From 7f4fad24fbf817586544b9d1c37ebaa9fdd6fe01 Mon Sep 17 00:00:00 2001
From: Siddharth Bhat <siddu.druid@gmail.com>
Date: Wed, 11 Sep 2024 13:58:34 -0500
Subject: [PATCH] feat: toNat_sub_of_le
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This adds a simplification lemma for `(x - y).toNat` when the subtraction is known to not overflow (i.e., `y ≤ x`).
---
 src/Init/Data/BitVec/Lemmas.lean | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/Init/Data/BitVec/Lemmas.lean b/src/Init/Data/BitVec/Lemmas.lean
index a537d407079c..03e0347a9878 100644
--- a/src/Init/Data/BitVec/Lemmas.lean
+++ b/src/Init/Data/BitVec/Lemmas.lean
@@ -2009,4 +2009,20 @@ theorem getLsbD_intMax (w : Nat) : (intMax w).getLsbD i = decide (i + 1 < w) :=
   · simp [h]
   · rw [Nat.sub_add_cancel (Nat.two_pow_pos (w - 1)), Nat.two_pow_pred_mod_two_pow (by omega)]
 
+
+/-! ### Non-overflow theorems -/
+
+/--
+If `y ≤ x`, then the subtraction `(x - y)` does not overflow.
+Thus, `(x - y).toNat = x.toNat - y.toNat`
+-/
+theorem toNat_sub_of_le {x y : BitVec n} (h : y ≤ x) :
+    (x - y).toNat = x.toNat - y.toNat := by
+  simp only [toNat_sub]
+  rw [BitVec.le_def] at h
+  by_cases h' : x.toNat = y.toNat
+  · rw [h', Nat.sub_self, Nat.sub_add_cancel (by omega), Nat.mod_self]
+  · rw [show 2 ^ n - y.toNat + x.toNat = 2 ^ n + (x.toNat - y.toNat) by omega,
+      Nat.add_mod_left, Nat.mod_eq_of_lt (by omega)]
+
 end BitVec