chore: fix test

oops, add missing file

missing prelude

.github/workflows/actionlint.yml

@@ -0,0 +1,22 @@
+name: Actionlint
+on:
+  push:
+    branches:
+      - 'master'
+    paths:
+      - '.github/**'
+  pull_request:
+    paths:
+      - '.github/**'
+  merge_group:
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: actionlint
+      uses: raven-actions/actionlint@v1
+      with:
+        pyflakes: false # we do not use python scripts

.github/workflows/ci.yml

@@ -46,7 +46,7 @@ jobs:
             github.event_name == 'pull_request' && !contains( github.event.pull_request.labels.*.name, 'full-ci')
            }}
         run: |
-          echo "quick=${{env.quick}}" >> $GITHUB_OUTPUT
+          echo "quick=${{env.quick}}" >> "$GITHUB_OUTPUT"
 
       - name: Configure build matrix
         id: set-matrix
@@ -124,10 +124,11 @@ jobs:
                 "release": true,
                 "quick": false,
                 "cross": true,
+                "cross_target": "aarch64-apple-darwin",
                 "shell": "bash -euxo pipefail {0}",
                 "CMAKE_OPTIONS": "-DUSE_GMP=OFF -DLEAN_INSTALL_SUFFIX=-darwin_aarch64",
                 "llvm-url": "https://github.com/leanprover/lean-llvm/releases/download/15.0.1/lean-llvm-aarch64-apple-darwin.tar.zst https://github.com/leanprover/lean-llvm/releases/download/15.0.1/lean-llvm-x86_64-apple-darwin.tar.zst",
-                "prepare-llvm": "EXTRA_FLAGS=--target=aarch64-apple-darwin ../script/prepare-llvm-macos.sh lean-llvm-aarch64-* lean-llvm-x86_64-*",
+                "prepare-llvm": "../script/prepare-llvm-macos.sh lean-llvm-aarch64-* lean-llvm-x86_64-*",
                 "binary-check": "otool -L",
                 "tar": "gtar" // https://github.com/actions/runner-images/issues/2619
               },
@@ -151,9 +152,10 @@ jobs:
                 "release": true,
                 "quick": false,
                 "cross": true,
+                "cross_target": "aarch64-unknown-linux-gnu",
                 "shell": "nix-shell --arg pkgsDist \"import (fetchTarball \\\"channel:nixos-19.03\\\") {{ localSystem.config = \\\"aarch64-unknown-linux-gnu\\\"; }}\" --run \"bash -euxo pipefail {0}\"",
                 "llvm-url": "https://github.com/leanprover/lean-llvm/releases/download/15.0.1/lean-llvm-x86_64-linux-gnu.tar.zst https://github.com/leanprover/lean-llvm/releases/download/15.0.1/lean-llvm-aarch64-linux-gnu.tar.zst",
-                "prepare-llvm": "EXTRA_FLAGS=--target=aarch64-unknown-linux-gnu ../script/prepare-llvm-linux.sh lean-llvm-aarch64-* lean-llvm-x86_64-*"
+                "prepare-llvm": "../script/prepare-llvm-linux.sh lean-llvm-aarch64-* lean-llvm-x86_64-*"
               },
               {
                 "name": "Linux 32bit",
@@ -201,8 +203,8 @@ jobs:
             git fetch nightly --tags
             LEAN_VERSION_STRING="nightly-$(date -u +%F)"
             # do nothing if commit already has a different tag
-            if [[ $(git name-rev --name-only --tags --no-undefined HEAD 2> /dev/null || echo $LEAN_VERSION_STRING) == $LEAN_VERSION_STRING ]]; then
-              echo "nightly=$LEAN_VERSION_STRING" >> $GITHUB_OUTPUT
+            if [[ "$(git name-rev --name-only --tags --no-undefined HEAD 2> /dev/null || echo "$LEAN_VERSION_STRING")" == "$LEAN_VERSION_STRING" ]]; then
+              echo "nightly=$LEAN_VERSION_STRING" >> "$GITHUB_OUTPUT"
             fi
           fi
 
@@ -210,7 +212,7 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/') && github.repository == 'leanprover/lean4'
         id: set-release
         run: |
-          TAG_NAME=${GITHUB_REF##*/}
+          TAG_NAME="${GITHUB_REF##*/}"
 
           # From https://github.com/fsaintjacques/semver-tool/blob/master/src/semver
 
@@ -227,11 +229,13 @@ jobs:
 
           if [[ ${TAG_NAME} =~ ${SEMVER_REGEX} ]]; then
             echo "Tag ${TAG_NAME} matches SemVer regex, with groups ${BASH_REMATCH[1]} ${BASH_REMATCH[2]} ${BASH_REMATCH[3]} ${BASH_REMATCH[4]}"
-            echo "LEAN_VERSION_MAJOR=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
-            echo "LEAN_VERSION_MINOR=${BASH_REMATCH[2]}" >> $GITHUB_OUTPUT
-            echo "LEAN_VERSION_PATCH=${BASH_REMATCH[3]}" >> $GITHUB_OUTPUT
-            echo "LEAN_SPECIAL_VERSION_DESC=${BASH_REMATCH[4]##-}" >> $GITHUB_OUTPUT
-            echo "RELEASE_TAG=$TAG_NAME" >> $GITHUB_OUTPUT
+            {
+              echo "LEAN_VERSION_MAJOR=${BASH_REMATCH[1]}"
+              echo "LEAN_VERSION_MINOR=${BASH_REMATCH[2]}"
+              echo "LEAN_VERSION_PATCH=${BASH_REMATCH[3]}"
+              echo "LEAN_SPECIAL_VERSION_DESC=${BASH_REMATCH[4]##-}"
+              echo "RELEASE_TAG=$TAG_NAME"
+            } >> "$GITHUB_OUTPUT"
           else
             echo "Tag ${TAG_NAME} did not match SemVer regex."
           fi
@@ -319,9 +323,15 @@ jobs:
           mkdir build
           cd build
           ulimit -c unlimited # coredumps
+          # arguments passed to `cmake`
           # this also enables githash embedding into stage 1 library
           OPTIONS=(-DCHECK_OLEAN_VERSION=ON)
           OPTIONS+=(-DLEAN_EXTRA_MAKE_OPTS=-DwarningAsError=true)
+          if [[ -n '${{ matrix.cross_target }}' ]]; then
+            # used by `prepare-llvm`
+            export EXTRA_FLAGS=--target=${{ matrix.cross_target }}
+            OPTIONS+=(-DLEAN_PLATFORM_TARGET=${{ matrix.cross_target }})
+          fi
           if [[ -n '${{ matrix.prepare-llvm }}' ]]; then
             wget -q ${{ matrix.llvm-url }}
             PREPARE="$(${{ matrix.prepare-llvm }})"
@@ -405,7 +415,7 @@ jobs:
       - name: CCache stats
         run: ccache -s
       - name: Show stacktrace for coredumps
-        if: ${{ failure() }} && matrix.os == 'ubuntu-latest'
+        if: ${{ failure() && matrix.os == 'ubuntu-latest' }}
         run: |
           for c in coredumps/*; do
             progbin="$(file $c | sed "s/.*execfn: '\([^']*\)'.*/\1/")"
@@ -413,7 +423,7 @@ jobs:
           done
       - name: Upload coredumps
         uses: actions/upload-artifact@v3
-        if: ${{ failure() }} && matrix.os == 'ubuntu-latest'
+        if: ${{ failure() && matrix.os == 'ubuntu-latest' }}
         with:
           name: coredumps-${{ matrix.name }}
           path: |
@@ -480,16 +490,16 @@ jobs:
         run: |
           git remote add nightly https://foo:'${{ secrets.PUSH_NIGHTLY_TOKEN }}'@github.com/${{ github.repository_owner }}/lean4-nightly.git
           git fetch nightly --tags
-          git tag ${{ needs.configure.outputs.nightly }}
-          git push nightly ${{ needs.configure.outputs.nightly }}
+          git tag "${{ needs.configure.outputs.nightly }}"
+          git push nightly "${{ needs.configure.outputs.nightly }}"
           git push -f origin refs/tags/${{ needs.configure.outputs.nightly }}:refs/heads/nightly
-          last_tag=$(git log HEAD^ --simplify-by-decoration --pretty="format:%d" | grep -o "nightly-[-0-9]*" | head -n 1)
+          last_tag="$(git log HEAD^ --simplify-by-decoration --pretty="format:%d" | grep -o "nightly-[-0-9]*" | head -n 1)"
           echo -e "*Changes since ${last_tag}:*\n\n" > diff.md
-          git show $last_tag:RELEASES.md > old.md
+          git show "$last_tag":RELEASES.md > old.md
           #./script/diff_changelogs.py old.md doc/changes.md >> diff.md
           diff --changed-group-format='%>' --unchanged-group-format='' old.md RELEASES.md >> diff.md || true
           echo -e "\n*Full commit log*\n" >> diff.md
-          git log --oneline $last_tag..HEAD | sed 's/^/* /' >> diff.md
+          git log --oneline "$last_tag"..HEAD | sed 's/^/* /' >> diff.md
       - name: Release Nightly
         uses: softprops/action-gh-release@v1
         with:

.github/workflows/nix-ci.yml

@@ -90,6 +90,14 @@ jobs:
           # https://github.com/netlify/cli/issues/1809
           cp -r --dereference ./result ./dist
         if: matrix.name == 'Nix Linux'
+      - name: Check manual for broken links
+        id: lychee
+        uses: lycheeverse/lychee-action@v1.9.0
+        with:
+          fail: false  # report errors but do not block CI on temporary failures
+          # gmplib.org consistently times out from GH actions
+          # the GitHub token is to avoid rate limiting
+          args: --base './dist' --no-progress --github-token ${{ secrets.GITHUB_TOKEN }} --exclude 'gmplib.org' './dist/**/*.html'
       - name: Push to Cachix
         run: |
           [ -z "${{ secrets.CACHIX_AUTH_TOKEN }}" ] || cachix push -j4 lean4 ./push-* || true
@@ -97,13 +105,6 @@ jobs:
         run: |
           rm -rf nix-store-cache || true
           nix copy ./push-* --to file://$PWD/nix-store-cache?compression=none
-      - name: Publish manual to GH Pages
-        uses: peaceiris/actions-gh-pages@v3
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: ./result
-          destination_dir: ./doc
-        if: matrix.name == 'Nix Linux' && github.ref == 'refs/heads/master' && github.event_name == 'push'
       - id: deploy-info
         name: Compute Deployment Metadata
         run: |
@@ -112,6 +113,7 @@ jobs:
           echo "message=`git log -1 --pretty=format:"%s"`" >> "$GITHUB_OUTPUT"
       - name: Publish manual to Netlify
         uses: nwtgck/actions-netlify@v2.0
+        id: publish-manual
         with:
           publish-dir: ./dist
           production-branch: master

.github/workflows/pr-release.yml

@@ -6,6 +6,10 @@
 # Instead we use `workflow_run`, which essentially allows us to escalate privileges
 # (but only runs the CI as described in the `master` branch, not in the PR branch).
 
+# The main specification/documentation for this workflow is at
+# https://leanprover-community.github.io/contribute/tags_and_branches.html
+# Keep that in sync!
+
 name: PR release
 
 on:
@@ -37,7 +41,7 @@ jobs:
           name: build-.*
           name_is_regexp: true
 
-      - name: Push branch and tag
+      - name: Push tag
         if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
         run: |
           git init --bare lean4.git
@@ -69,6 +73,20 @@ jobs:
           # The token used here must have `workflow` privileges.
           GITHUB_TOKEN: ${{ secrets.PR_RELEASES_TOKEN }}
 
+      - name: Report release status
+        if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: "${{ steps.workflow-info.outputs.sourceHeadSha }}",
+              state: "success",
+              context: "PR toolchain",
+              description: "${{ github.repository_owner }}/lean4-pr-releases:pr-release-${{ steps.workflow-info.outputs.pullRequestNumber }}",
+            });
+
       - name: Add label
         if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
         uses: actions/github-script@v7
@@ -89,7 +107,7 @@ jobs:
           git -C lean4.git remote add nightly https://github.com/leanprover/lean4-nightly.git
           git -C lean4.git fetch nightly '+refs/tags/nightly-*:refs/tags/nightly-*'
           git -C lean4.git tag --merged "${{ steps.workflow-info.outputs.sourceHeadSha }}" --list "nightly-*" \
-            | sort -rV | head -n 1 | sed "s/^nightly-*/MOST_RECENT_NIGHTLY=/" | tee -a $GITHUB_ENV
+            | sort -rV | head -n 1 | sed "s/^nightly-*/MOST_RECENT_NIGHTLY=/" | tee -a "$GITHUB_ENV"
 
       - name: 'Setup jq'
         if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
@@ -100,22 +118,32 @@ jobs:
         if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
         id: ready
         run: |
-          echo "Most recent nightly in your branch: $MOST_RECENT_NIGHTLY"
+          echo "Most recent nightly release in your branch: $MOST_RECENT_NIGHTLY"
           NIGHTLY_SHA=$(git -C lean4.git rev-parse "nightly-$MOST_RECENT_NIGHTLY^{commit}")
-          echo "SHA of most recent nightly: $NIGHTLY_SHA"
+          echo "SHA of most recent nightly release: $NIGHTLY_SHA"
           MERGE_BASE_SHA=$(git -C lean4.git merge-base origin/master "${{ steps.workflow-info.outputs.sourceHeadSha }}")
           echo "SHA of merge-base: $MERGE_BASE_SHA"
           if [ "$NIGHTLY_SHA" = "$MERGE_BASE_SHA" ]; then
-            echo "Most recent nightly tag agrees with the merge base."
+            echo "The merge base of this PR coincides with the nightly release"
 
-            REMOTE_BRANCHES=$(git ls-remote -h https://github.com/leanprover-community/mathlib4.git nightly-testing-$MOST_RECENT_NIGHTLY)
+            MATHLIB_REMOTE_TAGS="$(git ls-remote https://github.com/leanprover-community/mathlib4.git nightly-testing-"$MOST_RECENT_NIGHTLY")"
 
-            if [[ -n "$REMOTE_BRANCHES" ]]; then
-              echo "... and Mathlib has a 'nightly-testing-$MOST_RECENT_NIGHTLY' branch."
+            if [[ -n "$MATHLIB_REMOTE_TAGS" ]]; then
+              echo "... and Mathlib has a 'nightly-testing-$MOST_RECENT_NIGHTLY' tag."
               MESSAGE=""
             else
-              echo "... but Mathlib does not yet have a 'nightly-testing-$MOST_RECENT_NIGHTLY' branch."
-              MESSAGE="- ❗ Mathlib CI can not be attempted yet, as the 'nightly-testing-$MOST_RECENT_NIGHTLY' branch does not exist there yet. We will retry when you push more commits. It may be necessary to rebase onto 'nightly' tomorrow."
+              echo "... but Mathlib does not yet have a 'nightly-testing-$MOST_RECENT_NIGHTLY' tag."
+              MESSAGE="- ❗ Mathlib CI can not be attempted yet, as the \`nightly-testing-$MOST_RECENT_NIGHTLY\` tag does not exist there yet. We will retry when you push more commits. If you rebase your branch onto \`nightly-with-mathlib\`, Mathlib CI should run now."
+            fi
+
+            STD_REMOTE_TAGS="$(git ls-remote https://github.com/leanprover/std4.git nightly-testing-"$MOST_RECENT_NIGHTLY")"
+
+            if [[ -n "$STD_REMOTE_TAGS" ]]; then
+              echo "... and Std has a 'nightly-testing-$MOST_RECENT_NIGHTLY' tag."
+              MESSAGE=""
+            else
+              echo "... but Std does not yet have a 'nightly-testing-$MOST_RECENT_NIGHTLY' tag."
+              MESSAGE="- ❗ Std CI can not be attempted yet, as the \`nightly-testing-$MOST_RECENT_NIGHTLY\` tag does not exist there yet. We will retry when you push more commits. If you rebase your branch onto \`nightly-with-mathlib\`, Std CI should run now."
             fi
 
           else
@@ -123,20 +151,24 @@ jobs:
             echo "but 'git merge-base origin/master HEAD' reported: $MERGE_BASE_SHA"
             git -C lean4.git log -10 origin/master
 
-            MESSAGE="- ❗ Mathlib CI will not be attempted unless you rebase your PR onto the 'nightly' branch."
+            MESSAGE="- ❗ Std/Mathlib CI will not be attempted unless your PR branches off the \`nightly-with-mathlib\` branch."
           fi
 
           if [[ -n "$MESSAGE" ]]; then
 
             echo "Checking existing messages"
 
+            # The code for updating comments is duplicated in mathlib's
+            # scripts/lean-pr-testing-comments.sh
+            # so keep in sync
+
             # Use GitHub API to check if a comment already exists
-            existing_comment=$(curl -L -s -H "Authorization: token ${{ secrets.MATHLIB4_BOT }}" \
+            existing_comment="$(curl -L -s -H "Authorization: token ${{ secrets.MATHLIB4_BOT }}" \
                                     -H "Accept: application/vnd.github.v3+json" \
                                     "https://api.github.com/repos/leanprover/lean4/issues/${{ steps.workflow-info.outputs.pullRequestNumber }}/comments" \
-                                    | jq '.[] | select(.body | startswith("- ❗ Mathlib") or startswith("- ✅ Mathlib") or startswith("- ❌ Mathlib") or startswith("- 💥 Mathlib") or startswith("- 🟡 Mathlib"))')
-            existing_comment_id=$(echo "$existing_comment" | jq -r .id)
-            existing_comment_body=$(echo "$existing_comment" | jq -r .body)
+                                    | jq 'first(.[] | select(.body | test("^- . Mathlib") or startswith("Mathlib CI status")) | select(.user.login == "leanprover-community-mathlib4-bot"))')"
+            existing_comment_id="$(echo "$existing_comment" | jq -r .id)"
+            existing_comment_body="$(echo "$existing_comment" | jq -r .body)"
 
             if [[ "$existing_comment_body" != *"$MESSAGE"* ]]; then
               MESSAGE="$MESSAGE ($(date "+%Y-%m-%d %H:%M:%S"))"
@@ -146,13 +178,14 @@ jobs:
               # Append new result to the existing comment or post a new comment
               # It's essential we use the MATHLIB4_BOT token here, so that Mathlib CI can subsequently edit the comment.
               if [ -z "$existing_comment_id" ]; then
+                INTRO="Mathlib CI status ([docs](https://leanprover-community.github.io/contribute/tags_and_branches.html)):"
                 # Post new comment with a bullet point
                 echo "Posting as new comment at leanprover/lean4/issues/${{ steps.workflow-info.outputs.pullRequestNumber }}/comments"
                 curl -L -s \
                   -X POST \
                   -H "Authorization: token ${{ secrets.MATHLIB4_BOT }}" \
                   -H "Accept: application/vnd.github.v3+json" \
-                  -d "$(jq --null-input --arg val "$MESSAGE" '{"body": $val}')" \
+                  -d "$(jq --null-input --arg intro "$INTRO" --arg val "$MESSAGE" '{"body":($intro + "\n" + $val)}')" \
                   "https://api.github.com/repos/leanprover/lean4/issues/${{ steps.workflow-info.outputs.pullRequestNumber }}/comments"
               else
                 # Append new result to the existing comment
@@ -167,18 +200,93 @@ jobs:
             else
               echo "The message already exists in the comment body."
             fi
-            echo "mathlib_ready=false" >> $GITHUB_OUTPUT
+            echo "mathlib_ready=false" >> "$GITHUB_OUTPUT"
           else
-            echo "mathlib_ready=true" >> $GITHUB_OUTPUT
+            echo "mathlib_ready=true" >> "$GITHUB_OUTPUT"
           fi
 
+      - name: Report mathlib base
+        if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' && steps.ready.outputs.mathlib_ready == 'true' }}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const description =
+              process.env.MOST_RECENT_NIGHTLY ?
+              "nightly-" + process.env.MOST_RECENT_NIGHTLY :
+              "not branched off nightly";
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: "${{ steps.workflow-info.outputs.sourceHeadSha }}",
+              state: "success",
+              context: "PR branched off:",
+              description: description,
+            });
+
+      # We next automatically create a Std branch using this toolchain.
+      # Std doesn't itself have a mechanism to report results of CI from this branch back to Lean
+      # Instead this is taken care of by Mathlib CI, which will fail if Std fails.
+      - name: Cleanup workspace
+        if: steps.workflow-info.outputs.pullRequestNumber != '' && steps.ready.outputs.mathlib_ready == 'true'
+        run: |
+          sudo rm -rf ./*
+
+      # Checkout the Std repository with all branches
+      - name: Checkout Std repository
+        if: steps.workflow-info.outputs.pullRequestNumber != '' && steps.ready.outputs.mathlib_ready == 'true'
+        uses: actions/checkout@v3
+        with:
+          repository: leanprover/std4
+          token: ${{ secrets.MATHLIB4_BOT }}
+          ref: nightly-testing
+          fetch-depth: 0 # This ensures we check out all tags and branches.
+
+      - name: Check if tag exists
+        if: steps.workflow-info.outputs.pullRequestNumber != '' && steps.ready.outputs.mathlib_ready == 'true'
+        id: check_std_tag
+        run: |
+          git config user.name "leanprover-community-mathlib4-bot"
+          git config user.email "leanprover-community-mathlib4-bot@users.noreply.github.com"
+
+          if git ls-remote --heads --tags --exit-code origin "nightly-testing-${MOST_RECENT_NIGHTLY}" >/dev/null; then
+            BASE="nightly-testing-${MOST_RECENT_NIGHTLY}"
+          else
+            echo "This shouldn't be possible: couldn't find a 'nightly-testing-${MOST_RECENT_NIGHTLY}' tag at Std. Falling back to 'nightly-testing'."
+            BASE=nightly-testing
+          fi
+
+          echo "Using base branch: $BASE"
+
+          EXISTS="$(git ls-remote --heads origin lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }} | wc -l)"
+          echo "Branch exists: $EXISTS"
+          if [ "$EXISTS" = "0" ]; then
+            echo "Branch does not exist, creating it."
+            git switch -c lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }} "$BASE"
+            echo "leanprover/lean4-pr-releases:pr-release-${{ steps.workflow-info.outputs.pullRequestNumber }}" > lean-toolchain
+            git add lean-toolchain
+            git commit -m "Update lean-toolchain for testing https://github.com/leanprover/lean4/pull/${{ steps.workflow-info.outputs.pullRequestNumber }}"
+          else
+            echo "Branch already exists, pushing an empty commit."
+            git switch lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }}
+            # The Std `nightly-testing` or `nightly-testing-YYYY-MM-DD` branch may have moved since this branch was created, so merge their changes.
+            # (This should no longer be possible once `nightly-testing-YYYY-MM-DD` is a tag, but it is still safe to merge.)
+            git merge "$BASE" --strategy-option ours --no-commit --allow-unrelated-histories
+            git commit --allow-empty -m "Trigger CI for https://github.com/leanprover/lean4/pull/${{ steps.workflow-info.outputs.pullRequestNumber }}"
+          fi
+
+      - name: Push changes
+        if: steps.workflow-info.outputs.pullRequestNumber != '' && steps.ready.outputs.mathlib_ready == 'true'
+        run: |
+          git push origin lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }}
+
+
       # We next automatically create a Mathlib branch using this toolchain.
       # Mathlib CI will be responsible for reporting back success or failure
       # to the PR comments asynchronously.
       - name: Cleanup workspace
         if: steps.workflow-info.outputs.pullRequestNumber != '' && steps.ready.outputs.mathlib_ready == 'true'
         run: |
-          sudo rm -rf *
+          sudo rm -rf ./*
 
       # Checkout the mathlib4 repository with all branches
       - name: Checkout mathlib4 repository
@@ -190,37 +298,38 @@ jobs:
           ref: nightly-testing
           fetch-depth: 0 # This ensures we check out all tags and branches.
 
-      - name: Check if branch exists
+      - name: Check if tag exists
         if: steps.workflow-info.outputs.pullRequestNumber != '' && steps.ready.outputs.mathlib_ready == 'true'
-        id: check_branch
+        id: check_mathlib_tag
         run: |
           git config user.name "leanprover-community-mathlib4-bot"
           git config user.email "leanprover-community-mathlib4-bot@users.noreply.github.com"
 
-          if git branch -r | grep -q "nightly-testing-${MOST_RECENT_NIGHTLY}"; then
-            BASE=nightly-testing-${MOST_RECENT_NIGHTLY}
+          if git ls-remote --heads --tags --exit-code origin "nightly-testing-${MOST_RECENT_NIGHTLY}" >/dev/null; then
+            BASE="nightly-testing-${MOST_RECENT_NIGHTLY}"
           else
             echo "This shouldn't be possible: couldn't find a 'nightly-testing-${MOST_RECENT_NIGHTLY}' branch at Mathlib. Falling back to 'nightly-testing'."
             BASE=nightly-testing
           fi
 
-          echo "Using base branch: $BASE"
+          echo "Using base tag: $BASE"
 
-          git checkout $BASE
-
-          EXISTS=$(git ls-remote --heads origin lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }} | wc -l)
+          EXISTS="$(git ls-remote --heads origin lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }} | wc -l)"
           echo "Branch exists: $EXISTS"
           if [ "$EXISTS" = "0" ]; then
             echo "Branch does not exist, creating it."
-            git checkout -b lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }}
+            git switch -c lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }} "$BASE"
             echo "leanprover/lean4-pr-releases:pr-release-${{ steps.workflow-info.outputs.pullRequestNumber }}" > lean-toolchain
             git add lean-toolchain
+            sed -i "s/require std from git \"https:\/\/github.com\/leanprover\/std4\" @ \".\+\"/require std from git \"https:\/\/github.com\/leanprover\/std4\" @ \"nightly-testing-${MOST_RECENT_NIGHTLY}\"/" lakefile.lean
+            git add lakefile.lean
             git commit -m "Update lean-toolchain for testing https://github.com/leanprover/lean4/pull/${{ steps.workflow-info.outputs.pullRequestNumber }}"
           else
             echo "Branch already exists, pushing an empty commit."
-            git checkout lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }}
-            # The Mathlib `nightly-testing` or `nightly-testing-YYYY-MM-DD` branch may have moved since this branch was created, so merge their changes.
-            git merge $BASE --strategy-option ours --no-commit --allow-unrelated-histories
+            git switch lean-pr-testing-${{ steps.workflow-info.outputs.pullRequestNumber }}
+            # The Mathlib `nightly-testing` branch or `nightly-testing-YYYY-MM-DD` tag may have moved since this branch was created, so merge their changes.
+            # (This should no longer be possible once `nightly-testing-YYYY-MM-DD` is a tag, but it is still safe to merge.)
+            git merge "$BASE" --strategy-option ours --no-commit --allow-unrelated-histories
             git commit --allow-empty -m "Trigger CI for https://github.com/leanprover/lean4/pull/${{ steps.workflow-info.outputs.pullRequestNumber }}"
           fi
 

CODEOWNERS

@@ -6,7 +6,6 @@
 
 /.github/ @Kha @semorrison
 /RELEASES.md @semorrison
-/src/ @leodemoura @Kha
 /src/Init/IO.lean @joehendrix
 /src/kernel/ @leodemoura
 /src/lake/ @tydeu
@@ -17,6 +16,7 @@
 /src/Lean/Meta/Tactic/ @leodemoura
 /src/Lean/Parser/ @Kha
 /src/Lean/PrettyPrinter/ @Kha
+/src/Lean/PrettyPrinter/Delaborator/ @kmill
 /src/Lean/Server/ @mhuisi
 /src/Lean/Widget/ @Vtec234
 /src/runtime/io.cpp @joehendrix

README.md

@@ -1,13 +1,8 @@
 This is the repository for **Lean 4**.
 
-We provide [nightly releases](https://github.com/leanprover/lean4-nightly/releases)
-and have just begun regular [stable point releases](https://github.com/leanprover/lean4/releases).
-
 # About
 
-- [Quickstart](https://github.com/leanprover/lean4/blob/master/doc/quickstart.md)
-- [Walkthrough installation video](https://www.youtube.com/watch?v=yZo6k48L0VY)
-- [Quick tour video](https://youtu.be/zyXtbb_eYbY)
+- [Quickstart](https://lean-lang.org/lean4/doc/quickstart.html)
 - [Homepage](https://lean-lang.org)
 - [Theorem Proving Tutorial](https://lean-lang.org/theorem_proving_in_lean4/)
 - [Functional Programming in Lean](https://lean-lang.org/functional_programming_in_lean/)

RELEASES.md

@@ -8,9 +8,300 @@ This file contains work-in-progress notes for the upcoming release, as well as p
 Please check the [releases](https://github.com/leanprover/lean4/releases) page for the current status
 of each version.
 
-v4.6.0 (development in progress)
+v4.7.0 (development in progress)
 ---------
 
+* When the `pp.proofs` is false, now omitted proofs use `⋯` rather than `_`,
+  which gives a more helpful error message when copied from the Infoview.
+  The `pp.proofs.threshold` option lets small proofs always be pretty printed.
+  [#3241](https://github.com/leanprover/lean4/pull/3241).
+
+* `pp.proofs.withType` is now set to false by default to reduce noise in the info view.
+
+* New `simp` (and `dsimp`) configuration option: `zetaDelta`. It is `false` by default.
+  The `zeta` option is still `true` by default, but their meaning has changed.
+  - When `zeta := true`, `simp` and `dsimp` reduce terms of the form
+    `let x := val; e[x]` into `e[val]`.
+  - When `zetaDelta := true`, `simp` and `dsimp` will expand let-variables in
+    the context. For example, suppose the context contains `x := val`. Then,
+    any occurrence of `x` is replaced with `val`.
+
+  See issue [#2682](https://github.com/leanprover/lean4/pull/2682) for additional details. Here are some examples:
+  ```
+  example (h : z = 9) : let x := 5; let y := 4; x + y = z := by
+    intro x
+    simp
+    /-
+    New goal:
+    h : z = 9; x := 5 |- x + 4 = z
+    -/
+    rw [h]
+
+  example (h : z = 9) : let x := 5; let y := 4; x + y = z := by
+    intro x
+    -- Using both `zeta` and `zetaDelta`.
+    simp (config := { zetaDelta := true })
+    /-
+    New goal:
+    h : z = 9; x := 5 |- 9 = z
+    -/
+    rw [h]
+
+  example (h : z = 9) : let x := 5; let y := 4; x + y = z := by
+    intro x
+    simp [x] -- asks `simp` to unfold `x`
+    /-
+    New goal:
+    h : z = 9; x := 5 |- 9 = z
+    -/
+    rw [h]
+
+  example (h : z = 9) : let x := 5; let y := 4; x + y = z := by
+    intro x
+    simp (config := { zetaDelta := true, zeta := false })
+    /-
+    New goal:
+    h : z = 9; x := 5 |- let y := 4; 5 + y = z
+    -/
+    rw [h]
+  ```
+
+Breaking changes:
+* `Lean.withTraceNode` and variants got a stronger `MonadAlwaysExcept` assumption to
+  fix trace trees not being built on elaboration runtime exceptions. Instances for most elaboration
+  monads built on `EIO Exception` should be synthesized automatically.
+
+v4.6.0
+---------
+
+* Add custom simplification procedures (aka `simproc`s) to `simp`. Simprocs can be triggered by the simplifier on a specified term-pattern. Here is an small example:
+```lean
+import Lean.Meta.Tactic.Simp.BuiltinSimprocs.Nat
+
+def foo (x : Nat) : Nat :=
+  x + 10
+
+/--
+The `simproc` `reduceFoo` is invoked on terms that match the pattern `foo _`.
+-/
+simproc reduceFoo (foo _) :=
+  /- A term of type `Expr → SimpM Step -/
+  fun e => do
+    /-
+    The `Step` type has three constructors: `.done`, `.visit`, `.continue`.
+    * The constructor `.done` instructs `simp` that the result does
+      not need to be simplied further.
+    * The constructor `.visit` instructs `simp` to visit the resulting expression.
+    * The constructor `.continue` instructs `simp` to try other simplification procedures.
+
+    All three constructors take a `Result`. The `.continue` contructor may also take `none`.
+    `Result` has two fields `expr` (the new expression), and `proof?` (an optional proof).
+     If the new expression is definitionally equal to the input one, then `proof?` can be omitted or set to `none`.
+    -/
+    /- `simp` uses matching modulo reducibility. So, we ensure the term is a `foo`-application. -/
+    unless e.isAppOfArity ``foo 1 do
+      return .continue
+    /- `Nat.fromExpr?` tries to convert an expression into a `Nat` value -/
+    let some n ← Nat.fromExpr? e.appArg!
+      | return .continue
+    return .done { expr := Lean.mkNatLit (n+10) }
+```
+We disable simprocs support by using the command `set_option simprocs false`. This command is particularly useful when porting files to v4.6.0.
+Simprocs can be scoped, manually added to `simp` commands, and suppressed using `-`. They are also supported by `simp?`. `simp only` does not execute any `simproc`. Here are some examples for the `simproc` defined above.
+```lean
+example : x + foo 2 = 12 + x := by
+  set_option simprocs false in
+    /- This `simp` command does not make progress since `simproc`s are disabled. -/
+    fail_if_success simp
+  simp_arith
+
+example : x + foo 2 = 12 + x := by
+  /- `simp only` must not use the default simproc set. -/
+  fail_if_success simp only
+  simp_arith
+
+example : x + foo 2 = 12 + x := by
+  /-
+  `simp only` does not use the default simproc set,
+  but we can provide simprocs as arguments. -/
+  simp only [reduceFoo]
+  simp_arith
+
+example : x + foo 2 = 12 + x := by
+  /- We can use `-` to disable `simproc`s. -/
+  fail_if_success simp [-reduceFoo]
+  simp_arith
+```
+The command `register_simp_attr <id>` now creates a `simp` **and** a `simproc` set with the name `<id>`. The following command instructs Lean to insert the `reduceFoo` simplification procedure into the set `my_simp`. If no set is specified, Lean uses the default `simp` set.
+```lean
+simproc [my_simp] reduceFoo (foo _) := ...
+```
+
+* The syntax of the `termination_by` and `decreasing_by` termination hints is overhauled:
+
+  * They are now placed directly after the function they apply to, instead of
+    after the whole `mutual` block.
+  * Therefore, the function name no longer has to be mentioned in the hint.
+  * If the function has a `where` clause, the `termination_by` and
+    `decreasing_by` for that function come before the `where`. The
+    functions in the `where` clause can have their own termination hints, each
+    following the corresponding definition.
+  * The `termination_by` clause can only bind “extra parameters”, that are not
+    already bound by the function header, but are bound in a lambda (`:= fun x
+    y z =>`) or in patterns (`| x, n + 1 => …`). These extra parameters used to
+    be understood as a suffix of the function parameters; now it is a prefix.
+
+  Migration guide: In simple cases just remove the function name, and any
+  variables already bound at the header.
+  ```diff
+   def foo : Nat → Nat → Nat := …
+  -termination_by foo a b => a - b
+  +termination_by a b => a - b
+  ```
+  or
+  ```diff
+   def foo : Nat → Nat → Nat := …
+  -termination_by _ a b => a - b
+  +termination_by a b => a - b
+  ```
+
+  If the parameters are bound in the function header (before the `:`), remove them as well:
+  ```diff
+   def foo (a b : Nat) : Nat := …
+  -termination_by foo a b => a - b
+  +termination_by a - b
+  ```
+
+  Else, if there are multiple extra parameters, make sure to refer to the right
+  ones; the bound variables are interpreted from left to right, no longer from
+  right to left:
+  ```diff
+   def foo : Nat → Nat → Nat → Nat
+     | a, b, c => …
+  -termination_by foo b c => b
+  +termination_by a b => b
+  ```
+
+  In the case of a `mutual` block, place the termination arguments (without the
+  function name) next to the function definition:
+  ```diff
+  -mutual
+  -def foo : Nat → Nat → Nat := …
+  -def bar : Nat → Nat := …
+  -end
+  -termination_by
+  -  foo a b => a - b
+  -  bar a => a
+  +mutual
+  +def foo : Nat → Nat → Nat := …
+  +termination_by a b => a - b
+  +def bar : Nat → Nat := …
+  +termination_by a => a
+  +end
+  ```
+
+  Similarly, if you have (mutual) recursion through `where` or `let rec`, the
+  termination hints are now placed directly after the function they apply to:
+  ```diff
+  -def foo (a b : Nat) : Nat := …
+  -  where bar (x : Nat) : Nat := …
+  -termination_by
+  -  foo a b => a - b
+  -  bar x => x
+  +def foo (a b : Nat) : Nat := …
+  +termination_by a - b
+  +  where
+  +    bar (x : Nat) : Nat := …
+  +    termination_by x
+
+  -def foo (a b : Nat) : Nat :=
+  -  let rec bar (x : Nat) :  Nat := …
+  -  …
+  -termination_by
+  -  foo a b => a - b
+  -  bar x => x
+  +def foo (a b : Nat) : Nat :=
+  +  let rec bar (x : Nat) : Nat := …
+  +    termination_by x
+  +  …
+  +termination_by a - b
+  ```
+
+  In cases where a single `decreasing_by` clause applied to multiple mutually
+  recursive functions before, the tactic now has to be duplicated.
+
+* The semantics of `decreasing_by` changed; the tactic is applied to all
+  termination proof goals together, not individually.
+
+  This helps when writing termination proofs interactively, as one can focus
+  each subgoal individually, for example using `·`. Previously, the given
+  tactic script had to work for _all_ goals, and one had to resort to tactic
+  combinators like `first`:
+
+  ```diff
+   def foo (n : Nat) := … foo e1 … foo e2 …
+  -decreasing_by
+  -simp_wf
+  -first | apply something_about_e1; …
+  -      | apply something_about_e2; …
+  +decreasing_by
+  +all_goals simp_wf
+  +· apply something_about_e1; …
+  +· apply something_about_e2; …
+  ```
+
+  To obtain the old behaviour of applying a tactic to each goal individually,
+  use `all_goals`:
+  ```diff
+   def foo (n : Nat) := …
+  -decreasing_by some_tactic
+  +decreasing_by all_goals some_tactic
+  ```
+
+  In the case of mutual recursion each `decreasing_by` now applies to just its
+  function. If some functions in a recursive group do not have their own
+  `decreasing_by`, the default `decreasing_tactic` is used. If the same tactic
+  ought to be applied to multiple functions, the `decreasing_by` clause has to
+  be repeated at each of these functions.
+
+* Modify `InfoTree.context` to facilitate augmenting it with partial contexts while elaborating a command. This breaks backwards compatibility with all downstream projects that traverse the `InfoTree` manually instead of going through the functions in `InfoUtils.lean`, as well as those manually creating and saving `InfoTree`s. See [PR #3159](https://github.com/leanprover/lean4/pull/3159) for how to migrate your code.
+
+* Add language server support for [call hierarchy requests](https://www.youtube.com/watch?v=r5LA7ivUb2c) ([PR #3082](https://github.com/leanprover/lean4/pull/3082)). The change to the .ilean format in this PR means that projects must be fully rebuilt once in order to generate .ilean files with the new format before features like "find references" work correctly again.
+
+* Structure instances with multiple sources (for example `{a, b, c with x := 0}`) now have their fields filled from these sources
+  in strict left-to-right order. Furthermore, the structure instance elaborator now aggressively use sources to fill in subobject
+  fields, which prevents unnecessary eta expansion of the sources,
+  and hence greatly reduces the reliance on costly structure eta reduction. This has a large impact on mathlib,
+  reducing total CPU instructions by 3% and enabling impactful refactors like leanprover-community/mathlib4#8386
+  which reduces the build time by almost 20%.
+  See PR [#2478](https://github.com/leanprover/lean4/pull/2478) and RFC [#2451](https://github.com/leanprover/lean4/issues/2451).
+
+* Add pretty printer settings to omit deeply nested terms (`pp.deepTerms false` and `pp.deepTerms.threshold`) ([PR #3201](https://github.com/leanprover/lean4/pull/3201))
+
+* Add pretty printer options `pp.numeralTypes` and `pp.natLit`.
+  When `pp.numeralTypes` is true, then natural number literals, integer literals, and rational number literals
+  are pretty printed with type ascriptions, such as `(2 : Rat)`, `(-2 : Rat)`, and `(-2 / 3 : Rat)`.
+  When `pp.natLit` is true, then raw natural number literals are pretty printed as `nat_lit 2`.
+  [PR #2933](https://github.com/leanprover/lean4/pull/2933) and [RFC #3021](https://github.com/leanprover/lean4/issues/3021).
+
+Lake updates:
+* improved platform information & control [#3226](https://github.com/leanprover/lean4/pull/3226)
+* `lake update` from unsupported manifest versions [#3149](https://github.com/leanprover/lean4/pull/3149)
+
+Other improvements:
+* make `intro` be aware of `let_fun` [#3115](https://github.com/leanprover/lean4/pull/3115)
+* produce simpler proof terms in `rw` [#3121](https://github.com/leanprover/lean4/pull/3121)
+* fuse nested `mkCongrArg` calls in proofs generated by `simp` [#3203](https://github.com/leanprover/lean4/pull/3203)
+* `induction using` followed by a general term [#3188](https://github.com/leanprover/lean4/pull/3188)
+* allow generalization in `let` [#3060](https://github.com/leanprover/lean4/pull/3060, fixing [#3065](https://github.com/leanprover/lean4/issues/3065)
+* reducing out-of-bounds `swap!` should return `a`, not `default`` [#3197](https://github.com/leanprover/lean4/pull/3197), fixing [#3196](https://github.com/leanprover/lean4/issues/3196)
+* derive `BEq` on structure with `Prop`-fields [#3191](https://github.com/leanprover/lean4/pull/3191), fixing [#3140](https://github.com/leanprover/lean4/issues/3140)
+* refine through more `casesOnApp`/`matcherApp` [#3176](https://github.com/leanprover/lean4/pull/3176), fixing [#3175](https://github.com/leanprover/lean4/pull/3175)
+* do not strip dotted components from lean module names [#2994](https://github.com/leanprover/lean4/pull/2994), fixing [#2999](https://github.com/leanprover/lean4/issues/2999)
+* fix `deriving` only deriving the first declaration for some handlers [#3058](https://github.com/leanprover/lean4/pull/3058), fixing [#3057](https://github.com/leanprover/lean4/issues/3057)
+* do not instantiate metavariables in kabstract/rw for disallowed occurrences [#2539](https://github.com/leanprover/lean4/pull/2539), fixing [#2538](https://github.com/leanprover/lean4/issues/2538)
+* hover info for `cases h : ...` [#3084](https://github.com/leanprover/lean4/pull/3084)
+
 v4.5.0
 ---------
 
@@ -33,7 +324,7 @@ v4.5.0
   Migration guide: Use `termination_by` instead, e.g.:
   ```diff
   -termination_by' measure (fun ⟨i, _⟩ => as.size - i)
-  +termination_by go i _ => as.size - i
+  +termination_by i _ => as.size - i
   ```
 
   If the well-founded relation you want to use is not the one that the
@@ -41,7 +332,7 @@ v4.5.0
   you can use `WellFounded.wrap` from the std libarary to explicitly give one:
   ```diff
   -termination_by' ⟨r, hwf⟩
-  +termination_by _ x => hwf.wrap x
+  +termination_by x => hwf.wrap x
   ```
 
 * Support snippet edits in LSP `TextEdit`s. See `Lean.Lsp.SnippetString` for more details.
@@ -50,7 +341,7 @@ v4.5.0
   - `Widget.UserWidgetDefinition` is deprecated in favour of `Widget.Module`. The annotation `@[widget]` is deprecated in favour of `@[widget_module]`. To migrate a definition of type `UserWidgetDefinition`, remove the `name` field and replace the type with `Widget.Module`. Removing the `name` results in a title bar no longer being drawn above your panel widget. To add it back, draw it as part of the component using `<details open=true><summary class='mv2 pointer'>{name}</summary>{rest_of_widget}</details>`. See an example migration [here](https://github.com/leanprover/std4/pull/475/files#diff-857376079661a0c28a53b7ff84701afabbdf529836a6944d106c5294f0e68109R43-R83).
   - The new command `show_panel_widgets` allows displaying always-on and locally-on panel widgets.
   - `RpcEncodable` widget props can now be stored in the infotree.
-  - See [RFC 2963](https://github.com/leanprover/lean4/issues/2963) for more details and motivation. 
+  - See [RFC 2963](https://github.com/leanprover/lean4/issues/2963) for more details and motivation.
 
 * If no usable lexicographic order can be found automatically for a termination proof, explain why.
   See [feat: GuessLex: if no measure is found, explain why](https://github.com/leanprover/lean4/pull/2960).
@@ -71,7 +362,7 @@ v4.5.0
 * Tactics with `withLocation *` [no longer fail](https://github.com/leanprover/lean4/pull/2917) if they close the main goal.
 
 * Implementation of a `test_extern` command for writing tests for `@[extern]` and `@[implemented_by]` functions.
-  Usage is 
+  Usage is
   ```
   import Lean.Util.TestExtern
 
@@ -79,8 +370,8 @@ v4.5.0
   ```
   The head symbol must be the constant with the `@[extern]` or `@[implemented_by]` attribute. The return type must have a `DecidableEq` instance.
 
-Bug fixes for 
-[#2853](https://github.com/leanprover/lean4/issues/2853), [#2953](https://github.com/leanprover/lean4/issues/2953), [#2966](https://github.com/leanprover/lean4/issues/2966), 
+Bug fixes for
+[#2853](https://github.com/leanprover/lean4/issues/2853), [#2953](https://github.com/leanprover/lean4/issues/2953), [#2966](https://github.com/leanprover/lean4/issues/2966),
 [#2971](https://github.com/leanprover/lean4/issues/2971), [#2990](https://github.com/leanprover/lean4/issues/2990), [#3094](https://github.com/leanprover/lean4/issues/3094).
 
 Bug fix for [eager evaluation of default value](https://github.com/leanprover/lean4/pull/3043) in `Option.getD`.
@@ -93,19 +384,19 @@ v4.4.0
 ---------
 
 * Lake and the language server now support per-package server options using the `moreServerOptions` config field, as well as options that apply to both the language server and `lean` using the `leanOptions` config field. Setting either of these fields instead of `moreServerArgs` ensures that viewing files from a dependency uses the options for that dependency. Additionally, `moreServerArgs` is being deprecated in favor of the `moreGlobalServerArgs` field. See PR [#2858](https://github.com/leanprover/lean4/pull/2858).
-  
+
   A Lakefile with the following deprecated package declaration:
   ```lean
   def moreServerArgs := #[
     "-Dpp.unicode.fun=true"
   ]
   def moreLeanArgs := moreServerArgs
-  
+
   package SomePackage where
     moreServerArgs := moreServerArgs
     moreLeanArgs := moreLeanArgs
   ```
-  
+
   ... can be updated to the following package declaration to use per-package options:
   ```lean
   package SomePackage where

doc/declarations.md

@@ -483,7 +483,43 @@ def baz : Char → Nat
 | _   => 3
 ```
 
-If any of the terms ``tᵢ`` in the template above contain a recursive call to ``foo``, the equation compiler tries to interpret the definition as a structural recursion. In order for that to succeed, the recursive arguments must be subterms of the corresponding arguments on the left-hand side. The function is then defined using a *course of values* recursion, using automatically generated functions ``below`` and ``brec`` in the namespace corresponding to the inductive type of the recursive argument. In this case the defining equations hold definitionally, possibly with additional case splits.
+The case where patterns are matched against an argument whose type is an inductive family is known as *dependent pattern matching*. This is more complicated, because the type of the function being defined can impose constraints on the patterns that are matched. In this case, the equation compiler will detect inconsistent cases and rule them out.
+
+```lean
+universe u
+
+inductive Vector (α : Type u) : Nat → Type u
+  | nil  : Vector α 0
+  | cons : α → Vector α n → Vector α (n+1)
+
+namespace Vector
+
+def head : Vector α (n+1) → α
+  | cons h t => h
+
+def tail : Vector α (n+1) → Vector α n
+  | cons h t => t
+
+def map (f : α → β → γ) : Vector α n → Vector β n → Vector γ n
+  | nil, nil => nil
+  | cons a va, cons b vb => cons (f a b) (map f va vb)
+
+end Vector
+```
+
+.. _recursive_functions:
+
+Recursive functions
+===================
+
+Lean must ensure that a recursive function terminates, for which there are two strategies: _structural recursion_, in which all recursive calls are made on smaller parts of the input data, and _well-founded recursion_, in which recursive calls are justified by showing that arguments to recursive calls are smaller according to some other measure.
+
+Structural recursion
+--------------------
+
+If the definition of a function contains recursive calls, Lean first tries to interpret the definition as a structural recursion. In order for that to succeed, the recursive arguments must be subterms of the corresponding arguments on the left-hand side.
+
+The function is then defined using a *course of values* recursion, using automatically generated functions ``below`` and ``brec`` in the namespace corresponding to the inductive type of the recursive argument. In this case the defining equations hold definitionally, possibly with additional case splits.
 
 ```lean
 namespace Hide
@@ -504,7 +540,12 @@ example : append [(1 : Nat), 2, 3] [4, 5] = [1, 2, 3, 4, 5] => rfl
 end Hide
 ```
 
-If structural recursion fails, the equation compiler falls back on well-founded recursion. It tries to infer an instance of ``SizeOf`` for the type of each argument, and then show that each recursive call is decreasing under the lexicographic order of the arguments with respect to ``sizeOf`` measure. If it fails, the error message provides information as to the goal that Lean tried to prove. Lean uses information in the local context, so you can often provide the relevant proof manually using ``have`` in the body of the definition. In this case of well-founded recursion, the defining equations hold only propositionally, and can be accessed using ``simp`` and ``rewrite`` with the name ``foo``.
+Well-founded recursion
+---------------------
+
+If structural recursion fails, the equation compiler falls back on well-founded recursion. It tries to infer an instance of ``SizeOf`` for the type of each argument, and then tries to find a permutation of the arguments such that each recursive call is decreasing under the lexicographic order with respect to ``sizeOf`` measures.  Lean uses information in the local context, so you can often provide the relevant proof manually using ``have`` in the body of the definition.
+
+In the case of well-founded recursion, the equation used to declare the function holds only propositionally, but not definitionally, and can be accessed using ``unfold``, ``simp`` and ``rewrite`` with the function name (for example ``unfold foo`` or ``simp [foo]``, where ``foo`` is the function defined with well-founded recursion).
 
 ```lean
 namespace Hide
@@ -528,9 +569,53 @@ by rw [div]; rfl
 end Hide
 ```
 
+If Lean cannot find a permutation of the arguments for which all recursive calls are decreasing, it will print a table that contains, for every recursive call, which arguments Lean could prove to be decreasing. For example, a function with three recursive calls and four parameters might cause the following message to be printed
+
+```
+example.lean:37:0-43:31: error: Could not find a decreasing measure.
+The arguments relate at each recursive call as follows:
+(<, ≤, =: relation proved, ? all proofs failed, _: no proof attempted)
+           x1 x2 x3 x4
+1) 39:6-27  =  =  _  =
+2) 40:6-25  =  ?  _  <
+3) 41:6-25  <  _  _  _
+Please use `termination_by` to specify a decreasing measure.
+```
+
+This table should be read as follows:
+
+ * In the first recursive call, in line 39, arguments 1, 2 and 4 are equal to the function's parameters.
+ * The second recursive call, in line 40, has an equal first argument, a smaller fourth argument, and nothing could be inferred for the second argument.
+ * The third recursive call, in line 41, has a decreasing first argument.
+ * No other proofs were attempted, either because the parameter has a type without a non-trivial ``WellFounded`` instance (parameter 3), or because it is already clear that no decreasing measure can be found.
+
+
+Lean will print the termination argument it found if ``set_option showInferredTerminationBy true`` is set.
+
+If Lean does not find the termination argument, or if you want to be explicit, you can append a `termination_by` clause to the function definition, after the function's body, but before the `where` clause if present. It is of the form
+```
+termination_by e
+```
+where ``e`` is an expression that depends on the parameters of the function and should be decreasing at each recursive call. The type of `e` should be an instance of the class ``WellFoundedRelation``, which determines how to compare two values of that type.
+
+If ``f`` has parameters “after the ``:``” (for example when defining functions via patterns using `|`), then these can be brought into scope using the syntax
+```
+termination_by a₁ … aₙ => e
+```
+
+By default, Lean uses the tactic ``decreasing_tactic`` when proving that an argument is decreasing; see its documentation for how to globally extend it. You can also choose to use a different tactic for a given function definition with the clause
+```
+decreasing_by <tac>
+```
+which should come after ``termination_by`, if present.
+
+
 Note that recursive definitions can in general require nested recursions, that is, recursion on different arguments of ``foo`` in the template above. The equation compiler handles this by abstracting later arguments, and recursively defining higher-order functions to meet the specification.
 
-The equation compiler also allows mutual recursive definitions, with a syntax similar to that of [Mutual and Nested Inductive Definitions](#mutual-and-nested-inductive-definitions). They are compiled using well-founded recursion, and so once again the defining equations hold only propositionally.
+Mutual recursion
+----------------
+
+The equation compiler also allows mutual recursive definitions, with a syntax similar to that of [Mutual and Nested Inductive Definitions](#mutual-and-nested-inductive-definitions). Mutual definitions are always compiled using well-founded recursion, and so once again the defining equations hold only propositionally.
 
 ```lean
 mutual
@@ -587,29 +672,31 @@ def num_consts_lst : List Term → Nat
 end
 ```
 
-The case where patterns are matched against an argument whose type is an inductive family is known as *dependent pattern matching*. This is more complicated, because the type of the function being defined can impose constraints on the patterns that are matched. In this case, the equation compiler will detect inconsistent cases and rule them out.
+In a set of mutually recursive function, either all or no functions must have an explicit termination argument (``termination_by``). A change of the default termination tactic (``decreasing_by``) only affects the proofs about the recursive calls of that function, not the other functions in the group.
 
-```lean
-universe u
+```
+mutual
+theorem even_of_odd_succ : ∀ n, Odd (n + 1) → Even n
+| _, odd_succ n h => h
+termination_by n h => h
+decreasing_by decreasing_tactic
 
-inductive Vector (α : Type u) : Nat → Type u
-| nil  : Vector α 0
-| cons : α → Vector α n → Vector α (n+1)
+theorem odd_of_even_succ : ∀ n, Even (n + 1) → Odd n
+| _, even_succ n h => h
+termination_by n h => h
+end
+```
 
-namespace Vector
+Another way to express mutual recursion is using local function definitions in ``where`` or ``let rec`` clauses: these can be mutually recursive with each other and their containing function:
 
-def head {α : Type} : Vector α (n+1) → α
-| cons h t => h
-
-def tail {α : Type} : Vector α (n+1) → Vector α n
-| cons h t => t
-
-def map {α β γ : Type} (f : α → β → γ) :
-  ∀ {n}, Vector α n → Vector β n → Vector γ n
-| 0,   nil,       nil       => nil
-| n+1, cons a va, cons b vb => cons (f a b) (map f va vb)
-
-end Vector
+```
+theorem even_of_odd_succ : ∀ n, Odd (n + 1) → Even n
+  | _, odd_succ n h => h
+termination_by n h => h
+  where
+    theorem odd_of_even_succ : ∀ n, Even (n + 1) → Odd n
+      | _, even_succ n h => h
+    termination_by n h => h
 ```
 
 .. _match_expressions:

doc/dev/ffi.md

@@ -121,4 +121,4 @@ Thus to e.g. run `#eval` on such a declaration, you need to
 Note that it is not sufficient to load the foreign library containing the external symbol because the interpreter depends on code that is emitted for each `@[extern]` declaration.
 Thus it is not possible to interpret an `@[extern]` declaration in the same file.
 
-See `tests/compiler/foreign` for an example.
+See [`tests/compiler/foreign`](https://github.com/leanprover/lean4/tree/master/tests/compiler/foreign/) for an example.

doc/dev/testing.md

@@ -41,17 +41,17 @@ information is displayed. This option will show all test output.
 
 All these tests are included by [src/shell/CMakeLists.txt](https://github.com/leanprover/lean4/blob/master/src/shell/CMakeLists.txt):
 
-- `tests/lean`: contains tests that come equipped with a
-  .lean.expected.out file. The driver script `test_single.sh` runs
+- [`tests/lean`](https://github.com/leanprover/lean4/tree/master/tests/lean/): contains tests that come equipped with a
+  .lean.expected.out file. The driver script [`test_single.sh`](https://github.com/leanprover/lean4/tree/master/tests/lean/test_single.sh) runs
   each test and checks the actual output (*.produced.out) with the
   checked in expected output.
 
-- `tests/lean/run`: contains tests that are run through the lean
+- [`tests/lean/run`](https://github.com/leanprover/lean4/tree/master/tests/lean/run/): contains tests that are run through the lean
   command line one file at a time. These tests only look for error
   codes and do not check the expected output even though output is
   produced, it is ignored.
 
-- `tests/lean/interactive`: are designed to test server requests at a
+- [`tests/lean/interactive`](https://github.com/leanprover/lean4/tree/master/tests/lean/interactive/): are designed to test server requests at a
   given position in the input file. Each .lean file contains comments
   that indicate how to simulate a client request at that position.
   using a `--^` point to the line position. Example:
@@ -61,7 +61,7 @@ All these tests are included by [src/shell/CMakeLists.txt](https://github.com/le
     Bla.
       --^ textDocument/completion
     ```
-    In this example, the test driver `test_single.sh` will simulate an
+    In this example, the test driver [`test_single.sh`](https://github.com/leanprover/lean4/tree/master/tests/lean/interactive/test_single.sh) will simulate an
     auto-completion request at `Bla.`. The expected output is stored in
     a .lean.expected.out in the json format that is part of the
     [Language Server
@@ -78,21 +78,21 @@ All these tests are included by [src/shell/CMakeLists.txt](https://github.com/le
     --^ collectDiagnostics
     ```
 
-- `tests/lean/server`: Tests more of the Lean `--server` protocol.
+- [`tests/lean/server`](https://github.com/leanprover/lean4/tree/master/tests/lean/server/): Tests more of the Lean `--server` protocol.
   There are just a few of them, and it uses .log files containing
   JSON.
 
-- `tests/compiler`: contains tests that will run the Lean compiler and
+- [`tests/compiler`](https://github.com/leanprover/lean4/tree/master/tests/compiler/): contains tests that will run the Lean compiler and
   build an executable that is executed and the output is compared to
   the .lean.expected.out file. This test also contains a subfolder
-  `foreign` which shows how to extend Lean using C++.
+  [`foreign`](https://github.com/leanprover/lean4/tree/master/tests/compiler/foreign/) which shows how to extend Lean using C++.
 
-- `tests/lean/trust0`: tests that run Lean in a mode that Lean doesn't
+- [`tests/lean/trust0`](https://github.com/leanprover/lean4/tree/master/tests/lean/trust0): tests that run Lean in a mode that Lean doesn't
   even trust the .olean files (i.e., trust 0).
 
-- `tests/bench`: contains performance tests.
+- [`tests/bench`](https://github.com/leanprover/lean4/tree/master/tests/bench/): contains performance tests.
 
-- `tests/plugin`: tests that compiled Lean code can be loaded into
+- [`tests/plugin`](https://github.com/leanprover/lean4/tree/master/tests/plugin/): tests that compiled Lean code can be loaded into
   `lean` via the `--plugin` command line option.
 
 ## Writing Good Tests
@@ -103,7 +103,7 @@ Every test file should contain:
   and, if not 100% clear, why that is the desirable behavior
 
 At the time of writing, most tests do not follow these new guidelines yet.
-For an example of a conforming test, see `tests/lean/1971.lean`.
+For an example of a conforming test, see [`tests/lean/1971.lean`](https://github.com/leanprover/lean4/tree/master/tests/lean/1971.lean).
 
 ## Fixing Tests
 
@@ -119,7 +119,7 @@ First, we must install [meld](http://meldmerge.org/). On Ubuntu, we can do it by
 sudo apt-get install meld
 ```
 
-Now, suppose `bad_class.lean` test is broken. We can see the problem by going to `tests/lean` directory and
+Now, suppose `bad_class.lean` test is broken. We can see the problem by going to [`tests/lean`](https://github.com/leanprover/lean4/tree/master/tests/lean) directory and
 executing
 
 ```

doc/examples/bintree.lean

@@ -282,7 +282,7 @@ theorem BinTree.find_insert_of_ne (b : BinTree β) (h : k ≠ k') (v : β)
   let ⟨t, h⟩ := b; simp
   induction t with simp
   | leaf =>
-    split <;> (try simp) <;> split <;> (try simp)
+    intros
     have_eq k k'
     contradiction
   | node left key value right ihl ihr =>

doc/examples/palindromes.lean

@@ -82,7 +82,7 @@ theorem List.palindrome_ind (motive : List α → Prop)
     have ih := palindrome_ind motive h₁ h₂ h₃ (a₂::as').dropLast
     have : [a₁] ++ (a₂::as').dropLast ++ [(a₂::as').last (by simp)] = a₁::a₂::as' := by simp
     this ▸ h₃ _ _ _ ih
-termination_by _ as => as.length
+termination_by as.length
 
 /-!
 We use our new induction principle to prove that if `as.reverse = as`, then `Palindrome as` holds.

doc/flake.lock

@@ -69,15 +69,16 @@
     "leanInk": {
       "flake": false,
       "locked": {
-        "lastModified": 1666154782,
-        "narHash": "sha256-0ELqEca6jZT4BW/mqkDD+uYuxW5QlZUFlNwZkvugsg8=",
-        "owner": "digama0",
+        "lastModified": 1704976501,
+        "narHash": "sha256-FSBUsbX0HxakSnYRYzRBDN2YKmH9EkA0q9p7TSPEJTI=",
+        "owner": "leanprover",
         "repo": "LeanInk",
-        "rev": "12a2aec9b5f4aa84e84fb01a9af1da00d8aaff4e",
+        "rev": "51821e3c2c032c88e4b2956483899d373ec090c4",
         "type": "github"
       },
       "original": {
         "owner": "leanprover",
+        "ref": "refs/pull/57/merge",
         "repo": "LeanInk",
         "type": "github"
       }

doc/flake.nix

@@ -12,7 +12,7 @@
     flake = false;
   };
   inputs.leanInk = {
-    url = "github:leanprover/LeanInk";
+    url = "github:leanprover/LeanInk/refs/pull/57/merge";
     flake = false;
   };
 

doc/functions.md

@@ -32,8 +32,8 @@ def fact x :=
 
 #eval fact 100
 ```
-By default, Lean only accepts total functions. The `partial` keyword should be used when Lean cannot
-establish that a function always terminates.
+By default, Lean only accepts total functions.
+The `partial` keyword may be used to define a recursive function without a termination proof; `partial` functions compute in compiled programs, but are opaque in proofs and during type checking.
 ```lean
 partial def g (x : Nat) (p : Nat -> Bool) : Nat :=
   if p x then

doc/make/index.md

@@ -10,7 +10,6 @@ Platform-Specific Setup
 
 - [Linux (Ubuntu)](ubuntu.md)
 - [Windows (msys2)](msys2.md)
-- [Windows (Visual Studio)](msvc.md)
 - [Windows (WSL)](wsl.md)
 - [macOS (homebrew)](osx-10.9.md)
 - Linux/macOS/WSL via [Nix](https://nixos.org/nix/): Call `nix-shell` in the project root. That's it.

doc/metaprogramming-arith.md

@@ -60,7 +60,7 @@ While parsing `a * (b + c)`, `(b + c)` is assigned a precedence `60` by the addi
 the right argument to have precedence **at least** 71. Thus, this parse is invalid. In contrast, `(a * b) + c` assigns
 a precedence of `70` to `(a * b)`. This is compatible with addition which expects the left argument to have precedence
 **at least `60` ** (`70` is greater than `60`). Thus, the string `a * b + c` is parsed as `(a * b) + c`.
-For more details, please look at the [Lean manual on syntax extensions](../syntax.md#notations-and-precedence).
+For more details, please look at the [Lean manual on syntax extensions](./notation.md#notations-and-precedence).
 
 To go from strings into `Arith`, we define a macro to
 translate the syntax category `arith` into an `Arith` inductive value that

doc/setup.md

@@ -2,7 +2,7 @@
 
 ### Tier 1
 
-Platforms built & tested by our CI, available as nightly releases via elan (see below)
+Platforms built & tested by our CI, available as binary releases via elan (see below)
 
 * x86-64 Linux with glibc 2.27+
 * x86-64 macOS 10.15+
@@ -10,7 +10,7 @@ Platforms built & tested by our CI, available as nightly releases via elan (see
 
 ### Tier 2
 
-Platforms cross-compiled but not tested by our CI, available as nightly releases
+Platforms cross-compiled but not tested by our CI, available as binary releases
 
 Releases may be silently broken due to the lack of automated testing.
 Issue reports and fixes are welcome.

doc/tour.md

@@ -15,7 +15,7 @@ The most fundamental pieces of any Lean program are functions organized into nam
 [Functions](./functions.md) perform work on inputs to produce outputs,
 and they are organized under [namespaces](./namespaces.md),
 which are the primary way you group things in Lean.
-They are defined using the [`def`](./definitions.md) command,
+They are defined using the `def` command,
 which give the function a name and define its arguments.
 
 ```lean

doc/whatIsLean.md

@@ -37,6 +37,6 @@ Lean has numerous features, including:
 - [Extensible syntax](./syntax.md)
 - Hygienic macros
 - [Dependent types](https://lean-lang.org/theorem_proving_in_lean4/dependent_type_theory.html)
-- [Metaprogramming](./metaprogramming.md)
+- [Metaprogramming](./macro_overview.md)
 - Multithreading
 - Verification: you can prove properties of your functions using Lean itself

src/CMakeLists.txt

@@ -9,7 +9,7 @@ endif()
 include(ExternalProject)
 project(LEAN CXX C)
 set(LEAN_VERSION_MAJOR 4)
-set(LEAN_VERSION_MINOR 6)
+set(LEAN_VERSION_MINOR 7)
 set(LEAN_VERSION_PATCH 0)
 set(LEAN_VERSION_IS_RELEASE 0)  # This number is 1 in the release revision, and 0 otherwise.
 set(LEAN_SPECIAL_VERSION_DESC "" CACHE STRING "Additional version description like 'nightly-2018-03-11'")
@@ -18,6 +18,14 @@ if (LEAN_SPECIAL_VERSION_DESC)
   string(APPEND LEAN_VERSION_STRING "-${LEAN_SPECIAL_VERSION_DESC}")
 endif()
 
+set(LEAN_PLATFORM_TARGET "" CACHE STRING "LLVM triple of the target platform")
+if (NOT LEAN_PLATFORM_TARGET)
+  # this may fail when the compiler is not clang, but this should only happen in local builds where
+  # the value of the variable is not of immediate relevance
+  execute_process(COMMAND ${CMAKE_C_COMPILER} --print-target-triple
+    OUTPUT_VARIABLE LEAN_PLATFORM_TARGET OUTPUT_STRIP_TRAILING_WHITESPACE)
+endif()
+
 set(LEAN_EXTRA_LINKER_FLAGS "" CACHE STRING "Additional flags used by the linker")
 set(LEAN_EXTRA_CXX_FLAGS "" CACHE STRING "Additional flags used by the C++ compiler")
 set(LEAN_TEST_VARS "LEAN_CC=${CMAKE_C_COMPILER}" CACHE STRING "Additional environment variables used when running tests")

src/Init.lean

@@ -7,6 +7,9 @@ prelude
 import Init.Prelude
 import Init.Notation
 import Init.Tactics
+import Init.TacticsExtra
+import Init.ByCases
+import Init.RCases
 import Init.Core
 import Init.Control
 import Init.Data.Basic
@@ -21,6 +24,12 @@ import Init.MetaTypes
 import Init.Meta
 import Init.NotationExtra
 import Init.SimpLemmas
+import Init.PropLemmas
 import Init.Hints
 import Init.Conv
+import Init.Guard
+import Init.Simproc
 import Init.SizeOfLemmas
+import Init.BinderPredicates
+import Init.Ext
+import Init.Omega

src/Init/BinderPredicates.lean

@@ -0,0 +1,82 @@
+/-
+Copyright (c) 2021 Microsoft Corporation. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Gabriel Ebner
+-/
+prelude
+import Init.NotationExtra
+
+namespace Lean
+
+/--
+The syntax category of binder predicates contains predicates like `> 0`, `∈ s`, etc.
+(`: t` should not be a binder predicate because it would clash with the built-in syntax for ∀/∃.)
+-/
+declare_syntax_cat binderPred
+
+/--
+`satisfies_binder_pred% t pred` expands to a proposition expressing that `t` satisfies `pred`.
+-/
+syntax "satisfies_binder_pred% " term:max binderPred : term
+
+-- Extend ∀ and ∃ to binder predicates.
+
+/--
+The notation `∃ x < 2, p x` is shorthand for `∃ x, x < 2 ∧ p x`,
+and similarly for other binary operators.
+-/
+syntax "∃ " binderIdent binderPred ", " term : term
+/--
+The notation `∀ x < 2, p x` is shorthand for `∀ x, x < 2 → p x`,
+and similarly for other binary operators.
+-/
+syntax "∀ " binderIdent binderPred ", " term : term
+
+macro_rules
+  | `(∃ $x:ident $pred:binderPred, $p) =>
+    `(∃ $x:ident, satisfies_binder_pred% $x $pred ∧ $p)
+  | `(∃ _ $pred:binderPred, $p) =>
+    `(∃ x, satisfies_binder_pred% x $pred ∧ $p)
+
+macro_rules
+  | `(∀ $x:ident $pred:binderPred, $p) =>
+    `(∀ $x:ident, satisfies_binder_pred% $x $pred → $p)
+  | `(∀ _ $pred:binderPred, $p) =>
+    `(∀ x, satisfies_binder_pred% x $pred → $p)
+
+/-- Declare `∃ x > y, ...` as syntax for `∃ x, x > y ∧ ...` -/
+binder_predicate x " > " y:term => `($x > $y)
+/-- Declare `∃ x ≥ y, ...` as syntax for `∃ x, x ≥ y ∧ ...` -/
+binder_predicate x " ≥ " y:term => `($x ≥ $y)
+/-- Declare `∃ x < y, ...` as syntax for `∃ x, x < y ∧ ...` -/
+binder_predicate x " < " y:term => `($x < $y)
+/-- Declare `∃ x ≤ y, ...` as syntax for `∃ x, x ≤ y ∧ ...` -/
+binder_predicate x " ≤ " y:term => `($x ≤ $y)
+/-- Declare `∃ x ≠ y, ...` as syntax for `∃ x, x ≠ y ∧ ...` -/
+binder_predicate x " ≠ " y:term => `($x ≠ $y)
+
+/-- Declare `∀ x ∈ y, ...` as syntax for `∀ x, x ∈ y → ...` and `∃ x ∈ y, ...` as syntax for
+`∃ x, x ∈ y ∧ ...` -/
+binder_predicate x " ∈ " y:term => `($x ∈ $y)
+
+/-- Declare `∀ x ∉ y, ...` as syntax for `∀ x, x ∉ y → ...` and `∃ x ∉ y, ...` as syntax for
+`∃ x, x ∉ y ∧ ...` -/
+binder_predicate x " ∉ " y:term => `($x ∉ $y)
+
+/-- Declare `∀ x ⊆ y, ...` as syntax for `∀ x, x ⊆ y → ...` and `∃ x ⊆ y, ...` as syntax for
+`∃ x, x ⊆ y ∧ ...` -/
+binder_predicate x " ⊆ " y:term => `($x ⊆ $y)
+
+/-- Declare `∀ x ⊂ y, ...` as syntax for `∀ x, x ⊂ y → ...` and `∃ x ⊂ y, ...` as syntax for
+`∃ x, x ⊂ y ∧ ...` -/
+binder_predicate x " ⊂ " y:term => `($x ⊂ $y)
+
+/-- Declare `∀ x ⊇ y, ...` as syntax for `∀ x, x ⊇ y → ...` and `∃ x ⊇ y, ...` as syntax for
+`∃ x, x ⊇ y ∧ ...` -/
+binder_predicate x " ⊇ " y:term => `($x ⊇ $y)
+
+/-- Declare `∀ x ⊃ y, ...` as syntax for `∀ x, x ⊃ y → ...` and `∃ x ⊃ y, ...` as syntax for
+`∃ x, x ⊃ y ∧ ...` -/
+binder_predicate x " ⊃ " y:term => `($x ⊃ $y)
+
+end Lean

src/Init/ByCases.lean

@@ -0,0 +1,74 @@
+/-
+Copyright (c) 2024 Lean FRO. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Leonardo de Moura, Mario Carneiro
+-/
+prelude
+import Init.Classical
+
+/-! # by_cases tactic and if-then-else support -/
+
+/--
+`by_cases (h :)? p` splits the main goal into two cases, assuming `h : p` in the first branch, and `h : ¬ p` in the second branch.
+-/
+syntax "by_cases " (atomic(ident " : "))? term : tactic
+
+macro_rules
+  | `(tactic| by_cases $e) => `(tactic| by_cases h : $e)
+macro_rules
+  | `(tactic| by_cases $h : $e) =>
+    `(tactic| open Classical in refine if $h:ident : $e then ?pos else ?neg)
+
+/-! ## if-then-else -/
+
+@[simp] theorem if_true {h : Decidable True} (t e : α) : ite True t e = t := if_pos trivial
+
+@[simp] theorem if_false {h : Decidable False} (t e : α) : ite False t e = e := if_neg id
+
+theorem ite_id [Decidable c] {α} (t : α) : (if c then t else t) = t := by split <;> rfl
+
+/-- A function applied to a `dite` is a `dite` of that function applied to each of the branches. -/
+theorem apply_dite (f : α → β) (P : Prop) [Decidable P] (x : P → α) (y : ¬P → α) :
+    f (dite P x y) = dite P (fun h => f (x h)) (fun h => f (y h)) := by
+  by_cases h : P <;> simp [h]
+
+/-- A function applied to a `ite` is a `ite` of that function applied to each of the branches. -/
+theorem apply_ite (f : α → β) (P : Prop) [Decidable P] (x y : α) :
+    f (ite P x y) = ite P (f x) (f y) :=
+  apply_dite f P (fun _ => x) (fun _ => y)
+
+/-- Negation of the condition `P : Prop` in a `dite` is the same as swapping the branches. -/
+@[simp] theorem dite_not (P : Prop) {_ : Decidable P}  (x : ¬P → α) (y : ¬¬P → α) :
+    dite (¬P) x y = dite P (fun h => y (not_not_intro h)) x := by
+  by_cases h : P <;> simp [h]
+
+/-- Negation of the condition `P : Prop` in a `ite` is the same as swapping the branches. -/
+@[simp] theorem ite_not (P : Prop) {_ : Decidable P} (x y : α) : ite (¬P) x y = ite P y x :=
+  dite_not P (fun _ => x) (fun _ => y)
+
+@[simp] theorem dite_eq_left_iff {P : Prop} [Decidable P] {B : ¬ P → α} :
+    dite P (fun _ => a) B = a ↔ ∀ h, B h = a := by
+  by_cases P <;> simp [*, forall_prop_of_true, forall_prop_of_false]
+
+@[simp] theorem dite_eq_right_iff {P : Prop} [Decidable P] {A : P → α} :
+    (dite P A fun _ => b) = b ↔ ∀ h, A h = b := by
+  by_cases P <;> simp [*, forall_prop_of_true, forall_prop_of_false]
+
+@[simp] theorem ite_eq_left_iff {P : Prop} [Decidable P] : ite P a b = a ↔ ¬P → b = a :=
+  dite_eq_left_iff
+
+@[simp] theorem ite_eq_right_iff {P : Prop} [Decidable P] : ite P a b = b ↔ P → a = b :=
+  dite_eq_right_iff
+
+/-- A `dite` whose results do not actually depend on the condition may be reduced to an `ite`. -/
+@[simp] theorem dite_eq_ite [Decidable P] : (dite P (fun _ => a) fun _ => b) = ite P a b := rfl
+
+-- We don't mark this as `simp` as it is already handled by `ite_eq_right_iff`.
+theorem ite_some_none_eq_none [Decidable P] :
+    (if P then some x else none) = none ↔ ¬ P := by
+  simp only [ite_eq_right_iff]
+  rfl
+
+@[simp] theorem ite_some_none_eq_some [Decidable P] :
+    (if P then some x else none) = some y ↔ P ∧ x = y := by
+  split <;> simp_all

src/Init/Classical.lean

@@ -1,11 +1,10 @@
 /-
 Copyright (c) 2020 Microsoft Corporation. All rights reserved.
 Released under Apache 2.0 license as described in the file LICENSE.
-Authors: Leonardo de Moura
+Authors: Leonardo de Moura, Mario Carneiro
 -/
 prelude
-import Init.Core
-import Init.NotationExtra
+import Init.PropLemmas
 
 universe u v
 
@@ -112,8 +111,8 @@ theorem skolem {α : Sort u} {b : α → Sort v} {p : ∀ x, b x → Prop} : (
 
 theorem propComplete (a : Prop) : a = True ∨ a = False :=
   match em a with
-  | Or.inl ha => Or.inl (propext (Iff.intro (fun _ => ⟨⟩) (fun _ => ha)))
-  | Or.inr hn => Or.inr (propext (Iff.intro (fun h => hn h) (fun h => False.elim h)))
+  | Or.inl ha => Or.inl (eq_true ha)
+  | Or.inr hn => Or.inr (eq_false hn)
 
 -- this supercedes byCases in Decidable
 theorem byCases {p q : Prop} (hpq : p → q) (hnpq : ¬p → q) : q :=
@@ -123,21 +122,36 @@ theorem byCases {p q : Prop} (hpq : p → q) (hnpq : ¬p → q) : q :=
 theorem byContradiction {p : Prop} (h : ¬p → False) : p :=
   Decidable.byContradiction (dec := propDecidable _) h
 
-/--
-`by_cases (h :)? p` splits the main goal into two cases, assuming `h : p` in the first branch, and `h : ¬ p` in the second branch.
--/
-syntax "by_cases " (atomic(ident " : "))? term : tactic
+/-- The Double Negation Theorem: `¬¬P` is equivalent to `P`.
+The left-to-right direction, double negation elimination (DNE),
+is classically true but not constructively. -/
+@[scoped simp] theorem not_not : ¬¬a ↔ a := Decidable.not_not
 
-macro_rules
-  | `(tactic| by_cases $h : $e) =>
-    `(tactic|
-      cases em $e with
-      | inl $h => _
-      | inr $h => _)
-  | `(tactic| by_cases $e) =>
-    `(tactic|
-      cases em $e with
-      | inl h => _
-      | inr h => _)
+@[simp] theorem not_forall {p : α → Prop} : (¬∀ x, p x) ↔ ∃ x, ¬p x := Decidable.not_forall
+
+theorem not_forall_not {p : α → Prop} : (¬∀ x, ¬p x) ↔ ∃ x, p x := Decidable.not_forall_not
+theorem not_exists_not {p : α → Prop} : (¬∃ x, ¬p x) ↔ ∀ x, p x := Decidable.not_exists_not
+
+theorem forall_or_exists_not (P : α → Prop) : (∀ a, P a) ∨ ∃ a, ¬ P a := by
+  rw [← not_forall]; exact em _
+
+theorem exists_or_forall_not (P : α → Prop) : (∃ a, P a) ∨ ∀ a, ¬ P a := by
+  rw [← not_exists]; exact em _
+
+theorem or_iff_not_imp_left  : a ∨ b ↔ (¬a → b) := Decidable.or_iff_not_imp_left
+theorem or_iff_not_imp_right : a ∨ b ↔ (¬b → a) := Decidable.or_iff_not_imp_right
+
+theorem not_imp_iff_and_not : ¬(a → b) ↔ a ∧ ¬b := Decidable.not_imp_iff_and_not
+
+theorem not_and_iff_or_not_not : ¬(a ∧ b) ↔ ¬a ∨ ¬b := Decidable.not_and_iff_or_not_not
+
+theorem not_iff : ¬(a ↔ b) ↔ (¬a ↔ b) := Decidable.not_iff
 
 end Classical
+
+/-- Extract an element from a existential statement, using `Classical.choose`. -/
+-- This enables projection notation.
+@[reducible] noncomputable def Exists.choose {p : α → Prop} (P : ∃ a, p a) : α := Classical.choose P
+
+/-- Show that an element extracted from `P : ∃ a, p a` using `P.choose` satisfies `p`. -/
+theorem Exists.choose_spec {p : α → Prop} (P : ∃ a, p a) : p P.choose := Classical.choose_spec P

src/Init/Coe.lean

@@ -290,6 +290,12 @@ between e.g. `↑x + ↑y` and `↑(x + y)`.
 -/
 syntax:1024 (name := coeNotation) "↑" term:1024 : term
 
+/-- `⇑ t` coerces `t` to a function. -/
+syntax:1024 (name := coeFunNotation) "⇑" term:1024 : term
+
+/-- `↥ t` coerces `t` to a type. -/
+syntax:1024 (name := coeSortNotation) "↥" term:1024 : term
+
 /-! # Basic instances -/
 
 instance boolToProp : Coe Bool Prop where

src/Init/Control/Lawful.lean

@@ -1,7 +1,7 @@
 /-
 Copyright (c) 2021 Microsoft Corporation. All rights reserved.
 Released under Apache 2.0 license as described in the file LICENSE.
-Authors: Sebastian Ullrich, Leonardo de Moura
+Authors: Sebastian Ullrich, Leonardo de Moura, Mario Carneiro
 -/
 prelude
 import Init.SimpLemmas
@@ -84,6 +84,36 @@ theorem seqRight_eq_bind [Monad m] [LawfulMonad m] (x : m α) (y : m β) : x *>
 theorem seqLeft_eq_bind [Monad m] [LawfulMonad m] (x : m α) (y : m β) : x <* y = x >>= fun a => y >>= fun _ => pure a := by
   rw [seqLeft_eq]; simp [map_eq_pure_bind, seq_eq_bind_map]
 
+/--
+An alternative constructor for `LawfulMonad` which has more
+defaultable fields in the common case.
+-/
+theorem LawfulMonad.mk' (m : Type u → Type v) [Monad m]
+    (id_map : ∀ {α} (x : m α), id <$> x = x)
+    (pure_bind : ∀ {α β} (x : α) (f : α → m β), pure x >>= f = f x)
+    (bind_assoc : ∀ {α β γ} (x : m α) (f : α → m β) (g : β → m γ),
+      x >>= f >>= g = x >>= fun x => f x >>= g)
+    (map_const : ∀ {α β} (x : α) (y : m β),
+      Functor.mapConst x y = Function.const β x <$> y := by intros; rfl)
+    (seqLeft_eq : ∀ {α β} (x : m α) (y : m β),
+      x <* y = (x >>= fun a => y >>= fun _ => pure a) := by intros; rfl)
+    (seqRight_eq : ∀ {α β} (x : m α) (y : m β), x *> y = (x >>= fun _ => y) := by intros; rfl)
+    (bind_pure_comp : ∀ {α β} (f : α → β) (x : m α),
+      x >>= (fun y => pure (f y)) = f <$> x := by intros; rfl)
+    (bind_map : ∀ {α β} (f : m (α → β)) (x : m α), f >>= (. <$> x) = f <*> x := by intros; rfl)
+    : LawfulMonad m :=
+  have map_pure {α β} (g : α → β) (x : α) : g <$> (pure x : m α) = pure (g x) := by
+    rw [← bind_pure_comp]; simp [pure_bind]
+  { id_map, bind_pure_comp, bind_map, pure_bind, bind_assoc, map_pure,
+    comp_map := by simp [← bind_pure_comp, bind_assoc, pure_bind]
+    pure_seq := by intros; rw [← bind_map]; simp [pure_bind]
+    seq_pure := by intros; rw [← bind_map]; simp [map_pure, bind_pure_comp]
+    seq_assoc := by simp [← bind_pure_comp, ← bind_map, bind_assoc, pure_bind]
+    map_const := funext fun x => funext (map_const x)
+    seqLeft_eq := by simp [seqLeft_eq, ← bind_map, ← bind_pure_comp, pure_bind, bind_assoc]
+    seqRight_eq := fun x y => by
+      rw [seqRight_eq, ← bind_map, ← bind_pure_comp, bind_assoc]; simp [pure_bind, id_map] }
+
 /-! # Id -/
 
 namespace Id
@@ -173,6 +203,16 @@ instance [Monad m] [LawfulMonad m] : LawfulMonad (ExceptT ε m) where
 
 end ExceptT
 
+/-! # Except -/
+
+instance : LawfulMonad (Except ε) := LawfulMonad.mk'
+  (id_map := fun x => by cases x <;> rfl)
+  (pure_bind := fun a f => rfl)
+  (bind_assoc := fun a f g => by cases a <;> rfl)
+
+instance : LawfulApplicative (Except ε) := inferInstance
+instance : LawfulFunctor (Except ε) := inferInstance
+
 /-! # ReaderT -/
 
 namespace ReaderT
@@ -307,3 +347,30 @@ instance [Monad m] [LawfulMonad m] : LawfulMonad (StateT σ m) where
   bind_assoc     := by intros; apply ext; intros; simp
 
 end StateT
+
+/-! # EStateM -/
+
+instance : LawfulMonad (EStateM ε σ) := .mk'
+  (id_map := fun x => funext <| fun s => by
+    dsimp only [EStateM.instMonadEStateM, EStateM.map]
+    match x s with
+    | .ok _ _ => rfl
+    | .error _ _ => rfl)
+  (pure_bind := fun _ _ => rfl)
+  (bind_assoc := fun x _ _ => funext <| fun s => by
+    dsimp only [EStateM.instMonadEStateM, EStateM.bind]
+    match x s with
+    | .ok _ _ => rfl
+    | .error _ _ => rfl)
+  (map_const := fun _ _ => rfl)
+
+/-! # Option -/
+
+instance : LawfulMonad Option := LawfulMonad.mk'
+  (id_map := fun x => by cases x <;> rfl)
+  (pure_bind := fun x f => rfl)
+  (bind_assoc := fun x f g => by cases x <;> rfl)
+  (bind_pure_comp := fun f x => by cases x <;> rfl)
+
+instance : LawfulApplicative Option := inferInstance
+instance : LawfulFunctor Option := inferInstance

src/Init/Conv.lean

@@ -54,6 +54,10 @@ syntax (name := lhs) "lhs" : conv
 (In general, for an `n`-ary operator, it traverses into the last argument.) -/
 syntax (name := rhs) "rhs" : conv
 
+/-- Traverses into the function of a (unary) function application.
+For example, `| f a b` turns into `| f a`. (Use `arg 0` to traverse into `f`.)  -/
+syntax (name := «fun») "fun" : conv
+
 /-- Reduces the target to Weak Head Normal Form. This reduces definitions
 in "head position" until a constructor is exposed. For example, `List.map f [a, b, c]`
 weak head normalizes to `f a :: List.map f [b, c]`. -/
@@ -74,7 +78,8 @@ syntax (name := congr) "congr" : conv
 * `arg i` traverses into the `i`'th argument of the target. For example if the
   target is `f a b c d` then `arg 1` traverses to `a` and `arg 3` traverses to `c`.
 * `arg @i` is the same as `arg i` but it counts all arguments instead of just the
-  explicit arguments. -/
+  explicit arguments.
+* `arg 0` traverses into the function. If the target is `f a b c d`, `arg 0` traverses into `f`. -/
 syntax (name := arg) "arg " "@"? num : conv
 
 /-- `ext x` traverses into a binder (a `fun x => e` or `∀ x, e` expression)

src/Init/Core.lean

@@ -17,7 +17,9 @@ universe u v w
 at the application site itself (by comparison to the `@[inline]` attribute,
 which applies to all applications of the function).
 -/
-def inline {α : Sort u} (a : α) : α := a
+@[simp] def inline {α : Sort u} (a : α) : α := a
+
+theorem id.def {α : Sort u} (a : α) : id a = a := rfl
 
 /--
 `flip f a b` is `f b a`. It is useful for "point-free" programming,
@@ -32,8 +34,32 @@ and `flip (·<·)` is the greater-than relation.
 
 @[simp] theorem Function.comp_apply {f : β → δ} {g : α → β} {x : α} : comp f g x = f (g x) := rfl
 
+theorem Function.comp_def {α β δ} (f : β → δ) (g : α → β) : f ∘ g = fun x => f (g x) := rfl
+
 attribute [simp] namedPattern
 
+/--
+`Empty.elim : Empty → C` says that a value of any type can be constructed from
+`Empty`. This can be thought of as a compiler-checked assertion that a code path is unreachable.
+
+This is a non-dependent variant of `Empty.rec`.
+-/
+@[macro_inline] def Empty.elim {C : Sort u} : Empty → C := Empty.rec
+
+/-- Decidable equality for Empty -/
+instance : DecidableEq Empty := fun a => a.elim
+
+/--
+`PEmpty.elim : Empty → C` says that a value of any type can be constructed from
+`PEmpty`. This can be thought of as a compiler-checked assertion that a code path is unreachable.
+
+This is a non-dependent variant of `PEmpty.rec`.
+-/
+@[macro_inline] def PEmpty.elim {C : Sort _} : PEmpty → C := fun a => nomatch a
+
+/-- Decidable equality for PEmpty -/
+instance : DecidableEq PEmpty := fun a => a.elim
+
 /--
   Thunks are "lazy" values that are evaluated when first accessed using `Thunk.get/map/bind`.
   The value is then stored and not recomputed for all further accesses. -/
@@ -78,6 +104,8 @@ instance thunkCoe : CoeTail α (Thunk α) where
 abbrev Eq.ndrecOn.{u1, u2} {α : Sort u2} {a : α} {motive : α → Sort u1} {b : α} (h : a = b) (m : motive a) : motive b :=
   Eq.ndrec m h
 
+/-! # definitions  -/
+
 /--
 If and only if, or logical bi-implication. `a ↔ b` means that `a` implies `b` and vice versa.
 By `propext`, this implies that `a` and `b` are equal and hence any expression involving `a`
@@ -126,6 +154,10 @@ inductive PSum (α : Sort u) (β : Sort v) where
 
 @[inherit_doc] infixr:30 " ⊕' " => PSum
 
+instance {α β} [Inhabited α] : Inhabited (PSum α β) := ⟨PSum.inl default⟩
+
+instance {α β} [Inhabited β] : Inhabited (PSum α β) := ⟨PSum.inr default⟩
+
 /--
 `Sigma β`, also denoted `Σ a : α, β a` or `(a : α) × β a`, is the type of dependent pairs
 whose first component is `a : α` and whose second component is `b : β a`
@@ -342,6 +374,70 @@ class HasEquiv (α : Sort u) where
 
 @[inherit_doc] infix:50 " ≈ "  => HasEquiv.Equiv
 
+/-! # set notation  -/
+
+/-- Notation type class for the subset relation `⊆`. -/
+class HasSubset (α : Type u) where
+  /-- Subset relation: `a ⊆ b`  -/
+  Subset : α → α → Prop
+export HasSubset (Subset)
+
+/-- Notation type class for the strict subset relation `⊂`. -/
+class HasSSubset (α : Type u) where
+  /-- Strict subset relation: `a ⊂ b`  -/
+  SSubset : α → α → Prop
+export HasSSubset (SSubset)
+
+/-- Superset relation: `a ⊇ b`  -/
+abbrev Superset [HasSubset α] (a b : α) := Subset b a
+
+/-- Strict superset relation: `a ⊃ b`  -/
+abbrev SSuperset [HasSSubset α] (a b : α) := SSubset b a
+
+/-- Notation type class for the union operation `∪`. -/
+class Union (α : Type u) where
+  /-- `a ∪ b` is the union of`a` and `b`. -/
+  union : α → α → α
+
+/-- Notation type class for the intersection operation `∩`. -/
+class Inter (α : Type u) where
+  /-- `a ∩ b` is the intersection of`a` and `b`. -/
+  inter : α → α → α
+
+/-- Notation type class for the set difference `\`. -/
+class SDiff (α : Type u) where
+  /--
+  `a \ b` is the set difference of `a` and `b`,
+  consisting of all elements in `a` that are not in `b`.
+  -/
+  sdiff : α → α → α
+
+/-- Subset relation: `a ⊆ b`  -/
+infix:50 " ⊆ " => Subset
+
+/-- Strict subset relation: `a ⊂ b`  -/
+infix:50 " ⊂ " => SSubset
+
+/-- Superset relation: `a ⊇ b`  -/
+infix:50 " ⊇ " => Superset
+
+/-- Strict superset relation: `a ⊃ b`  -/
+infix:50 " ⊃ " => SSuperset
+
+/-- `a ∪ b` is the union of`a` and `b`. -/
+infixl:65 " ∪ " => Union.union
+
+/-- `a ∩ b` is the intersection of`a` and `b`. -/
+infixl:70 " ∩ " => Inter.inter
+
+/--
+`a \ b` is the set difference of `a` and `b`,
+consisting of all elements in `a` that are not in `b`.
+-/
+infix:70 " \\ " => SDiff.sdiff
+
+/-! # collections  -/
+
 /-- `EmptyCollection α` is the typeclass which supports the notation `∅`, also written as `{}`. -/
 class EmptyCollection (α : Type u) where
   /-- `∅` or `{}` is the empty set or empty collection.
@@ -351,6 +447,36 @@ class EmptyCollection (α : Type u) where
 @[inherit_doc] notation "{" "}" => EmptyCollection.emptyCollection
 @[inherit_doc] notation "∅"     => EmptyCollection.emptyCollection
 
+/--
+Type class for the `insert` operation.
+Used to implement the `{ a, b, c }` syntax.
+-/
+class Insert (α : outParam <| Type u) (γ : Type v) where
+  /-- `insert x xs` inserts the element `x` into the collection `xs`. -/
+  insert : α → γ → γ
+export Insert (insert)
+
+/--
+Type class for the `singleton` operation.
+Used to implement the `{ a, b, c }` syntax.
+-/
+class Singleton (α : outParam <| Type u) (β : Type v) where
+  /-- `singleton x` is a collection with the single element `x` (notation: `{x}`). -/
+  singleton : α → β
+export Singleton (singleton)
+
+/-- `insert x ∅ = {x}` -/
+class IsLawfulSingleton (α : Type u) (β : Type v) [EmptyCollection β] [Insert α β] [Singleton α β] :
+    Prop where
+  /-- `insert x ∅ = {x}` -/
+  insert_emptyc_eq (x : α) : (insert x ∅ : β) = singleton x
+export IsLawfulSingleton (insert_emptyc_eq)
+
+/-- Type class used to implement the notation `{ a ∈ c | p a }` -/
+class Sep (α : outParam <| Type u) (γ : Type v) where
+  /-- Computes `{ a ∈ c | p a }`. -/
+  sep : (α → Prop) → γ → γ
+
 /--
 `Task α` is a primitive for asynchronous computation.
 It represents a computation that will resolve to a value of type `α`,
@@ -411,9 +537,10 @@ set_option linter.unusedVariables.funArgs false in
 be available and then calls `f` on the result.
 
 `prio`, if provided, is the priority of the task.
+If `sync` is set to true, `f` is executed on the current thread if `x` has already finished.
 -/
 @[noinline, extern "lean_task_map"]
-protected def map {α : Type u} {β : Type v} (f : α → β) (x : Task α) (prio := Priority.default) : Task β :=
+protected def map (f : α → β) (x : Task α) (prio := Priority.default) (sync := false) : Task β :=
   ⟨f x.get⟩
 
 set_option linter.unusedVariables.funArgs false in
@@ -424,9 +551,11 @@ for the value of `x` to be available and then calls `f` on the result,
 resulting in a new task which is then run for a result.
 
 `prio`, if provided, is the priority of the task.
+If `sync` is set to true, `f` is executed on the current thread if `x` has already finished.
 -/
 @[noinline, extern "lean_task_bind"]
-protected def bind {α : Type u} {β : Type v} (x : Task α) (f : α → Task β) (prio := Priority.default) : Task β :=
+protected def bind (x : Task α) (f : α → Task β) (prio := Priority.default) (sync := false) :
+    Task β :=
   ⟨(f x.get).get⟩
 
 end Task
@@ -522,9 +651,7 @@ theorem not_not_intro {p : Prop} (h : p) : ¬ ¬ p :=
   fun hn : ¬ p => hn h
 
 -- proof irrelevance is built in
-theorem proofIrrel {a : Prop} (h₁ h₂ : a) : h₁ = h₂ := rfl
-
-theorem id.def {α : Sort u} (a : α) : id a = a := rfl
+theorem proof_irrel {a : Prop} (h₁ h₂ : a) : h₁ = h₂ := rfl
 
 /--
 If `h : α = β` is a proof of type equality, then `h.mp : α → β` is the induced
@@ -572,8 +699,9 @@ theorem Ne.elim (h : a ≠ b) : a = b → False := h
 
 theorem Ne.irrefl (h : a ≠ a) : False := h rfl
 
-theorem Ne.symm (h : a ≠ b) : b ≠ a :=
-  fun h₁ => h (h₁.symm)
+theorem Ne.symm (h : a ≠ b) : b ≠ a := fun h₁ => h (h₁.symm)
+
+theorem ne_comm {α} {a b : α} : a ≠ b ↔ b ≠ a := ⟨Ne.symm, Ne.symm⟩
 
 theorem false_of_ne : a ≠ a → False := Ne.irrefl
 
@@ -585,8 +713,8 @@ theorem ne_true_of_not : ¬p → p ≠ True :=
     have : ¬True := h ▸ hnp
     this trivial
 
-theorem true_ne_false : ¬True = False :=
-  ne_false_of_self trivial
+theorem true_ne_false : ¬True = False := ne_false_of_self trivial
+theorem false_ne_true : False ≠ True := fun h => h.symm ▸ trivial
 
 end Ne
 
@@ -663,22 +791,31 @@ theorem Iff.refl (a : Prop) : a ↔ a :=
 protected theorem Iff.rfl {a : Prop} : a ↔ a :=
   Iff.refl a
 
+macro_rules | `(tactic| rfl) => `(tactic| exact Iff.rfl)
+
+theorem Iff.of_eq (h : a = b) : a ↔ b := h ▸ Iff.rfl
+
 theorem Iff.trans (h₁ : a ↔ b) (h₂ : b ↔ c) : a ↔ c :=
-  Iff.intro
-    (fun ha => Iff.mp h₂ (Iff.mp h₁ ha))
-    (fun hc => Iff.mpr h₁ (Iff.mpr h₂ hc))
+  Iff.intro (h₂.mp ∘ h₁.mp) (h₁.mpr ∘ h₂.mpr)
 
-theorem Iff.symm (h : a ↔ b) : b ↔ a :=
-  Iff.intro (Iff.mpr h) (Iff.mp h)
+-- This is needed for `calc` to work with `iff`.
+instance : Trans Iff Iff Iff where
+  trans := Iff.trans
 
-theorem Iff.comm : (a ↔ b) ↔ (b ↔ a) :=
-  Iff.intro Iff.symm Iff.symm
+theorem Eq.comm {a b : α} : a = b ↔ b = a := Iff.intro Eq.symm Eq.symm
+theorem eq_comm {a b : α} : a = b ↔ b = a := Eq.comm
 
-theorem Iff.of_eq (h : a = b) : a ↔ b :=
-  h ▸ Iff.refl _
+theorem Iff.symm (h : a ↔ b) : b ↔ a := Iff.intro h.mpr h.mp
+theorem Iff.comm: (a ↔ b) ↔ (b ↔ a) := Iff.intro Iff.symm Iff.symm
+theorem iff_comm : (a ↔ b) ↔ (b ↔ a) := Iff.comm
 
-theorem And.comm : a ∧ b ↔ b ∧ a := by
-  constructor <;> intro ⟨h₁, h₂⟩ <;> exact ⟨h₂, h₁⟩
+theorem And.symm : a ∧ b → b ∧ a := fun ⟨ha, hb⟩ => ⟨hb, ha⟩
+theorem And.comm : a ∧ b ↔ b ∧ a := Iff.intro And.symm And.symm
+theorem and_comm : a ∧ b ↔ b ∧ a := And.comm
+
+theorem Or.symm : a ∨ b → b ∨ a := .rec .inr .inl
+theorem Or.comm : a ∨ b ↔ b ∨ a := Iff.intro Or.symm Or.symm
+theorem or_comm : a ∨ b ↔ b ∨ a := Or.comm
 
 /-! # Exists -/
 
@@ -878,8 +1015,13 @@ protected theorem Subsingleton.helim {α β : Sort u} [h₁ : Subsingleton α] (
   apply heq_of_eq
   apply Subsingleton.elim
 
-instance (p : Prop) : Subsingleton p :=
-  ⟨fun a b => proofIrrel a b⟩
+instance (p : Prop) : Subsingleton p := ⟨fun a b => proof_irrel a b⟩
+
+instance : Subsingleton Empty  := ⟨(·.elim)⟩
+instance : Subsingleton PEmpty := ⟨(·.elim)⟩
+
+instance [Subsingleton α] [Subsingleton β] : Subsingleton (α × β) :=
+  ⟨fun {..} {..} => by congr <;> apply Subsingleton.elim⟩
 
 instance (p : Prop) : Subsingleton (Decidable p) :=
   Subsingleton.intro fun
@@ -890,6 +1032,9 @@ instance (p : Prop) : Subsingleton (Decidable p) :=
       | isTrue t₂  => absurd t₂ f₁
       | isFalse _  => rfl
 
+example [Subsingleton α] (p : α → Prop) : Subsingleton (Subtype p) :=
+  ⟨fun ⟨x, _⟩ ⟨y, _⟩ => by congr; exact Subsingleton.elim x y⟩
+
 theorem recSubsingleton
      {p : Prop} [h : Decidable p]
      {h₁ : p → Sort u}
@@ -1169,12 +1314,117 @@ gen_injective_theorems% Lean.Syntax
 @[simp] theorem beq_iff_eq [BEq α] [LawfulBEq α] (a b : α) : a == b ↔ a = b :=
   ⟨eq_of_beq, by intro h; subst h; exact LawfulBEq.rfl⟩
 
-/-! # Quotients -/
+/-! # Prop lemmas -/
+
+/-- *Ex falso* for negation: from `¬a` and `a` anything follows. This is the same as `absurd` with
+the arguments flipped, but it is in the `Not` namespace so that projection notation can be used. -/
+def Not.elim {α : Sort _} (H1 : ¬a) (H2 : a) : α := absurd H2 H1
+
+/-- Non-dependent eliminator for `And`. -/
+abbrev And.elim (f : a → b → α) (h : a ∧ b) : α := f h.left h.right
+
+/-- Non-dependent eliminator for `Iff`. -/
+def Iff.elim (f : (a → b) → (b → a) → α) (h : a ↔ b) : α := f h.mp h.mpr
 
 /-- Iff can now be used to do substitutions in a calculation -/
 theorem Iff.subst {a b : Prop} {p : Prop → Prop} (h₁ : a ↔ b) (h₂ : p a) : p b :=
   Eq.subst (propext h₁) h₂
 
+theorem Not.intro {a : Prop} (h : a → False) : ¬a := h
+
+theorem Not.imp {a b : Prop} (H2 : ¬b) (H1 : a → b) : ¬a := mt H1 H2
+
+theorem not_congr (h : a ↔ b) : ¬a ↔ ¬b := ⟨mt h.2, mt h.1⟩
+
+theorem not_not_not : ¬¬¬a ↔ ¬a := ⟨mt not_not_intro, not_not_intro⟩
+
+theorem iff_of_true (ha : a) (hb : b) : a ↔ b := Iff.intro (fun _ => hb) (fun _ => ha)
+theorem iff_of_false (ha : ¬a) (hb : ¬b) : a ↔ b := Iff.intro ha.elim hb.elim
+
+theorem iff_true_left  (ha : a) : (a ↔ b) ↔ b := Iff.intro (·.mp ha) (iff_of_true ha)
+theorem iff_true_right (ha : a) : (b ↔ a) ↔ b := Iff.comm.trans (iff_true_left ha)
+
+theorem iff_false_left  (ha : ¬a) : (a ↔ b) ↔ ¬b := Iff.intro (mt ·.mpr ha) (iff_of_false ha)
+theorem iff_false_right (ha : ¬a) : (b ↔ a) ↔ ¬b := Iff.comm.trans (iff_false_left ha)
+
+theorem of_iff_true    (h : a ↔ True) : a := h.mpr trivial
+theorem iff_true_intro (h : a) : a ↔ True := iff_of_true h trivial
+
+theorem not_of_iff_false : (p ↔ False) → ¬p := Iff.mp
+theorem iff_false_intro (h : ¬a) : a ↔ False := iff_of_false h id
+
+theorem not_iff_false_intro (h : a) : ¬a ↔ False := iff_false_intro (not_not_intro h)
+theorem not_true : (¬True) ↔ False := iff_false_intro (not_not_intro trivial)
+
+theorem not_false_iff : (¬False) ↔ True := iff_true_intro not_false
+
+theorem Eq.to_iff : a = b → (a ↔ b) := Iff.of_eq
+theorem iff_of_eq : a = b → (a ↔ b) := Iff.of_eq
+theorem neq_of_not_iff : ¬(a ↔ b) → a ≠ b := mt Iff.of_eq
+
+theorem iff_iff_eq : (a ↔ b) ↔ a = b := Iff.intro propext Iff.of_eq
+@[simp] theorem eq_iff_iff : (a = b) ↔ (a ↔ b) := iff_iff_eq.symm
+
+theorem eq_self_iff_true (a : α)  : a = a ↔ True  := iff_true_intro rfl
+theorem ne_self_iff_false (a : α) : a ≠ a ↔ False := not_iff_false_intro rfl
+
+theorem false_of_true_iff_false (h : True ↔ False) : False := h.mp trivial
+theorem false_of_true_eq_false  (h : True = False) : False := false_of_true_iff_false (Iff.of_eq h)
+
+theorem true_eq_false_of_false : False → (True = False) := False.elim
+
+theorem iff_def  : (a ↔ b) ↔ (a → b) ∧ (b → a) := iff_iff_implies_and_implies a b
+theorem iff_def' : (a ↔ b) ↔ (b → a) ∧ (a → b) := Iff.trans iff_def And.comm
+
+theorem true_iff_false : (True ↔ False) ↔ False := iff_false_intro (·.mp  True.intro)
+theorem false_iff_true : (False ↔ True) ↔ False := iff_false_intro (·.mpr True.intro)
+
+theorem iff_not_self : ¬(a ↔ ¬a) | H => let f h := H.1 h h; f (H.2 f)
+theorem heq_self_iff_true (a : α) : HEq a a ↔ True := iff_true_intro HEq.rfl
+
+/-! ## implies -/
+
+theorem not_not_of_not_imp : ¬(a → b) → ¬¬a := mt Not.elim
+
+theorem not_of_not_imp {a : Prop} : ¬(a → b) → ¬b := mt fun h _ => h
+
+@[simp] theorem imp_not_self : (a → ¬a) ↔ ¬a := Iff.intro (fun h ha => h ha ha) (fun h _ => h)
+
+theorem imp_intro {α β : Prop} (h : α) : β → α := fun _ => h
+
+theorem imp_imp_imp {a b c d : Prop} (h₀ : c → a) (h₁ : b → d) : (a → b) → (c → d) := (h₁ ∘ · ∘ h₀)
+
+theorem imp_iff_right {a : Prop} (ha : a) : (a → b) ↔ b := Iff.intro (· ha) (fun a _ => a)
+
+-- This is not marked `@[simp]` because we have `implies_true : (α → True) = True`
+theorem imp_true_iff (α : Sort u) : (α → True) ↔ True := iff_true_intro (fun _ => trivial)
+
+theorem false_imp_iff (a : Prop) : (False → a) ↔ True := iff_true_intro False.elim
+
+theorem true_imp_iff (α : Prop) : (True → α) ↔ α := imp_iff_right True.intro
+
+@[simp] theorem imp_self : (a → a) ↔ True := iff_true_intro id
+
+theorem imp_false : (a → False) ↔ ¬a := Iff.rfl
+
+theorem imp.swap : (a → b → c) ↔ (b → a → c) := Iff.intro flip flip
+
+theorem imp_not_comm : (a → ¬b) ↔ (b → ¬a) := imp.swap
+
+theorem imp_congr_left (h : a ↔ b) : (a → c) ↔ (b → c) := Iff.intro (· ∘ h.mpr) (· ∘ h.mp)
+
+theorem imp_congr_right (h : a → (b ↔ c)) : (a → b) ↔ (a → c) :=
+  Iff.intro (fun hab ha => (h ha).mp (hab ha)) (fun hcd ha => (h ha).mpr (hcd ha))
+
+theorem imp_congr_ctx (h₁ : a ↔ c) (h₂ : c → (b ↔ d)) : (a → b) ↔ (c → d) :=
+  Iff.trans (imp_congr_left h₁) (imp_congr_right h₂)
+
+theorem imp_congr (h₁ : a ↔ c) (h₂ : b ↔ d) : (a → b) ↔ (c → d) := imp_congr_ctx h₁ fun _ => h₂
+
+theorem imp_iff_not (hb : ¬b) : a → b ↔ ¬a := imp_congr_right fun _ => iff_false_intro hb
+
+/-! # Quotients -/
+
 namespace Quot
 /--
 The **quotient axiom**, or at least the nontrivial part of the quotient
@@ -1680,40 +1930,104 @@ So, you are mainly losing the capability of type checking your development using
 -/
 axiom ofReduceNat (a b : Nat) (h : reduceNat a = b) : a = b
 
+end Lean
+
+@[simp] theorem ge_iff_le [LE α] {x y : α} : x ≥ y ↔ y ≤ x := Iff.rfl
+
+@[simp] theorem gt_iff_lt [LT α] {x y : α} : x > y ↔ y < x := Iff.rfl
+
+theorem le_of_eq_of_le {a b c : α} [LE α] (h₁ : a = b) (h₂ : b ≤ c) : a ≤ c := h₁ ▸ h₂
+
+theorem le_of_le_of_eq {a b c : α} [LE α] (h₁ : a ≤ b) (h₂ : b = c) : a ≤ c := h₂ ▸ h₁
+
+theorem lt_of_eq_of_lt {a b c : α} [LT α] (h₁ : a = b) (h₂ : b < c) : a < c := h₁ ▸ h₂
+
+theorem lt_of_lt_of_eq {a b c : α} [LT α] (h₁ : a < b) (h₂ : b = c) : a < c := h₂ ▸ h₁
+
+namespace Std
+variable {α : Sort u}
+
 /--
-`IsAssociative op` says that `op` is an associative operation,
-i.e. `(a ∘ b) ∘ c = a ∘ (b ∘ c)`. It is used by the `ac_rfl` tactic.
+`Associative op` indicates `op` is an associative operation,
+i.e. `(a ∘ b) ∘ c = a ∘ (b ∘ c)`.
 -/
-class IsAssociative {α : Sort u} (op : α → α → α) where
+class Associative (op : α → α → α) : Prop where
   /-- An associative operation satisfies `(a ∘ b) ∘ c = a ∘ (b ∘ c)`. -/
   assoc : (a b c : α) → op (op a b) c = op a (op b c)
 
 /--
-`IsCommutative op` says that `op` is a commutative operation,
-i.e. `a ∘ b = b ∘ a`. It is used by the `ac_rfl` tactic.
+`Commutative op` says that `op` is a commutative operation,
+i.e. `a ∘ b = b ∘ a`.
 -/
-class IsCommutative {α : Sort u} (op : α → α → α) where
+class Commutative (op : α → α → α) : Prop where
   /-- A commutative operation satisfies `a ∘ b = b ∘ a`. -/
   comm : (a b : α) → op a b = op b a
 
 /--
-`IsIdempotent op` says that `op` is an idempotent operation,
-i.e. `a ∘ a = a`. It is used by the `ac_rfl` tactic
-(which also simplifies up to idempotence when available).
+`IdempotentOp op` indicates `op` is an idempotent binary operation.
+i.e. `a ∘ a = a`.
 -/
-class IsIdempotent {α : Sort u} (op : α → α → α) where
+class IdempotentOp (op : α → α → α) : Prop where
   /-- An idempotent operation satisfies `a ∘ a = a`. -/
   idempotent : (x : α) → op x x = x
 
 /--
-`IsNeutral op e` says that `e` is a neutral operation for `op`,
-i.e. `a ∘ e = a = e ∘ a`. It is used by the `ac_rfl` tactic
-(which also simplifies neutral elements when available).
--/
-class IsNeutral {α : Sort u} (op : α → α → α) (neutral : α) where
-  /-- A neutral element can be cancelled on the left: `e ∘ a = a`. -/
-  left_neutral : (a : α) → op neutral a = a
-  /-- A neutral element can be cancelled on the right: `a ∘ e = a`. -/
-  right_neutral : (a : α) → op a neutral = a
+`LeftIdentify op o` indicates `o` is a left identity of `op`.
 
-end Lean
+This class does not require a proof that `o` is an identity, and
+is used primarily for infering the identity using class resoluton.
+-/
+class LeftIdentity (op : α → β → β) (o : outParam α) : Prop
+
+/--
+`LawfulLeftIdentify op o` indicates `o` is a verified left identity of
+`op`.
+-/
+class LawfulLeftIdentity (op : α → β → β) (o : outParam α) extends LeftIdentity op o : Prop where
+  /-- Left identity `o` is an identity. -/
+  left_id : ∀ a, op o a = a
+
+/--
+`RightIdentify op o` indicates `o` is a right identity `o` of `op`.
+
+This class does not require a proof that `o` is an identity, and is used
+primarily for infering the identity using class resoluton.
+-/
+class RightIdentity (op : α → β → α) (o : outParam β) : Prop
+
+/--
+`LawfulRightIdentify op o` indicates `o` is a verified right identity of
+`op`.
+-/
+class LawfulRightIdentity (op : α → β → α) (o : outParam β) extends RightIdentity op o : Prop where
+  /-- Right identity `o` is an identity. -/
+  right_id : ∀ a, op a o = a
+
+/--
+`Identity op o` indicates `o` is a left and right identity of `op`.
+
+This class does not require a proof that `o` is an identity, and is used
+primarily for infering the identity using class resoluton.
+-/
+class Identity (op : α → α → α) (o : outParam α) extends LeftIdentity op o, RightIdentity op o : Prop
+
+/--
+`LawfulIdentity op o` indicates `o` is a verified left and right
+identity of `op`.
+-/
+class LawfulIdentity (op : α → α → α) (o : outParam α) extends Identity op o, LawfulLeftIdentity op o, LawfulRightIdentity op o : Prop
+
+/--
+`LawfulCommIdentity` can simplify defining instances of `LawfulIdentity`
+on commutative functions by requiring only a left or right identity
+proof.
+
+This class is intended for simplifying defining instances of
+`LawfulIdentity` and functions needed commutative operations with
+identity should just add a `LawfulIdentity` constraint.
+-/
+class LawfulCommIdentity (op : α → α → α) (o : outParam α) [hc : Commutative op] extends LawfulIdentity op o : Prop where
+  left_id a := Eq.trans (hc.comm o a) (right_id a)
+  right_id a := Eq.trans (hc.comm a o) (left_id a)
+
+end Std

src/Init/Data.lean

@@ -6,6 +6,9 @@ Authors: Leonardo de Moura
 prelude
 import Init.Data.Basic
 import Init.Data.Nat
+import Init.Data.Bool
+import Init.Data.BitVec
+import Init.Data.Cast
 import Init.Data.Char
 import Init.Data.String
 import Init.Data.List

src/Init/Data/AC.lean

@@ -14,15 +14,17 @@ inductive Expr
   | op (lhs rhs : Expr)
   deriving Inhabited, Repr, BEq
 
+open Std
+
 structure Variable {α : Sort u} (op : α → α → α) : Type u where
   value : α
-  neutral : Option $ IsNeutral op value
+  neutral : Option $ PLift (LawfulIdentity op value)
 
 structure Context (α : Sort u) where
   op : α → α → α
-  assoc : IsAssociative op
-  comm : Option $ IsCommutative op
-  idem : Option $ IsIdempotent op
+  assoc : Associative op
+  comm : Option $ PLift $ Commutative op
+  idem : Option $ PLift $ IdempotentOp op
   vars : List (Variable op)
   arbitrary : α
 
@@ -128,7 +130,14 @@ theorem Context.mergeIdem_head2 (h : x ≠ y) : mergeIdem (x :: y :: ys) = x ::
   simp [mergeIdem, mergeIdem.loop, h]
 
 theorem Context.evalList_mergeIdem (ctx : Context α) (h : ContextInformation.isIdem ctx) (e : List Nat) : evalList α ctx (mergeIdem e) = evalList α ctx e := by
-  have h : IsIdempotent ctx.op := by simp [ContextInformation.isIdem, Option.isSome] at h; cases h₂ : ctx.idem <;> simp [h₂] at h; assumption
+  have h : IdempotentOp ctx.op := by
+    simp [ContextInformation.isIdem, Option.isSome] at h;
+    match h₂ : ctx.idem with
+    | none =>
+      simp [h₂] at h
+    | some val =>
+      simp [h₂] at h
+      exact val.down
   induction e using List.two_step_induction with
   | empty => rfl
   | single => rfl
@@ -141,18 +150,18 @@ theorem Context.evalList_mergeIdem (ctx : Context α) (h : ContextInformation.is
       rfl
     | cons z zs =>
       by_cases h₂ : x = y
-      case inl =>
+      case pos =>
         rw [h₂, mergeIdem_head, ih]
         simp [evalList, ←ctx.assoc.1, h.1, EvalInformation.evalOp]
-      case inr =>
+      case neg =>
         rw [mergeIdem_head2]
         by_cases h₃ : y = z
-        case inl =>
+        case pos =>
           simp [mergeIdem_head, h₃, evalList]
           cases h₄ : mergeIdem (z :: zs) with
           | nil => apply absurd h₄; apply mergeIdem_nonEmpty; simp
           | cons u us => simp_all [mergeIdem, mergeIdem.loop, evalList]
-        case inr =>
+        case neg =>
           simp [mergeIdem_head2, h₃, evalList] at *
           rw [ih]
         assumption
@@ -169,7 +178,7 @@ theorem Context.sort_loop_nonEmpty (xs : List Nat) (h : xs ≠ []) : sort.loop x
 
 theorem Context.evalList_insert
   (ctx : Context α)
-  (h : IsCommutative ctx.op)
+  (h : Commutative ctx.op)
   (x : Nat)
   (xs : List Nat)
   : evalList α ctx (insert x xs) = evalList α ctx (x::xs) := by
@@ -190,7 +199,7 @@ theorem Context.evalList_insert
 
 theorem Context.evalList_sort_congr
   (ctx : Context α)
-  (h : IsCommutative ctx.op)
+  (h : Commutative ctx.op)
   (h₂ : evalList α ctx a = evalList α ctx b)
   (h₃ : a ≠ [])
   (h₄ : b ≠ [])
@@ -209,7 +218,7 @@ theorem Context.evalList_sort_congr
 
 theorem Context.evalList_sort_loop_swap
   (ctx : Context α)
-  (h : IsCommutative ctx.op)
+  (h : Commutative ctx.op)
   (xs ys : List Nat)
   : evalList α ctx (sort.loop xs (y::ys)) = evalList α ctx (sort.loop (y::xs) ys) := by
   induction ys generalizing y xs with
@@ -224,7 +233,7 @@ theorem Context.evalList_sort_loop_swap
 
 theorem Context.evalList_sort_cons
   (ctx : Context α)
-  (h : IsCommutative ctx.op)
+  (h : Commutative ctx.op)
   (x : Nat)
   (xs : List Nat)
   : evalList α ctx (sort (x :: xs)) = evalList α ctx (x :: sort xs) := by
@@ -247,7 +256,14 @@ theorem Context.evalList_sort_cons
     all_goals simp [insert_nonEmpty]
 
 theorem Context.evalList_sort (ctx : Context α) (h : ContextInformation.isComm ctx) (e : List Nat) : evalList α ctx (sort e) = evalList α ctx e := by
-  have h : IsCommutative ctx.op := by simp [ContextInformation.isComm, Option.isSome] at h; cases h₂ : ctx.comm <;> simp [h₂] at h; assumption
+  have h : Commutative ctx.op := by
+    simp [ContextInformation.isComm, Option.isSome] at h
+    match h₂ : ctx.comm with
+    | none =>
+      simp only [h₂] at h
+    | some val =>
+      simp [h₂] at h
+      exact val.down
   induction e using List.two_step_induction with
   | empty => rfl
   | single => rfl
@@ -269,10 +285,12 @@ theorem Context.toList_nonEmpty (e : Expr) : e.toList ≠ [] := by
 theorem Context.unwrap_isNeutral
   {ctx : Context α}
   {x : Nat}
-  : ContextInformation.isNeutral ctx x = true → IsNeutral (EvalInformation.evalOp ctx) (EvalInformation.evalVar (β := α) ctx x) := by
+  : ContextInformation.isNeutral ctx x = true → LawfulIdentity (EvalInformation.evalOp ctx) (EvalInformation.evalVar (β := α) ctx x) := by
   simp [ContextInformation.isNeutral, Option.isSome, EvalInformation.evalOp, EvalInformation.evalVar]
   match (var ctx x).neutral with
-  | some hn => intro; assumption
+  | some hn =>
+    intro
+    exact hn.down
   | none => intro; contradiction
 
 theorem Context.evalList_removeNeutrals (ctx : Context α) (e : List Nat) : evalList α ctx (removeNeutrals ctx e) = evalList α ctx e := by
@@ -283,10 +301,12 @@ theorem Context.evalList_removeNeutrals (ctx : Context α) (e : List Nat) : eval
     case h_1 => rfl
     case h_2 h => split at h <;> simp_all
   | step x y ys ih =>
-    cases h₁ : ContextInformation.isNeutral ctx x <;> cases h₂ : ContextInformation.isNeutral ctx y <;> cases h₃ : removeNeutrals.loop ctx ys
+    cases h₁ : ContextInformation.isNeutral ctx x <;>
+    cases h₂ : ContextInformation.isNeutral ctx y <;>
+    cases h₃ : removeNeutrals.loop ctx ys
     <;> simp [removeNeutrals, removeNeutrals.loop, h₁, h₂, h₃, evalList, ←ih]
-    <;> (try simp [unwrap_isNeutral h₂ |>.2])
-    <;> (try simp [unwrap_isNeutral h₁ |>.1])
+    <;> (try simp [unwrap_isNeutral h₂ |>.right_id])
+    <;> (try simp [unwrap_isNeutral h₁ |>.left_id])
 
 theorem Context.evalList_append
   (ctx : Context α)

src/Init/Data/Array.lean

@@ -11,3 +11,4 @@ import Init.Data.Array.InsertionSort
 import Init.Data.Array.DecidableEq
 import Init.Data.Array.Mem
 import Init.Data.Array.BasicAux
+import Init.Data.Array.Lemmas

src/Init/Data/Array/Basic.lean

@@ -21,6 +21,21 @@ def mkArray {α : Type u} (n : Nat) (v : α) : Array α := {
   data := List.replicate n v
 }
 
+/--
+`ofFn f` with `f : Fin n → α` returns the list whose ith element is `f i`.
+```
+ofFn f = #[f 0, f 1, ... , f(n - 1)]
+``` -/
+def ofFn {n} (f : Fin n → α) : Array α := go 0 (mkEmpty n) where
+  /-- Auxiliary for `ofFn`. `ofFn.go f i acc = acc ++ #[f i, ..., f(n - 1)]` -/
+  go (i : Nat) (acc : Array α) : Array α :=
+    if h : i < n then go (i+1) (acc.push (f ⟨i, h⟩)) else acc
+termination_by n - i
+
+/-- The array `#[0, 1, ..., n - 1]`. -/
+def range (n : Nat) : Array Nat :=
+  n.fold (flip Array.push) (mkEmpty n)
+
 @[simp] theorem size_mkArray (n : Nat) (v : α) : (mkArray n v).size = n :=
   List.length_replicate ..
 
@@ -71,6 +86,12 @@ abbrev getLit {α : Type u} {n : Nat} (a : Array α) (i : Nat) (h₁ : a.size =
 def uset (a : Array α) (i : USize) (v : α) (h : i.toNat < a.size) : Array α :=
   a.set ⟨i.toNat, h⟩ v
 
+/--
+Swaps two entries in an array.
+
+This will perform the update destructively provided that `a` has a reference
+count of 1 when called.
+-/
 @[extern "lean_array_fswap"]
 def swap (a : Array α) (i j : @& Fin a.size) : Array α :=
   let v₁ := a.get i
@@ -78,12 +99,18 @@ def swap (a : Array α) (i j : @& Fin a.size) : Array α :=
   let a'  := a.set i v₂
   a'.set (size_set a i v₂ ▸ j) v₁
 
+/--
+Swaps two entries in an array, or panics if either index is out of bounds.
+
+This will perform the update destructively provided that `a` has a reference
+count of 1 when called.
+-/
 @[extern "lean_array_swap"]
 def swap! (a : Array α) (i j : @& Nat) : Array α :=
   if h₁ : i < a.size then
   if h₂ : j < a.size then swap a ⟨i, h₁⟩ ⟨j, h₂⟩
-  else panic! "index out of bounds"
-  else panic! "index out of bounds"
+  else a
+  else a
 
 @[inline] def swapAt (a : Array α) (i : Fin a.size) (v : α) : α × Array α :=
   let e := a.get i
@@ -276,8 +303,8 @@ def mapM {α : Type u} {β : Type v} {m : Type v → Type w} [Monad m] (f : α
       map (i+1) (r.push (← f as[i]))
     else
       pure r
+  termination_by as.size - i
   map 0 (mkEmpty as.size)
-termination_by map => as.size - i
 
 @[inline]
 def mapIdxM {α : Type u} {β : Type v} {m : Type v → Type w} [Monad m] (as : Array α) (f : Fin as.size → α → m β) : m (Array β) :=
@@ -348,12 +375,12 @@ def anyM {α : Type u} {m : Type → Type w} [Monad m] (p : α → m Bool) (as :
           loop (j+1)
       else
         pure false
+      termination_by stop - j
     loop start
   if h : stop ≤ as.size then
     any stop h
   else
     any as.size (Nat.le_refl _)
-termination_by loop i j => stop - j
 
 @[inline]
 def allM {α : Type u} {m : Type → Type w} [Monad m] (p : α → m Bool) (as : Array α) (start := 0) (stop := as.size) : m Bool :=
@@ -401,6 +428,10 @@ def map {α : Type u} {β : Type v} (f : α → β) (as : Array α) : Array β :
 def mapIdx {α : Type u} {β : Type v} (as : Array α) (f : Fin as.size → α → β) : Array β :=
   Id.run <| as.mapIdxM f
 
+/-- Turns `#[a, b]` into `#[(a, 0), (b, 1)]`. -/
+def zipWithIndex (arr : Array α) : Array (α × Nat) :=
+  arr.mapIdx fun i a => (a, i)
+
 @[inline]
 def find? {α : Type} (as : Array α) (p : α → Bool) : Option α :=
   Id.run <| as.findM? p
@@ -475,6 +506,11 @@ def elem [BEq α] (a : α) (as : Array α) : Bool :=
 def toList (as : Array α) : List α :=
   as.foldr List.cons []
 
+/-- Prepends an `Array α` onto the front of a list.  Equivalent to `as.toList ++ l`. -/
+@[inline]
+def toListAppend (as : Array α) (l : List α) : List α :=
+  as.foldr List.cons l
+
 instance {α : Type u} [Repr α] : Repr (Array α) where
   reprPrec a _ :=
     let _ : Std.ToFormat α := ⟨repr⟩
@@ -504,6 +540,13 @@ def concatMapM [Monad m] (f : α → m (Array β)) (as : Array α) : m (Array β
 def concatMap (f : α → Array β) (as : Array α) : Array β :=
   as.foldl (init := empty) fun bs a => bs ++ f a
 
+/-- Joins array of array into a single array.
+
+`flatten #[#[a₁, a₂, ⋯], #[b₁, b₂, ⋯], ⋯]` = `#[a₁, a₂, ⋯, b₁, b₂, ⋯]`
+-/
+def flatten (as : Array (Array α)) : Array α :=
+  as.foldl (init := empty) fun r a => r ++ a
+
 end Array
 
 export Array (mkArray)
@@ -523,7 +566,7 @@ def isEqvAux (a b : Array α) (hsz : a.size = b.size) (p : α → α → Bool) (
      p a[i] b[i] && isEqvAux a b hsz p (i+1)
   else
     true
-termination_by _ => a.size - i
+termination_by a.size - i
 
 @[inline] def isEqv (a b : Array α) (p : α → α → Bool) : Bool :=
   if h : a.size = b.size then
@@ -627,7 +670,7 @@ def indexOfAux [BEq α] (a : Array α) (v : α) (i : Nat) : Option (Fin a.size)
     if a.get idx == v then some idx
     else indexOfAux a v (i+1)
   else none
-termination_by _ => a.size - i
+termination_by a.size - i
 
 def indexOf? [BEq α] (a : Array α) (v : α) : Option (Fin a.size) :=
   indexOfAux a v 0
@@ -659,7 +702,7 @@ where
       loop as (i+1) ⟨j-1, this⟩
     else
       as
-termination_by _ => j - i
+termination_by j - i
 
 def popWhile (p : α → Bool) (as : Array α) : Array α :=
   if h : as.size > 0 then
@@ -669,7 +712,7 @@ def popWhile (p : α → Bool) (as : Array α) : Array α :=
       as
   else
     as
-termination_by popWhile as => as.size
+termination_by as.size
 
 def takeWhile (p : α → Bool) (as : Array α) : Array α :=
   let rec go (i : Nat) (r : Array α) : Array α :=
@@ -681,8 +724,8 @@ def takeWhile (p : α → Bool) (as : Array α) : Array α :=
         r
     else
       r
+    termination_by as.size - i
   go 0 #[]
-termination_by go i r => as.size - i
 
 def eraseIdxAux (i : Nat) (a : Array α) : Array α :=
   if h : i < a.size then
@@ -692,7 +735,7 @@ def eraseIdxAux (i : Nat) (a : Array α) : Array α :=
     eraseIdxAux (i+1) a'
   else
     a.pop
-termination_by _ => a.size - i
+termination_by a.size - i
 
 def feraseIdx (a : Array α) (i : Fin a.size) : Array α :=
   eraseIdxAux (i.val + 1) a
@@ -707,7 +750,7 @@ def eraseIdxSzAux (a : Array α) (i : Nat) (r : Array α) (heq : r.size = a.size
     eraseIdxSzAux a (i+1) (r.swap idx idx1) ((size_swap r idx idx1).trans heq)
   else
     ⟨r.pop, (size_pop r).trans (heq ▸ rfl)⟩
-termination_by _ => r.size - i
+termination_by r.size - i
 
 def eraseIdx' (a : Array α) (i : Fin a.size) : { r : Array α // r.size = a.size - 1 } :=
   eraseIdxSzAux a (i.val + 1) a rfl
@@ -726,10 +769,10 @@ def erase [BEq α] (as : Array α) (a : α) : Array α :=
       loop as ⟨j', by rw [size_swap]; exact j'.2⟩
     else
       as
+    termination_by j.1
   let j := as.size
   let as := as.push a
   loop as ⟨j, size_push .. ▸ j.lt_succ_self⟩
-termination_by loop j => j.1
 
 /-- Insert element `a` at position `i`. Panics if `i` is not `i ≤ as.size`. -/
 def insertAt! (as : Array α) (i : Nat) (a : α) : Array α :=
@@ -779,7 +822,7 @@ def isPrefixOfAux [BEq α] (as bs : Array α) (hle : as.size ≤ bs.size) (i : N
       false
   else
     true
-termination_by _ => as.size - i
+termination_by as.size - i
 
 /-- Return true iff `as` is a prefix of `bs`.
 That is, `bs = as ++ t` for some `t : List α`.-/
@@ -800,7 +843,7 @@ private def allDiffAux [BEq α] (as : Array α) (i : Nat) : Bool :=
     allDiffAuxAux as as[i] i h && allDiffAux as (i+1)
   else
     true
-termination_by _ => as.size - i
+termination_by as.size - i
 
 def allDiff [BEq α] (as : Array α) : Bool :=
   allDiffAux as 0
@@ -815,7 +858,7 @@ def allDiff [BEq α] (as : Array α) : Bool :=
       cs
   else
     cs
-termination_by _ => as.size - i
+termination_by as.size - i
 
 @[inline] def zipWith (as : Array α) (bs : Array β) (f : α → β → γ) : Array γ :=
   zipWithAux f as bs 0 #[]

src/Init/Data/Array/BasicAux.lean

@@ -47,7 +47,7 @@ where
       have hlt : i < as.size := Nat.lt_of_le_of_ne hle h
       let b ← f as[i]
       go (i+1) ⟨acc.val.push b, by simp [acc.property]⟩ hlt
-termination_by go i _ _ => as.size - i
+  termination_by as.size - i
 
 @[inline] private unsafe def mapMonoMImp [Monad m] (as : Array α) (f : α → m α) : m (Array α) :=
   go 0 as

src/Init/Data/Array/DecidableEq.lean

@@ -5,7 +5,7 @@ Authors: Leonardo de Moura
 -/
 prelude
 import Init.Data.Array.Basic
-import Init.Classical
+import Init.ByCases
 
 namespace Array
 
@@ -20,7 +20,7 @@ theorem eq_of_isEqvAux [DecidableEq α] (a b : Array α) (hsz : a.size = b.size)
   · have heq : i = a.size := Nat.le_antisymm hi (Nat.ge_of_not_lt h)
     subst heq
     exact absurd (Nat.lt_of_lt_of_le high low) (Nat.lt_irrefl j)
-termination_by _ => a.size - i
+termination_by a.size - i
 
 theorem eq_of_isEqv [DecidableEq α] (a b : Array α) : Array.isEqv a b (fun x y => x = y) → a = b := by
   simp [Array.isEqv]
@@ -36,7 +36,7 @@ theorem isEqvAux_self [DecidableEq α] (a : Array α) (i : Nat) : Array.isEqvAux
   split
   case inl h => simp [h, isEqvAux_self a (i+1)]
   case inr h => simp [h]
-termination_by _ => a.size - i
+termination_by a.size - i
 
 theorem isEqv_self [DecidableEq α] (a : Array α) : Array.isEqv a a (fun x y => x = y) = true := by
   simp [isEqv, isEqvAux_self]

src/Init/Data/Array/Lemmas.lean

@@ -0,0 +1,187 @@
+/-
+Copyright (c) 2022 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro
+-/
+prelude
+import Init.Data.Nat.MinMax
+import Init.Data.List.Lemmas
+import Init.Data.Fin.Basic
+import Init.Data.Array.Mem
+
+/-!
+## Bootstrapping theorems about arrays
+
+This file contains some theorems about `Array` and `List` needed for `Std.List.Basic`.
+-/
+
+namespace Array
+
+attribute [simp] data_toArray uset
+
+@[simp] theorem mkEmpty_eq (α n) : @mkEmpty α n = #[] := rfl
+
+@[simp] theorem size_toArray (as : List α) : as.toArray.size = as.length := by simp [size]
+
+@[simp] theorem size_mk (as : List α) : (Array.mk as).size = as.length := by simp [size]
+
+theorem getElem_eq_data_get (a : Array α) (h : i < a.size) : a[i] = a.data.get ⟨i, h⟩ := by
+  by_cases i < a.size <;> (try simp [*]) <;> rfl
+
+theorem foldlM_eq_foldlM_data.aux [Monad m]
+    (f : β → α → m β) (arr : Array α) (i j) (H : arr.size ≤ i + j) (b) :
+    foldlM.loop f arr arr.size (Nat.le_refl _) i j b = (arr.data.drop j).foldlM f b := by
+  unfold foldlM.loop
+  split; split
+  · cases Nat.not_le_of_gt ‹_› (Nat.zero_add _ ▸ H)
+  · rename_i i; rw [Nat.succ_add] at H
+    simp [foldlM_eq_foldlM_data.aux f arr i (j+1) H]
+    rw (config := {occs := .pos [2]}) [← List.get_drop_eq_drop _ _ ‹_›]
+    rfl
+  · rw [List.drop_length_le (Nat.ge_of_not_lt ‹_›)]; rfl
+
+theorem foldlM_eq_foldlM_data [Monad m]
+    (f : β → α → m β) (init : β) (arr : Array α) :
+    arr.foldlM f init = arr.data.foldlM f init := by
+  simp [foldlM, foldlM_eq_foldlM_data.aux]
+
+theorem foldl_eq_foldl_data (f : β → α → β) (init : β) (arr : Array α) :
+    arr.foldl f init = arr.data.foldl f init :=
+  List.foldl_eq_foldlM .. ▸ foldlM_eq_foldlM_data ..
+
+theorem foldrM_eq_reverse_foldlM_data.aux [Monad m]
+    (f : α → β → m β) (arr : Array α) (init : β) (i h) :
+    (arr.data.take i).reverse.foldlM (fun x y => f y x) init = foldrM.fold f arr 0 i h init := by
+  unfold foldrM.fold
+  match i with
+  | 0 => simp [List.foldlM, List.take]
+  | i+1 => rw [← List.take_concat_get _ _ h]; simp [← (aux f arr · i)]; rfl
+
+theorem foldrM_eq_reverse_foldlM_data [Monad m] (f : α → β → m β) (init : β) (arr : Array α) :
+    arr.foldrM f init = arr.data.reverse.foldlM (fun x y => f y x) init := by
+  have : arr = #[] ∨ 0 < arr.size :=
+    match arr with | ⟨[]⟩ => .inl rfl | ⟨a::l⟩ => .inr (Nat.zero_lt_succ _)
+  match arr, this with | _, .inl rfl => rfl | arr, .inr h => ?_
+  simp [foldrM, h, ← foldrM_eq_reverse_foldlM_data.aux, List.take_length]
+
+theorem foldrM_eq_foldrM_data [Monad m]
+    (f : α → β → m β) (init : β) (arr : Array α) :
+    arr.foldrM f init = arr.data.foldrM f init := by
+  rw [foldrM_eq_reverse_foldlM_data, List.foldlM_reverse]
+
+theorem foldr_eq_foldr_data (f : α → β → β) (init : β) (arr : Array α) :
+    arr.foldr f init = arr.data.foldr f init :=
+  List.foldr_eq_foldrM .. ▸ foldrM_eq_foldrM_data ..
+
+@[simp] theorem push_data (arr : Array α) (a : α) : (arr.push a).data = arr.data ++ [a] := by
+  simp [push, List.concat_eq_append]
+
+theorem foldrM_push [Monad m] (f : α → β → m β) (init : β) (arr : Array α) (a : α) :
+    (arr.push a).foldrM f init = f a init >>= arr.foldrM f := by
+  simp [foldrM_eq_reverse_foldlM_data, -size_push]
+
+@[simp] theorem foldrM_push' [Monad m] (f : α → β → m β) (init : β) (arr : Array α) (a : α) :
+    (arr.push a).foldrM f init (start := arr.size + 1) = f a init >>= arr.foldrM f := by
+  simp [← foldrM_push]
+
+theorem foldr_push (f : α → β → β) (init : β) (arr : Array α) (a : α) :
+    (arr.push a).foldr f init = arr.foldr f (f a init) := foldrM_push ..
+
+@[simp] theorem foldr_push' (f : α → β → β) (init : β) (arr : Array α) (a : α) :
+    (arr.push a).foldr f init (start := arr.size + 1) = arr.foldr f (f a init) := foldrM_push' ..
+
+@[simp] theorem toListAppend_eq (arr : Array α) (l) : arr.toListAppend l = arr.data ++ l := by
+  simp [toListAppend, foldr_eq_foldr_data]
+
+@[simp] theorem toList_eq (arr : Array α) : arr.toList = arr.data := by
+  simp [toList, foldr_eq_foldr_data]
+
+/-- A more efficient version of `arr.toList.reverse`. -/
+@[inline] def toListRev (arr : Array α) : List α := arr.foldl (fun l t => t :: l) []
+
+@[simp] theorem toListRev_eq (arr : Array α) : arr.toListRev = arr.data.reverse := by
+  rw [toListRev, foldl_eq_foldl_data, ← List.foldr_reverse, List.foldr_self]
+
+theorem get_push_lt (a : Array α) (x : α) (i : Nat) (h : i < a.size) :
+    have : i < (a.push x).size := by simp [*, Nat.lt_succ_of_le, Nat.le_of_lt]
+    (a.push x)[i] = a[i] := by
+  simp only [push, getElem_eq_data_get, List.concat_eq_append, List.get_append_left, h]
+
+@[simp] theorem get_push_eq (a : Array α) (x : α) : (a.push x)[a.size] = x := by
+  simp only [push, getElem_eq_data_get, List.concat_eq_append]
+  rw [List.get_append_right] <;> simp [getElem_eq_data_get, Nat.zero_lt_one]
+
+theorem get_push (a : Array α) (x : α) (i : Nat) (h : i < (a.push x).size) :
+    (a.push x)[i] = if h : i < a.size then a[i] else x := by
+  by_cases h' : i < a.size
+  · simp [get_push_lt, h']
+  · simp at h
+    simp [get_push_lt, Nat.le_antisymm (Nat.le_of_lt_succ h) (Nat.ge_of_not_lt h')]
+
+theorem mapM_eq_foldlM [Monad m] [LawfulMonad m] (f : α → m β) (arr : Array α) :
+    arr.mapM f = arr.foldlM (fun bs a => bs.push <$> f a) #[] := by
+  rw [mapM, aux, foldlM_eq_foldlM_data]; rfl
+where
+  aux (i r) :
+      mapM.map f arr i r = (arr.data.drop i).foldlM (fun bs a => bs.push <$> f a) r := by
+    unfold mapM.map; split
+    · rw [← List.get_drop_eq_drop _ i ‹_›]
+      simp [aux (i+1), map_eq_pure_bind]; rfl
+    · rw [List.drop_length_le (Nat.ge_of_not_lt ‹_›)]; rfl
+  termination_by arr.size - i
+
+@[simp] theorem map_data (f : α → β) (arr : Array α) : (arr.map f).data = arr.data.map f := by
+  rw [map, mapM_eq_foldlM]
+  apply congrArg data (foldl_eq_foldl_data (fun bs a => push bs (f a)) #[] arr) |>.trans
+  have H (l arr) : List.foldl (fun bs a => push bs (f a)) arr l = ⟨arr.data ++ l.map f⟩ := by
+    induction l generalizing arr <;> simp [*]
+  simp [H]
+
+@[simp] theorem size_map (f : α → β) (arr : Array α) : (arr.map f).size = arr.size := by
+  simp [size]
+
+@[simp] theorem pop_data (arr : Array α) : arr.pop.data = arr.data.dropLast := rfl
+
+@[simp] theorem append_eq_append (arr arr' : Array α) : arr.append arr' = arr ++ arr' := rfl
+
+@[simp] theorem append_data (arr arr' : Array α) :
+    (arr ++ arr').data = arr.data ++ arr'.data := by
+  rw [← append_eq_append]; unfold Array.append
+  rw [foldl_eq_foldl_data]
+  induction arr'.data generalizing arr <;> simp [*]
+
+@[simp] theorem appendList_eq_append
+    (arr : Array α) (l : List α) : arr.appendList l = arr ++ l := rfl
+
+@[simp] theorem appendList_data (arr : Array α) (l : List α) :
+    (arr ++ l).data = arr.data ++ l := by
+  rw [← appendList_eq_append]; unfold Array.appendList
+  induction l generalizing arr <;> simp [*]
+
+@[simp] theorem appendList_nil (arr : Array α) : arr ++ ([] : List α) = arr := Array.ext' (by simp)
+
+@[simp] theorem appendList_cons (arr : Array α) (a : α) (l : List α) :
+    arr ++ (a :: l) = arr.push a ++ l := Array.ext' (by simp)
+
+theorem foldl_data_eq_bind (l : List α) (acc : Array β)
+    (F : Array β → α → Array β) (G : α → List β)
+    (H : ∀ acc a, (F acc a).data = acc.data ++ G a) :
+    (l.foldl F acc).data = acc.data ++ l.bind G := by
+  induction l generalizing acc <;> simp [*, List.bind]
+
+theorem foldl_data_eq_map (l : List α) (acc : Array β) (G : α → β) :
+    (l.foldl (fun acc a => acc.push (G a)) acc).data = acc.data ++ l.map G := by
+  induction l generalizing acc <;> simp [*]
+
+theorem size_uset (a : Array α) (v i h) : (uset a i v h).size = a.size := by simp
+
+theorem anyM_eq_anyM_loop [Monad m] (p : α → m Bool) (as : Array α) (start stop) :
+    anyM p as start stop = anyM.loop p as (min stop as.size) (Nat.min_le_right ..) start := by
+  simp only [anyM, Nat.min_def]; split <;> rfl
+
+theorem anyM_stop_le_start [Monad m] (p : α → m Bool) (as : Array α) (start stop)
+    (h : min stop as.size ≤ start) : anyM p as start stop = pure false := by
+  rw [anyM_eq_anyM_loop, anyM.loop, dif_neg (Nat.not_lt.2 h)]
+
+theorem mem_def (a : α) (as : Array α) : a ∈ as ↔ a ∈ as.data :=
+  ⟨fun | .mk h => h, Array.Mem.mk⟩

src/Init/Data/Array/QSort.lean

@@ -26,8 +26,8 @@ def qpartition (as : Array α) (lt : α → α → Bool) (lo hi : Nat) : Nat ×
     else
       let as := as.swap! i hi
       (i, as)
+    termination_by hi - j
   loop as lo lo
-termination_by _ => hi - j
 
 @[inline] partial def qsort (as : Array α) (lt : α → α → Bool) (low := 0) (high := as.size - 1) : Array α :=
   let rec @[specialize] sort (as : Array α) (low high : Nat) :=

src/Init/Data/BitVec.lean

@@ -0,0 +1,5 @@
+prelude
+import Init.Data.BitVec.Basic
+import Init.Data.BitVec.Bitblast
+import Init.Data.BitVec.Folds
+import Init.Data.BitVec.Lemmas

src/Init/Data/BitVec/Basic.lean

@@ -0,0 +1,535 @@
+/-
+Copyright (c) 2022 by the authors listed in the file AUTHORS and their
+institutional affiliations. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Joe Hendrix, Wojciech Nawrocki, Leonardo de Moura, Mario Carneiro, Alex Keizer
+-/
+prelude
+import Init.Data.Fin.Basic
+import Init.Data.Nat.Bitwise.Lemmas
+import Init.Data.Nat.Power2
+
+namespace Std
+
+/-!
+We define bitvectors. We choose the `Fin` representation over others for its relative efficiency
+(Lean has special support for `Nat`), alignment with `UIntXY` types which are also represented
+with `Fin`, and the fact that bitwise operations on `Fin` are already defined. Some other possible
+representations are `List Bool`, `{ l : List Bool // l.length = w }`, `Fin w → Bool`.
+
+We define many of the bitvector operations from the
+[`QF_BV` logic](https://smtlib.cs.uiowa.edu/logics-all.shtml#QF_BV).
+of SMT-LIBv2.
+-/
+
+/--
+A bitvector of the specified width. This is represented as the underlying `Nat` number
+in both the runtime and the kernel, inheriting all the special support for `Nat`.
+-/
+structure BitVec (w : Nat) where
+  /-- Construct a `BitVec w` from a number less than `2^w`.
+  O(1), because we use `Fin` as the internal representation of a bitvector. -/
+  ofFin ::
+  /-- Interpret a bitvector as a number less than `2^w`.
+  O(1), because we use `Fin` as the internal representation of a bitvector. -/
+  toFin : Fin (2^w)
+  deriving DecidableEq
+
+namespace BitVec
+
+/-- `cast eq i` embeds `i` into an equal `BitVec` type. -/
+@[inline] def cast (eq : n = m) (i : BitVec n) : BitVec m :=
+  .ofFin (Fin.cast (congrArg _ eq) i.toFin)
+
+/-- The `BitVec` with value `i mod 2^n`. Treated as an operation on bitvectors,
+this is truncation of the high bits when downcasting and zero-extension when upcasting. -/
+protected def ofNat (n : Nat) (i : Nat) : BitVec n where
+  toFin := Fin.ofNat' i (Nat.two_pow_pos n)
+
+instance : NatCast (BitVec w) := ⟨BitVec.ofNat w⟩
+
+/-- Given a bitvector `a`, return the underlying `Nat`. This is O(1) because `BitVec` is a
+(zero-cost) wrapper around a `Nat`. -/
+protected def toNat (a : BitVec n) : Nat := a.toFin.val
+
+/-- Return the bound in terms of toNat. -/
+theorem isLt (x : BitVec w) : x.toNat < 2^w := x.toFin.isLt
+
+/-- Return the `i`-th least significant bit or `false` if `i ≥ w`. -/
+@[inline] def getLsb (x : BitVec w) (i : Nat) : Bool := x.toNat.testBit i
+
+/-- Return the `i`-th most significant bit or `false` if `i ≥ w`. -/
+@[inline] def getMsb (x : BitVec w) (i : Nat) : Bool := i < w && getLsb x (w-1-i)
+
+/-- Return most-significant bit in bitvector. -/
+@[inline] protected def msb (a : BitVec n) : Bool := getMsb a 0
+
+/-- Interpret the bitvector as an integer stored in two's complement form. -/
+protected def toInt (a : BitVec n) : Int :=
+  if a.msb then Int.ofNat a.toNat - Int.ofNat (2^n) else a.toNat
+
+/-- Return a bitvector `0` of size `n`. This is the bitvector with all zero bits. -/
+protected def zero (n : Nat) : BitVec n := ⟨0, Nat.two_pow_pos n⟩
+
+instance : Inhabited (BitVec n) where default := .zero n
+
+instance instOfNat : OfNat (BitVec n) i where ofNat := .ofNat n i
+
+/-- Notation for bit vector literals. `i#n` is a shorthand for `BitVec.ofNat n i`. -/
+scoped syntax:max term:max noWs "#" noWs term:max : term
+macro_rules | `($i#$n) => `(BitVec.ofNat $n $i)
+
+/- Support for `i#n` notation in patterns.  -/
+attribute [match_pattern] BitVec.ofNat
+
+/-- Unexpander for bit vector literals. -/
+@[app_unexpander BitVec.ofNat] def unexpandBitVecOfNat : Lean.PrettyPrinter.Unexpander
+  | `($(_) $n $i) => `($i#$n)
+  | _ => throw ()
+
+/-- Convert bitvector into a fixed-width hex number. -/
+protected def toHex {n : Nat} (x : BitVec n) : String :=
+  let s := (Nat.toDigits 16 x.toNat).asString
+  let t := (List.replicate ((n+3) / 4 - s.length) '0').asString
+  t ++ s
+
+instance : Repr (BitVec n) where reprPrec a _ := "0x" ++ (a.toHex : Format) ++ "#" ++ repr n
+
+instance : ToString (BitVec n) where toString a := toString (repr a)
+
+/-- Theorem for normalizing the bit vector literal representation. -/
+-- TODO: This needs more usage data to assess which direction the simp should go.
+@[simp] theorem ofNat_eq_ofNat : @OfNat.ofNat (BitVec n) i _ = BitVec.ofNat n i := rfl
+@[simp] theorem natCast_eq_ofNat : Nat.cast x = x#w := rfl
+
+/--
+Addition for bit vectors. This can be interpreted as either signed or unsigned addition
+modulo `2^n`.
+
+SMT-Lib name: `bvadd`.
+-/
+protected def add (x y : BitVec n) : BitVec n where toFin := x.toFin + y.toFin
+instance : Add (BitVec n) := ⟨BitVec.add⟩
+
+/--
+Subtraction for bit vectors. This can be interpreted as either signed or unsigned subtraction
+modulo `2^n`.
+-/
+protected def sub (x y : BitVec n) : BitVec n where toFin := x.toFin - y.toFin
+instance : Sub (BitVec n) := ⟨BitVec.sub⟩
+
+/--
+Negation for bit vectors. This can be interpreted as either signed or unsigned negation
+modulo `2^n`.
+
+SMT-Lib name: `bvneg`.
+-/
+protected def neg (x : BitVec n) : BitVec n := .sub 0 x
+instance : Neg (BitVec n) := ⟨.neg⟩
+
+/-- Bit vector of size `n` where all bits are `1`s -/
+def allOnes (n : Nat) : BitVec n := -1
+
+/--
+Return the absolute value of a signed bitvector.
+-/
+protected def abs (s : BitVec n) : BitVec n := if s.msb then .neg s else s
+
+/--
+Multiplication for bit vectors. This can be interpreted as either signed or unsigned negation
+modulo `2^n`.
+
+SMT-Lib name: `bvmul`.
+-/
+protected def mul (x y : BitVec n) : BitVec n := ofFin <| x.toFin * y.toFin
+instance : Mul (BitVec n) := ⟨.mul⟩
+
+/--
+Unsigned division for bit vectors using the Lean convention where division by zero returns zero.
+-/
+def udiv (x y : BitVec n) : BitVec n := ofFin <| x.toFin / y.toFin
+instance : Div (BitVec n) := ⟨.udiv⟩
+
+/--
+Unsigned modulo for bit vectors.
+
+SMT-Lib name: `bvurem`.
+-/
+def umod (x y : BitVec n) : BitVec n := ofFin <| x.toFin % y.toFin
+instance : Mod (BitVec n) := ⟨.umod⟩
+
+/--
+Unsigned division for bit vectors using the
+[SMT-Lib convention](http://smtlib.cs.uiowa.edu/theories-FixedSizeBitVectors.shtml)
+where division by zero returns the `allOnes` bitvector.
+
+SMT-Lib name: `bvudiv`.
+-/
+def smtUDiv (x y : BitVec n) : BitVec n := if y = 0 then -1 else .udiv x y
+
+/--
+Signed t-division for bit vectors using the Lean convention where division
+by zero returns zero.
+
+```lean
+sdiv 7#4 2 = 3#4
+sdiv (-9#4) 2 = -4#4
+sdiv 5#4 -2 = -2#4
+sdiv (-7#4) (-2) = 3#4
+```
+-/
+def sdiv (s t : BitVec n) : BitVec n :=
+  match s.msb, t.msb with
+  | false, false => udiv s t
+  | false, true  => .neg (udiv s (.neg t))
+  | true,  false => .neg (udiv (.neg s) t)
+  | true,  true  => udiv (.neg s) (.neg t)
+
+/--
+Signed division for bit vectors using SMTLIB rules for division by zero.
+
+Specifically, `smtSDiv x 0 = if x >= 0 then -1 else 1`
+
+SMT-Lib name: `bvsdiv`.
+-/
+def smtSDiv (s t : BitVec n) : BitVec n :=
+  match s.msb, t.msb with
+  | false, false => smtUDiv s t
+  | false, true  => .neg (smtUDiv s (.neg t))
+  | true,  false => .neg (smtUDiv (.neg s) t)
+  | true,  true  => smtUDiv (.neg s) (.neg t)
+
+/--
+Remainder for signed division rounding to zero.
+
+SMT_Lib name: `bvsrem`.
+-/
+def srem (s t : BitVec n) : BitVec n :=
+  match s.msb, t.msb with
+  | false, false => umod s t
+  | false, true  => umod s (.neg t)
+  | true,  false => .neg (umod (.neg s) t)
+  | true,  true  => .neg (umod (.neg s) (.neg t))
+
+/--
+Remainder for signed division rounded to negative infinity.
+
+SMT_Lib name: `bvsmod`.
+-/
+def smod (s t : BitVec m) : BitVec m :=
+  match s.msb, t.msb with
+  | false, false => .umod s t
+  | false, true =>
+    let u := .umod s (.neg t)
+    (if u = BitVec.ofNat m 0 then u else .add u t)
+  | true, false =>
+    let u := .umod (.neg s) t
+    (if u = BitVec.ofNat m 0 then u else .sub t u)
+  | true, true => .neg (.umod (.neg s) (.neg t))
+
+/--
+Unsigned less-than for bit vectors.
+
+SMT-Lib name: `bvult`.
+-/
+protected def ult (x y : BitVec n) : Bool := x.toFin < y.toFin
+instance : LT (BitVec n) where lt x y := x.toFin < y.toFin
+instance (x y : BitVec n) : Decidable (x < y) :=
+  inferInstanceAs (Decidable (x.toFin < y.toFin))
+
+/--
+Unsigned less-than-or-equal-to for bit vectors.
+
+SMT-Lib name: `bvule`.
+-/
+protected def ule (x y : BitVec n) : Bool := x.toFin ≤ y.toFin
+
+instance : LE (BitVec n) where le x y := x.toFin ≤ y.toFin
+instance (x y : BitVec n) : Decidable (x ≤ y) :=
+  inferInstanceAs (Decidable (x.toFin ≤ y.toFin))
+
+/--
+Signed less-than for bit vectors.
+
+```lean
+BitVec.slt 6#4 7 = true
+BitVec.slt 7#4 8 = false
+```
+SMT-Lib name: `bvslt`.
+-/
+protected def slt (x y : BitVec n) : Bool := x.toInt < y.toInt
+
+/--
+Signed less-than-or-equal-to for bit vectors.
+
+SMT-Lib name: `bvsle`.
+-/
+protected def sle (x y : BitVec n) : Bool := x.toInt ≤ y.toInt
+
+/--
+Bitwise AND for bit vectors.
+
+```lean
+0b1010#4 &&& 0b0110#4 = 0b0010#4
+```
+
+SMT-Lib name: `bvand`.
+-/
+protected def and (x y : BitVec n) : BitVec n where toFin :=
+   ⟨x.toNat &&& y.toNat, Nat.and_lt_two_pow x.toNat y.isLt⟩
+instance : AndOp (BitVec w) := ⟨.and⟩
+
+/--
+Bitwise OR for bit vectors.
+
+```lean
+0b1010#4 ||| 0b0110#4 = 0b1110#4
+```
+
+SMT-Lib name: `bvor`.
+-/
+protected def or (x y : BitVec n) : BitVec n where toFin :=
+   ⟨x.toNat ||| y.toNat, Nat.or_lt_two_pow x.isLt y.isLt⟩
+instance : OrOp (BitVec w) := ⟨.or⟩
+
+/--
+ Bitwise XOR for bit vectors.
+
+```lean
+0b1010#4 ^^^ 0b0110#4 = 0b1100#4
+```
+
+SMT-Lib name: `bvxor`.
+-/
+protected def xor (x y : BitVec n) : BitVec n where toFin :=
+   ⟨x.toNat ^^^ y.toNat, Nat.xor_lt_two_pow x.isLt y.isLt⟩
+instance : Xor (BitVec w) := ⟨.xor⟩
+
+/--
+Bitwise NOT for bit vectors.
+
+```lean
+~~~(0b0101#4) == 0b1010
+```
+SMT-Lib name: `bvnot`.
+-/
+protected def not (x : BitVec n) : BitVec n :=
+  allOnes n ^^^ x
+instance : Complement (BitVec w) := ⟨.not⟩
+
+/-- The `BitVec` with value `(2^n + (i mod 2^n)) mod 2^n`.  -/
+protected def ofInt (n : Nat) (i : Int) : BitVec n :=
+  match i with
+  | Int.ofNat a => .ofNat n a
+  | Int.negSucc a => ~~~.ofNat n a
+
+instance : IntCast (BitVec w) := ⟨BitVec.ofInt w⟩
+
+/--
+Left shift for bit vectors. The low bits are filled with zeros. As a numeric operation, this is
+equivalent to `a * 2^s`, modulo `2^n`.
+
+SMT-Lib name: `bvshl` except this operator uses a `Nat` shift value.
+-/
+protected def shiftLeft (a : BitVec n) (s : Nat) : BitVec n := .ofNat n (a.toNat <<< s)
+instance : HShiftLeft (BitVec w) Nat (BitVec w) := ⟨.shiftLeft⟩
+
+/--
+(Logical) right shift for bit vectors. The high bits are filled with zeros.
+As a numeric operation, this is equivalent to `a / 2^s`, rounding down.
+
+SMT-Lib name: `bvlshr` except this operator uses a `Nat` shift value.
+-/
+def ushiftRight (a : BitVec n) (s : Nat) : BitVec n :=
+  ⟨a.toNat >>> s, by
+  let ⟨a, lt⟩ := a
+  simp only [BitVec.toNat, Nat.shiftRight_eq_div_pow, Nat.div_lt_iff_lt_mul (Nat.two_pow_pos s)]
+  rw [←Nat.mul_one a]
+  exact Nat.mul_lt_mul_of_lt_of_le' lt (Nat.two_pow_pos s) (Nat.le_refl 1)⟩
+
+instance : HShiftRight (BitVec w) Nat (BitVec w) := ⟨.ushiftRight⟩
+
+/--
+Arithmetic right shift for bit vectors. The high bits are filled with the
+most-significant bit.
+As a numeric operation, this is equivalent to `a.toInt >>> s`.
+
+SMT-Lib name: `bvashr` except this operator uses a `Nat` shift value.
+-/
+def sshiftRight (a : BitVec n) (s : Nat) : BitVec n := .ofInt n (a.toInt >>> s)
+
+instance {n} : HShiftLeft  (BitVec m) (BitVec n) (BitVec m) := ⟨fun x y => x <<< y.toNat⟩
+instance {n} : HShiftRight (BitVec m) (BitVec n) (BitVec m) := ⟨fun x y => x >>> y.toNat⟩
+
+/--
+Rotate left for bit vectors. All the bits of `x` are shifted to higher positions, with the top `n`
+bits wrapping around to fill the low bits.
+
+```lean
+rotateLeft  0b0011#4 3 = 0b1001
+```
+SMT-Lib name: `rotate_left` except this operator uses a `Nat` shift amount.
+-/
+def rotateLeft (x : BitVec w) (n : Nat) : BitVec w := x <<< n ||| x >>> (w - n)
+
+/--
+Rotate right for bit vectors. All the bits of `x` are shifted to lower positions, with the
+bottom `n` bits wrapping around to fill the high bits.
+
+```lean
+rotateRight 0b01001#5 1 = 0b10100
+```
+SMT-Lib name: `rotate_right` except this operator uses a `Nat` shift amount.
+-/
+def rotateRight (x : BitVec w) (n : Nat) : BitVec w := x >>> n ||| x <<< (w - n)
+
+/--
+A version of `zeroExtend` that requires a proof, but is a noop.
+-/
+def zeroExtend' {n w : Nat} (le : n ≤ w) (x : BitVec n)  : BitVec w :=
+  ⟨x.toNat, by
+    apply Nat.lt_of_lt_of_le x.isLt
+    exact Nat.pow_le_pow_of_le_right (by trivial) le⟩
+
+/--
+`shiftLeftZeroExtend x n` returns `zeroExtend (w+n) x <<< n` without
+needing to compute `x % 2^(2+n)`.
+-/
+def shiftLeftZeroExtend (msbs : BitVec w) (m : Nat) : BitVec (w+m) :=
+  let shiftLeftLt {x : Nat} (p : x < 2^w) (m : Nat) : x <<< m < 2^(w+m) := by
+        simp [Nat.shiftLeft_eq, Nat.pow_add]
+        apply Nat.mul_lt_mul_of_pos_right p
+        exact (Nat.two_pow_pos m)
+  ⟨msbs.toNat <<< m, shiftLeftLt msbs.isLt m⟩
+
+/--
+Concatenation of bitvectors. This uses the "big endian" convention that the more significant
+input is on the left, so `0xAB#8 ++ 0xCD#8 = 0xABCD#16`.
+
+SMT-Lib name: `concat`.
+-/
+def append (msbs : BitVec n) (lsbs : BitVec m) : BitVec (n+m) :=
+  shiftLeftZeroExtend msbs m ||| zeroExtend' (Nat.le_add_left m n) lsbs
+
+instance : HAppend (BitVec w) (BitVec v) (BitVec (w + v)) := ⟨.append⟩
+
+/--
+Extraction of bits `start` to `start + len - 1` from a bit vector of size `n` to yield a
+new bitvector of size `len`. If `start + len > n`, then the vector will be zero-padded in the
+high bits.
+-/
+def extractLsb' (start len : Nat) (a : BitVec n) : BitVec len := .ofNat _ (a.toNat >>> start)
+
+/--
+Extraction of bits `hi` (inclusive) down to `lo` (inclusive) from a bit vector of size `n` to
+yield a new bitvector of size `hi - lo + 1`.
+
+SMT-Lib name: `extract`.
+-/
+def extractLsb (hi lo : Nat) (a : BitVec n) : BitVec (hi - lo + 1) := extractLsb' lo _ a
+
+-- TODO: write this using multiplication
+/-- `replicate i x` concatenates `i` copies of `x` into a new vector of length `w*i`. -/
+def replicate : (i : Nat) → BitVec w → BitVec (w*i)
+  | 0,   _ => 0
+  | n+1, x =>
+    have hEq : w + w*n = w*(n + 1) := by
+      rw [Nat.mul_add, Nat.add_comm, Nat.mul_one]
+    hEq ▸ (x ++ replicate n x)
+
+/-- Fills a bitvector with `w` copies of the bit `b`. -/
+def fill (w : Nat) (b : Bool) : BitVec w := bif b then -1 else 0
+
+/--
+Zero extend vector `x` of length `w` by adding zeros in the high bits until it has length `v`.
+If `v < w` then it truncates the high bits instead.
+
+SMT-Lib name: `zero_extend`.
+-/
+def zeroExtend (v : Nat) (x : BitVec w) : BitVec v :=
+  if h : w ≤ v then
+    zeroExtend' h x
+  else
+    .ofNat v x.toNat
+
+/--
+Truncate the high bits of bitvector `x` of length `w`, resulting in a vector of length `v`.
+If `v > w` then it zero-extends the vector instead.
+-/
+abbrev truncate := @zeroExtend
+
+/--
+Sign extend a vector of length `w`, extending with `i` additional copies of the most significant
+bit in `x`. If `x` is an empty vector, then the sign is treated as zero.
+
+SMT-Lib name: `sign_extend`.
+-/
+def signExtend (v : Nat) (x : BitVec w) : BitVec v := .ofInt v x.toInt
+
+/-! We add simp-lemmas that rewrite bitvector operations into the equivalent notation -/
+@[simp] theorem append_eq (x : BitVec w) (y : BitVec v)   : BitVec.append x y = x ++ y        := rfl
+@[simp] theorem shiftLeft_eq (x : BitVec w) (n : Nat)     : BitVec.shiftLeft x n = x <<< n    := rfl
+@[simp] theorem ushiftRight_eq (x : BitVec w) (n : Nat)   : BitVec.ushiftRight x n = x >>> n  := rfl
+@[simp] theorem not_eq (x : BitVec w)                     : BitVec.not x = ~~~x               := rfl
+@[simp] theorem and_eq (x y : BitVec w)                   : BitVec.and x y = x &&& y          := rfl
+@[simp] theorem or_eq (x y : BitVec w)                    : BitVec.or x y = x ||| y           := rfl
+@[simp] theorem xor_eq (x y : BitVec w)                   : BitVec.xor x y = x ^^^ y          := rfl
+@[simp] theorem neg_eq (x : BitVec w)                     : BitVec.neg x = -x                 := rfl
+@[simp] theorem add_eq (x y : BitVec w)                   : BitVec.add x y = x + y            := rfl
+@[simp] theorem sub_eq (x y : BitVec w)                   : BitVec.sub x y = x - y            := rfl
+@[simp] theorem mul_eq (x y : BitVec w)                   : BitVec.mul x y = x * y            := rfl
+@[simp] theorem zero_eq                                   : BitVec.zero n = 0#n               := rfl
+
+@[simp] theorem cast_ofNat {n m : Nat} (h : n = m) (x : Nat) :
+    cast h (BitVec.ofNat n x) = BitVec.ofNat m x := by
+  subst h; rfl
+
+@[simp] theorem cast_cast {n m k : Nat} (h₁ : n = m) (h₂ : m = k) (x : BitVec n) :
+    cast h₂ (cast h₁ x) = cast (h₁ ▸ h₂) x :=
+  rfl
+
+@[simp] theorem cast_eq {n : Nat} (h : n = n) (x : BitVec n) :
+    cast h x = x :=
+  rfl
+
+/-- Turn a `Bool` into a bitvector of length `1` -/
+def ofBool (b : Bool) : BitVec 1 := cond b 1 0
+
+@[simp] theorem ofBool_false : ofBool false = 0 := by trivial
+@[simp] theorem ofBool_true  : ofBool true  = 1 := by trivial
+
+/-- The empty bitvector -/
+abbrev nil : BitVec 0 := 0
+
+/-!
+### Cons and Concat
+We give special names to the operations of adding a single bit to either end of a bitvector.
+We follow the precedent of `Vector.cons`/`Vector.concat` both for the name, and for the decision
+to have the resulting size be `n + 1` for both operations (rather than `1 + n`, which would be the
+result of appending a single bit to the front in the naive implementation).
+-/
+
+/-- Append a single bit to the end of a bitvector, using big endian order (see `append`).
+    That is, the new bit is the least significant bit. -/
+def concat {n} (msbs : BitVec n) (lsb : Bool) : BitVec (n+1) := msbs ++ (ofBool lsb)
+
+/-- Prepend a single bit to the front of a bitvector, using big endian order (see `append`).
+    That is, the new bit is the most significant bit. -/
+def cons {n} (msb : Bool) (lsbs : BitVec n) : BitVec (n+1) :=
+  ((ofBool msb) ++ lsbs).cast (Nat.add_comm ..)
+
+/-- All empty bitvectors are equal -/
+instance : Subsingleton (BitVec 0) where
+  allEq := by intro ⟨0, _⟩ ⟨0, _⟩; rfl
+
+/-- Every bitvector of length 0 is equal to `nil`, i.e., there is only one empty bitvector -/
+theorem eq_nil : ∀ (x : BitVec 0), x = nil
+  | ofFin ⟨0, _⟩ => rfl
+
+theorem append_ofBool (msbs : BitVec w) (lsb : Bool) :
+    msbs ++ ofBool lsb = concat msbs lsb :=
+  rfl
+
+theorem ofBool_append (msb : Bool) (lsbs : BitVec w) :
+    ofBool msb ++ lsbs = (cons msb lsbs).cast (Nat.add_comm ..) :=
+  rfl

src/Init/Data/BitVec/Bitblast.lean

@@ -0,0 +1,173 @@
+/-
+Copyright (c) 2023 by the authors listed in the file AUTHORS and their
+institutional affiliations. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Harun Khan, Abdalrhman M Mohamed, Joe Hendrix
+-/
+prelude
+import Init.Data.BitVec.Folds
+
+/-!
+# Bitblasting of bitvectors
+
+This module provides theorems for showing the equivalence between BitVec operations using
+the `Fin 2^n` representation and Boolean vectors.  It is still under development, but
+intended to provide a path for converting SAT and SMT solver proofs about BitVectors
+as vectors of bits into proofs about Lean `BitVec` values.
+
+The module is named for the bit-blasting operation in an SMT solver that converts bitvector
+expressions into expressions about individual bits in each vector.
+
+## Main results
+* `x + y : BitVec w` is `(adc x y false).2`.
+
+
+## Future work
+All other operations are to be PR'ed later and are already proved in
+https://github.com/mhk119/lean-smt/blob/bitvec/Smt/Data/Bitwise.lean.
+
+-/
+
+open Nat Bool
+
+/-! ### Preliminaries -/
+
+namespace Std.BitVec
+
+private theorem testBit_limit {x i : Nat} (x_lt_succ : x < 2^(i+1)) :
+    testBit x i = decide (x ≥ 2^i) := by
+  cases xi : testBit x i with
+  | true =>
+    simp [testBit_implies_ge xi]
+  | false =>
+    simp
+    cases Nat.lt_or_ge x (2^i) with
+    | inl x_lt =>
+      exact x_lt
+    | inr x_ge =>
+      have ⟨j, ⟨j_ge, jp⟩⟩  := ge_two_pow_implies_high_bit_true x_ge
+      cases Nat.lt_or_eq_of_le j_ge with
+      | inr x_eq =>
+        simp [x_eq, jp] at xi
+      | inl x_lt =>
+        exfalso
+        apply Nat.lt_irrefl
+        calc x < 2^(i+1) := x_lt_succ
+             _ ≤ 2 ^ j := Nat.pow_le_pow_of_le_right Nat.zero_lt_two x_lt
+             _ ≤ x := testBit_implies_ge jp
+
+private theorem mod_two_pow_succ (x i : Nat) :
+  x % 2^(i+1) = 2^i*(x.testBit i).toNat + x % (2 ^ i):= by
+  apply Nat.eq_of_testBit_eq
+  intro j
+  simp only [Nat.mul_add_lt_is_or, testBit_or, testBit_mod_two_pow, testBit_shiftLeft,
+    Nat.testBit_bool_to_nat, Nat.sub_eq_zero_iff_le, Nat.mod_lt, Nat.two_pow_pos,
+    testBit_mul_pow_two]
+  rcases Nat.lt_trichotomy i j with i_lt_j | i_eq_j | j_lt_i
+  · have i_le_j : i ≤ j := Nat.le_of_lt i_lt_j
+    have not_j_le_i : ¬(j ≤ i) := Nat.not_le_of_lt i_lt_j
+    have not_j_lt_i : ¬(j < i) := Nat.not_lt_of_le i_le_j
+    have not_j_lt_i_succ : ¬(j < i + 1) :=
+          Nat.not_le_of_lt (Nat.succ_lt_succ i_lt_j)
+    simp [i_le_j, not_j_le_i, not_j_lt_i, not_j_lt_i_succ]
+  · simp [i_eq_j]
+  · have j_le_i : j ≤ i := Nat.le_of_lt j_lt_i
+    have j_le_i_succ : j < i + 1 := Nat.succ_le_succ j_le_i
+    have not_j_ge_i : ¬(j ≥ i) := Nat.not_le_of_lt j_lt_i
+    simp [j_lt_i, j_le_i, not_j_ge_i, j_le_i_succ]
+
+private theorem mod_two_pow_lt (x i : Nat) : x % 2 ^ i < 2^i := Nat.mod_lt _ (Nat.two_pow_pos _)
+
+/-! ### Addition -/
+
+/-- carry w x y c returns true if the `w` carry bit is true when computing `x + y + c`. -/
+def carry (w x y : Nat) (c : Bool) : Bool := decide (x % 2^w + y % 2^w + c.toNat ≥ 2^w)
+
+@[simp] theorem carry_zero : carry 0 x y c = c := by
+  cases c <;> simp [carry, mod_one]
+
+/-- At least two out of three booleans are true. -/
+abbrev atLeastTwo (a b c : Bool) : Bool := a && b || a && c || b && c
+
+/-- Carry function for bitwise addition. -/
+def adcb (x y c : Bool) : Bool × Bool := (atLeastTwo x y c, Bool.xor x (Bool.xor y c))
+
+/-- Bitwise addition implemented via a ripple carry adder. -/
+def adc (x y : BitVec w) : Bool → Bool × BitVec w :=
+  iunfoldr fun (i : Fin w) c => adcb (x.getLsb i) (y.getLsb i) c
+
+theorem adc_overflow_limit (x y i : Nat) (c : Bool) : x % 2^i + (y % 2^i + c.toNat) < 2^(i+1) := by
+  have : c.toNat ≤ 1 := Bool.toNat_le_one c
+  rw [Nat.pow_succ]
+  omega
+
+theorem carry_succ (w x y : Nat) (c : Bool) :
+    carry (succ w) x y c = atLeastTwo (x.testBit w) (y.testBit w) (carry w x y c) := by
+  simp only [carry, mod_two_pow_succ, atLeastTwo]
+  simp only [Nat.pow_succ']
+  generalize testBit x w = xh
+  generalize testBit y w = yh
+  have sum_bnd : x%2^w + (y%2^w + c.toNat) < 2*2^w := by
+          simp only [← Nat.pow_succ']
+          exact adc_overflow_limit x y w c
+  cases xh <;> cases yh <;> (simp; omega)
+
+theorem getLsb_add_add_bool {i : Nat} (i_lt : i < w) (x y : BitVec w) (c : Bool) :
+    getLsb (x + y + zeroExtend w (ofBool c)) i =
+      Bool.xor (getLsb x i) (Bool.xor (getLsb y i) (carry i x.toNat y.toNat c)) := by
+  let ⟨x, x_lt⟩ := x
+  let ⟨y, y_lt⟩ := y
+  simp only [getLsb, toNat_add, toNat_zeroExtend, i_lt, toNat_ofFin, toNat_ofBool,
+    Nat.mod_add_mod, Nat.add_mod_mod]
+  apply Eq.trans
+  rw [← Nat.div_add_mod x (2^i), ← Nat.div_add_mod y (2^i)]
+  simp only
+    [ Nat.testBit_mod_two_pow,
+      Nat.testBit_mul_two_pow_add_eq,
+      i_lt,
+      decide_True,
+      Bool.true_and,
+      Nat.add_assoc,
+      Nat.add_left_comm (_%_) (_ * _) _,
+      testBit_limit (adc_overflow_limit x y i c)
+    ]
+  simp [testBit_to_div_mod, carry, Nat.add_assoc]
+
+theorem getLsb_add {i : Nat} (i_lt : i < w) (x y : BitVec w) :
+    getLsb (x + y) i =
+      Bool.xor (getLsb x i) (Bool.xor (getLsb y i) (carry i x.toNat y.toNat false)) := by
+  simpa using getLsb_add_add_bool i_lt x y false
+
+theorem adc_spec (x y : BitVec w) (c : Bool) :
+    adc x y c = (carry w x.toNat y.toNat c, x + y + zeroExtend w (ofBool c)) := by
+  simp only [adc]
+  apply iunfoldr_replace
+          (fun i => carry i x.toNat y.toNat c)
+          (x + y + zeroExtend w (ofBool c))
+          c
+  case init =>
+    simp [carry, Nat.mod_one]
+    cases c <;> rfl
+  case step =>
+    intro ⟨i, lt⟩
+    simp only [adcb, Prod.mk.injEq, carry_succ]
+    apply And.intro
+    case left =>
+      rw [testBit_toNat, testBit_toNat]
+    case right =>
+      simp [getLsb_add_add_bool lt]
+
+theorem add_eq_adc (w : Nat) (x y : BitVec w) : x + y = (adc x y false).snd := by
+  simp [adc_spec]
+
+/-! ### add -/
+
+/-- Adding a bitvector to its own complement yields the all ones bitpattern -/
+@[simp] theorem add_not_self (x : BitVec w) : x + ~~~x = allOnes w := by
+  rw [add_eq_adc, adc, iunfoldr_replace (fun _ => false) (allOnes w)]
+  · rfl
+  · simp [adcb, atLeastTwo]
+
+/-- Subtracting `x` from the all ones bitvector is equivalent to taking its complement -/
+theorem allOnes_sub_eq_not (x : BitVec w) : allOnes w - x = ~~~x := by
+  rw [← add_not_self x, BitVec.add_comm, add_sub_cancel]

src/Init/Data/BitVec/Folds.lean

@@ -0,0 +1,59 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Joe Hendrix
+-/
+prelude
+import Init.Data.BitVec.Lemmas
+import Init.Data.Nat.Lemmas
+import Init.Data.Fin.Iterate
+
+namespace Std.BitVec
+
+/--
+iunfoldr is an iterative operation that applies a function `f` repeatedly.
+
+It produces a sequence of state values `[s_0, s_1 .. s_w]` and a bitvector
+`v` where `f i s_i = (s_{i+1}, b_i)` and `b_i` is bit `i`th least-significant bit
+in `v` (e.g., `getLsb v i = b_i`).
+
+Theorems involving `iunfoldr` can be eliminated using `iunfoldr_replace` below.
+-/
+def iunfoldr (f : Fin w -> α → α × Bool) (s : α) : α × BitVec w :=
+  Fin.hIterate (fun i => α × BitVec i) (s, nil) fun i q =>
+    (fun p => ⟨p.fst, cons p.snd q.snd⟩) (f i q.fst)
+
+theorem iunfoldr.fst_eq
+    {f : Fin w → α → α × Bool} (state : Nat → α) (s : α)
+    (init : s = state 0)
+    (ind : ∀(i : Fin w), (f i (state i.val)).fst = state (i.val+1)) :
+    (iunfoldr f s).fst = state w := by
+  unfold iunfoldr
+  apply Fin.hIterate_elim (fun i (p : α × BitVec i) => p.fst = state i)
+  case init =>
+    exact init
+  case step =>
+    intro i ⟨s, v⟩ p
+    simp_all [ind i]
+
+private theorem iunfoldr.eq_test
+    {f : Fin w → α → α × Bool} (state : Nat → α) (value : BitVec w) (a : α)
+    (init : state 0 = a)
+    (step : ∀(i : Fin w), f i (state i.val) = (state (i.val+1), value.getLsb i.val)) :
+    iunfoldr f a = (state w, BitVec.truncate w value) := by
+  apply Fin.hIterate_eq (fun i => ((state i, BitVec.truncate i value) : α × BitVec i))
+  case init =>
+    simp only [init, eq_nil]
+  case step =>
+    intro i
+    simp_all [truncate_succ]
+
+/--
+Correctness theorem for `iunfoldr`.
+-/
+theorem iunfoldr_replace
+    {f : Fin w → α → α × Bool} (state : Nat → α) (value : BitVec w) (a : α)
+    (init : state 0 = a)
+    (step : ∀(i : Fin w), f i (state i.val) = (state (i.val+1), value.getLsb i.val)) :
+    iunfoldr f a = (state w, value) := by
+  simp [iunfoldr.eq_test state value a init step]

src/Init/Data/BitVec/Lemmas.lean

@@ -0,0 +1,534 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Joe Hendrix
+-/
+prelude
+import Init.Data.Bool
+import Init.Data.BitVec.Basic
+import Init.Data.Fin.Lemmas
+import Init.Data.Nat.Lemmas
+
+namespace Std.BitVec
+
+/--
+This normalized a bitvec using `ofFin` to `ofNat`.
+-/
+theorem ofFin_eq_ofNat : @BitVec.ofFin w (Fin.mk x lt) = BitVec.ofNat w x := by
+  simp only [BitVec.ofNat, Fin.ofNat', lt, Nat.mod_eq_of_lt]
+
+/-- Prove equality of bitvectors in terms of nat operations. -/
+theorem eq_of_toNat_eq {n} : ∀ {i j : BitVec n}, i.toNat = j.toNat → i = j
+  | ⟨_, _⟩, ⟨_, _⟩, rfl => rfl
+
+@[simp] theorem val_toFin (x : BitVec w) : x.toFin.val = x.toNat := rfl
+
+theorem toNat_eq (x y : BitVec n) : x = y ↔ x.toNat = y.toNat :=
+  Iff.intro (congrArg BitVec.toNat) eq_of_toNat_eq
+
+theorem toNat_lt (x : BitVec n) : x.toNat < 2^n := x.toFin.2
+
+theorem testBit_toNat (x : BitVec w) : x.toNat.testBit i = x.getLsb i := rfl
+
+@[simp] theorem getLsb_ofFin (x : Fin (2^n)) (i : Nat) :
+  getLsb (BitVec.ofFin x) i = x.val.testBit i := rfl
+
+@[simp] theorem getLsb_ge (x : BitVec w) (i : Nat) (ge : i ≥ w) : getLsb x i = false := by
+  let ⟨x, x_lt⟩ := x
+  simp
+  apply Nat.testBit_lt_two_pow
+  have p : 2^w ≤ 2^i := Nat.pow_le_pow_of_le_right (by omega) ge
+  omega
+
+theorem lt_of_getLsb (x : BitVec w) (i : Nat) : getLsb x i = true → i < w := by
+  if h : i < w then
+    simp [h]
+  else
+    simp [Nat.ge_of_not_lt h]
+
+-- We choose `eq_of_getLsb_eq` as the `@[ext]` theorem for `BitVec`
+-- somewhat arbitrarily over `eq_of_getMsg_eq`.
+@[ext] theorem eq_of_getLsb_eq {x y : BitVec w}
+    (pred : ∀(i : Fin w), x.getLsb i.val = y.getLsb i.val) : x = y := by
+  apply eq_of_toNat_eq
+  apply Nat.eq_of_testBit_eq
+  intro i
+  if i_lt : i < w then
+    exact pred ⟨i, i_lt⟩
+  else
+    have p : i ≥ w := Nat.le_of_not_gt i_lt
+    simp [testBit_toNat, getLsb_ge _ _ p]
+
+theorem eq_of_getMsb_eq {x y : BitVec w}
+    (pred : ∀(i : Fin w), x.getMsb i = y.getMsb i.val) : x = y := by
+  simp only [getMsb] at pred
+  apply eq_of_getLsb_eq
+  intro ⟨i, i_lt⟩
+  if w_zero : w = 0 then
+    simp [w_zero]
+  else
+    have w_pos := Nat.pos_of_ne_zero w_zero
+    have r : i ≤ w - 1 := by
+      simp [Nat.le_sub_iff_add_le w_pos, Nat.add_succ]
+      exact i_lt
+    have q_lt : w - 1 - i < w := by
+      simp only [Nat.sub_sub]
+      apply Nat.sub_lt w_pos
+      simp [Nat.succ_add]
+    have q := pred ⟨w - 1 - i, q_lt⟩
+    simpa [q_lt, Nat.sub_sub_self, r] using q
+
+theorem eq_of_toFin_eq : ∀ {x y : BitVec w}, x.toFin = y.toFin → x = y
+  | ⟨_, _⟩, ⟨_, _⟩, rfl => rfl
+
+@[simp] theorem toNat_ofBool (b : Bool) : (ofBool b).toNat = b.toNat := by
+  cases b <;> rfl
+
+theorem ofNat_one (n : Nat) : BitVec.ofNat 1 n = BitVec.ofBool (n % 2 = 1) :=  by
+  rcases (Nat.mod_two_eq_zero_or_one n) with h | h <;> simp [h, BitVec.ofNat, Fin.ofNat']
+
+theorem ofBool_eq_iff_eq : ∀(b b' : Bool), BitVec.ofBool b = BitVec.ofBool b' ↔ b = b' := by
+  decide
+
+@[simp] theorem toNat_ofFin (x : Fin (2^n)) : (BitVec.ofFin x).toNat = x.val := rfl
+
+@[simp] theorem toNat_ofNat (x w : Nat) : (x#w).toNat = x % 2^w := by
+  simp [BitVec.toNat, BitVec.ofNat, Fin.ofNat']
+
+-- Remark: we don't use `[simp]` here because simproc` subsumes it for literals.
+-- If `x` and `n` are not literals, applying this theorem eagerly may not be a good idea.
+theorem getLsb_ofNat (n : Nat) (x : Nat) (i : Nat) :
+  getLsb (x#n) i = (i < n && x.testBit i) := by
+  simp [getLsb, BitVec.ofNat, Fin.val_ofNat']
+
+@[deprecated toNat_ofNat] theorem toNat_zero (n : Nat) : (0#n).toNat = 0 := by trivial
+
+@[simp] theorem toNat_mod_cancel (x : BitVec n) : x.toNat % (2^n) = x.toNat :=
+  Nat.mod_eq_of_lt x.isLt
+
+private theorem lt_two_pow_of_le {x m n : Nat} (lt : x < 2 ^ m) (le : m ≤ n) : x < 2 ^ n :=
+  Nat.lt_of_lt_of_le lt (Nat.pow_le_pow_of_le_right (by trivial : 0 < 2) le)
+
+@[simp] theorem ofNat_toNat (m : Nat) (x : BitVec n) : x.toNat#m = truncate m x := by
+  let ⟨x, lt_n⟩ := x
+  unfold truncate
+  unfold zeroExtend
+  if h : n ≤ m then
+    unfold zeroExtend'
+    have lt_m : x < 2 ^ m := lt_two_pow_of_le lt_n h
+    simp [h, lt_m, Nat.mod_eq_of_lt, BitVec.toNat, BitVec.ofNat, Fin.ofNat']
+  else
+    simp [h]
+
+
+/-! ### msb -/
+
+theorem msb_eq_decide (x : BitVec (Nat.succ w)) : BitVec.msb x = decide (2 ^ w ≤ x.toNat) := by
+  simp only [BitVec.msb, getMsb, Nat.zero_lt_succ,
+    decide_True, getLsb, Nat.testBit, Nat.succ_sub_succ_eq_sub,
+    Nat.sub_zero, Nat.and_one_is_mod, Bool.true_and, Nat.shiftRight_eq_div_pow]
+  rcases (Nat.lt_or_ge (BitVec.toNat x) (2 ^ w)) with h | h
+  · simp [Nat.div_eq_of_lt h, h]
+  · simp only [h]
+    rw [Nat.div_eq_sub_div (Nat.two_pow_pos w) h, Nat.div_eq_of_lt]
+    · decide
+    · have : BitVec.toNat x < 2^w + 2^w := by simpa [Nat.pow_succ, Nat.mul_two] using x.isLt
+      omega
+
+/-! ### cast -/
+
+@[simp] theorem toNat_cast (h : w = v) (x : BitVec w) : (cast h x).toNat = x.toNat := rfl
+@[simp] theorem toFin_cast (h : w = v) (x : BitVec w) :
+    (cast h x).toFin = x.toFin.cast (by rw [h]) :=
+  rfl
+
+@[simp] theorem getLsb_cast (h : w = v) (x : BitVec w) : (cast h x).getLsb i = x.getLsb i := by
+  subst h; simp
+
+@[simp] theorem getMsb_cast (h : w = v) (x : BitVec w) : (cast h x).getMsb i = x.getMsb i := by
+  subst h; simp
+@[simp] theorem msb_cast (h : w = v) (x : BitVec w) : (cast h x).msb = x.msb := by
+  simp [BitVec.msb]
+
+/-! ### zeroExtend and truncate -/
+
+@[simp] theorem toNat_zeroExtend' {m n : Nat} (p : m ≤ n) (x : BitVec m) :
+    (zeroExtend' p x).toNat = x.toNat := by
+  unfold zeroExtend'
+  simp [p, x.isLt, Nat.mod_eq_of_lt]
+
+theorem toNat_zeroExtend (i : Nat) (x : BitVec n) :
+    BitVec.toNat (zeroExtend i x) = x.toNat % 2^i := by
+  let ⟨x, lt_n⟩ := x
+  simp only [zeroExtend]
+  if n_le_i : n ≤ i then
+    have x_lt_two_i : x < 2 ^ i := lt_two_pow_of_le lt_n n_le_i
+    simp [n_le_i, Nat.mod_eq_of_lt, x_lt_two_i]
+  else
+    simp [n_le_i, toNat_ofNat]
+
+@[simp] theorem zeroExtend_eq (x : BitVec n) : zeroExtend n x = x := by
+  apply eq_of_toNat_eq
+  let ⟨x, lt_n⟩ := x
+  simp [truncate, zeroExtend]
+
+@[simp] theorem zeroExtend_zero (m n : Nat) : zeroExtend m (0#n) = 0#m := by
+  apply eq_of_toNat_eq
+  simp [toNat_zeroExtend]
+
+@[simp] theorem truncate_eq (x : BitVec n) : truncate n x = x := zeroExtend_eq x
+
+@[simp] theorem toNat_truncate (x : BitVec n) : (truncate i x).toNat = x.toNat % 2^i :=
+  toNat_zeroExtend i x
+
+@[simp] theorem getLsb_zeroExtend' (ge : m ≥ n) (x : BitVec n) (i : Nat) :
+    getLsb (zeroExtend' ge x) i = getLsb x i := by
+  simp [getLsb, toNat_zeroExtend']
+
+@[simp] theorem getLsb_zeroExtend (m : Nat) (x : BitVec n) (i : Nat) :
+    getLsb (zeroExtend m x) i = (decide (i < m) && getLsb x i) := by
+  simp [getLsb, toNat_zeroExtend, Nat.testBit_mod_two_pow]
+
+@[simp] theorem getLsb_truncate (m : Nat) (x : BitVec n) (i : Nat) :
+    getLsb (truncate m x) i = (decide (i < m) && getLsb x i) :=
+  getLsb_zeroExtend m x i
+
+/-! ## extractLsb -/
+
+@[simp]
+protected theorem extractLsb_ofFin {n} (x : Fin (2^n)) (hi lo : Nat) :
+  extractLsb hi lo (@BitVec.ofFin n x) = .ofNat (hi-lo+1) (x.val >>> lo) := rfl
+
+@[simp]
+protected theorem extractLsb_ofNat (x n : Nat) (hi lo : Nat) :
+  extractLsb hi lo x#n = .ofNat (hi - lo + 1) ((x % 2^n) >>> lo) := by
+  apply eq_of_getLsb_eq
+  intro ⟨i, _lt⟩
+  simp [BitVec.ofNat]
+
+@[simp] theorem extractLsb'_toNat (s m : Nat) (x : BitVec n) :
+  (extractLsb' s m x).toNat = (x.toNat >>> s) % 2^m := rfl
+
+@[simp] theorem extractLsb_toNat (hi lo : Nat) (x : BitVec n) :
+  (extractLsb hi lo x).toNat = (x.toNat >>> lo) % 2^(hi-lo+1) := rfl
+
+@[simp] theorem getLsb_extract (hi lo : Nat) (x : BitVec n) (i : Nat) :
+    getLsb (extractLsb hi lo x) i = (i ≤ (hi-lo) && getLsb x (lo+i)) := by
+  unfold getLsb
+  simp [Nat.lt_succ]
+
+/-! ### allOnes -/
+
+private theorem allOnes_def :
+    allOnes v = .ofFin (⟨0, Nat.two_pow_pos v⟩ - ⟨1 % 2^v, Nat.mod_lt _ (Nat.two_pow_pos v)⟩) := by
+  rfl
+
+@[simp] theorem toNat_allOnes : (allOnes v).toNat = 2^v - 1 := by
+  simp only [allOnes_def, toNat_ofFin, Fin.coe_sub, Nat.zero_add]
+  by_cases h : v = 0
+  · subst h
+    rfl
+  · rw [Nat.mod_eq_of_lt (Nat.one_lt_two_pow h), Nat.mod_eq_of_lt]
+    exact Nat.pred_lt_self (Nat.two_pow_pos v)
+
+@[simp] theorem getLsb_allOnes : (allOnes v).getLsb i = decide (i < v) := by
+  simp only [allOnes_def, getLsb_ofFin, Fin.coe_sub, Nat.zero_add, Nat.testBit_mod_two_pow]
+  if h : i < v then
+    simp only [h, decide_True, Bool.true_and]
+    match i, v, h with
+    | i, (v + 1), h =>
+      rw [Nat.mod_eq_of_lt (by simp), Nat.testBit_two_pow_sub_one]
+      simp [h]
+  else
+    simp [h]
+
+@[simp] theorem negOne_eq_allOnes : -1#w = allOnes w :=
+  rfl
+
+/-! ### or -/
+
+@[simp] theorem toNat_or (x y : BitVec v) :
+    BitVec.toNat (x ||| y) = BitVec.toNat x ||| BitVec.toNat y := rfl
+
+@[simp] theorem toFin_or (x y : BitVec v) :
+    BitVec.toFin (x ||| y) = BitVec.toFin x ||| BitVec.toFin y := by
+  simp only [HOr.hOr, OrOp.or, BitVec.or, Fin.lor, val_toFin, Fin.mk.injEq]
+  exact (Nat.mod_eq_of_lt <| Nat.or_lt_two_pow x.isLt y.isLt).symm
+
+
+@[simp] theorem getLsb_or {x y : BitVec v} : (x ||| y).getLsb i = (x.getLsb i || y.getLsb i) := by
+  rw [← testBit_toNat, getLsb, getLsb]
+  simp
+
+/-! ### and -/
+
+@[simp] theorem toNat_and (x y : BitVec v) :
+    BitVec.toNat (x &&& y) = BitVec.toNat x &&& BitVec.toNat y := rfl
+
+@[simp] theorem toFin_and (x y : BitVec v) :
+    BitVec.toFin (x &&& y) = BitVec.toFin x &&& BitVec.toFin y := by
+  simp only [HAnd.hAnd, AndOp.and, BitVec.and, Fin.land, val_toFin, Fin.mk.injEq]
+  exact (Nat.mod_eq_of_lt <| Nat.and_lt_two_pow _ y.isLt).symm
+
+@[simp] theorem getLsb_and {x y : BitVec v} : (x &&& y).getLsb i = (x.getLsb i && y.getLsb i) := by
+  rw [← testBit_toNat, getLsb, getLsb]
+  simp
+
+/-! ### xor -/
+
+@[simp] theorem toNat_xor (x y : BitVec v) :
+    BitVec.toNat (x ^^^ y) = BitVec.toNat x ^^^ BitVec.toNat y := rfl
+
+@[simp] theorem toFin_xor (x y : BitVec v) :
+    BitVec.toFin (x ^^^ y) = BitVec.toFin x ^^^ BitVec.toFin y := by
+  simp only [HXor.hXor, Xor.xor, BitVec.xor, Fin.xor, val_toFin, Fin.mk.injEq]
+  exact (Nat.mod_eq_of_lt <| Nat.xor_lt_two_pow x.isLt y.isLt).symm
+
+@[simp] theorem getLsb_xor {x y : BitVec v} :
+    (x ^^^ y).getLsb i = (xor (x.getLsb i) (y.getLsb i)) := by
+  rw [← testBit_toNat, getLsb, getLsb]
+  simp
+
+/-! ### not -/
+
+theorem not_def {x : BitVec v} : ~~~x = allOnes v ^^^ x := rfl
+
+@[simp] theorem toNat_not {x : BitVec v} : (~~~x).toNat = 2^v - 1 - x.toNat := by
+  rw [Nat.sub_sub, Nat.add_comm, not_def, toNat_xor]
+  apply Nat.eq_of_testBit_eq
+  intro i
+  simp only [toNat_allOnes, Nat.testBit_xor, Nat.testBit_two_pow_sub_one]
+  match h : BitVec.toNat x with
+  | 0 => simp
+  | y+1 =>
+    rw [Nat.succ_eq_add_one] at h
+    rw [← h]
+    rw [Nat.testBit_two_pow_sub_succ (toNat_lt _)]
+    · cases w : decide (i < v)
+      · simp at w
+        simp [w]
+        rw [Nat.testBit_lt_two_pow]
+        calc BitVec.toNat x < 2 ^ v := toNat_lt _
+          _ ≤ 2 ^ i := Nat.pow_le_pow_of_le_right Nat.zero_lt_two w
+      · simp
+
+@[simp] theorem toFin_not (x : BitVec w) :
+    (~~~x).toFin = x.toFin.rev := by
+  apply Fin.val_inj.mp
+  simp only [val_toFin, toNat_not, Fin.val_rev]
+  omega
+
+@[simp] theorem getLsb_not {x : BitVec v} : (~~~x).getLsb i = (decide (i < v) && ! x.getLsb i) := by
+  by_cases h' : i < v <;> simp_all [not_def]
+
+/-! ### shiftLeft -/
+
+@[simp] theorem toNat_shiftLeft {x : BitVec v} :
+    BitVec.toNat (x <<< n) = BitVec.toNat x <<< n % 2^v :=
+  BitVec.toNat_ofNat _ _
+
+@[simp] theorem toFin_shiftLeft {n : Nat} (x : BitVec w) :
+    BitVec.toFin (x <<< n) = Fin.ofNat' (x.toNat <<< n) (Nat.two_pow_pos w) := rfl
+
+@[simp] theorem getLsb_shiftLeft (x : BitVec m) (n) :
+    getLsb (x <<< n) i = (decide (i < m) && !decide (i < n) && getLsb x (i - n)) := by
+  rw [← testBit_toNat, getLsb]
+  simp only [toNat_shiftLeft, Nat.testBit_mod_two_pow, Nat.testBit_shiftLeft, ge_iff_le]
+  -- This step could be a case bashing tactic.
+  cases h₁ : decide (i < m) <;> cases h₂ : decide (n ≤ i) <;> cases h₃ : decide (i < n)
+  all_goals { simp_all <;> omega }
+
+theorem shiftLeftZeroExtend_eq {x : BitVec w} :
+    shiftLeftZeroExtend x n = zeroExtend (w+n) x <<< n := by
+  apply eq_of_toNat_eq
+  rw [shiftLeftZeroExtend, zeroExtend]
+  split
+  · simp
+    rw [Nat.mod_eq_of_lt]
+    rw [Nat.shiftLeft_eq, Nat.pow_add]
+    exact Nat.mul_lt_mul_of_pos_right (BitVec.toNat_lt x) (Nat.two_pow_pos _)
+  · omega
+
+@[simp] theorem getLsb_shiftLeftZeroExtend (x : BitVec m) (n : Nat) :
+    getLsb (shiftLeftZeroExtend x n) i = ((! decide (i < n)) && getLsb x (i - n)) := by
+  rw [shiftLeftZeroExtend_eq]
+  simp only [getLsb_shiftLeft, getLsb_zeroExtend]
+  cases h₁ : decide (i < n) <;> cases h₂ : decide (i - n < m + n) <;> cases h₃ : decide (i < m + n)
+    <;> simp_all
+    <;> (rw [getLsb_ge]; omega)
+
+/-! ### ushiftRight -/
+
+@[simp] theorem toNat_ushiftRight (x : BitVec n) (i : Nat) :
+    (x >>> i).toNat = x.toNat >>> i := rfl
+
+@[simp] theorem getLsb_ushiftRight (x : BitVec n) (i j : Nat) :
+    getLsb (x >>> i) j = getLsb x (i+j) := by
+  unfold getLsb ; simp
+
+/-! ### append -/
+
+theorem append_def (x : BitVec v) (y : BitVec w) :
+    x ++ y = (shiftLeftZeroExtend x w ||| zeroExtend' (Nat.le_add_left w v) y) := rfl
+
+@[simp] theorem toNat_append (x : BitVec m) (y : BitVec n) :
+    (x ++ y).toNat = x.toNat <<< n ||| y.toNat :=
+  rfl
+
+@[simp] theorem getLsb_append {v : BitVec n} {w : BitVec m} :
+    getLsb (v ++ w) i = bif i < m then getLsb w i else getLsb v (i - m) := by
+  simp [append_def]
+  by_cases h : i < m
+  · simp [h]
+  · simp [h]; simp_all
+
+/-! ### rev -/
+
+theorem getLsb_rev (x : BitVec w) (i : Fin w) :
+    x.getLsb i.rev = x.getMsb i := by
+  simp [getLsb, getMsb]
+  congr 1
+  omega
+
+theorem getMsb_rev (x : BitVec w) (i : Fin w) :
+    x.getMsb i.rev = x.getLsb i := by
+  simp only [← getLsb_rev]
+  simp only [Fin.rev]
+  congr
+  omega
+
+/-! ### cons -/
+
+@[simp] theorem toNat_cons (b : Bool) (x : BitVec w) :
+    (cons b x).toNat = (b.toNat <<< w) ||| x.toNat := by
+  let ⟨x, _⟩ := x
+  simp [cons, toNat_append, toNat_ofBool]
+
+@[simp] theorem getLsb_cons (b : Bool) {n} (x : BitVec n) (i : Nat) :
+    getLsb (cons b x) i = if i = n then b else getLsb x i := by
+  simp only [getLsb, toNat_cons, Nat.testBit_or]
+  rw [Nat.testBit_shiftLeft]
+  rcases Nat.lt_trichotomy i n with i_lt_n | i_eq_n | n_lt_i
+  · have p1 : ¬(n ≤ i) := by omega
+    have p2 : i ≠ n := by omega
+    simp [p1, p2]
+  · simp [i_eq_n, testBit_toNat]
+    cases b <;> trivial
+  · have p1 : i ≠ n := by omega
+    have p2 : i - n ≠ 0 := by omega
+    simp [p1, p2, Nat.testBit_bool_to_nat]
+
+theorem truncate_succ (x : BitVec w) :
+    truncate (i+1) x = cons (getLsb x i) (truncate i x) := by
+  apply eq_of_getLsb_eq
+  intro j
+  simp only [getLsb_truncate, getLsb_cons, j.isLt, decide_True, Bool.true_and]
+  if j_eq : j.val = i then
+    simp [j_eq]
+  else
+    have j_lt : j.val < i := Nat.lt_of_le_of_ne (Nat.le_of_succ_le_succ j.isLt) j_eq
+    simp [j_eq, j_lt]
+
+/-! ### add -/
+
+theorem add_def {n} (x y : BitVec n) : x + y = .ofNat n (x.toNat + y.toNat) := rfl
+
+/--
+Definition of bitvector addition as a nat.
+-/
+@[simp] theorem toNat_add (x y : BitVec w) : (x + y).toNat = (x.toNat + y.toNat) % 2^w := rfl
+@[simp] theorem toFin_add (x y : BitVec w) : (x + y).toFin = toFin x + toFin y := rfl
+@[simp] theorem ofFin_add (x : Fin (2^n)) (y : BitVec n) :
+  .ofFin x + y = .ofFin (x + y.toFin) := rfl
+@[simp] theorem add_ofFin (x : BitVec n) (y : Fin (2^n)) :
+  x + .ofFin y = .ofFin (x.toFin + y) := rfl
+@[simp] theorem ofNat_add_ofNat {n} (x y : Nat) : x#n + y#n = (x + y)#n := by
+  apply eq_of_toNat_eq ; simp [BitVec.ofNat]
+
+protected theorem add_assoc (x y z : BitVec n) : x + y + z = x + (y + z) := by
+  apply eq_of_toNat_eq ; simp [Nat.add_assoc]
+
+protected theorem add_comm (x y : BitVec n) : x + y = y + x := by
+  simp [add_def, Nat.add_comm]
+
+@[simp] protected theorem add_zero (x : BitVec n) : x + 0#n = x := by simp [add_def]
+
+@[simp] protected theorem zero_add (x : BitVec n) : 0#n + x = x := by simp [add_def]
+
+
+/-! ### sub/neg -/
+
+theorem sub_def {n} (x y : BitVec n) : x - y = .ofNat n (x.toNat + (2^n - y.toNat)) := by rfl
+
+@[simp] theorem toNat_sub {n} (x y : BitVec n) :
+  (x - y).toNat = ((x.toNat + (2^n - y.toNat)) % 2^n) := rfl
+@[simp] theorem toFin_sub (x y : BitVec n) : (x - y).toFin = toFin x - toFin y := rfl
+
+@[simp] theorem ofFin_sub (x : Fin (2^n)) (y : BitVec n) : .ofFin x - y = .ofFin (x - y.toFin) :=
+  rfl
+@[simp] theorem sub_ofFin (x : BitVec n) (y : Fin (2^n)) : x - .ofFin y = .ofFin (x.toFin - y) :=
+  rfl
+-- Remark: we don't use `[simp]` here because simproc` subsumes it for literals.
+-- If `x` and `n` are not literals, applying this theorem eagerly may not be a good idea.
+theorem ofNat_sub_ofNat {n} (x y : Nat) : x#n - y#n = .ofNat n (x + (2^n - y % 2^n)) := by
+  apply eq_of_toNat_eq ; simp [BitVec.ofNat]
+
+@[simp] protected theorem sub_zero (x : BitVec n) : x - (0#n) = x := by apply eq_of_toNat_eq ; simp
+
+@[simp] protected theorem sub_self (x : BitVec n) : x - x = 0#n := by
+  apply eq_of_toNat_eq
+  simp only [toNat_sub]
+  rw [Nat.add_sub_of_le]
+  · simp
+  · exact Nat.le_of_lt x.isLt
+
+@[simp] theorem toNat_neg (x : BitVec n) : (- x).toNat = (2^n - x.toNat) % 2^n := by
+  simp [Neg.neg, BitVec.neg]
+
+theorem sub_toAdd {n} (x y : BitVec n) : x - y = x + - y := by
+  apply eq_of_toNat_eq
+  simp
+
+@[simp] theorem neg_zero (n:Nat) : -0#n = 0#n := by apply eq_of_toNat_eq ; simp
+
+theorem add_sub_cancel (x y : BitVec w) : x + y - y = x := by
+  apply eq_of_toNat_eq
+  have y_toNat_le := Nat.le_of_lt y.toNat_lt
+  rw [toNat_sub, toNat_add, Nat.mod_add_mod, Nat.add_assoc, ← Nat.add_sub_assoc y_toNat_le,
+    Nat.add_sub_cancel_left, Nat.add_mod_right, toNat_mod_cancel]
+
+/-! ### mul -/
+
+theorem mul_def {n} {x y : BitVec n} : x * y = (ofFin <| x.toFin * y.toFin) := by rfl
+
+theorem toNat_mul (x y : BitVec n) : (x * y).toNat = (x.toNat * y.toNat) % 2 ^ n := rfl
+@[simp] theorem toFin_mul (x y : BitVec n) : (x * y).toFin = (x.toFin * y.toFin) := rfl
+
+/-! ### le and lt -/
+
+theorem le_def (x y : BitVec n) :
+  x ≤ y ↔ x.toNat ≤ y.toNat := Iff.rfl
+
+@[simp] theorem le_ofFin (x : BitVec n) (y : Fin (2^n)) :
+  x ≤ BitVec.ofFin y ↔ x.toFin ≤ y := Iff.rfl
+@[simp] theorem ofFin_le (x : Fin (2^n)) (y : BitVec n) :
+  BitVec.ofFin x ≤ y ↔ x ≤ y.toFin := Iff.rfl
+@[simp] theorem ofNat_le_ofNat {n} (x y : Nat) : (x#n) ≤ (y#n) ↔ x % 2^n ≤ y % 2^n := by
+  simp [le_def]
+
+theorem lt_def (x y : BitVec n) :
+  x < y ↔ x.toNat < y.toNat := Iff.rfl
+
+@[simp] theorem lt_ofFin (x : BitVec n) (y : Fin (2^n)) :
+  x < BitVec.ofFin y ↔ x.toFin < y := Iff.rfl
+@[simp] theorem ofFin_lt (x : Fin (2^n)) (y : BitVec n) :
+  BitVec.ofFin x < y ↔ x < y.toFin := Iff.rfl
+@[simp] theorem ofNat_lt_ofNat {n} (x y : Nat) : (x#n) < (y#n) ↔ x % 2^n < y % 2^n := by
+  simp [lt_def]
+
+protected theorem lt_of_le_ne (x y : BitVec n) (h1 : x <= y) (h2 : ¬ x = y) : x < y := by
+  revert h1 h2
+  let ⟨x, lt⟩ := x
+  let ⟨y, lt⟩ := y
+  simp
+  exact Nat.lt_of_le_of_ne

src/Init/Data/Bool.lean

@@ -0,0 +1,231 @@
+/-
+Copyright (c) 2023 F. G. Dorais. No rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: F. G. Dorais
+-/
+prelude
+import Init.BinderPredicates
+
+/-- Boolean exclusive or -/
+abbrev xor : Bool → Bool → Bool := bne
+
+namespace Bool
+
+/- Namespaced versions that can be used instead of prefixing `_root_` -/
+@[inherit_doc not] protected abbrev not := not
+@[inherit_doc or]  protected abbrev or  := or
+@[inherit_doc and] protected abbrev and := and
+@[inherit_doc xor] protected abbrev xor := xor
+
+instance (p : Bool → Prop) [inst : DecidablePred p] : Decidable (∀ x, p x) :=
+  match inst true, inst false with
+  | isFalse ht, _ => isFalse fun h => absurd (h _) ht
+  | _, isFalse hf => isFalse fun h => absurd (h _) hf
+  | isTrue ht, isTrue hf => isTrue fun | true => ht | false => hf
+
+instance (p : Bool → Prop) [inst : DecidablePred p] : Decidable (∃ x, p x) :=
+  match inst true, inst false with
+  | isTrue ht, _ => isTrue ⟨_, ht⟩
+  | _, isTrue hf => isTrue ⟨_, hf⟩
+  | isFalse ht, isFalse hf => isFalse fun | ⟨true, h⟩ => absurd h ht | ⟨false, h⟩ => absurd h hf
+
+instance : LE Bool := ⟨(. → .)⟩
+instance : LT Bool := ⟨(!. && .)⟩
+
+instance (x y : Bool) : Decidable (x ≤ y) := inferInstanceAs (Decidable (x → y))
+instance (x y : Bool) : Decidable (x < y) := inferInstanceAs (Decidable (!x && y))
+
+instance : Max Bool := ⟨or⟩
+instance : Min Bool := ⟨and⟩
+
+theorem false_ne_true : false ≠ true := Bool.noConfusion
+
+theorem eq_false_or_eq_true : (b : Bool) → b = true ∨ b = false := by decide
+
+theorem eq_false_iff : {b : Bool} → b = false ↔ b ≠ true := by decide
+
+theorem ne_false_iff : {b : Bool} → b ≠ false ↔ b = true := by decide
+
+theorem eq_iff_iff {a b : Bool} : a = b ↔ (a ↔ b) := by cases b <;> simp
+
+/-! ### and -/
+
+@[simp] theorem not_and_self : ∀ (x : Bool), (!x && x) = false := by decide
+
+@[simp] theorem and_not_self : ∀ (x : Bool), (x && !x) = false := by decide
+
+theorem and_comm : ∀ (x y : Bool), (x && y) = (y && x) := by decide
+
+theorem and_left_comm : ∀ (x y z : Bool), (x && (y && z)) = (y && (x && z)) := by decide
+
+theorem and_right_comm : ∀ (x y z : Bool), ((x && y) && z) = ((x && z) && y) := by decide
+
+theorem and_or_distrib_left : ∀ (x y z : Bool), (x && (y || z)) = ((x && y) || (x && z)) := by
+  decide
+
+theorem and_or_distrib_right : ∀ (x y z : Bool), ((x || y) && z) = ((x && z) || (y && z)) := by
+  decide
+
+theorem and_xor_distrib_left : ∀ (x y z : Bool), (x && xor y z) = xor (x && y) (x && z) := by decide
+
+theorem and_xor_distrib_right : ∀ (x y z : Bool), (xor x y && z) = xor (x && z) (y && z) := by
+  decide
+
+/-- De Morgan's law for boolean and -/
+theorem not_and : ∀ (x y : Bool), (!(x && y)) = (!x || !y) := by decide
+
+theorem and_eq_true_iff : ∀ (x y : Bool), (x && y) = true ↔ x = true ∧ y = true := by decide
+
+theorem and_eq_false_iff : ∀ (x y : Bool), (x && y) = false ↔ x = false ∨ y = false := by decide
+
+/-! ### or -/
+
+@[simp] theorem not_or_self : ∀ (x : Bool), (!x || x) = true := by decide
+
+@[simp] theorem or_not_self : ∀ (x : Bool), (x || !x) = true := by decide
+
+theorem or_comm : ∀ (x y : Bool), (x || y) = (y || x) := by decide
+
+theorem or_left_comm : ∀ (x y z : Bool), (x || (y || z)) = (y || (x || z)) := by decide
+
+theorem or_right_comm : ∀ (x y z : Bool), ((x || y) || z) = ((x || z) || y) := by decide
+
+theorem or_and_distrib_left : ∀ (x y z : Bool), (x || (y && z)) = ((x || y) && (x || z)) := by
+  decide
+
+theorem or_and_distrib_right : ∀ (x y z : Bool), ((x && y) || z) = ((x || z) && (y || z)) := by
+  decide
+
+/-- De Morgan's law for boolean or -/
+theorem not_or : ∀ (x y : Bool), (!(x || y)) = (!x && !y) := by decide
+
+theorem or_eq_true_iff : ∀ (x y : Bool), (x || y) = true ↔ x = true ∨ y = true := by decide
+
+theorem or_eq_false_iff : ∀ (x y : Bool), (x || y) = false ↔ x = false ∧ y = false := by decide
+
+/-! ### xor -/
+
+@[simp] theorem false_xor : ∀ (x : Bool), xor false x = x := by decide
+
+@[simp] theorem xor_false : ∀ (x : Bool), xor x false = x := by decide
+
+@[simp] theorem true_xor : ∀ (x : Bool), xor true x = !x := by decide
+
+@[simp] theorem xor_true : ∀ (x : Bool), xor x true = !x := by decide
+
+@[simp] theorem not_xor_self : ∀ (x : Bool), xor (!x) x = true := by decide
+
+@[simp] theorem xor_not_self : ∀ (x : Bool), xor x (!x) = true := by decide
+
+theorem not_xor : ∀ (x y : Bool), xor (!x) y = !(xor x y) := by decide
+
+theorem xor_not : ∀ (x y : Bool), xor x (!y) = !(xor x y) := by decide
+
+@[simp] theorem not_xor_not : ∀ (x y : Bool), xor (!x) (!y) = (xor x y) := by decide
+
+theorem xor_self : ∀ (x : Bool), xor x x = false := by decide
+
+theorem xor_comm : ∀ (x y : Bool), xor x y = xor y x := by decide
+
+theorem xor_left_comm : ∀ (x y z : Bool), xor x (xor y z) = xor y (xor x z) := by decide
+
+theorem xor_right_comm : ∀ (x y z : Bool), xor (xor x y) z = xor (xor x z) y := by decide
+
+theorem xor_assoc : ∀ (x y z : Bool), xor (xor x y) z = xor x (xor y z) := by decide
+
+@[simp]
+theorem xor_left_inj : ∀ (x y z : Bool), xor x y = xor x z ↔ y = z := by decide
+
+@[simp]
+theorem xor_right_inj : ∀ (x y z : Bool), xor x z = xor y z ↔ x = y := by decide
+
+/-! ### le/lt -/
+
+@[simp] protected theorem le_true : ∀ (x : Bool), x ≤ true := by decide
+
+@[simp] protected theorem false_le : ∀ (x : Bool), false ≤ x := by decide
+
+@[simp] protected theorem le_refl : ∀ (x : Bool), x ≤ x := by decide
+
+@[simp] protected theorem lt_irrefl : ∀ (x : Bool), ¬ x < x := by decide
+
+protected theorem le_trans : ∀ {x y z : Bool}, x ≤ y → y ≤ z → x ≤ z := by decide
+
+protected theorem le_antisymm : ∀ {x y : Bool}, x ≤ y → y ≤ x → x = y := by decide
+
+protected theorem le_total : ∀ (x y : Bool), x ≤ y ∨ y ≤ x := by decide
+
+protected theorem lt_asymm : ∀ {x y : Bool}, x < y → ¬ y < x := by decide
+
+protected theorem lt_trans : ∀ {x y z : Bool}, x < y → y < z → x < z := by decide
+
+protected theorem lt_iff_le_not_le : ∀ {x y : Bool}, x < y ↔ x ≤ y ∧ ¬ y ≤ x := by decide
+
+protected theorem lt_of_le_of_lt : ∀ {x y z : Bool}, x ≤ y → y < z → x < z := by decide
+
+protected theorem lt_of_lt_of_le : ∀ {x y z : Bool}, x < y → y ≤ z → x < z := by decide
+
+protected theorem le_of_lt : ∀ {x y : Bool}, x < y → x ≤ y := by decide
+
+protected theorem le_of_eq : ∀ {x y : Bool}, x = y → x ≤ y := by decide
+
+protected theorem ne_of_lt : ∀ {x y : Bool}, x < y → x ≠ y := by decide
+
+protected theorem lt_of_le_of_ne : ∀ {x y : Bool}, x ≤ y → x ≠ y → x < y := by decide
+
+protected theorem le_of_lt_or_eq : ∀ {x y : Bool}, x < y ∨ x = y → x ≤ y := by decide
+
+protected theorem eq_true_of_true_le : ∀ {x : Bool}, true ≤ x → x = true := by decide
+
+protected theorem eq_false_of_le_false : ∀ {x : Bool}, x ≤ false → x = false := by decide
+
+/-! ### min/max -/
+
+@[simp] protected theorem max_eq_or : max = or := rfl
+
+@[simp] protected theorem min_eq_and : min = and := rfl
+
+/-! ### injectivity lemmas -/
+
+theorem not_inj : ∀ {x y : Bool}, (!x) = (!y) → x = y := by decide
+
+theorem not_inj_iff : ∀ {x y : Bool}, (!x) = (!y) ↔ x = y := by decide
+
+theorem and_or_inj_right : ∀ {m x y : Bool}, (x && m) = (y && m) → (x || m) = (y || m) → x = y := by
+  decide
+
+theorem and_or_inj_right_iff :
+    ∀ {m x y : Bool}, (x && m) = (y && m) ∧ (x || m) = (y || m) ↔ x = y := by decide
+
+theorem and_or_inj_left : ∀ {m x y : Bool}, (m && x) = (m && y) → (m || x) = (m || y) → x = y := by
+  decide
+
+theorem and_or_inj_left_iff :
+    ∀ {m x y : Bool}, (m && x) = (m && y) ∧ (m || x) = (m || y) ↔ x = y := by decide
+
+/-! ## toNat -/
+
+/-- convert a `Bool` to a `Nat`, `false -> 0`, `true -> 1` -/
+def toNat (b:Bool) : Nat := cond b 1 0
+
+@[simp] theorem toNat_false : false.toNat = 0 := rfl
+
+@[simp] theorem toNat_true : true.toNat = 1 := rfl
+
+theorem toNat_le_one (c:Bool) : c.toNat ≤ 1 := by
+  cases c <;> trivial
+
+end Bool
+
+/-! ### cond -/
+
+theorem cond_eq_if : (bif b then x else y) = (if b then x else y) := by
+  cases b <;> simp
+
+/-! ### decide -/
+
+@[simp] theorem false_eq_decide_iff {p : Prop} [h : Decidable p] : false = decide p ↔ ¬p := by
+  cases h with | _ q => simp [q]
+
+@[simp] theorem true_eq_decide_iff {p : Prop} [h : Decidable p] : true = decide p ↔ p := by
+  cases h with | _ q => simp [q]

src/Init/Data/Cast.lean

@@ -0,0 +1,72 @@
+/-
+Copyright (c) 2014 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro, Gabriel Ebner
+-/
+prelude
+import Init.Coe
+
+/-!
+# `NatCast`
+
+We introduce the typeclass `NatCast R` for a type `R` with a "canonical
+homomorphism" `Nat → R`. The typeclass carries the data of the function,
+but no required axioms.
+
+This typeclass was introduced to support a uniform `simp` normal form
+for such morphisms.
+
+Without such a typeclass, we would have specific coercions such as
+`Int.ofNat`, but also later the generic coercion from `Nat` into any
+Mathlib semiring (including `Int`), and we would need to use `simp` to
+move between them. However `simp` lemmas expressed using a non-normal
+form on the LHS would then not fire.
+
+Typically different instances of this class for the same target type `R`
+are definitionally equal, and so differences in the instance do not
+block `simp` or `rw`.
+
+This logic also applies to `Int` and so we also introduce `IntCast` alongside
+`Int.
+
+## Note about coercions into arbitrary types:
+
+Coercions such as `Nat.cast` that go from a concrete structure such as
+`Nat` to an arbitrary type `R` should be set up as follows:
+```lean
+instance : CoeTail Nat R where coe := ...
+instance : CoeHTCT Nat R where coe := ...
+```
+
+It needs to be `CoeTail` instead of `Coe` because otherwise type-class
+inference would loop when constructing the transitive coercion `Nat →
+Nat → Nat → ...`. Sometimes we also need to declare the `CoeHTCT`
+instance if we need to shadow another coercion.
+-/
+
+/-- Type class for the canonical homomorphism `Nat → R`. -/
+class NatCast (R : Type u) where
+  /-- The canonical map `Nat → R`. -/
+  protected natCast : Nat → R
+
+instance : NatCast Nat where natCast n := n
+
+/--
+Canonical homomorphism from `Nat` to a type `R`.
+
+It contains just the function, with no axioms.
+In practice, the target type will likely have a (semi)ring structure,
+and this homomorphism should be a ring homomorphism.
+
+The prototypical example is `Int.ofNat`.
+
+This class and `IntCast` exist to allow different libraries with their own types that can be notated as natural numbers to have consistent `simp` normal forms without needing to create coercion simplification sets that are aware of all combinations. Libraries should make it easy to work with `NatCast` where possible. For instance, in Mathlib there will be such a homomorphism (and thus a `NatCast R` instance) whenever `R` is an additive monoid with a `1`.
+-/
+@[coe, reducible, match_pattern] protected def Nat.cast {R : Type u} [NatCast R] : Nat → R :=
+  NatCast.natCast
+
+-- see the notes about coercions into arbitrary types in the module doc-string
+instance [NatCast R] : CoeTail Nat R where coe := Nat.cast
+
+-- see the notes about coercions into arbitrary types in the module doc-string
+instance [NatCast R] : CoeHTCT Nat R where coe := Nat.cast

src/Init/Data/Fin.lean

@@ -6,3 +6,6 @@ Author: Leonardo de Moura
 prelude
 import Init.Data.Fin.Basic
 import Init.Data.Fin.Log2
+import Init.Data.Fin.Iterate
+import Init.Data.Fin.Fold
+import Init.Data.Fin.Lemmas

src/Init/Data/Fin/Basic.lean

@@ -1,11 +1,11 @@
 /-
 Copyright (c) 2016 Microsoft Corporation. All rights reserved.
 Released under Apache 2.0 license as described in the file LICENSE.
-Author: Leonardo de Moura
+Author: Leonardo de Moura, Robert Y. Lewis, Keeley Hoek, Mario Carneiro
 -/
 prelude
 import Init.Data.Nat.Div
-import Init.Data.Nat.Bitwise
+import Init.Data.Nat.Bitwise.Basic
 import Init.Coe
 
 open Nat
@@ -100,12 +100,14 @@ instance : ShiftLeft (Fin n) where
 instance : ShiftRight (Fin n) where
   shiftRight := Fin.shiftRight
 
-instance : OfNat (Fin (no_index (n+1))) i where
+instance instOfNat : OfNat (Fin (no_index (n+1))) i where
   ofNat := Fin.ofNat i
 
 instance : Inhabited (Fin (no_index (n+1))) where
   default := 0
 
+@[simp] theorem zero_eta : (⟨0, Nat.zero_lt_succ _⟩ : Fin (n + 1)) = 0 := rfl
+
 theorem val_ne_of_ne {i j : Fin n} (h : i ≠ j) : val i ≠ val j :=
   fun h' => absurd (eq_of_val_eq h') h
 
@@ -115,6 +117,45 @@ theorem modn_lt : ∀ {m : Nat} (i : Fin n), m > 0 → (modn i m).val < m
 theorem val_lt_of_le (i : Fin b) (h : b ≤ n) : i.val < n :=
   Nat.lt_of_lt_of_le i.isLt h
 
+protected theorem pos (i : Fin n) : 0 < n :=
+  Nat.lt_of_le_of_lt (Nat.zero_le _) i.2
+
+/-- The greatest value of `Fin (n+1)`. -/
+@[inline] def last (n : Nat) : Fin (n + 1) := ⟨n, n.lt_succ_self⟩
+
+/-- `castLT i h` embeds `i` into a `Fin` where `h` proves it belongs into.  -/
+@[inline] def castLT (i : Fin m) (h : i.1 < n) : Fin n := ⟨i.1, h⟩
+
+/-- `castLE h i` embeds `i` into a larger `Fin` type.  -/
+@[inline] def castLE (h : n ≤ m) (i : Fin n) : Fin m := ⟨i, Nat.lt_of_lt_of_le i.2 h⟩
+
+/-- `cast eq i` embeds `i` into an equal `Fin` type. -/
+@[inline] def cast (eq : n = m) (i : Fin n) : Fin m := ⟨i, eq ▸ i.2⟩
+
+/-- `castAdd m i` embeds `i : Fin n` in `Fin (n+m)`. See also `Fin.natAdd` and `Fin.addNat`. -/
+@[inline] def castAdd (m) : Fin n → Fin (n + m) :=
+  castLE <| Nat.le_add_right n m
+
+/-- `castSucc i` embeds `i : Fin n` in `Fin (n+1)`. -/
+@[inline] def castSucc : Fin n → Fin (n + 1) := castAdd 1
+
+/-- `addNat m i` adds `m` to `i`, generalizes `Fin.succ`. -/
+def addNat (i : Fin n) (m) : Fin (n + m) := ⟨i + m, Nat.add_lt_add_right i.2 _⟩
+
+/-- `natAdd n i` adds `n` to `i` "on the left". -/
+def natAdd (n) (i : Fin m) : Fin (n + m) := ⟨n + i, Nat.add_lt_add_left i.2 _⟩
+
+/-- Maps `0` to `n-1`, `1` to `n-2`, ..., `n-1` to `0`. -/
+@[inline] def rev (i : Fin n) : Fin n := ⟨n - (i + 1), Nat.sub_lt i.pos (Nat.succ_pos _)⟩
+
+/-- `subNat i h` subtracts `m` from `i`, generalizes `Fin.pred`. -/
+@[inline] def subNat (m) (i : Fin (n + m)) (h : m ≤ i) : Fin n :=
+  ⟨i - m, Nat.sub_lt_right_of_lt_add h i.2⟩
+
+/-- Predecessor of a nonzero element of `Fin (n+1)`. -/
+@[inline] def pred {n : Nat} (i : Fin (n + 1)) (h : i ≠ 0) : Fin n :=
+  subNat 1 i <| Nat.pos_of_ne_zero <| mt (Fin.eq_of_val_eq (j := 0)) h
+
 end Fin
 
 instance [GetElem cont Nat elem dom] : GetElem cont (Fin n) elem fun xs i => dom xs i where

src/Init/Data/Fin/Fold.lean

@@ -0,0 +1,21 @@
+/-
+Copyright (c) 2023 François G. Dorais. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: François G. Dorais
+-/
+prelude
+import Init.Data.Nat.Linear
+
+/-- Folds over `Fin n` from the left: `foldl 3 f x = f (f (f x 0) 1) 2`. -/
+@[inline] def foldl (n) (f : α → Fin n → α) (init : α) : α := loop init 0 where
+  /-- Inner loop for `Fin.foldl`. `Fin.foldl.loop n f x i = f (f (f x i) ...) (n-1)`  -/
+  loop (x : α) (i : Nat) : α :=
+    if h : i < n then loop (f x ⟨i, h⟩) (i+1) else x
+  termination_by n - i
+
+/-- Folds over `Fin n` from the right: `foldr 3 f x = f 0 (f 1 (f 2 x))`. -/
+@[inline] def foldr (n) (f : Fin n → α → α) (init : α) : α := loop ⟨n, Nat.le_refl n⟩ init where
+  /-- Inner loop for `Fin.foldr`. `Fin.foldr.loop n f i x = f 0 (f ... (f (i-1) x))`  -/
+  loop : {i // i ≤ n} → α → α
+  | ⟨0, _⟩, x => x
+  | ⟨i+1, h⟩, x => loop ⟨i, Nat.le_of_lt h⟩ (f ⟨i, h⟩ x)

src/Init/Data/Fin/Iterate.lean

@@ -0,0 +1,96 @@
+/-
+Copyright (c) 2023 by the authors listed in the file AUTHORS and their
+institutional affiliations. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Joe Hendrix
+-/
+prelude
+import Init.PropLemmas
+import Init.Data.Fin.Basic
+
+namespace Fin
+
+/--
+`hIterateFrom f i bnd a` applies `f` over indices `[i:n]` to compute `P n`
+from `P i`.
+
+See `hIterate` below for more details.
+-/
+def hIterateFrom (P : Nat → Sort _) {n} (f : ∀(i : Fin n), P i.val → P (i.val+1))
+      (i : Nat) (ubnd : i ≤ n) (a : P i) : P n :=
+  if g : i < n then
+    hIterateFrom P f (i+1) g (f ⟨i, g⟩ a)
+  else
+    have p : i = n := (or_iff_left g).mp (Nat.eq_or_lt_of_le ubnd)
+    _root_.cast (congrArg P p) a
+  termination_by n - i
+
+/--
+`hIterate` is a heterogenous iterative operation that applies a
+index-dependent function `f` to a value `init : P start` a total of
+`stop - start` times to produce a value of type `P stop`.
+
+Concretely, `hIterate start stop f init` is equal to
+```lean
+  init |> f start _ |> f (start+1) _ ... |> f (end-1) _
+```
+
+Because it is heterogenous and must return a value of type `P stop`,
+`hIterate` requires proof that `start ≤ stop`.
+
+One can prove properties of `hIterate` using the general theorem
+`hIterate_elim` or other more specialized theorems.
+ -/
+def hIterate (P : Nat → Sort _) {n : Nat} (init : P 0) (f : ∀(i : Fin n), P i.val → P (i.val+1)) :
+    P n :=
+  hIterateFrom P f 0 (Nat.zero_le n) init
+
+private theorem hIterateFrom_elim {P : Nat → Sort _}(Q : ∀(i : Nat), P i → Prop)
+    {n  : Nat}
+    (f : ∀(i : Fin n), P i.val → P (i.val+1))
+    {i : Nat} (ubnd : i ≤ n)
+    (s : P i)
+    (init : Q i s)
+    (step : ∀(k : Fin n) (s : P k.val), Q k.val s → Q (k.val+1) (f k s)) :
+    Q n (hIterateFrom P f i ubnd s) := by
+  let ⟨j, p⟩ := Nat.le.dest ubnd
+  induction j generalizing i ubnd init with
+  | zero =>
+    unfold hIterateFrom
+    have g : ¬ (i < n) := by simp at p; simp [p]
+    have r : Q n (_root_.cast (congrArg P p) s) :=
+      @Eq.rec Nat i (fun k eq => Q k (_root_.cast (congrArg P eq) s)) init n p
+    simp only [g, r, dite_false]
+  | succ j inv =>
+    unfold hIterateFrom
+    have d : Nat.succ i + j = n := by simp [Nat.succ_add]; exact p
+    have g : i < n := Nat.le.intro d
+    simp only [g]
+    exact inv _ _ (step ⟨i,g⟩ s init) d
+
+/-
+`hIterate_elim` provides a mechanism for showing that the result of
+`hIterate` satisifies a property `Q stop` by showing that the states
+at the intermediate indices `i : start ≤ i < stop` satisfy `Q i`.
+-/
+theorem hIterate_elim {P : Nat → Sort _} (Q : ∀(i : Nat), P i → Prop)
+    {n : Nat} (f : ∀(i : Fin n), P i.val → P (i.val+1)) (s : P 0) (init : Q 0 s)
+    (step : ∀(k : Fin n) (s : P k.val), Q k.val s → Q (k.val+1) (f k s)) :
+    Q n (hIterate P s f) := by
+  exact hIterateFrom_elim _ _ _ _ init step
+
+/-
+`hIterate_eq`provides a mechanism for replacing `hIterate P s f` with a
+function `state` showing that matches the steps performed by `hIterate`.
+
+This allows rewriting incremental code using `hIterate` with a
+non-incremental state function.
+-/
+theorem hIterate_eq {P : Nat → Sort _} (state : ∀(i : Nat), P i)
+    {n : Nat} (f : ∀(i : Fin n), P i.val → P (i.val+1)) (s : P 0)
+    (init : s = state 0)
+    (step : ∀(i : Fin n), f i (state i) = state (i+1)) :
+    hIterate P s f = state n := by
+  apply hIterate_elim (fun i s => s = state i) f s init
+  intro i s s_eq
+  simp only [s_eq, step]

src/Init/Data/Fin/Lemmas.lean

@@ -0,0 +1,830 @@
+/-
+Copyright (c) 2022 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro
+-/
+prelude
+import Init.Data.Fin.Basic
+import Init.Data.Nat.Lemmas
+import Init.Ext
+import Init.ByCases
+import Init.Conv
+import Init.Omega
+
+namespace Fin
+
+/-- If you actually have an element of `Fin n`, then the `n` is always positive -/
+theorem size_pos (i : Fin n) : 0 < n := Nat.lt_of_le_of_lt (Nat.zero_le _) i.2
+
+theorem mod_def (a m : Fin n) : a % m = Fin.mk (a % m) (Nat.lt_of_le_of_lt (Nat.mod_le _ _) a.2) :=
+  rfl
+
+theorem mul_def (a b : Fin n) : a * b = Fin.mk ((a * b) % n) (Nat.mod_lt _ a.size_pos) := rfl
+
+theorem sub_def (a b : Fin n) : a - b = Fin.mk ((a + (n - b)) % n) (Nat.mod_lt _ a.size_pos) := rfl
+
+theorem size_pos' : ∀ [Nonempty (Fin n)], 0 < n | ⟨i⟩ => i.size_pos
+
+@[simp] theorem is_lt (a : Fin n) : (a : Nat) < n := a.2
+
+theorem pos_iff_nonempty {n : Nat} : 0 < n ↔ Nonempty (Fin n) :=
+  ⟨fun h => ⟨⟨0, h⟩⟩, fun ⟨i⟩ => i.pos⟩
+
+/-! ### coercions and constructions -/
+
+@[simp] protected theorem eta (a : Fin n) (h : a < n) : (⟨a, h⟩ : Fin n) = a := rfl
+
+@[ext] theorem ext {a b : Fin n} (h : (a : Nat) = b) : a = b := eq_of_val_eq h
+
+theorem val_inj {a b : Fin n} : a.1 = b.1 ↔ a = b := ⟨Fin.eq_of_val_eq, Fin.val_eq_of_eq⟩
+
+theorem ext_iff {a b : Fin n} : a = b ↔ a.1 = b.1 := val_inj.symm
+
+theorem val_ne_iff {a b : Fin n} : a.1 ≠ b.1 ↔ a ≠ b := not_congr val_inj
+
+theorem exists_iff {p : Fin n → Prop} : (∃ i, p i) ↔ ∃ i h, p ⟨i, h⟩ :=
+  ⟨fun ⟨⟨i, hi⟩, hpi⟩ => ⟨i, hi, hpi⟩, fun ⟨i, hi, hpi⟩ => ⟨⟨i, hi⟩, hpi⟩⟩
+
+theorem forall_iff {p : Fin n → Prop} : (∀ i, p i) ↔ ∀ i h, p ⟨i, h⟩ :=
+  ⟨fun h i hi => h ⟨i, hi⟩, fun h ⟨i, hi⟩ => h i hi⟩
+
+protected theorem mk.inj_iff {n a b : Nat} {ha : a < n} {hb : b < n} :
+    (⟨a, ha⟩ : Fin n) = ⟨b, hb⟩ ↔ a = b := ext_iff
+
+theorem val_mk {m n : Nat} (h : m < n) : (⟨m, h⟩ : Fin n).val = m := rfl
+
+theorem eq_mk_iff_val_eq {a : Fin n} {k : Nat} {hk : k < n} :
+    a = ⟨k, hk⟩ ↔ (a : Nat) = k := ext_iff
+
+theorem mk_val (i : Fin n) : (⟨i, i.isLt⟩ : Fin n) = i := Fin.eta ..
+
+@[simp] theorem val_ofNat' (a : Nat) (is_pos : n > 0) :
+  (Fin.ofNat' a is_pos).val = a % n := rfl
+
+@[deprecated ofNat'_zero_val] theorem ofNat'_zero_val : (Fin.ofNat' 0 h).val = 0 := Nat.zero_mod _
+
+@[simp] theorem mod_val (a b : Fin n) : (a % b).val = a.val % b.val :=
+  rfl
+
+@[simp] theorem div_val (a b : Fin n) : (a / b).val = a.val / b.val :=
+  rfl
+
+@[simp] theorem modn_val (a : Fin n) (b : Nat) : (a.modn b).val = a.val % b :=
+  rfl
+
+theorem ite_val {n : Nat} {c : Prop} [Decidable c] {x : c → Fin n} (y : ¬c → Fin n) :
+    (if h : c then x h else y h).val = if h : c then (x h).val else (y h).val := by
+  by_cases c <;> simp [*]
+
+theorem dite_val {n : Nat} {c : Prop} [Decidable c] {x y : Fin n} :
+    (if c then x else y).val = if c then x.val else y.val := by
+  by_cases c <;> simp [*]
+
+/-! ### order -/
+
+theorem le_def {a b : Fin n} : a ≤ b ↔ a.1 ≤ b.1 := .rfl
+
+theorem lt_def {a b : Fin n} : a < b ↔ a.1 < b.1 := .rfl
+
+theorem lt_iff_val_lt_val {a b : Fin n} : a < b ↔ a.val < b.val := Iff.rfl
+
+@[simp] protected theorem not_le {a b : Fin n} : ¬ a ≤ b ↔ b < a := Nat.not_le
+
+@[simp] protected theorem not_lt {a b : Fin n} : ¬ a < b ↔ b ≤ a := Nat.not_lt
+
+protected theorem ne_of_lt {a b : Fin n} (h : a < b) : a ≠ b := Fin.ne_of_val_ne (Nat.ne_of_lt h)
+
+protected theorem ne_of_gt {a b : Fin n} (h : a < b) : b ≠ a := Fin.ne_of_val_ne (Nat.ne_of_gt h)
+
+protected theorem le_of_lt {a b : Fin n} (h : a < b) : a ≤ b := Nat.le_of_lt h
+
+theorem is_le (i : Fin (n + 1)) : i ≤ n := Nat.le_of_lt_succ i.is_lt
+
+@[simp] theorem is_le' {a : Fin n} : a ≤ n := Nat.le_of_lt a.is_lt
+
+theorem mk_lt_of_lt_val {b : Fin n} {a : Nat} (h : a < b) :
+    (⟨a, Nat.lt_trans h b.is_lt⟩ : Fin n) < b := h
+
+theorem mk_le_of_le_val {b : Fin n} {a : Nat} (h : a ≤ b) :
+    (⟨a, Nat.lt_of_le_of_lt h b.is_lt⟩ : Fin n) ≤ b := h
+
+@[simp] theorem mk_le_mk {x y : Nat} {hx hy} : (⟨x, hx⟩ : Fin n) ≤ ⟨y, hy⟩ ↔ x ≤ y := .rfl
+
+@[simp] theorem mk_lt_mk {x y : Nat} {hx hy} : (⟨x, hx⟩ : Fin n) < ⟨y, hy⟩ ↔ x < y := .rfl
+
+@[simp] theorem val_zero (n : Nat) : (0 : Fin (n + 1)).1 = 0 := rfl
+
+@[simp] theorem mk_zero : (⟨0, Nat.succ_pos n⟩ : Fin (n + 1)) = 0 := rfl
+
+@[simp] theorem zero_le (a : Fin (n + 1)) : 0 ≤ a := Nat.zero_le a.val
+
+theorem zero_lt_one : (0 : Fin (n + 2)) < 1 := Nat.zero_lt_one
+
+@[simp] theorem not_lt_zero (a : Fin (n + 1)) : ¬a < 0 := nofun
+
+theorem pos_iff_ne_zero {a : Fin (n + 1)} : 0 < a ↔ a ≠ 0 := by
+  rw [lt_def, val_zero, Nat.pos_iff_ne_zero, ← val_ne_iff]; rfl
+
+theorem eq_zero_or_eq_succ {n : Nat} : ∀ i : Fin (n + 1), i = 0 ∨ ∃ j : Fin n, i = j.succ
+  | 0 => .inl rfl
+  | ⟨j + 1, h⟩ => .inr ⟨⟨j, Nat.lt_of_succ_lt_succ h⟩, rfl⟩
+
+theorem eq_succ_of_ne_zero {n : Nat} {i : Fin (n + 1)} (hi : i ≠ 0) : ∃ j : Fin n, i = j.succ :=
+  (eq_zero_or_eq_succ i).resolve_left hi
+
+@[simp] theorem val_rev (i : Fin n) : rev i = n - (i + 1) := rfl
+
+@[simp] theorem rev_rev (i : Fin n) : rev (rev i) = i := ext <| by
+  rw [val_rev, val_rev, ← Nat.sub_sub, Nat.sub_sub_self (by exact i.2), Nat.add_sub_cancel]
+
+@[simp] theorem rev_le_rev {i j : Fin n} : rev i ≤ rev j ↔ j ≤ i := by
+  simp only [le_def, val_rev, Nat.sub_le_sub_iff_left (Nat.succ_le.2 j.is_lt)]
+  exact Nat.succ_le_succ_iff
+
+@[simp] theorem rev_inj {i j : Fin n} : rev i = rev j ↔ i = j :=
+  ⟨fun h => by simpa using congrArg rev h, congrArg _⟩
+
+theorem rev_eq {n a : Nat} (i : Fin (n + 1)) (h : n = a + i) :
+    rev i = ⟨a, Nat.lt_succ_of_le (h ▸ Nat.le_add_right ..)⟩ := by
+  ext; dsimp
+  conv => lhs; congr; rw [h]
+  rw [Nat.add_assoc, Nat.add_sub_cancel]
+
+@[simp] theorem rev_lt_rev {i j : Fin n} : rev i < rev j ↔ j < i := by
+  rw [← Fin.not_le, ← Fin.not_le, rev_le_rev]
+
+@[simp] theorem val_last (n : Nat) : last n = n := rfl
+
+theorem le_last (i : Fin (n + 1)) : i ≤ last n := Nat.le_of_lt_succ i.is_lt
+
+theorem last_pos : (0 : Fin (n + 2)) < last (n + 1) := Nat.succ_pos _
+
+theorem eq_last_of_not_lt {i : Fin (n + 1)} (h : ¬(i : Nat) < n) : i = last n :=
+  ext <| Nat.le_antisymm (le_last i) (Nat.not_lt.1 h)
+
+theorem val_lt_last {i : Fin (n + 1)} : i ≠ last n → (i : Nat) < n :=
+  Decidable.not_imp_comm.1 eq_last_of_not_lt
+
+@[simp] theorem rev_last (n : Nat) : rev (last n) = 0 := ext <| by simp
+
+@[simp] theorem rev_zero (n : Nat) : rev 0 = last n := by
+  rw [← rev_rev (last _), rev_last]
+
+/-! ### addition, numerals, and coercion from Nat -/
+
+@[simp] theorem val_one (n : Nat) : (1 : Fin (n + 2)).val = 1 := rfl
+
+@[simp] theorem mk_one : (⟨1, Nat.succ_lt_succ (Nat.succ_pos n)⟩ : Fin (n + 2)) = (1 : Fin _) := rfl
+
+theorem subsingleton_iff_le_one : Subsingleton (Fin n) ↔ n ≤ 1 := by
+  (match n with | 0 | 1 | n+2 => ?_) <;> try simp
+  · exact ⟨nofun⟩
+  · exact ⟨fun ⟨0, _⟩ ⟨0, _⟩ => rfl⟩
+  · exact iff_of_false (fun h => Fin.ne_of_lt zero_lt_one (h.elim ..)) (of_decide_eq_false rfl)
+
+instance subsingleton_zero : Subsingleton (Fin 0) := subsingleton_iff_le_one.2 (by decide)
+
+instance subsingleton_one : Subsingleton (Fin 1) := subsingleton_iff_le_one.2 (by decide)
+
+theorem fin_one_eq_zero (a : Fin 1) : a = 0 := Subsingleton.elim a 0
+
+theorem add_def (a b : Fin n) : a + b = Fin.mk ((a + b) % n) (Nat.mod_lt _ a.size_pos) := rfl
+
+theorem val_add (a b : Fin n) : (a + b).val = (a.val + b.val) % n := rfl
+
+theorem val_add_one_of_lt {n : Nat} {i : Fin n.succ} (h : i < last _) : (i + 1).1 = i + 1 := by
+  match n with
+  | 0 => cases h
+  | n+1 => rw [val_add, val_one, Nat.mod_eq_of_lt (by exact Nat.succ_lt_succ h)]
+
+@[simp] theorem last_add_one : ∀ n, last n + 1 = 0
+  | 0 => rfl
+  | n + 1 => by ext; rw [val_add, val_zero, val_last, val_one, Nat.mod_self]
+
+theorem val_add_one {n : Nat} (i : Fin (n + 1)) :
+    ((i + 1 : Fin (n + 1)) : Nat) = if i = last _ then (0 : Nat) else i + 1 := by
+  match Nat.eq_or_lt_of_le (le_last i) with
+  | .inl h => cases Fin.eq_of_val_eq h; simp
+  | .inr h => simpa [Fin.ne_of_lt h] using val_add_one_of_lt h
+
+@[simp] theorem val_two {n : Nat} : (2 : Fin (n + 3)).val = 2 := rfl
+
+theorem add_one_pos (i : Fin (n + 1)) (h : i < Fin.last n) : (0 : Fin (n + 1)) < i + 1 := by
+  match n with
+  | 0 => cases h
+  | n+1 =>
+    rw [Fin.lt_def, val_last, ← Nat.add_lt_add_iff_right] at h
+    rw [Fin.lt_def, val_add, val_zero, val_one, Nat.mod_eq_of_lt h]
+    exact Nat.zero_lt_succ _
+
+theorem one_pos : (0 : Fin (n + 2)) < 1 := Nat.succ_pos 0
+
+theorem zero_ne_one : (0 : Fin (n + 2)) ≠ 1 := Fin.ne_of_lt one_pos
+
+/-! ### succ and casts into larger Fin types -/
+
+@[simp] theorem val_succ (j : Fin n) : (j.succ : Nat) = j + 1 := rfl
+
+@[simp] theorem succ_pos (a : Fin n) : (0 : Fin (n + 1)) < a.succ := by
+  simp [Fin.lt_def, Nat.succ_pos]
+
+@[simp] theorem succ_le_succ_iff {a b : Fin n} : a.succ ≤ b.succ ↔ a ≤ b := Nat.succ_le_succ_iff
+
+@[simp] theorem succ_lt_succ_iff {a b : Fin n} : a.succ < b.succ ↔ a < b := Nat.succ_lt_succ_iff
+
+@[simp] theorem succ_inj {a b : Fin n} : a.succ = b.succ ↔ a = b := by
+  refine ⟨fun h => ext ?_, congrArg _⟩
+  apply Nat.le_antisymm <;> exact succ_le_succ_iff.1 (h ▸ Nat.le_refl _)
+
+theorem succ_ne_zero {n} : ∀ k : Fin n, Fin.succ k ≠ 0
+  | ⟨k, _⟩, heq => Nat.succ_ne_zero k <| ext_iff.1 heq
+
+@[simp] theorem succ_zero_eq_one : Fin.succ (0 : Fin (n + 1)) = 1 := rfl
+
+/-- Version of `succ_one_eq_two` to be used by `dsimp` -/
+@[simp] theorem succ_one_eq_two : Fin.succ (1 : Fin (n + 2)) = 2 := rfl
+
+@[simp] theorem succ_mk (n i : Nat) (h : i < n) :
+    Fin.succ ⟨i, h⟩ = ⟨i + 1, Nat.succ_lt_succ h⟩ := rfl
+
+theorem mk_succ_pos (i : Nat) (h : i < n) :
+    (0 : Fin (n + 1)) < ⟨i.succ, Nat.add_lt_add_right h 1⟩ := by
+  rw [lt_def, val_zero]; exact Nat.succ_pos i
+
+theorem one_lt_succ_succ (a : Fin n) : (1 : Fin (n + 2)) < a.succ.succ := by
+  let n+1 := n
+  rw [← succ_zero_eq_one, succ_lt_succ_iff]; exact succ_pos a
+
+@[simp] theorem add_one_lt_iff {n : Nat} {k : Fin (n + 2)} : k + 1 < k ↔ k = last _ := by
+  simp only [lt_def, val_add, val_last, ext_iff]
+  let ⟨k, hk⟩ := k
+  match Nat.eq_or_lt_of_le (Nat.le_of_lt_succ hk) with
+  | .inl h => cases h; simp [Nat.succ_pos]
+  | .inr hk' => simp [Nat.ne_of_lt hk', Nat.mod_eq_of_lt (Nat.succ_lt_succ hk'), Nat.le_succ]
+
+@[simp] theorem add_one_le_iff {n : Nat} : ∀ {k : Fin (n + 1)}, k + 1 ≤ k ↔ k = last _ := by
+  match n with
+  | 0 =>
+    intro (k : Fin 1)
+    exact iff_of_true (Subsingleton.elim (α := Fin 1) (k+1) _ ▸ Nat.le_refl _) (fin_one_eq_zero ..)
+  | n + 1 =>
+    intro (k : Fin (n+2))
+    rw [← add_one_lt_iff, lt_def, le_def, Nat.lt_iff_le_and_ne, and_iff_left]
+    rw [val_add_one]
+    split <;> simp [*, (Nat.succ_ne_zero _).symm, Nat.ne_of_gt (Nat.lt_succ_self _)]
+
+@[simp] theorem last_le_iff {n : Nat} {k : Fin (n + 1)} : last n ≤ k ↔ k = last n := by
+  rw [ext_iff, Nat.le_antisymm_iff, le_def, and_iff_right (by apply le_last)]
+
+@[simp] theorem lt_add_one_iff {n : Nat} {k : Fin (n + 1)} : k < k + 1 ↔ k < last n := by
+  rw [← Decidable.not_iff_not]; simp
+
+@[simp] theorem le_zero_iff {n : Nat} {k : Fin (n + 1)} : k ≤ 0 ↔ k = 0 :=
+  ⟨fun h => Fin.eq_of_val_eq <| Nat.eq_zero_of_le_zero h, (· ▸ Nat.le_refl _)⟩
+
+theorem succ_succ_ne_one (a : Fin n) : Fin.succ (Fin.succ a) ≠ 1 :=
+  Fin.ne_of_gt (one_lt_succ_succ a)
+
+@[simp] theorem coe_castLT (i : Fin m) (h : i.1 < n) : (castLT i h : Nat) = i := rfl
+
+@[simp] theorem castLT_mk (i n m : Nat) (hn : i < n) (hm : i < m) : castLT ⟨i, hn⟩ hm = ⟨i, hm⟩ :=
+  rfl
+
+@[simp] theorem coe_castLE (h : n ≤ m) (i : Fin n) : (castLE h i : Nat) = i := rfl
+
+@[simp] theorem castLE_mk (i n m : Nat) (hn : i < n) (h : n ≤ m) :
+    castLE h ⟨i, hn⟩ = ⟨i, Nat.lt_of_lt_of_le hn h⟩ := rfl
+
+@[simp] theorem castLE_zero {n m : Nat} (h : n.succ ≤ m.succ) : castLE h 0 = 0 := by simp [ext_iff]
+
+@[simp] theorem castLE_succ {m n : Nat} (h : m + 1 ≤ n + 1) (i : Fin m) :
+    castLE h i.succ = (castLE (Nat.succ_le_succ_iff.mp h) i).succ := by simp [ext_iff]
+
+@[simp] theorem castLE_castLE {k m n} (km : k ≤ m) (mn : m ≤ n) (i : Fin k) :
+    Fin.castLE mn (Fin.castLE km i) = Fin.castLE (Nat.le_trans km mn) i :=
+  Fin.ext (by simp only [coe_castLE])
+
+@[simp] theorem castLE_comp_castLE {k m n} (km : k ≤ m) (mn : m ≤ n) :
+    Fin.castLE mn ∘ Fin.castLE km = Fin.castLE (Nat.le_trans km mn) :=
+  funext (castLE_castLE km mn)
+
+@[simp] theorem coe_cast (h : n = m) (i : Fin n) : (cast h i : Nat) = i := rfl
+
+@[simp] theorem cast_last {n' : Nat} {h : n + 1 = n' + 1} : cast h (last n) = last n' :=
+  ext (by rw [coe_cast, val_last, val_last, Nat.succ.inj h])
+
+@[simp] theorem cast_mk (h : n = m) (i : Nat) (hn : i < n) : cast h ⟨i, hn⟩ = ⟨i, h ▸ hn⟩ := rfl
+
+@[simp] theorem cast_trans {k : Nat} (h : n = m) (h' : m = k) {i : Fin n} :
+    cast h' (cast h i) = cast (Eq.trans h h') i := rfl
+
+theorem castLE_of_eq {m n : Nat} (h : m = n) {h' : m ≤ n} : castLE h' = Fin.cast h := rfl
+
+@[simp] theorem coe_castAdd (m : Nat) (i : Fin n) : (castAdd m i : Nat) = i := rfl
+
+@[simp] theorem castAdd_zero : (castAdd 0 : Fin n → Fin (n + 0)) = cast rfl := rfl
+
+theorem castAdd_lt {m : Nat} (n : Nat) (i : Fin m) : (castAdd n i : Nat) < m := by simp
+
+@[simp] theorem castAdd_mk (m : Nat) (i : Nat) (h : i < n) :
+    castAdd m ⟨i, h⟩ = ⟨i, Nat.lt_add_right m h⟩ := rfl
+
+@[simp] theorem castAdd_castLT (m : Nat) (i : Fin (n + m)) (hi : i.val < n) :
+    castAdd m (castLT i hi) = i := rfl
+
+@[simp] theorem castLT_castAdd (m : Nat) (i : Fin n) :
+    castLT (castAdd m i) (castAdd_lt m i) = i := rfl
+
+/-- For rewriting in the reverse direction, see `Fin.cast_castAdd_left`. -/
+theorem castAdd_cast {n n' : Nat} (m : Nat) (i : Fin n') (h : n' = n) :
+    castAdd m (Fin.cast h i) = Fin.cast (congrArg (. + m) h) (castAdd m i) := ext rfl
+
+theorem cast_castAdd_left {n n' m : Nat} (i : Fin n') (h : n' + m = n + m) :
+    cast h (castAdd m i) = castAdd m (cast (Nat.add_right_cancel h) i) := rfl
+
+@[simp] theorem cast_castAdd_right {n m m' : Nat} (i : Fin n) (h : n + m' = n + m) :
+    cast h (castAdd m' i) = castAdd m i := rfl
+
+theorem castAdd_castAdd {m n p : Nat} (i : Fin m) :
+    castAdd p (castAdd n i) = cast (Nat.add_assoc ..).symm (castAdd (n + p) i) := rfl
+
+/-- The cast of the successor is the successor of the cast. See `Fin.succ_cast_eq` for rewriting in
+the reverse direction. -/
+@[simp] theorem cast_succ_eq {n' : Nat} (i : Fin n) (h : n.succ = n'.succ) :
+    cast h i.succ = (cast (Nat.succ.inj h) i).succ := rfl
+
+theorem succ_cast_eq {n' : Nat} (i : Fin n) (h : n = n') :
+    (cast h i).succ = cast (by rw [h]) i.succ := rfl
+
+@[simp] theorem coe_castSucc (i : Fin n) : (Fin.castSucc i : Nat) = i := rfl
+
+@[simp] theorem castSucc_mk (n i : Nat) (h : i < n) : castSucc ⟨i, h⟩ = ⟨i, Nat.lt.step h⟩ := rfl
+
+@[simp] theorem cast_castSucc {n' : Nat} {h : n + 1 = n' + 1} {i : Fin n} :
+    cast h (castSucc i) = castSucc (cast (Nat.succ.inj h) i) := rfl
+
+theorem castSucc_lt_succ (i : Fin n) : Fin.castSucc i < i.succ :=
+  lt_def.2 <| by simp only [coe_castSucc, val_succ, Nat.lt_succ_self]
+
+theorem le_castSucc_iff {i : Fin (n + 1)} {j : Fin n} : i ≤ Fin.castSucc j ↔ i < j.succ := by
+  simpa [lt_def, le_def] using Nat.succ_le_succ_iff.symm
+
+theorem castSucc_lt_iff_succ_le {n : Nat} {i : Fin n} {j : Fin (n + 1)} :
+    Fin.castSucc i < j ↔ i.succ ≤ j := .rfl
+
+@[simp] theorem succ_last (n : Nat) : (last n).succ = last n.succ := rfl
+
+@[simp] theorem succ_eq_last_succ {n : Nat} (i : Fin n.succ) :
+    i.succ = last (n + 1) ↔ i = last n := by rw [← succ_last, succ_inj]
+
+@[simp] theorem castSucc_castLT (i : Fin (n + 1)) (h : (i : Nat) < n) :
+    castSucc (castLT i h) = i := rfl
+
+@[simp] theorem castLT_castSucc {n : Nat} (a : Fin n) (h : (a : Nat) < n) :
+    castLT (castSucc a) h = a := rfl
+
+@[simp] theorem castSucc_lt_castSucc_iff {a b : Fin n} :
+    Fin.castSucc a < Fin.castSucc b ↔ a < b := .rfl
+
+theorem castSucc_inj {a b : Fin n} : castSucc a = castSucc b ↔ a = b := by simp [ext_iff]
+
+theorem castSucc_lt_last (a : Fin n) : castSucc a < last n := a.is_lt
+
+@[simp] theorem castSucc_zero : castSucc (0 : Fin (n + 1)) = 0 := rfl
+
+@[simp] theorem castSucc_one {n : Nat} : castSucc (1 : Fin (n + 2)) = 1 := rfl
+
+/-- `castSucc i` is positive when `i` is positive -/
+theorem castSucc_pos {i : Fin (n + 1)} (h : 0 < i) : 0 < castSucc i := by
+  simpa [lt_def] using h
+
+@[simp] theorem castSucc_eq_zero_iff (a : Fin (n + 1)) : castSucc a = 0 ↔ a = 0 := by simp [ext_iff]
+
+theorem castSucc_ne_zero_iff (a : Fin (n + 1)) : castSucc a ≠ 0 ↔ a ≠ 0 :=
+  not_congr <| castSucc_eq_zero_iff a
+
+theorem castSucc_fin_succ (n : Nat) (j : Fin n) :
+    castSucc (Fin.succ j) = Fin.succ (castSucc j) := by simp [Fin.ext_iff]
+
+@[simp]
+theorem coeSucc_eq_succ {a : Fin n} : castSucc a + 1 = a.succ := by
+  cases n
+  · exact a.elim0
+  · simp [ext_iff, add_def, Nat.mod_eq_of_lt (Nat.succ_lt_succ a.is_lt)]
+
+theorem lt_succ {a : Fin n} : castSucc a < a.succ := by
+  rw [castSucc, lt_def, coe_castAdd, val_succ]; exact Nat.lt_succ_self a.val
+
+theorem exists_castSucc_eq {n : Nat} {i : Fin (n + 1)} : (∃ j, castSucc j = i) ↔ i ≠ last n :=
+  ⟨fun ⟨j, hj⟩ => hj ▸ Fin.ne_of_lt j.castSucc_lt_last,
+   fun hi => ⟨i.castLT <| Fin.val_lt_last hi, rfl⟩⟩
+
+theorem succ_castSucc {n : Nat} (i : Fin n) : i.castSucc.succ = castSucc i.succ := rfl
+
+@[simp] theorem coe_addNat (m : Nat) (i : Fin n) : (addNat i m : Nat) = i + m := rfl
+
+@[simp] theorem addNat_one {i : Fin n} : addNat i 1 = i.succ := rfl
+
+theorem le_coe_addNat (m : Nat) (i : Fin n) : m ≤ addNat i m :=
+  Nat.le_add_left _ _
+
+@[simp] theorem addNat_mk (n i : Nat) (hi : i < m) :
+    addNat ⟨i, hi⟩ n = ⟨i + n, Nat.add_lt_add_right hi n⟩ := rfl
+
+@[simp] theorem cast_addNat_zero {n n' : Nat} (i : Fin n) (h : n + 0 = n') :
+    cast h (addNat i 0) = cast ((Nat.add_zero _).symm.trans h) i := rfl
+
+/-- For rewriting in the reverse direction, see `Fin.cast_addNat_left`. -/
+theorem addNat_cast {n n' m : Nat} (i : Fin n') (h : n' = n) :
+    addNat (cast h i) m = cast (congrArg (. + m) h) (addNat i m) := rfl
+
+theorem cast_addNat_left {n n' m : Nat} (i : Fin n') (h : n' + m = n + m) :
+    cast h (addNat i m) = addNat (cast (Nat.add_right_cancel h) i) m := rfl
+
+@[simp] theorem cast_addNat_right {n m m' : Nat} (i : Fin n) (h : n + m' = n + m) :
+    cast h (addNat i m') = addNat i m :=
+  ext <| (congrArg ((· + ·) (i : Nat)) (Nat.add_left_cancel h) : _)
+
+@[simp] theorem coe_natAdd (n : Nat) {m : Nat} (i : Fin m) : (natAdd n i : Nat) = n + i := rfl
+
+@[simp] theorem natAdd_mk (n i : Nat) (hi : i < m) :
+    natAdd n ⟨i, hi⟩ = ⟨n + i, Nat.add_lt_add_left hi n⟩ := rfl
+
+theorem le_coe_natAdd (m : Nat) (i : Fin n) : m ≤ natAdd m i := Nat.le_add_right ..
+
+theorem natAdd_zero {n : Nat} : natAdd 0 = cast (Nat.zero_add n).symm := by ext; simp
+
+/-- For rewriting in the reverse direction, see `Fin.cast_natAdd_right`. -/
+theorem natAdd_cast {n n' : Nat} (m : Nat) (i : Fin n') (h : n' = n) :
+    natAdd m (cast h i) = cast (congrArg _ h) (natAdd m i) := rfl
+
+theorem cast_natAdd_right {n n' m : Nat} (i : Fin n') (h : m + n' = m + n) :
+    cast h (natAdd m i) = natAdd m (cast (Nat.add_left_cancel h) i) := rfl
+
+@[simp] theorem cast_natAdd_left {n m m' : Nat} (i : Fin n) (h : m' + n = m + n) :
+    cast h (natAdd m' i) = natAdd m i :=
+  ext <| (congrArg (· + (i : Nat)) (Nat.add_right_cancel h) : _)
+
+theorem castAdd_natAdd (p m : Nat) {n : Nat} (i : Fin n) :
+    castAdd p (natAdd m i) = cast (Nat.add_assoc ..).symm (natAdd m (castAdd p i)) := rfl
+
+theorem natAdd_castAdd (p m : Nat) {n : Nat} (i : Fin n) :
+    natAdd m (castAdd p i) = cast (Nat.add_assoc ..) (castAdd p (natAdd m i)) := rfl
+
+theorem natAdd_natAdd (m n : Nat) {p : Nat} (i : Fin p) :
+    natAdd m (natAdd n i) = cast (Nat.add_assoc ..) (natAdd (m + n) i) :=
+  ext <| (Nat.add_assoc ..).symm
+
+@[simp]
+theorem cast_natAdd_zero {n n' : Nat} (i : Fin n) (h : 0 + n = n') :
+    cast h (natAdd 0 i) = cast ((Nat.zero_add _).symm.trans h) i :=
+  ext <| Nat.zero_add _
+
+@[simp]
+theorem cast_natAdd (n : Nat) {m : Nat} (i : Fin m) :
+    cast (Nat.add_comm ..) (natAdd n i) = addNat i n := ext <| Nat.add_comm ..
+
+@[simp]
+theorem cast_addNat {n : Nat} (m : Nat) (i : Fin n) :
+    cast (Nat.add_comm ..) (addNat i m) = natAdd m i := ext <| Nat.add_comm ..
+
+@[simp] theorem natAdd_last {m n : Nat} : natAdd n (last m) = last (n + m) := rfl
+
+theorem natAdd_castSucc {m n : Nat} {i : Fin m} : natAdd n (castSucc i) = castSucc (natAdd n i) :=
+  rfl
+
+theorem rev_castAdd (k : Fin n) (m : Nat) : rev (castAdd m k) = addNat (rev k) m := ext <| by
+  rw [val_rev, coe_castAdd, coe_addNat, val_rev, Nat.sub_add_comm (Nat.succ_le_of_lt k.is_lt)]
+
+theorem rev_addNat (k : Fin n) (m : Nat) : rev (addNat k m) = castAdd m (rev k) := by
+  rw [← rev_rev (castAdd ..), rev_castAdd, rev_rev]
+
+theorem rev_castSucc (k : Fin n) : rev (castSucc k) = succ (rev k) := k.rev_castAdd 1
+
+theorem rev_succ (k : Fin n) : rev (succ k) = castSucc (rev k) := k.rev_addNat 1
+
+/-! ### pred -/
+
+@[simp] theorem coe_pred (j : Fin (n + 1)) (h : j ≠ 0) : (j.pred h : Nat) = j - 1 := rfl
+
+@[simp] theorem succ_pred : ∀ (i : Fin (n + 1)) (h : i ≠ 0), (i.pred h).succ = i
+  | ⟨0, h⟩, hi => by simp only [mk_zero, ne_eq, not_true] at hi
+  | ⟨n + 1, h⟩, hi => rfl
+
+@[simp]
+theorem pred_succ (i : Fin n) {h : i.succ ≠ 0} : i.succ.pred h = i := by
+  cases i
+  rfl
+
+theorem pred_eq_iff_eq_succ {n : Nat} (i : Fin (n + 1)) (hi : i ≠ 0) (j : Fin n) :
+    i.pred hi = j ↔ i = j.succ :=
+  ⟨fun h => by simp only [← h, Fin.succ_pred], fun h => by simp only [h, Fin.pred_succ]⟩
+
+theorem pred_mk_succ (i : Nat) (h : i < n + 1) :
+    Fin.pred ⟨i + 1, Nat.add_lt_add_right h 1⟩ (ne_of_val_ne (Nat.ne_of_gt (mk_succ_pos i h))) =
+      ⟨i, h⟩ := by
+  simp only [ext_iff, coe_pred, Nat.add_sub_cancel]
+
+@[simp] theorem pred_mk_succ' (i : Nat) (h₁ : i + 1 < n + 1 + 1) (h₂) :
+    Fin.pred ⟨i + 1, h₁⟩ h₂ = ⟨i, Nat.lt_of_succ_lt_succ h₁⟩ := pred_mk_succ i _
+
+-- This is not a simp theorem by default, because `pred_mk_succ` is nicer when it applies.
+theorem pred_mk {n : Nat} (i : Nat) (h : i < n + 1) (w) : Fin.pred ⟨i, h⟩ w =
+    ⟨i - 1, Nat.sub_lt_right_of_lt_add (Nat.pos_iff_ne_zero.2 (Fin.val_ne_of_ne w)) h⟩ :=
+  rfl
+
+@[simp] theorem pred_le_pred_iff {n : Nat} {a b : Fin n.succ} {ha : a ≠ 0} {hb : b ≠ 0} :
+    a.pred ha ≤ b.pred hb ↔ a ≤ b := by rw [← succ_le_succ_iff, succ_pred, succ_pred]
+
+@[simp] theorem pred_lt_pred_iff {n : Nat} {a b : Fin n.succ} {ha : a ≠ 0} {hb : b ≠ 0} :
+    a.pred ha < b.pred hb ↔ a < b := by rw [← succ_lt_succ_iff, succ_pred, succ_pred]
+
+@[simp] theorem pred_inj :
+    ∀ {a b : Fin (n + 1)} {ha : a ≠ 0} {hb : b ≠ 0}, a.pred ha = b.pred hb ↔ a = b
+  | ⟨0, _⟩, _, ha, _ => by simp only [mk_zero, ne_eq, not_true] at ha
+  | ⟨i + 1, _⟩, ⟨0, _⟩, _, hb => by simp only [mk_zero, ne_eq, not_true] at hb
+  | ⟨i + 1, hi⟩, ⟨j + 1, hj⟩, ha, hb => by simp [ext_iff]
+
+@[simp] theorem pred_one {n : Nat} :
+    Fin.pred (1 : Fin (n + 2)) (Ne.symm (Fin.ne_of_lt one_pos)) = 0 := rfl
+
+theorem pred_add_one (i : Fin (n + 2)) (h : (i : Nat) < n + 1) :
+    pred (i + 1) (Fin.ne_of_gt (add_one_pos _ (lt_def.2 h))) = castLT i h := by
+  rw [ext_iff, coe_pred, coe_castLT, val_add, val_one, Nat.mod_eq_of_lt, Nat.add_sub_cancel]
+  exact Nat.add_lt_add_right h 1
+
+@[simp] theorem coe_subNat (i : Fin (n + m)) (h : m ≤ i) : (i.subNat m h : Nat) = i - m := rfl
+
+@[simp] theorem subNat_mk {i : Nat} (h₁ : i < n + m) (h₂ : m ≤ i) :
+    subNat m ⟨i, h₁⟩ h₂ = ⟨i - m, Nat.sub_lt_right_of_lt_add h₂ h₁⟩ := rfl
+
+@[simp] theorem pred_castSucc_succ (i : Fin n) :
+    pred (castSucc i.succ) (Fin.ne_of_gt (castSucc_pos i.succ_pos)) = castSucc i := rfl
+
+@[simp] theorem addNat_subNat {i : Fin (n + m)} (h : m ≤ i) : addNat (subNat m i h) m = i :=
+  ext <| Nat.sub_add_cancel h
+
+@[simp] theorem subNat_addNat (i : Fin n) (m : Nat) (h : m ≤ addNat i m := le_coe_addNat m i) :
+    subNat m (addNat i m) h = i := ext <| Nat.add_sub_cancel i m
+
+@[simp] theorem natAdd_subNat_cast {i : Fin (n + m)} (h : n ≤ i) :
+    natAdd n (subNat n (cast (Nat.add_comm ..) i) h) = i := by simp [← cast_addNat]; rfl
+
+/-! ### recursion and induction principles -/
+
+/-- Define `motive n i` by induction on `i : Fin n` interpreted as `(0 : Fin (n - i)).succ.succ…`.
+This function has two arguments: `zero n` defines `0`-th element `motive (n+1) 0` of an
+`(n+1)`-tuple, and `succ n i` defines `(i+1)`-st element of `(n+1)`-tuple based on `n`, `i`, and
+`i`-th element of `n`-tuple. -/
+-- FIXME: Performance review
+@[elab_as_elim] def succRec {motive : ∀ n, Fin n → Sort _}
+    (zero : ∀ n, motive n.succ (0 : Fin (n + 1)))
+    (succ : ∀ n i, motive n i → motive n.succ i.succ) : ∀ {n : Nat} (i : Fin n), motive n i
+  | 0, i => i.elim0
+  | Nat.succ n, ⟨0, _⟩ => by rw [mk_zero]; exact zero n
+  | Nat.succ _, ⟨Nat.succ i, h⟩ => succ _ _ (succRec zero succ ⟨i, Nat.lt_of_succ_lt_succ h⟩)
+
+/-- Define `motive n i` by induction on `i : Fin n` interpreted as `(0 : Fin (n - i)).succ.succ…`.
+This function has two arguments:
+`zero n` defines the `0`-th element `motive (n+1) 0` of an `(n+1)`-tuple, and
+`succ n i` defines the `(i+1)`-st element of an `(n+1)`-tuple based on `n`, `i`,
+and the `i`-th element of an `n`-tuple.
+
+A version of `Fin.succRec` taking `i : Fin n` as the first argument. -/
+-- FIXME: Performance review
+@[elab_as_elim] def succRecOn {n : Nat} (i : Fin n) {motive : ∀ n, Fin n → Sort _}
+    (zero : ∀ n, motive (n + 1) 0) (succ : ∀ n i, motive n i → motive (Nat.succ n) i.succ) :
+    motive n i := i.succRec zero succ
+
+@[simp] theorem succRecOn_zero {motive : ∀ n, Fin n → Sort _} {zero succ} (n) :
+    @Fin.succRecOn (n + 1) 0 motive zero succ = zero n := by
+  cases n <;> rfl
+
+@[simp] theorem succRecOn_succ {motive : ∀ n, Fin n → Sort _} {zero succ} {n} (i : Fin n) :
+    @Fin.succRecOn (n + 1) i.succ motive zero succ = succ n i (Fin.succRecOn i zero succ) := by
+  cases i; rfl
+
+/-- Define `motive i` by induction on `i : Fin (n + 1)` via induction on the underlying `Nat` value.
+This function has two arguments: `zero` handles the base case on `motive 0`,
+and `succ` defines the inductive step using `motive i.castSucc`.
+-/
+-- FIXME: Performance review
+@[elab_as_elim] def induction {motive : Fin (n + 1) → Sort _} (zero : motive 0)
+    (succ : ∀ i : Fin n, motive (castSucc i) → motive i.succ) :
+    ∀ i : Fin (n + 1), motive i
+  | ⟨0, hi⟩ => by rwa [Fin.mk_zero]
+  | ⟨i+1, hi⟩ => succ ⟨i, Nat.lt_of_succ_lt_succ hi⟩ (induction zero succ ⟨i, Nat.lt_of_succ_lt hi⟩)
+
+@[simp] theorem induction_zero {motive : Fin (n + 1) → Sort _} (zero : motive 0)
+    (hs : ∀ i : Fin n, motive (castSucc i) → motive i.succ) :
+    (induction zero hs : ∀ i : Fin (n + 1), motive i) 0 = zero := rfl
+
+@[simp] theorem induction_succ {motive : Fin (n + 1) → Sort _} (zero : motive 0)
+    (succ : ∀ i : Fin n, motive (castSucc i) → motive i.succ) (i : Fin n) :
+    induction (motive := motive) zero succ i.succ = succ i (induction zero succ (castSucc i)) := rfl
+
+/-- Define `motive i` by induction on `i : Fin (n + 1)` via induction on the underlying `Nat` value.
+This function has two arguments: `zero` handles the base case on `motive 0`,
+and `succ` defines the inductive step using `motive i.castSucc`.
+
+A version of `Fin.induction` taking `i : Fin (n + 1)` as the first argument.
+-/
+-- FIXME: Performance review
+@[elab_as_elim] def inductionOn (i : Fin (n + 1)) {motive : Fin (n + 1) → Sort _} (zero : motive 0)
+    (succ : ∀ i : Fin n, motive (castSucc i) → motive i.succ) : motive i := induction zero succ i
+
+/-- Define `f : Π i : Fin n.succ, motive i` by separately handling the cases `i = 0` and
+`i = j.succ`, `j : Fin n`. -/
+@[elab_as_elim] def cases {motive : Fin (n + 1) → Sort _}
+    (zero : motive 0) (succ : ∀ i : Fin n, motive i.succ) :
+    ∀ i : Fin (n + 1), motive i := induction zero fun i _ => succ i
+
+@[simp] theorem cases_zero {n} {motive : Fin (n + 1) → Sort _} {zero succ} :
+    @Fin.cases n motive zero succ 0 = zero := rfl
+
+@[simp] theorem cases_succ {n} {motive : Fin (n + 1) → Sort _} {zero succ} (i : Fin n) :
+    @Fin.cases n motive zero succ i.succ = succ i := rfl
+
+@[simp] theorem cases_succ' {n} {motive : Fin (n + 1) → Sort _} {zero succ}
+    {i : Nat} (h : i + 1 < n + 1) :
+    @Fin.cases n motive zero succ ⟨i.succ, h⟩ = succ ⟨i, Nat.lt_of_succ_lt_succ h⟩ := rfl
+
+theorem forall_fin_succ {P : Fin (n + 1) → Prop} : (∀ i, P i) ↔ P 0 ∧ ∀ i : Fin n, P i.succ :=
+  ⟨fun H => ⟨H 0, fun _ => H _⟩, fun ⟨H0, H1⟩ i => Fin.cases H0 H1 i⟩
+
+theorem exists_fin_succ {P : Fin (n + 1) → Prop} : (∃ i, P i) ↔ P 0 ∨ ∃ i : Fin n, P i.succ :=
+  ⟨fun ⟨i, h⟩ => Fin.cases Or.inl (fun i hi => Or.inr ⟨i, hi⟩) i h, fun h =>
+    (h.elim fun h => ⟨0, h⟩) fun ⟨i, hi⟩ => ⟨i.succ, hi⟩⟩
+
+theorem forall_fin_one {p : Fin 1 → Prop} : (∀ i, p i) ↔ p 0 :=
+  ⟨fun h => h _, fun h i => Subsingleton.elim i 0 ▸ h⟩
+
+theorem exists_fin_one {p : Fin 1 → Prop} : (∃ i, p i) ↔ p 0 :=
+  ⟨fun ⟨i, h⟩ => Subsingleton.elim i 0 ▸ h, fun h => ⟨_, h⟩⟩
+
+theorem forall_fin_two {p : Fin 2 → Prop} : (∀ i, p i) ↔ p 0 ∧ p 1 :=
+  forall_fin_succ.trans <| and_congr_right fun _ => forall_fin_one
+
+theorem exists_fin_two {p : Fin 2 → Prop} : (∃ i, p i) ↔ p 0 ∨ p 1 :=
+  exists_fin_succ.trans <| or_congr_right exists_fin_one
+
+theorem fin_two_eq_of_eq_zero_iff : ∀ {a b : Fin 2}, (a = 0 ↔ b = 0) → a = b := by
+  simp only [forall_fin_two]; decide
+
+/--
+Define `motive i` by reverse induction on `i : Fin (n + 1)` via induction on the underlying `Nat`
+value. This function has two arguments: `last` handles the base case on `motive (Fin.last n)`,
+and `cast` defines the inductive step using `motive i.succ`, inducting downwards.
+-/
+@[elab_as_elim] def reverseInduction {motive : Fin (n + 1) → Sort _} (last : motive (Fin.last n))
+    (cast : ∀ i : Fin n, motive i.succ → motive (castSucc i)) (i : Fin (n + 1)) : motive i :=
+  if hi : i = Fin.last n then _root_.cast (congrArg motive hi.symm) last
+  else
+    let j : Fin n := ⟨i, Nat.lt_of_le_of_ne (Nat.le_of_lt_succ i.2) fun h => hi (Fin.ext h)⟩
+    cast _ (reverseInduction last cast j.succ)
+termination_by n + 1 - i
+decreasing_by decreasing_with
+  -- FIXME: we put the proof down here to avoid getting a dummy `have` in the definition
+  exact Nat.add_sub_add_right .. ▸ Nat.sub_lt_sub_left i.2 (Nat.lt_succ_self i)
+
+@[simp] theorem reverseInduction_last {n : Nat} {motive : Fin (n + 1) → Sort _} {zero succ} :
+    (reverseInduction zero succ (Fin.last n) : motive (Fin.last n)) = zero := by
+  rw [reverseInduction]; simp; rfl
+
+@[simp] theorem reverseInduction_castSucc {n : Nat} {motive : Fin (n + 1) → Sort _} {zero succ}
+    (i : Fin n) : reverseInduction (motive := motive) zero succ (castSucc i) =
+      succ i (reverseInduction zero succ i.succ) := by
+  rw [reverseInduction, dif_neg (Fin.ne_of_lt (Fin.castSucc_lt_last i))]; rfl
+
+/-- Define `f : Π i : Fin n.succ, motive i` by separately handling the cases `i = Fin.last n` and
+`i = j.castSucc`, `j : Fin n`. -/
+@[elab_as_elim] def lastCases {n : Nat} {motive : Fin (n + 1) → Sort _} (last : motive (Fin.last n))
+    (cast : ∀ i : Fin n, motive (castSucc i)) (i : Fin (n + 1)) : motive i :=
+  reverseInduction last (fun i _ => cast i) i
+
+@[simp] theorem lastCases_last {n : Nat} {motive : Fin (n + 1) → Sort _} {last cast} :
+    (Fin.lastCases last cast (Fin.last n) : motive (Fin.last n)) = last :=
+  reverseInduction_last ..
+
+@[simp] theorem lastCases_castSucc {n : Nat} {motive : Fin (n + 1) → Sort _} {last cast}
+    (i : Fin n) : (Fin.lastCases last cast (Fin.castSucc i) : motive (Fin.castSucc i)) = cast i :=
+  reverseInduction_castSucc ..
+
+/-- Define `f : Π i : Fin (m + n), motive i` by separately handling the cases `i = castAdd n i`,
+`j : Fin m` and `i = natAdd m j`, `j : Fin n`. -/
+@[elab_as_elim] def addCases {m n : Nat} {motive : Fin (m + n) → Sort u}
+    (left : ∀ i, motive (castAdd n i)) (right : ∀ i, motive (natAdd m i))
+    (i : Fin (m + n)) : motive i :=
+  if hi : (i : Nat) < m then (castAdd_castLT n i hi) ▸ (left (castLT i hi))
+  else (natAdd_subNat_cast (Nat.le_of_not_lt hi)) ▸ (right _)
+
+@[simp] theorem addCases_left {m n : Nat} {motive : Fin (m + n) → Sort _} {left right} (i : Fin m) :
+    addCases (motive := motive) left right (Fin.castAdd n i) = left i := by
+  rw [addCases, dif_pos (castAdd_lt _ _)]; rfl
+
+@[simp]
+theorem addCases_right {m n : Nat} {motive : Fin (m + n) → Sort _} {left right} (i : Fin n) :
+    addCases (motive := motive) left right (natAdd m i) = right i := by
+  have : ¬(natAdd m i : Nat) < m := Nat.not_lt.2 (le_coe_natAdd ..)
+  rw [addCases, dif_neg this]; exact eq_of_heq <| (eqRec_heq _ _).trans (by congr 1; simp)
+
+/-! ### add -/
+
+@[simp] theorem ofNat'_add (x : Nat) (lt : 0 < n) (y : Fin n) :
+    Fin.ofNat' x lt + y = Fin.ofNat' (x + y.val) lt := by
+  apply Fin.eq_of_val_eq
+  simp [Fin.ofNat', Fin.add_def]
+
+@[simp] theorem add_ofNat' (x : Fin n) (y : Nat) (lt : 0 < n) :
+    x + Fin.ofNat' y lt = Fin.ofNat' (x.val + y) lt := by
+  apply Fin.eq_of_val_eq
+  simp [Fin.ofNat', Fin.add_def]
+
+/-! ### sub -/
+
+protected theorem coe_sub (a b : Fin n) : ((a - b : Fin n) : Nat) = (a + (n - b)) % n := by
+  cases a; cases b; rfl
+
+@[simp] theorem ofNat'_sub (x : Nat) (lt : 0 < n) (y : Fin n) :
+    Fin.ofNat' x lt - y = Fin.ofNat' (x + (n - y.val)) lt := by
+  apply Fin.eq_of_val_eq
+  simp [Fin.ofNat', Fin.sub_def]
+
+@[simp] theorem sub_ofNat' (x : Fin n) (y : Nat) (lt : 0 < n) :
+    x - Fin.ofNat' y lt = Fin.ofNat' (x.val + (n - y % n)) lt := by
+  apply Fin.eq_of_val_eq
+  simp [Fin.ofNat', Fin.sub_def]
+
+private theorem _root_.Nat.mod_eq_sub_of_lt_two_mul {x n} (h₁ : n ≤ x) (h₂ : x < 2 * n) :
+    x % n = x - n := by
+  rw [Nat.mod_eq, if_pos (by omega), Nat.mod_eq_of_lt (by omega)]
+
+theorem coe_sub_iff_le {a b : Fin n} : (↑(a - b) : Nat) = a - b ↔ b ≤ a := by
+  rw [sub_def, le_def]
+  dsimp only
+  if h : n ≤ a + (n - b) then
+    rw [Nat.mod_eq_sub_of_lt_two_mul h]
+    all_goals omega
+  else
+    rw [Nat.mod_eq_of_lt]
+    all_goals omega
+
+theorem coe_sub_iff_lt {a b : Fin n} : (↑(a - b) : Nat) = n + a - b ↔ a < b := by
+  rw [sub_def, lt_def]
+  dsimp only
+  if h : n ≤ a + (n - b) then
+    rw [Nat.mod_eq_sub_of_lt_two_mul h]
+    all_goals omega
+  else
+    rw [Nat.mod_eq_of_lt]
+    all_goals omega
+
+/-! ### mul -/
+
+theorem val_mul {n : Nat} : ∀ a b : Fin n, (a * b).val = a.val * b.val % n
+  | ⟨_, _⟩, ⟨_, _⟩ => rfl
+
+theorem coe_mul {n : Nat} : ∀ a b : Fin n, ((a * b : Fin n) : Nat) = a * b % n
+  | ⟨_, _⟩, ⟨_, _⟩ => rfl
+
+protected theorem mul_one (k : Fin (n + 1)) : k * 1 = k := by
+  match n with
+  | 0 => exact Subsingleton.elim (α := Fin 1) ..
+  | n+1 => simp [ext_iff, mul_def, Nat.mod_eq_of_lt (is_lt k)]
+
+protected theorem mul_comm (a b : Fin n) : a * b = b * a :=
+  ext <| by rw [mul_def, mul_def, Nat.mul_comm]
+
+protected theorem one_mul (k : Fin (n + 1)) : (1 : Fin (n + 1)) * k = k := by
+  rw [Fin.mul_comm, Fin.mul_one]
+
+protected theorem mul_zero (k : Fin (n + 1)) : k * 0 = 0 := by simp [ext_iff, mul_def]
+
+protected theorem zero_mul (k : Fin (n + 1)) : (0 : Fin (n + 1)) * k = 0 := by
+  simp [ext_iff, mul_def]
+
+end Fin
+
+namespace USize
+
+@[simp] theorem lt_def {a b : USize} : a < b ↔ a.toNat < b.toNat := .rfl
+
+@[simp] theorem le_def {a b : USize} : a ≤ b ↔ a.toNat ≤ b.toNat := .rfl
+
+@[simp] theorem zero_toNat : (0 : USize).toNat = 0 := Nat.zero_mod _
+
+@[simp] theorem mod_toNat (a b : USize) : (a % b).toNat = a.toNat % b.toNat :=
+  Fin.mod_val ..
+
+@[simp] theorem div_toNat (a b : USize) : (a / b).toNat = a.toNat / b.toNat :=
+  Fin.div_val ..
+
+@[simp] theorem modn_toNat (a : USize) (b : Nat) : (a.modn b).toNat = a.toNat % b :=
+  Fin.modn_val ..
+
+theorem mod_lt (a b : USize) (h : 0 < b) : a % b < b := USize.modn_lt _ (by simp at h; exact h)
+
+theorem toNat.inj : ∀ {a b : USize}, a.toNat = b.toNat → a = b
+  | ⟨_, _⟩, ⟨_, _⟩, rfl => rfl
+
+end USize

src/Init/Data/Float.lean

@@ -26,6 +26,8 @@ opaque floatSpec : FloatSpec := {
   decLe := fun _ _ => inferInstanceAs (Decidable True)
 }
 
+/-- Native floating point type, corresponding to the IEEE 754 *binary64* format
+(`double` in C or `f64` in Rust). -/
 structure Float where
   val : floatSpec.float
 

src/Init/Data/Format/Basic.lean

@@ -300,11 +300,18 @@ instance : MonadPrettyFormat (StateM State) where
   startTag _         := return ()
   endTags _          := return ()
 
-/-- Pretty-print a `Format` object as a string with expected width `w`. -/
+/--
+Renders a `Format` to a string.
+* `width`: the total width
+* `indent`: the initial indentation to use for wrapped lines
+  (subsequent wrapping may increase the indentation)
+* `column`: begin the first line wrap `column` characters earlier than usual
+  (this is useful when the output String will be printed starting at `column`)
+-/
 @[export lean_format_pretty]
-def pretty (f : Format) (w : Nat := defWidth) : String :=
-  let act: StateM State Unit := prettyM f w
-  act {} |>.snd.out
+def pretty (f : Format) (width : Nat := defWidth) (indent : Nat := 0) (column := 0) : String :=
+  let act : StateM State Unit := prettyM f width indent
+  State.out <| act (State.mk "" column) |>.snd
 
 end Format
 

src/Init/Data/Int.lean

@@ -5,3 +5,9 @@ Authors: Leonardo de Moura
 -/
 prelude
 import Init.Data.Int.Basic
+import Init.Data.Int.Bitwise
+import Init.Data.Int.DivMod
+import Init.Data.Int.DivModLemmas
+import Init.Data.Int.Gcd
+import Init.Data.Int.Lemmas
+import Init.Data.Int.Order

src/Init/Data/Int/Basic.lean

@@ -6,7 +6,7 @@ Authors: Jeremy Avigad, Leonardo de Moura
 The integers, with addition, multiplication, and subtraction.
 -/
 prelude
-import Init.Coe
+import Init.Data.Cast
 import Init.Data.Nat.Div
 import Init.Data.List.Basic
 set_option linter.missingDocs true -- keep it documented
@@ -47,14 +47,35 @@ inductive Int : Type where
 attribute [extern "lean_nat_to_int"] Int.ofNat
 attribute [extern "lean_int_neg_succ_of_nat"] Int.negSucc
 
-instance : Coe Nat Int := ⟨Int.ofNat⟩
+instance : NatCast Int where natCast n := Int.ofNat n
 
-instance : OfNat Int n where
+instance instOfNat : OfNat Int n where
   ofNat := Int.ofNat n
 
 namespace Int
+
+/--
+`-[n+1]` is suggestive notation for `negSucc n`, which is the second constructor of
+`Int` for making strictly negative numbers by mapping `n : Nat` to `-(n + 1)`.
+-/
+scoped notation "-[" n "+1]" => negSucc n
+
 instance : Inhabited Int := ⟨ofNat 0⟩
 
+@[simp] theorem default_eq_zero : default = (0 : Int) := rfl
+
+protected theorem zero_ne_one : (0 : Int) ≠ 1 := nofun
+
+/-! ## Coercions -/
+
+@[simp] theorem ofNat_eq_coe : Int.ofNat n = Nat.cast n := rfl
+
+@[simp] theorem ofNat_zero : ((0 : Nat) : Int) = 0 := rfl
+
+@[simp] theorem ofNat_one  : ((1 : Nat) : Int) = 1 := rfl
+
+theorem ofNat_two : ((2 : Nat) : Int) = 2 := rfl
+
 /-- Negation of a natural number. -/
 def negOfNat : Nat → Int
   | 0      => 0
@@ -100,10 +121,10 @@ set_option bootstrap.genMatcherCode false in
 @[extern "lean_int_add"]
 protected def add (m n : @& Int) : Int :=
   match m, n with
-  | ofNat m,   ofNat n   => ofNat (m + n)
-  | ofNat m,   negSucc n => subNatNat m (succ n)
-  | negSucc m, ofNat n   => subNatNat n (succ m)
-  | negSucc m, negSucc n => negSucc (succ (m + n))
+  | ofNat m, ofNat n => ofNat (m + n)
+  | ofNat m, -[n +1] => subNatNat m (succ n)
+  | -[m +1], ofNat n => subNatNat n (succ m)
+  | -[m +1], -[n +1] => negSucc (succ (m + n))
 
 instance : Add Int where
   add := Int.add
@@ -121,10 +142,10 @@ set_option bootstrap.genMatcherCode false in
 @[extern "lean_int_mul"]
 protected def mul (m n : @& Int) : Int :=
   match m, n with
-  | ofNat m,   ofNat n   => ofNat (m * n)
-  | ofNat m,   negSucc n => negOfNat (m * succ n)
-  | negSucc m, ofNat n   => negOfNat (succ m * n)
-  | negSucc m, negSucc n => ofNat (succ m * succ n)
+  | ofNat m, ofNat n => ofNat (m * n)
+  | ofNat m, -[n +1] => negOfNat (m * succ n)
+  | -[m +1], ofNat n => negOfNat (succ m * n)
+  | -[m +1], -[n +1] => ofNat (succ m * succ n)
 
 instance : Mul Int where
   mul := Int.mul
@@ -139,8 +160,7 @@ instance : Mul Int where
 
   Implemented by efficient native code. -/
 @[extern "lean_int_sub"]
-protected def sub (m n : @& Int) : Int :=
-  m + (- n)
+protected def sub (m n : @& Int) : Int := m + (- n)
 
 instance : Sub Int where
   sub := Int.sub
@@ -178,11 +198,11 @@ protected def decEq (a b : @& Int) : Decidable (a = b) :=
   | ofNat a, ofNat b => match decEq a b with
     | isTrue h  => isTrue  <| h ▸ rfl
     | isFalse h => isFalse <| fun h' => Int.noConfusion h' (fun h' => absurd h' h)
-  | negSucc a, negSucc b => match decEq a b with
+  | ofNat _, -[_ +1] => isFalse <| fun h => Int.noConfusion h
+  | -[_ +1], ofNat _ => isFalse <| fun h => Int.noConfusion h
+  | -[a +1], -[b +1] => match decEq a b with
     | isTrue h  => isTrue  <| h ▸ rfl
     | isFalse h => isFalse <| fun h' => Int.noConfusion h' (fun h' => absurd h' h)
-  | ofNat _, negSucc _ => isFalse <| fun h => Int.noConfusion h
-  | negSucc _, ofNat _ => isFalse <| fun h => Int.noConfusion h
 
 instance : DecidableEq Int := Int.decEq
 
@@ -199,8 +219,8 @@ set_option bootstrap.genMatcherCode false in
 @[extern "lean_int_dec_nonneg"]
 private def decNonneg (m : @& Int) : Decidable (NonNeg m) :=
   match m with
-  | ofNat m   => isTrue <| NonNeg.mk m
-  | negSucc _ => isFalse <| fun h => nomatch h
+  | ofNat m => isTrue <| NonNeg.mk m
+  | -[_ +1] => isFalse <| fun h => nomatch h
 
 /-- Decides whether `a ≤ b`.
 
@@ -241,85 +261,21 @@ set_option bootstrap.genMatcherCode false in
 @[extern "lean_nat_abs"]
 def natAbs (m : @& Int) : Nat :=
   match m with
-  | ofNat m   => m
-  | negSucc m => m.succ
+  | ofNat m => m
+  | -[m +1] => m.succ
 
-/-- Integer division. This function uses the
-  [*"T-rounding"*][t-rounding] (**T**runcation-rounding) convention,
-  meaning that it rounds toward zero. Also note that division by zero
-  is defined to equal zero.
+/-! ## sign -/
 
-  The relation between integer division and modulo is found in [the
-  `Int.mod_add_div` theorem in std][theo mod_add_div] which states
-  that `a % b + b * (a / b) = a`, unconditionally.
+/--
+Returns the "sign" of the integer as another integer: `1` for positive numbers,
+`-1` for negative numbers, and `0` for `0`.
+-/
+def sign : Int → Int
+  | Int.ofNat (succ _) => 1
+  | Int.ofNat 0 => 0
+  | -[_+1]      => -1
 
-  [t-rounding]: https://dl.acm.org/doi/pdf/10.1145/128861.128862
-  [theo mod_add_div]: https://leanprover-community.github.io/mathlib4_docs/find/?pattern=Int.mod_add_div#doc
-
-  Examples:
-
-  ```
-  #eval (7 : Int) / (0 : Int) -- 0
-  #eval (0 : Int) / (7 : Int) -- 0
-
-  #eval (12 : Int) / (6 : Int) -- 2
-  #eval (12 : Int) / (-6 : Int) -- -2
-  #eval (-12 : Int) / (6 : Int) -- -2
-  #eval (-12 : Int) / (-6 : Int) -- 2
-
-  #eval (12 : Int) / (7 : Int) -- 1
-  #eval (12 : Int) / (-7 : Int) -- -1
-  #eval (-12 : Int) / (7 : Int) -- -1
-  #eval (-12 : Int) / (-7 : Int) -- 1
-  ```
-
-  Implemented by efficient native code. -/
-@[extern "lean_int_div"]
-def div : (@& Int) → (@& Int) → Int
-  | ofNat m,   ofNat n   => ofNat (m / n)
-  | ofNat m,   negSucc n => -ofNat (m / succ n)
-  | negSucc m, ofNat n   => -ofNat (succ m / n)
-  | negSucc m, negSucc n => ofNat (succ m / succ n)
-
-instance : Div Int where
-  div := Int.div
-
-/-- Integer modulo. This function uses the
-  [*"T-rounding"*][t-rounding] (**T**runcation-rounding) convention
-  to pair with `Int.div`, meaning that `a % b + b * (a / b) = a`
-  unconditionally (see [`Int.mod_add_div`][theo mod_add_div]). In
-  particular, `a % 0 = a`.
-
-  [t-rounding]: https://dl.acm.org/doi/pdf/10.1145/128861.128862
-  [theo mod_add_div]: https://leanprover-community.github.io/mathlib4_docs/find/?pattern=Int.mod_add_div#doc
-
-  Examples:
-
-  ```
-  #eval (7 : Int) % (0 : Int) -- 7
-  #eval (0 : Int) % (7 : Int) -- 0
-
-  #eval (12 : Int) % (6 : Int) -- 0
-  #eval (12 : Int) % (-6 : Int) -- 0
-  #eval (-12 : Int) % (6 : Int) -- 0
-  #eval (-12 : Int) % (-6 : Int) -- 0
-
-  #eval (12 : Int) % (7 : Int) -- 5
-  #eval (12 : Int) % (-7 : Int) -- 5
-  #eval (-12 : Int) % (7 : Int) -- 2
-  #eval (-12 : Int) % (-7 : Int) -- 2
-  ```
-
-  Implemented by efficient native code. -/
-@[extern "lean_int_mod"]
-def mod : (@& Int) → (@& Int) → Int
-  | ofNat m,   ofNat n   => ofNat (m % n)
-  | ofNat m,   negSucc n => ofNat (m % succ n)
-  | negSucc m, ofNat n   => -ofNat (succ m % n)
-  | negSucc m, negSucc n => -ofNat (succ m % succ n)
-
-instance : Mod Int where
-  mod := Int.mod
+/-! ## Conversion -/
 
 /-- Turns an integer into a natural number, negative numbers become
   `0`.
@@ -334,6 +290,25 @@ def toNat : Int → Nat
   | ofNat n   => n
   | negSucc _ => 0
 
+/--
+* If `n : Nat`, then `int.toNat' n = some n`
+* If `n : Int` is negative, then `int.toNat' n = none`.
+-/
+def toNat' : Int → Option Nat
+  | (n : Nat) => some n
+  | -[_+1] => none
+
+/-! ## divisibility -/
+
+/--
+Divisibility of integers. `a ∣ b` (typed as `\|`) says that
+there is some `c` such that `b = a * c`.
+-/
+instance : Dvd Int where
+  dvd a b := Exists (fun c => b = a * c)
+
+/-! ## Powers -/
+
 /-- Power of an integer to some natural number.
 
   ```
@@ -359,3 +334,27 @@ instance : Min Int := minOfLe
 instance : Max Int := maxOfLe
 
 end Int
+
+/--
+The canonical homomorphism `Int → R`.
+In most use cases `R` will have a ring structure and this will be a ring homomorphism.
+-/
+class IntCast (R : Type u) where
+  /-- The canonical map `Int → R`. -/
+  protected intCast : Int → R
+
+instance : IntCast Int where intCast n := n
+
+/--
+Apply the canonical homomorphism from `Int` to a type `R` from an `IntCast R` instance.
+
+In Mathlib there will be such a homomorphism whenever `R` is an additive group with a `1`.
+-/
+@[coe, reducible, match_pattern] protected def Int.cast {R : Type u} [IntCast R] : Int → R :=
+  IntCast.intCast
+
+-- see the notes about coercions into arbitrary types in the module doc-string
+instance [IntCast R] : CoeTail Int R where coe := Int.cast
+
+-- see the notes about coercions into arbitrary types in the module doc-string
+instance [IntCast R] : CoeHTCT Int R where coe := Int.cast

src/Init/Data/Int/Bitwise.lean

@@ -0,0 +1,50 @@
+/-
+Copyright (c) 2022 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro
+-/
+prelude
+import Init.Data.Int.Basic
+import Init.Data.Nat.Bitwise.Basic
+
+namespace Int
+
+/-! ## bit operations -/
+
+/--
+Bitwise not
+
+Interprets the integer as an infinite sequence of bits in two's complement
+and complements each bit.
+```
+~~~(0:Int) = -1
+~~~(1:Int) = -2
+~~~(-1:Int) = 0
+```
+-/
+protected def not : Int -> Int
+  | Int.ofNat n => Int.negSucc n
+  | Int.negSucc n => Int.ofNat n
+
+instance : Complement Int := ⟨.not⟩
+
+/--
+Bitwise shift right.
+
+Conceptually, this treats the integer as an infinite sequence of bits in two's
+complement and shifts the value to the right.
+
+```lean
+( 0b0111:Int) >>> 1 =  0b0011
+( 0b1000:Int) >>> 1 =  0b0100
+(-0b1000:Int) >>> 1 = -0b0100
+(-0b0111:Int) >>> 1 = -0b0100
+```
+-/
+protected def shiftRight : Int → Nat → Int
+  | Int.ofNat n, s => Int.ofNat (n >>> s)
+  | Int.negSucc n, s => Int.negSucc (n >>> s)
+
+instance : HShiftRight Int Nat Int := ⟨.shiftRight⟩
+
+end Int

src/Init/Data/Int/DivMod.lean

@@ -0,0 +1,161 @@
+/-
+Copyright (c) 2016 Jeremy Avigad. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Jeremy Avigad, Mario Carneiro
+-/
+prelude
+import Init.Data.Int.Basic
+
+open Nat
+
+namespace Int
+
+/-! ## Quotient and remainder
+
+There are three main conventions for integer division,
+referred here as the E, F, T rounding conventions.
+All three pairs satisfy the identity `x % y + (x / y) * y = x` unconditionally,
+and satisfy `x / 0 = 0` and `x % 0 = x`.
+-/
+
+/-! ### T-rounding division -/
+
+/--
+`div` uses the [*"T-rounding"*][t-rounding]
+(**T**runcation-rounding) convention, meaning that it rounds toward
+zero. Also note that division by zero is defined to equal zero.
+
+  The relation between integer division and modulo is found in
+  `Int.mod_add_div` which states that
+  `a % b + b * (a / b) = a`, unconditionally.
+
+  [t-rounding]: https://dl.acm.org/doi/pdf/10.1145/128861.128862 [theo
+  mod_add_div]:
+  https://leanprover-community.github.io/mathlib4_docs/find/?pattern=Int.mod_add_div#doc
+
+  Examples:
+
+  ```
+  #eval (7 : Int) / (0 : Int) -- 0
+  #eval (0 : Int) / (7 : Int) -- 0
+
+  #eval (12 : Int) / (6 : Int) -- 2
+  #eval (12 : Int) / (-6 : Int) -- -2
+  #eval (-12 : Int) / (6 : Int) -- -2
+  #eval (-12 : Int) / (-6 : Int) -- 2
+
+  #eval (12 : Int) / (7 : Int) -- 1
+  #eval (12 : Int) / (-7 : Int) -- -1
+  #eval (-12 : Int) / (7 : Int) -- -1
+  #eval (-12 : Int) / (-7 : Int) -- 1
+  ```
+
+  Implemented by efficient native code.
+-/
+@[extern "lean_int_div"]
+def div : (@& Int) → (@& Int) → Int
+  | ofNat m, ofNat n =>  ofNat (m / n)
+  | ofNat m, -[n +1] => -ofNat (m / succ n)
+  | -[m +1], ofNat n => -ofNat (succ m / n)
+  | -[m +1], -[n +1] =>  ofNat (succ m / succ n)
+
+/-- Integer modulo. This function uses the
+  [*"T-rounding"*][t-rounding] (**T**runcation-rounding) convention
+  to pair with `Int.div`, meaning that `a % b + b * (a / b) = a`
+  unconditionally (see [`Int.mod_add_div`][theo mod_add_div]). In
+  particular, `a % 0 = a`.
+
+  [t-rounding]: https://dl.acm.org/doi/pdf/10.1145/128861.128862
+  [theo mod_add_div]: https://leanprover-community.github.io/mathlib4_docs/find/?pattern=Int.mod_add_div#doc
+
+  Examples:
+
+  ```
+  #eval (7 : Int) % (0 : Int) -- 7
+  #eval (0 : Int) % (7 : Int) -- 0
+
+  #eval (12 : Int) % (6 : Int) -- 0
+  #eval (12 : Int) % (-6 : Int) -- 0
+  #eval (-12 : Int) % (6 : Int) -- 0
+  #eval (-12 : Int) % (-6 : Int) -- 0
+
+  #eval (12 : Int) % (7 : Int) -- 5
+  #eval (12 : Int) % (-7 : Int) -- 5
+  #eval (-12 : Int) % (7 : Int) -- 2
+  #eval (-12 : Int) % (-7 : Int) -- 2
+  ```
+
+  Implemented by efficient native code. -/
+@[extern "lean_int_mod"]
+def mod : (@& Int) → (@& Int) → Int
+  | ofNat m, ofNat n =>  ofNat (m % n)
+  | ofNat m, -[n +1] =>  ofNat (m % succ n)
+  | -[m +1], ofNat n => -ofNat (succ m % n)
+  | -[m +1], -[n +1] => -ofNat (succ m % succ n)
+
+/-! ### F-rounding division
+This pair satisfies `fdiv x y = floor (x / y)`.
+-/
+
+/--
+Integer division. This version of division uses the F-rounding convention
+(flooring division), in which `Int.fdiv x y` satisfies `fdiv x y = floor (x / y)`
+and `Int.fmod` is the unique function satisfying `fmod x y + (fdiv x y) * y = x`.
+-/
+def fdiv : Int → Int → Int
+  | 0,       _       => 0
+  | ofNat m, ofNat n => ofNat (m / n)
+  | ofNat (succ m), -[n+1] => -[m / succ n +1]
+  | -[_+1],  0       => 0
+  | -[m+1],  ofNat (succ n) => -[m / succ n +1]
+  | -[m+1],  -[n+1]  => ofNat (succ m / succ n)
+
+/--
+Integer modulus. This version of `Int.mod` uses the F-rounding convention
+(flooring division), in which `Int.fdiv x y` satisfies `fdiv x y = floor (x / y)`
+and `Int.fmod` is the unique function satisfying `fmod x y + (fdiv x y) * y = x`.
+-/
+def fmod : Int → Int → Int
+  | 0,       _       => 0
+  | ofNat m, ofNat n => ofNat (m % n)
+  | ofNat (succ m),  -[n+1]  => subNatNat (m % succ n) n
+  | -[m+1],  ofNat n => subNatNat n (succ (m % n))
+  | -[m+1],  -[n+1]  => -ofNat (succ m % succ n)
+
+/-! ### E-rounding division
+This pair satisfies `0 ≤ mod x y < natAbs y` for `y ≠ 0`.
+-/
+
+/--
+Integer division. This version of `Int.div` uses the E-rounding convention
+(euclidean division), in which `Int.emod x y` satisfies `0 ≤ mod x y < natAbs y` for `y ≠ 0`
+and `Int.ediv` is the unique function satisfying `emod x y + (ediv x y) * y = x`.
+-/
+@[extern "lean_int_ediv"]
+def ediv : (@& Int) → (@& Int) → Int
+  | ofNat m, ofNat n => ofNat (m / n)
+  | ofNat m, -[n+1]  => -ofNat (m / succ n)
+  | -[_+1],  0       => 0
+  | -[m+1],  ofNat (succ n) => -[m / succ n +1]
+  | -[m+1],  -[n+1]  => ofNat (succ (m / succ n))
+
+/--
+Integer modulus. This version of `Int.mod` uses the E-rounding convention
+(euclidean division), in which `Int.emod x y` satisfies `0 ≤ emod x y < natAbs y` for `y ≠ 0`
+and `Int.ediv` is the unique function satisfying `emod x y + (ediv x y) * y = x`.
+-/
+@[extern "lean_int_emod"]
+def emod : (@& Int) → (@& Int) → Int
+  | ofNat m, n => ofNat (m % natAbs n)
+  | -[m+1],  n => subNatNat (natAbs n) (succ (m % natAbs n))
+
+/--
+The Div and Mod syntax uses ediv and emod for compatibility with SMTLIb and mathematical
+reasoning tends to be easier.
+-/
+instance : Div Int where
+  div := Int.ediv
+instance : Mod Int where
+  mod := Int.emod
+
+end Int

src/Init/Data/Int/DivModLemmas.lean

@@ -0,0 +1,347 @@
+/-
+Copyright (c) 2016 Jeremy Avigad. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Jeremy Avigad, Mario Carneiro
+-/
+
+prelude
+import Init.Data.Int.DivMod
+import Init.Data.Int.Order
+import Init.Data.Nat.Dvd
+import Init.RCases
+import Init.TacticsExtra
+
+/-!
+# Lemmas about integer division needed to bootstrap `omega`.
+-/
+
+
+open Nat (succ)
+
+namespace Int
+
+/-! ### `/`  -/
+
+@[simp] theorem ofNat_ediv (m n : Nat) : (↑(m / n) : Int) = ↑m / ↑n := rfl
+
+@[simp] theorem zero_ediv : ∀ b : Int, 0 / b = 0
+  | ofNat _ => show ofNat _ = _ by simp
+  | -[_+1] => show -ofNat _ = _ by simp
+
+@[simp] protected theorem ediv_zero : ∀ a : Int, a / 0 = 0
+  | ofNat _ => show ofNat _ = _ by simp
+  | -[_+1] => rfl
+
+
+@[simp] protected theorem ediv_neg : ∀ a b : Int, a / (-b) = -(a / b)
+  | ofNat m, 0 => show ofNat (m / 0) = -↑(m / 0) by rw [Nat.div_zero]; rfl
+  | ofNat m, -[n+1] => (Int.neg_neg _).symm
+  | ofNat m, succ n | -[m+1], 0 | -[m+1], succ n | -[m+1], -[n+1] => rfl
+
+protected theorem div_def (a b : Int) : a / b = Int.ediv a b := rfl
+
+theorem add_mul_ediv_right (a b : Int) {c : Int} (H : c ≠ 0) : (a + b * c) / c = a / c + b :=
+  suffices ∀ {{a b c : Int}}, 0 < c → (a + b * c).ediv c = a.ediv c + b from
+    match Int.lt_trichotomy c 0 with
+    | Or.inl hlt => by
+      rw [← Int.neg_inj, ← Int.ediv_neg, Int.neg_add, ← Int.ediv_neg, ← Int.neg_mul_neg]
+      exact this (Int.neg_pos_of_neg hlt)
+    | Or.inr (Or.inl HEq) => absurd HEq H
+    | Or.inr (Or.inr hgt) => this hgt
+  suffices ∀ {k n : Nat} {a : Int}, (a + n * k.succ).ediv k.succ = a.ediv k.succ + n from
+    fun a b c H => match c, eq_succ_of_zero_lt H, b with
+      | _, ⟨_, rfl⟩, ofNat _ => this
+      | _, ⟨k, rfl⟩, -[n+1] => show (a - n.succ * k.succ).ediv k.succ = a.ediv k.succ - n.succ by
+        rw [← Int.add_sub_cancel (ediv ..), ← this, Int.sub_add_cancel]
+  fun {k n} => @fun
+  | ofNat m => congrArg ofNat <| Nat.add_mul_div_right _ _ k.succ_pos
+  | -[m+1] => by
+    show ((n * k.succ : Nat) - m.succ : Int).ediv k.succ = n - (m / k.succ + 1 : Nat)
+    if h : m < n * k.succ then
+      rw [← Int.ofNat_sub h, ← Int.ofNat_sub ((Nat.div_lt_iff_lt_mul k.succ_pos).2 h)]
+      apply congrArg ofNat
+      rw [Nat.mul_comm, Nat.mul_sub_div]; rwa [Nat.mul_comm]
+    else
+      have h := Nat.not_lt.1 h
+      have H {a b : Nat} (h : a ≤ b) : (a : Int) + -((b : Int) + 1) = -[b - a +1] := by
+        rw [negSucc_eq, Int.ofNat_sub h]
+        simp only [Int.sub_eq_add_neg, Int.neg_add, Int.neg_neg, Int.add_left_comm, Int.add_assoc]
+      show ediv (↑(n * succ k) + -((m : Int) + 1)) (succ k) = n + -(↑(m / succ k) + 1 : Int)
+      rw [H h, H ((Nat.le_div_iff_mul_le k.succ_pos).2 h)]
+      apply congrArg negSucc
+      rw [Nat.mul_comm, Nat.sub_mul_div]; rwa [Nat.mul_comm]
+
+theorem add_ediv_of_dvd_right {a b c : Int} (H : c ∣ b) : (a + b) / c = a / c + b / c :=
+  if h : c = 0 then by simp [h] else by
+    let ⟨k, hk⟩ := H
+    rw [hk, Int.mul_comm c k, Int.add_mul_ediv_right _ _ h,
+      ← Int.zero_add (k * c), Int.add_mul_ediv_right _ _ h, Int.zero_ediv, Int.zero_add]
+
+theorem add_ediv_of_dvd_left {a b c : Int} (H : c ∣ a) : (a + b) / c = a / c + b / c := by
+  rw [Int.add_comm, Int.add_ediv_of_dvd_right H, Int.add_comm]
+
+@[simp] theorem mul_ediv_cancel (a : Int) {b : Int} (H : b ≠ 0) : (a * b) / b = a := by
+  have := Int.add_mul_ediv_right 0 a H
+  rwa [Int.zero_add, Int.zero_ediv, Int.zero_add] at this
+
+@[simp] theorem mul_ediv_cancel_left (b : Int) (H : a ≠ 0) : (a * b) / a = b :=
+  Int.mul_comm .. ▸ Int.mul_ediv_cancel _ H
+
+theorem div_nonneg_iff_of_pos {a b : Int} (h : 0 < b) : a / b ≥ 0 ↔ a ≥ 0 := by
+  rw [Int.div_def]
+  match b, h with
+  | Int.ofNat (b+1), _ =>
+    rcases a with ⟨a⟩ <;> simp [Int.ediv]
+    exact decide_eq_decide.mp rfl
+
+/-! ### mod -/
+
+theorem mod_def' (m n : Int) : m % n = emod m n := rfl
+
+theorem ofNat_mod (m n : Nat) : (↑(m % n) : Int) = mod m n := rfl
+
+theorem ofNat_mod_ofNat (m n : Nat) : (m % n : Int) = ↑(m % n) := rfl
+
+@[simp] theorem ofNat_emod (m n : Nat) : (↑(m % n) : Int) = m % n := rfl
+
+@[simp] theorem zero_emod (b : Int) : 0 % b = 0 := by simp [mod_def', emod]
+
+@[simp] theorem emod_zero : ∀ a : Int, a % 0 = a
+  | ofNat _ => congrArg ofNat <| Nat.mod_zero _
+  | -[_+1]  => congrArg negSucc <| Nat.mod_zero _
+
+theorem emod_add_ediv : ∀ a b : Int, a % b + b * (a / b) = a
+  | ofNat _, ofNat _ => congrArg ofNat <| Nat.mod_add_div ..
+  | ofNat m, -[n+1] => by
+    show (m % succ n + -↑(succ n) * -↑(m / succ n) : Int) = m
+    rw [Int.neg_mul_neg]; exact congrArg ofNat <| Nat.mod_add_div ..
+  | -[_+1], 0 => by rw [emod_zero]; rfl
+  | -[m+1], succ n => aux m n.succ
+  | -[m+1], -[n+1] => aux m n.succ
+where
+  aux (m n : Nat) : n - (m % n + 1) - (n * (m / n) + n) = -[m+1] := by
+    rw [← ofNat_emod, ← ofNat_ediv, ← Int.sub_sub, negSucc_eq, Int.sub_sub n,
+      ← Int.neg_neg (_-_), Int.neg_sub, Int.sub_sub_self, Int.add_right_comm]
+    exact congrArg (fun x => -(ofNat x + 1)) (Nat.mod_add_div ..)
+
+theorem ediv_add_emod (a b : Int) : b * (a / b) + a % b = a :=
+  (Int.add_comm ..).trans (emod_add_ediv ..)
+
+theorem emod_def (a b : Int) : a % b = a - b * (a / b) := by
+  rw [← Int.add_sub_cancel (a % b), emod_add_ediv]
+
+theorem emod_nonneg : ∀ (a : Int) {b : Int}, b ≠ 0 → 0 ≤ a % b
+  | ofNat _, _, _ => ofNat_zero_le _
+  | -[_+1], _, H => Int.sub_nonneg_of_le <| ofNat_le.2 <| Nat.mod_lt _ (natAbs_pos.2 H)
+
+theorem emod_lt_of_pos (a : Int) {b : Int} (H : 0 < b) : a % b < b :=
+  match a, b, eq_succ_of_zero_lt H with
+  | ofNat _, _, ⟨_, rfl⟩ => ofNat_lt.2 (Nat.mod_lt _ (Nat.succ_pos _))
+  | -[_+1], _, ⟨_, rfl⟩ => Int.sub_lt_self _ (ofNat_lt.2 <| Nat.succ_pos _)
+
+theorem mul_ediv_self_le {x k : Int} (h : k ≠ 0) : k * (x / k) ≤ x :=
+  calc k * (x / k)
+    _ ≤ k * (x / k) + x % k := Int.le_add_of_nonneg_right (emod_nonneg x h)
+    _ = x                   := ediv_add_emod _ _
+
+theorem lt_mul_ediv_self_add {x k : Int} (h : 0 < k) : x < k * (x / k) + k :=
+  calc x
+    _ = k * (x / k) + x % k := (ediv_add_emod _ _).symm
+    _ < k * (x / k) + k     := Int.add_lt_add_left (emod_lt_of_pos x h) _
+
+theorem emod_add_ediv' (m k : Int) : m % k + m / k * k = m := by
+  rw [Int.mul_comm]; apply emod_add_ediv
+
+@[simp] theorem add_mul_emod_self {a b c : Int} : (a + b * c) % c = a % c :=
+  if cz : c = 0 then by
+    rw [cz, Int.mul_zero, Int.add_zero]
+  else by
+    rw [Int.emod_def, Int.emod_def, Int.add_mul_ediv_right _ _ cz, Int.add_comm _ b,
+      Int.mul_add, Int.mul_comm, ← Int.sub_sub, Int.add_sub_cancel]
+
+@[simp] theorem add_mul_emod_self_left (a b c : Int) : (a + b * c) % b = a % b := by
+  rw [Int.mul_comm, Int.add_mul_emod_self]
+
+@[simp] theorem add_emod_self {a b : Int} : (a + b) % b = a % b := by
+  have := add_mul_emod_self_left a b 1; rwa [Int.mul_one] at this
+
+@[simp] theorem add_emod_self_left {a b : Int} : (a + b) % a = b % a := by
+  rw [Int.add_comm, Int.add_emod_self]
+
+theorem neg_emod {a b : Int} : -a % b = (b - a) % b := by
+  rw [← add_emod_self_left]; rfl
+
+@[simp] theorem emod_add_emod (m n k : Int) : (m % n + k) % n = (m + k) % n := by
+  have := (add_mul_emod_self_left (m % n + k) n (m / n)).symm
+  rwa [Int.add_right_comm, emod_add_ediv] at this
+
+@[simp] theorem add_emod_emod (m n k : Int) : (m + n % k) % k = (m + n) % k := by
+  rw [Int.add_comm, emod_add_emod, Int.add_comm]
+
+theorem add_emod (a b n : Int) : (a + b) % n = (a % n + b % n) % n := by
+  rw [add_emod_emod, emod_add_emod]
+
+theorem add_emod_eq_add_emod_right {m n k : Int} (i : Int)
+    (H : m % n = k % n) : (m + i) % n = (k + i) % n := by
+  rw [← emod_add_emod, ← emod_add_emod k, H]
+
+theorem emod_add_cancel_right {m n k : Int} (i) : (m + i) % n = (k + i) % n ↔ m % n = k % n :=
+  ⟨fun H => by
+    have := add_emod_eq_add_emod_right (-i) H
+    rwa [Int.add_neg_cancel_right, Int.add_neg_cancel_right] at this,
+  add_emod_eq_add_emod_right _⟩
+
+@[simp] theorem mul_emod_left (a b : Int) : (a * b) % b = 0 := by
+  rw [← Int.zero_add (a * b), Int.add_mul_emod_self, Int.zero_emod]
+
+@[simp] theorem mul_emod_right (a b : Int) : (a * b) % a = 0 := by
+  rw [Int.mul_comm, mul_emod_left]
+
+theorem mul_emod (a b n : Int) : (a * b) % n = (a % n) * (b % n) % n := by
+  conv => lhs; rw [
+    ← emod_add_ediv a n, ← emod_add_ediv' b n, Int.add_mul, Int.mul_add, Int.mul_add,
+    Int.mul_assoc, Int.mul_assoc, ← Int.mul_add n _ _, add_mul_emod_self_left,
+    ← Int.mul_assoc, add_mul_emod_self]
+
+@[local simp] theorem emod_self {a : Int} : a % a = 0 := by
+  have := mul_emod_left 1 a; rwa [Int.one_mul] at this
+
+@[simp] theorem emod_emod_of_dvd (n : Int) {m k : Int}
+    (h : m ∣ k) : (n % k) % m = n % m := by
+  conv => rhs; rw [← emod_add_ediv n k]
+  match k, h with
+  | _, ⟨t, rfl⟩ => rw [Int.mul_assoc, add_mul_emod_self_left]
+
+@[simp] theorem emod_emod (a b : Int) : (a % b) % b = a % b := by
+  conv => rhs; rw [← emod_add_ediv a b, add_mul_emod_self_left]
+
+theorem sub_emod (a b n : Int) : (a - b) % n = (a % n - b % n) % n := by
+  apply (emod_add_cancel_right b).mp
+  rw [Int.sub_add_cancel, ← Int.add_emod_emod, Int.sub_add_cancel, emod_emod]
+
+/-! ### properties of `/` and `%` -/
+
+theorem mul_ediv_cancel_of_emod_eq_zero {a b : Int} (H : a % b = 0) : b * (a / b) = a := by
+  have := emod_add_ediv a b; rwa [H, Int.zero_add] at this
+
+theorem ediv_mul_cancel_of_emod_eq_zero {a b : Int} (H : a % b = 0) : a / b * b = a := by
+  rw [Int.mul_comm, mul_ediv_cancel_of_emod_eq_zero H]
+
+/-! ### dvd -/
+
+protected theorem dvd_zero (n : Int) : n ∣ 0 := ⟨0, (Int.mul_zero _).symm⟩
+
+protected theorem dvd_refl (n : Int) : n ∣ n := ⟨1, (Int.mul_one _).symm⟩
+
+protected theorem one_dvd (n : Int) : 1 ∣ n := ⟨n, (Int.one_mul n).symm⟩
+
+protected theorem dvd_trans : ∀ {a b c : Int}, a ∣ b → b ∣ c → a ∣ c
+  | _, _, _, ⟨d, rfl⟩, ⟨e, rfl⟩ => ⟨d * e, by rw [Int.mul_assoc]⟩
+
+@[simp] protected theorem zero_dvd {n : Int} : 0 ∣ n ↔ n = 0 :=
+  ⟨fun ⟨k, e⟩ => by rw [e, Int.zero_mul], fun h => h.symm ▸ Int.dvd_refl _⟩
+
+protected theorem neg_dvd {a b : Int} : -a ∣ b ↔ a ∣ b := by
+  constructor <;> exact fun ⟨k, e⟩ =>
+    ⟨-k, by simp [e, Int.neg_mul, Int.mul_neg, Int.neg_neg]⟩
+
+protected theorem dvd_neg {a b : Int} : a ∣ -b ↔ a ∣ b := by
+  constructor <;> exact fun ⟨k, e⟩ =>
+    ⟨-k, by simp [← e, Int.neg_mul, Int.mul_neg, Int.neg_neg]⟩
+
+protected theorem dvd_mul_right (a b : Int) : a ∣ a * b := ⟨_, rfl⟩
+
+protected theorem dvd_mul_left (a b : Int) : b ∣ a * b := ⟨_, Int.mul_comm ..⟩
+
+protected theorem dvd_add : ∀ {a b c : Int}, a ∣ b → a ∣ c → a ∣ b + c
+  | _, _, _, ⟨d, rfl⟩, ⟨e, rfl⟩ => ⟨d + e, by rw [Int.mul_add]⟩
+
+protected theorem dvd_sub : ∀ {a b c : Int}, a ∣ b → a ∣ c → a ∣ b - c
+  | _, _, _, ⟨d, rfl⟩, ⟨e, rfl⟩ => ⟨d - e, by rw [Int.mul_sub]⟩
+
+
+theorem ofNat_dvd {m n : Nat} : (↑m : Int) ∣ ↑n ↔ m ∣ n := by
+  refine ⟨fun ⟨a, ae⟩ => ?_, fun ⟨k, e⟩ => ⟨k, by rw [e, Int.ofNat_mul]⟩⟩
+  match Int.le_total a 0 with
+  | .inl h =>
+    have := ae.symm ▸ Int.mul_nonpos_of_nonneg_of_nonpos (ofNat_zero_le _) h
+    rw [Nat.le_antisymm (ofNat_le.1 this) (Nat.zero_le _)]
+    apply Nat.dvd_zero
+  | .inr h => match a, eq_ofNat_of_zero_le h with
+    | _, ⟨k, rfl⟩ => exact ⟨k, Int.ofNat.inj ae⟩
+
+@[simp] theorem natAbs_dvd_natAbs {a b : Int} : natAbs a ∣ natAbs b ↔ a ∣ b := by
+  refine ⟨fun ⟨k, hk⟩ => ?_, fun ⟨k, hk⟩ => ⟨natAbs k, hk.symm ▸ natAbs_mul a k⟩⟩
+  rw [← natAbs_ofNat k, ← natAbs_mul, natAbs_eq_natAbs_iff] at hk
+  cases hk <;> subst b
+  · apply Int.dvd_mul_right
+  · rw [← Int.mul_neg]; apply Int.dvd_mul_right
+
+theorem ofNat_dvd_left {n : Nat} {z : Int} : (↑n : Int) ∣ z ↔ n ∣ z.natAbs := by
+  rw [← natAbs_dvd_natAbs, natAbs_ofNat]
+
+theorem dvd_of_emod_eq_zero {a b : Int} (H : b % a = 0) : a ∣ b :=
+  ⟨b / a, (mul_ediv_cancel_of_emod_eq_zero H).symm⟩
+
+theorem dvd_emod_sub_self {x : Int} {m : Nat} : (m : Int) ∣ x % m - x := by
+  apply dvd_of_emod_eq_zero
+  simp [sub_emod]
+
+theorem emod_eq_zero_of_dvd : ∀ {a b : Int}, a ∣ b → b % a = 0
+  | _, _, ⟨_, rfl⟩ => mul_emod_right ..
+
+theorem dvd_iff_emod_eq_zero (a b : Int) : a ∣ b ↔ b % a = 0 :=
+  ⟨emod_eq_zero_of_dvd, dvd_of_emod_eq_zero⟩
+
+theorem emod_pos_of_not_dvd {a b : Int} (h : ¬ a ∣ b) : a = 0 ∨ 0 < b % a := by
+  rw [dvd_iff_emod_eq_zero] at h
+  if w : a = 0 then simp_all
+  else exact Or.inr (Int.lt_iff_le_and_ne.mpr ⟨emod_nonneg b w, Ne.symm h⟩)
+
+instance decidableDvd : DecidableRel (α := Int) (· ∣ ·) := fun _ _ =>
+  decidable_of_decidable_of_iff (dvd_iff_emod_eq_zero ..).symm
+
+protected theorem ediv_mul_cancel {a b : Int} (H : b ∣ a) : a / b * b = a :=
+  ediv_mul_cancel_of_emod_eq_zero (emod_eq_zero_of_dvd H)
+
+protected theorem mul_ediv_cancel' {a b : Int} (H : a ∣ b) : a * (b / a) = b := by
+  rw [Int.mul_comm, Int.ediv_mul_cancel H]
+
+protected theorem mul_ediv_assoc (a : Int) : ∀ {b c : Int}, c ∣ b → (a * b) / c = a * (b / c)
+  | _, c, ⟨d, rfl⟩ =>
+    if cz : c = 0 then by simp [cz, Int.mul_zero] else by
+      rw [Int.mul_left_comm, Int.mul_ediv_cancel_left _ cz, Int.mul_ediv_cancel_left _ cz]
+
+protected theorem mul_ediv_assoc' (b : Int) {a c : Int}
+    (h : c ∣ a) : (a * b) / c = a / c * b := by
+  rw [Int.mul_comm, Int.mul_ediv_assoc _ h, Int.mul_comm]
+
+theorem neg_ediv_of_dvd : ∀ {a b : Int}, b ∣ a → (-a) / b = -(a / b)
+  | _, b, ⟨c, rfl⟩ => by if bz : b = 0 then simp [bz] else
+    rw [Int.neg_mul_eq_mul_neg, Int.mul_ediv_cancel_left _ bz, Int.mul_ediv_cancel_left _ bz]
+
+theorem sub_ediv_of_dvd (a : Int) {b c : Int}
+    (hcb : c ∣ b) : (a - b) / c = a / c - b / c := by
+  rw [Int.sub_eq_add_neg, Int.sub_eq_add_neg, Int.add_ediv_of_dvd_right (Int.dvd_neg.2 hcb)]
+  congr; exact Int.neg_ediv_of_dvd hcb
+
+/-!
+# `bmod` ("balanced" mod)
+
+We use balanced mod in the omega algorithm,
+to make ±1 coefficients appear in equations without them.
+-/
+
+/--
+Balanced mod, taking values in the range [- m/2, (m - 1)/2].
+-/
+def bmod (x : Int) (m : Nat) : Int :=
+  let r := x % m
+  if r < (m + 1) / 2 then
+    r
+  else
+    r - m
+
+@[simp] theorem bmod_emod : bmod x m % m = x % m := by
+  dsimp [bmod]
+  split <;> simp [Int.sub_emod]

src/Init/Data/Int/Gcd.lean

@@ -0,0 +1,17 @@
+/-
+Copyright (c) 2022 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro
+-/
+prelude
+import Init.Data.Int.Basic
+import Init.Data.Nat.Gcd
+
+namespace Int
+
+/-! ## gcd -/
+
+/-- Computes the greatest common divisor of two integers, as a `Nat`. -/
+def gcd (m n : Int) : Nat := m.natAbs.gcd n.natAbs
+
+end Int

src/Init/Data/Int/Lemmas.lean

@@ -0,0 +1,500 @@
+/-
+Copyright (c) 2016 Jeremy Avigad. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Jeremy Avigad, Deniz Aydin, Floris van Doorn, Mario Carneiro
+-/
+prelude
+import Init.Data.Int.Basic
+import Init.Conv
+import Init.PropLemmas
+
+namespace Int
+
+open Nat
+
+/-! ## Definitions of basic functions -/
+
+theorem subNatNat_of_sub_eq_zero {m n : Nat} (h : n - m = 0) : subNatNat m n = ↑(m - n) := by
+  rw [subNatNat, h, ofNat_eq_coe]
+
+theorem subNatNat_of_sub_eq_succ {m n k : Nat} (h : n - m = succ k) : subNatNat m n = -[k+1] := by
+  rw [subNatNat, h]
+
+@[simp] protected theorem neg_zero : -(0:Int) = 0 := rfl
+
+theorem ofNat_add (n m : Nat) : (↑(n + m) : Int) = n + m := rfl
+theorem ofNat_mul (n m : Nat) : (↑(n * m) : Int) = n * m := rfl
+theorem ofNat_succ (n : Nat) : (succ n : Int) = n + 1 := rfl
+
+@[local simp] theorem neg_ofNat_zero : -((0 : Nat) : Int) = 0 := rfl
+@[local simp] theorem neg_ofNat_succ (n : Nat) : -(succ n : Int) = -[n+1] := rfl
+@[local simp] theorem neg_negSucc (n : Nat) : -(-[n+1]) = succ n := rfl
+
+theorem negSucc_coe (n : Nat) : -[n+1] = -↑(n + 1) := rfl
+
+theorem negOfNat_eq : negOfNat n = -ofNat n := rfl
+
+/-! ## These are only for internal use -/
+
+@[simp] theorem add_def {a b : Int} : Int.add a b = a + b := rfl
+
+@[local simp] theorem ofNat_add_ofNat (m n : Nat) : (↑m + ↑n : Int) = ↑(m + n) := rfl
+@[local simp] theorem ofNat_add_negSucc (m n : Nat) : ↑m + -[n+1] = subNatNat m (succ n) := rfl
+@[local simp] theorem negSucc_add_ofNat (m n : Nat) : -[m+1] + ↑n = subNatNat n (succ m) := rfl
+@[local simp] theorem negSucc_add_negSucc (m n : Nat) : -[m+1] + -[n+1] = -[succ (m + n) +1] := rfl
+
+@[simp] theorem mul_def {a b : Int} : Int.mul a b = a * b := rfl
+
+@[local simp] theorem ofNat_mul_ofNat (m n : Nat) : (↑m * ↑n : Int) = ↑(m * n) := rfl
+@[local simp] theorem ofNat_mul_negSucc' (m n : Nat) : ↑m * -[n+1] = negOfNat (m * succ n) := rfl
+@[local simp] theorem negSucc_mul_ofNat' (m n : Nat) : -[m+1] * ↑n = negOfNat (succ m * n) := rfl
+@[local simp] theorem negSucc_mul_negSucc' (m n : Nat) :
+    -[m+1] * -[n+1] = ofNat (succ m * succ n) := rfl
+
+/- ## some basic functions and properties -/
+
+theorem ofNat_inj : ((m : Nat) : Int) = (n : Nat) ↔ m = n := ⟨ofNat.inj, congrArg _⟩
+
+theorem ofNat_eq_zero : ((n : Nat) : Int) = 0 ↔ n = 0 := ofNat_inj
+
+theorem ofNat_ne_zero : ((n : Nat) : Int) ≠ 0 ↔ n ≠ 0 := not_congr ofNat_eq_zero
+
+theorem negSucc_inj : negSucc m = negSucc n ↔ m = n := ⟨negSucc.inj, fun H => by simp [H]⟩
+
+theorem negSucc_eq (n : Nat) : -[n+1] = -((n : Int) + 1) := rfl
+
+@[simp] theorem negSucc_ne_zero (n : Nat) : -[n+1] ≠ 0 := nofun
+
+@[simp] theorem zero_ne_negSucc (n : Nat) : 0 ≠ -[n+1] := nofun
+
+@[simp] theorem Nat.cast_ofNat_Int :
+  (Nat.cast (no_index (OfNat.ofNat n)) : Int) = OfNat.ofNat n := rfl
+
+/- ## neg -/
+
+@[simp] protected theorem neg_neg : ∀ a : Int, -(-a) = a
+  | 0      => rfl
+  | succ _ => rfl
+  | -[_+1] => rfl
+
+protected theorem neg_inj {a b : Int} : -a = -b ↔ a = b :=
+  ⟨fun h => by rw [← Int.neg_neg a, ← Int.neg_neg b, h], congrArg _⟩
+
+@[simp] protected theorem neg_eq_zero : -a = 0 ↔ a = 0 := Int.neg_inj (b := 0)
+
+protected theorem neg_ne_zero : -a ≠ 0 ↔ a ≠ 0 := not_congr Int.neg_eq_zero
+
+protected theorem sub_eq_add_neg {a b : Int} : a - b = a + -b := rfl
+
+theorem add_neg_one (i : Int) : i + -1 = i - 1 := rfl
+
+/- ## basic properties of subNatNat -/
+
+-- @[elabAsElim] -- TODO(Mario): unexpected eliminator resulting type
+theorem subNatNat_elim (m n : Nat) (motive : Nat → Nat → Int → Prop)
+    (hp : ∀ i n, motive (n + i) n i)
+    (hn : ∀ i m, motive m (m + i + 1) -[i+1]) :
+    motive m n (subNatNat m n) := by
+  unfold subNatNat
+  match h : n - m with
+  | 0 =>
+    have ⟨k, h⟩ := Nat.le.dest (Nat.le_of_sub_eq_zero h)
+    rw [h.symm, Nat.add_sub_cancel_left]; apply hp
+  | succ k =>
+    rw [Nat.sub_eq_iff_eq_add (Nat.le_of_lt (Nat.lt_of_sub_eq_succ h))] at h
+    rw [h, Nat.add_comm]; apply hn
+
+theorem subNatNat_add_left : subNatNat (m + n) m = n := by
+  unfold subNatNat
+  rw [Nat.sub_eq_zero_of_le (Nat.le_add_right ..), Nat.add_sub_cancel_left, ofNat_eq_coe]
+
+theorem subNatNat_add_right : subNatNat m (m + n + 1) = negSucc n := by
+  simp [subNatNat, Nat.add_assoc, Nat.add_sub_cancel_left]
+
+theorem subNatNat_add_add (m n k : Nat) : subNatNat (m + k) (n + k) = subNatNat m n := by
+  apply subNatNat_elim m n (fun m n i => subNatNat (m + k) (n + k) = i)
+  focus
+    intro i j
+    rw [Nat.add_assoc, Nat.add_comm i k, ← Nat.add_assoc]
+    exact subNatNat_add_left
+  focus
+    intro i j
+    rw [Nat.add_assoc j i 1, Nat.add_comm j (i+1), Nat.add_assoc, Nat.add_comm (i+1) (j+k)]
+    exact subNatNat_add_right
+
+theorem subNatNat_of_le {m n : Nat} (h : n ≤ m) : subNatNat m n = ↑(m - n) :=
+  subNatNat_of_sub_eq_zero (Nat.sub_eq_zero_of_le h)
+
+theorem subNatNat_of_lt {m n : Nat} (h : m < n) : subNatNat m n = -[pred (n - m) +1] :=
+  subNatNat_of_sub_eq_succ <| (Nat.succ_pred_eq_of_pos (Nat.sub_pos_of_lt h)).symm
+
+/- # Additive group properties -/
+
+/- addition -/
+
+protected theorem add_comm : ∀ a b : Int, a + b = b + a
+  | ofNat n, ofNat m => by simp [Nat.add_comm]
+  | ofNat _, -[_+1]  => rfl
+  | -[_+1],  ofNat _ => rfl
+  | -[_+1],  -[_+1]  => by simp [Nat.add_comm]
+
+@[simp] protected theorem add_zero : ∀ a : Int, a + 0 = a
+  | ofNat _ => rfl
+  | -[_+1]  => rfl
+
+@[simp] protected theorem zero_add (a : Int) : 0 + a = a := Int.add_comm .. ▸ a.add_zero
+
+theorem ofNat_add_negSucc_of_lt (h : m < n.succ) : ofNat m + -[n+1] = -[n - m+1] :=
+  show subNatNat .. = _ by simp [succ_sub (le_of_lt_succ h), subNatNat]
+
+theorem subNatNat_sub (h : n ≤ m) (k : Nat) : subNatNat (m - n) k = subNatNat m (k + n) := by
+  rwa [← subNatNat_add_add _ _ n, Nat.sub_add_cancel]
+
+theorem subNatNat_add (m n k : Nat) : subNatNat (m + n) k = m + subNatNat n k := by
+  cases n.lt_or_ge k with
+  | inl h' =>
+    simp [subNatNat_of_lt h', succ_pred_eq_of_pos (Nat.sub_pos_of_lt h')]
+    conv => lhs; rw [← Nat.sub_add_cancel (Nat.le_of_lt h')]
+    apply subNatNat_add_add
+  | inr h' => simp [subNatNat_of_le h',
+      subNatNat_of_le (Nat.le_trans h' (le_add_left ..)), Nat.add_sub_assoc h']
+
+theorem subNatNat_add_negSucc (m n k : Nat) :
+    subNatNat m n + -[k+1] = subNatNat m (n + succ k) := by
+  have h := Nat.lt_or_ge m n
+  cases h with
+  | inr h' =>
+    rw [subNatNat_of_le h']
+    simp
+    rw [subNatNat_sub h', Nat.add_comm]
+  | inl h' =>
+    have h₂ : m < n + succ k := Nat.lt_of_lt_of_le h' (le_add_right _ _)
+    have h₃ : m ≤ n + k := le_of_succ_le_succ h₂
+    rw [subNatNat_of_lt h', subNatNat_of_lt h₂]
+    simp [Nat.add_comm]
+    rw [← add_succ, succ_pred_eq_of_pos (Nat.sub_pos_of_lt h'), add_succ, succ_sub h₃,
+      Nat.pred_succ]
+    rw [Nat.add_comm n, Nat.add_sub_assoc (Nat.le_of_lt h')]
+
+protected theorem add_assoc : ∀ a b c : Int, a + b + c = a + (b + c)
+  | (m:Nat), (n:Nat), c => aux1 ..
+  | Nat.cast m, b, Nat.cast k => by
+    rw [Int.add_comm, ← aux1, Int.add_comm k, aux1, Int.add_comm b]
+  | a, (n:Nat), (k:Nat) => by
+    rw [Int.add_comm, Int.add_comm a, ← aux1, Int.add_comm a, Int.add_comm k]
+  | -[m+1], -[n+1], (k:Nat) => aux2 ..
+  | -[m+1], (n:Nat), -[k+1] => by
+    rw [Int.add_comm, ← aux2, Int.add_comm n, ← aux2, Int.add_comm -[m+1]]
+  | (m:Nat), -[n+1], -[k+1] => by
+    rw [Int.add_comm, Int.add_comm m, Int.add_comm m, ← aux2, Int.add_comm -[k+1]]
+  | -[m+1], -[n+1], -[k+1] => by
+    simp [add_succ, Nat.add_comm, Nat.add_left_comm, neg_ofNat_succ]
+where
+  aux1 (m n : Nat) : ∀ c : Int, m + n + c = m + (n + c)
+    | (k:Nat) => by simp [Nat.add_assoc]
+    | -[k+1]  => by simp [subNatNat_add]
+  aux2 (m n k : Nat) : -[m+1] + -[n+1] + k = -[m+1] + (-[n+1] + k) := by
+    simp [add_succ]
+    rw [Int.add_comm, subNatNat_add_negSucc]
+    simp [add_succ, succ_add, Nat.add_comm]
+
+protected theorem add_left_comm (a b c : Int) : a + (b + c) = b + (a + c) := by
+  rw [← Int.add_assoc, Int.add_comm a, Int.add_assoc]
+
+protected theorem add_right_comm (a b c : Int) : a + b + c = a + c + b := by
+  rw [Int.add_assoc, Int.add_comm b, ← Int.add_assoc]
+
+/- ## negation -/
+
+theorem subNatNat_self : ∀ n, subNatNat n n = 0
+  | 0      => rfl
+  | succ m => by rw [subNatNat_of_sub_eq_zero (Nat.sub_self ..), Nat.sub_self, ofNat_zero]
+
+attribute [local simp] subNatNat_self
+
+@[local simp] protected theorem add_left_neg : ∀ a : Int, -a + a = 0
+  | 0      => rfl
+  | succ m => by simp
+  | -[m+1] => by simp
+
+@[local simp] protected theorem add_right_neg (a : Int) : a + -a = 0 := by
+  rw [Int.add_comm, Int.add_left_neg]
+
+@[simp] protected theorem neg_eq_of_add_eq_zero {a b : Int} (h : a + b = 0) : -a = b := by
+  rw [← Int.add_zero (-a), ← h, ← Int.add_assoc, Int.add_left_neg, Int.zero_add]
+
+protected theorem eq_neg_of_eq_neg {a b : Int} (h : a = -b) : b = -a := by
+  rw [h, Int.neg_neg]
+
+protected theorem eq_neg_comm {a b : Int} : a = -b ↔ b = -a :=
+  ⟨Int.eq_neg_of_eq_neg, Int.eq_neg_of_eq_neg⟩
+
+protected theorem neg_eq_comm {a b : Int} : -a = b ↔ -b = a := by
+  rw [eq_comm, Int.eq_neg_comm, eq_comm]
+
+protected theorem neg_add_cancel_left (a b : Int) : -a + (a + b) = b := by
+  rw [← Int.add_assoc, Int.add_left_neg, Int.zero_add]
+
+protected theorem add_neg_cancel_left (a b : Int) : a + (-a + b) = b := by
+  rw [← Int.add_assoc, Int.add_right_neg, Int.zero_add]
+
+protected theorem add_neg_cancel_right (a b : Int) : a + b + -b = a := by
+  rw [Int.add_assoc, Int.add_right_neg, Int.add_zero]
+
+protected theorem neg_add_cancel_right (a b : Int) : a + -b + b = a := by
+  rw [Int.add_assoc, Int.add_left_neg, Int.add_zero]
+
+protected theorem add_left_cancel {a b c : Int} (h : a + b = a + c) : b = c := by
+  have h₁ : -a + (a + b) = -a + (a + c) := by rw [h]
+  simp [← Int.add_assoc, Int.add_left_neg, Int.zero_add] at h₁; exact h₁
+
+@[local simp] protected theorem neg_add {a b : Int} : -(a + b) = -a + -b := by
+  apply Int.add_left_cancel (a := a + b)
+  rw [Int.add_right_neg, Int.add_comm a, ← Int.add_assoc, Int.add_assoc b,
+    Int.add_right_neg, Int.add_zero, Int.add_right_neg]
+
+/- ## subtraction -/
+
+@[simp] theorem negSucc_sub_one (n : Nat) : -[n+1] - 1 = -[n + 1 +1] := rfl
+
+@[simp] protected theorem sub_self (a : Int) : a - a = 0 := by
+  rw [Int.sub_eq_add_neg, Int.add_right_neg]
+
+@[simp] protected theorem sub_zero (a : Int) : a - 0 = a := by simp [Int.sub_eq_add_neg]
+
+@[simp] protected theorem zero_sub (a : Int) : 0 - a = -a := by simp [Int.sub_eq_add_neg]
+
+protected theorem sub_eq_zero_of_eq {a b : Int} (h : a = b) : a - b = 0 := by
+  rw [h, Int.sub_self]
+
+protected theorem eq_of_sub_eq_zero {a b : Int} (h : a - b = 0) : a = b := by
+  have : 0 + b = b := by rw [Int.zero_add]
+  have : a - b + b = b := by rwa [h]
+  rwa [Int.sub_eq_add_neg, Int.neg_add_cancel_right] at this
+
+protected theorem sub_eq_zero {a b : Int} : a - b = 0 ↔ a = b :=
+  ⟨Int.eq_of_sub_eq_zero, Int.sub_eq_zero_of_eq⟩
+
+protected theorem sub_sub (a b c : Int) : a - b - c = a - (b + c) := by
+  simp [Int.sub_eq_add_neg, Int.add_assoc]
+
+protected theorem neg_sub (a b : Int) : -(a - b) = b - a := by
+  simp [Int.sub_eq_add_neg, Int.add_comm]
+
+protected theorem sub_sub_self (a b : Int) : a - (a - b) = b := by
+  simp [Int.sub_eq_add_neg, ← Int.add_assoc]
+
+protected theorem sub_neg (a b : Int) : a - -b = a + b := by simp [Int.sub_eq_add_neg]
+
+@[simp] protected theorem sub_add_cancel (a b : Int) : a - b + b = a :=
+  Int.neg_add_cancel_right a b
+
+@[simp] protected theorem add_sub_cancel (a b : Int) : a + b - b = a :=
+  Int.add_neg_cancel_right a b
+
+protected theorem add_sub_assoc (a b c : Int) : a + b - c = a + (b - c) := by
+  rw [Int.sub_eq_add_neg, Int.add_assoc, ← Int.sub_eq_add_neg]
+
+theorem ofNat_sub (h : m ≤ n) : ((n - m : Nat) : Int) = n - m := by
+  match m with
+  | 0 => rfl
+  | succ m =>
+    show ofNat (n - succ m) = subNatNat n (succ m)
+    rw [subNatNat, Nat.sub_eq_zero_of_le h]
+
+theorem negSucc_coe' (n : Nat) : -[n+1] = -↑n - 1 := by
+  rw [Int.sub_eq_add_neg, ← Int.neg_add]; rfl
+
+protected theorem subNatNat_eq_coe {m n : Nat} : subNatNat m n = ↑m - ↑n := by
+  apply subNatNat_elim m n fun m n i => i = m - n
+  · intros i n
+    rw [Int.ofNat_add, Int.sub_eq_add_neg, Int.add_assoc, Int.add_left_comm,
+      Int.add_right_neg, Int.add_zero]
+  · intros i n
+    simp only [negSucc_coe, ofNat_add, Int.sub_eq_add_neg, Int.neg_add, ← Int.add_assoc]
+    rw [← @Int.sub_eq_add_neg n, ← ofNat_sub, Nat.sub_self, ofNat_zero, Int.zero_add]
+    apply Nat.le_refl
+
+theorem toNat_sub (m n : Nat) : toNat (m - n) = m - n := by
+  rw [← Int.subNatNat_eq_coe]
+  refine subNatNat_elim m n (fun m n i => toNat i = m - n) (fun i n => ?_) (fun i n => ?_)
+  · exact (Nat.add_sub_cancel_left ..).symm
+  · dsimp; rw [Nat.add_assoc, Nat.sub_eq_zero_of_le (Nat.le_add_right ..)]; rfl
+
+/- ## Ring properties -/
+
+@[simp] theorem ofNat_mul_negSucc (m n : Nat) : (m : Int) * -[n+1] = -↑(m * succ n) := rfl
+
+@[simp] theorem negSucc_mul_ofNat (m n : Nat) : -[m+1] * n = -↑(succ m * n) := rfl
+
+@[simp] theorem negSucc_mul_negSucc (m n : Nat) : -[m+1] * -[n+1] = succ m * succ n := rfl
+
+protected theorem mul_comm (a b : Int) : a * b = b * a := by
+  cases a <;> cases b <;> simp [Nat.mul_comm]
+
+theorem ofNat_mul_negOfNat (m n : Nat) : (m : Nat) * negOfNat n = negOfNat (m * n) := by
+  cases n <;> rfl
+
+theorem negOfNat_mul_ofNat (m n : Nat) : negOfNat m * (n : Nat) = negOfNat (m * n) := by
+  rw [Int.mul_comm]; simp [ofNat_mul_negOfNat, Nat.mul_comm]
+
+theorem negSucc_mul_negOfNat (m n : Nat) : -[m+1] * negOfNat n = ofNat (succ m * n) := by
+  cases n <;> rfl
+
+theorem negOfNat_mul_negSucc (m n : Nat) : negOfNat n * -[m+1] = ofNat (n * succ m) := by
+  rw [Int.mul_comm, negSucc_mul_negOfNat, Nat.mul_comm]
+
+attribute [local simp] ofNat_mul_negOfNat negOfNat_mul_ofNat
+  negSucc_mul_negOfNat negOfNat_mul_negSucc
+
+protected theorem mul_assoc (a b c : Int) : a * b * c = a * (b * c) := by
+  cases a <;> cases b <;> cases c <;> simp [Nat.mul_assoc]
+
+protected theorem mul_left_comm (a b c : Int) : a * (b * c) = b * (a * c) := by
+  rw [← Int.mul_assoc, ← Int.mul_assoc, Int.mul_comm a]
+
+protected theorem mul_right_comm (a b c : Int) : a * b * c = a * c * b := by
+  rw [Int.mul_assoc, Int.mul_assoc, Int.mul_comm b]
+
+@[simp] protected theorem mul_zero (a : Int) : a * 0 = 0 := by cases a <;> rfl
+
+@[simp] protected theorem zero_mul (a : Int) : 0 * a = 0 := Int.mul_comm .. ▸ a.mul_zero
+
+theorem negOfNat_eq_subNatNat_zero (n) : negOfNat n = subNatNat 0 n := by cases n <;> rfl
+
+theorem ofNat_mul_subNatNat (m n k : Nat) :
+    m * subNatNat n k = subNatNat (m * n) (m * k) := by
+  cases m with
+  | zero => simp [ofNat_zero, Int.zero_mul, Nat.zero_mul]
+  | succ m => cases n.lt_or_ge k with
+    | inl h =>
+      have h' : succ m * n < succ m * k := Nat.mul_lt_mul_of_pos_left h (Nat.succ_pos m)
+      simp [subNatNat_of_lt h, subNatNat_of_lt h']
+      rw [succ_pred_eq_of_pos (Nat.sub_pos_of_lt h), ← neg_ofNat_succ, Nat.mul_sub_left_distrib,
+        ← succ_pred_eq_of_pos (Nat.sub_pos_of_lt h')]; rfl
+    | inr h =>
+      have h' : succ m * k ≤ succ m * n := Nat.mul_le_mul_left _ h
+      simp [subNatNat_of_le h, subNatNat_of_le h', Nat.mul_sub_left_distrib]
+
+theorem negOfNat_add (m n : Nat) : negOfNat m + negOfNat n = negOfNat (m + n) := by
+  cases m <;> cases n <;> simp [Nat.succ_add] <;> rfl
+
+theorem negSucc_mul_subNatNat (m n k : Nat) :
+    -[m+1] * subNatNat n k = subNatNat (succ m * k) (succ m * n) := by
+  cases n.lt_or_ge k with
+  | inl h =>
+    have h' : succ m * n < succ m * k := Nat.mul_lt_mul_of_pos_left h (Nat.succ_pos m)
+    rw [subNatNat_of_lt h, subNatNat_of_le (Nat.le_of_lt h')]
+    simp [succ_pred_eq_of_pos (Nat.sub_pos_of_lt h), Nat.mul_sub_left_distrib]
+  | inr h => cases Nat.lt_or_ge k n with
+    | inl h' =>
+      have h₁ : succ m * n > succ m * k := Nat.mul_lt_mul_of_pos_left h' (Nat.succ_pos m)
+      rw [subNatNat_of_le h, subNatNat_of_lt h₁, negSucc_mul_ofNat,
+        Nat.mul_sub_left_distrib, ← succ_pred_eq_of_pos (Nat.sub_pos_of_lt h₁)]; rfl
+    | inr h' => rw [Nat.le_antisymm h h', subNatNat_self, subNatNat_self, Int.mul_zero]
+
+attribute [local simp] ofNat_mul_subNatNat negOfNat_add negSucc_mul_subNatNat
+
+protected theorem mul_add : ∀ a b c : Int, a * (b + c) = a * b + a * c
+  | (m:Nat), (n:Nat), (k:Nat) => by simp [Nat.left_distrib]
+  | (m:Nat), (n:Nat), -[k+1]  => by
+    simp [negOfNat_eq_subNatNat_zero]; rw [← subNatNat_add]; rfl
+  | (m:Nat), -[n+1],  (k:Nat) => by
+    simp [negOfNat_eq_subNatNat_zero]; rw [Int.add_comm, ← subNatNat_add]; rfl
+  | (m:Nat), -[n+1],  -[k+1]  => by simp; rw [← Nat.left_distrib, succ_add]; rfl
+  | -[m+1],  (n:Nat), (k:Nat) => by simp [Nat.mul_comm]; rw [← Nat.right_distrib, Nat.mul_comm]
+  | -[m+1],  (n:Nat), -[k+1]  => by
+    simp [negOfNat_eq_subNatNat_zero]; rw [Int.add_comm, ← subNatNat_add]; rfl
+  | -[m+1],  -[n+1],  (k:Nat) => by simp [negOfNat_eq_subNatNat_zero]; rw [← subNatNat_add]; rfl
+  | -[m+1],  -[n+1],  -[k+1]  => by simp; rw [← Nat.left_distrib, succ_add]; rfl
+
+protected theorem add_mul (a b c : Int) : (a + b) * c = a * c + b * c := by
+  simp [Int.mul_comm, Int.mul_add]
+
+protected theorem neg_mul_eq_neg_mul (a b : Int) : -(a * b) = -a * b :=
+  Int.neg_eq_of_add_eq_zero <| by rw [← Int.add_mul, Int.add_right_neg, Int.zero_mul]
+
+protected theorem neg_mul_eq_mul_neg (a b : Int) : -(a * b) = a * -b :=
+  Int.neg_eq_of_add_eq_zero <| by rw [← Int.mul_add, Int.add_right_neg, Int.mul_zero]
+
+@[local simp] protected theorem neg_mul (a b : Int) : -a * b = -(a * b) :=
+  (Int.neg_mul_eq_neg_mul a b).symm
+
+@[local simp] protected theorem mul_neg (a b : Int) : a * -b = -(a * b) :=
+  (Int.neg_mul_eq_mul_neg a b).symm
+
+protected theorem neg_mul_neg (a b : Int) : -a * -b = a * b := by simp
+
+protected theorem neg_mul_comm (a b : Int) : -a * b = a * -b := by simp
+
+protected theorem mul_sub (a b c : Int) : a * (b - c) = a * b - a * c := by
+  simp [Int.sub_eq_add_neg, Int.mul_add]
+
+protected theorem sub_mul (a b c : Int) : (a - b) * c = a * c - b * c := by
+  simp [Int.sub_eq_add_neg, Int.add_mul]
+
+@[simp] protected theorem one_mul : ∀ a : Int, 1 * a = a
+  | ofNat n => show ofNat (1 * n) = ofNat n by rw [Nat.one_mul]
+  | -[n+1]  => show -[1 * n +1] = -[n+1] by rw [Nat.one_mul]
+
+@[simp] protected theorem mul_one (a : Int) : a * 1 = a := by rw [Int.mul_comm, Int.one_mul]
+
+protected theorem mul_neg_one (a : Int) : a * -1 = -a := by rw [Int.mul_neg, Int.mul_one]
+
+protected theorem neg_eq_neg_one_mul : ∀ a : Int, -a = -1 * a
+  | 0      => rfl
+  | succ n => show _ = -[1 * n +1] by rw [Nat.one_mul]; rfl
+  | -[n+1] => show _ = ofNat _ by rw [Nat.one_mul]; rfl
+
+protected theorem mul_eq_zero {a b : Int} : a * b = 0 ↔ a = 0 ∨ b = 0 := by
+  refine ⟨fun h => ?_, fun h => h.elim (by simp [·, Int.zero_mul]) (by simp [·, Int.mul_zero])⟩
+  exact match a, b, h with
+  | .ofNat 0, _, _ => by simp
+  | _, .ofNat 0, _ => by simp
+  | .ofNat (a+1), .negSucc b, h => by cases h
+
+protected theorem mul_ne_zero {a b : Int} (a0 : a ≠ 0) (b0 : b ≠ 0) : a * b ≠ 0 :=
+  Or.rec a0 b0 ∘ Int.mul_eq_zero.mp
+
+protected theorem eq_of_mul_eq_mul_right {a b c : Int} (ha : a ≠ 0) (h : b * a = c * a) : b = c :=
+  have : (b - c) * a = 0 := by rwa [Int.sub_mul, Int.sub_eq_zero]
+  Int.sub_eq_zero.1 <| (Int.mul_eq_zero.mp this).resolve_right ha
+
+protected theorem eq_of_mul_eq_mul_left {a b c : Int} (ha : a ≠ 0) (h : a * b = a * c) : b = c :=
+  have : a * b - a * c = 0 := Int.sub_eq_zero_of_eq h
+  have : a * (b - c) = 0 := by rw [Int.mul_sub, this]
+  have : b - c = 0 := (Int.mul_eq_zero.1 this).resolve_left ha
+  Int.eq_of_sub_eq_zero this
+
+theorem mul_eq_mul_left_iff {a b c : Int} (h : c ≠ 0) : c * a = c * b ↔ a = b :=
+  ⟨Int.eq_of_mul_eq_mul_left h, fun w => congrArg (fun x => c * x) w⟩
+
+theorem mul_eq_mul_right_iff {a b c : Int} (h : c ≠ 0) : a * c = b * c ↔ a = b :=
+  ⟨Int.eq_of_mul_eq_mul_right h, fun w => congrArg (fun x => x * c) w⟩
+
+theorem eq_one_of_mul_eq_self_left {a b : Int} (Hpos : a ≠ 0) (H : b * a = a) : b = 1 :=
+  Int.eq_of_mul_eq_mul_right Hpos <| by rw [Int.one_mul, H]
+
+theorem eq_one_of_mul_eq_self_right {a b : Int} (Hpos : b ≠ 0) (H : b * a = b) : a = 1 :=
+  Int.eq_of_mul_eq_mul_left Hpos <| by rw [Int.mul_one, H]
+
+/-! NatCast lemmas -/
+
+/-!
+The following lemmas are later subsumed by e.g. `Nat.cast_add` and `Nat.cast_mul` in Mathlib
+but it is convenient to have these earlier, for users who only need `Nat` and `Int`.
+-/
+
+theorem natCast_zero : ((0 : Nat) : Int) = (0 : Int) := rfl
+
+theorem natCast_one : ((1 : Nat) : Int) = (1 : Int) := rfl
+
+@[simp] theorem natCast_add (a b : Nat) : ((a + b : Nat) : Int) = (a : Int) + (b : Int) := by
+  -- Note this only works because of local simp attributes in this file,
+  -- so it still makes sense to tag the lemmas with `@[simp]`.
+  simp
+
+@[simp] theorem natCast_mul (a b : Nat) : ((a * b : Nat) : Int) = (a : Int) * (b : Int) := by
+  simp
+
+end Int

src/Init/Data/Int/Order.lean

@@ -0,0 +1,438 @@
+/-
+Copyright (c) 2016 Jeremy Avigad. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Jeremy Avigad, Deniz Aydin, Floris van Doorn, Mario Carneiro
+-/
+prelude
+import Init.Data.Int.Lemmas
+import Init.ByCases
+
+/-!
+# Results about the order properties of the integers, and the integers as an ordered ring.
+-/
+
+open Nat
+
+namespace Int
+
+/-! ## Order properties of the integers -/
+
+theorem nonneg_def {a : Int} : NonNeg a ↔ ∃ n : Nat, a = n :=
+  ⟨fun ⟨n⟩ => ⟨n, rfl⟩, fun h => match a, h with | _, ⟨n, rfl⟩ => ⟨n⟩⟩
+
+theorem NonNeg.elim {a : Int} : NonNeg a → ∃ n : Nat, a = n := nonneg_def.1
+
+theorem nonneg_or_nonneg_neg : ∀ (a : Int), NonNeg a ∨ NonNeg (-a)
+  | (_:Nat) => .inl ⟨_⟩
+  | -[_+1]  => .inr ⟨_⟩
+
+theorem le_def (a b : Int) : a ≤ b ↔ NonNeg (b - a) := .rfl
+
+theorem lt_iff_add_one_le (a b : Int) : a < b ↔ a + 1 ≤ b := .rfl
+
+theorem le.intro_sub {a b : Int} (n : Nat) (h : b - a = n) : a ≤ b := by
+  simp [le_def, h]; constructor
+
+attribute [local simp] Int.add_left_neg Int.add_right_neg Int.neg_add
+
+theorem le.intro {a b : Int} (n : Nat) (h : a + n = b) : a ≤ b :=
+  le.intro_sub n <| by rw [← h, Int.add_comm]; simp [Int.sub_eq_add_neg, Int.add_assoc]
+
+theorem le.dest_sub {a b : Int} (h : a ≤ b) : ∃ n : Nat, b - a = n := nonneg_def.1 h
+
+theorem le.dest {a b : Int} (h : a ≤ b) : ∃ n : Nat, a + n = b :=
+  let ⟨n, h₁⟩ := le.dest_sub h
+  ⟨n, by rw [← h₁, Int.add_comm]; simp [Int.sub_eq_add_neg, Int.add_assoc]⟩
+
+protected theorem le_total (a b : Int) : a ≤ b ∨ b ≤ a :=
+  (nonneg_or_nonneg_neg (b - a)).imp_right fun H => by
+    rwa [show -(b - a) = a - b by simp [Int.add_comm, Int.sub_eq_add_neg]] at H
+
+@[simp] theorem ofNat_le {m n : Nat} : (↑m : Int) ≤ ↑n ↔ m ≤ n :=
+  ⟨fun h =>
+    let ⟨k, hk⟩ := le.dest h
+    Nat.le.intro <| Int.ofNat.inj <| (Int.ofNat_add m k).trans hk,
+  fun h =>
+    let ⟨k, (hk : m + k = n)⟩ := Nat.le.dest h
+    le.intro k (by rw [← hk]; rfl)⟩
+
+theorem ofNat_zero_le (n : Nat) : 0 ≤ (↑n : Int) := ofNat_le.2 n.zero_le
+
+theorem eq_ofNat_of_zero_le {a : Int} (h : 0 ≤ a) : ∃ n : Nat, a = n := by
+  have t := le.dest_sub h; rwa [Int.sub_zero] at t
+
+theorem eq_succ_of_zero_lt {a : Int} (h : 0 < a) : ∃ n : Nat, a = n.succ :=
+  let ⟨n, (h : ↑(1 + n) = a)⟩ := le.dest h
+  ⟨n, by rw [Nat.add_comm] at h; exact h.symm⟩
+
+theorem lt_add_succ (a : Int) (n : Nat) : a < a + Nat.succ n :=
+  le.intro n <| by rw [Int.add_comm, Int.add_left_comm]; rfl
+
+theorem lt.intro {a b : Int} {n : Nat} (h : a + Nat.succ n = b) : a < b :=
+  h ▸ lt_add_succ a n
+
+theorem lt.dest {a b : Int} (h : a < b) : ∃ n : Nat, a + Nat.succ n = b :=
+  let ⟨n, h⟩ := le.dest h; ⟨n, by rwa [Int.add_comm, Int.add_left_comm] at h⟩
+
+@[simp] theorem ofNat_lt {n m : Nat} : (↑n : Int) < ↑m ↔ n < m := by
+  rw [lt_iff_add_one_le, ← ofNat_succ, ofNat_le]; rfl
+
+@[simp] theorem ofNat_pos {n : Nat} : 0 < (↑n : Int) ↔ 0 < n := ofNat_lt
+
+theorem ofNat_nonneg (n : Nat) : 0 ≤ (n : Int) := ⟨_⟩
+
+theorem ofNat_succ_pos (n : Nat) : 0 < (succ n : Int) := ofNat_lt.2 <| Nat.succ_pos _
+
+@[simp] protected theorem le_refl (a : Int) : a ≤ a :=
+  le.intro _ (Int.add_zero a)
+
+protected theorem le_trans {a b c : Int} (h₁ : a ≤ b) (h₂ : b ≤ c) : a ≤ c :=
+  let ⟨n, hn⟩ := le.dest h₁; let ⟨m, hm⟩ := le.dest h₂
+  le.intro (n + m) <| by rw [← hm, ← hn, Int.add_assoc, ofNat_add]
+
+protected theorem le_antisymm {a b : Int} (h₁ : a ≤ b) (h₂ : b ≤ a) : a = b := by
+  let ⟨n, hn⟩ := le.dest h₁; let ⟨m, hm⟩ := le.dest h₂
+  have := hn; rw [← hm, Int.add_assoc, ← ofNat_add] at this
+  have := Int.ofNat.inj <| Int.add_left_cancel <| this.trans (Int.add_zero _).symm
+  rw [← hn, Nat.eq_zero_of_add_eq_zero_left this, ofNat_zero, Int.add_zero a]
+
+protected theorem lt_irrefl (a : Int) : ¬a < a := fun H =>
+  let ⟨n, hn⟩ := lt.dest H
+  have : (a+Nat.succ n) = a+0 := by
+    rw [hn, Int.add_zero]
+  have : Nat.succ n = 0 := Int.ofNat.inj (Int.add_left_cancel this)
+  show False from Nat.succ_ne_zero _ this
+
+protected theorem ne_of_lt {a b : Int} (h : a < b) : a ≠ b := fun e => by
+  cases e; exact Int.lt_irrefl _ h
+
+protected theorem ne_of_gt {a b : Int} (h : b < a) : a ≠ b := (Int.ne_of_lt h).symm
+
+protected theorem le_of_lt {a b : Int} (h : a < b) : a ≤ b :=
+  let ⟨_, hn⟩ := lt.dest h; le.intro _ hn
+
+protected theorem lt_iff_le_and_ne {a b : Int} : a < b ↔ a ≤ b ∧ a ≠ b := by
+  refine ⟨fun h => ⟨Int.le_of_lt h, Int.ne_of_lt h⟩, fun ⟨aleb, aneb⟩ => ?_⟩
+  let ⟨n, hn⟩ := le.dest aleb
+  have : n ≠ 0 := aneb.imp fun eq => by rw [← hn, eq, ofNat_zero, Int.add_zero]
+  apply lt.intro; rwa [← Nat.succ_pred_eq_of_pos (Nat.pos_of_ne_zero this)] at hn
+
+theorem lt_succ (a : Int) : a < a + 1 := Int.le_refl _
+
+protected theorem zero_lt_one : (0 : Int) < 1 := ⟨_⟩
+
+protected theorem lt_iff_le_not_le {a b : Int} : a < b ↔ a ≤ b ∧ ¬b ≤ a := by
+  rw [Int.lt_iff_le_and_ne]
+  constructor <;> refine fun ⟨h, h'⟩ => ⟨h, h'.imp fun h' => ?_⟩
+  · exact Int.le_antisymm h h'
+  · subst h'; apply Int.le_refl
+
+protected theorem not_le {a b : Int} : ¬a ≤ b ↔ b < a :=
+  ⟨fun h => Int.lt_iff_le_not_le.2 ⟨(Int.le_total ..).resolve_right h, h⟩,
+   fun h => (Int.lt_iff_le_not_le.1 h).2⟩
+
+protected theorem not_lt {a b : Int} : ¬a < b ↔ b ≤ a :=
+  by rw [← Int.not_le, Decidable.not_not]
+
+protected theorem lt_trichotomy (a b : Int) : a < b ∨ a = b ∨ b < a :=
+  if eq : a = b then .inr <| .inl eq else
+  if le : a ≤ b then .inl <| Int.lt_iff_le_and_ne.2 ⟨le, eq⟩ else
+  .inr <| .inr <| Int.not_le.1 le
+
+protected theorem ne_iff_lt_or_gt {a b : Int} : a ≠ b ↔ a < b ∨ b < a := by
+  constructor
+  · intro h
+    cases Int.lt_trichotomy a b
+    case inl lt => exact Or.inl lt
+    case inr h =>
+      cases h
+      case inl =>simp_all
+      case inr gt => exact Or.inr gt
+  · intro h
+    cases h
+    case inl lt => exact Int.ne_of_lt lt
+    case inr gt => exact Int.ne_of_gt gt
+
+protected theorem lt_or_gt_of_ne {a b : Int} : a ≠ b →  a < b ∨ b < a:= Int.ne_iff_lt_or_gt.mp
+
+protected theorem eq_iff_le_and_ge {x y : Int} : x = y ↔ x ≤ y ∧ y ≤ x := by
+  constructor
+  · simp_all
+  · intro ⟨h₁, h₂⟩
+    exact Int.le_antisymm h₁ h₂
+
+protected theorem lt_of_le_of_lt {a b c : Int} (h₁ : a ≤ b) (h₂ : b < c) : a < c :=
+  Int.not_le.1 fun h => Int.not_le.2 h₂ (Int.le_trans h h₁)
+
+protected theorem lt_of_lt_of_le {a b c : Int} (h₁ : a < b) (h₂ : b ≤ c) : a < c :=
+  Int.not_le.1 fun h => Int.not_le.2 h₁ (Int.le_trans h₂ h)
+
+protected theorem lt_trans {a b c : Int} (h₁ : a < b) (h₂ : b < c) : a < c :=
+  Int.lt_of_le_of_lt (Int.le_of_lt h₁) h₂
+
+instance : Trans (α := Int) (· ≤ ·) (· ≤ ·) (· ≤ ·) := ⟨Int.le_trans⟩
+
+instance : Trans (α := Int) (· < ·) (· ≤ ·) (· < ·) := ⟨Int.lt_of_lt_of_le⟩
+
+instance : Trans (α := Int) (· ≤ ·) (· < ·) (· < ·) := ⟨Int.lt_of_le_of_lt⟩
+
+instance : Trans (α := Int) (· < ·) (· < ·) (· < ·) := ⟨Int.lt_trans⟩
+
+protected theorem min_def (n m : Int) : min n m = if n ≤ m then n else m := rfl
+
+protected theorem max_def (n m : Int) : max n m = if n ≤ m then m else n := rfl
+
+protected theorem min_comm (a b : Int) : min a b = min b a := by
+  simp [Int.min_def]
+  by_cases h₁ : a ≤ b <;> by_cases h₂ : b ≤ a <;> simp [h₁, h₂]
+  · exact Int.le_antisymm h₁ h₂
+  · cases not_or_intro h₁ h₂ <| Int.le_total ..
+
+protected theorem min_le_right (a b : Int) : min a b ≤ b := by rw [Int.min_def]; split <;> simp [*]
+
+protected theorem min_le_left (a b : Int) : min a b ≤ a := Int.min_comm .. ▸ Int.min_le_right ..
+
+protected theorem le_min {a b c : Int} : a ≤ min b c ↔ a ≤ b ∧ a ≤ c :=
+  ⟨fun h => ⟨Int.le_trans h (Int.min_le_left ..), Int.le_trans h (Int.min_le_right ..)⟩,
+   fun ⟨h₁, h₂⟩ => by rw [Int.min_def]; split <;> assumption⟩
+
+protected theorem max_comm (a b : Int) : max a b = max b a := by
+  simp only [Int.max_def]
+  by_cases h₁ : a ≤ b <;> by_cases h₂ : b ≤ a <;> simp [h₁, h₂]
+  · exact Int.le_antisymm h₂ h₁
+  · cases not_or_intro h₁ h₂ <| Int.le_total ..
+
+protected theorem le_max_left (a b : Int) : a ≤ max a b := by rw [Int.max_def]; split <;> simp [*]
+
+protected theorem le_max_right (a b : Int) : b ≤ max a b := Int.max_comm .. ▸ Int.le_max_left ..
+
+protected theorem max_le {a b c : Int} : max a b ≤ c ↔ a ≤ c ∧ b ≤ c :=
+  ⟨fun h => ⟨Int.le_trans (Int.le_max_left ..) h, Int.le_trans (Int.le_max_right ..) h⟩,
+   fun ⟨h₁, h₂⟩ => by rw [Int.max_def]; split <;> assumption⟩
+
+theorem eq_natAbs_of_zero_le {a : Int} (h : 0 ≤ a) : a = natAbs a := by
+  let ⟨n, e⟩ := eq_ofNat_of_zero_le h
+  rw [e]; rfl
+
+theorem le_natAbs {a : Int} : a ≤ natAbs a :=
+  match Int.le_total 0 a with
+  | .inl h => by rw [eq_natAbs_of_zero_le h]; apply Int.le_refl
+  | .inr h => Int.le_trans h (ofNat_zero_le _)
+
+theorem negSucc_lt_zero (n : Nat) : -[n+1] < 0 :=
+  Int.not_le.1 fun h => let ⟨_, h⟩ := eq_ofNat_of_zero_le h; nomatch h
+
+@[simp] theorem negSucc_not_nonneg (n : Nat) : 0 ≤ -[n+1] ↔ False := by
+  simp only [Int.not_le, iff_false]; exact Int.negSucc_lt_zero n
+
+protected theorem add_le_add_left {a b : Int} (h : a ≤ b) (c : Int) : c + a ≤ c + b :=
+  let ⟨n, hn⟩ := le.dest h; le.intro n <| by rw [Int.add_assoc, hn]
+
+protected theorem add_lt_add_left {a b : Int} (h : a < b) (c : Int) : c + a < c + b :=
+  Int.lt_iff_le_and_ne.2 ⟨Int.add_le_add_left (Int.le_of_lt h) _, fun heq =>
+    b.lt_irrefl <| by rwa [Int.add_left_cancel heq] at h⟩
+
+protected theorem add_le_add_right {a b : Int} (h : a ≤ b) (c : Int) : a + c ≤ b + c :=
+  Int.add_comm c a ▸ Int.add_comm c b ▸ Int.add_le_add_left h c
+
+protected theorem add_lt_add_right {a b : Int} (h : a < b) (c : Int) : a + c < b + c :=
+  Int.add_comm c a ▸ Int.add_comm c b ▸ Int.add_lt_add_left h c
+
+protected theorem le_of_add_le_add_left {a b c : Int} (h : a + b ≤ a + c) : b ≤ c := by
+  have : -a + (a + b) ≤ -a + (a + c) := Int.add_le_add_left h _
+  simp [Int.neg_add_cancel_left] at this
+  assumption
+
+protected theorem le_of_add_le_add_right {a b c : Int} (h : a + b ≤ c + b) : a ≤ c :=
+  Int.le_of_add_le_add_left (a := b) <| by rwa [Int.add_comm b a, Int.add_comm b c]
+
+protected theorem add_le_add_iff_left (a : Int) : a + b ≤ a + c ↔ b ≤ c :=
+  ⟨Int.le_of_add_le_add_left, (Int.add_le_add_left · _)⟩
+
+protected theorem add_le_add_iff_right (c : Int) : a + c ≤ b + c ↔ a ≤ b :=
+  ⟨Int.le_of_add_le_add_right, (Int.add_le_add_right · _)⟩
+
+protected theorem add_le_add {a b c d : Int} (h₁ : a ≤ b) (h₂ : c ≤ d) : a + c ≤ b + d :=
+  Int.le_trans (Int.add_le_add_right h₁ c) (Int.add_le_add_left h₂ b)
+
+protected theorem le_add_of_nonneg_right {a b : Int} (h : 0 ≤ b) : a ≤ a + b := by
+  have : a + b ≥ a + 0 := Int.add_le_add_left h a
+  rwa [Int.add_zero] at this
+
+protected theorem le_add_of_nonneg_left {a b : Int} (h : 0 ≤ b) : a ≤ b + a := by
+  have : 0 + a ≤ b + a := Int.add_le_add_right h a
+  rwa [Int.zero_add] at this
+
+protected theorem neg_le_neg {a b : Int} (h : a ≤ b) : -b ≤ -a := by
+  have : 0 ≤ -a + b := Int.add_left_neg a ▸ Int.add_le_add_left h (-a)
+  have : 0 + -b ≤ -a + b + -b := Int.add_le_add_right this (-b)
+  rwa [Int.add_neg_cancel_right, Int.zero_add] at this
+
+protected theorem le_of_neg_le_neg {a b : Int} (h : -b ≤ -a) : a ≤ b :=
+  suffices - -a ≤ - -b by simp [Int.neg_neg] at this; assumption
+  Int.neg_le_neg h
+
+protected theorem neg_nonpos_of_nonneg {a : Int} (h : 0 ≤ a) : -a ≤ 0 := by
+  have : -a ≤ -0 := Int.neg_le_neg h
+  rwa [Int.neg_zero] at this
+
+protected theorem neg_nonneg_of_nonpos {a : Int} (h : a ≤ 0) : 0 ≤ -a := by
+  have : -0 ≤ -a := Int.neg_le_neg h
+  rwa [Int.neg_zero] at this
+
+protected theorem neg_lt_neg {a b : Int} (h : a < b) : -b < -a := by
+  have : 0 < -a + b := Int.add_left_neg a ▸ Int.add_lt_add_left h (-a)
+  have : 0 + -b < -a + b + -b := Int.add_lt_add_right this (-b)
+  rwa [Int.add_neg_cancel_right, Int.zero_add] at this
+
+protected theorem neg_neg_of_pos {a : Int} (h : 0 < a) : -a < 0 := by
+  have : -a < -0 := Int.neg_lt_neg h
+  rwa [Int.neg_zero] at this
+
+protected theorem neg_pos_of_neg {a : Int} (h : a < 0) : 0 < -a := by
+  have : -0 < -a := Int.neg_lt_neg h
+  rwa [Int.neg_zero] at this
+
+protected theorem sub_nonneg_of_le {a b : Int} (h : b ≤ a) : 0 ≤ a - b := by
+  have h := Int.add_le_add_right h (-b)
+  rwa [Int.add_right_neg] at h
+
+protected theorem le_of_sub_nonneg {a b : Int} (h : 0 ≤ a - b) : b ≤ a := by
+  have h := Int.add_le_add_right h b
+  rwa [Int.sub_add_cancel, Int.zero_add] at h
+
+protected theorem sub_pos_of_lt {a b : Int} (h : b < a) : 0 < a - b := by
+  have h := Int.add_lt_add_right h (-b)
+  rwa [Int.add_right_neg] at h
+
+protected theorem lt_of_sub_pos {a b : Int} (h : 0 < a - b) : b < a := by
+  have h := Int.add_lt_add_right h b
+  rwa [Int.sub_add_cancel, Int.zero_add] at h
+
+protected theorem sub_left_le_of_le_add {a b c : Int} (h : a ≤ b + c) : a - b ≤ c := by
+  have h := Int.add_le_add_right h (-b)
+  rwa [Int.add_comm b c, Int.add_neg_cancel_right] at h
+
+protected theorem sub_le_self (a : Int) {b : Int} (h : 0 ≤ b) : a - b ≤ a :=
+  calc  a + -b
+    _ ≤ a + 0 := Int.add_le_add_left (Int.neg_nonpos_of_nonneg h) _
+    _ = a     := by rw [Int.add_zero]
+
+protected theorem sub_lt_self (a : Int) {b : Int} (h : 0 < b) : a - b < a :=
+  calc  a + -b
+    _ < a + 0 := Int.add_lt_add_left (Int.neg_neg_of_pos h) _
+    _ = a     := by rw [Int.add_zero]
+
+theorem add_one_le_of_lt {a b : Int} (H : a < b) : a + 1 ≤ b := H
+
+/- ### Order properties and multiplication -/
+
+
+protected theorem mul_nonneg {a b : Int} (ha : 0 ≤ a) (hb : 0 ≤ b) : 0 ≤ a * b := by
+  let ⟨n, hn⟩ := eq_ofNat_of_zero_le ha
+  let ⟨m, hm⟩ := eq_ofNat_of_zero_le hb
+  rw [hn, hm, ← ofNat_mul]; apply ofNat_nonneg
+
+protected theorem mul_pos {a b : Int} (ha : 0 < a) (hb : 0 < b) : 0 < a * b := by
+  let ⟨n, hn⟩ := eq_succ_of_zero_lt ha
+  let ⟨m, hm⟩ := eq_succ_of_zero_lt hb
+  rw [hn, hm, ← ofNat_mul]; apply ofNat_succ_pos
+
+protected theorem mul_lt_mul_of_pos_left {a b c : Int}
+  (h₁ : a < b) (h₂ : 0 < c) : c * a < c * b := by
+  have : 0 < c * (b - a) := Int.mul_pos h₂ (Int.sub_pos_of_lt h₁)
+  rw [Int.mul_sub] at this
+  exact Int.lt_of_sub_pos this
+
+protected theorem mul_lt_mul_of_pos_right {a b c : Int}
+  (h₁ : a < b) (h₂ : 0 < c) : a * c < b * c := by
+  have : 0 < b - a := Int.sub_pos_of_lt h₁
+  have : 0 < (b - a) * c := Int.mul_pos this h₂
+  rw [Int.sub_mul] at this
+  exact Int.lt_of_sub_pos this
+
+protected theorem mul_le_mul_of_nonneg_left {a b c : Int}
+    (h₁ : a ≤ b) (h₂ : 0 ≤ c) : c * a ≤ c * b :=
+  if hba : b ≤ a then by
+    rw [Int.le_antisymm hba h₁]; apply Int.le_refl
+  else if hc0 : c ≤ 0 then by
+    simp [Int.le_antisymm hc0 h₂, Int.zero_mul]
+  else by
+    exact Int.le_of_lt <| Int.mul_lt_mul_of_pos_left
+      (Int.lt_iff_le_not_le.2 ⟨h₁, hba⟩) (Int.lt_iff_le_not_le.2 ⟨h₂, hc0⟩)
+
+protected theorem mul_le_mul_of_nonneg_right {a b c : Int}
+    (h₁ : a ≤ b) (h₂ : 0 ≤ c) : a * c ≤ b * c := by
+  rw [Int.mul_comm, Int.mul_comm b]; exact Int.mul_le_mul_of_nonneg_left h₁ h₂
+
+protected theorem mul_le_mul {a b c d : Int}
+    (hac : a ≤ c) (hbd : b ≤ d) (nn_b : 0 ≤ b) (nn_c : 0 ≤ c) : a * b ≤ c * d :=
+  Int.le_trans (Int.mul_le_mul_of_nonneg_right hac nn_b) (Int.mul_le_mul_of_nonneg_left hbd nn_c)
+
+protected theorem mul_nonpos_of_nonneg_of_nonpos {a b : Int}
+  (ha : 0 ≤ a) (hb : b ≤ 0) : a * b ≤ 0 := by
+  have h : a * b ≤ a * 0 := Int.mul_le_mul_of_nonneg_left hb ha
+  rwa [Int.mul_zero] at h
+
+protected theorem mul_nonpos_of_nonpos_of_nonneg {a b : Int}
+  (ha : a ≤ 0) (hb : 0 ≤ b) : a * b ≤ 0 := by
+  have h : a * b ≤ 0 * b := Int.mul_le_mul_of_nonneg_right ha hb
+  rwa [Int.zero_mul] at h
+
+protected theorem mul_le_mul_of_nonpos_right {a b c : Int}
+    (h : b ≤ a) (hc : c ≤ 0) : a * c ≤ b * c :=
+  have : -c ≥ 0 := Int.neg_nonneg_of_nonpos hc
+  have : b * -c ≤ a * -c := Int.mul_le_mul_of_nonneg_right h this
+  Int.le_of_neg_le_neg <| by rwa [← Int.neg_mul_eq_mul_neg, ← Int.neg_mul_eq_mul_neg] at this
+
+protected theorem mul_le_mul_of_nonpos_left {a b c : Int}
+    (ha : a ≤ 0) (h : c ≤ b) : a * b ≤ a * c := by
+  rw [Int.mul_comm a b, Int.mul_comm a c]
+  apply Int.mul_le_mul_of_nonpos_right h ha
+
+/- ## natAbs -/
+
+@[simp] theorem natAbs_ofNat (n : Nat) : natAbs ↑n = n := rfl
+@[simp] theorem natAbs_negSucc (n : Nat) : natAbs -[n+1] = n.succ := rfl
+@[simp] theorem natAbs_zero : natAbs (0 : Int) = (0 : Nat) := rfl
+@[simp] theorem natAbs_one : natAbs (1 : Int) = (1 : Nat) := rfl
+
+@[simp] theorem natAbs_eq_zero : natAbs a = 0 ↔ a = 0 :=
+  ⟨fun H => match a with
+    | ofNat _ => congrArg ofNat H
+    | -[_+1]  => absurd H (succ_ne_zero _),
+  fun e => e ▸ rfl⟩
+
+theorem natAbs_pos : 0 < natAbs a ↔ a ≠ 0 := by rw [Nat.pos_iff_ne_zero, Ne, natAbs_eq_zero]
+
+@[simp] theorem natAbs_neg : ∀ (a : Int), natAbs (-a) = natAbs a
+  | 0      => rfl
+  | succ _ => rfl
+  | -[_+1] => rfl
+
+theorem natAbs_eq : ∀ (a : Int), a = natAbs a ∨ a = -↑(natAbs a)
+  | ofNat _ => Or.inl rfl
+  | -[_+1]  => Or.inr rfl
+
+theorem natAbs_negOfNat (n : Nat) : natAbs (negOfNat n) = n := by
+  cases n <;> rfl
+
+theorem natAbs_mul (a b : Int) : natAbs (a * b) = natAbs a * natAbs b := by
+  cases a <;> cases b <;>
+    simp only [← Int.mul_def, Int.mul, natAbs_negOfNat] <;> simp only [natAbs]
+
+theorem natAbs_eq_natAbs_iff {a b : Int} : a.natAbs = b.natAbs ↔ a = b ∨ a = -b := by
+  constructor <;> intro h
+  · cases Int.natAbs_eq a with
+    | inl h₁ | inr h₁ =>
+      cases Int.natAbs_eq b with
+      | inl h₂ | inr h₂ => rw [h₁, h₂]; simp [h]
+  · cases h with (subst a; try rfl)
+    | inr h => rw [Int.natAbs_neg]
+
+theorem natAbs_of_nonneg {a : Int} (H : 0 ≤ a) : (natAbs a : Int) = a :=
+  match a, eq_ofNat_of_zero_le H with
+  | _, ⟨_, rfl⟩ => rfl
+
+theorem ofNat_natAbs_of_nonpos {a : Int} (H : a ≤ 0) : (natAbs a : Int) = -a := by
+  rw [← natAbs_neg, natAbs_of_nonneg (Int.neg_nonneg_of_nonpos H)]

src/Init/Data/List.lean

@@ -7,3 +7,4 @@ prelude
 import Init.Data.List.Basic
 import Init.Data.List.BasicAux
 import Init.Data.List.Control
+import Init.Data.List.Lemmas

src/Init/Data/List/Basic.lean

@@ -124,7 +124,8 @@ def appendTR (as bs : List α) : List α :=
   induction as with
   | nil  => rfl
   | cons a as ih =>
-    simp [reverseAux, List.append, ih, reverseAux_reverseAux]
+    rw [reverseAux, reverseAux_reverseAux]
+    simp [List.append, ih, reverseAux]
 
 instance : Append (List α) := ⟨List.append⟩
 
@@ -602,6 +603,27 @@ The longer list is truncated to match the shorter list.
 def zip : List α → List β → List (Prod α β) :=
   zipWith Prod.mk
 
+/--
+`O(max |xs| |ys|)`.
+Version of `List.zipWith` that continues to the end of both lists,
+passing `none` to one argument once the shorter list has run out.
+-/
+def zipWithAll (f : Option α → Option β → γ) : List α → List β → List γ
+  | [], bs => bs.map fun b => f none (some b)
+  | a :: as, [] => (a :: as).map fun a => f (some a) none
+  | a :: as, b :: bs => f a b :: zipWithAll f as bs
+
+@[simp] theorem zipWithAll_nil_right :
+    zipWithAll f as [] = as.map fun a => f (some a) none := by
+  cases as <;> rfl
+
+@[simp] theorem zipWithAll_nil_left :
+    zipWithAll f [] bs = bs.map fun b => f none (some b) := by
+  rfl
+
+@[simp] theorem zipWithAll_cons_cons :
+    zipWithAll f (a :: as) (b :: bs) = f (some a) (some b) :: zipWithAll f as bs := rfl
+
 /--
 `O(|l|)`. Separates a list of pairs into two lists containing the first components and second components.
 * `unzip [(x₁, y₁), (x₂, y₂), (x₃, y₃)] = ([x₁, x₂, x₃], [y₁, y₂, y₃])`
@@ -867,6 +889,33 @@ def minimum? [Min α] : List α → Option α
   | []    => none
   | a::as => some <| as.foldl min a
 
+/-- Inserts an element into a list without duplication. -/
+@[inline] protected def insert [BEq α] (a : α) (l : List α) : List α :=
+  if l.elem a then l else a :: l
+
+instance decidableBEx (p : α → Prop) [DecidablePred p] :
+    ∀ l : List α, Decidable (Exists fun x => x ∈ l ∧ p x)
+  | [] => isFalse nofun
+  | x :: xs =>
+    if h₁ : p x then isTrue ⟨x, .head .., h₁⟩ else
+      match decidableBEx p xs with
+      | isTrue h₂ => isTrue <| let ⟨y, hm, hp⟩ := h₂; ⟨y, .tail _ hm, hp⟩
+      | isFalse h₂ => isFalse fun
+        | ⟨y, .tail _ h, hp⟩ => h₂ ⟨y, h, hp⟩
+        | ⟨_, .head .., hp⟩ => h₁ hp
+
+instance decidableBAll (p : α → Prop) [DecidablePred p] :
+    ∀ l : List α, Decidable (∀ x, x ∈ l → p x)
+  | [] => isTrue nofun
+  | x :: xs =>
+    if h₁ : p x then
+      match decidableBAll p xs with
+      | isTrue h₂ => isTrue fun
+        | y, .tail _ h => h₂ y h
+        | _, .head .. => h₁
+      | isFalse h₂ => isFalse fun H => h₂ fun y hm => H y (.tail _ hm)
+    else isFalse fun H => h₁ <| H x (.head ..)
+
 instance [BEq α] [LawfulBEq α] : LawfulBEq (List α) where
   eq_of_beq {as bs} := by
     induction as generalizing bs with
@@ -875,7 +924,7 @@ instance [BEq α] [LawfulBEq α] : LawfulBEq (List α) where
       cases bs with
       | nil => intro h; contradiction
       | cons b bs =>
-        simp [show (a::as == b::bs) = (a == b && as == bs) from rfl]
+        simp [show (a::as == b::bs) = (a == b && as == bs) from rfl, -and_imp]
         intro ⟨h₁, h₂⟩
         exact ⟨h₁, ih h₂⟩
   rfl {as} := by

src/Init/Data/List/Lemmas.lean

@@ -0,0 +1,630 @@
+/-
+Copyright (c) 2014 Parikshit Khanna. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Parikshit Khanna, Jeremy Avigad, Leonardo de Moura, Floris van Doorn, Mario Carneiro
+-/
+prelude
+import Init.Data.List.BasicAux
+import Init.Data.List.Control
+import Init.PropLemmas
+import Init.Control.Lawful
+import Init.Hints
+
+namespace List
+
+open Nat
+
+/-!
+# Bootstrapping theorems for lists
+
+These are theorems used in the definitions of `Std.Data.List.Basic` and tactics.
+New theorems should be added to `Std.Data.List.Lemmas` if they are not needed by the bootstrap.
+-/
+
+attribute [simp] concat_eq_append append_assoc
+
+@[simp] theorem get?_nil : @get? α [] n = none := rfl
+@[simp] theorem get?_cons_zero : @get? α (a::l) 0 = some a := rfl
+@[simp] theorem get?_cons_succ : @get? α (a::l) (n+1) = get? l n := rfl
+@[simp] theorem get_cons_zero : get (a::l) (0 : Fin (l.length + 1)) = a := rfl
+@[simp] theorem head?_nil : @head? α [] = none := rfl
+@[simp] theorem head?_cons : @head? α (a::l) = some a := rfl
+@[simp 1100] theorem headD_nil : @headD α [] d = d := rfl
+@[simp 1100] theorem headD_cons : @headD α (a::l) d = a := rfl
+@[simp] theorem head_cons : @head α (a::l) h = a := rfl
+@[simp] theorem tail?_nil : @tail? α [] = none := rfl
+@[simp] theorem tail?_cons : @tail? α (a::l) = some l := rfl
+@[simp] theorem tail!_cons : @tail! α (a::l) = l := rfl
+@[simp 1100] theorem tailD_nil : @tailD α [] l' = l' := rfl
+@[simp 1100] theorem tailD_cons : @tailD α (a::l) l' = l := rfl
+@[simp] theorem any_nil : [].any f = false := rfl
+@[simp] theorem any_cons : (a::l).any f = (f a || l.any f) := rfl
+@[simp] theorem all_nil : [].all f = true := rfl
+@[simp] theorem all_cons : (a::l).all f = (f a && l.all f) := rfl
+@[simp] theorem or_nil : [].or = false := rfl
+@[simp] theorem or_cons : (a::l).or = (a || l.or) := rfl
+@[simp] theorem and_nil : [].and = true := rfl
+@[simp] theorem and_cons : (a::l).and = (a && l.and) := rfl
+
+/-! ### length -/
+
+theorem eq_nil_of_length_eq_zero (_ : length l = 0) : l = [] := match l with | [] => rfl
+
+theorem ne_nil_of_length_eq_succ (_ : length l = succ n) : l ≠ [] := fun _ => nomatch l
+
+theorem length_eq_zero : length l = 0 ↔ l = [] :=
+  ⟨eq_nil_of_length_eq_zero, fun h => h ▸ rfl⟩
+
+/-! ### mem -/
+
+@[simp] theorem not_mem_nil (a : α) : ¬ a ∈ [] := nofun
+
+@[simp] theorem mem_cons : a ∈ (b :: l) ↔ a = b ∨ a ∈ l :=
+  ⟨fun h => by cases h <;> simp [Membership.mem, *],
+   fun | Or.inl rfl => by constructor | Or.inr h => by constructor; assumption⟩
+
+theorem mem_cons_self (a : α) (l : List α) : a ∈ a :: l := .head ..
+
+theorem mem_cons_of_mem (y : α) {a : α} {l : List α} : a ∈ l → a ∈ y :: l := .tail _
+
+theorem eq_nil_iff_forall_not_mem {l : List α} : l = [] ↔ ∀ a, a ∉ l := by
+  cases l <;> simp
+
+/-! ### append -/
+
+@[simp 1100] theorem singleton_append : [x] ++ l = x :: l := rfl
+
+theorem append_inj :
+    ∀ {s₁ s₂ t₁ t₂ : List α}, s₁ ++ t₁ = s₂ ++ t₂ → length s₁ = length s₂ → s₁ = s₂ ∧ t₁ = t₂
+  | [], [], t₁, t₂, h, _ => ⟨rfl, h⟩
+  | a :: s₁, b :: s₂, t₁, t₂, h, hl => by
+    simp [append_inj (cons.inj h).2 (Nat.succ.inj hl)] at h ⊢; exact h
+
+theorem append_inj_right (h : s₁ ++ t₁ = s₂ ++ t₂) (hl : length s₁ = length s₂) : t₁ = t₂ :=
+  (append_inj h hl).right
+
+theorem append_inj_left (h : s₁ ++ t₁ = s₂ ++ t₂) (hl : length s₁ = length s₂) : s₁ = s₂ :=
+  (append_inj h hl).left
+
+theorem append_inj' (h : s₁ ++ t₁ = s₂ ++ t₂) (hl : length t₁ = length t₂) : s₁ = s₂ ∧ t₁ = t₂ :=
+  append_inj h <| @Nat.add_right_cancel _ (length t₁) _ <| by
+  let hap := congrArg length h; simp only [length_append, ← hl] at hap; exact hap
+
+theorem append_inj_right' (h : s₁ ++ t₁ = s₂ ++ t₂) (hl : length t₁ = length t₂) : t₁ = t₂ :=
+  (append_inj' h hl).right
+
+theorem append_inj_left' (h : s₁ ++ t₁ = s₂ ++ t₂) (hl : length t₁ = length t₂) : s₁ = s₂ :=
+  (append_inj' h hl).left
+
+theorem append_right_inj {t₁ t₂ : List α} (s) : s ++ t₁ = s ++ t₂ ↔ t₁ = t₂ :=
+  ⟨fun h => append_inj_right h rfl, congrArg _⟩
+
+theorem append_left_inj {s₁ s₂ : List α} (t) : s₁ ++ t = s₂ ++ t ↔ s₁ = s₂ :=
+  ⟨fun h => append_inj_left' h rfl, congrArg (· ++ _)⟩
+
+@[simp] theorem append_eq_nil : p ++ q = [] ↔ p = [] ∧ q = [] := by
+  cases p <;> simp
+
+/-! ### map -/
+
+@[simp] theorem map_nil {f : α → β} : map f [] = [] := rfl
+
+@[simp] theorem map_cons (f : α → β) a l : map f (a :: l) = f a :: map f l := rfl
+
+@[simp] theorem map_append (f : α → β) : ∀ l₁ l₂, map f (l₁ ++ l₂) = map f l₁ ++ map f l₂ := by
+  intro l₁; induction l₁ <;> intros <;> simp_all
+
+@[simp] theorem map_id (l : List α) : map id l = l := by induction l <;> simp_all
+
+@[simp] theorem map_id' (l : List α) : map (fun a => a) l = l := by induction l <;> simp_all
+
+@[simp] theorem mem_map {f : α → β} : ∀ {l : List α}, b ∈ l.map f ↔ ∃ a, a ∈ l ∧ f a = b
+  | [] => by simp
+  | _ :: l => by simp [mem_map (l := l), eq_comm (a := b)]
+
+theorem mem_map_of_mem (f : α → β) (h : a ∈ l) : f a ∈ map f l := mem_map.2 ⟨_, h, rfl⟩
+
+@[simp] theorem map_map (g : β → γ) (f : α → β) (l : List α) :
+  map g (map f l) = map (g ∘ f) l := by induction l <;> simp_all
+
+/-! ### bind -/
+
+@[simp] theorem nil_bind (f : α → List β) : List.bind [] f = [] := by simp [join, List.bind]
+
+@[simp] theorem cons_bind x xs (f : α → List β) :
+  List.bind (x :: xs) f = f x ++ List.bind xs f := by simp [join, List.bind]
+
+@[simp] theorem append_bind xs ys (f : α → List β) :
+  List.bind (xs ++ ys) f = List.bind xs f ++ List.bind ys f := by
+  induction xs; {rfl}; simp_all [cons_bind, append_assoc]
+
+@[simp] theorem bind_id (l : List (List α)) : List.bind l id = l.join := by simp [List.bind]
+
+/-! ### join -/
+
+@[simp] theorem join_nil : List.join ([] : List (List α)) = [] := rfl
+
+@[simp] theorem join_cons : (l :: ls).join = l ++ ls.join := rfl
+
+/-! ### bounded quantifiers over Lists -/
+
+theorem forall_mem_cons {p : α → Prop} {a : α} {l : List α} :
+    (∀ x, x ∈ a :: l → p x) ↔ p a ∧ ∀ x, x ∈ l → p x :=
+  ⟨fun H => ⟨H _ (.head ..), fun _ h => H _ (.tail _ h)⟩,
+   fun ⟨H₁, H₂⟩ _ => fun | .head .. => H₁ | .tail _ h => H₂ _ h⟩
+
+/-! ### reverse -/
+
+@[simp] theorem reverseAux_nil : reverseAux [] r = r := rfl
+@[simp] theorem reverseAux_cons : reverseAux (a::l) r = reverseAux l (a::r) := rfl
+
+theorem reverseAux_eq (as bs : List α) : reverseAux as bs = reverse as ++ bs :=
+  reverseAux_eq_append ..
+
+theorem reverse_map (f : α → β) (l : List α) : (l.map f).reverse = l.reverse.map f := by
+  induction l <;> simp [*]
+
+@[simp] theorem reverse_eq_nil_iff {xs : List α} : xs.reverse = [] ↔ xs = [] := by
+  match xs with
+  | [] => simp
+  | x :: xs => simp
+
+/-! ### nth element -/
+
+theorem get_of_mem : ∀ {a} {l : List α}, a ∈ l → ∃ n, get l n = a
+  | _, _ :: _, .head .. => ⟨⟨0, Nat.succ_pos _⟩, rfl⟩
+  | _, _ :: _, .tail _ m => let ⟨⟨n, h⟩, e⟩ := get_of_mem m; ⟨⟨n+1, Nat.succ_lt_succ h⟩, e⟩
+
+theorem get_mem : ∀ (l : List α) n h, get l ⟨n, h⟩ ∈ l
+  | _ :: _, 0, _ => .head ..
+  | _ :: l, _+1, _ => .tail _ (get_mem l ..)
+
+theorem mem_iff_get {a} {l : List α} : a ∈ l ↔ ∃ n, get l n = a :=
+  ⟨get_of_mem, fun ⟨_, e⟩ => e ▸ get_mem ..⟩
+
+theorem get?_len_le : ∀ {l : List α} {n}, length l ≤ n → l.get? n = none
+  | [], _, _ => rfl
+  | _ :: l, _+1, h => get?_len_le (l := l) <| Nat.le_of_succ_le_succ h
+
+theorem get?_eq_get : ∀ {l : List α} {n} (h : n < l.length), l.get? n = some (get l ⟨n, h⟩)
+  | _ :: _, 0, _ => rfl
+  | _ :: l, _+1, _ => get?_eq_get (l := l) _
+
+theorem get?_eq_some : l.get? n = some a ↔ ∃ h, get l ⟨n, h⟩ = a :=
+  ⟨fun e =>
+    have : n < length l := Nat.gt_of_not_le fun hn => by cases get?_len_le hn ▸ e
+    ⟨this, by rwa [get?_eq_get this, Option.some.injEq] at e⟩,
+  fun ⟨h, e⟩ => e ▸ get?_eq_get _⟩
+
+@[simp] theorem get?_eq_none : l.get? n = none ↔ length l ≤ n :=
+  ⟨fun e => Nat.ge_of_not_lt (fun h' => by cases e ▸ get?_eq_some.2 ⟨h', rfl⟩), get?_len_le⟩
+
+@[simp] theorem get?_map (f : α → β) : ∀ l n, (map f l).get? n = (l.get? n).map f
+  | [], _ => rfl
+  | _ :: _, 0 => rfl
+  | _ :: l, n+1 => get?_map f l n
+
+@[simp] theorem get?_concat_length : ∀ (l : List α) (a : α), (l ++ [a]).get? l.length = some a
+  | [], a => rfl
+  | b :: l, a => by rw [cons_append, length_cons]; simp only [get?, get?_concat_length]
+
+theorem getLast_eq_get : ∀ (l : List α) (h : l ≠ []),
+    getLast l h = l.get ⟨l.length - 1, by
+      match l with
+      | [] => contradiction
+      | a :: l => exact Nat.le_refl _⟩
+  | [a], h => rfl
+  | a :: b :: l, h => by
+    simp [getLast, get, Nat.succ_sub_succ, getLast_eq_get]
+
+@[simp] theorem getLast?_nil : @getLast? α [] = none := rfl
+
+theorem getLast?_eq_getLast : ∀ l h, @getLast? α l = some (getLast l h)
+  | [], h => nomatch h rfl
+  | _::_, _ => rfl
+
+theorem getLast?_eq_get? : ∀ (l : List α), getLast? l = l.get? (l.length - 1)
+  | [] => rfl
+  | a::l => by rw [getLast?_eq_getLast (a::l) nofun, getLast_eq_get, get?_eq_get]
+
+@[simp] theorem getLast?_concat (l : List α) : getLast? (l ++ [a]) = some a := by
+  simp [getLast?_eq_get?, Nat.succ_sub_succ]
+
+/-! ### take and drop -/
+
+@[simp] theorem take_append_drop : ∀ (n : Nat) (l : List α), take n l ++ drop n l = l
+  | 0, _ => rfl
+  | _+1, [] => rfl
+  | n+1, x :: xs => congrArg (cons x) <| take_append_drop n xs
+
+@[simp] theorem length_drop : ∀ (i : Nat) (l : List α), length (drop i l) = length l - i
+  | 0, _ => rfl
+  | succ i, [] => Eq.symm (Nat.zero_sub (succ i))
+  | succ i, x :: l => calc
+    length (drop (succ i) (x :: l)) = length l - i := length_drop i l
+    _ = succ (length l) - succ i := (Nat.succ_sub_succ_eq_sub (length l) i).symm
+
+theorem drop_length_le {l : List α} (h : l.length ≤ i) : drop i l = [] :=
+  length_eq_zero.1 (length_drop .. ▸ Nat.sub_eq_zero_of_le h)
+
+theorem take_length_le {l : List α} (h : l.length ≤ i) : take i l = l := by
+  have := take_append_drop i l
+  rw [drop_length_le h, append_nil] at this; exact this
+
+@[simp] theorem take_zero (l : List α) : l.take 0 = [] := rfl
+
+@[simp] theorem take_nil : ([] : List α).take i = [] := by cases i <;> rfl
+
+@[simp] theorem take_cons_succ : (a::as).take (i+1) = a :: as.take i := rfl
+
+@[simp] theorem drop_zero (l : List α) : l.drop 0 = l := rfl
+
+@[simp] theorem drop_succ_cons : (a :: l).drop (n + 1) = l.drop n := rfl
+
+@[simp] theorem drop_length (l : List α) : drop l.length l = [] := drop_length_le (Nat.le_refl _)
+
+@[simp] theorem take_length (l : List α) : take l.length l = l := take_length_le (Nat.le_refl _)
+
+theorem take_concat_get (l : List α) (i : Nat) (h : i < l.length) :
+    (l.take i).concat l[i] = l.take (i+1) :=
+  Eq.symm <| (append_left_inj _).1 <| (take_append_drop (i+1) l).trans <| by
+    rw [concat_eq_append, append_assoc, singleton_append, get_drop_eq_drop, take_append_drop]
+
+theorem reverse_concat (l : List α) (a : α) : (l.concat a).reverse = a :: l.reverse := by
+  rw [concat_eq_append, reverse_append]; rfl
+
+/-! ### takeWhile and dropWhile -/
+
+@[simp] theorem dropWhile_nil : ([] : List α).dropWhile p = [] := rfl
+
+theorem dropWhile_cons :
+    (x :: xs : List α).dropWhile p = if p x then xs.dropWhile p else x :: xs := by
+  split <;> simp_all [dropWhile]
+
+/-! ### foldlM and foldrM -/
+
+@[simp] theorem foldlM_reverse [Monad m] (l : List α) (f : β → α → m β) (b) :
+    l.reverse.foldlM f b = l.foldrM (fun x y => f y x) b := rfl
+
+@[simp] theorem foldlM_nil [Monad m] (f : β → α → m β) (b) : [].foldlM f b = pure b := rfl
+
+@[simp] theorem foldlM_cons [Monad m] (f : β → α → m β) (b) (a) (l : List α) :
+    (a :: l).foldlM f b = f b a >>= l.foldlM f := by
+  simp [List.foldlM]
+
+@[simp] theorem foldlM_append [Monad m] [LawfulMonad m] (f : β → α → m β) (b) (l l' : List α) :
+    (l ++ l').foldlM f b = l.foldlM f b >>= l'.foldlM f := by
+  induction l generalizing b <;> simp [*]
+
+@[simp] theorem foldrM_nil [Monad m] (f : α → β → m β) (b) : [].foldrM f b = pure b := rfl
+
+@[simp] theorem foldrM_cons [Monad m] [LawfulMonad m] (a : α) (l) (f : α → β → m β) (b) :
+    (a :: l).foldrM f b = l.foldrM f b >>= f a := by
+  simp only [foldrM]
+  induction l <;> simp_all
+
+@[simp] theorem foldrM_reverse [Monad m] (l : List α) (f : α → β → m β) (b) :
+    l.reverse.foldrM f b = l.foldlM (fun x y => f y x) b :=
+  (foldlM_reverse ..).symm.trans <| by simp
+
+theorem foldl_eq_foldlM (f : β → α → β) (b) (l : List α) :
+    l.foldl f b = l.foldlM (m := Id) f b := by
+  induction l generalizing b <;> simp [*, foldl]
+
+theorem foldr_eq_foldrM (f : α → β → β) (b) (l : List α) :
+    l.foldr f b = l.foldrM (m := Id) f b := by
+  induction l <;> simp [*, foldr]
+
+/-! ### foldl and foldr -/
+
+@[simp] theorem foldl_reverse (l : List α) (f : β → α → β) (b) :
+    l.reverse.foldl f b = l.foldr (fun x y => f y x) b := by simp [foldl_eq_foldlM, foldr_eq_foldrM]
+
+@[simp] theorem foldr_reverse (l : List α) (f : α → β → β) (b) :
+    l.reverse.foldr f b = l.foldl (fun x y => f y x) b :=
+  (foldl_reverse ..).symm.trans <| by simp
+
+@[simp] theorem foldrM_append [Monad m] [LawfulMonad m] (f : α → β → m β) (b) (l l' : List α) :
+    (l ++ l').foldrM f b = l'.foldrM f b >>= l.foldrM f := by
+  induction l <;> simp [*]
+
+@[simp] theorem foldl_append {β : Type _} (f : β → α → β) (b) (l l' : List α) :
+    (l ++ l').foldl f b = l'.foldl f (l.foldl f b) := by simp [foldl_eq_foldlM]
+
+@[simp] theorem foldr_append (f : α → β → β) (b) (l l' : List α) :
+    (l ++ l').foldr f b = l.foldr f (l'.foldr f b) := by simp [foldr_eq_foldrM]
+
+@[simp] theorem foldl_nil : [].foldl f b = b := rfl
+
+@[simp] theorem foldl_cons (l : List α) (b : β) : (a :: l).foldl f b = l.foldl f (f b a) := rfl
+
+@[simp] theorem foldr_nil : [].foldr f b = b := rfl
+
+@[simp] theorem foldr_cons (l : List α) : (a :: l).foldr f b = f a (l.foldr f b) := rfl
+
+@[simp] theorem foldr_self_append (l : List α) : l.foldr cons l' = l ++ l' := by
+  induction l <;> simp [*]
+
+theorem foldr_self (l : List α) : l.foldr cons [] = l := by simp
+
+/-! ### mapM -/
+
+/-- Alternate (non-tail-recursive) form of mapM for proofs. -/
+def mapM' [Monad m] (f : α → m β) : List α → m (List β)
+  | [] => pure []
+  | a :: l => return (← f a) :: (← l.mapM' f)
+
+@[simp] theorem mapM'_nil [Monad m] {f : α → m β} : mapM' f [] = pure [] := rfl
+@[simp] theorem mapM'_cons [Monad m] {f : α → m β} :
+    mapM' f (a :: l) = return ((← f a) :: (← l.mapM' f)) :=
+  rfl
+
+theorem mapM'_eq_mapM [Monad m] [LawfulMonad m] (f : α → m β) (l : List α) :
+    mapM' f l = mapM f l := by simp [go, mapM] where
+  go : ∀ l acc, mapM.loop f l acc = return acc.reverse ++ (← mapM' f l)
+    | [], acc => by simp [mapM.loop, mapM']
+    | a::l, acc => by simp [go l, mapM.loop, mapM']
+
+@[simp] theorem mapM_nil [Monad m] (f : α → m β) : [].mapM f = pure [] := rfl
+
+@[simp] theorem mapM_cons [Monad m] [LawfulMonad m] (f : α → m β) :
+    (a :: l).mapM f = (return (← f a) :: (← l.mapM f)) := by simp [← mapM'_eq_mapM, mapM']
+
+@[simp] theorem mapM_append [Monad m] [LawfulMonad m] (f : α → m β) {l₁ l₂ : List α} :
+    (l₁ ++ l₂).mapM f = (return (← l₁.mapM f) ++ (← l₂.mapM f)) := by induction l₁ <;> simp [*]
+
+/-! ### forM -/
+
+-- We use `List.forM` as the simp normal form, rather that `ForM.forM`.
+-- As such we need to replace `List.forM_nil` and `List.forM_cons` from Lean:
+
+@[simp] theorem forM_nil' [Monad m] : ([] : List α).forM f = (pure .unit : m PUnit) := rfl
+
+@[simp] theorem forM_cons' [Monad m] :
+    (a::as).forM f = (f a >>= fun _ => as.forM f : m PUnit) :=
+  List.forM_cons _ _ _
+
+/-! ### eraseIdx -/
+
+@[simp] theorem eraseIdx_nil : ([] : List α).eraseIdx i = [] := rfl
+@[simp] theorem eraseIdx_cons_zero : (a::as).eraseIdx 0 = as := rfl
+@[simp] theorem eraseIdx_cons_succ : (a::as).eraseIdx (i+1) = a :: as.eraseIdx i := rfl
+
+/-! ### find? -/
+
+@[simp] theorem find?_nil : ([] : List α).find? p = none := rfl
+theorem find?_cons : (a::as).find? p = match p a with | true => some a | false => as.find? p :=
+  rfl
+
+/-! ### filter -/
+
+@[simp] theorem filter_nil (p : α → Bool) : filter p [] = [] := rfl
+
+@[simp] theorem filter_cons_of_pos {p : α → Bool} {a : α} (l) (pa : p a) :
+    filter p (a :: l) = a :: filter p l := by rw [filter, pa]
+
+@[simp] theorem filter_cons_of_neg {p : α → Bool} {a : α} (l) (pa : ¬ p a) :
+    filter p (a :: l) = filter p l := by rw [filter, eq_false_of_ne_true pa]
+
+theorem filter_cons :
+    (x :: xs : List α).filter p = if p x then x :: (xs.filter p) else xs.filter p := by
+  split <;> simp [*]
+
+theorem mem_filter : x ∈ filter p as ↔ x ∈ as ∧ p x := by
+  induction as with
+  | nil => simp [filter]
+  | cons a as ih =>
+    by_cases h : p a <;> simp [*, or_and_right]
+    · exact or_congr_left (and_iff_left_of_imp fun | rfl => h).symm
+    · exact (or_iff_right fun ⟨rfl, h'⟩ => h h').symm
+
+theorem filter_eq_nil {l} : filter p l = [] ↔ ∀ a, a ∈ l → ¬p a := by
+  simp only [eq_nil_iff_forall_not_mem, mem_filter, not_and]
+
+/-! ### findSome? -/
+
+@[simp] theorem findSome?_nil : ([] : List α).findSome? f = none := rfl
+theorem findSome?_cons {f : α → Option β} :
+    (a::as).findSome? f = match f a with | some b => some b | none => as.findSome? f :=
+  rfl
+
+/-! ### replace -/
+
+@[simp] theorem replace_nil [BEq α] : ([] : List α).replace a b = [] := rfl
+theorem replace_cons [BEq α] {a : α} :
+    (a::as).replace b c = match a == b with | true => c::as | false => a :: replace as b c :=
+  rfl
+@[simp] theorem replace_cons_self [BEq α] [LawfulBEq α] {a : α} : (a::as).replace a b = b::as := by
+  simp [replace_cons]
+
+/-! ### elem -/
+
+@[simp] theorem elem_nil [BEq α] : ([] : List α).elem a = false := rfl
+theorem elem_cons [BEq α] {a : α} :
+    (a::as).elem b = match b == a with | true => true | false => as.elem b :=
+  rfl
+@[simp] theorem elem_cons_self [BEq α] [LawfulBEq α] {a : α} : (a::as).elem a = true := by
+  simp [elem_cons]
+
+/-! ### lookup -/
+
+@[simp] theorem lookup_nil [BEq α] : ([] : List (α × β)).lookup a = none := rfl
+theorem lookup_cons [BEq α] {k : α} :
+    ((k,b)::es).lookup a = match a == k with | true => some b | false => es.lookup a :=
+  rfl
+@[simp] theorem lookup_cons_self [BEq α] [LawfulBEq α] {k : α} : ((k,b)::es).lookup k = some b := by
+  simp [lookup_cons]
+
+/-! ### zipWith -/
+
+@[simp] theorem zipWith_nil_left {f : α → β → γ} : zipWith f [] l = [] := by
+  rfl
+
+@[simp] theorem zipWith_nil_right {f : α → β → γ} : zipWith f l [] = [] := by
+  simp [zipWith]
+
+@[simp] theorem zipWith_cons_cons {f : α → β → γ} :
+    zipWith f (a :: as) (b :: bs) = f a b :: zipWith f as bs := by
+  rfl
+
+theorem zipWith_get? {f : α → β → γ} :
+    (List.zipWith f as bs).get? i = match as.get? i, bs.get? i with
+      | some a, some b => some (f a b) | _, _ => none := by
+  induction as generalizing bs i with
+  | nil => cases bs with
+    | nil => simp
+    | cons b bs => simp
+  | cons a as aih => cases bs with
+    | nil => simp
+    | cons b bs => cases i <;> simp_all
+
+/-! ### zipWithAll -/
+
+theorem zipWithAll_get? {f : Option α → Option β → γ} :
+    (zipWithAll f as bs).get? i = match as.get? i, bs.get? i with
+      | none, none => .none | a?, b? => some (f a? b?) := by
+  induction as generalizing bs i with
+  | nil => induction bs generalizing i with
+    | nil => simp
+    | cons b bs bih => cases i <;> simp_all
+  | cons a as aih => cases bs with
+    | nil =>
+      specialize @aih []
+      cases i <;> simp_all
+    | cons b bs => cases i <;> simp_all
+
+/-! ### zip -/
+
+@[simp] theorem zip_nil_left : zip ([] : List α) (l : List β)  = [] := by
+  rfl
+
+@[simp] theorem zip_nil_right : zip (l : List α) ([] : List β)  = [] := by
+  simp [zip]
+
+@[simp] theorem zip_cons_cons : zip (a :: as) (b :: bs) = (a, b) :: zip as bs := by
+  rfl
+
+/-! ### unzip -/
+
+@[simp] theorem unzip_nil : ([] : List (α × β)).unzip = ([], []) := rfl
+@[simp] theorem unzip_cons {h : α × β} :
+    (h :: t).unzip = match unzip t with | (al, bl) => (h.1::al, h.2::bl) := rfl
+
+/-! ### all / any -/
+
+@[simp] theorem all_eq_true {l : List α} : l.all p ↔ ∀ x, x ∈ l →  p x := by induction l <;> simp [*]
+
+@[simp] theorem any_eq_true {l : List α} : l.any p ↔ ∃ x, x ∈ l ∧ p x := by induction l <;> simp [*]
+
+/-! ### enumFrom -/
+
+@[simp] theorem enumFrom_nil : ([] : List α).enumFrom i = [] := rfl
+@[simp] theorem enumFrom_cons : (a::as).enumFrom i = (i, a) :: as.enumFrom (i+1) := rfl
+
+/-! ### iota -/
+
+@[simp] theorem iota_zero : iota 0 = [] := rfl
+@[simp] theorem iota_succ : iota (i+1) = (i+1) :: iota i := rfl
+
+/-! ### intersperse -/
+
+@[simp] theorem intersperse_nil (sep : α) : ([] : List α).intersperse sep = [] := rfl
+@[simp] theorem intersperse_single (sep : α) : [x].intersperse sep = [x] := rfl
+@[simp] theorem intersperse_cons₂ (sep : α) :
+    (x::y::zs).intersperse sep = x::sep::((y::zs).intersperse sep) := rfl
+
+/-! ### isPrefixOf -/
+
+@[simp] theorem isPrefixOf_nil_left [BEq α] : isPrefixOf ([] : List α) l = true := by
+  simp [isPrefixOf]
+@[simp] theorem isPrefixOf_cons_nil [BEq α] : isPrefixOf (a::as) ([] : List α) = false := rfl
+theorem isPrefixOf_cons₂ [BEq α] {a : α} :
+    isPrefixOf (a::as) (b::bs) = (a == b && isPrefixOf as bs) := rfl
+@[simp] theorem isPrefixOf_cons₂_self [BEq α] [LawfulBEq α] {a : α} :
+    isPrefixOf (a::as) (a::bs) = isPrefixOf as bs := by simp [isPrefixOf_cons₂]
+
+/-! ### isEqv -/
+
+@[simp] theorem isEqv_nil_nil : isEqv ([] : List α) [] eqv = true := rfl
+@[simp] theorem isEqv_nil_cons : isEqv ([] : List α) (a::as) eqv = false := rfl
+@[simp] theorem isEqv_cons_nil : isEqv (a::as : List α) [] eqv = false := rfl
+theorem isEqv_cons₂ : isEqv (a::as) (b::bs) eqv = (eqv a b && isEqv as bs eqv) := rfl
+
+/-! ### dropLast -/
+
+@[simp] theorem dropLast_nil : ([] : List α).dropLast = [] := rfl
+@[simp] theorem dropLast_single : [x].dropLast = [] := rfl
+@[simp] theorem dropLast_cons₂ :
+    (x::y::zs).dropLast = x :: (y::zs).dropLast := rfl
+
+-- We may want to replace these `simp` attributes with explicit equational lemmas,
+-- as we already have for all the non-monadic functions.
+attribute [simp] mapA forA filterAuxM firstM anyM allM findM? findSomeM?
+
+-- Previously `range.loop`, `mapM.loop`, `filterMapM.loop`, `forIn.loop`, `forIn'.loop`
+-- had attribute `@[simp]`.
+-- We don't currently provide simp lemmas,
+-- as this is an internal implementation and they don't seem to be needed.
+
+/-! ### minimum? -/
+
+@[simp] theorem minimum?_nil [Min α] : ([] : List α).minimum? = none := rfl
+
+-- We don't put `@[simp]` on `minimum?_cons`,
+-- because the definition in terms of `foldl` is not useful for proofs.
+theorem minimum?_cons [Min α] {xs : List α} : (x :: xs).minimum? = foldl min x xs := rfl
+
+@[simp] theorem minimum?_eq_none_iff {xs : List α} [Min α] : xs.minimum? = none ↔ xs = [] := by
+  cases xs <;> simp [minimum?]
+
+theorem minimum?_mem [Min α] (min_eq_or : ∀ a b : α, min a b = a ∨ min a b = b) :
+    {xs : List α} → xs.minimum? = some a → a ∈ xs := by
+  intro xs
+  match xs with
+  | nil => simp
+  | x :: xs =>
+    simp only [minimum?_cons, Option.some.injEq, List.mem_cons]
+    intro eq
+    induction xs generalizing x with
+    | nil =>
+      simp at eq
+      simp [eq]
+    | cons y xs ind =>
+      simp at eq
+      have p := ind _ eq
+      cases p with
+      | inl p =>
+        cases min_eq_or x y with | _ q => simp [p, q]
+      | inr p => simp [p, mem_cons]
+
+theorem le_minimum?_iff [Min α] [LE α]
+    (le_min_iff : ∀ a b c : α, a ≤ min b c ↔ a ≤ b ∧ a ≤ c) :
+    {xs : List α} → xs.minimum? = some a → ∀ x, x ≤ a ↔ ∀ b, b ∈ xs → x ≤ b
+  | nil => by simp
+  | cons x xs => by
+    rw [minimum?]
+    intro eq y
+    simp only [Option.some.injEq] at eq
+    induction xs generalizing x with
+    | nil =>
+      simp at eq
+      simp [eq]
+    | cons z xs ih =>
+      simp at eq
+      simp [ih _ eq, le_min_iff, and_assoc]
+
+-- This could be refactored by designing appropriate typeclasses to replace `le_refl`, `min_eq_or`,
+-- and `le_min_iff`.
+theorem minimum?_eq_some_iff [Min α] [LE α] [anti : Antisymm ((· : α) ≤ ·)]
+    (le_refl : ∀ a : α, a ≤ a)
+    (min_eq_or : ∀ a b : α, min a b = a ∨ min a b = b)
+    (le_min_iff : ∀ a b c : α, a ≤ min b c ↔ a ≤ b ∧ a ≤ c) {xs : List α} :
+    xs.minimum? = some a ↔ a ∈ xs ∧ ∀ b, b ∈ xs → a ≤ b := by
+  refine ⟨fun h => ⟨minimum?_mem min_eq_or h, (le_minimum?_iff le_min_iff h _).1 (le_refl _)⟩, ?_⟩
+  intro ⟨h₁, h₂⟩
+  cases xs with
+  | nil => simp at h₁
+  | cons x xs =>
+    exact congrArg some <| anti.1
+      ((le_minimum?_iff le_min_iff (xs := x::xs) rfl _).1 (le_refl _) _ h₁)
+      (h₂ _ (minimum?_mem min_eq_or (xs := x::xs) rfl))

src/Init/Data/Nat.lean

@@ -6,10 +6,13 @@ Authors: Leonardo de Moura
 prelude
 import Init.Data.Nat.Basic
 import Init.Data.Nat.Div
+import Init.Data.Nat.Dvd
 import Init.Data.Nat.Gcd
+import Init.Data.Nat.MinMax
 import Init.Data.Nat.Bitwise
 import Init.Data.Nat.Control
 import Init.Data.Nat.Log2
 import Init.Data.Nat.Power2
 import Init.Data.Nat.Linear
 import Init.Data.Nat.SOM
+import Init.Data.Nat.Lemmas

src/Init/Data/Nat/Basic.lean

@@ -147,13 +147,20 @@ protected theorem add_right_comm (n m k : Nat) : (n + m) + k = (n + k) + m := by
 
 protected theorem add_left_cancel {n m k : Nat} : n + m = n + k → m = k := by
   induction n with
-  | zero => simp; intros; assumption
+  | zero => simp
   | succ n ih => simp [succ_add]; intro h; apply ih h
 
 protected theorem add_right_cancel {n m k : Nat} (h : n + m = k + m) : n = k := by
   rw [Nat.add_comm n m, Nat.add_comm k m] at h
   apply Nat.add_left_cancel h
 
+theorem eq_zero_of_add_eq_zero : ∀ {n m}, n + m = 0 → n = 0 ∧ m = 0
+  | 0, 0, _ => ⟨rfl, rfl⟩
+  | _+1, 0, h => Nat.noConfusion h
+
+protected theorem eq_zero_of_add_eq_zero_left (h : n + m = 0) : m = 0 :=
+  (Nat.eq_zero_of_add_eq_zero h).2
+
 /-! # Nat.mul theorems -/
 
 @[simp] protected theorem mul_zero (n : Nat) : n * 0 = 0 :=
@@ -206,16 +213,13 @@ protected theorem mul_left_comm (n m k : Nat) : n * (m * k) = m * (n * k) := by
 
 attribute [simp] Nat.le_refl
 
-theorem succ_lt_succ {n m : Nat} : n < m → succ n < succ m :=
-  succ_le_succ
+theorem succ_lt_succ {n m : Nat} : n < m → succ n < succ m := succ_le_succ
 
-theorem lt_succ_of_le {n m : Nat} : n ≤ m → n < succ m :=
-  succ_le_succ
+theorem lt_succ_of_le {n m : Nat} : n ≤ m → n < succ m := succ_le_succ
 
-@[simp] protected theorem sub_zero (n : Nat) : n - 0 = n :=
-  rfl
+@[simp] protected theorem sub_zero (n : Nat) : n - 0 = n := rfl
 
-theorem succ_sub_succ_eq_sub (n m : Nat) : succ n - succ m = n - m := by
+@[simp] theorem succ_sub_succ_eq_sub (n m : Nat) : succ n - succ m = n - m := by
   induction m with
   | zero      => exact rfl
   | succ m ih => apply congrArg pred ih
@@ -241,8 +245,7 @@ theorem sub_lt : ∀ {n m : Nat}, 0 < n → 0 < m → n - m < n
       show n - m < succ n from
       lt_succ_of_le (sub_le n m)
 
-theorem sub_succ (n m : Nat) : n - succ m = pred (n - m) :=
-  rfl
+theorem sub_succ (n m : Nat) : n - succ m = pred (n - m) := rfl
 
 theorem succ_sub_succ (n m : Nat) : succ n - succ m = n - m :=
   succ_sub_succ_eq_sub n m
@@ -277,20 +280,24 @@ instance : Trans (. ≤ . : Nat → Nat → Prop) (. < . : Nat → Nat → Prop)
 protected theorem le_of_eq {n m : Nat} (p : n = m) : n ≤ m :=
   p ▸ Nat.le_refl n
 
-theorem le_of_succ_le {n m : Nat} (h : succ n ≤ m) : n ≤ m :=
-  Nat.le_trans (le_succ n) h
-
-protected theorem le_of_lt {n m : Nat} (h : n < m) : n ≤ m :=
-  le_of_succ_le h
-
 theorem lt.step {n m : Nat} : n < m → n < succ m := le_step
 
+theorem le_of_succ_le {n m : Nat} (h : succ n ≤ m) : n ≤ m := Nat.le_trans (le_succ n) h
+theorem lt_of_succ_lt      {n m : Nat} : succ n < m → n < m := le_of_succ_le
+protected theorem le_of_lt {n m : Nat} : n < m → n ≤ m := le_of_succ_le
+
+theorem lt_of_succ_lt_succ {n m : Nat} : succ n < succ m → n < m := le_of_succ_le_succ
+
+theorem lt_of_succ_le {n m : Nat} (h : succ n ≤ m) : n < m := h
+theorem succ_le_of_lt {n m : Nat} (h : n < m) : succ n ≤ m := h
+
 theorem eq_zero_or_pos : ∀ (n : Nat), n = 0 ∨ n > 0
   | 0   => Or.inl rfl
   | _+1 => Or.inr (succ_pos _)
 
-theorem lt.base (n : Nat) : n < succ n := Nat.le_refl (succ n)
+protected theorem pos_of_ne_zero {n : Nat} : n ≠ 0 → 0 < n := (eq_zero_or_pos n).resolve_left
 
+theorem lt.base (n : Nat) : n < succ n := Nat.le_refl (succ n)
 theorem lt_succ_self (n : Nat) : n < succ n := lt.base n
 
 protected theorem le_total (m n : Nat) : m ≤ n ∨ n ≤ m :=
@@ -298,20 +305,7 @@ protected theorem le_total (m n : Nat) : m ≤ n ∨ n ≤ m :=
   | Or.inl h => Or.inl (Nat.le_of_lt h)
   | Or.inr h => Or.inr h
 
-theorem eq_zero_of_le_zero {n : Nat} (h : n ≤ 0) : n = 0 :=
-  Nat.le_antisymm h (zero_le _)
-
-theorem lt_of_succ_lt {n m : Nat} : succ n < m → n < m :=
-  le_of_succ_le
-
-theorem lt_of_succ_lt_succ {n m : Nat} : succ n < succ m → n < m :=
-  le_of_succ_le_succ
-
-theorem lt_of_succ_le {n m : Nat} (h : succ n ≤ m) : n < m :=
-  h
-
-theorem succ_le_of_lt {n m : Nat} (h : n < m) : succ n ≤ m :=
-  h
+theorem eq_zero_of_le_zero {n : Nat} (h : n ≤ 0) : n = 0 := Nat.le_antisymm h (zero_le _)
 
 theorem zero_lt_of_lt : {a b : Nat} → a < b → 0 < b
   | 0,   _, h => h
@@ -326,8 +320,7 @@ theorem zero_lt_of_ne_zero {a : Nat} (h : a ≠ 0) : 0 < a := by
 
 attribute [simp] Nat.lt_irrefl
 
-theorem ne_of_lt {a b : Nat} (h : a < b) : a ≠ b :=
-  fun he => absurd (he ▸ h) (Nat.lt_irrefl a)
+theorem ne_of_lt {a b : Nat} (h : a < b) : a ≠ b := fun he => absurd (he ▸ h) (Nat.lt_irrefl a)
 
 theorem le_or_eq_of_le_succ {m n : Nat} (h : m ≤ succ n) : m ≤ n ∨ m = succ n :=
   Decidable.byCases
@@ -363,16 +356,51 @@ protected theorem not_le_of_gt {n m : Nat} (h : n > m) : ¬ n ≤ m := fun h₁
   | Or.inr h₂ =>
     have Heq : n = m := Nat.le_antisymm h₁ h₂
     absurd (@Eq.subst _ _ _ _ Heq h) (Nat.lt_irrefl m)
+protected theorem not_le_of_lt : ∀{a b : Nat}, a < b → ¬(b ≤ a) := Nat.not_le_of_gt
+protected theorem not_lt_of_ge : ∀{a b : Nat}, b ≥ a → ¬(b < a) := flip Nat.not_le_of_gt
+protected theorem not_lt_of_le : ∀{a b : Nat}, a ≤ b → ¬(b < a) := flip Nat.not_le_of_gt
+protected theorem lt_le_asymm : ∀{a b : Nat}, a < b → ¬(b ≤ a) := Nat.not_le_of_gt
+protected theorem le_lt_asymm : ∀{a b : Nat}, a ≤ b → ¬(b < a) := flip Nat.not_le_of_gt
 
-theorem gt_of_not_le {n m : Nat} (h : ¬ n ≤ m) : n > m :=
-  match Nat.lt_or_ge m n with
-  | Or.inl h₁ => h₁
-  | Or.inr h₁ => absurd h₁ h
+theorem gt_of_not_le {n m : Nat} (h : ¬ n ≤ m) : n > m := (Nat.lt_or_ge m n).resolve_right h
+protected theorem lt_of_not_ge : ∀{a b : Nat}, ¬(b ≥ a) → b < a := Nat.gt_of_not_le
+protected theorem lt_of_not_le : ∀{a b : Nat}, ¬(a ≤ b) → b < a := Nat.gt_of_not_le
 
-theorem ge_of_not_lt {n m : Nat} (h : ¬ n < m) : n ≥ m :=
-  match Nat.lt_or_ge n m with
-  | Or.inl h₁ => absurd h₁ h
-  | Or.inr h₁ => h₁
+theorem ge_of_not_lt {n m : Nat} (h : ¬ n < m) : n ≥ m := (Nat.lt_or_ge n m).resolve_left h
+protected theorem le_of_not_gt : ∀{a b : Nat}, ¬(b > a) → b ≤ a := Nat.ge_of_not_lt
+protected theorem le_of_not_lt : ∀{a b : Nat}, ¬(a < b) → b ≤ a := Nat.ge_of_not_lt
+
+theorem ne_of_gt {a b : Nat} (h : b < a) : a ≠ b := (ne_of_lt h).symm
+protected theorem ne_of_lt' : ∀{a b : Nat}, a < b → b ≠ a := ne_of_gt
+
+@[simp] protected theorem not_le {a b : Nat} : ¬ a ≤ b ↔ b < a :=
+  Iff.intro Nat.gt_of_not_le Nat.not_le_of_gt
+@[simp] protected theorem not_lt {a b : Nat} : ¬ a < b ↔ b ≤ a :=
+  Iff.intro Nat.ge_of_not_lt (flip Nat.not_le_of_gt)
+
+protected theorem le_of_not_le {a b : Nat} (h : ¬ b ≤ a) : a ≤ b := Nat.le_of_lt (Nat.not_le.1 h)
+protected theorem le_of_not_ge : ∀{a b : Nat}, ¬(a ≥ b) → a ≤ b:= @Nat.le_of_not_le
+
+protected theorem lt_trichotomy (a b : Nat) : a < b ∨ a = b ∨ b < a :=
+  match Nat.lt_or_ge a b with
+  | .inl h => .inl h
+  | .inr h =>
+    match Nat.eq_or_lt_of_le h with
+    | .inl h => .inr (.inl h.symm)
+    | .inr h => .inr (.inr h)
+
+protected theorem lt_or_gt_of_ne {a b : Nat} (ne : a ≠ b) : a < b ∨ a > b :=
+  match Nat.lt_trichotomy a b with
+  | .inl h => .inl h
+  | .inr (.inl e) => False.elim (ne e)
+  | .inr (.inr h) => .inr h
+
+protected theorem lt_or_lt_of_ne : ∀{a b : Nat}, a ≠ b → a < b ∨ b < a := Nat.lt_or_gt_of_ne
+
+protected theorem le_antisymm_iff {a b : Nat} : a = b ↔ a ≤ b ∧ b ≤ a :=
+  Iff.intro (fun p => And.intro (Nat.le_of_eq p) (Nat.le_of_eq p.symm))
+            (fun ⟨hle, hge⟩ => Nat.le_antisymm hle hge)
+protected theorem eq_iff_le_and_ge : ∀{a b : Nat}, a = b ↔ a ≤ b ∧ b ≤ a := @Nat.le_antisymm_iff
 
 instance : Antisymm ( . ≤ . : Nat → Nat → Prop) where
   antisymm h₁ h₂ := Nat.le_antisymm h₁ h₂
@@ -401,6 +429,8 @@ protected theorem add_lt_add_right {n m : Nat} (h : n < m) (k : Nat) : n + k < m
 protected theorem zero_lt_one : 0 < (1:Nat) :=
   zero_lt_succ 0
 
+protected theorem pos_iff_ne_zero : 0 < n ↔ n ≠ 0 := ⟨ne_of_gt, Nat.pos_of_ne_zero⟩
+
 theorem add_le_add {a b c d : Nat} (h₁ : a ≤ b) (h₂ : c ≤ d) : a + c ≤ b + d :=
   Nat.le_trans (Nat.add_le_add_right h₁ c) (Nat.add_le_add_left h₂ b)
 
@@ -418,6 +448,9 @@ protected theorem le_of_add_le_add_right {a b c : Nat} : a + b ≤ c + b → a
   rw [Nat.add_comm _ b, Nat.add_comm _ b]
   apply Nat.le_of_add_le_add_left
 
+protected theorem add_le_add_iff_right {n : Nat} : m + n ≤ k + n ↔ m ≤ k :=
+  ⟨Nat.le_of_add_le_add_right, fun h => Nat.add_le_add_right h _⟩
+
 /-! # Basic theorems for comparing numerals -/
 
 theorem ctor_eq_zero : Nat.zero = 0 :=
@@ -527,7 +560,20 @@ theorem not_eq_zero_of_lt (h : b < a) : a ≠ 0 := by
 theorem pred_lt' {n m : Nat} (h : m < n) : pred n < n :=
   pred_lt (not_eq_zero_of_lt h)
 
-/-! # sub/pred theorems -/
+/-! # pred theorems -/
+
+@[simp] protected theorem pred_zero : pred 0 = 0 := rfl
+@[simp] protected theorem pred_succ (n : Nat) : pred n.succ = n := rfl
+
+theorem succ_pred {a : Nat} (h : a ≠ 0) : a.pred.succ = a := by
+  induction a with
+  | zero => contradiction
+  | succ => rfl
+
+theorem succ_pred_eq_of_pos : ∀ {n}, 0 < n → succ (pred n) = n
+  | _+1, _ => rfl
+
+/-! # sub theorems -/
 
 theorem add_sub_self_left (a b : Nat) : (a + b) - a = b := by
   induction a with
@@ -561,11 +607,6 @@ theorem sub_succ_lt_self (a i : Nat) (h : i < a) : a - (i + 1) < a - i := by
   apply Nat.zero_lt_sub_of_lt
   assumption
 
-theorem succ_pred {a : Nat} (h : a ≠ 0) : a.pred.succ = a := by
-  induction a with
-  | zero => contradiction
-  | succ => rfl
-
 theorem sub_ne_zero_of_lt : {a b : Nat} → a < b → b - a ≠ 0
   | 0, 0, h      => absurd h (Nat.lt_irrefl 0)
   | 0, succ b, _ => by simp
@@ -580,7 +621,7 @@ theorem add_sub_of_le {a b : Nat} (h : a ≤ b) : a + (b - a) = b := by
     have : a ≤ b := Nat.le_of_succ_le h
     rw [sub_succ, Nat.succ_add, ← Nat.add_succ, Nat.succ_pred hne, ih this]
 
-protected theorem sub_add_cancel {n m : Nat} (h : m ≤ n) : n - m + m = n := by
+@[simp] protected theorem sub_add_cancel {n m : Nat} (h : m ≤ n) : n - m + m = n := by
   rw [Nat.add_comm, Nat.add_sub_of_le h]
 
 protected theorem add_sub_add_right (n k m : Nat) : (n + k) - (m + k) = n - m := by
@@ -591,7 +632,7 @@ protected theorem add_sub_add_right (n k m : Nat) : (n + k) - (m + k) = n - m :=
 protected theorem add_sub_add_left (k n m : Nat) : (k + n) - (k + m) = n - m := by
   rw [Nat.add_comm k n, Nat.add_comm k m, Nat.add_sub_add_right]
 
-protected theorem add_sub_cancel (n m : Nat) : n + m - m = n :=
+@[simp] protected theorem add_sub_cancel (n m : Nat) : n + m - m = n :=
   suffices n + m - (0 + m) = n by rw [Nat.zero_add] at this; assumption
   by rw [Nat.add_sub_add_right, Nat.sub_zero]
 
@@ -680,12 +721,6 @@ theorem lt_sub_of_add_lt {a b c : Nat} (h : a + b < c) : a < c - b :=
   have : a.succ + b ≤ c := by simp [Nat.succ_add]; exact h
   le_sub_of_add_le this
 
-@[simp] protected theorem pred_zero : pred 0 = 0 :=
-  rfl
-
-@[simp] protected theorem pred_succ (n : Nat) : pred n.succ = n :=
-  rfl
-
 theorem sub.elim {motive : Nat → Prop}
     (x y : Nat)
     (h₁ : y ≤ x → (k : Nat) → x = y + k → motive k)
@@ -695,19 +730,76 @@ theorem sub.elim {motive : Nat → Prop}
   | inl hlt => rw [Nat.sub_eq_zero_of_le (Nat.le_of_lt hlt)]; exact h₂ hlt
   | inr hle => exact h₁ hle (x - y) (Nat.add_sub_of_le hle).symm
 
-theorem mul_pred_left (n m : Nat) : pred n * m = n * m - m := by
-  cases n with
-  | zero   => simp
-  | succ n => rw [Nat.pred_succ, succ_mul, Nat.add_sub_cancel]
+theorem succ_sub {m n : Nat} (h : n ≤ m) : succ m - n = succ (m - n) := by
+  let ⟨k, hk⟩ := Nat.le.dest h
+  rw [← hk, Nat.add_sub_cancel_left, ← add_succ, Nat.add_sub_cancel_left]
 
-theorem mul_pred_right (n m : Nat) : n * pred m = n * m - n := by
-  rw [Nat.mul_comm, mul_pred_left, Nat.mul_comm]
+protected theorem sub_pos_of_lt (h : m < n) : 0 < n - m :=
+  Nat.pos_iff_ne_zero.2 (Nat.sub_ne_zero_of_lt h)
 
 protected theorem sub_sub (n m k : Nat) : n - m - k = n - (m + k) := by
   induction k with
   | zero => simp
   | succ k ih => rw [Nat.add_succ, Nat.sub_succ, Nat.sub_succ, ih]
 
+protected theorem sub_le_sub_left (h : n ≤ m) (k : Nat) : k - m ≤ k - n :=
+  match m, le.dest h with
+  | _, ⟨a, rfl⟩ => by rw [← Nat.sub_sub]; apply sub_le
+
+protected theorem sub_le_sub_right {n m : Nat} (h : n ≤ m) : ∀ k, n - k ≤ m - k
+  | 0   => h
+  | z+1 => pred_le_pred (Nat.sub_le_sub_right h z)
+
+protected theorem lt_of_sub_ne_zero (h : n - m ≠ 0) : m < n :=
+  Nat.not_le.1 (mt Nat.sub_eq_zero_of_le h)
+
+protected theorem sub_ne_zero_iff_lt : n - m ≠ 0 ↔ m < n :=
+  ⟨Nat.lt_of_sub_ne_zero, Nat.sub_ne_zero_of_lt⟩
+
+protected theorem lt_of_sub_pos (h : 0 < n - m) : m < n :=
+  Nat.lt_of_sub_ne_zero (Nat.pos_iff_ne_zero.1 h)
+
+protected theorem lt_of_sub_eq_succ (h : m - n = succ l) : n < m :=
+  Nat.lt_of_sub_pos (h ▸ Nat.zero_lt_succ _)
+
+protected theorem sub_lt_left_of_lt_add {n k m : Nat} (H : n ≤ k) (h : k < n + m) : k - n < m := by
+  have := Nat.sub_le_sub_right (succ_le_of_lt h) n
+  rwa [Nat.add_sub_cancel_left, Nat.succ_sub H] at this
+
+protected theorem sub_lt_right_of_lt_add {n k m : Nat} (H : n ≤ k) (h : k < m + n) : k - n < m :=
+  Nat.sub_lt_left_of_lt_add H (Nat.add_comm .. ▸ h)
+
+protected theorem le_of_sub_eq_zero : ∀ {n m}, n - m = 0 → n ≤ m
+  | 0, _, _ => Nat.zero_le ..
+  | _+1, _+1, h => Nat.succ_le_succ <| Nat.le_of_sub_eq_zero (Nat.succ_sub_succ .. ▸ h)
+
+protected theorem le_of_sub_le_sub_right : ∀ {n m k : Nat}, k ≤ m → n - k ≤ m - k → n ≤ m
+  | 0, _, _, _, _ => Nat.zero_le ..
+  | _+1, _, 0, _, h₁ => h₁
+  | _+1, _+1, _+1, h₀, h₁ => by
+    simp only [Nat.succ_sub_succ] at h₁
+    exact succ_le_succ <| Nat.le_of_sub_le_sub_right (le_of_succ_le_succ h₀) h₁
+
+protected theorem sub_le_sub_iff_right {n : Nat} (h : k ≤ m) : n - k ≤ m - k ↔ n ≤ m :=
+  ⟨Nat.le_of_sub_le_sub_right h, fun h => Nat.sub_le_sub_right h _⟩
+
+protected theorem sub_eq_iff_eq_add {c : Nat} (h : b ≤ a) : a - b = c ↔ a = c + b :=
+  ⟨fun | rfl => by rw [Nat.sub_add_cancel h], fun heq => by rw [heq, Nat.add_sub_cancel]⟩
+
+protected theorem sub_eq_iff_eq_add' {c : Nat} (h : b ≤ a) : a - b = c ↔ a = b + c := by
+  rw [Nat.add_comm, Nat.sub_eq_iff_eq_add h]
+
+theorem mul_pred_left (n m : Nat) : pred n * m = n * m - m := by
+  cases n with
+  | zero   => simp
+  | succ n => rw [Nat.pred_succ, succ_mul, Nat.add_sub_cancel]
+
+/-! ## Mul sub distrib -/
+
+theorem mul_pred_right (n m : Nat) : n * pred m = n * m - n := by
+  rw [Nat.mul_comm, mul_pred_left, Nat.mul_comm]
+
+
 protected theorem mul_sub_right_distrib (n m k : Nat) : (n - m) * k = n * k - m * k := by
   induction m with
   | zero => simp
@@ -719,14 +811,12 @@ protected theorem mul_sub_left_distrib (n m k : Nat) : n * (m - k) = n * m - n *
 /-! # Helper normalization theorems -/
 
 theorem not_le_eq (a b : Nat) : (¬ (a ≤ b)) = (b + 1 ≤ a) :=
-  propext <| Iff.intro (fun h => Nat.gt_of_not_le h) (fun h => Nat.not_le_of_gt h)
-
+  Eq.propIntro Nat.gt_of_not_le Nat.not_le_of_gt
 theorem not_ge_eq (a b : Nat) : (¬ (a ≥ b)) = (a + 1 ≤ b) :=
   not_le_eq b a
 
 theorem not_lt_eq (a b : Nat) : (¬ (a < b)) = (b ≤ a) :=
-  propext <| Iff.intro (fun h => have h := Nat.succ_le_of_lt (Nat.gt_of_not_le h); Nat.le_of_succ_le_succ h) (fun h => Nat.not_le_of_gt (Nat.succ_le_succ h))
-
+  Eq.propIntro Nat.le_of_not_lt Nat.not_lt_of_le
 theorem not_gt_eq (a b : Nat) : (¬ (a > b)) = (a ≤ b) :=
   not_lt_eq b a
 

src/Init/Data/Nat/Bitwise.lean

@@ -1,54 +1,3 @@
-/-
-Copyright (c) 2019 Microsoft Corporation. All rights reserved.
-Released under Apache 2.0 license as described in the file LICENSE.
-Authors: Leonardo de Moura
--/
 prelude
-import Init.Data.Nat.Basic
-import Init.Data.Nat.Div
-import Init.Coe
-
-namespace Nat
-
-theorem bitwise_rec_lemma {n : Nat} (hNe : n ≠ 0) : n / 2 < n :=
-  Nat.div_lt_self (Nat.zero_lt_of_ne_zero hNe) (Nat.lt_succ_self _)
-
-def bitwise (f : Bool → Bool → Bool) (n m : Nat) : Nat :=
-  if n = 0 then
-    if f false true then m else 0
-  else if m = 0 then
-    if f true false then n else 0
-  else
-    let n' := n / 2
-    let m' := m / 2
-    let b₁ := n % 2 = 1
-    let b₂ := m % 2 = 1
-    let r  := bitwise f n' m'
-    if f b₁ b₂ then
-      r+r+1
-    else
-      r+r
-decreasing_by apply bitwise_rec_lemma; assumption
-
-@[extern "lean_nat_land"]
-def land : @& Nat → @& Nat → Nat := bitwise and
-@[extern "lean_nat_lor"]
-def lor  : @& Nat → @& Nat → Nat := bitwise or
-@[extern "lean_nat_lxor"]
-def xor  : @& Nat → @& Nat → Nat := bitwise bne
-@[extern "lean_nat_shiftl"]
-def shiftLeft : @& Nat → @& Nat → Nat
-  | n, 0 => n
-  | n, succ m => shiftLeft (2*n) m
-@[extern "lean_nat_shiftr"]
-def shiftRight : @& Nat → @& Nat → Nat
-  | n, 0 => n
-  | n, succ m => shiftRight n m / 2
-
-instance : AndOp Nat := ⟨Nat.land⟩
-instance : OrOp Nat := ⟨Nat.lor⟩
-instance : Xor Nat := ⟨Nat.xor⟩
-instance : ShiftLeft Nat := ⟨Nat.shiftLeft⟩
-instance : ShiftRight Nat := ⟨Nat.shiftRight⟩
-
-end Nat
+import Init.Data.Nat.Bitwise.Basic
+import Init.Data.Nat.Bitwise.Lemmas

src/Init/Data/Nat/Bitwise/Basic.lean

@@ -0,0 +1,63 @@
+/-
+Copyright (c) 2019 Microsoft Corporation. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Leonardo de Moura
+-/
+prelude
+import Init.Data.Nat.Basic
+import Init.Data.Nat.Div
+import Init.Coe
+
+namespace Nat
+
+theorem bitwise_rec_lemma {n : Nat} (hNe : n ≠ 0) : n / 2 < n :=
+  Nat.div_lt_self (Nat.zero_lt_of_ne_zero hNe) (Nat.lt_succ_self _)
+
+def bitwise (f : Bool → Bool → Bool) (n m : Nat) : Nat :=
+  if n = 0 then
+    if f false true then m else 0
+  else if m = 0 then
+    if f true false then n else 0
+  else
+    let n' := n / 2
+    let m' := m / 2
+    let b₁ := n % 2 = 1
+    let b₂ := m % 2 = 1
+    let r  := bitwise f n' m'
+    if f b₁ b₂ then
+      r+r+1
+    else
+      r+r
+decreasing_by apply bitwise_rec_lemma; assumption
+
+@[extern "lean_nat_land"]
+def land : @& Nat → @& Nat → Nat := bitwise and
+@[extern "lean_nat_lor"]
+def lor  : @& Nat → @& Nat → Nat := bitwise or
+@[extern "lean_nat_lxor"]
+def xor  : @& Nat → @& Nat → Nat := bitwise bne
+@[extern "lean_nat_shiftl"]
+def shiftLeft : @& Nat → @& Nat → Nat
+  | n, 0 => n
+  | n, succ m => shiftLeft (2*n) m
+@[extern "lean_nat_shiftr"]
+def shiftRight : @& Nat → @& Nat → Nat
+  | n, 0 => n
+  | n, succ m => shiftRight n m / 2
+
+instance : AndOp Nat := ⟨Nat.land⟩
+instance : OrOp Nat := ⟨Nat.lor⟩
+instance : Xor Nat := ⟨Nat.xor⟩
+instance : ShiftLeft Nat := ⟨Nat.shiftLeft⟩
+instance : ShiftRight Nat := ⟨Nat.shiftRight⟩
+
+/-!
+### testBit
+We define an operation for testing individual bits in the binary representation
+of a number.
+-/
+
+/-- `testBit m n` returns whether the `(n+1)` least significant bit is `1` or `0`-/
+def testBit (m n : Nat) : Bool := (m >>> n) &&& 1 != 0
+
+end Nat

src/Init/Data/Nat/Bitwise/Lemmas.lean

@@ -0,0 +1,503 @@
+/-
+Copyright (c) 2023 by the authors listed in the file AUTHORS and their
+institutional affiliations. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Joe Hendrix
+-/
+
+prelude
+import Init.Data.Bool
+import Init.Data.Nat.Bitwise.Basic
+import Init.Data.Nat.Lemmas
+import Init.TacticsExtra
+import Init.Omega
+
+/-
+This module defines properties of the bitwise operations on Natural numbers.
+
+It is primarily intended to support the bitvector library.
+-/
+
+namespace Nat
+
+@[local simp]
+private theorem one_div_two : 1/2 = 0 := by trivial
+
+private theorem two_pow_succ_sub_succ_div_two : (2 ^ (n+1) - (x + 1)) / 2 = 2^n - (x/2 + 1) := by
+  if h : x + 1 ≤ 2 ^ (n + 1) then
+    apply fun x => (Nat.sub_eq_of_eq_add x).symm
+    apply Eq.trans _
+    apply Nat.add_mul_div_left _ _ Nat.zero_lt_two
+    rw [← Nat.sub_add_comm h]
+    rw [Nat.add_sub_assoc (by omega)]
+    rw [Nat.pow_succ']
+    rw [Nat.mul_add_div Nat.zero_lt_two]
+    simp [show (2 * (x / 2 + 1) - (x + 1)) / 2 = 0 by omega]
+  else
+    rw [Nat.pow_succ'] at *
+    omega
+
+private theorem two_pow_succ_sub_one_div_two : (2 ^ (n+1) - 1) / 2 = 2^n - 1 :=
+  two_pow_succ_sub_succ_div_two
+
+private theorem two_mul_sub_one {n : Nat} (n_pos : n > 0) : (2*n - 1) % 2 = 1 := by
+  match n with
+  | 0 => contradiction
+  | n + 1 => simp [Nat.mul_succ, Nat.mul_add_mod, mod_eq_of_lt]
+
+/-! ### Preliminaries -/
+
+/--
+An induction principal that works on divison by two.
+-/
+noncomputable def div2Induction {motive : Nat → Sort u}
+    (n : Nat) (ind : ∀(n : Nat), (n > 0 → motive (n/2)) → motive n) : motive n := by
+  induction n using Nat.strongInductionOn with
+  | ind n hyp =>
+    apply ind
+    intro n_pos
+    if n_eq : n = 0 then
+      simp [n_eq] at n_pos
+    else
+      apply hyp
+      exact Nat.div_lt_self n_pos (Nat.le_refl _)
+
+@[simp] theorem zero_and (x : Nat) : 0 &&& x = 0 := by rfl
+
+@[simp] theorem and_zero (x : Nat) : x &&& 0 = 0 := by
+  simp only [HAnd.hAnd, AndOp.and, land]
+  unfold bitwise
+  simp
+
+@[simp] theorem and_one_is_mod (x : Nat) : x &&& 1 = x % 2 := by
+  if xz : x = 0 then
+    simp [xz, zero_and]
+  else
+    have andz := and_zero (x/2)
+    simp only [HAnd.hAnd, AndOp.and, land] at andz
+    simp only [HAnd.hAnd, AndOp.and, land]
+    unfold bitwise
+    cases mod_two_eq_zero_or_one x with | _ p =>
+      simp [xz, p, andz, one_div_two, mod_eq_of_lt]
+
+/-! ### testBit -/
+
+@[simp] theorem zero_testBit (i : Nat) : testBit 0 i = false := by
+  simp only [testBit, zero_shiftRight, zero_and, bne_self_eq_false]
+
+@[simp] theorem testBit_zero (x : Nat) : testBit x 0 = decide (x % 2 = 1) := by
+  cases mod_two_eq_zero_or_one x with | _ p => simp [testBit, p]
+
+@[simp] theorem testBit_succ (x i : Nat) : testBit x (succ i) = testBit (x/2) i := by
+  unfold testBit
+  simp [shiftRight_succ_inside]
+
+theorem testBit_to_div_mod {x : Nat} : testBit x i = decide (x / 2^i % 2 = 1) := by
+  induction i generalizing x with
+  | zero =>
+    unfold testBit
+    cases mod_two_eq_zero_or_one x with | _ xz => simp [xz]
+  | succ i hyp =>
+    simp [hyp, Nat.div_div_eq_div_mul, Nat.pow_succ']
+
+theorem ne_zero_implies_bit_true {x : Nat} (xnz : x ≠ 0) : ∃ i, testBit x i := by
+  induction x using div2Induction with
+  | ind x hyp =>
+    have x_pos : x > 0 := Nat.pos_of_ne_zero xnz
+    match mod_two_eq_zero_or_one x with
+    | Or.inl mod2_eq =>
+      rw [←div_add_mod x 2] at xnz
+      simp only [mod2_eq, ne_eq, Nat.mul_eq_zero, Nat.add_zero, false_or] at xnz
+      have ⟨d, dif⟩   := hyp x_pos xnz
+      apply Exists.intro (d+1)
+      simp_all
+    | Or.inr mod2_eq =>
+      apply Exists.intro 0
+      simp_all
+
+theorem ne_implies_bit_diff {x y : Nat} (p : x ≠ y) : ∃ i, testBit x i ≠ testBit y i := by
+  induction y using Nat.div2Induction generalizing x with
+  | ind y hyp =>
+    cases Nat.eq_zero_or_pos y with
+    | inl yz =>
+      simp only [yz, Nat.zero_testBit, Bool.eq_false_iff]
+      simp only [yz] at p
+      have ⟨i,ip⟩  := ne_zero_implies_bit_true p
+      apply Exists.intro i
+      simp [ip]
+    | inr ypos =>
+      if lsb_diff : x % 2 = y % 2 then
+        rw [←Nat.div_add_mod x 2, ←Nat.div_add_mod y 2] at p
+        simp only [ne_eq, lsb_diff, Nat.add_right_cancel_iff,
+          Nat.zero_lt_succ, Nat.mul_left_cancel_iff] at p
+        have ⟨i, ieq⟩  := hyp ypos p
+        apply Exists.intro (i+1)
+        simpa
+      else
+        apply Exists.intro 0
+        simp only [testBit_zero]
+        revert lsb_diff
+        cases mod_two_eq_zero_or_one x with | _ p =>
+          cases mod_two_eq_zero_or_one y with | _ q =>
+            simp [p,q]
+
+/--
+`eq_of_testBit_eq` allows proving two natural numbers are equal
+if their bits are all equal.
+-/
+theorem eq_of_testBit_eq {x y : Nat} (pred : ∀i, testBit x i = testBit y i) : x = y := by
+  if h : x = y then
+    exact h
+  else
+    let ⟨i,eq⟩ := ne_implies_bit_diff h
+    have p := pred i
+    contradiction
+
+theorem ge_two_pow_implies_high_bit_true {x : Nat} (p : x ≥ 2^n) : ∃ i, i ≥ n ∧ testBit x i := by
+  induction x using div2Induction generalizing n with
+  | ind x hyp =>
+    have x_pos : x > 0 := Nat.lt_of_lt_of_le (Nat.two_pow_pos n) p
+    have x_ne_zero : x ≠ 0 := Nat.ne_of_gt x_pos
+    match n with
+    | zero =>
+      let ⟨j, jp⟩ := ne_zero_implies_bit_true x_ne_zero
+      exact Exists.intro j (And.intro (Nat.zero_le _) jp)
+    | succ n =>
+      have x_ge_n : x / 2 ≥ 2 ^ n := by
+          simpa [le_div_iff_mul_le, ← Nat.pow_succ'] using p
+      have ⟨j, jp⟩ := @hyp x_pos n x_ge_n
+      apply Exists.intro (j+1)
+      apply And.intro
+      case left =>
+        exact (Nat.succ_le_succ jp.left)
+      case right =>
+        simpa using jp.right
+
+theorem testBit_implies_ge {x : Nat} (p : testBit x i = true) : x ≥ 2^i := by
+  simp only [testBit_to_div_mod] at p
+  apply Decidable.by_contra
+  intro not_ge
+  have x_lt : x < 2^i := Nat.lt_of_not_le not_ge
+  simp [div_eq_of_lt x_lt] at p
+
+theorem testBit_lt_two_pow {x i : Nat} (lt : x < 2^i) : x.testBit i = false := by
+  match p : x.testBit i with
+  | false => trivial
+  | true =>
+    exfalso
+    exact Nat.not_le_of_gt lt (testBit_implies_ge p)
+
+theorem lt_pow_two_of_testBit (x : Nat) (p : ∀i, i ≥ n → testBit x i = false) : x < 2^n := by
+  apply Decidable.by_contra
+  intro not_lt
+  have x_ge_n := Nat.ge_of_not_lt not_lt
+  have ⟨i, ⟨i_ge_n, test_true⟩⟩ := ge_two_pow_implies_high_bit_true x_ge_n
+  have test_false := p _ i_ge_n
+  simp only [test_true] at test_false
+
+/-! ### testBit -/
+
+private theorem succ_mod_two : succ x % 2 = 1 - x % 2 := by
+  induction x with
+  | zero =>
+    trivial
+  | succ x hyp =>
+    have p : 2 ≤ x + 2 := Nat.le_add_left _ _
+    simp [Nat.mod_eq (x+2) 2, p, hyp]
+    cases Nat.mod_two_eq_zero_or_one x with | _ p => simp [p]
+
+private theorem testBit_succ_zero : testBit (x + 1) 0 = not (testBit x 0) := by
+  simp [testBit_to_div_mod, succ_mod_two]
+  cases Nat.mod_two_eq_zero_or_one x with | _ p =>
+    simp [p]
+
+theorem testBit_two_pow_add_eq (x i : Nat) : testBit (2^i + x) i = not (testBit x i) := by
+  simp [testBit_to_div_mod, add_div_left, Nat.two_pow_pos, succ_mod_two]
+  cases mod_two_eq_zero_or_one (x / 2 ^ i) with
+  | _ p => simp [p]
+
+theorem testBit_mul_two_pow_add_eq (a b i : Nat) :
+    testBit (2^i*a + b) i = Bool.xor (a%2 = 1) (testBit b i) := by
+  match a with
+  | 0 => simp
+  | a+1 =>
+    simp [Nat.mul_succ, Nat.add_assoc,
+          testBit_mul_two_pow_add_eq a,
+          testBit_two_pow_add_eq,
+          Nat.succ_mod_two]
+    cases mod_two_eq_zero_or_one a with
+    | _ p => simp [p]
+
+theorem testBit_two_pow_add_gt {i j : Nat} (j_lt_i : j < i) (x : Nat) :
+    testBit (2^i + x) j = testBit x j := by
+  have i_def : i = j + (i-j) := (Nat.add_sub_cancel' (Nat.le_of_lt j_lt_i)).symm
+  rw [i_def]
+  simp only [testBit_to_div_mod, Nat.pow_add,
+        Nat.add_comm x, Nat.mul_add_div (Nat.two_pow_pos _)]
+  match i_sub_j_eq : i - j with
+  | 0 =>
+    exfalso
+    rw [Nat.sub_eq_zero_iff_le] at i_sub_j_eq
+    exact Nat.not_le_of_gt j_lt_i i_sub_j_eq
+  | d+1 =>
+    simp [pow_succ, Nat.mul_comm _ 2,  Nat.mul_add_mod]
+
+@[simp] theorem testBit_mod_two_pow (x j i : Nat) :
+    testBit (x % 2^j) i = (decide (i < j) && testBit x i) := by
+  induction x using Nat.strongInductionOn generalizing j i with
+  | ind x hyp =>
+    rw [mod_eq]
+    rcases Nat.lt_or_ge x (2^j) with x_lt_j | x_ge_j
+    · have not_j_le_x := Nat.not_le_of_gt x_lt_j
+      simp [not_j_le_x]
+      rcases Nat.lt_or_ge i j with i_lt_j | i_ge_j
+      · simp [i_lt_j]
+      · have x_lt : x < 2^i :=
+            calc x < 2^j := x_lt_j
+                _ ≤ 2^i := Nat.pow_le_pow_of_le_right Nat.zero_lt_two i_ge_j
+        simp [Nat.testBit_lt_two_pow x_lt]
+    · generalize y_eq : x - 2^j = y
+      have x_eq : x = y + 2^j := Nat.eq_add_of_sub_eq x_ge_j y_eq
+      simp only [Nat.two_pow_pos, x_eq, Nat.le_add_left, true_and, ite_true]
+      have y_lt_x : y < x := by
+            simp [x_eq]
+            exact Nat.lt_add_of_pos_right (Nat.two_pow_pos j)
+      simp only [hyp y y_lt_x]
+      if i_lt_j : i < j then
+        rw [ Nat.add_comm _ (2^_), testBit_two_pow_add_gt i_lt_j]
+      else
+        simp [i_lt_j]
+
+theorem testBit_one_zero : testBit 1 0 = true := by trivial
+
+theorem testBit_two_pow_sub_succ (h₂ : x < 2 ^ n) (i : Nat) :
+    testBit (2^n - (x + 1)) i = (decide (i < n) && ! testBit x i) := by
+  induction i generalizing n x with
+  | zero =>
+    simp only [testBit_zero, zero_eq, Bool.and_eq_true, decide_eq_true_eq,
+      Bool.not_eq_true']
+    match n with
+    | 0 => simp
+    | n+1 =>
+      -- just logic + omega:
+      simp only [zero_lt_succ, decide_True, Bool.true_and]
+      rw [Nat.pow_succ', ← decide_not, decide_eq_decide]
+      rw [Nat.pow_succ'] at h₂
+      omega
+  | succ i ih =>
+    simp only [testBit_succ]
+    match n with
+    | 0 =>
+      simp only [pow_zero, succ_sub_succ_eq_sub, Nat.zero_sub, Nat.zero_div, zero_testBit]
+      rw [decide_eq_false] <;> simp
+    | n+1 =>
+      rw [Nat.two_pow_succ_sub_succ_div_two, ih]
+      · simp [Nat.succ_lt_succ_iff]
+      · rw [Nat.pow_succ'] at h₂
+        omega
+
+@[simp] theorem testBit_two_pow_sub_one (n i : Nat) : testBit (2^n-1) i = decide (i < n) := by
+  rw [testBit_two_pow_sub_succ]
+  · simp
+  · exact Nat.two_pow_pos _
+
+theorem testBit_bool_to_nat (b : Bool) (i : Nat) :
+    testBit (Bool.toNat b) i = (decide (i = 0) && b) := by
+  cases b <;> cases i <;>
+  simp [testBit_to_div_mod, Nat.pow_succ, Nat.mul_comm _ 2,
+        ←Nat.div_div_eq_div_mul _ 2, one_div_two,
+        Nat.mod_eq_of_lt]
+
+/-! ### bitwise -/
+
+theorem testBit_bitwise
+  (false_false_axiom : f false false = false) (x y i : Nat)
+: (bitwise f x y).testBit i = f (x.testBit i) (y.testBit i) := by
+  induction i using Nat.strongInductionOn generalizing x y with
+  | ind i hyp =>
+    unfold bitwise
+    if x_zero : x = 0 then
+      cases p : f false true <;>
+        cases yi : testBit y i <;>
+          simp [x_zero, p, yi, false_false_axiom]
+    else if y_zero : y = 0 then
+      simp [x_zero, y_zero]
+      cases p : f true false <;>
+        cases xi : testBit x i <;>
+          simp [p, xi, false_false_axiom]
+    else
+      simp only [x_zero, y_zero, ←Nat.two_mul]
+      cases i with
+      | zero =>
+        cases p : f (decide (x % 2 = 1)) (decide (y % 2 = 1)) <;>
+          simp [p, Nat.mul_add_mod, mod_eq_of_lt]
+      | succ i =>
+        have hyp_i := hyp i (Nat.le_refl (i+1))
+        cases p : f (decide (x % 2 = 1)) (decide (y % 2 = 1)) <;>
+          simp [p, one_div_two, hyp_i, Nat.mul_add_div]
+
+/-! ### bitwise -/
+
+@[local simp]
+private theorem eq_0_of_lt_one (x : Nat) : x < 1 ↔ x = 0 :=
+  Iff.intro
+    (fun p =>
+      match x with
+      | 0 => Eq.refl 0
+      | _+1 => False.elim (not_lt_zero _ (Nat.lt_of_succ_lt_succ p)))
+    (fun p => by simp [p, Nat.zero_lt_succ])
+
+private theorem eq_0_of_lt (x : Nat) : x < 2^ 0 ↔ x = 0 := eq_0_of_lt_one x
+
+@[local simp]
+private theorem zero_lt_pow (n : Nat) : 0 < 2^n := by
+  induction n
+  case zero => simp [eq_0_of_lt]
+  case succ n hyp => simpa [pow_succ]
+
+private theorem div_two_le_of_lt_two {m n : Nat} (p : m < 2 ^ succ n) : m / 2 < 2^n := by
+  simp [div_lt_iff_lt_mul Nat.zero_lt_two]
+  exact p
+
+/-- This provides a bound on bitwise operations. -/
+theorem bitwise_lt_two_pow (left : x < 2^n) (right : y < 2^n) : (Nat.bitwise f x y) < 2^n := by
+  induction n generalizing x y with
+  | zero =>
+    simp only [eq_0_of_lt] at left right
+    unfold bitwise
+    simp [left, right]
+  | succ n hyp =>
+    unfold bitwise
+    if x_zero : x = 0 then
+      simp only [x_zero, if_pos]
+      by_cases p : f false true = true <;> simp [p, right]
+    else if y_zero : y = 0 then
+      simp only [x_zero, y_zero, if_neg, if_pos]
+      by_cases p : f true false = true <;> simp [p, left]
+    else
+      simp only [x_zero, y_zero, if_neg]
+      have hyp1 := hyp (div_two_le_of_lt_two left) (div_two_le_of_lt_two right)
+      by_cases p : f (decide (x % 2 = 1)) (decide (y % 2 = 1)) = true <;>
+        simp [p, pow_succ, mul_succ, Nat.add_assoc]
+      case pos =>
+        apply lt_of_succ_le
+        simp only [← Nat.succ_add]
+        apply Nat.add_le_add <;> exact hyp1
+      case neg =>
+        apply Nat.add_lt_add <;> exact hyp1
+
+/-! ### and -/
+
+@[simp] theorem testBit_and (x y i : Nat) : (x &&& y).testBit i = (x.testBit i && y.testBit i) := by
+  simp [HAnd.hAnd, AndOp.and, land, testBit_bitwise ]
+
+theorem and_lt_two_pow (x : Nat) {y n : Nat} (right : y < 2^n) : (x &&& y) < 2^n := by
+  apply lt_pow_two_of_testBit
+  intro i i_ge_n
+  have yf : testBit y i = false := by
+          apply Nat.testBit_lt_two_pow
+          apply Nat.lt_of_lt_of_le right
+          exact pow_le_pow_of_le_right Nat.zero_lt_two i_ge_n
+  simp [testBit_and, yf]
+
+@[simp] theorem and_pow_two_is_mod (x n : Nat) : x &&& (2^n-1) = x % 2^n := by
+  apply eq_of_testBit_eq
+  intro i
+  simp only [testBit_and, testBit_mod_two_pow]
+  cases testBit x i <;> simp
+
+theorem and_pow_two_identity {x : Nat} (lt : x < 2^n) : x &&& 2^n-1 = x := by
+  rw [and_pow_two_is_mod]
+  apply Nat.mod_eq_of_lt lt
+
+/-! ### lor -/
+
+@[simp] theorem or_zero (x : Nat) : 0 ||| x = x := by
+  simp only [HOr.hOr, OrOp.or, lor]
+  unfold bitwise
+  simp [@eq_comm _ 0]
+
+@[simp] theorem zero_or (x : Nat) : x ||| 0 = x := by
+  simp only [HOr.hOr, OrOp.or, lor]
+  unfold bitwise
+  simp [@eq_comm _ 0]
+
+@[simp] theorem testBit_or (x y i : Nat) : (x ||| y).testBit i = (x.testBit i || y.testBit i) := by
+  simp [HOr.hOr, OrOp.or, lor, testBit_bitwise ]
+
+theorem or_lt_two_pow {x y n : Nat} (left : x < 2^n) (right : y < 2^n) : x ||| y < 2^n :=
+  bitwise_lt_two_pow left right
+
+/-! ### xor -/
+
+@[simp] theorem testBit_xor (x y i : Nat) :
+    (x ^^^ y).testBit i = Bool.xor (x.testBit i) (y.testBit i) := by
+  simp [HXor.hXor, Xor.xor, xor, testBit_bitwise ]
+
+theorem xor_lt_two_pow {x y n : Nat} (left : x < 2^n) (right : y < 2^n) : x ^^^ y < 2^n :=
+  bitwise_lt_two_pow left right
+
+/-! ### Arithmetic -/
+
+theorem testBit_mul_pow_two_add (a : Nat) {b i : Nat} (b_lt : b < 2^i) (j : Nat) :
+    testBit (2 ^ i * a + b) j =
+      if j < i then
+        testBit b j
+      else
+        testBit a (j - i) := by
+  cases Nat.lt_or_ge j i with
+  | inl j_lt =>
+    simp only [j_lt]
+    have i_ge := Nat.le_of_lt j_lt
+    have i_sub_j_nez : i-j ≠ 0 := Nat.sub_ne_zero_of_lt j_lt
+    have i_def : i = j + succ (pred (i-j)) :=
+          calc i = j + (i-j) := (Nat.add_sub_cancel' i_ge).symm
+               _ = j + succ (pred (i-j)) := by
+                 rw [← congrArg (j+·) (Nat.succ_pred i_sub_j_nez)]
+    rw [i_def]
+    simp only [testBit_to_div_mod, Nat.pow_add, Nat.mul_assoc]
+    simp only [Nat.mul_add_div (Nat.two_pow_pos _), Nat.mul_add_mod]
+    simp [Nat.pow_succ, Nat.mul_comm _ 2, Nat.mul_assoc, Nat.mul_add_mod]
+  | inr j_ge =>
+    have j_def : j = i + (j-i) := (Nat.add_sub_cancel' j_ge).symm
+    simp only [
+        testBit_to_div_mod,
+        Nat.not_lt_of_le,
+        j_ge,
+        ite_false]
+    simp [congrArg (2^·) j_def, Nat.pow_add,
+          ←Nat.div_div_eq_div_mul,
+          Nat.mul_add_div,
+          Nat.div_eq_of_lt b_lt,
+          Nat.two_pow_pos i]
+
+theorem testBit_mul_pow_two :
+    testBit (2 ^ i * a) j = (decide (j ≥ i) && testBit a (j-i)) := by
+  have gen := testBit_mul_pow_two_add a (Nat.two_pow_pos i) j
+  simp at gen
+  rw [gen]
+  cases Nat.lt_or_ge j i with
+  | _ p => simp [p, Nat.not_le_of_lt, Nat.not_lt_of_le]
+
+theorem mul_add_lt_is_or {b : Nat} (b_lt : b < 2^i) (a : Nat) : 2^i * a + b = 2^i * a ||| b := by
+  apply eq_of_testBit_eq
+  intro j
+  simp only [testBit_mul_pow_two_add _ b_lt,
+        testBit_or, testBit_mul_pow_two]
+  if j_lt : j < i then
+    simp [Nat.not_le_of_lt, j_lt]
+  else
+    have i_le : i ≤ j := Nat.le_of_not_lt j_lt
+    have b_lt_j :=
+            calc b < 2 ^ i := b_lt
+                 _ ≤ 2 ^ j := Nat.pow_le_pow_of_le_right Nat.zero_lt_two i_le
+    simp [i_le, j_lt, testBit_lt_two_pow, b_lt_j]
+
+/-! ### shiftLeft and shiftRight -/
+
+@[simp] theorem testBit_shiftLeft (x : Nat) : testBit (x <<< i) j =
+    (decide (j ≥ i) && testBit x (j-i)) := by
+  simp [shiftLeft_eq, Nat.mul_comm _ (2^_), testBit_mul_pow_two]
+
+@[simp] theorem testBit_shiftRight (x : Nat) : testBit (x >>> i) j = testBit x (i+j) := by
+  simp [testBit, ←shiftRight_add]

src/Init/Data/Nat/Div.lean

@@ -7,6 +7,7 @@ prelude
 import Init.WF
 import Init.WFTactics
 import Init.Data.Nat.Basic
+
 namespace Nat
 
 theorem div_rec_lemma {x y : Nat} : 0 < y ∧ y ≤ x → x - y < x :=
@@ -174,4 +175,136 @@ theorem div_add_mod (m n : Nat) : n * (m / n) + m % n = m := by
     rw [Nat.left_distrib, Nat.mul_one, Nat.add_assoc, Nat.add_left_comm, ih, Nat.add_comm, Nat.sub_add_cancel h.2]
 decreasing_by apply div_rec_lemma; assumption
 
+theorem div_eq_sub_div (h₁ : 0 < b) (h₂ : b ≤ a) : a / b = (a - b) / b + 1 := by
+ rw [div_eq a, if_pos]; constructor <;> assumption
+
+
+theorem mod_add_div (m k : Nat) : m % k + k * (m / k) = m := by
+  induction m, k using mod.inductionOn with rw [div_eq, mod_eq]
+  | base x y h => simp [h]
+  | ind x y h IH => simp [h]; rw [Nat.mul_succ, ← Nat.add_assoc, IH, Nat.sub_add_cancel h.2]
+
+@[simp] protected theorem div_one (n : Nat) : n / 1 = n := by
+  have := mod_add_div n 1
+  rwa [mod_one, Nat.zero_add, Nat.one_mul] at this
+
+@[simp] protected theorem div_zero (n : Nat) : n / 0 = 0 := by
+  rw [div_eq]; simp [Nat.lt_irrefl]
+
+@[simp] protected theorem zero_div (b : Nat) : 0 / b = 0 :=
+  (div_eq 0 b).trans <| if_neg <| And.rec Nat.not_le_of_gt
+
+theorem le_div_iff_mul_le (k0 : 0 < k) : x ≤ y / k ↔ x * k ≤ y := by
+  induction y, k using mod.inductionOn generalizing x with
+    (rw [div_eq]; simp [h]; cases x with | zero => simp [zero_le] | succ x => ?_)
+  | base y k h =>
+    simp [not_succ_le_zero x, succ_mul, Nat.add_comm]
+    refine Nat.lt_of_lt_of_le ?_ (Nat.le_add_right ..)
+    exact Nat.not_le.1 fun h' => h ⟨k0, h'⟩
+  | ind y k h IH =>
+    rw [← add_one, Nat.add_le_add_iff_right, IH k0, succ_mul,
+        ← Nat.add_sub_cancel (x*k) k, Nat.sub_le_sub_iff_right h.2, Nat.add_sub_cancel]
+
+theorem div_mul_le_self : ∀ (m n : Nat), m / n * n ≤ m
+  | m, 0   => by simp
+  | m, n+1 => (le_div_iff_mul_le (Nat.succ_pos _)).1 (Nat.le_refl _)
+
+theorem div_lt_iff_lt_mul (Hk : 0 < k) : x / k < y ↔ x < y * k := by
+  rw [← Nat.not_le, ← Nat.not_le]; exact not_congr (le_div_iff_mul_le Hk)
+
+@[simp] theorem add_div_right (x : Nat) {z : Nat} (H : 0 < z) : (x + z) / z = succ (x / z) := by
+  rw [div_eq_sub_div H (Nat.le_add_left _ _), Nat.add_sub_cancel]
+
+@[simp] theorem add_div_left (x : Nat) {z : Nat} (H : 0 < z) : (z + x) / z = succ (x / z) := by
+  rw [Nat.add_comm, add_div_right x H]
+
+theorem add_mul_div_left (x z : Nat) {y : Nat} (H : 0 < y) : (x + y * z) / y = x / y + z := by
+  induction z with
+  | zero => rw [Nat.mul_zero, Nat.add_zero, Nat.add_zero]
+  | succ z ih => rw [mul_succ, ← Nat.add_assoc, add_div_right _ H, ih]; rfl
+
+theorem add_mul_div_right (x y : Nat) {z : Nat} (H : 0 < z) : (x + y * z) / z = x / z + y := by
+  rw [Nat.mul_comm, add_mul_div_left _ _ H]
+
+@[simp] theorem add_mod_right (x z : Nat) : (x + z) % z = x % z := by
+  rw [mod_eq_sub_mod (Nat.le_add_left ..), Nat.add_sub_cancel]
+
+@[simp] theorem add_mod_left (x z : Nat) : (x + z) % x = z % x := by
+  rw [Nat.add_comm, add_mod_right]
+
+@[simp] theorem add_mul_mod_self_left (x y z : Nat) : (x + y * z) % y = x % y := by
+  match z with
+  | 0 => rw [Nat.mul_zero, Nat.add_zero]
+  | succ z => rw [mul_succ, ← Nat.add_assoc, add_mod_right, add_mul_mod_self_left (z := z)]
+
+@[simp] theorem add_mul_mod_self_right (x y z : Nat) : (x + y * z) % z = x % z := by
+  rw [Nat.mul_comm, add_mul_mod_self_left]
+
+@[simp] theorem mul_mod_right (m n : Nat) : (m * n) % m = 0 := by
+  rw [← Nat.zero_add (m * n), add_mul_mod_self_left, zero_mod]
+
+@[simp] theorem mul_mod_left (m n : Nat) : (m * n) % n = 0 := by
+  rw [Nat.mul_comm, mul_mod_right]
+
+protected theorem div_eq_of_lt_le (lo : k * n ≤ m) (hi : m < succ k * n) : m / n = k :=
+have npos : 0 < n := (eq_zero_or_pos _).resolve_left fun hn => by
+  rw [hn, Nat.mul_zero] at hi lo; exact absurd lo (Nat.not_le_of_gt hi)
+Nat.le_antisymm
+  (le_of_lt_succ ((Nat.div_lt_iff_lt_mul npos).2 hi))
+  ((Nat.le_div_iff_mul_le npos).2 lo)
+
+theorem sub_mul_div (x n p : Nat) (h₁ : n*p ≤ x) : (x - n*p) / n = x / n - p := by
+  match eq_zero_or_pos n with
+  | .inl h₀ => rw [h₀, Nat.div_zero, Nat.div_zero, Nat.zero_sub]
+  | .inr h₀ => induction p with
+    | zero => rw [Nat.mul_zero, Nat.sub_zero, Nat.sub_zero]
+    | succ p IH =>
+      have h₂ : n * p ≤ x := Nat.le_trans (Nat.mul_le_mul_left _ (le_succ _)) h₁
+      have h₃ : x - n * p ≥ n := by
+        apply Nat.le_of_add_le_add_right
+        rw [Nat.sub_add_cancel h₂, Nat.add_comm]
+        rw [mul_succ] at h₁
+        exact h₁
+      rw [sub_succ, ← IH h₂, div_eq_sub_div h₀ h₃]
+      simp [add_one, Nat.pred_succ, mul_succ, Nat.sub_sub]
+
+theorem mul_sub_div (x n p : Nat) (h₁ : x < n*p) : (n * p - succ x) / n = p - succ (x / n) := by
+  have npos : 0 < n := (eq_zero_or_pos _).resolve_left fun n0 => by
+    rw [n0, Nat.zero_mul] at h₁; exact not_lt_zero _ h₁
+  apply Nat.div_eq_of_lt_le
+  focus
+    rw [Nat.mul_sub_right_distrib, Nat.mul_comm]
+    exact Nat.sub_le_sub_left ((div_lt_iff_lt_mul npos).1 (lt_succ_self _)) _
+  focus
+    show succ (pred (n * p - x)) ≤ (succ (pred (p - x / n))) * n
+    rw [succ_pred_eq_of_pos (Nat.sub_pos_of_lt h₁),
+      fun h => succ_pred_eq_of_pos (Nat.sub_pos_of_lt h)] -- TODO: why is the function needed?
+    focus
+      rw [Nat.mul_sub_right_distrib, Nat.mul_comm]
+      exact Nat.sub_le_sub_left (div_mul_le_self ..) _
+    focus
+      rwa [div_lt_iff_lt_mul npos, Nat.mul_comm]
+
+theorem mul_mod_mul_left (z x y : Nat) : (z * x) % (z * y) = z * (x % y) :=
+  if y0 : y = 0 then by
+    rw [y0, Nat.mul_zero, mod_zero, mod_zero]
+  else if z0 : z = 0 then by
+    rw [z0, Nat.zero_mul, Nat.zero_mul, Nat.zero_mul, mod_zero]
+  else by
+    induction x using Nat.strongInductionOn with
+    | _ n IH =>
+      have y0 : y > 0 := Nat.pos_of_ne_zero y0
+      have z0 : z > 0 := Nat.pos_of_ne_zero z0
+      cases Nat.lt_or_ge n y with
+      | inl yn => rw [mod_eq_of_lt yn, mod_eq_of_lt (Nat.mul_lt_mul_of_pos_left yn z0)]
+      | inr yn =>
+        rw [mod_eq_sub_mod yn, mod_eq_sub_mod (Nat.mul_le_mul_left z yn),
+          ← Nat.mul_sub_left_distrib]
+        exact IH _ (sub_lt (Nat.lt_of_lt_of_le y0 yn) y0)
+
+theorem div_eq_of_lt (h₀ : a < b) : a / b = 0 := by
+  rw [div_eq a, if_neg]
+  intro h₁
+  apply Nat.not_le_of_gt h₀ h₁.right
+
 end Nat

src/Init/Data/Nat/Dvd.lean

@@ -0,0 +1,96 @@
+prelude
+import Init.Data.Nat.Div
+
+namespace Nat
+
+/--
+Divisibility of natural numbers. `a ∣ b` (typed as `\|`) says that
+there is some `c` such that `b = a * c`.
+-/
+instance : Dvd Nat where
+  dvd a b := Exists (fun c => b = a * c)
+
+protected theorem dvd_refl (a : Nat) : a ∣ a := ⟨1, by simp⟩
+
+protected theorem dvd_zero (a : Nat) : a ∣ 0 := ⟨0, by simp⟩
+
+protected theorem dvd_mul_left (a b : Nat) : a ∣ b * a := ⟨b, Nat.mul_comm b a⟩
+protected theorem dvd_mul_right (a b : Nat) : a ∣ a * b := ⟨b, rfl⟩
+
+protected theorem dvd_trans {a b c : Nat} (h₁ : a ∣ b) (h₂ : b ∣ c) : a ∣ c :=
+  match h₁, h₂ with
+  | ⟨d, (h₃ : b = a * d)⟩, ⟨e, (h₄ : c = b * e)⟩ =>
+    ⟨d * e, show c = a * (d * e) by simp[h₃,h₄, Nat.mul_assoc]⟩
+
+protected theorem eq_zero_of_zero_dvd {a : Nat} (h : 0 ∣ a) : a = 0 :=
+  let ⟨c, H'⟩ := h; H'.trans c.zero_mul
+
+@[simp] protected theorem zero_dvd {n : Nat} : 0 ∣ n ↔ n = 0 :=
+  ⟨Nat.eq_zero_of_zero_dvd, fun h => h.symm ▸ Nat.dvd_zero 0⟩
+
+protected theorem dvd_add {a b c : Nat} (h₁ : a ∣ b) (h₂ : a ∣ c) : a ∣ b + c :=
+  let ⟨d, hd⟩ := h₁; let ⟨e, he⟩ := h₂; ⟨d + e, by simp [Nat.left_distrib, hd, he]⟩
+
+protected theorem dvd_add_iff_right {k m n : Nat} (h : k ∣ m) : k ∣ n ↔ k ∣ m + n :=
+  ⟨Nat.dvd_add h,
+    match m, h with
+    | _, ⟨d, rfl⟩ => fun ⟨e, he⟩ =>
+      ⟨e - d, by rw [Nat.mul_sub_left_distrib, ← he, Nat.add_sub_cancel_left]⟩⟩
+
+protected theorem dvd_add_iff_left {k m n : Nat} (h : k ∣ n) : k ∣ m ↔ k ∣ m + n := by
+  rw [Nat.add_comm]; exact Nat.dvd_add_iff_right h
+
+theorem dvd_mod_iff {k m n : Nat} (h: k ∣ n) : k ∣ m % n ↔ k ∣ m :=
+  have := Nat.dvd_add_iff_left <| Nat.dvd_trans h <| Nat.dvd_mul_right n (m / n)
+  by rwa [mod_add_div] at this
+
+theorem le_of_dvd {m n : Nat} (h : 0 < n) : m ∣ n → m ≤ n
+  | ⟨k, e⟩ => by
+    revert h
+    rw [e]
+    match k with
+    | 0 => intro hn; simp at hn
+    | pk+1 =>
+      intro
+      have := Nat.mul_le_mul_left m (succ_pos pk)
+      rwa [Nat.mul_one] at this
+
+protected theorem dvd_antisymm : ∀ {m n : Nat}, m ∣ n → n ∣ m → m = n
+  | _, 0, _, h₂ => Nat.eq_zero_of_zero_dvd h₂
+  | 0, _, h₁, _ => (Nat.eq_zero_of_zero_dvd h₁).symm
+  | _+1, _+1, h₁, h₂ => Nat.le_antisymm (le_of_dvd (succ_pos _) h₁) (le_of_dvd (succ_pos _) h₂)
+
+theorem pos_of_dvd_of_pos {m n : Nat} (H1 : m ∣ n) (H2 : 0 < n) : 0 < m :=
+  Nat.pos_of_ne_zero fun m0 => Nat.ne_of_gt H2 <| Nat.eq_zero_of_zero_dvd (m0 ▸ H1)
+
+@[simp] protected theorem one_dvd (n : Nat) : 1 ∣ n := ⟨n, n.one_mul.symm⟩
+
+theorem eq_one_of_dvd_one {n : Nat} (H : n ∣ 1) : n = 1 := Nat.dvd_antisymm H n.one_dvd
+
+theorem mod_eq_zero_of_dvd {m n : Nat} (H : m ∣ n) : n % m = 0 := by
+  let ⟨z, H⟩ := H; rw [H, mul_mod_right]
+
+theorem dvd_of_mod_eq_zero {m n : Nat} (H : n % m = 0) : m ∣ n := by
+  exists n / m
+  have := (mod_add_div n m).symm
+  rwa [H, Nat.zero_add] at this
+
+theorem dvd_iff_mod_eq_zero (m n : Nat) : m ∣ n ↔ n % m = 0 :=
+  ⟨mod_eq_zero_of_dvd, dvd_of_mod_eq_zero⟩
+
+instance decidable_dvd : @DecidableRel Nat (·∣·) :=
+  fun _ _ => decidable_of_decidable_of_iff (dvd_iff_mod_eq_zero _ _).symm
+
+theorem emod_pos_of_not_dvd {a b : Nat} (h : ¬ a ∣ b) : 0 < b % a := by
+  rw [dvd_iff_mod_eq_zero] at h
+  exact Nat.pos_of_ne_zero h
+
+
+protected theorem mul_div_cancel' {n m : Nat} (H : n ∣ m) : n * (m / n) = m := by
+  have := mod_add_div m n
+  rwa [mod_eq_zero_of_dvd H, Nat.zero_add] at this
+
+protected theorem div_mul_cancel {n m : Nat} (H : n ∣ m) : m / n * n = m := by
+  rw [Nat.mul_comm, Nat.mul_div_cancel' H]
+
+end Nat

src/Init/Data/Nat/Gcd.lean

@@ -4,18 +4,18 @@ Released under Apache 2.0 license as described in the file LICENSE.
 Authors: Leonardo de Moura
 -/
 prelude
-import Init.Data.Nat.Div
+import Init.Data.Nat.Dvd
 
 namespace Nat
 
-private def gcdF (x : Nat) : (∀ x₁, x₁ < x → Nat → Nat) → Nat → Nat :=
-  match x with
-  | 0      => fun _ y => y
-  | succ x => fun f y => f (y % succ x) (mod_lt _ (zero_lt_succ  _)) (succ x)
-
 @[extern "lean_nat_gcd"]
-def gcd (a b : @& Nat) : Nat :=
-  WellFounded.fix (measure id).wf gcdF a b
+def gcd (m n : @& Nat) : Nat :=
+  if m = 0 then
+    n
+  else
+    gcd (n % m) m
+termination_by m
+decreasing_by simp_wf; apply mod_lt _ (zero_lt_of_ne_zero _); assumption
 
 @[simp] theorem gcd_zero_left (y : Nat) : gcd 0 y = y :=
   rfl
@@ -38,4 +38,35 @@ theorem gcd_succ (x y : Nat) : gcd (succ x) y = gcd (y % succ x) (succ x) :=
 @[simp] theorem gcd_self (n : Nat) : gcd n n = n := by
   cases n <;> simp [gcd_succ]
 
+theorem gcd_rec (m n : Nat) : gcd m n = gcd (n % m) m :=
+  match m with
+  | 0 => by have := (mod_zero n).symm; rwa [gcd_zero_right]
+  | _ + 1 => by simp [gcd_succ]
+
+@[elab_as_elim] theorem gcd.induction {P : Nat → Nat → Prop} (m n : Nat)
+    (H0 : ∀n, P 0 n) (H1 : ∀ m n, 0 < m → P (n % m) m → P m n) : P m n :=
+  Nat.strongInductionOn (motive := fun m => ∀ n, P m n) m
+    (fun
+    | 0, _ => H0
+    | _+1, IH => fun _ => H1 _ _ (succ_pos _) (IH _ (mod_lt _ (succ_pos _)) _) )
+    n
+
+theorem gcd_dvd (m n : Nat) : (gcd m n ∣ m) ∧ (gcd m n ∣ n) := by
+  induction m, n using gcd.induction with
+  | H0 n => rw [gcd_zero_left]; exact ⟨Nat.dvd_zero n, Nat.dvd_refl n⟩
+  | H1 m n _ IH => rw [← gcd_rec] at IH; exact ⟨IH.2, (dvd_mod_iff IH.2).1 IH.1⟩
+
+theorem gcd_dvd_left (m n : Nat) : gcd m n ∣ m := (gcd_dvd m n).left
+
+theorem gcd_dvd_right (m n : Nat) : gcd m n ∣ n := (gcd_dvd m n).right
+
+theorem gcd_le_left (n) (h : 0 < m) : gcd m n ≤ m := le_of_dvd h <| gcd_dvd_left m n
+
+theorem gcd_le_right (n) (h : 0 < n) : gcd m n ≤ n := le_of_dvd h <| gcd_dvd_right m n
+
+theorem dvd_gcd : k ∣ m → k ∣ n → k ∣ gcd m n := by
+  induction m, n using gcd.induction with intro km kn
+  | H0 n => rw [gcd_zero_left]; exact kn
+  | H1 n m _ IH => rw [gcd_rec]; exact IH ((dvd_mod_iff km).2 kn) km
+
 end Nat

src/Init/Data/Nat/Linear.lean

@@ -5,8 +5,7 @@ Authors: Leonardo de Moura
 -/
 prelude
 import Init.Coe
-import Init.Classical
-import Init.SimpLemmas
+import Init.ByCases
 import Init.Data.Nat.Basic
 import Init.Data.List.Basic
 import Init.Data.Prod
@@ -539,13 +538,13 @@ theorem Expr.eq_of_toNormPoly (ctx : Context) (a b : Expr) (h : a.toNormPoly = b
 theorem Expr.of_cancel_eq (ctx : Context) (a b c d : Expr) (h : Poly.cancel a.toNormPoly b.toNormPoly = (c.toPoly, d.toPoly)) : (a.denote ctx = b.denote ctx) = (c.denote ctx = d.denote ctx) := by
   have := Poly.denote_eq_cancel_eq ctx a.toNormPoly b.toNormPoly
   rw [h] at this
-  simp [toNormPoly, Poly.norm, Poly.denote_eq] at this
+  simp [toNormPoly, Poly.norm, Poly.denote_eq, -eq_iff_iff] at this
   exact this.symm
 
 theorem Expr.of_cancel_le (ctx : Context) (a b c d : Expr) (h : Poly.cancel a.toNormPoly b.toNormPoly = (c.toPoly, d.toPoly)) : (a.denote ctx ≤ b.denote ctx) = (c.denote ctx ≤ d.denote ctx) := by
   have := Poly.denote_le_cancel_eq ctx a.toNormPoly b.toNormPoly
   rw [h] at this
-  simp [toNormPoly, Poly.norm,Poly.denote_le] at this
+  simp [toNormPoly, Poly.norm,Poly.denote_le, -eq_iff_iff] at this
   exact this.symm
 
 theorem Expr.of_cancel_lt (ctx : Context) (a b c d : Expr) (h : Poly.cancel a.inc.toNormPoly b.toNormPoly = (c.inc.toPoly, d.toPoly)) : (a.denote ctx < b.denote ctx) = (c.denote ctx < d.denote ctx) :=
@@ -590,7 +589,7 @@ theorem PolyCnstr.denote_mul (ctx : Context) (k : Nat) (c : PolyCnstr) : (c.mul
   have : (1 == (0 : Nat)) = false := rfl
   have : (1 == (1 : Nat)) = true  := rfl
   by_cases he : eq = true <;> simp [he, PolyCnstr.mul, PolyCnstr.denote, Poly.denote_le, Poly.denote_eq]
-     <;> by_cases hk : k == 0 <;> (try simp [eq_of_beq hk]) <;> simp [*] <;> apply propext <;> apply Iff.intro <;> intro h
+     <;> by_cases hk : k == 0 <;> (try simp [eq_of_beq hk]) <;> simp [*] <;> apply Iff.intro <;> intro h
   · exact Nat.eq_of_mul_eq_mul_left (Nat.zero_lt_succ _) h
   · rw [h]
   · exact Nat.le_of_mul_le_mul_left h (Nat.zero_lt_succ _)
@@ -637,20 +636,18 @@ theorem Poly.of_isNonZero (ctx : Context) {p : Poly} (h : isNonZero p = true) :
 theorem PolyCnstr.eq_false_of_isUnsat (ctx : Context) {c : PolyCnstr} : c.isUnsat → c.denote ctx = False := by
   cases c; rename_i eq lhs rhs
   simp [isUnsat]
-  by_cases he : eq = true <;> simp [he, denote, Poly.denote_eq, Poly.denote_le]
+  by_cases he : eq = true <;> simp [he, denote, Poly.denote_eq, Poly.denote_le, -and_imp]
   · intro
       | Or.inl ⟨h₁, h₂⟩ => simp [Poly.of_isZero, h₁]; have := Nat.not_eq_zero_of_lt (Poly.of_isNonZero ctx h₂); simp [this.symm]
       | Or.inr ⟨h₁, h₂⟩ => simp [Poly.of_isZero, h₂]; have := Nat.not_eq_zero_of_lt (Poly.of_isNonZero ctx h₁); simp [this]
   · intro ⟨h₁, h₂⟩
     simp [Poly.of_isZero, h₂]
-    have := Nat.not_eq_zero_of_lt (Poly.of_isNonZero ctx h₁)
-    simp [this]
-    done
+    exact Poly.of_isNonZero ctx h₁
 
 theorem PolyCnstr.eq_true_of_isValid (ctx : Context) {c : PolyCnstr} : c.isValid → c.denote ctx = True := by
   cases c; rename_i eq lhs rhs
   simp [isValid]
-  by_cases he : eq = true <;> simp [he, denote, Poly.denote_eq, Poly.denote_le]
+  by_cases he : eq = true <;> simp [he, denote, Poly.denote_eq, Poly.denote_le, -and_imp]
   · intro ⟨h₁, h₂⟩
     simp [Poly.of_isZero, h₁, h₂]
   · intro h
@@ -658,12 +655,12 @@ theorem PolyCnstr.eq_true_of_isValid (ctx : Context) {c : PolyCnstr} : c.isValid
 
 theorem ExprCnstr.eq_false_of_isUnsat (ctx : Context) (c : ExprCnstr) (h : c.toNormPoly.isUnsat) : c.denote ctx = False := by
   have := PolyCnstr.eq_false_of_isUnsat ctx h
-  simp at this
+  simp [-eq_iff_iff] at this
   assumption
 
 theorem ExprCnstr.eq_true_of_isValid (ctx : Context) (c : ExprCnstr) (h : c.toNormPoly.isValid) : c.denote ctx = True := by
   have := PolyCnstr.eq_true_of_isValid ctx h
-  simp at this
+  simp [-eq_iff_iff] at this
   assumption
 
 theorem Certificate.of_combineHyps (ctx : Context) (c : PolyCnstr) (cs : Certificate) (h : (combineHyps c cs).denote ctx → False) : c.denote ctx → cs.denote ctx := by
@@ -712,7 +709,7 @@ theorem Poly.denote_toExpr (ctx : Context) (p : Poly) : p.toExpr.denote ctx = p.
 
 theorem ExprCnstr.eq_of_toNormPoly_eq (ctx : Context) (c d : ExprCnstr) (h : c.toNormPoly == d.toPoly) : c.denote ctx = d.denote ctx := by
   have h := congrArg (PolyCnstr.denote ctx) (eq_of_beq h)
-  simp at h
+  simp [-eq_iff_iff] at h
   assumption
 
 theorem Expr.eq_of_toNormPoly_eq (ctx : Context) (e e' : Expr) (h : e.toNormPoly == e'.toPoly) : e.denote ctx = e'.denote ctx := by

src/Init/Data/Nat/MinMax.lean

@@ -0,0 +1,51 @@
+prelude
+import Init.ByCases
+
+namespace Nat
+
+/-! # min lemmas -/
+
+protected theorem min_eq_min (a : Nat) : Nat.min a b = min a b := rfl
+
+protected theorem min_comm (a b : Nat) : min a b = min b a := by
+  match Nat.lt_trichotomy a b with
+  | .inl h => simp [Nat.min_def, h, Nat.le_of_lt, Nat.not_le_of_lt]
+  | .inr (.inl h) => simp [Nat.min_def, h]
+  | .inr (.inr h) => simp [Nat.min_def, h, Nat.le_of_lt, Nat.not_le_of_lt]
+
+protected theorem min_le_right (a b : Nat) : min a b ≤ b := by
+  by_cases (a <= b) <;> simp [Nat.min_def, *]
+protected theorem min_le_left (a b : Nat) : min a b ≤ a :=
+  Nat.min_comm .. ▸ Nat.min_le_right ..
+
+protected theorem min_eq_left {a b : Nat} (h : a ≤ b) : min a b = a := if_pos h
+protected theorem min_eq_right {a b : Nat} (h : b ≤ a) : min a b = b :=
+  Nat.min_comm .. ▸ Nat.min_eq_left h
+
+protected theorem le_min_of_le_of_le {a b c : Nat} : a ≤ b → a ≤ c → a ≤ min b c := by
+  intros; cases Nat.le_total b c with
+  | inl h => rw [Nat.min_eq_left h]; assumption
+  | inr h => rw [Nat.min_eq_right h]; assumption
+
+protected theorem le_min {a b c : Nat} : a ≤ min b c ↔ a ≤ b ∧ a ≤ c :=
+  ⟨fun h => ⟨Nat.le_trans h (Nat.min_le_left ..), Nat.le_trans h (Nat.min_le_right ..)⟩,
+   fun ⟨h₁, h₂⟩ => Nat.le_min_of_le_of_le h₁ h₂⟩
+
+protected theorem lt_min {a b c : Nat} : a < min b c ↔ a < b ∧ a < c := Nat.le_min
+
+/-! # max lemmas -/
+
+protected theorem max_eq_max (a : Nat) : Nat.max a b = max a b := rfl
+
+protected theorem max_comm (a b : Nat) : max a b = max b a := by
+  simp only [Nat.max_def]
+  by_cases h₁ : a ≤ b <;> by_cases h₂ : b ≤ a <;> simp [h₁, h₂]
+  · exact Nat.le_antisymm h₂ h₁
+  · cases not_or_intro h₁ h₂ <| Nat.le_total ..
+
+protected theorem le_max_left ( a b : Nat) : a ≤ max a b := by
+  by_cases (a <= b) <;> simp [Nat.max_def, *]
+protected theorem le_max_right (a b : Nat) : b ≤ max a b :=
+   Nat.max_comm .. ▸ Nat.le_max_left ..
+
+end Nat

src/Init/Data/Nat/Power2.lean

@@ -8,6 +8,8 @@ import Init.Data.Nat.Linear
 
 namespace Nat
 
+protected theorem two_pow_pos (w : Nat) : 0 < 2^w := Nat.pos_pow_of_pos _ (by decide)
+
 theorem nextPowerOfTwo_dec {n power : Nat} (h₁ : power > 0) (h₂ : power < n) : n - power * 2 < n - power := by
   have : power * 2 = power + power := by simp_arith
   rw [this, Nat.sub_add_eq]
@@ -21,8 +23,8 @@ where
       go (power * 2) (Nat.mul_pos h (by decide))
     else
       power
-termination_by go p h => n - p
-decreasing_by simp_wf; apply nextPowerOfTwo_dec <;> assumption
+  termination_by n - power
+  decreasing_by simp_wf; apply nextPowerOfTwo_dec <;> assumption
 
 def isPowerOfTwo (n : Nat) := ∃ k, n = 2 ^ k
 
@@ -48,7 +50,7 @@ where
     split
     . exact isPowerOfTwo_go (power*2) (Nat.mul_pos h₁ (by decide)) (Nat.mul2_isPowerOfTwo_of_isPowerOfTwo h₂)
     . assumption
-termination_by isPowerOfTwo_go p _ _ => n - p
-decreasing_by simp_wf; apply nextPowerOfTwo_dec <;> assumption
+  termination_by n - power
+  decreasing_by simp_wf; apply nextPowerOfTwo_dec <;> assumption
 
 end Nat

src/Init/Data/OfScientific.lean

@@ -6,7 +6,7 @@ Authors: Leonardo de Moura
 prelude
 import Init.Meta
 import Init.Data.Float
-import Init.Data.Nat
+import Init.Data.Nat.Log2
 
 /-- For decimal and scientific numbers (e.g., `1.23`, `3.12e10`).
    Examples:

src/Init/Data/Option.lean

@@ -7,3 +7,4 @@ prelude
 import Init.Data.Option.Basic
 import Init.Data.Option.BasicAux
 import Init.Data.Option.Instances
+import Init.Data.Option.Lemmas

src/Init/Data/Option/Basic.lean

@@ -1,7 +1,7 @@
 /-
 Copyright (c) 2014 Microsoft Corporation. All rights reserved.
 Released under Apache 2.0 license as described in the file LICENSE.
-Authors: Leonardo de Moura
+Authors: Leonardo de Moura, Mario Carneiro
 -/
 prelude
 import Init.Core
@@ -10,6 +10,9 @@ import Init.Coe
 
 namespace Option
 
+deriving instance DecidableEq for Option
+deriving instance BEq for Option
+
 def toMonad [Monad m] [Alternative m] : Option α → m α
   | none     => failure
   | some a   => pure a
@@ -81,10 +84,131 @@ def merge (fn : α → α → α) : Option α → Option α → Option α
   | none  , some y => some y
   | some x, some y => some <| fn x y
 
-end Option
+@[simp] theorem getD_none : getD none a = a := rfl
+@[simp] theorem getD_some : getD (some a) b = a := rfl
 
-deriving instance DecidableEq for Option
-deriving instance BEq for Option
+@[simp] theorem map_none' (f : α → β) : none.map f = none := rfl
+@[simp] theorem map_some' (a) (f : α → β) : (some a).map f = some (f a) := rfl
+
+@[simp] theorem none_bind (f : α → Option β) : none.bind f = none := rfl
+@[simp] theorem some_bind (a) (f : α → Option β) : (some a).bind f = f a := rfl
+
+
+/-- An elimination principle for `Option`. It is a nondependent version of `Option.recOn`. -/
+@[simp, inline] protected def elim : Option α → β → (α → β) → β
+  | some x, _, f => f x
+  | none, y, _ => y
+
+/-- Extracts the value `a` from an option that is known to be `some a` for some `a`. -/
+@[inline] def get {α : Type u} : (o : Option α) → isSome o → α
+  | some x, _ => x
+
+/-- `guard p a` returns `some a` if `p a` holds, otherwise `none`. -/
+@[inline] def guard (p : α → Prop) [DecidablePred p] (a : α) : Option α :=
+  if p a then some a else none
+
+/--
+Cast of `Option` to `List`. Returns `[a]` if the input is `some a`, and `[]` if it is `none`.
+-/
+@[inline] def toList : Option α → List α
+  | none => .nil
+  | some a => .cons a .nil
+
+/--
+Cast of `Option` to `Array`. Returns `#[a]` if the input is `some a`, and `#[]` if it is `none`.
+-/
+@[inline] def toArray : Option α → Array α
+  | none => List.toArray .nil
+  | some a => List.toArray (.cons a .nil)
+
+/--
+Two arguments failsafe function. Returns `f a b` if the inputs are `some a` and `some b`, and
+"does nothing" otherwise.
+-/
+def liftOrGet (f : α → α → α) : Option α → Option α → Option α
+  | none, none => none
+  | some a, none => some a
+  | none, some b => some b
+  | some a, some b => some (f a b)
+
+/-- Lifts a relation `α → β → Prop` to a relation `Option α → Option β → Prop` by just adding
+`none ~ none`. -/
+inductive Rel (r : α → β → Prop) : Option α → Option β → Prop
+  /-- If `a ~ b`, then `some a ~ some b` -/
+  | some {a b} : r a b → Rel r (some a) (some b)
+  /-- `none ~ none` -/
+  | none : Rel r none none
+
+/-- Flatten an `Option` of `Option`, a specialization of `joinM`. -/
+@[simp, inline] def join (x : Option (Option α)) : Option α := x.bind id
+
+/-- Like `Option.mapM` but for applicative functors. -/
+@[inline] protected def mapA [Applicative m] {α β} (f : α → m β) : Option α → m (Option β)
+  | none => pure none
+  | some x => some <$> f x
+
+/--
+If you maybe have a monadic computation in a `[Monad m]` which produces a term of type `α`, then
+there is a naturally associated way to always perform a computation in `m` which maybe produces a
+result.
+-/
+@[inline] def sequence [Monad m] {α : Type u} : Option (m α) → m (Option α)
+  | none => pure none
+  | some fn => some <$> fn
+
+/-- A monadic analogue of `Option.elim`. -/
+@[inline] def elimM [Monad m] (x : m (Option α)) (y : m β) (z : α → m β) : m β :=
+  do (← x).elim y z
+
+/-- A monadic analogue of `Option.getD`. -/
+@[inline] def getDM [Monad m] (x : Option α) (y : m α) : m α :=
+  match x with
+  | some a => pure a
+  | none => y
+
+instance (α) [BEq α] [LawfulBEq α] : LawfulBEq (Option α) where
+  rfl {x} :=
+    match x with
+    | some x => LawfulBEq.rfl (α := α)
+    | none => rfl
+  eq_of_beq {x y h} := by
+    match x, y with
+    | some x, some y => rw [LawfulBEq.eq_of_beq (α := α) h]
+    | none, none => rfl
+
+@[simp] theorem all_none : Option.all p none = true := rfl
+@[simp] theorem all_some : Option.all p (some x) = p x := rfl
+
+/-- The minimum of two optional values. -/
+protected def min [Min α] : Option α → Option α → Option α
+  | some x, some y => some (Min.min x y)
+  | some x, none => some x
+  | none, some y => some y
+  | none, none => none
+
+instance [Min α] : Min (Option α) where min := Option.min
+
+@[simp] theorem min_some_some [Min α] {a b : α} : min (some a) (some b) = some (min a b) := rfl
+@[simp] theorem min_some_none [Min α] {a : α} : min (some a) none = some a := rfl
+@[simp] theorem min_none_some [Min α] {b : α} : min none (some b) = some b := rfl
+@[simp] theorem min_none_none [Min α] : min (none : Option α) none = none := rfl
+
+/-- The maximum of two optional values. -/
+protected def max [Max α] : Option α → Option α → Option α
+  | some x, some y => some (Max.max x y)
+  | some x, none => some x
+  | none, some y => some y
+  | none, none => none
+
+instance [Max α] : Max (Option α) where max := Option.max
+
+@[simp] theorem max_some_some [Max α] {a b : α} : max (some a) (some b) = some (max a b) := rfl
+@[simp] theorem max_some_none [Max α] {a : α} : max (some a) none = some a := rfl
+@[simp] theorem max_none_some [Max α] {b : α} : max none (some b) = some b := rfl
+@[simp] theorem max_none_none [Max α] : max (none : Option α) none = none := rfl
+
+
+end Option
 
 instance [LT α] : LT (Option α) where
   lt := Option.lt (· < ·)

src/Init/Data/Option/Instances.lean

@@ -8,11 +8,82 @@ import Init.Data.Option.Basic
 
 universe u v
 
-theorem Option.eq_of_eq_some {α : Type u} : ∀ {x y : Option α}, (∀z, x = some z ↔ y = some z) → x = y
+namespace Option
+
+theorem eq_of_eq_some {α : Type u} : ∀ {x y : Option α}, (∀z, x = some z ↔ y = some z) → x = y
   | none,   none,   _ => rfl
   | none,   some z, h => Option.noConfusion ((h z).2 rfl)
   | some z, none,   h => Option.noConfusion ((h z).1 rfl)
   | some _, some w, h => Option.noConfusion ((h w).2 rfl) (congrArg some)
 
-theorem Option.eq_none_of_isNone {α : Type u} : ∀ {o : Option α}, o.isNone → o = none
+theorem eq_none_of_isNone {α : Type u} : ∀ {o : Option α}, o.isNone → o = none
   | none, _ => rfl
+
+instance : Membership α (Option α) := ⟨fun a b => b = some a⟩
+
+@[simp] theorem mem_def {a : α} {b : Option α} : a ∈ b ↔ b = some a := .rfl
+
+instance [DecidableEq α] (j : α) (o : Option α) : Decidable (j ∈ o) :=
+  inferInstanceAs <| Decidable (o = some j)
+
+theorem isNone_iff_eq_none {o : Option α} : o.isNone ↔ o = none :=
+  ⟨Option.eq_none_of_isNone, fun e => e.symm ▸ rfl⟩
+
+theorem some_inj {a b : α} : some a = some b ↔ a = b := by simp; rfl
+
+/--
+`o = none` is decidable even if the wrapped type does not have decidable equality.
+This is not an instance because it is not definitionally equal to `instance : DecidableEq Option`.
+Try to use `o.isNone` or `o.isSome` instead.
+-/
+@[inline] def decidable_eq_none {o : Option α} : Decidable (o = none) :=
+  decidable_of_decidable_of_iff isNone_iff_eq_none
+
+instance {p : α → Prop} [DecidablePred p] : ∀ o : Option α, Decidable (∀ a, a ∈ o → p a)
+| none => isTrue nofun
+| some a =>
+  if h : p a then isTrue fun _ e => some_inj.1 e ▸ h
+  else isFalse <| mt (· _ rfl) h
+
+instance {p : α → Prop} [DecidablePred p] : ∀ o : Option α, Decidable (Exists fun a => a ∈ o ∧ p a)
+| none => isFalse nofun
+| some a => if h : p a then isTrue ⟨_, rfl, h⟩ else isFalse fun ⟨_, ⟨rfl, hn⟩⟩ => h hn
+
+/--
+Partial bind. If for some `x : Option α`, `f : Π (a : α), a ∈ x → Option β` is a
+partial function defined on `a : α` giving an `Option β`, where `some a = x`,
+then `pbind x f h` is essentially the same as `bind x f`
+but is defined only when all `x = some a`, using the proof to apply `f`.
+-/
+@[simp, inline]
+def pbind : ∀ x : Option α, (∀ a : α, a ∈ x → Option β) → Option β
+  | none, _ => none
+  | some a, f => f a rfl
+
+/--
+Partial map. If `f : Π a, p a → β` is a partial function defined on `a : α` satisfying `p`,
+then `pmap f x h` is essentially the same as `map f x` but is defined only when all members of `x`
+satisfy `p`, using the proof to apply `f`.
+-/
+@[simp, inline] def pmap {p : α → Prop} (f : ∀ a : α, p a → β) :
+    ∀ x : Option α, (∀ a, a ∈ x → p a) → Option β
+  | none, _ => none
+  | some a, H => f a (H a rfl)
+
+/-- Map a monadic function which returns `Unit` over an `Option`. -/
+@[inline] protected def forM [Pure m] : Option α → (α → m PUnit) → m PUnit
+  | none  , _ => pure ()
+  | some a, f => f a
+
+instance : ForM m (Option α) α :=
+  ⟨Option.forM⟩
+
+instance : ForIn' m (Option α) α inferInstance where
+  forIn' x init f := do
+    match x with
+    | none => return init
+    | some a =>
+      match ← f a rfl init with
+      | .done r | .yield r => return r
+
+end Option

src/Init/Data/Option/Lemmas.lean

@@ -0,0 +1,238 @@
+/-
+Copyright (c) 2017 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro
+-/
+prelude
+import Init.Data.Option.Instances
+import Init.Classical
+import Init.Ext
+
+namespace Option
+
+theorem mem_iff {a : α} {b : Option α} : a ∈ b ↔ b = a := .rfl
+
+theorem some_ne_none (x : α) : some x ≠ none := nofun
+
+protected theorem «forall» {p : Option α → Prop} : (∀ x, p x) ↔ p none ∧ ∀ x, p (some x) :=
+  ⟨fun h => ⟨h _, fun _ => h _⟩, fun h x => Option.casesOn x h.1 h.2⟩
+
+protected theorem «exists» {p : Option α → Prop} :
+    (∃ x, p x) ↔ p none ∨ ∃ x, p (some x) :=
+  ⟨fun | ⟨none, hx⟩ => .inl hx | ⟨some x, hx⟩ => .inr ⟨x, hx⟩,
+   fun | .inl h => ⟨_, h⟩ | .inr ⟨_, hx⟩ => ⟨_, hx⟩⟩
+
+theorem get_mem : ∀ {o : Option α} (h : isSome o), o.get h ∈ o
+  | some _, _ => rfl
+
+theorem get_of_mem : ∀ {o : Option α} (h : isSome o), a ∈ o → o.get h = a
+  | _, _, rfl => rfl
+
+theorem not_mem_none (a : α) : a ∉ (none : Option α) := nofun
+
+@[simp] theorem some_get : ∀ {x : Option α} (h : isSome x), some (x.get h) = x
+| some _, _ => rfl
+
+@[simp] theorem get_some (x : α) (h : isSome (some x)) : (some x).get h = x := rfl
+
+theorem getD_of_ne_none {x : Option α} (hx : x ≠ none) (y : α) : some (x.getD y) = x := by
+  cases x; {contradiction}; rw [getD_some]
+
+theorem getD_eq_iff {o : Option α} {a b} : o.getD a = b ↔ (o = some b ∨ o = none ∧ a = b) := by
+  cases o <;> simp
+
+theorem mem_unique {o : Option α} {a b : α} (ha : a ∈ o) (hb : b ∈ o) : a = b :=
+  some.inj <| ha ▸ hb
+
+@[ext] theorem ext : ∀ {o₁ o₂ : Option α}, (∀ a, a ∈ o₁ ↔ a ∈ o₂) → o₁ = o₂
+  | none, none, _ => rfl
+  | some _, _, H => ((H _).1 rfl).symm
+  | _, some _, H => (H _).2 rfl
+
+theorem eq_none_iff_forall_not_mem : o = none ↔ ∀ a, a ∉ o :=
+  ⟨fun e a h => by rw [e] at h; (cases h), fun h => ext <| by simp; exact h⟩
+
+@[simp] theorem isSome_none : @isSome α none = false := rfl
+
+@[simp] theorem isSome_some : isSome (some a) = true := rfl
+
+theorem isSome_iff_exists : isSome x ↔ ∃ a, x = some a := by cases x <;> simp [isSome]
+
+@[simp] theorem isNone_none : @isNone α none = true := rfl
+
+@[simp] theorem isNone_some : isNone (some a) = false := rfl
+
+@[simp] theorem not_isSome : isSome a = false ↔ a.isNone = true := by
+  cases a <;> simp
+
+theorem eq_some_iff_get_eq : o = some a ↔ ∃ h : o.isSome, o.get h = a := by
+  cases o <;> simp; nofun
+
+theorem eq_some_of_isSome : ∀ {o : Option α} (h : o.isSome), o = some (o.get h)
+  | some _, _ => rfl
+
+theorem not_isSome_iff_eq_none : ¬o.isSome ↔ o = none := by
+  cases o <;> simp
+
+theorem ne_none_iff_isSome : o ≠ none ↔ o.isSome := by cases o <;> simp
+
+theorem ne_none_iff_exists : o ≠ none ↔ ∃ x, some x = o := by cases o <;> simp
+
+theorem ne_none_iff_exists' : o ≠ none ↔ ∃ x, o = some x :=
+  ne_none_iff_exists.trans <| exists_congr fun _ => eq_comm
+
+theorem bex_ne_none {p : Option α → Prop} : (∃ x, ∃ (_ : x ≠ none), p x) ↔ ∃ x, p (some x) :=
+  ⟨fun ⟨x, hx, hp⟩ => ⟨x.get <| ne_none_iff_isSome.1 hx, by rwa [some_get]⟩,
+    fun ⟨x, hx⟩ => ⟨some x, some_ne_none x, hx⟩⟩
+
+theorem ball_ne_none {p : Option α → Prop} : (∀ x (_ : x ≠ none), p x) ↔ ∀ x, p (some x) :=
+  ⟨fun h x => h (some x) (some_ne_none x),
+    fun h x hx => by
+      have := h <| x.get <| ne_none_iff_isSome.1 hx
+      simp [some_get] at this ⊢
+      exact this⟩
+
+@[simp] theorem pure_def : pure = @some α := rfl
+
+@[simp] theorem bind_eq_bind : bind = @Option.bind α β := rfl
+
+@[simp] theorem bind_some (x : Option α) : x.bind some = x := by cases x <;> rfl
+
+@[simp] theorem bind_none (x : Option α) : x.bind (fun _ => none (α := β)) = none := by
+  cases x <;> rfl
+
+@[simp] theorem bind_eq_some : x.bind f = some b ↔ ∃ a, x = some a ∧ f a = some b := by
+  cases x <;> simp
+
+@[simp] theorem bind_eq_none {o : Option α} {f : α → Option β} :
+    o.bind f = none ↔ ∀ a, o = some a → f a = none := by cases o <;> simp
+
+theorem bind_eq_none' {o : Option α} {f : α → Option β} :
+    o.bind f = none ↔ ∀ b a, a ∈ o → b ∉ f a := by
+  simp only [eq_none_iff_forall_not_mem, not_exists, not_and, mem_def, bind_eq_some]
+
+theorem bind_comm {f : α → β → Option γ} (a : Option α) (b : Option β) :
+    (a.bind fun x => b.bind (f x)) = b.bind fun y => a.bind fun x => f x y := by
+  cases a <;> cases b <;> rfl
+
+theorem bind_assoc (x : Option α) (f : α → Option β) (g : β → Option γ) :
+    (x.bind f).bind g = x.bind fun y => (f y).bind g := by cases x <;> rfl
+
+theorem join_eq_some : x.join = some a ↔ x = some (some a) := by
+  simp
+
+theorem join_ne_none : x.join ≠ none ↔ ∃ z, x = some (some z) := by
+  simp only [ne_none_iff_exists', join_eq_some, iff_self]
+
+theorem join_ne_none' : ¬x.join = none ↔ ∃ z, x = some (some z) :=
+  join_ne_none
+
+theorem join_eq_none : o.join = none ↔ o = none ∨ o = some none :=
+  match o with | none | some none | some (some _) => by simp
+
+theorem bind_id_eq_join {x : Option (Option α)} : x.bind id = x.join := rfl
+
+@[simp] theorem map_eq_map : Functor.map f = Option.map f := rfl
+
+theorem map_none : f <$> none = none := rfl
+
+theorem map_some : f <$> some a = some (f a) := rfl
+
+@[simp] theorem map_eq_some' : x.map f = some b ↔ ∃ a, x = some a ∧ f a = b := by cases x <;> simp
+
+theorem map_eq_some : f <$> x = some b ↔ ∃ a, x = some a ∧ f a = b := map_eq_some'
+
+@[simp] theorem map_eq_none' : x.map f = none ↔ x = none := by
+  cases x <;> simp only [map_none', map_some', eq_self_iff_true]
+
+theorem map_eq_none : f <$> x = none ↔ x = none := map_eq_none'
+
+theorem map_eq_bind {x : Option α} : x.map f = x.bind (some ∘ f) := by
+  cases x <;> simp [Option.bind]
+
+theorem map_congr {x : Option α} (h : ∀ a, a ∈ x → f a = g a) : x.map f = x.map g := by
+  cases x <;> simp only [map_none', map_some', h, mem_def]
+
+@[simp] theorem map_id' : Option.map (@id α) = id := map_id
+@[simp] theorem map_id'' {x : Option α} : (x.map fun a => a) = x := congrFun map_id x
+
+@[simp] theorem map_map (h : β → γ) (g : α → β) (x : Option α) :
+    (x.map g).map h = x.map (h ∘ g) := by
+  cases x <;> simp only [map_none', map_some', ·∘·]
+
+theorem comp_map (h : β → γ) (g : α → β) (x : Option α) : x.map (h ∘ g) = (x.map g).map h :=
+  (map_map ..).symm
+
+@[simp] theorem map_comp_map (f : α → β) (g : β → γ) :
+    Option.map g ∘ Option.map f = Option.map (g ∘ f) := by funext x; simp
+
+theorem mem_map_of_mem (g : α → β) (h : a ∈ x) : g a ∈ Option.map g x := h.symm ▸ map_some' ..
+
+theorem bind_map_comm {α β} {x : Option (Option α)} {f : α → β} :
+    x.bind (Option.map f) = (x.map (Option.map f)).bind id := by cases x <;> simp
+
+theorem join_map_eq_map_join {f : α → β} {x : Option (Option α)} :
+    (x.map (Option.map f)).join = x.join.map f := by cases x <;> simp
+
+theorem join_join {x : Option (Option (Option α))} : x.join.join = (x.map join).join := by
+  cases x <;> simp
+
+theorem mem_of_mem_join {a : α} {x : Option (Option α)} (h : a ∈ x.join) : some a ∈ x :=
+  h.symm ▸ join_eq_some.1 h
+
+@[simp] theorem some_orElse (a : α) (x : Option α) : (some a <|> x) = some a := rfl
+
+@[simp] theorem none_orElse (x : Option α) : (none <|> x) = x := rfl
+
+@[simp] theorem orElse_none (x : Option α) : (x <|> none) = x := by cases x <;> rfl
+
+theorem map_orElse {x y : Option α} : (x <|> y).map f = (x.map f <|> y.map f) := by
+  cases x <;> simp
+
+@[simp] theorem guard_eq_some [DecidablePred p] : guard p a = some b ↔ a = b ∧ p a :=
+  if h : p a then by simp [Option.guard, h] else by simp [Option.guard, h]
+
+theorem liftOrGet_eq_or_eq {f : α → α → α} (h : ∀ a b, f a b = a ∨ f a b = b) :
+    ∀ o₁ o₂, liftOrGet f o₁ o₂ = o₁ ∨ liftOrGet f o₁ o₂ = o₂
+  | none, none => .inl rfl
+  | some a, none => .inl rfl
+  | none, some b => .inr rfl
+  | some a, some b => by have := h a b; simp [liftOrGet] at this ⊢; exact this
+
+@[simp] theorem liftOrGet_none_left {f} {b : Option α} : liftOrGet f none b = b := by
+  cases b <;> rfl
+
+@[simp] theorem liftOrGet_none_right {f} {a : Option α} : liftOrGet f a none = a := by
+  cases a <;> rfl
+
+@[simp] theorem liftOrGet_some_some {f} {a b : α} :
+  liftOrGet f (some a) (some b) = f a b := rfl
+
+theorem elim_none (x : β) (f : α → β) : none.elim x f = x := rfl
+
+theorem elim_some (x : β) (f : α → β) (a : α) : (some a).elim x f = f a := rfl
+
+@[simp] theorem getD_map (f : α → β) (x : α) (o : Option α) :
+  (o.map f).getD (f x) = f (getD o x) := by cases o <;> rfl
+
+section
+
+attribute [local instance] Classical.propDecidable
+
+/-- An arbitrary `some a` with `a : α` if `α` is nonempty, and otherwise `none`. -/
+noncomputable def choice (α : Type _) : Option α :=
+  if h : Nonempty α then some (Classical.choice h) else none
+
+theorem choice_eq {α : Type _} [Subsingleton α] (a : α) : choice α = some a := by
+  simp [choice]
+  rw [dif_pos (⟨a⟩ : Nonempty α)]
+  simp; apply Subsingleton.elim
+
+theorem choice_isSome_iff_nonempty {α : Type _} : (choice α).isSome ↔ Nonempty α :=
+  ⟨fun h => ⟨(choice α).get h⟩, fun h => by simp only [choice, dif_pos h, isSome_some]⟩
+
+end
+
+@[simp] theorem toList_some (a : α) : (a : Option α).toList = [a] := rfl
+
+@[simp] theorem toList_none (α : Type _) : (none : Option α).toList = [] := rfl

src/Init/Data/Ord.lean

@@ -12,16 +12,105 @@ inductive Ordering where
   | lt | eq | gt
 deriving Inhabited, BEq
 
+namespace Ordering
+
+deriving instance DecidableEq for Ordering
+
+/-- Swaps less and greater ordering results -/
+def swap : Ordering → Ordering
+  | .lt => .gt
+  | .eq => .eq
+  | .gt => .lt
+
+/--
+If `o₁` and `o₂` are `Ordering`, then `o₁.then o₂` returns `o₁` unless it is `.eq`,
+in which case it returns `o₂`. Additionally, it has "short-circuiting" semantics similar to
+boolean `x && y`: if `o₁` is not `.eq` then the expression for `o₂` is not evaluated.
+This is a useful primitive for constructing lexicographic comparator functions:
+```
+structure Person where
+  name : String
+  age : Nat
+
+instance : Ord Person where
+  compare a b := (compare a.name b.name).then (compare b.age a.age)
+```
+This example will sort people first by name (in ascending order) and will sort people with
+the same name by age (in descending order). (If all fields are sorted ascending and in the same
+order as they are listed in the structure, you can also use `deriving Ord` on the structure
+definition for the same effect.)
+-/
+@[macro_inline] def «then» : Ordering → Ordering → Ordering
+  | .eq, f => f
+  | o, _ => o
+
+/--
+Check whether the ordering is 'equal'.
+-/
+def isEq : Ordering → Bool
+  | eq => true
+  | _ => false
+
+/--
+Check whether the ordering is 'not equal'.
+-/
+def isNe : Ordering → Bool
+  | eq => false
+  | _ => true
+
+/--
+Check whether the ordering is 'less than or equal to'.
+-/
+def isLE : Ordering → Bool
+  | gt => false
+  | _ => true
+
+/--
+Check whether the ordering is 'less than'.
+-/
+def isLT : Ordering → Bool
+  | lt => true
+  | _ => false
+
+/--
+Check whether the ordering is 'greater than'.
+-/
+def isGT : Ordering → Bool
+  | gt => true
+  | _ => false
+
+/--
+Check whether the ordering is 'greater than or equal'.
+-/
+def isGE : Ordering → Bool
+  | lt => false
+  | _ => true
+
+end Ordering
+
+@[inline] def compareOfLessAndEq {α} (x y : α) [LT α] [Decidable (x < y)] [DecidableEq α] : Ordering :=
+  if x < y then Ordering.lt
+  else if x = y then Ordering.eq
+  else Ordering.gt
+
+/--
+Compare `a` and `b` lexicographically by `cmp₁` and `cmp₂`. `a` and `b` are
+first compared by `cmp₁`. If this returns 'equal', `a` and `b` are compared
+by `cmp₂` to break the tie.
+-/
+@[inline] def compareLex (cmp₁ cmp₂ : α → β → Ordering) (a : α) (b : β) : Ordering :=
+  (cmp₁ a b).then (cmp₂ a b)
 
 class Ord (α : Type u) where
   compare : α → α → Ordering
 
 export Ord (compare)
 
-@[inline] def compareOfLessAndEq {α} (x y : α) [LT α] [Decidable (x < y)] [DecidableEq α] : Ordering :=
-  if x < y then Ordering.lt
-  else if x = y then Ordering.eq
-  else Ordering.gt
+/--
+Compare `x` and `y` by comparing `f x` and `f y`.
+-/
+@[inline] def compareOn [ord : Ord β] (f : α → β) (x y : α) : Ordering :=
+  compare (f x) (f y)
 
 instance : Ord Nat where
   compare x y := compareOfLessAndEq x y
@@ -71,13 +160,55 @@ def ltOfOrd [Ord α] : LT α where
 instance [Ord α] : DecidableRel (@LT.lt α ltOfOrd) :=
   inferInstanceAs (DecidableRel (fun a b => compare a b == Ordering.lt))
 
-def Ordering.isLE : Ordering → Bool
-  | Ordering.lt => true
-  | Ordering.eq => true
-  | Ordering.gt => false
-
 def leOfOrd [Ord α] : LE α where
   le a b := (compare a b).isLE
 
 instance [Ord α] : DecidableRel (@LE.le α leOfOrd) :=
   inferInstanceAs (DecidableRel (fun a b => (compare a b).isLE))
+
+namespace Ord
+
+/--
+Derive a `BEq` instance from an `Ord` instance.
+-/
+protected def toBEq (ord : Ord α) : BEq α where
+  beq x y := ord.compare x y == .eq
+
+/--
+Derive an `LT` instance from an `Ord` instance.
+-/
+protected def toLT (_ : Ord α) : LT α :=
+  ltOfOrd
+
+/--
+Derive an `LE` instance from an `Ord` instance.
+-/
+protected def toLE (_ : Ord α) : LE α :=
+  leOfOrd
+
+/--
+Invert the order of an `Ord` instance.
+-/
+protected def opposite (ord : Ord α) : Ord α where
+  compare x y := ord.compare y x
+
+/--
+`ord.on f` compares `x` and `y` by comparing `f x` and `f y` according to `ord`.
+-/
+protected def on (ord : Ord β) (f : α → β) : Ord α where
+  compare := compareOn f
+
+/--
+Derive the lexicographic order on products `α × β` from orders for `α` and `β`.
+-/
+protected def lex (_ : Ord α) (_ : Ord β) : Ord (α × β) :=
+  lexOrd
+
+/--
+Create an order which compares elements first by `ord₁` and then, if this
+returns 'equal', by `ord₂`.
+-/
+protected def lex' (ord₁ ord₂ : Ord α) : Ord α where
+  compare := compareLex ord₁.compare ord₂.compare
+
+end Ord

src/Init/Data/Random.lean

@@ -42,17 +42,15 @@ instance : Repr StdGen where
 
 def stdNext : StdGen → Nat × StdGen
   | ⟨s1, s2⟩ =>
-    let s1   : Int := s1
-    let s2   : Int := s2
-    let k    : Int := s1 / 53668
-    let s1'  : Int := 40014 * ((s1 : Int) - k * 53668) - k * 12211
-    let s1'' : Int := if s1' < 0 then s1' + 2147483563 else s1'
-    let k'   : Int := s2 / 52774
-    let s2'  : Int := 40692 * ((s2 : Int) - k' * 52774) - k' * 3791
-    let s2'' : Int := if s2' < 0 then s2' + 2147483399 else s2'
-    let z    : Int := s1'' - s2''
-    let z'   : Int := if z < 1 then z + 2147483562 else z % 2147483562
-    (z'.toNat, ⟨s1''.toNat, s2''.toNat⟩)
+    let k    : Int := Int.ofNat (s1 / 53668)
+    let s1'  : Int := 40014 * (Int.ofNat s1 - k * 53668) - k * 12211
+    let s1'' : Nat := if s1' < 0 then (s1' + 2147483563).toNat else s1'.toNat
+    let k'   : Int := Int.ofNat (s2 / 52774)
+    let s2'  : Int := 40692 * (Int.ofNat s2 - k' * 52774) - k' * 3791
+    let s2'' : Nat := if s2' < 0 then (s2' + 2147483399).toNat else s2'.toNat
+    let z    : Int := Int.ofNat s1'' - Int.ofNat s2''
+    let z'   : Nat := if z < 1 then (z + 2147483562).toNat else z.toNat % 2147483562
+    (z', ⟨s1'', s2''⟩)
 
 def stdSplit : StdGen → StdGen × StdGen
   | g@⟨s1, s2⟩ =>

src/Init/Data/Range.lean

@@ -76,10 +76,12 @@ macro_rules
 end Range
 end Std
 
-theorem Membership.mem.upper {i : Nat} {r : Std.Range} (h : i ∈ r) : i < r.stop := by
-  simp [Membership.mem] at h
-  exact h.2
+theorem Membership.mem.upper {i : Nat} {r : Std.Range} (h : i ∈ r) : i < r.stop := h.2
 
-theorem Membership.mem.lower {i : Nat} {r : Std.Range} (h : i ∈ r) : r.start ≤ i := by
-  simp [Membership.mem] at h
-  exact h.1
+theorem Membership.mem.lower {i : Nat} {r : Std.Range} (h : i ∈ r) : r.start ≤ i := h.1
+
+theorem Membership.get_elem_helper {i n : Nat} {r : Std.Range} (h₁ : i ∈ r) (h₂ : r.stop = n) :
+    i < n := h₂ ▸ h₁.2
+
+macro_rules
+  | `(tactic| get_elem_tactic_trivial) => `(tactic| apply Membership.get_elem_helper; assumption; rfl)

src/Init/Data/String/Basic.lean

@@ -159,7 +159,7 @@ def posOfAux (s : String) (c : Char) (stopPos : Pos) (pos : Pos) : Pos :=
       have := Nat.sub_lt_sub_left h (lt_next s pos)
       posOfAux s c stopPos (s.next pos)
   else pos
-termination_by _ => stopPos.1 - pos.1
+termination_by stopPos.1 - pos.1
 
 @[inline] def posOf (s : String) (c : Char) : Pos :=
   posOfAux s c s.endPos 0
@@ -171,7 +171,7 @@ def revPosOfAux (s : String) (c : Char) (pos : Pos) : Option Pos :=
     let pos := s.prev pos
     if s.get pos == c then some pos
     else revPosOfAux s c pos
-termination_by _ => pos.1
+termination_by pos.1
 
 def revPosOf (s : String) (c : Char) : Option Pos :=
   revPosOfAux s c s.endPos
@@ -183,7 +183,7 @@ def findAux (s : String) (p : Char → Bool) (stopPos : Pos) (pos : Pos) : Pos :
       have := Nat.sub_lt_sub_left h (lt_next s pos)
       findAux s p stopPos (s.next pos)
   else pos
-termination_by _ => stopPos.1 - pos.1
+termination_by stopPos.1 - pos.1
 
 @[inline] def find (s : String) (p : Char → Bool) : Pos :=
   findAux s p s.endPos 0
@@ -195,7 +195,7 @@ def revFindAux (s : String) (p : Char → Bool) (pos : Pos) : Option Pos :=
     let pos := s.prev pos
     if p (s.get pos) then some pos
     else revFindAux s p pos
-termination_by _ => pos.1
+termination_by pos.1
 
 def revFind (s : String) (p : Char → Bool) : Option Pos :=
   revFindAux s p s.endPos
@@ -213,8 +213,8 @@ def firstDiffPos (a b : String) : Pos :=
         have := Nat.sub_lt_sub_left h (lt_next a i)
         loop (a.next i)
     else i
+    termination_by stopPos.1 - i.1
   loop 0
-termination_by loop => stopPos.1 - i.1
 
 @[extern "lean_string_utf8_extract"]
 def extract : (@& String) → (@& Pos) → (@& Pos) → String
@@ -240,7 +240,7 @@ where
       splitAux s p i' i' (s.extract b i :: r)
     else
       splitAux s p b (s.next i) r
-termination_by _ => s.endPos.1 - i.1
+termination_by s.endPos.1 - i.1
 
 @[specialize] def split (s : String) (p : Char → Bool) : List String :=
   splitAux s p 0 0 []
@@ -260,7 +260,7 @@ def splitOnAux (s sep : String) (b : Pos) (i : Pos) (j : Pos) (r : List String)
         splitOnAux s sep b i j r
     else
       splitOnAux s sep b (s.next i) 0 r
-termination_by _ => s.endPos.1 - i.1
+termination_by s.endPos.1 - i.1
 
 def splitOn (s : String) (sep : String := " ") : List String :=
   if sep == "" then [s] else splitOnAux s sep 0 0 0 []
@@ -369,7 +369,7 @@ def offsetOfPosAux (s : String) (pos : Pos) (i : Pos) (offset : Nat) : Nat :=
   else
     have := Nat.sub_lt_sub_left (Nat.gt_of_not_le (mt decide_eq_true h)) (lt_next s _)
     offsetOfPosAux s pos (s.next i) (offset+1)
-termination_by _ => s.endPos.1 - i.1
+termination_by s.endPos.1 - i.1
 
 def offsetOfPos (s : String) (pos : Pos) : Nat :=
   offsetOfPosAux s pos 0 0
@@ -379,7 +379,7 @@ def offsetOfPos (s : String) (pos : Pos) : Nat :=
     have := Nat.sub_lt_sub_left h (lt_next s i)
     foldlAux f s stopPos (s.next i) (f a (s.get i))
   else a
-termination_by _ => stopPos.1 - i.1
+termination_by stopPos.1 - i.1
 
 @[inline] def foldl {α : Type u} (f : α → Char → α) (init : α) (s : String) : α :=
   foldlAux f s s.endPos 0 init
@@ -392,7 +392,7 @@ termination_by _ => stopPos.1 - i.1
     let a := f (s.get i) a
     foldrAux f a s i begPos
   else a
-termination_by _ => i.1
+termination_by i.1
 
 @[inline] def foldr {α : Type u} (f : Char → α → α) (init : α) (s : String) : α :=
   foldrAux f init s s.endPos 0
@@ -404,7 +404,7 @@ termination_by _ => i.1
       have := Nat.sub_lt_sub_left h (lt_next s i)
       anyAux s stopPos p (s.next i)
   else false
-termination_by _ => stopPos.1 - i.1
+termination_by stopPos.1 - i.1
 
 @[inline] def any (s : String) (p : Char → Bool) : Bool :=
   anyAux s s.endPos p 0
@@ -463,7 +463,7 @@ theorem mapAux_lemma (s : String) (i : Pos) (c : Char) (h : ¬s.atEnd i) :
     have := mapAux_lemma s i c h
     let s := s.set i c
     mapAux f (s.next i) s
-termination_by _ => s.endPos.1 - i.1
+termination_by s.endPos.1 - i.1
 
 @[inline] def map (f : Char → Char) (s : String) : String :=
   mapAux f 0 s
@@ -490,7 +490,7 @@ where
       have := Nat.sub_lt_sub_left h (Nat.add_lt_add_left (one_le_csize c₁) off1.1)
       c₁ == c₂ && loop (off1 + c₁) (off2 + c₂) stop1
     else true
-termination_by loop => stop1.1 - off1.1
+  termination_by stop1.1 - off1.1
 
 /-- Return true iff `p` is a prefix of `s` -/
 def isPrefixOf (p : String) (s : String) : Bool :=
@@ -512,8 +512,14 @@ def replace (s pattern replacement : String) : String :=
         else
           have := Nat.sub_lt_sub_left this (lt_next s pos)
           loop acc accStop (s.next pos)
+      termination_by s.endPos.1 - pos.1
     loop "" 0 0
-termination_by loop => s.endPos.1 - pos.1
+
+/-- Return the beginning of the line that contains character `pos`. -/
+def findLineStart (s : String) (pos : String.Pos) : String.Pos :=
+  match s.revFindAux (· = '\n') pos with
+  | none => 0
+  | some n => ⟨n.byteIdx + 1⟩
 
 end String
 
@@ -612,8 +618,8 @@ def splitOn (s : Substring) (sep : String := " ") : List Substring :=
         else
           s.extract b i :: r
         r.reverse
+      termination_by s.bsize - i.1
     loop 0 0 0 []
-termination_by loop => s.bsize - i.1
 
 @[inline] def foldl {α : Type u} (f : α → Char → α) (init : α) (s : Substring) : α :=
   match s with
@@ -640,7 +646,7 @@ def contains (s : Substring) (c : Char) : Bool :=
       takeWhileAux s stopPos p (s.next i)
     else i
   else i
-termination_by _ => stopPos.1 - i.1
+termination_by stopPos.1 - i.1
 
 @[inline] def takeWhile : Substring → (Char → Bool) → Substring
   | ⟨s, b, e⟩, p =>
@@ -661,7 +667,7 @@ termination_by _ => stopPos.1 - i.1
     if !p c then i
     else takeRightWhileAux s begPos p i'
   else i
-termination_by _ => i.1
+termination_by i.1
 
 @[inline] def takeRightWhile : Substring → (Char → Bool) → Substring
   | ⟨s, b, e⟩, p =>

src/Init/Data/UInt/Basic.lean

@@ -5,7 +5,6 @@ Authors: Leonardo de Moura
 -/
 prelude
 import Init.Data.Fin.Basic
-import Init.System.Platform
 
 open Nat
 
@@ -39,7 +38,7 @@ def UInt8.shiftRight (a b : UInt8) : UInt8 := ⟨a.val >>> (modn b 8).val⟩
 def UInt8.lt (a b : UInt8) : Prop := a.val < b.val
 def UInt8.le (a b : UInt8) : Prop := a.val ≤ b.val
 
-instance : OfNat UInt8 n   := ⟨UInt8.ofNat n⟩
+instance UInt8.instOfNat : OfNat UInt8 n := ⟨UInt8.ofNat n⟩
 instance : Add UInt8       := ⟨UInt8.add⟩
 instance : Sub UInt8       := ⟨UInt8.sub⟩
 instance : Mul UInt8       := ⟨UInt8.mul⟩
@@ -110,8 +109,7 @@ def UInt16.shiftRight (a b : UInt16) : UInt16 := ⟨a.val >>> (modn b 16).val⟩
 def UInt16.lt (a b : UInt16) : Prop := a.val < b.val
 def UInt16.le (a b : UInt16) : Prop := a.val ≤ b.val
 
-
-instance : OfNat UInt16 n   := ⟨UInt16.ofNat n⟩
+instance UInt16.instOfNat : OfNat UInt16 n := ⟨UInt16.ofNat n⟩
 instance : Add UInt16       := ⟨UInt16.add⟩
 instance : Sub UInt16       := ⟨UInt16.sub⟩
 instance : Mul UInt16       := ⟨UInt16.mul⟩
@@ -152,6 +150,14 @@ instance : Min UInt16 := minOfLe
 def UInt32.ofNat (n : @& Nat) : UInt32 := ⟨Fin.ofNat n⟩
 @[extern "lean_uint32_of_nat"]
 def UInt32.ofNat' (n : Nat) (h : n < UInt32.size) : UInt32 := ⟨⟨n, h⟩⟩
+/--
+Converts the given natural number to `UInt32`, but returns `2^32 - 1` for natural numbers `>= 2^32`.
+-/
+def UInt32.ofNatTruncate (n : Nat) : UInt32 :=
+  if h : n < UInt32.size then
+    UInt32.ofNat' n h
+  else
+    UInt32.ofNat' (UInt32.size - 1) (by decide)
 abbrev Nat.toUInt32 := UInt32.ofNat
 @[extern "lean_uint32_add"]
 def UInt32.add (a b : UInt32) : UInt32 := ⟨a.val + b.val⟩
@@ -184,7 +190,7 @@ def UInt8.toUInt32 (a : UInt8) : UInt32 := a.toNat.toUInt32
 @[extern "lean_uint16_to_uint32"]
 def UInt16.toUInt32 (a : UInt16) : UInt32 := a.toNat.toUInt32
 
-instance : OfNat UInt32 n   := ⟨UInt32.ofNat n⟩
+instance UInt32.instOfNat : OfNat UInt32 n := ⟨UInt32.ofNat n⟩
 instance : Add UInt32       := ⟨UInt32.add⟩
 instance : Sub UInt32       := ⟨UInt32.sub⟩
 instance : Mul UInt32       := ⟨UInt32.mul⟩
@@ -244,7 +250,7 @@ def UInt16.toUInt64 (a : UInt16) : UInt64 := a.toNat.toUInt64
 @[extern "lean_uint32_to_uint64"]
 def UInt32.toUInt64 (a : UInt32) : UInt64 := a.toNat.toUInt64
 
-instance : OfNat UInt64 n   := ⟨UInt64.ofNat n⟩
+instance UInt64.instOfNat : OfNat UInt64 n := ⟨UInt64.ofNat n⟩
 instance : Add UInt64       := ⟨UInt64.add⟩
 instance : Sub UInt64       := ⟨UInt64.sub⟩
 instance : Mul UInt64       := ⟨UInt64.mul⟩
@@ -322,7 +328,7 @@ def USize.toUInt32 (a : USize) : UInt32 := a.toNat.toUInt32
 def USize.lt (a b : USize) : Prop := a.val < b.val
 def USize.le (a b : USize) : Prop := a.val ≤ b.val
 
-instance : OfNat USize n   := ⟨USize.ofNat n⟩
+instance USize.instOfNat : OfNat USize n := ⟨USize.ofNat n⟩
 instance : Add USize       := ⟨USize.add⟩
 instance : Sub USize       := ⟨USize.sub⟩
 instance : Mul USize       := ⟨USize.mul⟩

src/Init/Ext.lean

@@ -0,0 +1,113 @@
+/-
+Copyright (c) 2021 Gabriel Ebner. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Gabriel Ebner, Mario Carneiro
+-/
+prelude
+import Init.TacticsExtra
+import Init.RCases
+
+namespace Lean
+namespace Parser.Attr
+/-- Registers an extensionality theorem.
+
+* When `@[ext]` is applied to a structure, it generates `.ext` and `.ext_iff` theorems and registers
+  them for the `ext` tactic.
+
+* When `@[ext]` is applied to a theorem, the theorem is registered for the `ext` tactic.
+
+* An optional natural number argument, e.g. `@[ext 9000]`, specifies a priority for the lemma. Higher-priority lemmas are chosen first, and the default is `1000`.
+
+* The flag `@[ext (flat := false)]` causes generated structure extensionality theorems to show inherited fields based on their representation,
+  rather than flattening the parents' fields into the lemma's equality hypotheses.
+  structures in the generated extensionality theorems. -/
+syntax (name := ext) "ext" (" (" &"flat" " := " term ")")? (ppSpace prio)? : attr
+end Parser.Attr
+
+-- TODO: rename this namespace?
+-- Remark: `ext` has scoped syntax, Mathlib may depend on the actual namespace name.
+namespace Elab.Tactic.Ext
+/--
+Creates the type of the extensionality theorem for the given structure,
+elaborating to `x.1 = y.1 → x.2 = y.2 → x = y`, for example.
+-/
+scoped syntax (name := extType) "ext_type% " term:max ppSpace ident : term
+
+/--
+Creates the type of the iff-variant of the extensionality theorem for the given structure,
+elaborating to `x = y ↔ x.1 = y.1 ∧ x.2 = y.2`, for example.
+-/
+scoped syntax (name := extIffType) "ext_iff_type% " term:max ppSpace ident : term
+
+/--
+`declare_ext_theorems_for A` declares the extensionality theorems for the structure `A`.
+
+These theorems state that two expressions with the structure type are equal if their fields are equal.
+-/
+syntax (name := declareExtTheoremFor) "declare_ext_theorems_for " ("(" &"flat" " := " term ") ")? ident (ppSpace prio)? : command
+
+macro_rules | `(declare_ext_theorems_for $[(flat := $f)]? $struct:ident $(prio)?) => do
+  let flat := f.getD (mkIdent `true)
+  let names ← Macro.resolveGlobalName struct.getId.eraseMacroScopes
+  let name ← match names.filter (·.2.isEmpty) with
+    | [] => Macro.throwError s!"unknown constant {struct.getId}"
+    | [(name, _)] => pure name
+    | _ => Macro.throwError s!"ambiguous name {struct.getId}"
+  let extName := mkIdentFrom struct (canonical := true) <| name.mkStr "ext"
+  let extIffName := mkIdentFrom struct (canonical := true) <| name.mkStr "ext_iff"
+  `(@[ext $(prio)?] protected theorem $extName:ident : ext_type% $flat $struct:ident :=
+      fun {..} {..} => by intros; subst_eqs; rfl
+    protected theorem $extIffName:ident : ext_iff_type% $flat $struct:ident :=
+      fun {..} {..} =>
+        ⟨fun h => by cases h; and_intros <;> rfl,
+         fun _ => by (repeat cases ‹_ ∧ _›); subst_eqs; rfl⟩)
+
+/--
+Applies extensionality lemmas that are registered with the `@[ext]` attribute.
+* `ext pat*` applies extensionality theorems as much as possible,
+  using the patterns `pat*` to introduce the variables in extensionality theorems using `rintro`.
+  For example, the patterns are used to name the variables introduced by lemmas such as `funext`.
+* Without patterns,`ext` applies extensionality lemmas as much
+  as possible but introduces anonymous hypotheses whenever needed.
+* `ext pat* : n` applies ext theorems only up to depth `n`.
+
+The `ext1 pat*` tactic is like `ext pat*` except that it only applies a single extensionality theorem.
+
+Unused patterns will generate warning.
+Patterns that don't match the variables will typically result in the introduction of anonymous hypotheses.
+-/
+syntax (name := ext) "ext" (colGt ppSpace rintroPat)* (" : " num)? : tactic
+
+/-- Apply a single extensionality theorem to the current goal. -/
+syntax (name := applyExtTheorem) "apply_ext_theorem" : tactic
+
+/--
+`ext1 pat*` is like `ext pat*` except that it only applies a single extensionality theorem rather
+than recursively applying as many extensionality theorems as possible.
+
+The `pat*` patterns are processed using the `rintro` tactic.
+If no patterns are supplied, then variables are introduced anonymously using the `intros` tactic.
+-/
+macro "ext1" xs:(colGt ppSpace rintroPat)* : tactic =>
+  if xs.isEmpty then `(tactic| apply_ext_theorem <;> intros)
+  else `(tactic| apply_ext_theorem <;> rintro $xs*)
+
+end Elab.Tactic.Ext
+end Lean
+
+attribute [ext] funext propext Subtype.eq
+
+@[ext] theorem Prod.ext : {x y : Prod α β} → x.fst = y.fst → x.snd = y.snd → x = y
+  | ⟨_,_⟩, ⟨_,_⟩, rfl, rfl => rfl
+
+@[ext] theorem PProd.ext : {x y : PProd α β} → x.fst = y.fst → x.snd = y.snd → x = y
+  | ⟨_,_⟩, ⟨_,_⟩, rfl, rfl => rfl
+
+@[ext] theorem Sigma.ext : {x y : Sigma β} → x.fst = y.fst → HEq x.snd y.snd → x = y
+  | ⟨_,_⟩, ⟨_,_⟩, rfl, .rfl => rfl
+
+@[ext] theorem PSigma.ext : {x y : PSigma β} → x.fst = y.fst → HEq x.snd y.snd → x = y
+  | ⟨_,_⟩, ⟨_,_⟩, rfl, .rfl => rfl
+
+@[ext] protected theorem PUnit.ext (x y : PUnit) : x = y := rfl
+protected theorem Unit.ext (x y : Unit) : x = y := rfl

src/Init/Guard.lean

@@ -0,0 +1,129 @@
+/-
+Copyright (c) 2021 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro
+-/
+prelude
+import Init.Tactics
+import Init.Conv
+import Init.NotationExtra
+
+namespace Lean.Parser
+
+/-- Reducible defeq matching for `guard_hyp` types -/
+syntax colonR := " : "
+/-- Default-reducibility defeq matching for `guard_hyp` types -/
+syntax colonD := " :~ "
+/-- Syntactic matching for `guard_hyp` types -/
+syntax colonS := " :ₛ "
+/-- Alpha-eq matching for `guard_hyp` types -/
+syntax colonA := " :ₐ "
+/-- The `guard_hyp` type specifier, one of `:`, `:~`, `:ₛ`, `:ₐ` -/
+syntax colon := colonR <|> colonD <|> colonS <|> colonA
+
+/-- Reducible defeq matching for `guard_hyp` values -/
+syntax colonEqR := " := "
+/-- Default-reducibility defeq matching for `guard_hyp` values -/
+syntax colonEqD := " :=~ "
+/-- Syntactic matching for `guard_hyp` values -/
+syntax colonEqS := " :=ₛ "
+/-- Alpha-eq matching for `guard_hyp` values -/
+syntax colonEqA := " :=ₐ "
+/-- The `guard_hyp` value specifier, one of `:=`, `:=~`, `:=ₛ`, `:=ₐ` -/
+syntax colonEq := colonEqR <|> colonEqD <|> colonEqS <|> colonEqA
+
+/-- Reducible defeq matching for `guard_expr` -/
+syntax equalR := " = "
+/-- Default-reducibility defeq matching for `guard_expr` -/
+syntax equalD := " =~ "
+/-- Syntactic matching for `guard_expr` -/
+syntax equalS := " =ₛ "
+/-- Alpha-eq matching for `guard_expr` -/
+syntax equalA := " =ₐ "
+/-- The `guard_expr` matching specifier, one of `=`, `=~`, `=ₛ`, `=ₐ` -/
+syntax equal := equalR <|> equalD <|> equalS <|> equalA
+
+namespace Tactic
+
+/--
+Tactic to check equality of two expressions.
+* `guard_expr e = e'` checks that `e` and `e'` are defeq at reducible transparency.
+* `guard_expr e =~ e'` checks that `e` and `e'` are defeq at default transparency.
+* `guard_expr e =ₛ e'` checks that `e` and `e'` are syntactically equal.
+* `guard_expr e =ₐ e'` checks that `e` and `e'` are alpha-equivalent.
+
+Both `e` and `e'` are elaborated then have their metavariables instantiated before the equality
+check. Their types are unified (using `isDefEqGuarded`) before synthetic metavariables are
+processed, which helps with default instance handling.
+-/
+syntax (name := guardExpr) "guard_expr " term:51 equal term : tactic
+@[inherit_doc guardExpr]
+syntax (name := guardExprConv) "guard_expr " term:51 equal term : conv
+
+/--
+Tactic to check that the target agrees with a given expression.
+* `guard_target = e` checks that the target is defeq at reducible transparency to `e`.
+* `guard_target =~ e` checks that the target is defeq at default transparency to `e`.
+* `guard_target =ₛ e` checks that the target is syntactically equal to `e`.
+* `guard_target =ₐ e` checks that the target is alpha-equivalent to `e`.
+
+The term `e` is elaborated with the type of the goal as the expected type, which is mostly
+useful within `conv` mode.
+-/
+syntax (name := guardTarget) "guard_target " equal term : tactic
+@[inherit_doc guardTarget]
+syntax (name := guardTargetConv) "guard_target " equal term : conv
+
+/--
+Tactic to check that a named hypothesis has a given type and/or value.
+
+* `guard_hyp h : t` checks the type up to reducible defeq,
+* `guard_hyp h :~ t` checks the type up to default defeq,
+* `guard_hyp h :ₛ t` checks the type up to syntactic equality,
+* `guard_hyp h :ₐ t` checks the type up to alpha equality.
+* `guard_hyp h := v` checks value up to reducible defeq,
+* `guard_hyp h :=~ v` checks value up to default defeq,
+* `guard_hyp h :=ₛ v` checks value up to syntactic equality,
+* `guard_hyp h :=ₐ v` checks the value up to alpha equality.
+
+The value `v` is elaborated using the type of `h` as the expected type.
+-/
+syntax (name := guardHyp)
+  "guard_hyp " term:max (colon term)? (colonEq term)? : tactic
+@[inherit_doc guardHyp] syntax (name := guardHypConv)
+  "guard_hyp " term:max (colon term)? (colonEq term)? : conv
+
+end Tactic
+
+namespace Command
+
+/--
+Command to check equality of two expressions.
+* `#guard_expr e = e'` checks that `e` and `e'` are defeq at reducible transparency.
+* `#guard_expr e =~ e'` checks that `e` and `e'` are defeq at default transparency.
+* `#guard_expr e =ₛ e'` checks that `e` and `e'` are syntactically equal.
+* `#guard_expr e =ₐ e'` checks that `e` and `e'` are alpha-equivalent.
+
+This is a command version of the `guard_expr` tactic. -/
+syntax (name := guardExprCmd) "#guard_expr " term:51 equal term : command
+
+/--
+Command to check that an expression evaluates to `true`.
+
+`#guard e` elaborates `e` ensuring its type is `Bool` then evaluates `e` and checks that
+the result is `true`. The term is elaborated *without* variables declared using `variable`, since
+these cannot be evaluated.
+
+Since this makes use of coercions, so long as a proposition `p` is decidable, one can write
+`#guard p` rather than `#guard decide p`. A consequence to this is that if there is decidable
+equality one can write `#guard a = b`. Note that this is not exactly the same as checking
+if `a` and `b` evaluate to the same thing since it uses the `DecidableEq` instance to do
+the evaluation.
+
+Note: this uses the untrusted evaluator, so `#guard` passing is *not* a proof that the
+expression equals `true`. -/
+syntax (name := guardCmd) "#guard " term : command
+
+end Command
+
+end Lean.Parser

src/Init/Meta.lean

@@ -563,8 +563,17 @@ def SepArray.ofElemsUsingRef [Monad m] [MonadRef m] {sep} (elems : Array Syntax)
 instance : Coe (Array Syntax) (SepArray sep) where
   coe := SepArray.ofElems
 
+/--
+Constructs a typed separated array from elements.
+The given array does not include the separators.
+
+Like `Syntax.SepArray.ofElems` but for typed syntax.
+-/
+def TSepArray.ofElems {sep} (elems : Array (TSyntax k)) : TSepArray k sep :=
+  .mk (SepArray.ofElems (sep := sep) (TSyntaxArray.raw elems)).1
+
 instance : Coe (TSyntaxArray k) (TSepArray k sep) where
-  coe a := ⟨mkSepArray a.raw (mkAtom sep)⟩
+  coe := TSepArray.ofElems
 
 /-- Create syntax representing a Lean term application, but avoid degenerate empty applications. -/
 def mkApp (fn : Term) : (args : TSyntaxArray `term) → Term
@@ -578,6 +587,9 @@ def mkLit (kind : SyntaxNodeKind) (val : String) (info := SourceInfo.none) : TSy
   let atom : Syntax := Syntax.atom info val
   mkNode kind #[atom]
 
+def mkCharLit (val : Char) (info := SourceInfo.none) : CharLit :=
+  mkLit charLitKind (Char.quote val) info
+
 def mkStrLit (val : String) (info := SourceInfo.none) : StrLit :=
   mkLit strLitKind (String.quote val) info
 
@@ -995,6 +1007,7 @@ instance [Quote α k] [CoeHTCT (TSyntax k) (TSyntax [k'])] : Quote α k' := ⟨f
 
 instance : Quote Term := ⟨id⟩
 instance : Quote Bool := ⟨fun | true => mkCIdent ``Bool.true | false => mkCIdent ``Bool.false⟩
+instance : Quote Char charLitKind := ⟨Syntax.mkCharLit⟩
 instance : Quote String strLitKind := ⟨Syntax.mkStrLit⟩
 instance : Quote Nat numLitKind := ⟨fun n => Syntax.mkNumLit <| toString n⟩
 instance : Quote Substring := ⟨fun s => Syntax.mkCApp ``String.toSubstring' #[quote s.toString]⟩
@@ -1039,7 +1052,7 @@ where
       go (i+1) (args.push (quote xs[i]))
     else
       Syntax.mkCApp (Name.mkStr2 "Array" ("mkArray" ++ toString xs.size)) args
-termination_by go i _ => xs.size - i
+  termination_by xs.size - i
 
 instance [Quote α `term] : Quote (Array α) `term where
   quote := quoteArray
@@ -1272,6 +1285,41 @@ structure Config where
 
 end Rewrite
 
+namespace Omega
+
+/-- Configures the behaviour of the `omega` tactic. -/
+structure OmegaConfig where
+  /--
+  Split disjunctions in the context.
+
+  Note that with `splitDisjunctions := false` omega will not be able to solve `x = y` goals
+  as these are usually handled by introducing `¬ x = y` as a hypothesis, then replacing this with
+  `x < y ∨ x > y`.
+
+  On the other hand, `omega` does not currently detect disjunctions which, when split,
+  introduce no new useful information, so the presence of irrelevant disjunctions in the context
+  can significantly increase run time.
+  -/
+  splitDisjunctions : Bool := true
+  /--
+  Whenever `((a - b : Nat) : Int)` is found, register the disjunction
+  `b ≤ a ∧ ((a - b : Nat) : Int) = a - b ∨ a < b ∧ ((a - b : Nat) : Int) = 0`
+  for later splitting.
+  -/
+  splitNatSub : Bool := true
+  /--
+  Whenever `Int.natAbs a` is found, register the disjunction
+  `0 ≤ a ∧ Int.natAbs a = a ∨ a < 0 ∧ Int.natAbs a = - a` for later splitting.
+  -/
+  splitNatAbs : Bool := true
+  /--
+  Whenever `min a b` or `max a b` is found, rewrite in terms of the definition
+  `if a ≤ b ...`, for later case splitting.
+  -/
+  splitMinMax : Bool := true
+
+end Omega
+
 end Meta
 
 namespace Parser.Tactic

src/Init/MetaTypes.lean

@@ -43,6 +43,7 @@ inductive EtaStructMode where
 namespace DSimp
 
 structure Config where
+  /-- `let x := v; e[x]` reduces to `e[v]`. -/
   zeta              : Bool := true
   beta              : Bool := true
   eta               : Bool := true
@@ -57,6 +58,8 @@ structure Config where
   /-- If `unfoldPartialApp := true`, then calls to `simp`, `dsimp`, or `simp_all`
   will unfold even partial applications of `f` when we request `f` to be unfolded. -/
   unfoldPartialApp  : Bool := false
+  /-- Given a local context containing entry `x : t := e`, free variable `x` reduces to `e`. -/
+  zetaDelta         : Bool := false
   deriving Inhabited, BEq
 
 end DSimp
@@ -71,6 +74,7 @@ structure Config where
   contextual        : Bool := false
   memoize           : Bool := true
   singlePass        : Bool := false
+  /-- `let x := v; e[x]` reduces to `e[v]`. -/
   zeta              : Bool := true
   beta              : Bool := true
   eta               : Bool := true
@@ -95,6 +99,8 @@ structure Config where
   /-- If `unfoldPartialApp := true`, then calls to `simp`, `dsimp`, or `simp_all`
   will unfold even partial applications of `f` when we request `f` to be unfolded. -/
   unfoldPartialApp  : Bool := false
+  /-- Given a local context containing entry `x : t := e`, free variable `x` reduces to `e`. -/
+  zetaDelta         : Bool := false
   deriving Inhabited, BEq
 
 -- Configuration object for `simp_all`
@@ -111,6 +117,7 @@ def neutralConfig : Simp.Config := {
   arith             := false
   autoUnfold        := false
   ground            := false
+  zetaDelta         := false
 }
 
 end Simp

src/Init/Notation.lean

@@ -268,6 +268,7 @@ syntax (name := rawNatLit) "nat_lit " num : term
 @[inherit_doc] infixr:90 " ∘ "  => Function.comp
 @[inherit_doc] infixr:35 " × "  => Prod
 
+@[inherit_doc] infix:50  " ∣ " => Dvd.dvd
 @[inherit_doc] infixl:55 " ||| " => HOr.hOr
 @[inherit_doc] infixl:58 " ^^^ " => HXor.hXor
 @[inherit_doc] infixl:60 " &&& " => HAnd.hAnd
@@ -463,6 +464,14 @@ macro "without_expected_type " x:term : term => `(let aux := $x; aux)
 
 namespace Lean
 
+/--
+* The `by_elab doSeq` expression runs the `doSeq` as a `TermElabM Expr` to
+  synthesize the expression.
+* `by_elab fun expectedType? => do doSeq` receives the expected type (an `Option Expr`)
+  as well.
+-/
+syntax (name := byElab) "by_elab " doSeq : term
+
 /--
 Category for carrying raw syntax trees between macros; any content is printed as is by the pretty printer.
 The only accepted parser for this category is an antiquotation.
@@ -484,9 +493,39 @@ existing code. It may be removed in a future version of the library.
 -/
 syntax (name := deprecated) "deprecated" (ppSpace ident)? : attr
 
+/--
+The `@[coe]` attribute on a function (which should also appear in a
+`instance : Coe A B := ⟨myFn⟩` declaration) allows the delaborator to show
+applications of this function as `↑` when printing expressions.
+-/
+syntax (name := Attr.coe) "coe" : attr
+
 /--
 When `parent_dir` contains the current Lean file, `include_str "path" / "to" / "file"` becomes
 a string literal with the contents of the file at `"parent_dir" / "path" / "to" / "file"`. If this
 file cannot be read, elaboration fails.
 -/
 syntax (name := includeStr) "include_str " term : term
+
+/--
+The `run_cmd doSeq` command executes code in `CommandElabM Unit`.
+This is almost the same as `#eval show CommandElabM Unit from do doSeq`,
+except that it doesn't print an empty diagnostic.
+-/
+syntax (name := runCmd) "run_cmd " doSeq : command
+
+/--
+The `run_elab doSeq` command executes code in `TermElabM Unit`.
+This is almost the same as `#eval show TermElabM Unit from do doSeq`,
+except that it doesn't print an empty diagnostic.
+-/
+syntax (name := runElab) "run_elab " doSeq : command
+
+/--
+The `run_meta doSeq` command executes code in `MetaM Unit`.
+This is almost the same as `#eval show MetaM Unit from do doSeq`,
+except that it doesn't print an empty diagnostic.
+
+(This is effectively a synonym for `run_elab`.)
+-/
+syntax (name := runMeta) "run_meta " doSeq : command

src/Init/NotationExtra.lean

@@ -170,6 +170,19 @@ See [Theorem Proving in Lean 4][tpil4] for more information.
 -/
 syntax (name := calcTactic) "calc" calcSteps : tactic
 
+/--
+Denotes a term that was omitted by the pretty printer.
+This is only used for pretty printing, and it cannot be elaborated.
+The presence of `⋯` is controlled by the `pp.deepTerms` and `pp.proofs` options.
+-/
+syntax "⋯" : term
+
+macro_rules | `(⋯) => Macro.throwError "\
+  Error: The '⋯' token is used by the pretty printer to indicate omitted terms, \
+  and it cannot be elaborated.\
+  \n\nIts presence in pretty printing output is controlled by the 'pp.deepTerms' and `pp.proofs` options. \
+  These options can be further adjusted using `pp.deepTerms.threshold` and `pp.proofs.threshold`."
+
 @[app_unexpander Unit.unit] def unexpandUnit : Lean.PrettyPrinter.Unexpander
   | `($(_)) => `(())
 
@@ -177,9 +190,13 @@ syntax (name := calcTactic) "calc" calcSteps : tactic
   | `($(_)) => `([])
 
 @[app_unexpander List.cons] def unexpandListCons : Lean.PrettyPrinter.Unexpander
-  | `($(_) $x [])      => `([$x])
-  | `($(_) $x [$xs,*]) => `([$x, $xs,*])
-  | _                  => throw ()
+  | `($(_) $x $tail) =>
+    match tail with
+    | `([])      => `([$x])
+    | `([$xs,*]) => `([$x, $xs,*])
+    | `(⋯)       => `([$x, $tail]) -- Unexpands to `[x, y, z, ⋯]` for `⋯ : List α`
+    | _          => throw ()
+  | _ => throw ()
 
 @[app_unexpander List.toArray] def unexpandListToArray : Lean.PrettyPrinter.Unexpander
   | `($(_) [$xs,*]) => `(#[$xs,*])
@@ -373,6 +390,23 @@ macro_rules
     `($mods:declModifiers class $id $params* extends $parents,* $[: $ty]?
       attribute [instance] $ctor)
 
+macro_rules
+  | `(haveI $hy:hygieneInfo $bs* $[: $ty]? := $val; $body) =>
+    `(haveI $(HygieneInfo.mkIdent hy `this (canonical := true)) $bs* $[: $ty]? := $val; $body)
+  | `(haveI _ $bs* := $val; $body) => `(haveI x $bs* : _ := $val; $body)
+  | `(haveI _ $bs* : $ty := $val; $body) => `(haveI x $bs* : $ty := $val; $body)
+  | `(haveI $x:ident $bs* := $val; $body) => `(haveI $x $bs* : _ := $val; $body)
+  | `(haveI $_:ident $_* : $_ := $_; $_) => Lean.Macro.throwUnsupported -- handled by elab
+
+macro_rules
+  | `(letI $hy:hygieneInfo $bs* $[: $ty]? := $val; $body) =>
+    `(letI $(HygieneInfo.mkIdent hy `this (canonical := true)) $bs* $[: $ty]? := $val; $body)
+  | `(letI _ $bs* := $val; $body) => `(letI x $bs* : _ := $val; $body)
+  | `(letI _ $bs* : $ty := $val; $body) => `(letI x $bs* : $ty := $val; $body)
+  | `(letI $x:ident $bs* := $val; $body) => `(letI $x $bs* : _ := $val; $body)
+  | `(letI $_:ident $_* : $_ := $_; $_) => Lean.Macro.throwUnsupported -- handled by elab
+
+
 syntax cdotTk := patternIgnore("· " <|> ". ")
 /-- `· tac` focuses on the main goal and tries to solve it using `tac`, or else fails. -/
 syntax (name := cdot) cdotTk tacticSeqIndentGt : tactic

src/Init/Omega.lean

@@ -0,0 +1,6 @@
+prelude
+import Init.Omega.Int
+import Init.Omega.IntList
+import Init.Omega.LinearCombo
+import Init.Omega.Constraint
+import Init.Omega.Logic

src/Init/Omega/Coeffs.lean

@@ -0,0 +1,112 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Scott Morrison
+-/
+prelude
+import Init.Omega.IntList
+
+/-!
+# `Coeffs` as a wrapper for `IntList`
+
+Currently `omega` uses a dense representation for coefficients.
+However, we can swap this out for a sparse representation.
+
+This file sets up `Coeffs` as a type synonym for `IntList`,
+and abbreviations for the functions in the `IntList` namespace which we need to use in the
+`omega` algorithm.
+
+There is an equivalent file setting up `Coeffs` as a type synonym for `AssocList Nat Int`,
+currently in a private branch.
+Not all the theorems about the algebraic operations on that representation have been proved yet.
+When they are ready, we can replace the implementation in `omega` simply by importing
+`Std.Tactic.Omega.Coeffs.IntDict` instead of `Std.Tactic.Omega.Coeffs.IntList`.
+
+For small problems, the sparse representation is actually slightly slower,
+so it is not urgent to make this replacement.
+-/
+
+namespace Lean.Omega
+
+/-- Type synonym for `IntList := List Int`. -/
+abbrev Coeffs := IntList
+
+namespace Coeffs
+
+/-- Identity, turning `Coeffs` into `List Int`. -/
+abbrev toList (xs : Coeffs) : List Int := xs
+/-- Identity, turning `List Int` into `Coeffs`. -/
+abbrev ofList (xs : List Int) : Coeffs := xs
+/-- Are the coefficients all zero? -/
+abbrev isZero (xs : Coeffs) : Prop := ∀ x, x ∈ xs → x = 0
+/-- Shim for `IntList.set`. -/
+abbrev set (xs : Coeffs) (i : Nat) (y : Int) : Coeffs := IntList.set xs i y
+/-- Shim for `IntList.get`. -/
+abbrev get (xs : Coeffs) (i : Nat) : Int := IntList.get xs i
+/-- Shim for `IntList.gcd`. -/
+abbrev gcd (xs : Coeffs) : Nat := IntList.gcd xs
+/-- Shim for `IntList.smul`. -/
+abbrev smul (xs : Coeffs) (g : Int) : Coeffs := IntList.smul xs g
+/-- Shim for `IntList.sdiv`. -/
+abbrev sdiv (xs : Coeffs) (g : Int) : Coeffs := IntList.sdiv xs g
+/-- Shim for `IntList.dot`. -/
+abbrev dot (xs ys : Coeffs) : Int := IntList.dot xs ys
+/-- Shim for `IntList.add`. -/
+abbrev add (xs ys : Coeffs) : Coeffs := IntList.add xs ys
+/-- Shim for `IntList.sub`. -/
+abbrev sub (xs ys : Coeffs) : Coeffs := IntList.sub xs ys
+/-- Shim for `IntList.neg`. -/
+abbrev neg (xs : Coeffs) : Coeffs := IntList.neg xs
+/-- Shim for `IntList.combo`. -/
+abbrev combo (a : Int) (xs : Coeffs) (b : Int) (ys : Coeffs) : Coeffs := IntList.combo a xs b ys
+/-- Shim for `List.length`. -/
+abbrev length (xs : Coeffs) := List.length xs
+/-- Shim for `IntList.leading`. -/
+abbrev leading (xs : Coeffs) : Int := IntList.leading xs
+/-- Shim for `List.map`. -/
+abbrev map (f : Int → Int) (xs : Coeffs) : Coeffs := List.map f xs
+/-- Shim for `.enum.find?`. -/
+abbrev findIdx? (f : Int → Bool) (xs : Coeffs) : Option Nat :=
+  -- List.findIdx? f xs
+  -- We could avoid `Std.Data.List.Basic` by using the less efficient:
+  xs.enum.find? (f ·.2) |>.map (·.1)
+/-- Shim for `IntList.bmod`. -/
+abbrev bmod (x : Coeffs) (m : Nat) : Coeffs := IntList.bmod x m
+/-- Shim for `IntList.bmod_dot_sub_dot_bmod`. -/
+abbrev bmod_dot_sub_dot_bmod (m : Nat) (a b : Coeffs) : Int :=
+  IntList.bmod_dot_sub_dot_bmod m a b
+theorem bmod_length (x : Coeffs) (m : Nat) : (bmod x m).length ≤ x.length :=
+  IntList.bmod_length x m
+theorem dvd_bmod_dot_sub_dot_bmod (m : Nat) (xs ys : Coeffs) :
+    (m : Int) ∣ bmod_dot_sub_dot_bmod m xs ys := IntList.dvd_bmod_dot_sub_dot_bmod m xs ys
+
+theorem get_of_length_le {i : Nat} {xs : Coeffs} (h : length xs ≤ i) : get xs i = 0 :=
+  IntList.get_of_length_le h
+theorem dot_set_left (xs ys : Coeffs) (i : Nat) (z : Int) :
+    dot (set xs i z) ys = dot xs ys + (z - get xs i) * get ys i :=
+  IntList.dot_set_left xs ys i z
+theorem dot_sdiv_left (xs ys : Coeffs) {d : Int} (h : d ∣ xs.gcd) :
+    dot (xs.sdiv d) ys = (dot xs ys) / d :=
+  IntList.dot_sdiv_left xs ys h
+theorem dot_smul_left (xs ys : Coeffs) (i : Int) : dot (i * xs) ys = i * dot xs ys :=
+  IntList.dot_smul_left xs ys i
+theorem dot_distrib_left (xs ys zs : Coeffs) : (xs + ys).dot zs = xs.dot zs + ys.dot zs :=
+  IntList.dot_distrib_left xs ys zs
+theorem sub_eq_add_neg (xs ys : Coeffs) : xs - ys = xs + -ys :=
+  IntList.sub_eq_add_neg xs ys
+theorem combo_eq_smul_add_smul (a : Int) (xs : Coeffs) (b : Int) (ys : Coeffs) :
+    combo a xs b ys = (a * xs) + (b * ys) :=
+  IntList.combo_eq_smul_add_smul a xs b ys
+theorem gcd_dvd_dot_left (xs ys : Coeffs) : (gcd xs : Int) ∣ dot xs ys :=
+  IntList.gcd_dvd_dot_left xs ys
+theorem map_length {xs : Coeffs} : (xs.map f).length ≤ xs.length :=
+  Nat.le_of_eq (List.length_map xs f)
+
+theorem dot_nil_right {xs : Coeffs} : dot xs .nil = 0 := IntList.dot_nil_right
+theorem get_nil : get .nil i = 0 := IntList.get_nil
+theorem dot_neg_left (xs ys : IntList) : dot (-xs) ys = -dot xs ys :=
+  IntList.dot_neg_left xs ys
+
+end Coeffs
+
+end Lean.Omega

src/Init/Omega/Constraint.lean

@@ -0,0 +1,395 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Scott Morrison
+-/
+prelude
+import Init.Omega.LinearCombo
+import Init.Omega.Int
+
+/-!
+A `Constraint` consists of an optional lower and upper bound (inclusive),
+constraining a value to a set of the form `∅`, `{x}`, `[x, y]`, `[x, ∞)`, `(-∞, y]`, or `(-∞, ∞)`.
+-/
+
+namespace Lean.Omega
+
+/-- An optional lower bound on a integer. -/
+abbrev LowerBound : Type := Option Int
+/-- An optional upper bound on a integer. -/
+abbrev UpperBound : Type := Option Int
+
+/-- A lower bound at `x` is satisfied at `t` if `x ≤ t`. -/
+abbrev LowerBound.sat (b : LowerBound) (t : Int) := b.all fun x => x ≤ t
+/-- A upper bound at `y` is satisfied at `t` if `t ≤ y`. -/
+abbrev UpperBound.sat (b : UpperBound) (t : Int) := b.all fun y => t ≤ y
+
+/--
+A `Constraint` consists of an optional lower and upper bound (inclusive),
+constraining a value to a set of the form `∅`, `{x}`, `[x, y]`, `[x, ∞)`, `(-∞, y]`, or `(-∞, ∞)`.
+-/
+structure Constraint where
+  /-- A lower bound. -/
+  lowerBound : LowerBound
+  /-- An upper bound. -/
+  upperBound : UpperBound
+deriving BEq, DecidableEq, Repr
+
+namespace Constraint
+
+instance : ToString Constraint where
+  toString := fun
+  | ⟨none, none⟩ => "(-∞, ∞)"
+  | ⟨none, some y⟩ => s!"(-∞, {y}]"
+  | ⟨some x, none⟩ => s!"[{x}, ∞)"
+  | ⟨some x, some y⟩ =>
+    if y < x then "∅" else if x = y then s!"\{{x}}" else s!"[{x}, {y}]"
+
+/-- A constraint is satisfied at `t` is both the lower bound and upper bound are satisfied. -/
+def sat (c : Constraint) (t : Int) : Bool := c.lowerBound.sat t ∧ c.upperBound.sat t
+
+/-- Apply a function to both the lower bound and upper bound. -/
+def map (c : Constraint) (f : Int → Int) : Constraint where
+  lowerBound := c.lowerBound.map f
+  upperBound := c.upperBound.map f
+
+/-- Translate a constraint. -/
+def translate (c : Constraint) (t : Int) : Constraint := c.map (· + t)
+
+theorem translate_sat : {c : Constraint} → {v : Int} → sat c v → sat (c.translate t) (v + t) := by
+  rintro ⟨_ | l, _ | u⟩ v w <;> simp_all [sat, translate, map]
+  · exact Int.add_le_add_right w t
+  · exact Int.add_le_add_right w t
+  · rcases w with ⟨w₁, w₂⟩; constructor
+    · exact Int.add_le_add_right w₁ t
+    · exact Int.add_le_add_right w₂ t
+
+/--
+Flip a constraint.
+This operation is not useful by itself, but is used to implement `neg` and `scale`.
+-/
+def flip (c : Constraint) : Constraint where
+  lowerBound := c.upperBound
+  upperBound := c.lowerBound
+
+/--
+Negate a constraint. `[x, y]` becomes `[-y, -x]`.
+-/
+def neg (c : Constraint) : Constraint := c.flip.map (- ·)
+
+theorem neg_sat : {c : Constraint} → {v : Int} → sat c v → sat (c.neg) (-v) := by
+  rintro ⟨_ | l, _ | u⟩ v w <;> simp_all [sat, neg, flip, map]
+  · exact Int.neg_le_neg w
+  · exact Int.neg_le_neg w
+  · rcases w with ⟨w₁, w₂⟩; constructor
+    · exact Int.neg_le_neg w₂
+    · exact Int.neg_le_neg w₁
+
+/-- The trivial constraint, satisfied everywhere. -/
+def trivial : Constraint := ⟨none, none⟩
+/-- The impossible constraint, unsatisfiable. -/
+def impossible : Constraint := ⟨some 1, some 0⟩
+/-- An exact constraint. -/
+def exact (r : Int) : Constraint := ⟨some r, some r⟩
+
+@[simp] theorem trivial_say : trivial.sat t := by
+  simp [sat, trivial]
+
+@[simp] theorem exact_sat (r : Int) (t : Int) : (exact r).sat t = decide (r = t) := by
+  simp only [sat, exact, Option.all_some, decide_eq_true_eq, decide_eq_decide]
+  exact Int.eq_iff_le_and_ge.symm
+
+/-- Check if a constraint is unsatisfiable. -/
+def isImpossible : Constraint → Bool
+  | ⟨some x, some y⟩ => y < x
+  | _ => false
+
+/-- Check if a constraint requires an exact value. -/
+def isExact : Constraint → Bool
+  | ⟨some x, some y⟩ => x = y
+  | _ => false
+
+theorem not_sat_of_isImpossible (h : isImpossible c) {t} : ¬ c.sat t := by
+  rcases c with ⟨_ | l, _ | u⟩ <;> simp [isImpossible, sat] at h ⊢
+  intro w
+  rw [Int.not_le]
+  exact Int.lt_of_lt_of_le h w
+
+/--
+Scale a constraint by multiplying by an integer.
+* If `k = 0` this is either impossible, if the original constraint was impossible,
+  or the `= 0` exact constraint.
+* If `k` is positive this takes `[x, y]` to `[k * x, k * y]`
+* If `k` is negative this takes `[x, y]` to `[k * y, k * x]`.
+-/
+def scale (k : Int) (c : Constraint) : Constraint :=
+  if k = 0 then
+    if c.isImpossible then c else ⟨some 0, some 0⟩
+  else if 0 < k then
+    c.map (k * ·)
+  else
+    c.flip.map (k * ·)
+
+theorem scale_sat {c : Constraint} (k) (w : c.sat t) : (scale k c).sat (k * t) := by
+  simp [scale]
+  split
+  · split
+    · simp_all [not_sat_of_isImpossible]
+    · simp_all [sat]
+  · rcases c with ⟨_ | l, _ | u⟩ <;> split <;> rename_i h <;> simp_all [sat, flip, map]
+    · replace h := Int.le_of_lt h
+      exact Int.mul_le_mul_of_nonneg_left w h
+    · rw [Int.not_lt] at h
+      exact Int.mul_le_mul_of_nonpos_left h w
+    · replace h := Int.le_of_lt h
+      exact Int.mul_le_mul_of_nonneg_left w h
+    · rw [Int.not_lt] at h
+      exact Int.mul_le_mul_of_nonpos_left h w
+    · constructor
+      · exact Int.mul_le_mul_of_nonneg_left w.1 (Int.le_of_lt h)
+      · exact Int.mul_le_mul_of_nonneg_left w.2 (Int.le_of_lt h)
+    · replace h := Int.not_lt.mp h
+      constructor
+      · exact Int.mul_le_mul_of_nonpos_left h w.2
+      · exact Int.mul_le_mul_of_nonpos_left h w.1
+
+/-- The sum of two constraints. `[a, b] + [c, d] = [a + c, b + d]`. -/
+def add (x y : Constraint) : Constraint where
+  lowerBound := x.lowerBound.bind fun a => y.lowerBound.map fun b => a + b
+  upperBound := x.upperBound.bind fun a => y.upperBound.map fun b => a + b
+
+theorem add_sat (w₁ : c₁.sat x₁) (w₂ : c₂.sat x₂) : (add c₁ c₂).sat (x₁ + x₂) := by
+  rcases c₁ with ⟨_ | l₁, _ | u₁⟩ <;> rcases c₂ with ⟨_ | l₂, _ | u₂⟩
+    <;> simp [sat, LowerBound.sat, UpperBound.sat, add] at *
+  · exact Int.add_le_add w₁ w₂
+  · exact Int.add_le_add w₁ w₂.2
+  · exact Int.add_le_add w₁ w₂
+  · exact Int.add_le_add w₁ w₂.1
+  · exact Int.add_le_add w₁.2 w₂
+  · exact Int.add_le_add w₁.1 w₂
+  · constructor
+    · exact Int.add_le_add w₁.1 w₂.1
+    · exact Int.add_le_add w₁.2 w₂.2
+
+/-- A linear combination of two constraints. -/
+def combo (a : Int) (x : Constraint) (b : Int) (y : Constraint) : Constraint :=
+  add (scale a x) (scale b y)
+
+theorem combo_sat (a) (w₁ : c₁.sat x₁) (b) (w₂ : c₂.sat x₂) :
+    (combo a c₁ b c₂).sat (a * x₁ + b * x₂) :=
+  add_sat (scale_sat a w₁) (scale_sat b w₂)
+
+/-- The conjunction of two constraints. -/
+def combine (x y : Constraint) : Constraint where
+  lowerBound := max x.lowerBound y.lowerBound
+  upperBound := min x.upperBound y.upperBound
+
+theorem combine_sat : (c : Constraint) → (c' : Constraint) → (t : Int) →
+    (c.combine c').sat t = (c.sat t ∧ c'.sat t) := by
+  rintro ⟨_ | l₁, _ | u₁⟩ <;> rintro ⟨_ | l₂, _ | u₂⟩ t
+    <;> simp [sat, LowerBound.sat, UpperBound.sat, combine, Int.le_min, Int.max_le] at *
+  · rw [And.comm]
+  · rw [← and_assoc, And.comm (a := l₂ ≤ t), and_assoc]
+  · rw [and_assoc]
+  · rw [and_assoc]
+  · rw [and_assoc, and_assoc, And.comm (a := l₂ ≤ t)]
+  · rw [and_assoc, ← and_assoc (a := l₂ ≤ t), And.comm (a := l₂ ≤ t), and_assoc, and_assoc]
+
+/--
+Dividing a constraint by a natural number, and tightened to integer bounds.
+Thus the lower bound is rounded up, and the upper bound is rounded down.
+-/
+def div (c : Constraint) (k : Nat) : Constraint where
+  lowerBound := c.lowerBound.map fun x => (- ((- x) / k))
+  upperBound := c.upperBound.map fun y => y / k
+
+theorem div_sat (c : Constraint) (t : Int) (k : Nat) (n : k ≠ 0) (h : (k : Int) ∣ t) (w : c.sat t) :
+    (c.div k).sat (t / k) := by
+  replace n : (k : Int) > 0 := Int.ofNat_lt.mpr (Nat.pos_of_ne_zero n)
+  rcases c with ⟨_ | l, _ | u⟩
+  · simp_all [sat, div]
+  · simp [sat, div] at w ⊢
+    apply Int.le_of_sub_nonneg
+    rw [← Int.sub_ediv_of_dvd _ h, ← ge_iff_le, Int.div_nonneg_iff_of_pos n]
+    exact Int.sub_nonneg_of_le w
+  · simp [sat, div] at w ⊢
+    apply Int.le_of_sub_nonneg
+    rw [Int.sub_neg, ← Int.add_ediv_of_dvd_left h, ← ge_iff_le,
+      Int.div_nonneg_iff_of_pos n]
+    exact Int.sub_nonneg_of_le w
+  · simp [sat, div] at w ⊢
+    constructor
+    · apply Int.le_of_sub_nonneg
+      rw [Int.sub_neg, ← Int.add_ediv_of_dvd_left h, ← ge_iff_le,
+        Int.div_nonneg_iff_of_pos n]
+      exact Int.sub_nonneg_of_le w.1
+    · apply Int.le_of_sub_nonneg
+      rw [← Int.sub_ediv_of_dvd _ h, ← ge_iff_le, Int.div_nonneg_iff_of_pos n]
+      exact Int.sub_nonneg_of_le w.2
+
+/--
+It is convenient below to say that a constraint is satisfied at the dot product of two vectors,
+so we make an abbreviation `sat'` for this.
+-/
+abbrev sat' (c : Constraint) (x y : Coeffs) := c.sat (Coeffs.dot x y)
+
+theorem combine_sat' {s t : Constraint} {x y} (ws : s.sat' x y) (wt : t.sat' x y) :
+    (s.combine t).sat' x y := (combine_sat _ _ _).mpr ⟨ws, wt⟩
+
+theorem div_sat' {c : Constraint} {x y} (h : Coeffs.gcd x ≠ 0) (w : c.sat (Coeffs.dot x y)) :
+    (c.div (Coeffs.gcd x)).sat' (Coeffs.sdiv x (Coeffs.gcd x)) y := by
+  dsimp [sat']
+  rw [Coeffs.dot_sdiv_left _ _ (Int.dvd_refl _)]
+  exact div_sat c _ (Coeffs.gcd x) h (Coeffs.gcd_dvd_dot_left x y) w
+
+theorem not_sat'_of_isImpossible (h : isImpossible c) {x y} : ¬ c.sat' x y :=
+  not_sat_of_isImpossible h
+
+theorem addInequality_sat (w : c + Coeffs.dot x y ≥ 0) :
+    Constraint.sat' { lowerBound := some (-c), upperBound := none } x y := by
+  simp [Constraint.sat', Constraint.sat]
+  rw [← Int.zero_sub c]
+  exact Int.sub_left_le_of_le_add w
+
+theorem addEquality_sat (w : c + Coeffs.dot x y = 0) :
+    Constraint.sat' { lowerBound := some (-c), upperBound := some (-c) } x y := by
+  simp [Constraint.sat', Constraint.sat]
+  rw [Int.eq_iff_le_and_ge] at w
+  rwa [Int.add_le_zero_iff_le_neg', Int.add_nonnneg_iff_neg_le', and_comm] at w
+
+end Constraint
+
+/--
+Normalize a constraint, by dividing through by the GCD.
+
+Return `none` if there is nothing to do, to avoid adding unnecessary steps to the proof term.
+-/
+def normalize? : Constraint × Coeffs → Option (Constraint × Coeffs)
+  | ⟨s, x⟩ =>
+    let gcd := Coeffs.gcd x -- TODO should we be caching this?
+    if gcd = 0 then
+      if s.sat 0 then
+        some (.trivial, x)
+      else
+        some (.impossible, x)
+    else if gcd = 1 then
+      none
+    else
+      some (s.div gcd, Coeffs.sdiv x gcd)
+
+/-- Normalize a constraint, by dividing through by the GCD. -/
+def normalize (p : Constraint × Coeffs) : Constraint × Coeffs :=
+  normalize? p |>.getD p
+
+/-- Shorthand for the first component of `normalize`. -/
+-- This `noncomputable` (and others below) is a safeguard that we only use this in proofs.
+noncomputable abbrev normalizeConstraint (s : Constraint) (x : Coeffs) : Constraint :=
+  (normalize (s, x)).1
+/-- Shorthand for the second component of `normalize`. -/
+noncomputable abbrev normalizeCoeffs (s : Constraint) (x : Coeffs) : Coeffs :=
+  (normalize (s, x)).2
+
+theorem normalize?_eq_some (w : normalize? (s, x) = some (s', x')) :
+    normalizeConstraint s x = s' ∧ normalizeCoeffs s x = x' := by
+  simp_all [normalizeConstraint, normalizeCoeffs, normalize]
+
+theorem normalize_sat {s x v} (w : s.sat' x v) :
+    (normalizeConstraint s x).sat' (normalizeCoeffs s x) v := by
+  dsimp [normalizeConstraint, normalizeCoeffs, normalize, normalize?]
+  split <;> rename_i h
+  · split
+    · simp
+    · dsimp [Constraint.sat'] at w
+      simp_all
+  · split
+    · exact w
+    · exact Constraint.div_sat' h w
+
+/-- Multiply by `-1` if the leading coefficient is negative, otherwise return `none`. -/
+def positivize? : Constraint × Coeffs → Option (Constraint × Coeffs)
+  | ⟨s, x⟩ =>
+    if 0 ≤ x.leading then
+      none
+    else
+      (s.neg, Coeffs.smul x (-1))
+
+/-- Multiply by `-1` if the leading coefficient is negative, otherwise do nothing. -/
+noncomputable def positivize (p : Constraint × Coeffs) : Constraint × Coeffs :=
+  positivize? p |>.getD p
+
+/-- Shorthand for the first component of `positivize`. -/
+noncomputable abbrev positivizeConstraint (s : Constraint) (x : Coeffs) : Constraint :=
+  (positivize (s, x)).1
+/-- Shorthand for the second component of `positivize`. -/
+noncomputable abbrev positivizeCoeffs (s : Constraint) (x : Coeffs) : Coeffs :=
+  (positivize (s, x)).2
+
+theorem positivize?_eq_some (w : positivize? (s, x) = some (s', x')) :
+    positivizeConstraint s x = s' ∧ positivizeCoeffs s x = x' := by
+  simp_all [positivizeConstraint, positivizeCoeffs, positivize]
+
+theorem positivize_sat {s x v} (w : s.sat' x v) :
+    (positivizeConstraint s x).sat' (positivizeCoeffs s x) v := by
+  dsimp [positivizeConstraint, positivizeCoeffs, positivize, positivize?]
+  split
+  · exact w
+  · simp [Constraint.sat']
+    erw [Coeffs.dot_smul_left, ← Int.neg_eq_neg_one_mul]
+    exact Constraint.neg_sat w
+
+/-- `positivize` and `normalize`, returning `none` if neither does anything. -/
+def tidy? : Constraint × Coeffs → Option (Constraint × Coeffs)
+  | ⟨s, x⟩ =>
+    match positivize? (s, x) with
+    | none => match normalize? (s, x) with
+      | none => none
+      | some (s', x') => some (s', x')
+    | some (s', x') => normalize (s', x')
+
+/-- `positivize` and `normalize` -/
+def tidy (p : Constraint × Coeffs) : Constraint × Coeffs :=
+  tidy? p |>.getD p
+
+/-- Shorthand for the first component of `tidy`. -/
+abbrev tidyConstraint (s : Constraint) (x : Coeffs) : Constraint := (tidy (s, x)).1
+/-- Shorthand for the second component of `tidy`. -/
+abbrev tidyCoeffs (s : Constraint) (x : Coeffs) : Coeffs := (tidy (s, x)).2
+
+theorem tidy_sat {s x v} (w : s.sat' x v) : (tidyConstraint s x).sat' (tidyCoeffs s x) v := by
+  dsimp [tidyConstraint, tidyCoeffs, tidy, tidy?]
+  split <;> rename_i hp
+  · split <;> rename_i hn
+    · simp_all
+    · rcases normalize?_eq_some hn with ⟨rfl, rfl⟩
+      exact normalize_sat w
+  · rcases positivize?_eq_some hp with ⟨rfl, rfl⟩
+    exact normalize_sat (positivize_sat w)
+
+theorem combo_sat' (s t : Constraint)
+    (a : Int) (x : Coeffs) (b : Int) (y : Coeffs) (v : Coeffs)
+    (wx : s.sat' x v) (wy : t.sat' y v) :
+    (Constraint.combo a s b t).sat' (Coeffs.combo a x b y) v := by
+  rw [Constraint.sat', Coeffs.combo_eq_smul_add_smul, Coeffs.dot_distrib_left,
+    Coeffs.dot_smul_left, Coeffs.dot_smul_left]
+  exact Constraint.combo_sat a wx b wy
+
+/-- The value of the new variable introduced when solving a hard equality. -/
+abbrev bmod_div_term (m : Nat) (a b : Coeffs) : Int := Coeffs.bmod_dot_sub_dot_bmod m a b / m
+
+/-- The coefficients of the new equation generated when solving a hard equality. -/
+def bmod_coeffs (m : Nat) (i : Nat) (x : Coeffs) : Coeffs :=
+  Coeffs.set (Coeffs.bmod x m) i m
+
+theorem bmod_sat (m : Nat) (r : Int) (i : Nat) (x v : Coeffs)
+    (h : x.length ≤ i)  -- during proof reconstruction this will be by `decide`
+    (p : Coeffs.get v i = bmod_div_term m x v) -- and this will be by `rfl`
+    (w : (Constraint.exact r).sat' x v) :
+    (Constraint.exact (Int.bmod r m)).sat' (bmod_coeffs m i x) v := by
+  simp at w
+  simp only [p, bmod_coeffs, Constraint.exact_sat, Coeffs.dot_set_left, decide_eq_true_eq]
+  replace h := Nat.le_trans (Coeffs.bmod_length x m) h
+  rw [Coeffs.get_of_length_le h, Int.sub_zero,
+    Int.mul_ediv_cancel' (Coeffs.dvd_bmod_dot_sub_dot_bmod _ _ _), w,
+    ← Int.add_sub_assoc, Int.add_comm, Int.add_sub_assoc, Int.sub_self, Int.add_zero]
+
+end Lean.Omega

src/Init/Omega/Int.lean

@@ -0,0 +1,174 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Scott Morrison
+-/
+prelude
+import Init.Data.Int.Order
+
+/-!
+# Lemmas about `Nat` and `Int` needed internally by `omega`.
+
+These statements are useful for constructing proof expressions,
+but unlikely to be widely useful, so are inside the `Std.Tactic.Omega` namespace.
+
+If you do find a use for them, please move them into the appropriate file and namespace!
+-/
+
+namespace Lean.Omega
+
+namespace Int
+
+theorem ofNat_pow (a b : Nat) : ((a ^ b : Nat) : Int) = (a : Int) ^ b := by
+  induction b with
+  | zero => rfl
+  | succ b ih => rw [Nat.pow_succ, Int.ofNat_mul, ih]; rfl
+
+theorem pos_pow_of_pos (a : Int) (b : Nat) (h : 0 < a) : 0 < a ^ b := by
+  rw [Int.eq_natAbs_of_zero_le (Int.le_of_lt h), ← Int.ofNat_zero, ← Int.ofNat_pow, Int.ofNat_lt]
+  exact Nat.pos_pow_of_pos _ (Int.natAbs_pos.mpr (Int.ne_of_gt h))
+
+theorem ofNat_pos {a : Nat} : 0 < (a : Int) ↔ 0 < a := by
+  rw [← Int.ofNat_zero, Int.ofNat_lt]
+
+theorem ofNat_pos_of_pos {a : Nat} (h : 0 < a) : 0 < (a : Int) :=
+  ofNat_pos.mpr h
+
+theorem natCast_ofNat {x : Nat} :
+    @Nat.cast Int instNatCastInt (no_index (OfNat.ofNat x)) = OfNat.ofNat x := rfl
+
+theorem ofNat_lt_of_lt {x y : Nat} (h : x < y) : (x : Int) < (y : Int) :=
+  Int.ofNat_lt.mpr h
+
+theorem ofNat_le_of_le {x y : Nat} (h : x ≤ y) : (x : Int) ≤ (y : Int) :=
+  Int.ofNat_le.mpr h
+
+-- FIXME these are insane:
+theorem lt_of_not_ge {x y : Int} (h : ¬ (x ≤ y)) : y < x := Int.not_le.mp h
+theorem lt_of_not_le {x y : Int} (h : ¬ (x ≤ y)) : y < x := Int.not_le.mp h
+theorem not_le_of_lt {x y : Int} (h : y < x) : ¬ (x ≤ y) := Int.not_le.mpr h
+theorem lt_le_asymm {x y : Int} (h₁ : y < x) (h₂ : x ≤ y) : False := Int.not_le.mpr h₁ h₂
+theorem le_lt_asymm {x y : Int} (h₁ : y ≤ x) (h₂ : x < y) : False := Int.not_lt.mpr h₁ h₂
+
+theorem le_of_not_gt {x y : Int} (h : ¬ (y > x)) : y ≤ x := Int.not_lt.mp h
+theorem not_lt_of_ge {x y : Int} (h : y ≥ x) : ¬ (y < x) := Int.not_lt.mpr h
+theorem le_of_not_lt {x y : Int} (h : ¬ (x < y)) : y ≤ x := Int.not_lt.mp h
+theorem not_lt_of_le {x y : Int} (h : y ≤ x) : ¬ (x < y) := Int.not_lt.mpr h
+
+theorem add_congr {a b c d : Int} (h₁ : a = b) (h₂ : c = d) : a + c = b + d := by
+  subst h₁; subst h₂; rfl
+
+theorem mul_congr {a b c d : Int} (h₁ : a = b) (h₂ : c = d) : a * c = b * d := by
+  subst h₁; subst h₂; rfl
+
+theorem mul_congr_left {a b : Int} (h₁ : a = b)  (c : Int) : a * c = b * c := by
+  subst h₁; rfl
+
+theorem sub_congr {a b c d : Int} (h₁ : a = b) (h₂ : c = d) : a - c = b - d := by
+  subst h₁; subst h₂; rfl
+
+theorem neg_congr {a b : Int} (h₁ : a = b) : -a = -b := by
+  subst h₁; rfl
+
+theorem lt_of_gt {x y : Int} (h : x > y) : y < x := gt_iff_lt.mp h
+theorem le_of_ge {x y : Int} (h : x ≥ y) : y ≤ x := ge_iff_le.mp h
+
+theorem ofNat_sub_eq_zero {b a : Nat} (h : ¬ b ≤ a) : ((a - b : Nat) : Int) = 0 :=
+  Int.ofNat_eq_zero.mpr (Nat.sub_eq_zero_of_le (Nat.le_of_lt (Nat.not_le.mp h)))
+
+theorem ofNat_sub_dichotomy {a b : Nat} :
+    b ≤ a ∧ ((a - b : Nat) : Int) = a - b ∨ a < b ∧ ((a - b : Nat) : Int) = 0 := by
+  by_cases h : b ≤ a
+  · left
+    have t := Int.ofNat_sub h
+    simp at t
+    exact ⟨h, t⟩
+  · right
+    have t := Nat.not_le.mp h
+    simp [Int.ofNat_sub_eq_zero h]
+    exact t
+
+theorem ofNat_congr {a b : Nat} (h : a = b) : (a : Int) = (b : Int) := congrArg _ h
+
+theorem ofNat_sub_sub {a b c : Nat} : ((a - b - c : Nat) : Int) = ((a - (b + c) : Nat) : Int) :=
+  congrArg _ (Nat.sub_sub _ _ _)
+
+theorem ofNat_min (a b : Nat) : ((min a b : Nat) : Int) = min (a : Int) (b : Int) := by
+  simp only [Nat.min_def, Int.min_def, Int.ofNat_le]
+  split <;> rfl
+
+theorem ofNat_max (a b : Nat) : ((max a b : Nat) : Int) = max (a : Int) (b : Int) := by
+  simp only [Nat.max_def, Int.max_def, Int.ofNat_le]
+  split <;> rfl
+
+theorem ofNat_natAbs (a : Int) : (a.natAbs : Int) = if 0 ≤ a then a else -a := by
+  rw [Int.natAbs]
+  split <;> rename_i n
+  · simp only [Int.ofNat_eq_coe]
+    rw [if_pos (Int.ofNat_nonneg n)]
+  · simp; rfl
+
+theorem natAbs_dichotomy {a : Int} : 0 ≤ a ∧ a.natAbs = a ∨ a < 0 ∧ a.natAbs = -a := by
+  by_cases h : 0 ≤ a
+  · left
+    simp_all [Int.natAbs_of_nonneg]
+  · right
+    rw [Int.not_le] at h
+    rw [Int.ofNat_natAbs_of_nonpos (Int.le_of_lt h)]
+    simp_all
+
+theorem neg_le_natAbs {a : Int} : -a ≤ a.natAbs := by
+  have t := Int.le_natAbs (a := -a)
+  simp at t
+  exact t
+
+theorem add_le_iff_le_sub (a b c : Int) : a + b ≤ c ↔ a ≤ c - b := by
+  conv =>
+    lhs
+    rw [← Int.add_zero c, ← Int.sub_self (-b), Int.sub_eq_add_neg, ← Int.add_assoc, Int.neg_neg,
+      Int.add_le_add_iff_right]
+
+theorem le_add_iff_sub_le (a b c : Int) : a ≤ b + c ↔ a - c ≤ b := by
+  conv =>
+    lhs
+    rw [← Int.neg_neg c, ← Int.sub_eq_add_neg, ← add_le_iff_le_sub]
+
+theorem add_le_zero_iff_le_neg (a b : Int) : a + b ≤ 0 ↔ a ≤ - b := by
+  rw [add_le_iff_le_sub, Int.zero_sub]
+theorem add_le_zero_iff_le_neg' (a b : Int) : a + b ≤ 0 ↔ b ≤ -a := by
+  rw [Int.add_comm, add_le_zero_iff_le_neg]
+theorem add_nonnneg_iff_neg_le (a b : Int) : 0 ≤ a + b ↔ -b ≤ a := by
+  rw [le_add_iff_sub_le, Int.zero_sub]
+theorem add_nonnneg_iff_neg_le' (a b : Int) : 0 ≤ a + b ↔ -a ≤ b := by
+  rw [Int.add_comm, add_nonnneg_iff_neg_le]
+
+theorem ofNat_fst_mk {β} {x : Nat} {y : β} : (Prod.mk x y).fst = (x : Int) := rfl
+theorem ofNat_snd_mk {α} {x : α} {y : Nat} : (Prod.mk x y).snd = (y : Int) := rfl
+
+
+end Int
+
+namespace Nat
+
+theorem lt_of_gt {x y : Nat} (h : x > y) : y < x := gt_iff_lt.mp h
+theorem le_of_ge {x y : Nat} (h : x ≥ y) : y ≤ x := ge_iff_le.mp h
+
+end Nat
+
+namespace Prod
+
+theorem of_lex (w : Prod.Lex r s p q) : r p.fst q.fst ∨ p.fst = q.fst ∧ s p.snd q.snd :=
+  (Prod.lex_def r s).mp w
+
+theorem of_not_lex {α} {r : α → α → Prop} [DecidableEq α] {β} {s : β → β → Prop}
+    {p q : α × β} (w : ¬ Prod.Lex r s p q) :
+    ¬ r p.fst q.fst ∧ (p.fst ≠ q.fst ∨ ¬ s p.snd q.snd) := by
+  rw [Prod.lex_def, not_or, Decidable.not_and_iff_or_not_not] at w
+  exact w
+
+theorem fst_mk : (Prod.mk x y).fst = x := rfl
+theorem snd_mk : (Prod.mk x y).snd = y := rfl
+
+end Prod
+
+end Lean.Omega

src/Init/Omega/IntList.lean

@@ -0,0 +1,412 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Scott Morrison
+-/
+prelude
+import Init.Data.List.Lemmas
+
+namespace Lean.Omega
+
+/--
+A type synonym for `List Int`, used by `omega` for dense representation of coefficients.
+
+We define algebraic operations,
+interpreting `List Int` as a finitely supported function `Nat → Int`.
+-/
+abbrev IntList := List Int
+
+namespace IntList
+
+/-- Get the `i`-th element (interpreted as `0` if the list is not long enough). -/
+def get (xs : IntList) (i : Nat) : Int := (xs.get? i).getD 0
+
+@[simp] theorem get_nil : get ([] : IntList) i = 0 := rfl
+@[simp] theorem get_cons_zero : get (x :: xs) 0 = x := rfl
+@[simp] theorem get_cons_succ : get (x :: xs) (i+1) = get xs i := rfl
+
+theorem get_map {xs : IntList} (h : f 0 = 0) : get (xs.map f) i = f (xs.get i) := by
+  simp only [get, List.get?_map]
+  cases xs.get? i <;> simp_all
+
+theorem get_of_length_le {xs : IntList} (h : xs.length ≤ i) : xs.get i = 0 := by
+  rw [get, List.get?_eq_none.mpr h]
+  rfl
+
+-- theorem lt_length_of_get_nonzero {xs : IntList} (h : xs.get i ≠ 0) : i < xs.length := by
+--   revert h
+--   simpa using mt get_of_length_le
+
+/-- Like `List.set`, but right-pad with zeroes as necessary first. -/
+def set (xs : IntList) (i : Nat) (y : Int) : IntList :=
+  match xs, i with
+  | [], 0 => [y]
+  | [], (i+1) => 0 :: set [] i y
+  | _ :: xs, 0 => y :: xs
+  | x :: xs, (i+1) => x :: set xs i y
+
+@[simp] theorem set_nil_zero : set [] 0 y = [y] := rfl
+@[simp] theorem set_nil_succ : set [] (i+1) y = 0 :: set [] i y := rfl
+@[simp] theorem set_cons_zero : set (x :: xs) 0 y = y :: xs := rfl
+@[simp] theorem set_cons_succ : set (x :: xs) (i+1) y = x :: set xs i y := rfl
+
+/-- Returns the leading coefficient, i.e. the first non-zero entry. -/
+def leading (xs : IntList) : Int := xs.find? (! · == 0) |>.getD 0
+
+/-- Implementation of `+` on `IntList`. -/
+def add (xs ys : IntList) : IntList :=
+  List.zipWithAll (fun x y => x.getD 0 + y.getD 0) xs ys
+
+instance : Add IntList := ⟨add⟩
+
+theorem add_def (xs ys : IntList) :
+    xs + ys = List.zipWithAll (fun x y => x.getD 0 + y.getD 0) xs ys :=
+  rfl
+
+@[simp] theorem add_get (xs ys : IntList) (i : Nat) : (xs + ys).get i = xs.get i + ys.get i := by
+  simp only [add_def, get, List.zipWithAll_get?, List.get?_eq_none]
+  cases xs.get? i <;> cases ys.get? i <;> simp
+
+@[simp] theorem add_nil (xs : IntList) : xs + [] = xs := by simp [add_def]
+@[simp] theorem nil_add (xs : IntList) : [] + xs = xs := by simp [add_def]
+@[simp] theorem cons_add_cons (x) (xs : IntList) (y) (ys : IntList) :
+    (x :: xs) + (y :: ys) = (x + y) :: (xs + ys) := by simp [add_def]
+
+/-- Implementation of `*` on `IntList`. -/
+def mul (xs ys : IntList) : IntList := List.zipWith (· * ·) xs ys
+
+instance : Mul IntList := ⟨mul⟩
+
+theorem mul_def (xs ys : IntList) : xs * ys = List.zipWith (· * ·) xs ys :=
+  rfl
+
+@[simp] theorem mul_get (xs ys : IntList) (i : Nat) : (xs * ys).get i = xs.get i * ys.get i := by
+  simp only [mul_def, get, List.zipWith_get?]
+  cases xs.get? i <;> cases ys.get? i <;> simp
+
+@[simp] theorem mul_nil_left : ([] : IntList) * ys = [] := rfl
+@[simp] theorem mul_nil_right : xs * ([] : IntList) = [] := List.zipWith_nil_right
+@[simp] theorem mul_cons₂ : (x::xs : IntList) * (y::ys) = (x * y) :: (xs * ys) := rfl
+
+/-- Implementation of negation on `IntList`. -/
+def neg (xs : IntList) : IntList := xs.map fun x => -x
+
+instance : Neg IntList := ⟨neg⟩
+
+theorem neg_def (xs : IntList) : - xs = xs.map fun x => -x := rfl
+
+@[simp] theorem neg_get (xs : IntList) (i : Nat) : (- xs).get i = - xs.get i := by
+  simp only [neg_def, get, List.get?_map]
+  cases xs.get? i <;> simp
+
+@[simp] theorem neg_nil : (- ([] : IntList)) = [] := rfl
+@[simp] theorem neg_cons : (- (x::xs : IntList)) = -x :: -xs := rfl
+
+/-- Implementation of subtraction on `IntList`. -/
+def sub (xs ys : IntList) : IntList :=
+  List.zipWithAll (fun x y => x.getD 0 - y.getD 0) xs ys
+
+instance : Sub IntList := ⟨sub⟩
+
+theorem sub_def (xs ys : IntList) :
+    xs - ys = List.zipWithAll (fun x y => x.getD 0 - y.getD 0) xs ys :=
+  rfl
+
+/-- Implementation of scalar multiplication by an integer on `IntList`. -/
+def smul (xs : IntList) (i : Int) : IntList :=
+  xs.map fun x => i * x
+
+instance : HMul Int IntList IntList where
+  hMul i xs := xs.smul i
+
+theorem smul_def (xs : IntList) (i : Int) : i * xs = xs.map fun x => i * x := rfl
+
+@[simp] theorem smul_get (xs : IntList) (a : Int) (i : Nat) : (a * xs).get i = a * xs.get i := by
+  simp only [smul_def, get, List.get?_map]
+  cases xs.get? i <;> simp
+
+@[simp] theorem smul_nil {i : Int} : i * ([] : IntList) = [] := rfl
+@[simp] theorem smul_cons {i : Int} : i * (x::xs : IntList) = i * x :: i * xs := rfl
+
+/-- A linear combination of two `IntList`s. -/
+def combo (a : Int) (xs : IntList) (b : Int) (ys : IntList) : IntList :=
+  List.zipWithAll (fun x y => a * x.getD 0 + b * y.getD 0) xs ys
+
+theorem combo_eq_smul_add_smul (a : Int) (xs : IntList) (b : Int) (ys : IntList) :
+    combo a xs b ys = a * xs + b * ys := by
+  dsimp [combo]
+  induction xs generalizing ys with
+  | nil => simp; rfl
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp; rfl
+    | cons y ys => simp_all
+
+attribute [local simp] add_def mul_def in
+theorem mul_distrib_left (xs ys zs : IntList) : (xs + ys) * zs = xs * zs + ys * zs := by
+  induction xs generalizing ys zs with
+  | nil =>
+    cases ys with
+    | nil => simp
+    | cons _ _ =>
+      cases zs with
+      | nil => simp
+      | cons _ _ => simp_all [Int.add_mul]
+  | cons x xs ih₁ =>
+    cases ys with
+    | nil => simp_all
+    | cons _ _ =>
+      cases zs with
+      | nil => simp
+      | cons _ _ => simp_all [Int.add_mul]
+
+theorem mul_neg_left (xs ys : IntList) : (-xs) * ys = -(xs * ys) := by
+  induction xs generalizing ys with
+  | nil => simp
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys => simp_all [Int.neg_mul]
+
+attribute [local simp] add_def neg_def sub_def in
+theorem sub_eq_add_neg (xs ys : IntList) : xs - ys = xs + (-ys) := by
+  induction xs generalizing ys with
+  | nil => simp; rfl
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys => simp_all [Int.sub_eq_add_neg]
+
+@[simp] theorem mul_smul_left {i : Int} {xs ys : IntList} : (i * xs) * ys = i * (xs * ys) := by
+  induction xs generalizing ys with
+  | nil => simp
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys => simp_all [Int.mul_assoc]
+
+/-- The sum of the entries of an `IntList`. -/
+def sum (xs : IntList) : Int := xs.foldr (· + ·) 0
+
+@[simp] theorem sum_nil : sum ([] : IntList) = 0 := rfl
+@[simp] theorem sum_cons : sum (x::xs : IntList) = x + sum xs := rfl
+
+attribute [local simp] sum add_def in
+theorem sum_add (xs ys : IntList) : (xs + ys).sum = xs.sum + ys.sum := by
+  induction xs generalizing ys with
+  | nil => simp
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys => simp_all [Int.add_assoc, Int.add_left_comm]
+
+@[simp]
+theorem sum_neg (xs : IntList) : (-xs).sum = -(xs.sum) := by
+  induction xs with
+  | nil => simp
+  | cons x xs ih => simp_all [Int.neg_add]
+
+@[simp]
+theorem sum_smul (i : Int) (xs : IntList) : (i * xs).sum = i * (xs.sum) := by
+  induction xs with
+  | nil => simp
+  | cons x xs ih => simp_all [Int.mul_add]
+
+/-- The dot product of two `IntList`s. -/
+def dot (xs ys : IntList) : Int := (xs * ys).sum
+
+example : IntList.dot [a, b, c] [x, y, z] = IntList.dot [a, b, c, d] [x, y, z] := rfl
+example : IntList.dot [a, b, c] [x, y, z] = IntList.dot [a, b, c] [x, y, z, w] := rfl
+
+@[local simp] theorem dot_nil_left : dot ([] : IntList) ys = 0 := rfl
+@[simp] theorem dot_nil_right : dot xs ([] : IntList) = 0 := by simp [dot]
+@[simp] theorem dot_cons₂ : dot (x::xs) (y::ys) = x * y + dot xs ys := rfl
+
+-- theorem dot_comm (xs ys : IntList) : dot xs ys = dot ys xs := by
+--   rw [dot, dot, mul_comm]
+
+@[simp] theorem dot_set_left (xs ys : IntList) (i : Nat) (z : Int) :
+    dot (xs.set i z) ys = dot xs ys + (z - xs.get i) * ys.get i := by
+  induction xs generalizing i ys with
+  | nil =>
+    induction i generalizing ys with
+    | zero => cases ys <;> simp
+    | succ i => cases ys <;> simp_all
+  | cons x xs ih =>
+    induction i generalizing ys with
+    | zero =>
+      cases ys with
+      | nil => simp
+      | cons y ys =>
+        simp only [Nat.zero_eq, set_cons_zero, dot_cons₂, get_cons_zero, Int.sub_mul]
+        rw [Int.add_right_comm, Int.add_comm (x * y), Int.sub_add_cancel]
+    | succ i =>
+      cases ys with
+      | nil => simp
+      | cons y ys => simp_all [Int.add_assoc]
+
+theorem dot_distrib_left (xs ys zs : IntList) : (xs + ys).dot zs = xs.dot zs + ys.dot zs := by
+  simp [dot, mul_distrib_left, sum_add]
+
+@[simp] theorem dot_neg_left (xs ys : IntList) : (-xs).dot ys = -(xs.dot ys) := by
+  simp [dot, mul_neg_left]
+
+@[simp] theorem dot_smul_left (xs ys : IntList) (i : Int) : (i * xs).dot ys = i * xs.dot ys := by
+  simp [dot]
+
+theorem dot_of_left_zero (w : ∀ x, x ∈ xs → x = 0) : dot xs ys = 0 := by
+  induction xs generalizing ys with
+  | nil => simp
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys =>
+      rw [dot_cons₂, w x (by simp), ih]
+      · simp
+      · intro x m
+        apply w
+        exact List.mem_cons_of_mem _ m
+
+/-- Division of an `IntList` by a integer. -/
+def sdiv (xs : IntList) (g : Int) : IntList := xs.map fun x => x / g
+
+@[simp] theorem sdiv_nil : sdiv [] g = [] := rfl
+@[simp] theorem sdiv_cons : sdiv (x::xs) g = (x / g) :: sdiv xs g := rfl
+
+/-- The gcd of the absolute values of the entries of an `IntList`. -/
+def gcd (xs : IntList) : Nat := xs.foldr (fun x g => Nat.gcd x.natAbs g) 0
+
+@[simp] theorem gcd_nil : gcd [] = 0 := rfl
+@[simp] theorem gcd_cons : gcd (x :: xs) = Nat.gcd x.natAbs (gcd xs) := rfl
+
+theorem gcd_cons_div_left : (gcd (x::xs) : Int) ∣ x := by
+  simp only [gcd, List.foldr_cons, Int.ofNat_dvd_left]
+  apply Nat.gcd_dvd_left
+
+theorem gcd_cons_div_right : gcd (x::xs) ∣ gcd xs := by
+  simp only [gcd, List.foldr_cons]
+  apply Nat.gcd_dvd_right
+
+theorem gcd_cons_div_right' : (gcd (x::xs) : Int) ∣ (gcd xs : Int) := by
+  rw [Int.ofNat_dvd_left, Int.natAbs_ofNat]
+  exact gcd_cons_div_right
+
+theorem gcd_dvd (xs : IntList) {a : Int} (m : a ∈ xs) : (xs.gcd : Int) ∣ a := by
+  rw [Int.ofNat_dvd_left]
+  induction m with
+  | head =>
+    simp only [gcd_cons]
+    apply Nat.gcd_dvd_left
+  | tail b m ih =>   -- FIXME: why is the argument of tail implicit?
+    simp only [gcd_cons]
+    exact Nat.dvd_trans (Nat.gcd_dvd_right _ _) ih
+
+theorem dvd_gcd (xs : IntList) (c : Nat) (w : ∀ {a : Int}, a ∈ xs → (c : Int) ∣ a) :
+    c ∣ xs.gcd := by
+  simp only [Int.ofNat_dvd_left] at w
+  induction xs with
+  | nil => have := Nat.dvd_zero c; simp at this; exact this
+  | cons x xs ih =>
+    simp
+    apply Nat.dvd_gcd
+    · apply w
+      simp
+    · apply ih
+      intro b m
+      apply w
+      exact List.mem_cons_of_mem x m
+
+theorem gcd_eq_iff (xs : IntList) (g : Nat) :
+    xs.gcd = g ↔
+      (∀ {a : Int}, a ∈ xs → (g : Int) ∣ a) ∧
+        (∀ (c : Nat), (∀ {a : Int}, a ∈ xs → (c : Int) ∣ a) → c ∣ g) := by
+  constructor
+  · rintro rfl
+    exact ⟨gcd_dvd _, dvd_gcd _⟩
+  · rintro ⟨hi, hg⟩
+    apply Nat.dvd_antisymm
+    · apply hg
+      intro i m
+      exact gcd_dvd xs m
+    · exact dvd_gcd xs g hi
+
+attribute [simp] Int.zero_dvd
+
+@[simp] theorem gcd_eq_zero (xs : IntList) : xs.gcd = 0 ↔ ∀ x, x ∈ xs → x = 0 := by
+  simp [gcd_eq_iff, Nat.dvd_zero]
+
+@[simp] theorem dot_mod_gcd_left (xs ys : IntList) : dot xs ys % xs.gcd = 0 := by
+  induction xs generalizing ys with
+  | nil => simp
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys =>
+      rw [dot_cons₂, Int.add_emod,
+        ← Int.emod_emod_of_dvd (x * y) (gcd_cons_div_left),
+        ← Int.emod_emod_of_dvd (dot xs ys) (Int.ofNat_dvd.mpr gcd_cons_div_right)]
+      simp_all
+
+theorem gcd_dvd_dot_left (xs ys : IntList) : (xs.gcd : Int) ∣ dot xs ys :=
+  Int.dvd_of_emod_eq_zero (dot_mod_gcd_left xs ys)
+
+@[simp]
+theorem dot_eq_zero_of_left_eq_zero {xs ys : IntList} (h : ∀ x, x ∈ xs → x = 0) : dot xs ys = 0 := by
+  induction xs generalizing ys with
+  | nil => rfl
+  | cons x xs ih =>
+    cases ys with
+    | nil => rfl
+    | cons y ys =>
+      rw [dot_cons₂, h x (List.mem_cons_self _ _), ih (fun x m => h x (List.mem_cons_of_mem _ m)),
+        Int.zero_mul, Int.add_zero]
+
+theorem dot_sdiv_left (xs ys : IntList) {d : Int} (h : d ∣ xs.gcd) :
+    dot (xs.sdiv d) ys = (dot xs ys) / d := by
+  induction xs generalizing ys with
+  | nil => simp
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys =>
+      have wx : d ∣ x := Int.dvd_trans h (gcd_cons_div_left)
+      have wxy : d ∣ x * y := Int.dvd_trans wx (Int.dvd_mul_right x y)
+      have w : d ∣ (IntList.gcd xs : Int) := Int.dvd_trans h (gcd_cons_div_right')
+      simp_all [Int.add_ediv_of_dvd_left, Int.mul_ediv_assoc']
+
+/-- Apply "balanced mod" to each entry in an `IntList`. -/
+abbrev bmod (x : IntList) (m : Nat) : IntList := x.map (Int.bmod · m)
+
+theorem bmod_length (x : IntList) (m) : (bmod x m).length ≤ x.length :=
+  Nat.le_of_eq (List.length_map _ _)
+
+/--
+The difference between the balanced mod of a dot product,
+and the dot product with balanced mod applied to each entry of the left factor.
+-/
+abbrev bmod_dot_sub_dot_bmod (m : Nat) (a b : IntList) : Int :=
+    (Int.bmod (dot a b) m) - dot (bmod a m) b
+
+theorem dvd_bmod_dot_sub_dot_bmod (m : Nat) (xs ys : IntList) :
+    (m : Int) ∣ bmod_dot_sub_dot_bmod m xs ys := by
+  dsimp [bmod_dot_sub_dot_bmod]
+  rw [Int.dvd_iff_emod_eq_zero]
+  induction xs generalizing ys with
+  | nil => simp
+  | cons x xs ih =>
+    cases ys with
+    | nil => simp
+    | cons y ys =>
+      simp only [IntList.dot_cons₂, List.map_cons]
+      specialize ih ys
+      rw [Int.sub_emod, Int.bmod_emod] at ih
+      rw [Int.sub_emod, Int.bmod_emod, Int.add_emod, Int.add_emod (Int.bmod x m * y),
+        ← Int.sub_emod, ← Int.sub_sub, Int.sub_eq_add_neg, Int.sub_eq_add_neg,
+        Int.add_assoc (x * y % m), Int.add_comm (IntList.dot _ _ % m), ← Int.add_assoc,
+        Int.add_assoc, ← Int.sub_eq_add_neg, ← Int.sub_eq_add_neg, Int.add_emod, ih, Int.add_zero,
+        Int.emod_emod, Int.mul_emod, Int.mul_emod (Int.bmod x m), Int.bmod_emod, Int.sub_self,
+        Int.zero_emod]
+
+end IntList
+
+end Lean.Omega

src/Init/Omega/LinearCombo.lean

@@ -0,0 +1,178 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Scott Morrison
+-/
+prelude
+import Init.Omega.Coeffs
+
+/-!
+# Linear combinations
+
+We use this data structure while processing hypotheses.
+
+-/
+
+namespace Lean.Omega
+
+/-- Internal representation of a linear combination of atoms, and a constant term. -/
+structure LinearCombo where
+  /-- Constant term. -/
+  const : Int := 0
+  /-- Coefficients of the atoms. -/
+  coeffs : Coeffs := []
+deriving DecidableEq, Repr
+
+namespace LinearCombo
+
+instance : ToString LinearCombo where
+  toString lc :=
+    s!"{lc.const}{String.join <| lc.coeffs.toList.enum.map fun ⟨i, c⟩ => s!" + {c} * x{i+1}"}"
+
+instance : Inhabited LinearCombo := ⟨{const := 1}⟩
+
+theorem ext {a b : LinearCombo} (w₁ : a.const = b.const) (w₂ : a.coeffs = b.coeffs) :
+    a = b := by
+  cases a; cases b
+  subst w₁; subst w₂
+  congr
+
+/--
+Evaluate a linear combination `⟨r, [c_1, …, c_k]⟩` at values `[v_1, …, v_k]` to obtain
+`r + (c_1 * x_1 + (c_2 * x_2 + ... (c_k * x_k + 0))))`.
+-/
+def eval (lc : LinearCombo) (values : Coeffs) : Int :=
+  lc.const + lc.coeffs.dot values
+
+@[simp] theorem eval_nil : (lc : LinearCombo).eval .nil = lc.const := by
+  simp [eval]
+
+/-- The `i`-th coordinate function. -/
+def coordinate (i : Nat) : LinearCombo where
+  const := 0
+  coeffs := Coeffs.set .nil i 1
+
+@[simp] theorem coordinate_eval (i : Nat) (v : Coeffs) :
+    (coordinate i).eval v = v.get i := by
+  simp [eval, coordinate]
+
+theorem coordinate_eval_0 : (coordinate 0).eval (.ofList (a0 :: t)) = a0 := by simp
+theorem coordinate_eval_1 : (coordinate 1).eval (.ofList (a0 :: a1 :: t)) = a1 := by simp
+theorem coordinate_eval_2 : (coordinate 2).eval (.ofList (a0 :: a1 :: a2 :: t)) = a2 := by simp
+theorem coordinate_eval_3 :
+    (coordinate 3).eval (.ofList (a0 :: a1 :: a2 :: a3 :: t)) = a3 := by simp
+theorem coordinate_eval_4 :
+    (coordinate 4).eval (.ofList (a0 :: a1 :: a2 :: a3 :: a4 :: t)) = a4 := by simp
+theorem coordinate_eval_5 :
+    (coordinate 5).eval (.ofList (a0 :: a1 :: a2 :: a3 :: a4 :: a5 :: t)) = a5 := by simp
+theorem coordinate_eval_6 :
+    (coordinate 6).eval (.ofList (a0 :: a1 :: a2 :: a3 :: a4 :: a5 :: a6 :: t)) = a6 := by simp
+theorem coordinate_eval_7 :
+    (coordinate 7).eval
+      (.ofList (a0 :: a1 :: a2 :: a3 :: a4 :: a5 :: a6 :: a7 :: t)) = a7 := by simp
+theorem coordinate_eval_8 :
+    (coordinate 8).eval
+      (.ofList (a0 :: a1 :: a2 :: a3 :: a4 :: a5 :: a6 :: a7 :: a8 :: t)) = a8 := by simp
+theorem coordinate_eval_9 :
+    (coordinate 9).eval
+      (.ofList (a0 :: a1 :: a2 :: a3 :: a4 :: a5 :: a6 :: a7 :: a8 :: a9 :: t)) = a9 := by simp
+
+/-- Implementation of addition on `LinearCombo`. -/
+def add (l₁ l₂ : LinearCombo) : LinearCombo where
+  const := l₁.const + l₂.const
+  coeffs := l₁.coeffs + l₂.coeffs
+
+instance : Add LinearCombo := ⟨add⟩
+
+@[simp] theorem add_const {l₁ l₂ : LinearCombo} : (l₁ + l₂).const = l₁.const + l₂.const := rfl
+@[simp] theorem add_coeffs {l₁ l₂ : LinearCombo} : (l₁ + l₂).coeffs = l₁.coeffs + l₂.coeffs := rfl
+
+/-- Implementation of subtraction on `LinearCombo`. -/
+def sub (l₁ l₂ : LinearCombo) : LinearCombo where
+  const := l₁.const - l₂.const
+  coeffs := l₁.coeffs - l₂.coeffs
+
+instance : Sub LinearCombo := ⟨sub⟩
+
+@[simp] theorem sub_const {l₁ l₂ : LinearCombo} : (l₁ - l₂).const = l₁.const - l₂.const := rfl
+@[simp] theorem sub_coeffs {l₁ l₂ : LinearCombo} : (l₁ - l₂).coeffs = l₁.coeffs - l₂.coeffs := rfl
+
+/-- Implementation of negation on `LinearCombo`. -/
+def neg (lc : LinearCombo) : LinearCombo where
+  const := -lc.const
+  coeffs := -lc.coeffs
+
+instance : Neg LinearCombo := ⟨neg⟩
+
+@[simp] theorem neg_const {l : LinearCombo} : (-l).const = -l.const := rfl
+@[simp] theorem neg_coeffs {l : LinearCombo} : (-l).coeffs = -l.coeffs  := rfl
+
+theorem sub_eq_add_neg (l₁ l₂ : LinearCombo) : l₁ - l₂ = l₁ + -l₂ := by
+  rcases l₁ with ⟨a₁, c₁⟩; rcases l₂ with ⟨a₂, c₂⟩
+  apply ext
+  · simp [Int.sub_eq_add_neg]
+  · simp [Coeffs.sub_eq_add_neg]
+
+/-- Implementation of scalar multiplication of a `LinearCombo` by an `Int`. -/
+def smul (lc : LinearCombo) (i : Int) : LinearCombo where
+  const := i * lc.const
+  coeffs := lc.coeffs.smul i
+
+instance : HMul Int LinearCombo LinearCombo := ⟨fun i lc => lc.smul i⟩
+
+@[simp] theorem smul_const {lc : LinearCombo} {i : Int} : (i * lc).const = i * lc.const := rfl
+@[simp] theorem smul_coeffs {lc : LinearCombo} {i : Int} : (i * lc).coeffs = i * lc.coeffs := rfl
+
+@[simp] theorem add_eval (l₁ l₂ : LinearCombo) (v : Coeffs) :
+    (l₁ + l₂).eval v = l₁.eval v + l₂.eval v := by
+  rcases l₁ with ⟨r₁, c₁⟩; rcases l₂ with ⟨r₂, c₂⟩
+  simp only [eval, add_const, add_coeffs, Int.add_assoc, Int.add_left_comm]
+  congr
+  exact Coeffs.dot_distrib_left c₁ c₂ v
+
+@[simp] theorem neg_eval (lc : LinearCombo) (v : Coeffs) : (-lc).eval v = - lc.eval v := by
+  rcases lc with ⟨a, coeffs⟩
+  simp [eval, Int.neg_add]
+
+@[simp] theorem sub_eval (l₁ l₂ : LinearCombo) (v : Coeffs) :
+    (l₁ - l₂).eval v = l₁.eval v - l₂.eval v := by
+  simp [sub_eq_add_neg, Int.sub_eq_add_neg]
+
+@[simp] theorem smul_eval (lc : LinearCombo) (i : Int) (v : Coeffs) :
+    (i * lc).eval v = i * lc.eval v := by
+  rcases lc with ⟨a, coeffs⟩
+  simp [eval, Int.mul_add]
+
+theorem smul_eval_comm (lc : LinearCombo) (i : Int) (v : Coeffs) :
+    (i * lc).eval v = lc.eval v * i := by
+  simp [Int.mul_comm]
+
+/--
+Multiplication of two linear combinations.
+This is useful only if at least one of the linear combinations is constant,
+and otherwise should be considered as a junk value.
+-/
+def mul (l₁ l₂ : LinearCombo) : LinearCombo :=
+  l₂.const * l₁ + l₁.const * l₂ - { const := l₁.const * l₂.const }
+
+theorem mul_eval_of_const_left (l₁ l₂ : LinearCombo) (v : Coeffs) (w : l₁.coeffs.isZero) :
+    (mul l₁ l₂).eval v = l₁.eval v * l₂.eval v := by
+  have : Coeffs.dot l₁.coeffs v = 0 := IntList.dot_of_left_zero w
+  simp [mul, eval, this, Coeffs.sub_eq_add_neg, Coeffs.dot_distrib_left, Int.add_mul, Int.mul_add,
+    Int.mul_comm]
+
+theorem mul_eval_of_const_right (l₁ l₂ : LinearCombo) (v : Coeffs) (w : l₂.coeffs.isZero) :
+    (mul l₁ l₂).eval v = l₁.eval v * l₂.eval v := by
+  have : Coeffs.dot l₂.coeffs v = 0 := IntList.dot_of_left_zero w
+  simp [mul, eval, this, Coeffs.sub_eq_add_neg, Coeffs.dot_distrib_left, Int.add_mul, Int.mul_add,
+    Int.mul_comm]
+
+theorem mul_eval (l₁ l₂ : LinearCombo) (v : Coeffs) (w : l₁.coeffs.isZero ∨ l₂.coeffs.isZero) :
+    (mul l₁ l₂).eval v = l₁.eval v * l₂.eval v := by
+  rcases w with w | w
+  · rw [mul_eval_of_const_left _ _ _ w]
+  · rw [mul_eval_of_const_right _ _ _ w]
+
+end LinearCombo
+
+end Lean.Omega

src/Init/Omega/Logic.lean

@@ -0,0 +1,50 @@
+/-
+Copyright (c) 2023 Lean FRO, LLC. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Scott Morrison
+-/
+prelude
+import Init.PropLemmas
+/-!
+# Specializations of basic logic lemmas
+
+These are useful for `omega` while constructing proofs, but not considered generally useful
+so are hidden in the `Std.Tactic.Omega` namespace.
+
+If you find yourself needing them elsewhere, please move them first to another file.
+-/
+
+namespace Lean.Omega
+
+theorem and_not_not_of_not_or (h : ¬ (p ∨ q)) : ¬ p ∧ ¬ q := not_or.mp h
+
+theorem Decidable.or_not_not_of_not_and [Decidable p] [Decidable q]
+    (h : ¬ (p ∧ q)) : ¬ p ∨ ¬ q :=
+  (Decidable.not_and_iff_or_not _ _).mp h
+
+theorem Decidable.and_or_not_and_not_of_iff {p q : Prop} [Decidable q] (h : p ↔ q) :
+    (p ∧ q) ∨ (¬p ∧ ¬q) := Decidable.iff_iff_and_or_not_and_not.mp h
+
+theorem Decidable.not_iff_iff_and_not_or_not_and [Decidable a] [Decidable b] :
+    (¬ (a ↔ b)) ↔ (a ∧ ¬ b) ∨ ((¬ a) ∧ b) :=
+  ⟨fun e => if hb : b then
+    .inr ⟨fun ha => e ⟨fun _ => hb, fun _ => ha⟩, hb⟩
+  else
+    .inl ⟨if ha : a then ha else False.elim (e ⟨fun ha' => absurd ha' ha, fun hb' => absurd hb' hb⟩), hb⟩,
+  Or.rec (And.rec fun ha nb w => nb (w.mp ha)) (And.rec fun na hb w => na (w.mpr hb))⟩
+
+theorem Decidable.and_not_or_not_and_of_not_iff [Decidable a] [Decidable b]
+    (h : ¬ (a ↔ b)) : a ∧ ¬b ∨ ¬a ∧ b :=
+  Decidable.not_iff_iff_and_not_or_not_and.mp h
+
+theorem Decidable.and_not_of_not_imp [Decidable a] (h : ¬(a → b)) : a ∧ ¬b :=
+  Decidable.not_imp_iff_and_not.mp h
+
+theorem ite_disjunction {α : Type u} {P : Prop} [Decidable P] {a b : α} :
+    (P ∧ (if P then a else b) = a) ∨ (¬ P ∧ (if P then a else b) = b) :=
+  if h : P then
+    .inl ⟨h, if_pos h⟩
+  else
+    .inr ⟨h, if_neg h⟩
+
+end Lean.Omega

src/Init/Prelude.lean

@@ -9,9 +9,9 @@ set_option linter.missingDocs true -- keep it documented
 /-!
 # Init.Prelude
 
-This is the first file in the lean import hierarchy. It is responsible for setting
-up basic definitions, most of which lean already has "built in knowledge" about,
-so it is important that they be set up in exactly this way. (For example, lean will
+This is the first file in the Lean import hierarchy. It is responsible for setting
+up basic definitions, most of which Lean already has "built in knowledge" about,
+so it is important that they be set up in exactly this way. (For example, Lean will
 use `PUnit` in the desugaring of `do` notation, or in the pattern match compiler.)
 
 -/
@@ -24,7 +24,7 @@ The identity function. `id` takes an implicit argument `α : Sort u`
 
 Although this may look like a useless function, one application of the identity
 function is to explicitly put a type on an expression. If `e` has type `T`,
-and `T'` is definitionally equal to `T`, then `@id T' e` typechecks, and lean
+and `T'` is definitionally equal to `T`, then `@id T' e` typechecks, and Lean
 knows that this expression has type `T'` rather than `T`. This can make a
 difference for typeclass inference, since `T` and `T'` may have different
 typeclass instances on them. `show T' from e` is sugar for an `@id T' e`
@@ -287,9 +287,9 @@ inductive Eq : α → α → Prop where
 same as `Eq.refl` except that it takes `a` implicitly instead of explicitly.
 
 This is a more powerful theorem than it may appear at first, because although
-the statement of the theorem is `a = a`, lean will allow anything that is
+the statement of the theorem is `a = a`, Lean will allow anything that is
 definitionally equal to that type. So, for instance, `2 + 2 = 4` is proven in
-lean by `rfl`, because both sides are the same up to definitional equality.
+Lean by `rfl`, because both sides are the same up to definitional equality.
 -/
 @[match_pattern] def rfl {α : Sort u} {a : α} : Eq a a := Eq.refl a
 
@@ -548,6 +548,11 @@ theorem Or.elim {c : Prop} (h : Or a b) (left : a → c) (right : b → c) : c :
   | Or.inl h => left h
   | Or.inr h => right h
 
+theorem Or.resolve_left  (h: Or a b) (na : Not a) : b := h.elim (absurd · na) id
+theorem Or.resolve_right (h: Or a b) (nb : Not b) : a := h.elim id (absurd · nb)
+theorem Or.neg_resolve_left  (h : Or (Not a) b) (ha : a) : b := h.elim (absurd ha) id
+theorem Or.neg_resolve_right (h : Or a (Not b)) (nb : b) : a := h.elim id (absurd nb)
+
 /--
 `Bool` is the type of boolean values, `true` and `false`. Classically,
 this is equivalent to `Prop` (the type of propositions), but the distinction
@@ -597,7 +602,7 @@ For example, the `Membership` class is defined as:
 class Membership (α : outParam (Type u)) (γ : Type v)
 ```
 This means that whenever a typeclass goal of the form `Membership ?α ?γ` comes
-up, lean will wait to solve it until `?γ` is known, but then it will run
+up, Lean will wait to solve it until `?γ` is known, but then it will run
 typeclass inference, and take the first solution it finds, for any value of `?α`,
 which thereby determines what `?α` should be.
 
@@ -712,13 +717,13 @@ nonempty, then `fun i => Classical.choice (h i) : ∀ i, α i` is a family of
 chosen elements. This is actually a bit stronger than the ZFC choice axiom;
 this is sometimes called "[global choice](https://en.wikipedia.org/wiki/Axiom_of_global_choice)".
 
-In lean, we use the axiom of choice to derive the law of excluded middle
+In Lean, we use the axiom of choice to derive the law of excluded middle
 (see `Classical.em`), so it will often show up in axiom listings where you
 may not expect. You can use `#print axioms my_thm` to find out if a given
 theorem depends on this or other axioms.
 
 This axiom can be used to construct "data", but obviously there is no algorithm
-to compute it, so lean will require you to mark any definition that would
+to compute it, so Lean will require you to mark any definition that would
 involve executing `Classical.choice` or other axioms as `noncomputable`, and
 will not produce any executable code for such definitions.
 -/
@@ -943,7 +948,7 @@ determines how to evaluate `c` to true or false. Write `if h : c then t else e`
 instead for a "dependent if-then-else" `dite`, which allows `t`/`e` to use the fact
 that `c` is true/false.
 
-Because lean uses a strict (call-by-value) evaluation strategy, the signature of this
+Because Lean uses a strict (call-by-value) evaluation strategy, the signature of this
 function is problematic in that it would require `t` and `e` to be evaluated before
 calling the `ite` function, which would cause both sides of the `if` to be evaluated.
 Even if the result is discarded, this would be a big performance problem,
@@ -1033,7 +1038,7 @@ You can prove a theorem `P n` about `n : Nat` by `induction n`, which will
 expect a proof of the theorem for `P 0`, and a proof of `P (succ i)` assuming
 a proof of `P i`. The same method also works to define functions by recursion
 on natural numbers: induction and recursion are two expressions of the same
-operation from lean's point of view.
+operation from Lean's point of view.
 
 ```
 open Nat
@@ -1069,14 +1074,14 @@ instance : Inhabited Nat where
 
 /--
 The class `OfNat α n` powers the numeric literal parser. If you write
-`37 : α`, lean will attempt to synthesize `OfNat α 37`, and will generate
+`37 : α`, Lean will attempt to synthesize `OfNat α 37`, and will generate
 the term `(OfNat.ofNat 37 : α)`.
 
 There is a bit of infinite regress here since the desugaring apparently
 still contains a literal `37` in it. The type of expressions contains a
 primitive constructor for "raw natural number literals", which you can directly
 access using the macro `nat_lit 37`. Raw number literals are always of type `Nat`.
-So it would be more correct to say that lean looks for an instance of
+So it would be more correct to say that Lean looks for an instance of
 `OfNat α (nat_lit 37)`, and it generates the term `(OfNat.ofNat (nat_lit 37) : α)`.
 -/
 class OfNat (α : Type u) (_ : Nat) where
@@ -1314,6 +1319,11 @@ class Mod (α : Type u) where
   /-- `a % b` computes the remainder upon dividing `a` by `b`. See `HMod`. -/
   mod : α → α → α
 
+/-- Notation typeclass for the `∣` operation (typed as `\|`), which represents divisibility. -/
+class Dvd (α : Type _) where
+  /-- Divisibility. `a ∣ b` (typed as `\|`) means that there is some `c` such that `b = a * c`. -/
+  dvd : α → α → Prop
+
 /--
 The homogeneous version of `HPow`: `a ^ b : α` where `a : α`, `b : β`.
 (The right argument is not the same as the left since we often want this even
@@ -1780,7 +1790,7 @@ Gets the word size of the platform. That is, whether the platform is 64 or 32 bi
 
 This function is opaque because we cannot guarantee at compile time that the target
 will have the same size as the host, and also because we would like to avoid
-typechecking being architecture-dependent. Nevertheless, lean only works on
+typechecking being architecture-dependent. Nevertheless, Lean only works on
 64 and 32 bit systems so we can encode this as a fact available for proof purposes.
 -/
 @[extern "lean_system_platform_nbits"] opaque System.Platform.getNumBits : Unit → Subtype fun (n : Nat) => Or (Eq n 32) (Eq n 64) :=
@@ -2518,7 +2528,7 @@ attribute [nospecialize] Inhabited
 
 /--
 The class `GetElem cont idx elem dom` implements the `xs[i]` notation.
-When you write this, given `xs : cont` and `i : idx`, lean looks for an instance
+When you write this, given `xs : cont` and `i : idx`, Lean looks for an instance
 of `GetElem cont idx elem dom`. Here `elem` is the type of `xs[i]`, while
 `dom` is whatever proof side conditions are required to make this applicable.
 For example, the instance for arrays looks like
@@ -2558,7 +2568,7 @@ export GetElem (getElem)
 with elements from `α`. This type has special support in the runtime.
 
 An array has a size and a capacity; the size is `Array.size` but the capacity
-is not observable from lean code. Arrays perform best when unshared; as long
+is not observable from Lean code. Arrays perform best when unshared; as long
 as they are used "linearly" all updates will be performed destructively on the
 array, so it has comparable performance to mutable arrays in imperative
 programming languages.
@@ -3231,7 +3241,7 @@ instance (σ : Type u) (m : Type u → Type v) [MonadStateOf σ m] : MonadState
 /--
 `modify (f : σ → σ)` applies the function `f` to the state.
 
-It is equivalent to `do put (f (← get))`, but `modify f` may be preferable
+It is equivalent to `do set (f (← get))`, but `modify f` may be preferable
 because the former does not use the state linearly (without sufficient inlining).
 -/
 @[always_inline, inline]

src/Init/PropLemmas.lean

@@ -0,0 +1,437 @@
+/-
+Copyright (c) 2024 Lean FRO.  All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Leonardo de Moura, Jeremy Avigad, Floris van Doorn, Mario Carneiro
+
+This provides additional lemmas about propositional types beyond what is
+needed for Core and SimpLemmas.
+-/
+prelude
+import Init.Core
+import Init.NotationExtra
+set_option linter.missingDocs true -- keep it documented
+
+/-! ## not -/
+
+theorem not_not_em (a : Prop) : ¬¬(a ∨ ¬a) := fun h => h (.inr (h ∘ .inl))
+
+/-! ## and -/
+
+theorem and_self_iff : a ∧ a ↔ a := Iff.of_eq (and_self a)
+theorem and_not_self_iff (a : Prop) : a ∧ ¬a ↔ False := iff_false_intro and_not_self
+theorem not_and_self_iff (a : Prop) : ¬a ∧ a ↔ False := iff_false_intro not_and_self
+
+theorem And.imp (f : a → c) (g : b → d) (h : a ∧ b) : c ∧ d :=  And.intro (f h.left) (g h.right)
+theorem And.imp_left (h : a → b) : a ∧ c → b ∧ c := .imp h id
+theorem And.imp_right (h : a → b) : c ∧ a → c ∧ b := .imp id h
+
+theorem and_congr (h₁ : a ↔ c) (h₂ : b ↔ d) : a ∧ b ↔ c ∧ d :=
+  Iff.intro (And.imp h₁.mp h₂.mp) (And.imp h₁.mpr h₂.mpr)
+theorem and_congr_left' (h : a ↔ b) : a ∧ c ↔ b ∧ c := and_congr h .rfl
+theorem and_congr_right' (h : b ↔ c) : a ∧ b ↔ a ∧ c := and_congr .rfl h
+
+theorem not_and_of_not_left (b : Prop) : ¬a → ¬(a ∧ b) := mt And.left
+theorem not_and_of_not_right (a : Prop) {b : Prop} : ¬b → ¬(a ∧ b) := mt And.right
+
+theorem and_congr_right_eq (h : a → b = c) : (a ∧ b) = (a ∧ c) :=
+  propext (and_congr_right (Iff.of_eq ∘ h))
+theorem and_congr_left_eq  (h : c → a = b) : (a ∧ c) = (b ∧ c) :=
+  propext (and_congr_left  (Iff.of_eq ∘ h))
+
+theorem and_left_comm : a ∧ b ∧ c ↔ b ∧ a ∧ c :=
+  Iff.intro (fun ⟨ha, hb, hc⟩ => ⟨hb, ha, hc⟩)
+            (fun ⟨hb, ha, hc⟩ => ⟨ha, hb, hc⟩)
+
+theorem and_right_comm : (a ∧ b) ∧ c ↔ (a ∧ c) ∧ b :=
+  Iff.intro (fun ⟨⟨ha, hb⟩, hc⟩ => ⟨⟨ha, hc⟩, hb⟩)
+            (fun ⟨⟨ha, hc⟩, hb⟩ => ⟨⟨ha, hb⟩, hc⟩)
+
+theorem and_rotate : a ∧ b ∧ c ↔ b ∧ c ∧ a := by rw [and_left_comm, @and_comm a c]
+theorem and_and_and_comm : (a ∧ b) ∧ c ∧ d ↔ (a ∧ c) ∧ b ∧ d := by rw [← and_assoc, @and_right_comm a, and_assoc]
+theorem and_and_left  : a ∧ (b ∧ c) ↔ (a ∧ b) ∧ a ∧ c := by rw [and_and_and_comm, and_self]
+theorem and_and_right : (a ∧ b) ∧ c ↔ (a ∧ c) ∧ b ∧ c := by rw [and_and_and_comm, and_self]
+
+theorem and_iff_left  (hb : b) : a ∧ b ↔ a := Iff.intro And.left  (And.intro · hb)
+theorem and_iff_right (ha : a) : a ∧ b ↔ b := Iff.intro And.right (And.intro ha ·)
+
+/-! ## or -/
+
+theorem or_self_iff : a ∨ a ↔ a := or_self _ ▸ .rfl
+theorem not_or_intro {a b : Prop} (ha : ¬a) (hb : ¬b) : ¬(a ∨ b) := (·.elim ha hb)
+
+theorem or_congr (h₁ : a ↔ c) (h₂ : b ↔ d) : (a ∨ b) ↔ (c ∨ d) := ⟨.imp h₁.mp h₂.mp, .imp h₁.mpr h₂.mpr⟩
+theorem or_congr_left (h : a ↔ b) : a ∨ c ↔ b ∨ c := or_congr h .rfl
+theorem or_congr_right (h : b ↔ c) : a ∨ b ↔ a ∨ c := or_congr .rfl h
+
+theorem or_left_comm  : a ∨ (b ∨ c) ↔ b ∨ (a ∨ c) := by rw [← or_assoc, ← or_assoc, @or_comm a b]
+theorem or_right_comm : (a ∨ b) ∨ c ↔ (a ∨ c) ∨ b := by rw [or_assoc, or_assoc, @or_comm b]
+
+theorem or_or_or_comm : (a ∨ b) ∨ c ∨ d ↔ (a ∨ c) ∨ b ∨ d := by rw [← or_assoc, @or_right_comm a, or_assoc]
+
+theorem or_or_distrib_left : a ∨ b ∨ c ↔ (a ∨ b) ∨ a ∨ c := by rw [or_or_or_comm, or_self]
+theorem or_or_distrib_right : (a ∨ b) ∨ c ↔ (a ∨ c) ∨ b ∨ c := by rw [or_or_or_comm, or_self]
+
+theorem or_rotate : a ∨ b ∨ c ↔ b ∨ c ∨ a := by simp only [or_left_comm, Or.comm]
+
+theorem or_iff_left  (hb : ¬b) : a ∨ b ↔ a := or_iff_left_iff_imp.mpr  hb.elim
+theorem or_iff_right (ha : ¬a) : a ∨ b ↔ b := or_iff_right_iff_imp.mpr ha.elim
+
+/-! ## distributivity -/
+
+theorem not_imp_of_and_not : a ∧ ¬b → ¬(a → b)
+  | ⟨ha, hb⟩, h => hb <| h ha
+
+theorem imp_and {α} : (α → b ∧ c) ↔ (α → b) ∧ (α → c) :=
+  ⟨fun h => ⟨fun ha => (h ha).1, fun ha => (h ha).2⟩, fun h ha => ⟨h.1 ha, h.2 ha⟩⟩
+
+theorem not_and' : ¬(a ∧ b) ↔ b → ¬a := Iff.trans not_and imp_not_comm
+
+/-- `∧` distributes over `∨` (on the left). -/
+theorem and_or_left : a ∧ (b ∨ c) ↔ (a ∧ b) ∨ (a ∧ c) :=
+  Iff.intro (fun ⟨ha, hbc⟩ => hbc.imp (.intro ha) (.intro ha))
+            (Or.rec (.imp_right .inl) (.imp_right .inr))
+
+/-- `∧` distributes over `∨` (on the right). -/
+theorem or_and_right : (a ∨ b) ∧ c ↔ (a ∧ c) ∨ (b ∧ c) := by rw [@and_comm (a ∨ b), and_or_left, @and_comm c, @and_comm c]
+
+/-- `∨` distributes over `∧` (on the left). -/
+theorem or_and_left : a ∨ (b ∧ c) ↔ (a ∨ b) ∧ (a ∨ c) :=
+  Iff.intro (Or.rec (fun ha => ⟨.inl ha, .inl ha⟩) (.imp .inr .inr))
+            (And.rec <| .rec (fun _ => .inl ·) (.imp_right ∘ .intro))
+
+/-- `∨` distributes over `∧` (on the right). -/
+theorem and_or_right : (a ∧ b) ∨ c ↔ (a ∨ c) ∧ (b ∨ c) := by rw [@or_comm (a ∧ b), or_and_left, @or_comm c, @or_comm c]
+
+theorem or_imp : (a ∨ b → c) ↔ (a → c) ∧ (b → c) :=
+  Iff.intro (fun h => ⟨h ∘ .inl, h ∘ .inr⟩) (fun ⟨ha, hb⟩ => Or.rec ha hb)
+theorem not_or : ¬(p ∨ q) ↔ ¬p ∧ ¬q := or_imp
+
+theorem not_and_of_not_or_not (h : ¬a ∨ ¬b) : ¬(a ∧ b) := h.elim (mt (·.1)) (mt (·.2))
+
+/-! ## exists and forall -/
+
+section quantifiers
+variable {p q : α → Prop} {b : Prop}
+
+theorem forall_imp (h : ∀ a, p a → q a) : (∀ a, p a) → ∀ a, q a := fun h' a => h a (h' a)
+
+/--
+As `simp` does not index foralls, this `@[simp]` lemma is tried on every `forall` expression.
+This is not ideal, and likely a performance issue, but it is difficult to remove this attribute at this time.
+-/
+@[simp] theorem forall_exists_index {q : (∃ x, p x) → Prop} :
+    (∀ h, q h) ↔ ∀ x (h : p x), q ⟨x, h⟩ :=
+  ⟨fun h x hpx => h ⟨x, hpx⟩, fun h ⟨x, hpx⟩ => h x hpx⟩
+
+theorem Exists.imp (h : ∀ a, p a → q a) : (∃ a, p a) → ∃ a, q a
+  | ⟨a, hp⟩ => ⟨a, h a hp⟩
+
+theorem Exists.imp' {β} {q : β → Prop} (f : α → β) (hpq : ∀ a, p a → q (f a)) :
+    (∃ a, p a) → ∃ b, q b
+  | ⟨_, hp⟩ => ⟨_, hpq _ hp⟩
+
+theorem exists_imp : ((∃ x, p x) → b) ↔ ∀ x, p x → b := forall_exists_index
+
+@[simp] theorem exists_const (α) [i : Nonempty α] : (∃ _ : α, b) ↔ b :=
+  ⟨fun ⟨_, h⟩ => h, i.elim Exists.intro⟩
+
+section forall_congr
+
+theorem forall_congr' (h : ∀ a, p a ↔ q a) : (∀ a, p a) ↔ ∀ a, q a :=
+  ⟨fun H a => (h a).1 (H a), fun H a => (h a).2 (H a)⟩
+
+theorem exists_congr (h : ∀ a, p a ↔ q a) : (∃ a, p a) ↔ ∃ a, q a :=
+  ⟨Exists.imp fun x => (h x).1, Exists.imp fun x => (h x).2⟩
+
+variable {β : α → Sort _}
+
+theorem forall₂_congr {p q : ∀ a, β a → Prop} (h : ∀ a b, p a b ↔ q a b) :
+    (∀ a b, p a b) ↔ ∀ a b, q a b :=
+  forall_congr' fun a => forall_congr' <| h a
+
+theorem exists₂_congr {p q : ∀ a, β a → Prop} (h : ∀ a b, p a b ↔ q a b) :
+    (∃ a b, p a b) ↔ ∃ a b, q a b :=
+  exists_congr fun a => exists_congr <| h a
+
+variable {γ : ∀ a, β a → Sort _}
+theorem forall₃_congr {p q : ∀ a b, γ a b → Prop} (h : ∀ a b c, p a b c ↔ q a b c) :
+    (∀ a b c, p a b c) ↔ ∀ a b c, q a b c :=
+  forall_congr' fun a => forall₂_congr <| h a
+
+theorem exists₃_congr {p q : ∀ a b, γ a b → Prop} (h : ∀ a b c, p a b c ↔ q a b c) :
+    (∃ a b c, p a b c) ↔ ∃ a b c, q a b c :=
+  exists_congr fun a => exists₂_congr <| h a
+
+variable {δ : ∀ a b, γ a b → Sort _}
+theorem forall₄_congr {p q : ∀ a b c, δ a b c → Prop} (h : ∀ a b c d, p a b c d ↔ q a b c d) :
+    (∀ a b c d, p a b c d) ↔ ∀ a b c d, q a b c d :=
+  forall_congr' fun a => forall₃_congr <| h a
+
+theorem exists₄_congr {p q : ∀ a b c, δ a b c → Prop} (h : ∀ a b c d, p a b c d ↔ q a b c d) :
+    (∃ a b c d, p a b c d) ↔ ∃ a b c d, q a b c d :=
+  exists_congr fun a => exists₃_congr <| h a
+
+variable {ε : ∀ a b c, δ a b c → Sort _}
+theorem forall₅_congr {p q : ∀ a b c d, ε a b c d → Prop}
+    (h : ∀ a b c d e, p a b c d e ↔ q a b c d e) :
+    (∀ a b c d e, p a b c d e) ↔ ∀ a b c d e, q a b c d e :=
+  forall_congr' fun a => forall₄_congr <| h a
+
+theorem exists₅_congr {p q : ∀ a b c d, ε a b c d → Prop}
+    (h : ∀ a b c d e, p a b c d e ↔ q a b c d e) :
+    (∃ a b c d e, p a b c d e) ↔ ∃ a b c d e, q a b c d e :=
+  exists_congr fun a => exists₄_congr <| h a
+
+end forall_congr
+
+@[simp] theorem not_exists : (¬∃ x, p x) ↔ ∀ x, ¬p x := exists_imp
+
+theorem forall_and : (∀ x, p x ∧ q x) ↔ (∀ x, p x) ∧ (∀ x, q x) :=
+  ⟨fun h => ⟨fun x => (h x).1, fun x => (h x).2⟩, fun ⟨h₁, h₂⟩ x => ⟨h₁ x, h₂ x⟩⟩
+
+theorem exists_or : (∃ x, p x ∨ q x) ↔ (∃ x, p x) ∨ ∃ x, q x :=
+  ⟨fun | ⟨x, .inl h⟩ => .inl ⟨x, h⟩ | ⟨x, .inr h⟩ => .inr ⟨x, h⟩,
+   fun | .inl ⟨x, h⟩ => ⟨x, .inl h⟩ | .inr ⟨x, h⟩ => ⟨x, .inr h⟩⟩
+
+@[simp] theorem exists_false : ¬(∃ _a : α, False) := fun ⟨_, h⟩ => h
+
+@[simp] theorem forall_const (α : Sort _) [i : Nonempty α] : (α → b) ↔ b :=
+  ⟨i.elim, fun hb _ => hb⟩
+
+theorem Exists.nonempty : (∃ x, p x) → Nonempty α | ⟨x, _⟩ => ⟨x⟩
+
+theorem not_forall_of_exists_not {p : α → Prop} : (∃ x, ¬p x) → ¬∀ x, p x
+  | ⟨x, hn⟩, h => hn (h x)
+
+@[simp] theorem forall_eq {p : α → Prop} {a' : α} : (∀ a, a = a' → p a) ↔ p a' :=
+  ⟨fun h => h a' rfl, fun h _ e => e.symm ▸ h⟩
+
+@[simp] theorem forall_eq' {a' : α} : (∀ a, a' = a → p a) ↔ p a' := by simp [@eq_comm _ a']
+
+@[simp] theorem exists_eq : ∃ a, a = a' := ⟨_, rfl⟩
+
+@[simp] theorem exists_eq' : ∃ a, a' = a := ⟨_, rfl⟩
+
+@[simp] theorem exists_eq_left : (∃ a, a = a' ∧ p a) ↔ p a' :=
+  ⟨fun ⟨_, e, h⟩ => e ▸ h, fun h => ⟨_, rfl, h⟩⟩
+
+@[simp] theorem exists_eq_right : (∃ a, p a ∧ a = a') ↔ p a' :=
+  (exists_congr <| by exact fun a => And.comm).trans exists_eq_left
+
+@[simp] theorem exists_and_left : (∃ x, b ∧ p x) ↔ b ∧ (∃ x, p x) :=
+  ⟨fun ⟨x, h, hp⟩ => ⟨h, x, hp⟩, fun ⟨h, x, hp⟩ => ⟨x, h, hp⟩⟩
+
+@[simp] theorem exists_and_right : (∃ x, p x ∧ b) ↔ (∃ x, p x) ∧ b := by simp [And.comm]
+
+@[simp] theorem exists_eq_left' : (∃ a, a' = a ∧ p a) ↔ p a' := by simp [@eq_comm _ a']
+
+@[simp] theorem forall_eq_or_imp : (∀ a, a = a' ∨ q a → p a) ↔ p a' ∧ ∀ a, q a → p a := by
+  simp only [or_imp, forall_and, forall_eq]
+
+@[simp] theorem exists_eq_or_imp : (∃ a, (a = a' ∨ q a) ∧ p a) ↔ p a' ∨ ∃ a, q a ∧ p a := by
+  simp only [or_and_right, exists_or, exists_eq_left]
+
+@[simp] theorem exists_eq_right_right : (∃ (a : α), p a ∧ q a ∧ a = a') ↔ p a' ∧ q a' := by
+  simp [← and_assoc]
+
+@[simp] theorem exists_eq_right_right' : (∃ (a : α), p a ∧ q a ∧ a' = a) ↔ p a' ∧ q a' := by
+  simp [@eq_comm _ a']
+
+@[simp] theorem exists_prop : (∃ _h : a, b) ↔ a ∧ b :=
+  ⟨fun ⟨hp, hq⟩ => ⟨hp, hq⟩, fun ⟨hp, hq⟩ => ⟨hp, hq⟩⟩
+
+@[simp] theorem exists_apply_eq_apply (f : α → β) (a' : α) : ∃ a, f a = f a' := ⟨a', rfl⟩
+
+theorem forall_prop_of_true {p : Prop} {q : p → Prop} (h : p) : (∀ h' : p, q h') ↔ q h :=
+  @forall_const (q h) p ⟨h⟩
+
+theorem forall_comm {p : α → β → Prop} : (∀ a b, p a b) ↔ (∀ b a, p a b) :=
+  ⟨fun h b a => h a b, fun h a b => h b a⟩
+
+theorem exists_comm {p : α → β → Prop} : (∃ a b, p a b) ↔ (∃ b a, p a b) :=
+  ⟨fun ⟨a, b, h⟩ => ⟨b, a, h⟩, fun ⟨b, a, h⟩ => ⟨a, b, h⟩⟩
+
+@[simp] theorem forall_apply_eq_imp_iff {f : α → β} {p : β → Prop} :
+    (∀ b a, f a = b → p b) ↔ ∀ a, p (f a) := by simp [forall_comm]
+
+@[simp] theorem forall_eq_apply_imp_iff {f : α → β} {p : β → Prop} :
+    (∀ b a, b = f a → p b) ↔ ∀ a, p (f a) := by simp [forall_comm]
+
+@[simp] theorem forall_apply_eq_imp_iff₂ {f : α → β} {p : α → Prop} {q : β → Prop} :
+    (∀ b a, p a → f a = b → q b) ↔ ∀ a, p a → q (f a) :=
+  ⟨fun h a ha => h (f a) a ha rfl, fun h _ a ha hb => hb ▸ h a ha⟩
+
+theorem forall_prop_of_false {p : Prop} {q : p → Prop} (hn : ¬p) : (∀ h' : p, q h') ↔ True :=
+  iff_true_intro fun h => hn.elim h
+
+end quantifiers
+
+/-! ## decidable -/
+
+theorem Decidable.not_not [Decidable p] : ¬¬p ↔ p := ⟨of_not_not, not_not_intro⟩
+
+theorem Decidable.by_contra [Decidable p] : (¬p → False) → p := of_not_not
+
+/-- Construct a non-Prop by cases on an `Or`, when the left conjunct is decidable. -/
+protected def Or.by_cases [Decidable p] {α : Sort u} (h : p ∨ q) (h₁ : p → α) (h₂ : q → α) : α :=
+  if hp : p then h₁ hp else h₂ (h.resolve_left hp)
+
+/-- Construct a non-Prop by cases on an `Or`, when the right conjunct is decidable. -/
+protected def Or.by_cases' [Decidable q] {α : Sort u} (h : p ∨ q) (h₁ : p → α) (h₂ : q → α) : α :=
+  if hq : q then h₂ hq else h₁ (h.resolve_right hq)
+
+instance exists_prop_decidable {p} (P : p → Prop)
+  [Decidable p] [∀ h, Decidable (P h)] : Decidable (∃ h, P h) :=
+if h : p then
+  decidable_of_decidable_of_iff ⟨fun h2 => ⟨h, h2⟩, fun ⟨_, h2⟩ => h2⟩
+else isFalse fun ⟨h', _⟩ => h h'
+
+instance forall_prop_decidable {p} (P : p → Prop)
+  [Decidable p] [∀ h, Decidable (P h)] : Decidable (∀ h, P h) :=
+if h : p then
+  decidable_of_decidable_of_iff ⟨fun h2 _ => h2, fun al => al h⟩
+else isTrue fun h2 => absurd h2 h
+
+theorem decide_eq_true_iff (p : Prop) [Decidable p] : (decide p = true) ↔ p := by simp
+
+@[simp] theorem decide_eq_false_iff_not (p : Prop) {_ : Decidable p} : (decide p = false) ↔ ¬p :=
+  ⟨of_decide_eq_false, decide_eq_false⟩
+
+@[simp] theorem decide_eq_decide {p q : Prop} {_ : Decidable p} {_ : Decidable q} :
+    decide p = decide q ↔ (p ↔ q) :=
+  ⟨fun h => by rw [← decide_eq_true_iff p, h, decide_eq_true_iff], fun h => by simp [h]⟩
+
+theorem Decidable.of_not_imp [Decidable a] (h : ¬(a → b)) : a :=
+  byContradiction (not_not_of_not_imp h)
+
+theorem Decidable.not_imp_symm [Decidable a] (h : ¬a → b) (hb : ¬b) : a :=
+  byContradiction <| hb ∘ h
+
+theorem Decidable.not_imp_comm [Decidable a] [Decidable b] : (¬a → b) ↔ (¬b → a) :=
+  ⟨not_imp_symm, not_imp_symm⟩
+
+theorem Decidable.not_imp_self [Decidable a] : (¬a → a) ↔ a := by
+  have := @imp_not_self (¬a); rwa [not_not] at this
+
+theorem Decidable.or_iff_not_imp_left [Decidable a] : a ∨ b ↔ (¬a → b) :=
+  ⟨Or.resolve_left, fun h => dite _ .inl (.inr ∘ h)⟩
+
+theorem Decidable.or_iff_not_imp_right [Decidable b] : a ∨ b ↔ (¬b → a) :=
+  or_comm.trans or_iff_not_imp_left
+
+theorem Decidable.not_imp_not [Decidable a] : (¬a → ¬b) ↔ (b → a) :=
+  ⟨fun h hb => byContradiction (h · hb), mt⟩
+
+theorem Decidable.not_or_of_imp [Decidable a] (h : a → b) : ¬a ∨ b :=
+  if ha : a then .inr (h ha) else .inl ha
+
+theorem Decidable.imp_iff_not_or [Decidable a] : (a → b) ↔ (¬a ∨ b) :=
+  ⟨not_or_of_imp, Or.neg_resolve_left⟩
+
+theorem Decidable.imp_iff_or_not [Decidable b] : b → a ↔ a ∨ ¬b :=
+  Decidable.imp_iff_not_or.trans or_comm
+
+theorem Decidable.imp_or [h : Decidable a] : (a → b ∨ c) ↔ (a → b) ∨ (a → c) :=
+  if h : a then by
+    rw [imp_iff_right h, imp_iff_right h, imp_iff_right h]
+  else by
+    rw [iff_false_intro h, false_imp_iff, false_imp_iff, true_or]
+
+theorem Decidable.imp_or' [Decidable b] : (a → b ∨ c) ↔ (a → b) ∨ (a → c) :=
+  if h : b then by simp [h] else by
+    rw [eq_false h, false_or]; exact (or_iff_right_of_imp fun hx x => (hx x).elim).symm
+
+theorem Decidable.not_imp_iff_and_not [Decidable a] : ¬(a → b) ↔ a ∧ ¬b :=
+  ⟨fun h => ⟨of_not_imp h, not_of_not_imp h⟩, not_imp_of_and_not⟩
+
+theorem Decidable.peirce (a b : Prop) [Decidable a] : ((a → b) → a) → a :=
+  if ha : a then fun _ => ha else fun h => h ha.elim
+
+theorem peirce' {a : Prop} (H : ∀ b : Prop, (a → b) → a) : a := H _ id
+
+theorem Decidable.not_iff_not [Decidable a] [Decidable b] : (¬a ↔ ¬b) ↔ (a ↔ b) := by
+  rw [@iff_def (¬a), @iff_def' a]; exact and_congr not_imp_not not_imp_not
+
+theorem Decidable.not_iff_comm [Decidable a] [Decidable b] : (¬a ↔ b) ↔ (¬b ↔ a) := by
+  rw [@iff_def (¬a), @iff_def (¬b)]; exact and_congr not_imp_comm imp_not_comm
+
+theorem Decidable.not_iff [Decidable b] : ¬(a ↔ b) ↔ (¬a ↔ b) :=
+  if h : b then by
+    rw [iff_true_right h, iff_true_right h]
+  else by
+    rw [iff_false_right h, iff_false_right h]
+
+theorem Decidable.iff_not_comm [Decidable a] [Decidable b] : (a ↔ ¬b) ↔ (b ↔ ¬a) := by
+  rw [@iff_def a, @iff_def b]; exact and_congr imp_not_comm not_imp_comm
+
+theorem Decidable.iff_iff_and_or_not_and_not {a b : Prop} [Decidable b] :
+    (a ↔ b) ↔ (a ∧ b) ∨ (¬a ∧ ¬b) :=
+  ⟨fun e => if h : b then .inl ⟨e.2 h, h⟩ else .inr ⟨mt e.1 h, h⟩,
+   Or.rec (And.rec iff_of_true) (And.rec iff_of_false)⟩
+
+theorem Decidable.iff_iff_not_or_and_or_not [Decidable a] [Decidable b] :
+    (a ↔ b) ↔ (¬a ∨ b) ∧ (a ∨ ¬b) := by
+  rw [iff_iff_implies_and_implies a b]; simp only [imp_iff_not_or, Or.comm]
+
+theorem Decidable.not_and_not_right [Decidable b] : ¬(a ∧ ¬b) ↔ (a → b) :=
+  ⟨fun h ha => not_imp_symm (And.intro ha) h, fun h ⟨ha, hb⟩ => hb <| h ha⟩
+
+theorem Decidable.not_and_iff_or_not_not [Decidable a] : ¬(a ∧ b) ↔ ¬a ∨ ¬b :=
+  ⟨fun h => if ha : a then .inr (h ⟨ha, ·⟩) else .inl ha, not_and_of_not_or_not⟩
+
+theorem Decidable.not_and_iff_or_not_not' [Decidable b] : ¬(a ∧ b) ↔ ¬a ∨ ¬b :=
+  ⟨fun h => if hb : b then .inl (h ⟨·, hb⟩) else .inr hb, not_and_of_not_or_not⟩
+
+theorem Decidable.or_iff_not_and_not [Decidable a] [Decidable b] : a ∨ b ↔ ¬(¬a ∧ ¬b) := by
+  rw [← not_or, not_not]
+
+theorem Decidable.and_iff_not_or_not [Decidable a] [Decidable b] : a ∧ b ↔ ¬(¬a ∨ ¬b) := by
+  rw [← not_and_iff_or_not_not, not_not]
+
+theorem Decidable.imp_iff_right_iff [Decidable a] : (a → b ↔ b) ↔ a ∨ b :=
+  ⟨fun H => (Decidable.em a).imp_right fun ha' => H.1 fun ha => (ha' ha).elim,
+   fun H => H.elim imp_iff_right fun hb => iff_of_true (fun _ => hb) hb⟩
+
+theorem Decidable.and_or_imp [Decidable a] : a ∧ b ∨ (a → c) ↔ a → b ∨ c :=
+  if ha : a then by simp only [ha, true_and, true_imp_iff]
+  else by simp only [ha, false_or, false_and, false_imp_iff]
+
+theorem Decidable.or_congr_left' [Decidable c] (h : ¬c → (a ↔ b)) : a ∨ c ↔ b ∨ c := by
+  rw [or_iff_not_imp_right, or_iff_not_imp_right]; exact imp_congr_right h
+
+theorem Decidable.or_congr_right' [Decidable a] (h : ¬a → (b ↔ c)) : a ∨ b ↔ a ∨ c := by
+  rw [or_iff_not_imp_left, or_iff_not_imp_left]; exact imp_congr_right h
+
+/-- Transfer decidability of `a` to decidability of `b`, if the propositions are equivalent.
+**Important**: this function should be used instead of `rw` on `Decidable b`, because the
+kernel will get stuck reducing the usage of `propext` otherwise,
+and `decide` will not work. -/
+@[inline] def decidable_of_iff (a : Prop) (h : a ↔ b) [Decidable a] : Decidable b :=
+  decidable_of_decidable_of_iff h
+
+/-- Transfer decidability of `b` to decidability of `a`, if the propositions are equivalent.
+This is the same as `decidable_of_iff` but the iff is flipped. -/
+@[inline] def decidable_of_iff' (b : Prop) (h : a ↔ b) [Decidable b] : Decidable a :=
+  decidable_of_decidable_of_iff h.symm
+
+instance Decidable.predToBool (p : α → Prop) [DecidablePred p] :
+    CoeDep (α → Prop) p (α → Bool) := ⟨fun b => decide <| p b⟩
+
+/-- Prove that `a` is decidable by constructing a boolean `b` and a proof that `b ↔ a`.
+(This is sometimes taken as an alternate definition of decidability.) -/
+def decidable_of_bool : ∀ (b : Bool), (b ↔ a) → Decidable a
+  | true, h => isTrue (h.1 rfl)
+  | false, h => isFalse (mt h.2 Bool.noConfusion)
+
+protected theorem Decidable.not_forall {p : α → Prop} [Decidable (∃ x, ¬p x)]
+    [∀ x, Decidable (p x)] : (¬∀ x, p x) ↔ ∃ x, ¬p x :=
+  ⟨Decidable.not_imp_symm fun nx x => Decidable.not_imp_symm (fun h => ⟨x, h⟩) nx,
+   not_forall_of_exists_not⟩
+
+protected theorem Decidable.not_forall_not {p : α → Prop} [Decidable (∃ x, p x)] :
+    (¬∀ x, ¬p x) ↔ ∃ x, p x :=
+  (@Decidable.not_iff_comm _ _ _ (decidable_of_iff (¬∃ x, p x) not_exists)).1 not_exists
+
+protected theorem Decidable.not_exists_not {p : α → Prop} [∀ x, Decidable (p x)] :
+    (¬∃ x, ¬p x) ↔ ∀ x, p x := by
+  simp only [not_exists, Decidable.not_not]

src/Init/RCases.lean

@@ -0,0 +1,192 @@
+/-
+Copyright (c) 2017 Mario Carneiro. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: Mario Carneiro, Jacob von Raumer
+-/
+prelude
+import Init.Tactics
+import Init.NotationExtra
+
+/-!
+# Recursive cases (`rcases`) tactic and related tactics
+
+`rcases` is a tactic that will perform `cases` recursively, according to a pattern. It is used to
+destructure hypotheses or expressions composed of inductive types like `h1 : a ∧ b ∧ c ∨ d` or
+`h2 : ∃ x y, trans_rel R x y`. Usual usage might be `rcases h1 with ⟨ha, hb, hc⟩ | hd` or
+`rcases h2 with ⟨x, y, _ | ⟨z, hxz, hzy⟩⟩` for these examples.
+
+Each element of an `rcases` pattern is matched against a particular local hypothesis (most of which
+are generated during the execution of `rcases` and represent individual elements destructured from
+the input expression). An `rcases` pattern has the following grammar:
+
+* A name like `x`, which names the active hypothesis as `x`.
+* A blank `_`, which does nothing (letting the automatic naming system used by `cases` name the
+  hypothesis).
+* A hyphen `-`, which clears the active hypothesis and any dependents.
+* The keyword `rfl`, which expects the hypothesis to be `h : a = b`, and calls `subst` on the
+  hypothesis (which has the effect of replacing `b` with `a` everywhere or vice versa).
+* A type ascription `p : ty`, which sets the type of the hypothesis to `ty` and then matches it
+  against `p`. (Of course, `ty` must unify with the actual type of `h` for this to work.)
+* A tuple pattern `⟨p1, p2, p3⟩`, which matches a constructor with many arguments, or a series
+  of nested conjunctions or existentials. For example if the active hypothesis is `a ∧ b ∧ c`,
+  then the conjunction will be destructured, and `p1` will be matched against `a`, `p2` against `b`
+  and so on.
+* A `@` before a tuple pattern as in `@⟨p1, p2, p3⟩` will bind all arguments in the constructor,
+  while leaving the `@` off will only use the patterns on the explicit arguments.
+* An alternation pattern `p1 | p2 | p3`, which matches an inductive type with multiple constructors,
+  or a nested disjunction like `a ∨ b ∨ c`.
+
+The patterns are fairly liberal about the exact shape of the constructors, and will insert
+additional alternation branches and tuple arguments if there are not enough arguments provided, and
+reuse the tail for further matches if there are too many arguments provided to alternation and
+tuple patterns.
+
+This file also contains the `obtain` and `rintro` tactics, which use the same syntax of `rcases`
+patterns but with a slightly different use case:
+
+* `rintro` (or `rintros`) is used like `rintro x ⟨y, z⟩` and is the same as `intros` followed by
+  `rcases` on the newly introduced arguments.
+* `obtain` is the same as `rcases` but with a syntax styled after `have` rather than `cases`.
+  `obtain ⟨hx, hy⟩ | hz := foo` is equivalent to `rcases foo with ⟨hx, hy⟩ | hz`. Unlike `rcases`,
+  `obtain` also allows one to omit `:= foo`, although a type must be provided in this case,
+  as in `obtain ⟨hx, hy⟩ | hz : a ∧ b ∨ c`, in which case it produces a subgoal for proving
+  `a ∧ b ∨ c` in addition to the subgoals `hx : a, hy : b |- goal` and `hz : c |- goal`.
+
+## Tags
+
+rcases, rintro, obtain, destructuring, cases, pattern matching, match
+-/
+namespace Lean.Parser.Tactic
+
+/-- The syntax category of `rcases` patterns. -/
+declare_syntax_cat rcasesPat
+/-- A medium precedence `rcases` pattern is a list of `rcasesPat` separated by `|` -/
+syntax rcasesPatMed := sepBy1(rcasesPat, " | ")
+/-- A low precedence `rcases` pattern is a `rcasesPatMed` optionally followed by `: ty` -/
+syntax rcasesPatLo := rcasesPatMed (" : " term)?
+/-- `x` is a pattern which binds `x` -/
+syntax (name := rcasesPat.one) ident : rcasesPat
+/-- `_` is a pattern which ignores the value and gives it an inaccessible name -/
+syntax (name := rcasesPat.ignore) "_" : rcasesPat
+/-- `-` is a pattern which removes the value from the context -/
+syntax (name := rcasesPat.clear) "-" : rcasesPat
+/--
+A `@` before a tuple pattern as in `@⟨p1, p2, p3⟩` will bind all arguments in the constructor,
+while leaving the `@` off will only use the patterns on the explicit arguments.
+-/
+syntax (name := rcasesPat.explicit) "@" noWs rcasesPat : rcasesPat
+/--
+`⟨pat, ...⟩` is a pattern which matches on a tuple-like constructor
+or multi-argument inductive constructor
+-/
+syntax (name := rcasesPat.tuple) "⟨" rcasesPatLo,* "⟩" : rcasesPat
+/-- `(pat)` is a pattern which resets the precedence to low -/
+syntax (name := rcasesPat.paren) "(" rcasesPatLo ")" : rcasesPat
+
+/-- The syntax category of `rintro` patterns. -/
+declare_syntax_cat rintroPat
+/-- An `rcases` pattern is an `rintro` pattern -/
+syntax (name := rintroPat.one) rcasesPat : rintroPat
+/--
+A multi argument binder `(pat1 pat2 : ty)` binds a list of patterns and gives them all type `ty`.
+-/
+syntax (name := rintroPat.binder) (priority := default+1) -- to override rcasesPat.paren
+  "(" rintroPat+ (" : " term)? ")" : rintroPat
+
+/- TODO
+/--
+`rcases? e` will perform case splits on `e` in the same way as `rcases e`,
+but rather than accepting a pattern, it does a maximal cases and prints the
+pattern that would produce this case splitting. The default maximum depth is 5,
+but this can be modified with `rcases? e : n`.
+-/
+syntax (name := rcases?) "rcases?" casesTarget,* (" : " num)? : tactic
+-/
+
+/--
+`rcases` is a tactic that will perform `cases` recursively, according to a pattern. It is used to
+destructure hypotheses or expressions composed of inductive types like `h1 : a ∧ b ∧ c ∨ d` or
+`h2 : ∃ x y, trans_rel R x y`. Usual usage might be `rcases h1 with ⟨ha, hb, hc⟩ | hd` or
+`rcases h2 with ⟨x, y, _ | ⟨z, hxz, hzy⟩⟩` for these examples.
+
+Each element of an `rcases` pattern is matched against a particular local hypothesis (most of which
+are generated during the execution of `rcases` and represent individual elements destructured from
+the input expression). An `rcases` pattern has the following grammar:
+
+* A name like `x`, which names the active hypothesis as `x`.
+* A blank `_`, which does nothing (letting the automatic naming system used by `cases` name the
+  hypothesis).
+* A hyphen `-`, which clears the active hypothesis and any dependents.
+* The keyword `rfl`, which expects the hypothesis to be `h : a = b`, and calls `subst` on the
+  hypothesis (which has the effect of replacing `b` with `a` everywhere or vice versa).
+* A type ascription `p : ty`, which sets the type of the hypothesis to `ty` and then matches it
+  against `p`. (Of course, `ty` must unify with the actual type of `h` for this to work.)
+* A tuple pattern `⟨p1, p2, p3⟩`, which matches a constructor with many arguments, or a series
+  of nested conjunctions or existentials. For example if the active hypothesis is `a ∧ b ∧ c`,
+  then the conjunction will be destructured, and `p1` will be matched against `a`, `p2` against `b`
+  and so on.
+* A `@` before a tuple pattern as in `@⟨p1, p2, p3⟩` will bind all arguments in the constructor,
+  while leaving the `@` off will only use the patterns on the explicit arguments.
+* An alteration pattern `p1 | p2 | p3`, which matches an inductive type with multiple constructors,
+  or a nested disjunction like `a ∨ b ∨ c`.
+
+A pattern like `⟨a, b, c⟩ | ⟨d, e⟩` will do a split over the inductive datatype,
+naming the first three parameters of the first constructor as `a,b,c` and the
+first two of the second constructor `d,e`. If the list is not as long as the
+number of arguments to the constructor or the number of constructors, the
+remaining variables will be automatically named. If there are nested brackets
+such as `⟨⟨a⟩, b | c⟩ | d` then these will cause more case splits as necessary.
+If there are too many arguments, such as `⟨a, b, c⟩` for splitting on
+`∃ x, ∃ y, p x`, then it will be treated as `⟨a, ⟨b, c⟩⟩`, splitting the last
+parameter as necessary.
+
+`rcases` also has special support for quotient types: quotient induction into Prop works like
+matching on the constructor `quot.mk`.
+
+`rcases h : e with PAT` will do the same as `rcases e with PAT` with the exception that an
+assumption `h : e = PAT` will be added to the context.
+-/
+syntax (name := rcases) "rcases" casesTarget,* (" with " rcasesPatLo)? : tactic
+
+/--
+The `obtain` tactic is a combination of `have` and `rcases`. See `rcases` for
+a description of supported patterns.
+
+```lean
+obtain ⟨patt⟩ : type := proof
+```
+is equivalent to
+```lean
+have h : type := proof
+rcases h with ⟨patt⟩
+```
+
+If `⟨patt⟩` is omitted, `rcases` will try to infer the pattern.
+
+If `type` is omitted, `:= proof` is required.
+-/
+syntax (name := obtain) "obtain" (ppSpace rcasesPatMed)? (" : " term)? (" := " term,+)? : tactic
+
+/- TODO
+/--
+`rintro?` will introduce and case split on variables in the same way as
+`rintro`, but will also print the `rintro` invocation that would have the same
+result. Like `rcases?`, `rintro? : n` allows for modifying the
+depth of splitting; the default is 5.
+-/
+syntax (name := rintro?) "rintro?" (" : " num)? : tactic
+-/
+
+/--
+The `rintro` tactic is a combination of the `intros` tactic with `rcases` to
+allow for destructuring patterns while introducing variables. See `rcases` for
+a description of supported patterns. For example, `rintro (a | ⟨b, c⟩) ⟨d, e⟩`
+will introduce two variables, and then do case splits on both of them producing
+two subgoals, one with variables `a d e` and the other with `b c d e`.
+
+`rintro`, unlike `rcases`, also supports the form `(x y : ty)` for introducing
+and type-ascripting multiple variables at once, similar to binders.
+-/
+syntax (name := rintro) "rintro" (ppSpace colGt rintroPat)+ (" : " term)? : tactic
+
+end Lean.Parser.Tactic