From 273b7540b2ad6288344869a7e2324de376aada5a Mon Sep 17 00:00:00 2001 From: Siddharth Date: Thu, 12 Sep 2024 08:19:39 -0500 Subject: [PATCH] feat: toNat_sub_of_le (#5314) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This adds a simplification lemma for `(x - y).toNat` when the subtraction is known to not overflow (i.e., `y ≤ x`). We make a new section for this for two reasons: 1. Definitions of subtraction occur before the definition of `BitVec.le_def`, so we cannot directly place this lemma at `sub`. 2. There are other theorems of this kind, for addition and multiplication, which can morally live in the same section. --- src/Init/Data/BitVec/Lemmas.lean | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/Init/Data/BitVec/Lemmas.lean b/src/Init/Data/BitVec/Lemmas.lean index 31d2235808..4873b07e3b 100644 --- a/src/Init/Data/BitVec/Lemmas.lean +++ b/src/Init/Data/BitVec/Lemmas.lean @@ -2046,4 +2046,20 @@ theorem getLsbD_intMax (w : Nat) : (intMax w).getLsbD i = decide (i + 1 < w) := · simp [h] · rw [Nat.sub_add_cancel (Nat.two_pow_pos (w - 1)), Nat.two_pow_pred_mod_two_pow (by omega)] + +/-! ### Non-overflow theorems -/ + +/-- +If `y ≤ x`, then the subtraction `(x - y)` does not overflow. +Thus, `(x - y).toNat = x.toNat - y.toNat` +-/ +theorem toNat_sub_of_le {x y : BitVec n} (h : y ≤ x) : + (x - y).toNat = x.toNat - y.toNat := by + simp only [toNat_sub] + rw [BitVec.le_def] at h + by_cases h' : x.toNat = y.toNat + · rw [h', Nat.sub_self, Nat.sub_add_cancel (by omega), Nat.mod_self] + · have : 2 ^ n - y.toNat + x.toNat = 2 ^ n + (x.toNat - y.toNat) := by omega + rw [this, Nat.add_mod_left, Nat.mod_eq_of_lt (by omega)] + end BitVec