exact H0. eassumption.
auto.
Qed.

Lemma divls_exact_is_divls:
forall x y z,
Val.divls_exact x y = Some z -> Val.divls x y = Some z.
Proof.
destruct x; cbn; intros; try discriminate.
destruct y; cbn; intros; try discriminate.
unfold Int64.divs_exact in *.
unfold Int64.eq in *.
destruct (_ && _) eqn:BAD. discriminate.
change (Int64.unsigned Int64.zero) with 0.
destruct (zeq (Int64.unsigned i0) 0).
{ destruct (zeq (Int64.signed i0) 0). discriminate.
apply Int64.signed_0_unsigned_0 in e0. contradiction. }
destruct (zeq (Int64.signed i0) 0); cbn in H. discriminate.
cbn. destruct zeq in H; cbn in H. 2: discriminate.
inv H. unfold Int64.divs.
f_equal. f_equal. f_equal.
apply exact_div_rounding_indifferent. assumption.
Qed.

Theorem eval_divls_exact_imm:
forall le a x n2 z,
eval_expr ge sp e m le a x ->
Val.divls_exact x (Vlong n2) = Some z ->
exists v : val,
eval_expr ge sp e m le (divls_exact_imm a n2) v /\ Val.lessdef z v.
Proof.
intros.
destruct x; cbn in H0; try discriminate.
unfold divls_exact_imm.
pose proof (Int64.divs_exact_expand i n2) as EXPAND.
unfold Int64.divs_exact in *.
destruct (_ && _) eqn:BAD in H0. discriminate.
destruct (zeq (Int64.signed n2) 0) as [ZERO | NONZERO]; cbn in *. discriminate.
destruct zeq; cbn in *. 2: discriminate.
inv H0.
assert (- two_power_nat Int64.wordsize < Int64.signed n2 < two_power_nat Int64.wordsize) as RANGE.
{ pose proof (Int64.signed_range n2).
unfold Int64.min_signed, Int64.max_signed in *.
change Int64.half_modulus with 9223372036854775808 in *.
change (two_power_nat Int64.wordsize) with 18446744073709551616. lia. }
pose proof (Zmax_two_power_range (Int64.signed n2) _ NONZERO RANGE) as PWR_RANGE.
clear RANGE.
destruct Zmax_two_power. cbn in PWR_RANGE.
set (inv := (multiplicative_inverse Int64.modulus z0)).
exploit eval_shrlimm; try eassumption.
instantiate (1 := Int.repr z).
intros (v1 & EVAL1 & LESSDEF1).
cbn in LESSDEF1.
unfold Int.ltu in LESSDEF1.
change (Int.unsigned Int64.iwordsize') with 64 in LESSDEF1.
destruct zlt in LESSDEF1; cycle 1.
{ rewrite Int.unsigned_repr in g; cycle 1.
{ change Int.max_unsigned with 4294967295. lia. }
lia.
}
inv LESSDEF1.
exploit eval_mullimm; try eassumption.
instantiate (1 := Int64.repr inv).
intros (v& EVAL2 & LESSDEF2). cbn in LESSDEF2.
fold inv in EXPAND. fold inv.
unfold Int64.shr in EXPAND.
rewrite Int64.unsigned_repr in EXPAND; cycle 1.
{ change Int64.max_unsigned with 18446744073709551615. lia. }
unfold Int64.shr' in LESSDEF2.
rewrite Int.unsigned_repr in LESSDEF2; cycle 1.
{ change Int.max_unsigned with 4294967295. lia. }
rewrite <- EXPAND in LESSDEF2.
exists v; auto.
Qed.

Theorem eval_divls_exact:
forall le a b x y z,
eval_expr ge sp e m le a x ->
eval_expr ge sp e m le b y ->
Val.divls_exact x y = Some z ->
exists v, eval_expr ge sp e m le (divls_exact a b) v /\ Val.lessdef z v.
Proof.
intros. unfold divls_exact.
destruct is_longconst eqn:CONST.
{ exploit is_longconst_sound. exact CONST. exact H0.
intro EQy. subst y.
exploit eval_divls_exact_imm. exact H. eassumption.
auto.
}
pose proof (divls_exact_is_divls _ _ _ H1) as DIV.
exploit eval_divls. exact H. exact H0. eassumption.
auto.
Qed.

End CMCONSTRS.