Let E be a well formed event structure, and let X be a linear valid execution
with respect to E.  Form a set of labels L:
  memL = { REvt er NONE | er IN mem_reads E /\ er NOTIN RANGE rfmap } UNION 
         { REvt er (SOME ew) | er IN mem_reads E /\ (ew, er) IN rfmap } UNION
         { TauEvt e | e IN mem_writes E }
localL = { REvt er NONE | er IN reads E /\ er NOTIN RANGE rfmap } UNION 
         { REvt er (SOME ew) | er IN reads E /\ (ew, er) IN rfmap } UNION 
         { WEvt e | e IN writes E } UNION
         { BEvt e | e IN barriers E }
     L = memL UNION 
         localL UNION
         { LockE p es | es IN E.atomicity /\ p = proc es } UNION
         { UnlockE p es | es IN E.atomicity /\ p = proc es }

Denote the event associated with a label l as l.e (taking the use of notation
to assert that there is one).

Call the memory order on X mo and define << SUBSET L * L as follows:
(1) l << l' 			if l IN memL /\ l' IN memL /\ l.e mo l'.e
(2) l << l'			if l IN localL /\ l' IN localL /\ l.e po_iico l'.e

(3) WEvt e << TauEvt e
(4) TauEvt e << BEvt e'		if e po_iico e'
(5) TauEvt e << LockE p es	if e NOTIN es /\ ?e' IN es. e po_iico e' /\ e' IN mem_accesses E

(6) LockE p es << l		if l.e IN es /\ l.e IN mem_accesses E
(7) l << UnlockE p es		if l.e IN es /\ l IN memL
(8) UnlockE p es << l		if ?e' IN es. e' mo l.e /\ l.e NOTIN es /\ 
                                   (l IN memL \/ (l.e IN mem_accesses E /\ (proc e = p)))
(9) l << LockE p es		if ?e' IN es. l.e mo e' /\ l.e NOTIN es /\ l IN memL
(10) Unlock p es << Lock p' es'	if es <> es' /\ ?e IN es. ?e' IN es'. e mo e'

(11) WEvt e << WEvt e'		if e mo e' /\ proc e = proc e'

We have proven in HOL that there exists a partial order (called lo) that is a
superset of <<.  We can see that lo has finite prefixes because mo and po_iico
have finite prefixes (mo by the definition of linear valid execution, and
po_iico by the definition of well formed event structures), and relational
composition preserves the finite prefixes property.  Furthermore, the set of
labels is at most countable.  We have proven, in HOL, a theorem that therefore,
there exists a linear order with finite prefixes that contains <<.  Let tr be
the sequence of labels that corresponds that linear order.


Lemma 1:
LockE and UnlockE properly bracket the labels corresponding to memory events in
the annotating atomicity set.  However, other processors' WEvt, register REvt,
and BEvt labels can appear inside, and this processor's register REvt, and BEvt
labels can appear outside. 
Proof:
Atomic sets are totally ordered by the memory order (since each is required to
contain a memory read).  (6) and (7) ensure that all of the atomic memory event
labels are inside of the appropriate lock/unlock pair, and (8)--(10) ensure
that memory labels from outside of the atomic set do not occur inside the
labels (due to the totality of memory ordering in linear_valid_executions).
Note that (3) in conjunction with (7) and (9) ensures that WEvt labels don't
happen too late.

Lemma 2:
If l appears in tr before l' and l IN memL and l' IN memL, then l.e mo l'.e.
Proof: by (1) and the totality of memory ordering.

Lemma 3:
If l appears in tr before l' and l IN localL and l' IN localL and proc l.e =
proc l'.e and loc l.e = loc l'.e and one of l.e or l'.e is a WEvt, then l.e
po_iico l'.e.
Proof:
It is not the case that l'.e po_iico l.e by (2), so we only need to show that
po_iico relates them.  If l.e and l'.e come from different instructions it
does.  If they come from the same instruction, well_formed_event_structure
requires an intra_causality edge.

Lemma 4: Any path corresponding to tr is an okEpath with respect to E.
Proof: 
The WEvt, REvt, and BEvt labels of tr are unduplicated and correspond exactly
to the events of E because the << relation mentions exactly the E events (for
its localL subset, the REvt labels in the memL subset are all in the localL
subset anyway).  Uniqueness is guaranteed because tr comes from a set-theoretic
relation.  (2) ensures that po_iico edges are respected by tr.  Lemma 1 gives
the required property of atomic instuctions.

Lemma 5: There is an okMpath corresponding to tr.
Proof: 
First, note that tr has a TauEvt for each WEvt that is a memory write (due to
the definitions of memL and localL).  Start the path with a machine state 
following the initial state from X, and empty buffers.

To build a path through the machine such that the sequence of labels
corresponds exactly to tr, suppose that such a trace can be built for i steps.
We now show that it can be extended.

Case tr(i+1) = LockE p es:
The evt-lock transition requires the buffer to be empty, and the machine to be
unlocked.  The machine is not locked by Lemma 1.  The buffer on processor p is
empty because otherwise there is a WEvt ew on processor p in tr(1..i).  It is
not in es by (6), so either ew po_iico es or es po_iico ew.  By (2), and the
presence of a memory read in es, not (es po_iico ew).  Thus by (5), TauEvt ew
IN tr(1..i).

Case tr(i+1) = UnlockE p es: 
The evt-unlock rule requires the buffer to be empty, and the machine to be
locked to processor p.  The machine is locked to p by Lemma 1.  The buffer is
empty, because it was empty on entry to the lock, and for each locked memory
write ew IN es, (7) places it's TauEvt ew before the unlock.

Case tr(i+1) = BEvt e: 
The evt-barrier rule requires the buffer to be empty (if the barrier is an
Mfence, otherwise the evt-nop rule always applies).  If a write was in the
buffer, there would be a WEvt ew in tr(1..i), but no TauEvt ew in tr(1..i),
where ew is on the same processor as e.  Note that no instructions have
unrelated mfence and memory write events.  Thus, either ew po_iico e or e
po_iico ew.  In the first case, (4) ensures the Tau label is in tr(1..i).  In
the second case, WEvt ew is not in tr(1..i) by (2).

Case tr(i+1) = WEvt e: 
The machine cannot block on a WEvt label (since all in L are in localL, and
hence contain write events).  evt-write-buffer and evt-write-reg together cover
the different kinds of writes.

Case tr(i+1) = TauEvt e:
The evt-write-mem rule requires that the processor is unlocked or locked to
proc e, and also that e is the oldest write to its address in the write buffer.
(3) ensures that e is in a write buffer.  Suppose it is not the oldest.  Then
there is some e' with proc e = proc e' where WEvt e' is in tr(1..i) before WEvt
e, and TauEvt e' is in tr, but not tr(1..i+1).  Thus e mo e' by Lemma 2, and by
(11) WEvt e precedes WEvt e', a contradiction.

Case tr(i+1) = REvt e (SOME ew) and e is a register read: 
The evt-read-reg rule requires that ew is the annotation on the register that e
is reading from.  This happens iff ew is the most recent write to that location
in tr.  By the definition of L, (ew, e) IN X.rfmap.  By check_rfmap_written, ew
is a maximal in po_iico among writes that precede e (in po_iico) to the same
register as e.  Thus, by (2) ew precedes e in tr(1..i).  If no other write to
the same location comes in between, we are done.  Suppose there is a write ew'
to the same register that appears in tr(1..i) after ew.  By Lemma 3, ew po_iico
ew' and ew' po_iico e, which contradicts the maximality property of e.

Case tr(i+1) = REvt e (SOME ew) and e is a memory read: 
By the definition of L, (ew, e) IN X.rfmap.  By check_rfmap_written, ew is
maximal in memory order among writes that precede e (in po_iico or memory
order) to the same memory location as e.  Because memory order is a total
order, ew is the unique maximal element.  Consider the case where ew precedes e
in memory order.
By (1), TauEvt ew in tr(1..i).  Only two things could prevent the machine from
making the transition in this case:
  - an ew' such that TauEvt ew' follows TauEvt ew in tr(1..i) and loc ew = loc
    ew' (this would keep evt-read-mem from applying), or
  - an ew' such that WEvt ew' in tr(1..i) and TauEvt ew' NOTIN tr(1..i) and loc
    ew = loc ew' and proc e = proc ew' (this would keep evt-read-buffer from
    applying)
In the first instance, Lemma 2 gives ew mo ew' and ew' mo e, contradicting the
maximality of ew.  In the second, Lemma 2 gives ew mo ew', and Lemma 3 gives
ew' po_iico e, again contradicting the maximality of ew.
Consider the case where ew precedes e in po_iico and not in memory order: 
By (2), WEvt ew in tr(1..i), and by Lemma 2, TauEvt ew NOTIN tr(1..i).  The
only way for the machine to get stuck is for there to be another write ew' such
that WEvt ew' follows WEvt ew in tr(1..i) and loc ew = loc ew' and proc ew =
proc ew'.  In this case, Lemma 3 gives ew po_iico ew', and ew' po_iico e, and
since ew and ew' are both writes, ew mo ew', contradicting ew's maximality.

Case tr(i+1) = REvt e NONE:
By check_rfmap_initial there is no ew such that ew mo e or ew po_iico e (with
loc ew = loc e).  Lemmas 2 and 3 ensure therefore that there are no TauEvt or
WEvt labels preceding e that would block the read from the initial state.


Theorem:
!E X.
  well_formed_event_structure E /\ linear_valid_execution E X
  ==>
  ?path. okEpath E path /\ okMpath path
Proof:
By Lemmas 4 and 5.


