source: src/ASM/ASMCosts.ma @ 1625

include "ASM/ASM.ma".
include "ASM/Arithmetic.ma".
include "ASM/Fetch.ma".
include "ASM/Interpret.ma".
include "common/StructuredTraces.ma".

definition current_instruction0 ≝
  λmem,pc. \fst (\fst (fetch … mem pc)).

definition current_instruction ≝
 λs:Status. current_instruction0 (code_memory … s) (program_counter … s).

definition ASM_classify0: instruction → status_class ≝
 λi.
  match i with
   [ RealInstruction pre ⇒
     match pre with
      [ RET ⇒ cl_return
      | JZ _ ⇒ cl_jump
      | JNZ _ ⇒ cl_jump
      | JC _ ⇒ cl_jump
      | JNC _ ⇒ cl_jump
      | JB _ _ ⇒ cl_jump
      | JNB _ _ ⇒ cl_jump
      | JBC _ _ ⇒ cl_jump
      | CJNE _ _ ⇒ cl_jump
      | DJNZ _ _ ⇒ cl_jump
      | _ ⇒ cl_other
      ]
   | ACALL _ ⇒ cl_call
   | LCALL _ ⇒ cl_call
   | JMP _ ⇒ cl_call
   | AJMP _ ⇒ cl_jump
   | LJMP _ ⇒ cl_jump
   | SJMP _ ⇒ cl_jump
   | _ ⇒ cl_other
   ].

definition ASM_classify: Status → status_class ≝
 λs.ASM_classify0 (current_instruction s).

definition current_instruction_is_labelled ≝
  λcost_labels: BitVectorTrie costlabel 16.
  λs: Status.
  let pc ≝ program_counter … s in
    match lookup_opt … pc cost_labels with
    [ None ⇒ False
    | _    ⇒ True
    ].

definition label_of_current_instruction:
 BitVectorTrie costlabel 16 → Status → list costlabel
 ≝
  λcost_labels,s.
  let pc ≝ program_counter … s in
    match lookup_opt … pc cost_labels with
    [ None ⇒ []
    | Some l ⇒ [l]
    ].

definition next_instruction_properly_relates_program_counters ≝
  λbefore: Status.
  λafter : Status.
  let size ≝ current_instruction_cost before in
  let pc_before ≝ program_counter … before in
  let pc_after ≝ program_counter … after in
  let sum ≝ \snd (half_add … pc_before (bitvector_of_nat … size)) in
    sum = pc_after.

definition ASM_abstract_status: BitVectorTrie costlabel 16 → abstract_status ≝
 λcost_labels.
  mk_abstract_status
   Status
   (λs,s'. (execute_1 s) = s')
   (λs,class. ASM_classify s = class)
   (current_instruction_is_labelled cost_labels)
   next_instruction_properly_relates_program_counters.

(* To be moved in ASM/arithmetic.ma *)
definition addr16_of_addr11: Word → Word11 → Word ≝
  λpc: Word.
  λa: Word11.
  let 〈pc_upper, ignore〉 ≝ split … 8 8 pc in
  let 〈n1, n2〉 ≝ split … 4 4 pc_upper in
  let 〈b123, b〉 ≝ split … 3 8 a in
  let b1 ≝ get_index_v … b123 0 ? in
  let b2 ≝ get_index_v … b123 1 ? in
  let b3 ≝ get_index_v … b123 2 ? in
  let p5 ≝ get_index_v … n2 0 ? in
    (n1 @@ [[ p5; b1; b2; b3 ]]) @@ b.
  //
qed. 
    
definition good_program_counter: BitVectorTrie Byte 16 → Word → nat → Prop ≝
  λcode_memory: BitVectorTrie Byte 16.
  λprogram_counter: Word.
  λprogram_size: nat.
    ∃n: nat.
      let tail_program_counter ≝ fetch_program_counter_n n code_memory (zero 16) in
        program_counter = fetch_program_counter_n (S n) code_memory (zero 16) ∧
          nat_of_bitvector 16 program_counter ≤ program_size ∧
            nat_of_bitvector 16 tail_program_counter < nat_of_bitvector 16 program_counter.

definition good_program: BitVectorTrie Byte 16 → Word → nat → Prop ≝
  λcode_memory: BitVectorTrie Byte 16.
  λprogram_counter: Word.
  λtotal_program_size: nat.
  let 〈instruction, program_counter, ticks〉 ≝ fetch code_memory program_counter in
    match instruction with
    [ RealInstruction instr ⇒
      match instr with
      [ RET                    ⇒ True
      | JC   relative          ⇒ True (* XXX: see below *)
      | JNC  relative          ⇒ True (* XXX: see below *)
      | JB   bit_addr relative ⇒ True
      | JNB  bit_addr relative ⇒ True
      | JBC  bit_addr relative ⇒ True
      | JZ   relative          ⇒ True
      | JNZ  relative          ⇒ True
      | CJNE src_trgt relative ⇒ True
      | DJNZ src_trgt relative ⇒ True
      | _                      ⇒
          good_program_counter code_memory program_counter total_program_size
      ]
    | LCALL addr         ⇒
      match addr return λx. bool_to_Prop (is_in … [[ addr16 ]] x) → Prop with
      [ ADDR16 addr ⇒ λaddr16: True.
          good_program_counter code_memory addr total_program_size ∧
            good_program_counter code_memory program_counter total_program_size
      | _ ⇒ λother: False. ⊥
      ] (subaddressing_modein … addr)
    | ACALL addr         ⇒
      match addr return λx. bool_to_Prop (is_in … [[ addr11 ]] x) → Prop with
      [ ADDR11 addr ⇒ λaddr11: True.
        let 〈pc_bu, pc_bl〉 ≝ split … 8 8 program_counter in
        let 〈thr, eig〉 ≝ split … 3 8 addr in
        let 〈fiv, thr'〉 ≝ split … 5 3 pc_bu in
        let new_program_counter ≝ (fiv @@ thr) @@ pc_bl in
          good_program_counter code_memory new_program_counter total_program_size ∧
            good_program_counter code_memory program_counter total_program_size
      | _ ⇒ λother: False. ⊥
      ] (subaddressing_modein … addr)
    | AJMP  addr         ⇒
      match addr return λx. bool_to_Prop (is_in … [[ addr11 ]] x) → Prop with
      [ ADDR11 addr ⇒ λaddr11: True.
        let 〈pc_bu, pc_bl〉 ≝ split … 8 8 program_counter in
        let 〈nu, nl〉 ≝ split … 4 4 pc_bu in
        let bit ≝ get_index' … O ? nl in
        let 〈relevant1, relevant2〉 ≝ split … 3 8 addr in
        let new_addr ≝ (nu @@ (bit ::: relevant1)) @@ relevant2 in
        let 〈carry, new_program_counter〉 ≝ half_add 16 program_counter new_addr in
          (good_program_counter code_memory new_program_counter total_program_size) ∧
            (good_program_counter code_memory program_counter total_program_size)
      | _ ⇒ λother: False. ⊥
      ] (subaddressing_modein … addr)
    | LJMP  addr         ⇒
      match addr return λx. bool_to_Prop (is_in … [[ addr16 ]] x) → Prop with
      [ ADDR16 addr ⇒ λaddr16: True.
          good_program_counter code_memory addr total_program_size ∧
            good_program_counter code_memory program_counter total_program_size
      | _ ⇒ λother: False. ⊥
      ] (subaddressing_modein … addr)
    | SJMP  addr     ⇒
      match addr return λx. bool_to_Prop (is_in … [[ relative ]] x) → Prop with
      [ RELATIVE addr ⇒ λrelative: True.
        let 〈carry, new_program_counter〉 ≝ half_add … program_counter (sign_extension addr) in
          good_program_counter code_memory new_program_counter total_program_size ∧
            good_program_counter code_memory program_counter total_program_size
      | _ ⇒ λother: False. ⊥
      ] (subaddressing_modein … addr)
    | JMP   addr     ⇒ True (* XXX: should recurse here, but dptr in JMP ... *)
    | MOVC  src trgt ⇒
        good_program_counter code_memory program_counter total_program_size
    ].
  cases other
qed.

lemma is_in_tail_to_is_in_cons_hd_tl:
  ∀n: nat.
  ∀the_vect: Vector addressing_mode_tag n.
  ∀h: addressing_mode_tag.
  ∀element: addressing_mode.
    is_in n the_vect element → is_in (S n) (h:::the_vect) element.
  #n #the_vect #h #element #assm
  normalize cases (is_a h element) normalize nodelta
  //
qed.

axiom is_in_subvector_is_in_supervector:
  ∀m, n: nat.
  ∀subvector: Vector addressing_mode_tag m.
  ∀supervector: Vector addressing_mode_tag n.
  ∀element: addressing_mode.
    subvector_with … eq_a subvector supervector →
      is_in m subvector element → is_in n supervector element.

let rec member_addressing_mode_tag
  (n: nat) (v: Vector addressing_mode_tag n) (a: addressing_mode_tag)
    on v: Prop ≝
  match v with
  [ VEmpty ⇒ False
  | VCons n' hd tl ⇒
      bool_to_Prop (eq_a hd a) ∨ member_addressing_mode_tag n' tl a
  ].
  
let rec subaddressing_mode_elim_type
  (T: Type[2]) (m: nat) (fixed_v: Vector addressing_mode_tag m)
    (Q: addressing_mode → T → Prop)
      (p_addr11:            ∀w: Word11.      is_in m fixed_v (ADDR11 w)        → T)
      (p_addr16:            ∀w: Word.        is_in m fixed_v (ADDR16 w)        → T)
      (p_direct:            ∀w: Byte.        is_in m fixed_v (DIRECT w)        → T)
      (p_indirect:          ∀w: Bit.         is_in m fixed_v (INDIRECT w)      → T)
      (p_ext_indirect:      ∀w: Bit.         is_in m fixed_v (EXT_INDIRECT w)  → T)
      (p_acc_a:                              is_in m fixed_v ACC_A             → T)
      (p_register:          ∀w: BitVector 3. is_in m fixed_v (REGISTER w)      → T)
      (p_acc_b:                              is_in m fixed_v ACC_B             → T)
      (p_dptr:                               is_in m fixed_v DPTR              → T)
      (p_data:              ∀w: Byte.        is_in m fixed_v (DATA w)          → T)
      (p_data16:            ∀w: Word.        is_in m fixed_v (DATA16 w)        → T)
      (p_acc_dptr:                           is_in m fixed_v ACC_DPTR          → T)
      (p_acc_pc:                             is_in m fixed_v ACC_PC            → T)
      (p_ext_indirect_dptr:                  is_in m fixed_v EXT_INDIRECT_DPTR → T)
      (p_indirect_dptr:                      is_in m fixed_v INDIRECT_DPTR     → T)
      (p_carry:                              is_in m fixed_v CARRY             → T)
      (p_bit_addr:          ∀w: Byte.        is_in m fixed_v (BIT_ADDR w)      → T)
      (p_n_bit_addr:        ∀w: Byte.        is_in m fixed_v (N_BIT_ADDR w)    → T)
      (p_relative:          ∀w: Byte.        is_in m fixed_v (RELATIVE w)      → T)
        (n: nat) (v: Vector addressing_mode_tag n) (proof: subvector_with … eq_a v fixed_v)
      on v: Prop ≝
  match v return λo: nat. λv': Vector addressing_mode_tag o. o = n → v ≃ v' → ? with
  [ VEmpty         ⇒ λm_refl. λv_refl.
      ∀addr: addressing_mode. ∀p: is_in m fixed_v addr.
        Q addr (
        match addr return λx: addressing_mode. is_in … fixed_v x → T with 
        [ ADDR11 x          ⇒ p_addr11 x
        | ADDR16 x          ⇒ p_addr16 x
        | DIRECT x          ⇒ p_direct x
        | INDIRECT x        ⇒ p_indirect x
        | EXT_INDIRECT x    ⇒ p_ext_indirect x
        | ACC_A             ⇒ p_acc_a
        | REGISTER x        ⇒ p_register x
        | ACC_B             ⇒ p_acc_b
        | DPTR              ⇒ p_dptr
        | DATA x            ⇒ p_data x
        | DATA16 x          ⇒ p_data16 x
        | ACC_DPTR          ⇒ p_acc_dptr
        | ACC_PC            ⇒ p_acc_pc
        | EXT_INDIRECT_DPTR ⇒ p_ext_indirect_dptr
        | INDIRECT_DPTR     ⇒ p_indirect_dptr
        | CARRY             ⇒ p_carry
        | BIT_ADDR x        ⇒ p_bit_addr x
        | N_BIT_ADDR x      ⇒ p_n_bit_addr x
        | RELATIVE x        ⇒ p_relative x
        ] p)
  | VCons n' hd tl ⇒ λm_refl. λv_refl.
    let tail_call ≝ subaddressing_mode_elim_type T m fixed_v Q p_addr11
      p_addr16 p_direct p_indirect p_ext_indirect p_acc_a
        p_register p_acc_b p_dptr p_data p_data16 p_acc_dptr
          p_acc_pc p_ext_indirect_dptr p_indirect_dptr p_carry
            p_bit_addr p_n_bit_addr p_relative n' tl ?
    in
    match hd return λa: addressing_mode_tag. a = hd → ? with
    [ addr11            ⇒ λhd_refl. (∀w. Q (ADDR11 w) (p_addr11 w ?)) → tail_call
    | addr16            ⇒ λhd_refl. (∀w. Q (ADDR16 w) (p_addr16 w ?)) → tail_call
    | direct            ⇒ λhd_refl. (∀w. Q (DIRECT w) (p_direct w ?)) → tail_call
    | indirect          ⇒ λhd_refl. (∀w. Q (INDIRECT w) (p_indirect w ?)) → tail_call
    | ext_indirect      ⇒ λhd_refl. (∀w. Q (EXT_INDIRECT w) (p_ext_indirect w ?)) → tail_call
    | acc_a             ⇒ λhd_refl. (Q ACC_A (p_acc_a ?)) → tail_call
    | registr           ⇒ λhd_refl. (∀w. Q (REGISTER w) (p_register w ?)) → tail_call
    | acc_b             ⇒ λhd_refl. (Q ACC_A (p_acc_b ?)) → tail_call
    | dptr              ⇒ λhd_refl. (Q DPTR (p_dptr ?)) → tail_call
    | data              ⇒ λhd_refl. (∀w. Q (DATA w) (p_data w ?)) → tail_call
    | data16            ⇒ λhd_refl. (∀w. Q (DATA16 w) (p_data16 w ?)) → tail_call
    | acc_dptr          ⇒ λhd_refl. (Q ACC_DPTR (p_acc_dptr ?)) → tail_call
    | acc_pc            ⇒ λhd_refl. (Q ACC_PC (p_acc_pc ?)) → tail_call
    | ext_indirect_dptr ⇒ λhd_refl. (Q EXT_INDIRECT_DPTR (p_ext_indirect_dptr ?)) → tail_call
    | indirect_dptr     ⇒ λhd_refl. (Q INDIRECT_DPTR (p_indirect_dptr ?)) → tail_call
    | carry             ⇒ λhd_refl. (Q CARRY (p_carry ?)) → tail_call
    | bit_addr          ⇒ λhd_refl. (∀w. Q (BIT_ADDR w) (p_bit_addr w ?)) → tail_call
    | n_bit_addr        ⇒ λhd_refl. (∀w. Q (N_BIT_ADDR w) (p_n_bit_addr w ?)) → tail_call
    | relative          ⇒ λhd_refl. (∀w. Q (RELATIVE w) (p_relative w ?)) → tail_call
    ] (refl … hd)
  ] (refl … n) (refl_jmeq … v).
  [20:
    generalize in match proof; destruct
    whd in match (subvector_with … eq_a (hd:::tl) fixed_v);
    cases (mem … eq_a m fixed_v hd) normalize nodelta
    [1:
      whd in match (subvector_with … eq_a tl fixed_v);
      #assm assumption
    |2:
      normalize in ⊢ (% → ?);
      #absurd cases absurd
    ]
  ]
  @(is_in_subvector_is_in_supervector n m v fixed_v … proof)
  destruct @I
qed.

lemma subaddressing_mode_elim':
  ∀T: Type[2].
  ∀m: nat.
  ∀fixed_v: Vector addressing_mode_tag m.
  ∀Q: addressing_mode → T → Prop.
  ∀P1,P2,P3,P4,P5,P6,P7,P8,P9,P10,P11,P12,P13,P14,P15,P16,P17,P18,P19.
  ∀n: nat.
  
  ∀v: Vector addressing_mode_tag n.
  ∀proof.
    subaddressing_mode_elim_type T m fixed_v Q P1 P2 P3 P4 P5 P6 P7
      P8 P9 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 n v proof.
  #T #m #fixed_v #Q #H1 #H2 #H3 #H4 #H5 #H6 #H7 #H8 #H9 #H10 #H11 #H12 #H13 #H14 #H15 #H16 #H17 #H18 #H19 #n #v
  elim v
  [ #proof normalize
    
qed.

(*
lemma subaddressing_mode_elim:
  ∀T:Type[2].
  ∀P1: Word11 → T.
  ∀P2,P3,P4,P5,P6,P7,P8,P9,P10,P11,P12,P13,P14,P15,P16,P17,P18,P19: False → T.
  ∀addr: addressing_mode.
  ∀p: is_in 1 [[ addr11 ]] addr.
  ∀Q: addressing_mode → T → Prop.
    (∀w. Q (ADDR11 w) (P1 w)) →
      Q addr (
        match addr return λx:addressing_mode. (is_in 1 [[addr11]] x → T) with 
        [ ADDR11 (x:Word11) ⇒ λH:True. P1 x
        | ADDR16 _ ⇒ λH:False. P2 H
        | DIRECT _ ⇒ λH:False. P3 H
        | INDIRECT _ ⇒ λH:False. P4 H
        | EXT_INDIRECT _ ⇒ λH:False. P5 H
        | ACC_A ⇒ λH:False. P6 H
        | REGISTER _ ⇒ λH:False. P7 H
        | ACC_B ⇒ λH:False. P8 H
        | DPTR ⇒ λH:False. P9 H
        | DATA _ ⇒ λH:False. P10 H
        | DATA16 _ ⇒ λH:False. P11 H
        | ACC_DPTR ⇒ λH:False. P12 H
        | ACC_PC ⇒ λH:False. P13 H
        | EXT_INDIRECT_DPTR ⇒ λH:False. P14 H
        | INDIRECT_DPTR ⇒ λH:False. P15 H
        | CARRY ⇒ λH:False. P16 H
        | BIT_ADDR _ ⇒ λH:False. P17 H
        | N_BIT_ADDR _ ⇒ λH:False. P18 H   
        | RELATIVE _ ⇒ λH:False. P19 H
        ] p).
  #T #P1 #P2 #P3 #P4 #P5 #P6 #P7 #P8 #P9 #P10 #P11 #P12 #P13
  #P14 #P15 #P16 #P17 #P18 #P19
  * try #x1 try #x2 try #x3 try #x4
  try (@⊥ assumption) normalize @x4
qed. *)

include alias "arithmetics/nat.ma".

lemma lt_n_o_to_plus_m_n_lt_plus_m_o:
  ∀m, n, o: nat.
    n < o → m + n < m + o.
  #m #n #o #assm /2 by monotonic_le_plus_r/
qed.

axiom fetch_program_counter_n_technical:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀program_counter, program_counter': Word.
  ∀instruction: instruction.
  ∀ticks, n: nat.
  program_counter' = \snd (\fst (fetch code_memory program_counter)) →
    program_counter' = fetch_program_counter_n (S n) code_memory (zero …) →
      program_counter = fetch_program_counter_n n code_memory (zero …).
    
let rec block_cost
  (code_memory: BitVectorTrie Byte 16) (program_counter: Word)
    (program_size: nat) (total_program_size: nat) (cost_labels: BitVectorTrie costlabel 16)
      (good_program_witness: good_program code_memory program_counter total_program_size)
        on program_size: total_program_size ≤ program_size + nat_of_bitvector … program_counter → nat ≝
  match program_size return λprogram_size: nat. total_program_size ≤ program_size + nat_of_bitvector … program_counter → nat with
  [ O ⇒ λbase_case. 0
  | S program_size' ⇒ λrecursive_case.
    let 〈instruction, program_counter', ticks〉 as FETCH ≝ fetch code_memory program_counter in
      match lookup_opt … program_counter' cost_labels return λx: option costlabel. nat with
      [ None   ⇒
        match instruction return λx. x = instruction → ? with
        [ RealInstruction instruction ⇒ λreal_instruction.
          match instruction return λx. x = instruction → ? with
          [ RET                    ⇒ λinstr. ticks
          | JC   relative          ⇒ λinstr. ticks
          | JNC  relative          ⇒ λinstr. ticks
          | JB   bit_addr relative ⇒ λinstr. ticks
          | JNB  bit_addr relative ⇒ λinstr. ticks
          | JBC  bit_addr relative ⇒ λinstr. ticks
          | JZ   relative          ⇒ λinstr. ticks
          | JNZ  relative          ⇒ λinstr. ticks
          | CJNE src_trgt relative ⇒ λinstr. ticks
          | DJNZ src_trgt relative ⇒ λinstr. ticks
          | _                      ⇒ λinstr.
              ticks + block_cost code_memory program_counter' program_size' total_program_size cost_labels ? ?
          ] (refl … instruction)
        | ACALL addr     ⇒ λinstr.
            ticks + block_cost code_memory program_counter' program_size' total_program_size cost_labels ? ?
        | AJMP  addr     ⇒ λinstr. ticks
        | LCALL addr     ⇒ λinstr.
            ticks + block_cost code_memory program_counter' program_size' total_program_size cost_labels ? ?
        | LJMP  addr     ⇒ λinstr. ticks
        | SJMP  addr     ⇒ λinstr. ticks
        | JMP   addr     ⇒ λinstr. (* XXX: actually a call due to use with fptrs *)
            ticks + block_cost code_memory program_counter' program_size' total_program_size cost_labels ? ?
        | MOVC  src trgt ⇒ λinstr.
            ticks + block_cost code_memory program_counter' program_size' total_program_size cost_labels ? ?
        ] (refl … instruction)
      | Some _ ⇒ ticks
      ]
  ].
  [1:
    generalize in match good_program_witness;
    whd in match good_program; normalize nodelta
    cases FETCH normalize nodelta
    cases instr normalize nodelta
    @(subaddressing_mode_elim … [[ addr11 ]]) #new_addr
    cases (split … 8 8 program_counter') #pc_bu #pc_bl normalize nodelta
    cases (split … 3 8 new_addr) #thr #eig normalize nodelta
    cases (split … 5 3 pc_bu) #fiv #thr' normalize nodelta
    #assm cases assm #ignore
    whd in match good_program_counter; normalize nodelta * #n * *
    #program_counter_eq' #program_counter_lt_total_program_size
    #fetch_n_leq_program_counter'
    @(transitive_le
      total_program_size
      ((S program_size') + nat_of_bitvector … program_counter)
      (program_size' + nat_of_bitvector … program_counter') recursive_case)
    whd in ⊢ (?%?);
    change with (
      program_size' + (nat_of_bitvector … program_counter) <
        program_size' + (nat_of_bitvector … program_counter'))
    @lt_n_o_to_plus_m_n_lt_plus_m_o
    >(fetch_program_counter_n_technical code_memory program_counter
      program_counter' instruction ticks n)
    /2 by pair_destruct_2/
  |7:
    generalize in match good_program_witness;
    whd in match good_program; normalize nodelta
    cases FETCH normalize nodelta
    cases instr normalize nodelta
    @(subaddressing_mode_elim … [[ acc_dptr; acc_pc ]]) #new_addr
    cases (split … 8 8 program_counter') #pc_bu #pc_bl normalize nodelta
    cases (split … 3 8 new_addr) #thr #eig normalize nodelta
    cases (split … 5 3 pc_bu) #fiv #thr' normalize nodelta
    #assm cases assm #ignore
    whd in match good_program_counter; normalize nodelta * #n * *
    #program_counter_eq' #program_counter_lt_total_program_size
    #fetch_n_leq_program_counter'
    @(transitive_le
      total_program_size
      ((S program_size') + nat_of_bitvector … program_counter)
      (program_size' + nat_of_bitvector … program_counter') recursive_case)
    whd in ⊢ (?%?);
    change with (
      program_size' + (nat_of_bitvector … program_counter) <
        program_size' + (nat_of_bitvector … program_counter'))
    @lt_n_o_to_plus_m_n_lt_plus_m_o
    >(fetch_program_counter_n_technical code_memory program_counter
      program_counter' instruction ticks n)
    /2 by pair_destruct_2/
  |3,5,7,9,11:
    (* XXX etc. need the subaddressing_mode_elim generalizing *)
  |2:
    generalize in match good_program_witness;
    whd in match (good_program code_memory program_counter total_program_size);
    cases FETCH normalize nodelta
    cases instr normalize nodelta
    @subaddressing_mode_elim #new_addr
    cases (split … 8 8 program_counter') #pc_bu #pc_bl normalize nodelta
    cases (split … 3 8 new_addr) #thr #eig normalize nodelta
    cases (split … 5 3 pc_bu) #fiv #thr' normalize nodelta
    #assm cases assm #ignore #good_program_counter
    whd in match (good_program code_memory program_counter' total_program_size);
    cases(fetch code_memory program_counter') #instruction_program_counter'' #ticks''
    cases(instruction_program_counter'') #instruction'' #program_counter'' normalize nodelta
    
  [2:
    (* generalize in match good_program_witness; *)
    whd in match good_program; normalize nodelta
    cases FETCH normalize nodelta
    cases (fetch code_memory program_counter') #instruction_program_counter' #ticks' normalize nodelta
    cases instruction_program_counter' #instruction' #program_counter'' normalize nodelta
    cases acall normalize nodelta
    cases addr #subaddressing_mode cases subaddressing_mode
    try (#assm #absurd normalize in absurd; cases absurd)
    try (#absurd normalize in absurd; cases absurd)
    normalize nodelta
    cases instruction'
    try (#assm normalize nodelta)
    [7:
      #irrelevant
      whd in match good_program_counter; normalize nodelta
      
      
      
      
      
      
      
      
      
(* XXX: use memoisation here in the future *)
let rec block_cost
  (code_memory: BitVectorTrie Byte 16) (cost_labels: BitVectorTrie costlabel 16)
    (program_counter: Word) (program_size: nat) (total_program_size: nat)
      (size_invariant: total_program_size ≤ code_memory_size)
        (pc_invariant: nat_of_bitvector … program_counter < total_program_size)
          on program_size: total_program_size - nat_of_bitvector … program_counter ≤ program_size → nat ≝
  match program_size return λprogram_size: nat. total_program_size - nat_of_bitvector … program_counter ≤ program_size → nat with
  [ O ⇒ λbase_case. 0 (* XXX: change from ⊥ before *)
  | S program_size ⇒ λrecursive_case.
    let 〈instr, newpc, ticks〉 ≝ fetch … code_memory program_counter in
      match lookup_opt … newpc cost_labels return λx: option costlabel. nat with
      [ None ⇒
          let classify ≝ ASM_classify0 instr in
          match classify return λx. classify = x → ? with
          [ cl_jump ⇒ λclassify_refl. ticks
          | cl_call ⇒ λclassify_refl. (* ite here *)
              ticks + (block_cost code_memory cost_labels newpc program_size total_program_size size_invariant ? final_instr_invariant ?)
          | cl_return ⇒ λclassify_refl. ticks
          | cl_other ⇒ λclassify_refl. (* ite here *)
              ticks + (block_cost code_memory cost_labels newpc program_size total_program_size size_invariant ? final_instr_invariant ?)
          ] (refl … classify)
        | Some _ ⇒ ticks
      ]
  ].

let rec traverse_code_internal
  (program: list Byte) (mem: BitVectorTrie Byte 16)
    (cost_labels: BitVectorTrie costlabel 16) (pc: Word) (program_size: nat)
      on program: identifier_map CostTag nat ≝
 let 〈instr,newpc,ticks〉 ≝ fetch … mem pc in
 match program with
 [ nil ⇒ empty_map …
 | cons hd tl ⇒
   match lookup_opt … pc cost_labels with
   [ None ⇒ traverse_code_internal tl mem cost_labels newpc program_size
   | Some lbl ⇒
     let cost ≝ block_cost mem cost_labels pc program_size in
     let cost_mapping ≝ traverse_code_internal tl mem cost_labels newpc program_size in
       add … cost_mapping lbl cost ]].

definition traverse_code ≝
  λprogram: list Byte.
  λmem: BitVectorTrie Byte 16.
  λcost_labels.
  λprogram_size: nat.
    traverse_code_internal program mem cost_labels (zero …) program_size.

definition compute_costs ≝
  λprogram: list Byte.
  λcost_labels: BitVectorTrie costlabel 16.
  λhas_main: bool.
  let program_size ≝ |program| + 1 in
  let memory ≝ load_code_memory program in
   traverse_code program memory cost_labels program_size.