root/src/ASM/ASMCosts.ma @ 1927

include "ASM/ASM.ma".
include "ASM/Arithmetic.ma".
include "ASM/Fetch.ma".
include "ASM/Interpret.ma".
include "common/StructuredTraces.ma".

(* XXX: alternative approach:
 * R : Word → Prop
 * TPS ≝ |R|
 * GP : ∀a. R(a) → R(next(a))
 *)

let rec fetch_program_counter_n
  (n: nat) (code_memory: BitVectorTrie Byte 16) (program_counter: Word)
    on n: option Word ≝
  match n with
  [ O ⇒ Some … program_counter
  | S n ⇒
    match fetch_program_counter_n n code_memory program_counter with
    [ None ⇒ None …
    | Some tail_pc ⇒
      let 〈instr, program_counter, ticks〉 ≝ fetch code_memory tail_pc in
        if ltb (nat_of_bitvector … tail_pc) (nat_of_bitvector … program_counter) then
          Some … program_counter
        else
          None Word (* XXX: overflow! *)
    ]
  ].
    
definition reachable_program_counter: BitVectorTrie Byte 16 → nat → Word → Prop ≝
  λcode_memory: BitVectorTrie Byte 16.
  λprogram_size: nat.
  λprogram_counter: Word.
    (∃n: nat. Some … program_counter = fetch_program_counter_n n code_memory (zero 16)) ∧
        nat_of_bitvector 16 program_counter < program_size.
   
definition well_labelling: BitVectorTrie costlabel 16 → Prop ≝
  λcost_labels.
    injective … (λx. lookup_opt … x cost_labels).
    
definition good_program: ∀code_memory: BitVectorTrie Byte 16. ∀total_program_size: nat. Prop ≝
  λcode_memory: BitVectorTrie Byte 16.
  λtotal_program_size: nat.
  ∀program_counter: Word.
  ∀good_program_counter_witness: reachable_program_counter code_memory total_program_size program_counter.
  let 〈instruction, program_counter', ticks〉 ≝ fetch code_memory program_counter in
    match instruction with
    [ RealInstruction instr ⇒
      match instr with
      [ RET                    ⇒ True
      | JC   relative          ⇒ True (* XXX: see below *)
      | JNC  relative          ⇒ True (* XXX: see below *)
      | JB   bit_addr relative ⇒ True
      | JNB  bit_addr relative ⇒ True
      | JBC  bit_addr relative ⇒ True
      | JZ   relative          ⇒ True
      | JNZ  relative          ⇒ True
      | CJNE src_trgt relative ⇒ True
      | DJNZ src_trgt relative ⇒ True
      | _                      ⇒
        nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' ∧
          nat_of_bitvector … program_counter' < total_program_size
      ]
    | LCALL addr         ⇒
      nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' ∧
        nat_of_bitvector … program_counter' < total_program_size
      (*match addr return λx. bool_to_Prop (is_in … [[ addr16 ]] x) → Prop with
      [ ADDR16 addr ⇒ λaddr16: True.
          reachable_program_counter code_memory total_program_size addr ∧
            nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' ∧
              nat_of_bitvector … program_counter' < total_program_size
      | _ ⇒ λother: False. ⊥
      ] (subaddressing_modein … addr) *)
    | ACALL addr         ⇒
      nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' ∧
        nat_of_bitvector … program_counter' < total_program_size
      (* match addr return λx. bool_to_Prop (is_in … [[ addr11 ]] x) → Prop with
      [ ADDR11 addr ⇒ λaddr11: True.
        let 〈pc_bu, pc_bl〉 ≝ split … 8 8 program_counter' in
        let 〈thr, eig〉 ≝ split … 3 8 addr in
        let 〈fiv, thr'〉 ≝ split … 5 3 pc_bu in
        let new_program_counter ≝ (fiv @@ thr) @@ pc_bl in
          reachable_program_counter code_memory total_program_size new_program_counter ∧
            nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' ∧
              nat_of_bitvector … program_counter' < total_program_size
      | _ ⇒ λother: False. ⊥
      ] (subaddressing_modein … addr) *)
    | AJMP  addr         ⇒
      let jump_target ≝ compute_target_of_unconditional_jump program_counter' instruction in
        reachable_program_counter code_memory total_program_size jump_target
    | LJMP  addr         ⇒
      let jump_target ≝ compute_target_of_unconditional_jump program_counter' instruction in
        reachable_program_counter code_memory total_program_size jump_target
    | SJMP  addr     ⇒
      let jump_target ≝ compute_target_of_unconditional_jump program_counter' instruction in
        reachable_program_counter code_memory total_program_size jump_target
    | JMP   addr     ⇒ (* XXX: JMP is used for fptrs and unconstrained *)
      nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' ∧
        nat_of_bitvector … program_counter' < total_program_size
    | MOVC  src trgt ⇒
        nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' ∧
          nat_of_bitvector … program_counter' < total_program_size
    ].
(*  cases other 
qed. *)

definition current_instruction_label ≝
  λcode_memory.
  λcost_labels: BitVectorTrie costlabel 16.
  λs: Status code_memory.
  let pc ≝ program_counter … code_memory s in
    lookup_opt … pc cost_labels.

definition next_instruction_properly_relates_program_counters ≝
  λcode_memory.
  λbefore: Status code_memory.
  λafter : Status code_memory.
    let program_counter_before ≝ program_counter ? code_memory before in
    let 〈instruction, program_counter_after, ticks〉 ≝ fetch code_memory program_counter_before in
      program_counter ? code_memory after = program_counter_after.

lemma eq_bv_true_to_refl:
  ∀n: nat.
  ∀x: BitVector n.
  ∀y: BitVector n.
    eq_bv n x y = true → x = y.
  #n #x #y
  cases daemon (* XXX: !!! *)
qed.

lemma refl_to_eq_bv_true:
  ∀n: nat.
  ∀x: BitVector n.
  ∀y: BitVector n.
    x = y → eq_bv n x y = true.
  #n #x #y #refl destruct /2/
qed.

corollary refl_iff_eq_bv_true:
  ∀n: nat.
  ∀x: BitVector n.
  ∀y: BitVector n.
    eq_bv n x y = true ↔ x = y.
  #n #x #y whd in match iff; normalize nodelta
  @conj /2/
qed.

definition word_deqset: DeqSet ≝
  mk_DeqSet Word (eq_bv 16) ?.
  @refl_iff_eq_bv_true
qed.

definition ASM_abstract_status: ∀code_memory. BitVectorTrie costlabel 16 → abstract_status ≝
  λcode_memory.
  λcost_labels.
    mk_abstract_status
      (Status code_memory)
      (λs,s'. (execute_1 … s) = s')
      word_deqset
      (program_counter …)
      (λs,class. ASM_classify … s = class)
      (current_instruction_label code_memory cost_labels)
      (next_instruction_properly_relates_program_counters code_memory)
      ?.
  cases daemon (* XXX: is final predicate *)
qed.

let rec trace_any_label_length
  (code_memory: BitVectorTrie Byte 16) (cost_labels: BitVectorTrie costlabel 16)
    (trace_ends_flag: trace_ends_with_ret) (start_status: Status code_memory)
      (final_status: Status code_memory)
      (the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start_status final_status)
        on the_trace: nat ≝
  match the_trace with
  [ tal_base_not_return the_status _ _ _ _ ⇒ 0
  | tal_base_call pre_fun_call start_fun_call final _ _ _ _ call_trace ⇒ 0
  | tal_base_return the_status _ _ _ ⇒ 0
  | tal_step_call end_flag pre_fun_call start_fun_call after_fun_call final _ _ _ call_trace _ final_trace ⇒
      let tail_length ≝ trace_any_label_length … final_trace in
      let pc_difference ≝ nat_of_bitvector … (program_counter … after_fun_call) - nat_of_bitvector … (program_counter … pre_fun_call) in        
        pc_difference + tail_length
  | tal_step_default end_flag status_pre status_init status_end _ tail_trace _ _ ⇒
      let tail_length ≝ trace_any_label_length … tail_trace in
      let pc_difference ≝ nat_of_bitvector … (program_counter … status_init) - nat_of_bitvector … (program_counter … status_pre) in
        pc_difference + tail_length        
  ].

definition trace_any_label_length' ≝
  λcode_memory: BitVectorTrie Byte 16.
  λcost_labels: BitVectorTrie costlabel 16.
  λtrace_ends_flag: trace_ends_with_ret.
  λstart_status: Status code_memory.
  λfinal_status: Status code_memory.
  λthe_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start_status final_status.
    as_trace_any_label_length' … the_trace.

let rec all_program_counter_list
  (n: nat)
    on n ≝
  match n with
  [ O ⇒ [ ]
  | S n' ⇒ (bitvector_of_nat 16 n')::(all_program_counter_list n')
  ].

lemma all_program_counter_list_bound_eq:
  ∀bound: nat.
    |all_program_counter_list bound| = bound.
  #bound elim bound try %
  #bound' #inductive_hypothesis normalize
  >inductive_hypothesis %
qed.

axiom nat_of_bitvector_bitvector_of_nat_inverse:
  ∀n: nat.
  ∀b: nat.
    b < 2^n → nat_of_bitvector n (bitvector_of_nat n b) = b.

axiom bitvector_of_nat_inverse_nat_of_bitvector:
  ∀n: nat.
  ∀b: BitVector n.
    bitvector_of_nat n (nat_of_bitvector n b) = b.

lemma mem_all_program_counter_list_lt_bound:
  ∀bound: nat.
  ∀bound_proof: bound ≤ 2^16.
  ∀e: Word.
    memb word_deqset e (all_program_counter_list bound) = true →
      nat_of_bitvector … e < bound.
  #bound elim bound
  [1:
    #bound_proof #e
    normalize #absurd destruct(absurd)
  |2:
    #bound' #inductive_hypothesis
    #bound_proof #e
    change with (if eq_bv ??? then ? else ? = ? → ?)
    @eq_bv_elim
    [1:
      #eq_assm
      normalize nodelta destruct #_
      >nat_of_bitvector_bitvector_of_nat_inverse try assumption
      normalize %
    |2:
      #neq_assm normalize nodelta
      #memb_assm %2 @inductive_hypothesis
      try assumption
      @(transitive_le bound' (S bound'))
      try assumption %2 %
    ]
  ]
qed.

lemma lt_bound_mem_all_program_counter_list:
  ∀bound: nat.
  ∀bound_proof: bound ≤ 2^16.
  ∀e: Word.
    nat_of_bitvector … e < bound →
      memb word_deqset e (all_program_counter_list bound) = true.
  #bound elim bound
  [1:
    #bound_proof #e normalize
    #absurd cases (lt_to_not_zero … absurd)
  |2:
    #bound' #inductive_hypothesis
    #bound_proof #e
    change with (? → if eq_bv ??? then ? else ? = ?)
    #assm
    cases (le_to_or_lt_eq … (nat_of_bitvector 16 e) bound' ?)
    [1:
      #e_lt_assm
      @eq_bv_elim
      [1:
        #eq_assm normalize nodelta %
      |2:
        #neq_assm normalize nodelta
        @inductive_hypothesis try assumption
        @(transitive_le bound' (S bound')) try assumption
        %2 %
      ]
    |2:
      #relevant >eq_eq_bv normalize nodelta try %
      destruct >bitvector_of_nat_inverse_nat_of_bitvector %
    |3:
      normalize in assm;
      @le_S_S_to_le assumption
    ]
  ]
qed.

include alias "arithmetics/nat.ma".

lemma fetch_program_counter_n_Sn:
  ∀instruction: instruction.
  ∀program_counter, program_counter': Word.
  ∀ticks, n: nat.
  ∀code_memory: BitVectorTrie Byte 16.
    Some … program_counter = fetch_program_counter_n n code_memory (zero 16) →
      〈instruction,program_counter',ticks〉 = fetch code_memory program_counter →
        nat_of_bitvector … program_counter < nat_of_bitvector … program_counter' →
          Some … program_counter' = fetch_program_counter_n (S n) code_memory (zero …).
  #instruction #program_counter #program_counter' #ticks #n #code_memory
  #fetch_program_counter_n_hyp #fetch_hyp #lt_hyp
  whd in match (fetch_program_counter_n (S n) code_memory (zero …));
  <fetch_program_counter_n_hyp normalize nodelta
  <fetch_hyp normalize nodelta
  change with (
    leb (S (nat_of_bitvector … program_counter)) (nat_of_bitvector … program_counter')
  ) in match (ltb (nat_of_bitvector … program_counter) (nat_of_bitvector … program_counter'));
  >(le_to_leb_true … lt_hyp) %
qed.

(* XXX: indexing bug *)
lemma execute_1_and_program_counter_after_other_in_lockstep:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀start_status: Status code_memory.
    ASM_classify code_memory start_status = cl_other →
      let 〈instruction, pc, ticks〉 ≝ fetch code_memory (program_counter … start_status) in
        program_counter ? ? (execute_1 … start_status) =
          program_counter_after_other pc instruction.
  #code_memory #start_status #classify_assm
  whd in match execute_1; normalize nodelta
  cases (execute_1' code_memory start_status) #the_status 
  * #_ whd in classify_assm:(??%?); whd in match (current_instruction ??) in classify_assm;
  cases (fetch ? ?) in classify_assm; * #instruction #pc #ticks
  #classify_assm #classify_assm' @classify_assm' assumption
qed-.

let rec tal_pc_list_lt_total_program_size
  (code_memory: BitVectorTrie Byte 16) (cost_labels: BitVectorTrie costlabel 16)
    (total_program_size: nat) (total_program_size_invariant: total_program_size ≤ 2^16)
      (good_program_witness: good_program code_memory total_program_size)
        (start: Status code_memory) (final: Status code_memory) (trace_ends_flag: trace_ends_with_ret)
          (the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final)
            (pc: as_pc (ASM_abstract_status code_memory cost_labels))
              on the_trace:
  reachable_program_counter code_memory total_program_size (program_counter … start) →
    memb word_deqset pc (tal_pc_list (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final the_trace) = true →
      nat_of_bitvector 16 pc<total_program_size ≝
  match the_trace with
  [ tal_base_not_return the_status _ _ _ _ ⇒ ?
  | tal_base_return the_status _ _ _ ⇒ ?
  | tal_base_call pre_fun_call start_fun_call final _ _ _ _ call_trace ⇒ ?
  | tal_step_call end_flag pre_fun_call start_fun_call after_fun_call final
     _ classifier after_return call_trace _ final_trace ⇒ ?
  | tal_step_default end_flag status_pre status_init status_end execute tail_trace classifier _ ⇒ ?
  ].
  #reachable_program_counter_witness
  whd in ⊢ (??%? → ?); @(bool_inv_ind … (pc==as_pc_of (ASM_abstract_status code_memory cost_labels) ?))
  normalize nodelta #eq_assm cases reachable_program_counter_witness
  [1,3,5,7,9:
    >(eq_bv_eq … eq_assm) #_ #relevant #_
    assumption
  |2,4,6:
    #_ #_ #absurd
    normalize in absurd; destruct(absurd)
  |8:
    #Some_assm #tps_lt_assm @tal_pc_list_lt_total_program_size try assumption
    whd in after_return;
    lapply after_return
    @pair_elim * normalize nodelta #instruction #pc' #ticks
    #fetch_eq #pc_assm' >pc_assm' 
    lapply (good_program_witness ? reachable_program_counter_witness)
    whd in classifier; whd in classifier:(??%?);
    whd in match (current_instruction ??) in classifier;
    whd in match current_instruction0 in classifier;
    >fetch_eq in classifier;
    normalize nodelta cases instruction
    normalize nodelta -tal_pc_list_lt_total_program_size
    [8:
      #preinstruction elim preinstruction
      normalize in match (? = cl_call);
    ]
    try (#assm1 #assm2 #absurd destruct(absurd) @I)
    try (#assm1 #absurd destruct(absurd) @I)
    try (#absurd destruct(absurd) @I)
    (* [1:
      #addr #_
      @(subaddressing_mode_elim … [[addr11]] … [[addr11]]) [1: // ]
      #w
      @pair_elim #lft #rgt @pair_elim #lft' #rgt' @pair_elim #lft'' #rgt''
      #_ #_ #_ * * #_
    |2:
      #addr #_
      @(subaddressing_mode_elim … [[addr16]] … [[addr16]]) [1: // ]
      #w * * #_
    |3:
      #addr #_ *
    ] *)
    #_ #_ * #relevant #pc_tps_assm'
    whd cases reachable_program_counter_witness * #n
    #Some_assm #_ % try assumption
    %{(S n)}
    @(fetch_program_counter_n_Sn … Some_assm (sym_eq … fetch_eq))
    assumption
  |10:
    #Some_assm #tps_lt_assm @tal_pc_list_lt_total_program_size try assumption -tal_pc_list_lt_total_program_size
    lapply (execute_1_and_program_counter_after_other_in_lockstep … status_pre classifier)
    @pair_elim * #instruction #pc #ticks normalize nodelta
    #fetch_eq whd in match program_counter_after_other; normalize nodelta
    lapply (good_program_witness … reachable_program_counter_witness)
    whd in classifier; whd in classifier:(??%?);
    whd in match (current_instruction ??) in classifier;
    whd in match current_instruction0 in classifier;
    >fetch_eq in classifier; normalize nodelta cases instruction
    normalize nodelta
    [8:
      #preinstruction elim preinstruction
      normalize in match (? = cl_other);
    ]
    try (#assm1 #assm2 #absurd destruct(absurd) @I)
    try (#assm1 #absurd destruct(absurd) @I)
    try (#absurd destruct(absurd) @I) normalize nodelta
    [27,28,29:
      #addr #_ #reachable
      #program_counter_execute_1_refl
      whd in execute; <execute
      >program_counter_execute_1_refl assumption
    |*:
      try (#assm1 #assm2 #_ * #relevant #pc_lt_assm)
      try (#assm1 #_ * #relevant #pc_lt_assm)
      try (#_ * #relevant #pc_lt_assm) #pc_refl
      cases reachable_program_counter_witness * #n
      #Some_assm #tps_lt_assm
      whd in match reachable_program_counter; normalize nodelta %
      try %{(S n)}
      whd in execute; <execute
      try (@(fetch_program_counter_n_Sn instruction ?? ticks ?? Some_assm ?) >execute >fetch_eq <pc_refl >execute try %)
      <pc_refl in relevant; <execute #assm
      >pc_refl >pc_refl in assm; #assm assumption
    ]
  ]
qed. 

lemma sublist_tal_pc_list_all_program_counter_list:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀total_program_size: nat.
  ∀total_program_size_invariant: total_program_size ≤ 2^16.
  ∀good_program_witness: good_program code_memory total_program_size.
  ∀start, final: Status code_memory.
  ∀reachable_program_counter_witness: reachable_program_counter code_memory total_program_size
    (program_counter (BitVectorTrie Byte 16) code_memory start).
  ∀trace_ends_flag.
  ∀the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final.
    sublist ? (tal_pc_list … the_trace) (all_program_counter_list total_program_size).
  #code_memory #cost_labels #total_program_size #total_program_size_invariant
  #good_program_witness #start #final #reachable_program_counter_witness
  #trace_ends_flag #the_trace
  whd in match (sublist ???); #pc #memb_assm
  @lt_bound_mem_all_program_counter_list
  try assumption destruct
  lapply memb_assm -memb_assm
  @tal_pc_list_lt_total_program_size
  assumption
qed.

corollary tal_pc_list_length_leq_total_program_size:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀total_program_size: nat.
  ∀total_program_size_invariant: total_program_size ≤ 2^16.
  ∀good_program_witness: good_program code_memory total_program_size.
  ∀start, final: Status code_memory.
  ∀reachable_program_counter_witness: reachable_program_counter code_memory total_program_size
    (program_counter (BitVectorTrie Byte 16) code_memory start).
  ∀trace_ends_flag.
  ∀the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final.
  ∀unrepeating_witness: tal_unrepeating (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final the_trace.
    |tal_pc_list … the_trace| ≤ total_program_size.
  #code_memory #cost_labels #total_program_size #total_program_size_invariant
  #good_program_witness #start #final #reachable_program_counter_witness
  #trace_ends_flag #the_trace #unrepeating_witness
  <(all_program_counter_list_bound_eq total_program_size)
  @sublist_length
  [1:
    @tal_unrepeating_uniqueb
    assumption
  |2:
    @sublist_tal_pc_list_all_program_counter_list
    assumption
  ]
qed.

let rec compute_paid_trace_any_label
  (code_memory: BitVectorTrie Byte 16) (cost_labels: BitVectorTrie costlabel 16)
    (trace_ends_flag: trace_ends_with_ret) (start_status: Status code_memory)
      (final_status: Status code_memory)
        (the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start_status final_status)
       on the_trace: nat ≝
  match the_trace with
  [ tal_base_not_return the_status _ _ _ _ ⇒ current_instruction_cost … the_status
  | tal_base_return the_status _ _ _ ⇒ current_instruction_cost … the_status
  | tal_base_call pre_fun_call start_fun_call final _ _ _ _ call_trace ⇒ current_instruction_cost … pre_fun_call
  | tal_step_call end_flag pre_fun_call start_fun_call after_fun_call final
     _ _ _ call_trace _ final_trace ⇒
      let current_instruction_cost ≝ current_instruction_cost … pre_fun_call in
      let final_trace_cost ≝ compute_paid_trace_any_label … cost_labels end_flag … final_trace in
        current_instruction_cost + final_trace_cost
  | tal_step_default end_flag status_pre status_init status_end _ tail_trace _ _ ⇒
      let current_instruction_cost ≝ current_instruction_cost … status_pre in
      let tail_trace_cost ≝
       compute_paid_trace_any_label … cost_labels end_flag
        status_init status_end tail_trace
      in
        current_instruction_cost + tail_trace_cost
  ].

definition compute_paid_trace_label_label ≝
  λcode_memory: BitVectorTrie Byte 16.
  λcost_labels: BitVectorTrie costlabel 16.
  λtrace_ends_flag: trace_ends_with_ret.
  λstart_status: Status code_memory.
  λfinal_status: Status code_memory.
  λthe_trace: trace_label_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
  match the_trace with
  [ tll_base ends_flag initial final given_trace labelled_proof ⇒
      compute_paid_trace_any_label … given_trace
  ].

include alias "arithmetics/nat.ma".
include alias "basics/logic.ma".

lemma plus_right_monotone:
  ∀m, n, o: nat.
    m = n → m + o = n + o.
  #m #n #o #refl >refl %
qed.

lemma plus_left_monotone:
  ∀m, n, o: nat.
    m = n → o + m = o + n.
  #m #n #o #refl destruct %
qed.

lemma minus_plus_cancel:
  ∀m, n : nat.
  ∀proof: n ≤ m.
    (m - n) + n = m.
  #m #n #proof /2 by plus_minus/
qed.

lemma reachable_program_counter_to_0_lt_total_program_size:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀program_counter: Word.
  ∀total_program_size: nat.
    reachable_program_counter code_memory total_program_size program_counter →
      0 < total_program_size.
  #code_memory #program_counter #total_program_size
  whd in match reachable_program_counter; normalize nodelta * * #some_n
  #_ cases (nat_of_bitvector 16 program_counter)
  [1:
    #assm assumption
  |2:
    #new_pc @ltn_to_ltO
  ]
qed.

lemma not_Some_neq_None_to_False:
  ∀a: Type[0].
  ∀e: a.
    ¬ (Some a e ≠ None a) → False.
  #a #e #absurd cases absurd -absurd
  #absurd @absurd @nmk -absurd
  #absurd destruct(absurd)
qed.

lemma trace_compute_paid_trace_cl_other:
  ∀code_memory' : (BitVectorTrie Byte 16).
  ∀program_counter' : Word.
  ∀total_program_size : ℕ.
  ∀cost_labels : (BitVectorTrie costlabel 16).
  ∀reachable_program_counter_witness : (reachable_program_counter code_memory' total_program_size program_counter').
  ∀good_program_witness : (good_program code_memory' total_program_size).
  ∀program_size' : ℕ.
  ∀ticks : ℕ.
  ∀instruction : instruction.
  ∀program_counter'' : Word.
  ∀FETCH : (〈instruction,program_counter'',ticks〉=fetch code_memory' program_counter').
  let program_counter''' ≝ program_counter_after_other program_counter'' instruction in
  ∀start_status : (Status code_memory').
  ∀final_status : (Status code_memory').
  ∀trace_ends_flag : trace_ends_with_ret.
  ∀the_trace : (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl : (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀size_invariant : trace_any_label_length' code_memory' cost_labels trace_ends_flag start_status final_status the_trace ≤S program_size'.
  ∀classify_assm: ASM_classify0 instruction = cl_other.
  ∀pi1 : ℕ.
   (if match lookup_opt costlabel 16 program_counter''' cost_labels with 
         [None ⇒ true
         |Some _ ⇒ false
         ] 
    then
      ∀start_status0:Status code_memory'.
      ∀final_status0:Status code_memory'.
      ∀trace_ends_flag0:trace_ends_with_ret.
      ∀the_trace0:trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag0 start_status0 final_status0.
        trace_any_label_length' code_memory' cost_labels trace_ends_flag0
          start_status0 final_status0 the_trace0 ≤ program_size' →
        program_counter''' = program_counter (BitVectorTrie Byte 16) code_memory' start_status0 →
                  pi1
                    =compute_paid_trace_any_label code_memory' cost_labels
                     trace_ends_flag0 start_status0 final_status0 the_trace0
    else (pi1=O) )
   → ticks+pi1
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace. 
  #code_memory' #program_counter' #total_program_size #cost_labels
  #reachable_program_counter_witness #good_program_witness
  #program_size' #ticks #instruction #program_counter'' #FETCH
  #start_status #final_status
  #trace_ends_flag #the_trace #program_counter_refl #size_invariant #classify_assm #recursive_block_cost
  #recursive_assm
  @(trace_any_label_inv_ind … the_trace)
    [5:
      #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
      #classifier_assm #costed_assm #trace_ends_refl #start_status_refl #final_status_refl
      #the_trace_refl
      destruct
      whd in match (trace_any_label_length … (tal_step_default …));
      whd in match (compute_paid_trace_any_label … (tal_step_default …));
      whd in costed_assm:(?%);
      generalize in match costed_assm;
      generalize in match (refl … (lookup_opt … (program_counter … (execute_1 … status_pre)) cost_labels));
      whd in match (as_label ??);
      generalize in match (lookup_opt … (program_counter … (execute_1 … status_pre)) cost_labels)
        in ⊢ (??%? → % → ?);
      #lookup_assm cases lookup_assm
      [1:
        #None_lookup_opt_assm normalize nodelta #_
        generalize in match recursive_assm;
        lapply (execute_1_and_program_counter_after_other_in_lockstep code_memory' ? classifier_assm)
        <FETCH normalize nodelta #rewrite_assm >rewrite_assm in None_lookup_opt_assm;
        #None_lookup_opt_assm <None_lookup_opt_assm
        normalize nodelta #new_recursive_assm
        cases(new_recursive_assm (execute_1 code_memory' status_pre) status_end
          end_flag trace_any_label ? ?) try %
        whd in match (current_instruction_cost … status_pre);
        cut(ticks = \snd (fetch code_memory'
           (program_counter (BitVectorTrie Byte 16) code_memory' status_pre)))
        [1,3,5:
          <FETCH %
        |2:
          #ticks_refl_assm
          >ticks_refl_assm %
        |4:
          #ticks_refl_assm
          change with (S ? ≤ S ?) in size_invariant;
          lapply (le_S_S_to_le … size_invariant) #assm
          assumption
        |6:
          #ticks_refl_assm
          <rewrite_assm %
        ]
      |2:
        #costlabel #Some_lookup_opt_assm <Some_lookup_opt_assm
        #absurd
        cases (not_Some_neq_None_to_False ?? absurd)
      ]
    |1:
      #status_start #status_final #execute_assm #classifier_assm #costed_assm
      #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
      destruct
      whd in match (trace_any_label_length … (tal_base_not_return …));
      whd in match (compute_paid_trace_any_label … (tal_base_not_return …));
      whd in costed_assm;
      generalize in match costed_assm;
      generalize in match (refl … (lookup_opt … (program_counter … (execute_1 … status_start)) cost_labels));
      whd in match (as_label ??);
      generalize in match (lookup_opt … (program_counter … (execute_1 code_memory' status_start)) cost_labels)
        in ⊢ (??%? → % → ?);
      #lookup_assm cases lookup_assm
      [1:
        #None_lookup_opt_assm
        #absurd @⊥ cases absurd -absurd #absurd @absurd %
      |2:
        #costlabel #Some_lookup_opt_assm normalize nodelta #ignore
        generalize in match recursive_assm;
        cases classifier_assm
        [1:
          whd in ⊢ (% → ?);
          whd in ⊢ (??%? → ?);
          whd in match (current_instruction code_memory' status_start);
          <FETCH generalize in match classify_assm;
          cases instruction
          [8:
            #preinstruction normalize nodelta
            whd in match ASM_classify0; normalize nodelta
            #contradiction >contradiction #absurd destruct(absurd)
          ]
          try(#addr1 #addr2 normalize nodelta #ignore #absurd destruct(absurd))
          try(#addr normalize nodelta #ignore #absurd destruct(absurd))
          normalize in ignore; destruct(ignore)
        |2:
          -classifier_assm #classifier_assm
          lapply (execute_1_and_program_counter_after_other_in_lockstep code_memory' ? classifier_assm)
          <FETCH normalize nodelta #rewrite_assm >rewrite_assm in Some_lookup_opt_assm;
          #Some_lookup_opt_assm <Some_lookup_opt_assm
          normalize nodelta #new_recursive_assm >new_recursive_assm
          cut(ticks = \snd (fetch code_memory'
             (program_counter (BitVectorTrie Byte 16) code_memory' status_start)))
          [1:
            <FETCH %
          |2:
            #ticks_refl_assm >ticks_refl_assm
            <plus_n_O %
          ]
        ]
      ]
    |2:
      #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_assm
      #start_status_refl #final_status_refl #the_trace_assm destruct @⊥
    |3:
      #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
      #classifier_assm #after_return_assm #trace_label_return #costed_assm
      #ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
      destruct @⊥
    |4:
      #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
      #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
      #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
      #final_status_refl #the_trace_refl destruct @⊥
    ]
  change with (ASM_classify0 ? = ?) in classifier_assm;
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm #absurd destruct(absurd)
qed.

lemma trace_compute_paid_trace_cl_jump:
  ∀code_memory': BitVectorTrie Byte 16.
  ∀program_counter': Word.
  ∀total_program_size: ℕ.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀reachable_program_counter_witness: reachable_program_counter code_memory' total_program_size program_counter'.
  ∀good_program_witness: good_program code_memory' total_program_size.
  ∀first_time_around: bool.
  ∀program_size': ℕ.
  ∀ticks: ℕ.
  ∀instruction: instruction.
  ∀program_counter'': Word.
  ∀FETCH: 〈instruction,program_counter'',ticks〉 = fetch code_memory' program_counter'.
  ∀start_status: (Status code_memory').
  ∀final_status: (Status code_memory').
  ∀trace_ends_flag: trace_ends_with_ret.
  ∀the_trace: (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl: (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀classify_assm: ASM_classify0 instruction = cl_jump.
    ticks
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace.
  #code_memory' #program_counter' #total_program_size #cost_labels
  #reachable_program_counter_witness #good_program_witness #first_time_around
  #program_size' #ticks #instruction #program_counter'' #FETCH
  #start_status #final_status
  #trace_ends_flag #the_trace #program_counter_refl #classify_assm
  @(trace_any_label_inv_ind … the_trace)
  [5:
    #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
    #classifier_assm #costed_assm #trace_ends_refl #start_status_refl #final_status_refl
    #the_trace_refl destruct @⊥
  |1:
    #status_start #status_final #execute_assm #classifier_assm #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct
    whd in match (trace_any_label_length … (tal_base_not_return …));
    whd in match (compute_paid_trace_any_label … (tal_base_not_return …));
    <FETCH %
  |2:
    #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_assm
    #start_status_refl #final_status_refl #the_trace_assm destruct @⊥
  |3:
    #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
    #classifier_assm #after_return_assm #trace_label_return #costed_assm
    #ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |4:
    #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
    #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
    #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl destruct @⊥
  ]
  change with (ASM_classify0 ? = ?) in classifier_assm;
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm #absurd destruct(absurd)
qed.

lemma trace_compute_paid_trace_cl_call:
  ∀code_memory' : (BitVectorTrie Byte 16).
  ∀program_counter' : Word.
  ∀total_program_size : ℕ.
  ∀cost_labels : (BitVectorTrie costlabel 16).
  ∀reachable_program_counter_witness : (reachable_program_counter code_memory' total_program_size program_counter').
  ∀good_program_witness : (good_program code_memory' total_program_size).
  ∀program_size' : ℕ.
  ∀ticks : ℕ.
  ∀instruction : instruction.
  ∀program_counter'' : Word.
  ∀FETCH : (〈instruction,program_counter'',ticks〉=fetch code_memory' program_counter').
  ∀start_status : (Status code_memory').
  ∀final_status : (Status code_memory').
  ∀trace_ends_flag : trace_ends_with_ret.
  ∀the_trace : (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl : (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀size_invariant : trace_any_label_length' code_memory' cost_labels trace_ends_flag start_status final_status the_trace ≤S program_size'.
  ∀classify_assm: ASM_classify0 instruction = cl_call.
  (∀pi1:ℕ
  .if match lookup_opt costlabel 16 program_counter'' cost_labels with 
      [None ⇒ true | Some _ ⇒ false] 
   then (∀start_status0:Status code_memory'
             .∀final_status0:Status code_memory'
              .∀trace_ends_flag0:trace_ends_with_ret
               .∀the_trace0:trace_any_label
                                        (ASM_abstract_status code_memory' cost_labels)
                                        trace_ends_flag0 start_status0 final_status0.
                trace_any_label_length' code_memory' cost_labels trace_ends_flag0
                  start_status0 final_status0 the_trace0
                   ≤ program_size' →
                program_counter''
                 =program_counter (BitVectorTrie Byte 16) code_memory' start_status0
                 → pi1
                   =compute_paid_trace_any_label code_memory' cost_labels
                    trace_ends_flag0 start_status0 final_status0 the_trace0) 
   else (pi1=O) 
   → ticks+pi1
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace).
  #code_memory' #program_counter' #total_program_size #cost_labels
  #reachable_program_counter_witness #good_program_witness #program_size'
  #ticks #instruction #program_counter'' #FETCH
  #start_status #final_status #trace_ends_flag
  #the_trace #program_counter_refl #size_invariant #classify_assm
  #recursive_block_cost #recursive_assm
  @(trace_any_label_inv_ind … the_trace)
  [5:
    #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
    #classifier_assm #costed_assm #trace_ends_refl #start_status_refl #final_status_refl
    #the_trace_refl destruct @⊥
  |1:
    #status_start #status_final #execute_assm #classifier_assm #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |2:
    #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_assm
    #start_status_refl #final_status_refl #the_trace_assm destruct @⊥
  |3:
    #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
    #classifier_assm #after_return_assm #trace_label_return #costed_assm
    #ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct
    whd in match (trace_any_label_length … (tal_base_call …));
    whd in match (compute_paid_trace_any_label … (tal_base_call …));
    whd in costed_assm;
    generalize in match costed_assm;
    generalize in match (refl … (lookup_opt … (program_counter … status_final) cost_labels));
    whd in match (as_label ??);
    generalize in match (lookup_opt … (program_counter … status_final) cost_labels)
      in ⊢ (??%? → % → ?);
    #lookup_assm cases lookup_assm
    [1:
      #None_lookup_opt normalize nodelta #absurd cases absurd
      -absurd #absurd @⊥ @absurd %
    |2:
      #costlabel #Some_lookup_opt normalize nodelta #ignore
      generalize in match recursive_assm;
      cut(program_counter'' = (program_counter (BitVectorTrie Byte 16) code_memory' status_final))
      [1:
        generalize in match after_return_assm;
        whd in ⊢ (% → ?); <FETCH normalize nodelta #relevant <relevant %
      |2:
        #program_counter_assm >program_counter_assm <Some_lookup_opt
        normalize nodelta #new_recursive_assm >new_recursive_assm
        cut(ticks = \snd (fetch code_memory' (program_counter (BitVectorTrie Byte 16) code_memory' status_pre_fun_call)))
        [1:
          <FETCH %
        |2:
          #ticks_refl_assm >ticks_refl_assm
          <plus_n_O %
        ]
      ]
    ]
  |4:
    #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
    #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
    #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl
    generalize in match execute_assm; destruct #execute_assm
    whd in match (trace_any_label_length … (tal_step_call …));
    whd in match (compute_paid_trace_any_label … (tal_step_call …));
    whd in costed_assm:(?%);
    generalize in match costed_assm;
    generalize in match (refl … (lookup_opt … (program_counter … status_after_fun_call) cost_labels));
    whd in match (as_label ??);
    generalize in match (lookup_opt … (program_counter … status_after_fun_call) cost_labels)
      in ⊢ (??%? → % → ?);
    #lookup_assm cases lookup_assm
    [1:
      #None_lookup_opt_assm normalize nodelta #ignore
      generalize in match recursive_assm;
      cut(program_counter'' = program_counter … status_after_fun_call)
      [1:
        generalize in match after_return_assm;
        whd in ⊢ (% → ?); <FETCH normalize nodelta #relevant >relevant %
      |2:
        #program_counter_refl >program_counter_refl <None_lookup_opt_assm
        normalize nodelta #new_recursive_assm
        cases (new_recursive_assm … trace_any_label ? ?)
        [1:
          @plus_right_monotone whd in ⊢ (???%); <FETCH %
        |2:
          @le_S_S_to_le @size_invariant
        |3:
          %
        ]
      ]
    |2:
      #cost_label #Some_lookup_opt_assm #absurd
      cases (not_Some_neq_None_to_False ?? absurd)
    ]
  ]
  try (change with (ASM_classify0 ? = ? ∨ ASM_classify0 ? = ?) in classifier_assm;)
  try (change with (ASM_classify0 ? = ?) in classifier_assm;)
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm #absurd destruct(absurd) cases absurd
  #absurd destruct(absurd)
qed.

lemma trace_compute_paid_trace_cl_return:
  ∀code_memory' : (BitVectorTrie Byte 16).
  ∀program_counter' : Word.
  ∀total_program_size : ℕ.
  ∀cost_labels : (BitVectorTrie costlabel 16).
  ∀reachable_program_counter_witness : (reachable_program_counter code_memory' total_program_size program_counter').
  ∀good_program_witness : (good_program code_memory' total_program_size).
  ∀program_size' : ℕ.
  ∀ticks : ℕ.
  ∀instruction : instruction.
  ∀program_counter'' : Word.
  ∀FETCH : (〈instruction,program_counter'',ticks〉=fetch code_memory' program_counter').
  ∀start_status : (Status code_memory').
  ∀final_status : (Status code_memory').
  ∀trace_ends_flag : trace_ends_with_ret.
  ∀the_trace : (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl : (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀classify_assm: ASM_classify0 instruction = cl_return.
    ticks
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace.
  #code_memory' #program_counter' #total_program_size #cost_labels
  #reachable_program_counter_witness #good_program_witness #program_size'
  #ticks #instruction #program_counter'' #FETCH
  #start_status #final_status #trace_ends_flag
  #the_trace #program_counter_refl #classify_assm
  @(trace_any_label_inv_ind … the_trace)
  [1:
    #start_status' #final_status' #execute_assm #classifier_assm #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |2:
    #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_flag_refl
    #start_status_refl #final_status_refl #the_trace_refl destruct
    whd in match (trace_any_label_length … (tal_base_return …));
    whd in match (compute_paid_trace_any_label … (tal_base_return …));
    <FETCH %
  |3:
    #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
    #classifier_assm #after_return_assm #trace_label_return #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |4:
    #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
    #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
    #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl
    destruct @⊥
  |5:
    #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
    #classifier_assm #costed_assm #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl destruct @⊥
  ]
  try (change with (ASM_classify0 ? = ? ∨ ASM_classify0 ? = ?) in classifier_assm;)
  try (change with (ASM_classify0 ? = ?) in classifier_assm;)
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm
  #absurd try (destruct(absurd))
  cases absurd
  #absurd destruct(absurd)
qed.

lemma trace_any_label_length_leq_0_to_False:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀trace_ends_flag: trace_ends_with_ret.
  ∀start_status: Status code_memory.
  ∀final_status: Status code_memory.
  ∀the_trace.
  trace_any_label_length' code_memory cost_labels trace_ends_flag start_status
    final_status the_trace ≤ 0 → False.
  #code_memory #cost_labels #trace_ends_flag #start_status #final_status
  #the_trace
  cases the_trace /2/
qed.
      
let rec block_cost'
  (code_memory': BitVectorTrie Byte 16) (program_counter': Word)
    (program_size: nat) (total_program_size: nat) (cost_labels: BitVectorTrie costlabel 16)
      (reachable_program_counter_witness: reachable_program_counter code_memory' total_program_size program_counter')
        (good_program_witness: good_program code_memory' total_program_size) (first_time_around: bool)
          on program_size:
          Σcost_of_block: nat.
          if (match lookup_opt … program_counter' cost_labels with [ None ⇒ true | _ ⇒ first_time_around ]) then
            ∀start_status: Status code_memory'.
            ∀final_status: Status code_memory'.
            ∀trace_ends_flag.
            ∀the_trace: trace_any_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
              trace_any_label_length' … the_trace ≤ program_size →
              program_counter' = program_counter … start_status →
                cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace
          else
            (cost_of_block = 0) ≝
  match program_size return λx. x = program_size → ? with
  [ O ⇒ λbase_case. 0 (* XXX: dummy to be inserted here *)
  | S program_size' ⇒ λstep_case.
    let 〈instruction, program_counter'', ticks〉 as FETCH ≝ fetch code_memory' program_counter' in
    let to_continue ≝
      match lookup_opt … program_counter' cost_labels with
      [ None ⇒ true
      | Some _ ⇒ first_time_around
      ]
    in
      ((if to_continue then
       pi1 … (match instruction return λx. x = instruction → ? with
        [ RealInstruction real_instruction ⇒ λreal_instruction_refl.
          match real_instruction return λx. x = real_instruction →
          Σcost_of_block: nat.
            ∀start_status: Status code_memory'.
            ∀final_status: Status code_memory'.
            ∀trace_ends_flag.
            ∀the_trace: trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status.
              trace_any_label_length' … the_trace ≤ S program_size' →
              program_counter' = program_counter … start_status →
                cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace with
          [ RET                    ⇒ λinstr. ticks
          | RETI                   ⇒ λinstr. ticks
          | JC   relative          ⇒ λinstr. ticks
          | JNC  relative          ⇒ λinstr. ticks
          | JB   bit_addr relative ⇒ λinstr. ticks
          | JNB  bit_addr relative ⇒ λinstr. ticks
          | JBC  bit_addr relative ⇒ λinstr. ticks
          | JZ   relative          ⇒ λinstr. ticks
          | JNZ  relative          ⇒ λinstr. ticks
          | CJNE src_trgt relative ⇒ λinstr. ticks
          | DJNZ src_trgt relative ⇒ λinstr. ticks
          | _                      ⇒ λinstr.
              ticks + block_cost' code_memory' program_counter'' program_size' total_program_size cost_labels ? good_program_witness false
          ] (refl …)
        | ACALL addr     ⇒ λinstr.
            ticks + block_cost' code_memory' program_counter'' program_size' total_program_size cost_labels ? good_program_witness false
        | AJMP  addr     ⇒ λinstr.
          let jump_target ≝ compute_target_of_unconditional_jump program_counter'' instruction in
            ticks + block_cost' code_memory' jump_target program_size' total_program_size cost_labels ? good_program_witness false
        | LCALL addr     ⇒ λinstr.
            ticks + block_cost' code_memory' program_counter'' program_size' total_program_size cost_labels ? good_program_witness false
        | LJMP  addr     ⇒ λinstr.
          let jump_target ≝ compute_target_of_unconditional_jump program_counter'' instruction in
            ticks + block_cost' code_memory' jump_target program_size' total_program_size cost_labels ? good_program_witness false
        | SJMP  addr     ⇒ λinstr.
          let jump_target ≝ compute_target_of_unconditional_jump program_counter'' instruction in
            ticks + block_cost' code_memory' jump_target program_size' total_program_size cost_labels ? good_program_witness false
        | JMP   addr     ⇒ λinstr. (* XXX: actually a call due to use with fptrs *)
            ticks + block_cost' code_memory' program_counter'' program_size' total_program_size cost_labels ? good_program_witness false
        | MOVC  src trgt ⇒ λinstr.
            ticks + block_cost' code_memory' program_counter'' program_size' total_program_size cost_labels ? good_program_witness false
        ] (refl …))
      else
        0)
      : Σcost_of_block: nat.
          match (match lookup_opt … program_counter' cost_labels with [ None ⇒ true | _ ⇒ first_time_around ]) with
          [ true ⇒
            ∀start_status: Status code_memory'.
            ∀final_status: Status code_memory'.
            ∀trace_ends_flag.
            ∀the_trace: trace_any_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
              trace_any_label_length' … the_trace ≤ S program_size' →
              program_counter' = program_counter … start_status →
                cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace
          | false ⇒
            (cost_of_block = 0)
          ])
  ] (refl …).
  [2:
    change with (if to_continue then ? else (? = 0))
    >p in ⊢ (match % return ? with [ _ ⇒ ? | _ ⇒ ? ]); normalize nodelta
    @pi2
  |1:
    destruct
    cases (lookup_opt ????) normalize nodelta
    [1:
      #start_status #final_status #trace_ends_flag #the_trace
      #absurd
      cases (trace_any_label_length_leq_0_to_False … absurd)
    |2:
      #cost cases first_time_around normalize nodelta try %
      #start_status #final_status #trace_ends_flag #the_trace #absurd
      cases (trace_any_label_length_leq_0_to_False … absurd)
    ]
  |3:
    change with (if to_continue then ? else (0 = 0))
    >p normalize nodelta %
  |6,7:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    @(trace_compute_paid_trace_cl_return … reachable_program_counter_witness good_program_witness program_size' … FETCH … the_trace program_counter_refl)
    destruct %
  |69,77,79:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    cases(block_cost' ????????) -block_cost'
    @(trace_compute_paid_trace_cl_call … reachable_program_counter_witness good_program_witness program_size' … FETCH … the_trace program_counter_refl size_invariant)
    destruct %
  |4,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,51,53,55,57,59,61,63,65,
    67:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    cases(block_cost' ????????) -block_cost'
    lapply (trace_compute_paid_trace_cl_other … reachable_program_counter_witness good_program_witness program_size' … FETCH … the_trace program_counter_refl size_invariant)      
    destruct #assm @assm %
  |42,43,44,45,46,47,48,49,50:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl 
    @(trace_compute_paid_trace_cl_jump … reachable_program_counter_witness good_program_witness … FETCH … the_trace program_counter_refl)
    destruct %
  |71,73,75: (* XXX: unconditional jumps *)
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    cases (block_cost' ????????) -block_cost'
    lapply (trace_compute_paid_trace_cl_other … reachable_program_counter_witness good_program_witness program_size' … FETCH … the_trace program_counter_refl size_invariant)
    whd in match (program_counter_after_other ??); normalize nodelta destruct
    whd in match (is_unconditional_jump ?); normalize nodelta #assm @assm %
  ]
  -block_cost'
  [29,30,31: (* XXX: unconditional jumps *)
    normalize nodelta
    cases reachable_program_counter_witness * #n #fetch_n_hyp #lt_hyp
    lapply (good_program_witness program_counter' reachable_program_counter_witness)
    <FETCH normalize nodelta <instr normalize nodelta #assm assumption
  |*:
    cases reachable_program_counter_witness * #n #fetch_n_hyp #lt_hyp
    lapply(good_program_witness program_counter' reachable_program_counter_witness)
    <FETCH normalize nodelta destruct normalize nodelta
    * #program_counter_lt' #program_counter_lt_tps'
    % try assumption
    %{(S n)} whd in ⊢ (???%); <fetch_n_hyp normalize nodelta
    <FETCH normalize nodelta whd in match ltb; normalize nodelta
    >(le_to_leb_true … program_counter_lt') %
  ]
qed.

definition block_cost:
    ∀code_memory': BitVectorTrie Byte 16.
    ∀program_counter': Word.
    ∀total_program_size: nat.
    ∀total_program_size_invariant: total_program_size ≤ 2^16.
    ∀cost_labels: BitVectorTrie costlabel 16.
    ∀reachable_program_counter_witness: reachable_program_counter code_memory' total_program_size program_counter'.
    ∀good_program_witness: good_program code_memory' total_program_size.
      Σcost_of_block: nat.
        ∀start_status: Status code_memory'.
        ∀final_status: Status code_memory'.
        ∀trace_ends_flag.
        ∀the_trace: trace_any_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
        ∀reachable_program_counter_witness: reachable_program_counter code_memory' total_program_size (program_counter (BitVectorTrie Byte 16) code_memory' start_status).
        ∀unrepeating_witness: tal_unrepeating (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status the_trace.
          program_counter' = program_counter … start_status →
            cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace ≝
  λcode_memory: BitVectorTrie Byte 16.
  λprogram_counter: Word.
  λtotal_program_size: nat.
  λtotal_program_size_invariant: total_program_size ≤ 2^16.
  λcost_labels: BitVectorTrie costlabel 16.
  λreachable_program_counter_witness: reachable_program_counter code_memory total_program_size program_counter.
  λgood_program_witness: good_program code_memory total_program_size. ?.
  cases(block_cost' code_memory program_counter total_program_size total_program_size cost_labels
    reachable_program_counter_witness good_program_witness true)
  #cost_of_block #block_cost_hyp
  %{cost_of_block}
  cases(lookup_opt … cost_labels) in block_cost_hyp;
  [2: #cost_label] normalize nodelta
  #hyp #start_status #final_status #trace_ends_flag #the_trace
  #reachable_program_counter_witness #unrepeating_witness
  @hyp @tal_pc_list_length_leq_total_program_size try assumption
qed.

(* XXX: to be moved into common/Identifiers.ma *)
lemma lookup_present_add_hit:
  ∀tag, A, map, k, v, k_pres.
    lookup_present tag A (add … map k v) k k_pres = v.
  #tag #a #map #k #v #k_pres
  lapply (lookup_lookup_present … (add … map k v) … k_pres)
  >lookup_add_hit #Some_assm destruct(Some_assm)
  <e0 %
qed.

lemma lookup_present_add_miss:
  ∀tag, A, map, k, k', v, k_pres', k_pres''.
    k' ≠ k →
      lookup_present tag A (add … map k v) k' k_pres' = lookup_present tag A map k' k_pres''.
  #tag #A #map #k #k' #v #k_pres' #k_pres'' #neq_assm
  lapply (lookup_lookup_present … (add … map k v) ? k_pres')
  >lookup_add_miss try assumption
  #Some_assm
  lapply (lookup_lookup_present … map k') >Some_assm #Some_assm'
  lapply (Some_assm' k_pres'') #Some_assm'' destruct assumption
qed.

(* XXX: to be moved into basics/types.ma *)
lemma not_None_to_Some:
  ∀A: Type[0].
  ∀o: option A.
    o ≠ None A → ∃v: A. o = Some A v.
  #A #o cases o
  [1:
    #absurd cases absurd #absurd' cases (absurd' (refl …))
  |2:
    #v' #ignore /2/
  ]
qed.

lemma present_add_present:
  ∀tag, a, map, k, k', v.
    k' ≠ k →
      present tag a (add tag a map k v) k' → 
        present tag a map k'.
  #tag #a #map #k #k' #v #neq_hyp #present_hyp
  whd in match present; normalize nodelta
  whd in match present in present_hyp; normalize nodelta in present_hyp;
  cases (not_None_to_Some a … present_hyp) #v' #Some_eq_hyp
  lapply (lookup_add_cases tag ?????? Some_eq_hyp) *
  [1:
    * #k_eq_hyp @⊥ /2/
  |2:
    #Some_eq_hyp' /2/
  ]
qed.

lemma present_add_hit:
  ∀tag, a, map, k, v.
    present tag a (add tag a map k v) k.
  #tag #a #map #k #v
  whd >lookup_add_hit
  % #absurd destruct
qed.

lemma present_add_miss:
  ∀tag, a, map, k, k', v.
    k' ≠ k → present tag a map k' → present tag a (add tag a map k v) k'.
  #tag #a #map #k #k' #v #neq_assm #present_assm
  whd >lookup_add_miss assumption
qed.

lemma lt_to_le_to_le:
  ∀n, m, p: nat.
    n < m → m ≤ p → n ≤ p.
  #n #m #p #H #H1
  elim H
  [1:
    @(transitive_le n m p) /2/
  |2:
    /2/
  ]
qed.

lemma eqb_decidable:
  ∀l, r: nat.
    (eqb l r = true) ∨ (eqb l r = false).
  #l #r //
qed.

lemma r_Sr_and_l_r_to_Sl_r:
  ∀r, l: nat.
    (∃r': nat. r = S r' ∧ l = r') → S l = r.
  #r #l #exists_hyp
  cases exists_hyp #r'
  #and_hyp cases and_hyp
  #left_hyp #right_hyp
  destruct %
qed.

lemma eqb_Sn_to_exists_n':
  ∀m, n: nat.
    eqb (S m) n = true → ∃n': nat. n = S n'.
  #m #n
  cases n
  [1:
    normalize #absurd
    destruct(absurd)
  |2:
    #n' #_ %{n'} %
  ]
qed.

lemma eqb_true_to_eqb_S_S_true:
  ∀m, n: nat.
    eqb m n = true → eqb (S m) (S n) = true.
  #m #n normalize #assm assumption
qed.

lemma eqb_S_S_true_to_eqb_true:
  ∀m, n: nat.
    eqb (S m) (S n) = true → eqb m n = true.
  #m #n normalize #assm assumption
qed.

lemma eqb_true_to_refl:
  ∀l, r: nat.
    eqb l r = true → l = r.
  #l
  elim l
  [1:
    #r cases r
    [1:
      #_ %
    |2:
      #l' normalize
      #absurd destruct(absurd)
    ]
  |2:
    #l' #inductive_hypothesis #r
    #eqb_refl @r_Sr_and_l_r_to_Sl_r
    %{(pred r)} @conj
    [1:
      cases (eqb_Sn_to_exists_n' … eqb_refl)
      #r' #S_assm >S_assm %
    |2:
      cases (eqb_Sn_to_exists_n' … eqb_refl)
      #r' #refl_assm destruct normalize
      @inductive_hypothesis
      normalize in eqb_refl; assumption
    ]
  ]
qed.

lemma r_O_or_exists_r_r_Sr_and_l_neq_r_to_Sl_neq_r:
  ∀r, l: nat.
    r = O ∨ (∃r': nat. r = S r' ∧ l ≠ r') → S l ≠ r.
  #r #l #disj_hyp
  cases disj_hyp
  [1:
    #r_O_refl destruct @nmk
    #absurd destruct(absurd)
  |2:
    #exists_hyp cases exists_hyp #r'
    #conj_hyp cases conj_hyp #left_conj #right_conj
    destruct @nmk #S_S_refl_hyp
    elim right_conj #hyp @hyp //
  ]
qed.

lemma neq_l_r_to_neq_Sl_Sr:
  ∀l, r: nat.
    l ≠ r → S l ≠ S r.
  #l #r #l_neq_r_assm
  @nmk #Sl_Sr_assm cases l_neq_r_assm
  #assm @assm //
qed.

lemma eqb_false_to_not_refl:
  ∀l, r: nat.
    eqb l r = false → l ≠ r.
  #l
  elim l
  [1:
    #r cases r
    [1:
      normalize #absurd destruct(absurd)
    |2:
      #r' #_ @nmk
      #absurd destruct(absurd)
    ]
  |2:
    #l' #inductive_hypothesis #r
    cases r
    [1:
      #eqb_false_assm
      @r_O_or_exists_r_r_Sr_and_l_neq_r_to_Sl_neq_r
      @or_introl %
    |2:
      #r' #eqb_false_assm
      @neq_l_r_to_neq_Sl_Sr
      @inductive_hypothesis
      assumption
    ]
  ]
qed.

lemma le_to_lt_or_eq:
  ∀m, n: nat.
    m ≤ n → m = n ∨ m < n.
  #m #n #le_hyp
  cases le_hyp
  [1:
    @or_introl %
  |2:
    #m' #le_hyp'
    @or_intror
    normalize
    @le_S_S assumption
  ]
qed.

lemma le_neq_to_lt:
  ∀m, n: nat.
    m ≤ n → m ≠ n → m < n.
  #m #n #le_hyp #neq_hyp
  cases neq_hyp
  #eq_absurd_hyp
  generalize in match (le_to_lt_or_eq m n le_hyp);
  #disj_assm cases disj_assm
  [1:
    #absurd cases (eq_absurd_hyp absurd)
  |2:
    #assm assumption
  ]
qed.

inverter nat_jmdiscr for nat.

lemma plus_lt_to_lt:
  ∀m, n, o: nat.
    m + n < o → m < o.
  #m #n #o
  elim n
  [1:
    <(plus_n_O m) in ⊢ (% → ?);
    #assumption assumption
  |2:
    #n' #inductive_hypothesis
    <(plus_n_Sm m n') in ⊢ (% → ?);
    #assm @inductive_hypothesis
    normalize in assm; normalize
    /2 by lt_S_to_lt/
  ]
qed.

include "arithmetics/div_and_mod.ma".

lemma n_plus_1_n_to_False:
  ∀n: nat.
    n + 1 = n → False.
  #n elim n
  [1:
    normalize #absurd destruct(absurd)
  |2:
    #n' #inductive_hypothesis normalize
    #absurd @inductive_hypothesis /2/
  ]
qed.

lemma one_two_times_n_to_False:
  ∀n: nat.
    1=2*n→False.
  #n cases n
  [1:
    normalize #absurd destruct(absurd)
  |2:
    #n' normalize #absurd
    lapply (injective_S … absurd) -absurd #absurd
    /2/
  ]
qed.

let rec odd_p
  (n: nat)
    on n ≝
  match n with
  [ O ⇒ False
  | S n' ⇒ even_p n'
  ]
and even_p
  (n: nat)
    on n ≝
  match n with
  [ O ⇒ True
  | S n' ⇒ odd_p n'
  ].

let rec n_even_p_to_n_plus_2_even_p
  (n: nat)
    on n: even_p n → even_p (n + 2) ≝
  match n with
  [ O ⇒ ?
  | S n' ⇒ ?
  ]
and n_odd_p_to_n_plus_2_odd_p
  (n: nat)
    on n: odd_p n → odd_p (n + 2) ≝
  match n with
  [ O ⇒ ?
  | S n' ⇒ ?
  ].
  [1,3:
    normalize #assm assumption
  |2:
    normalize @n_odd_p_to_n_plus_2_odd_p
  |4:
    normalize @n_even_p_to_n_plus_2_even_p
  ]
qed.

let rec two_times_n_even_p
  (n: nat)
    on n: even_p (2 * n) ≝
  match n with
  [ O ⇒ ?
  | S n' ⇒ ?
  ]
and two_times_n_plus_one_odd_p
  (n: nat)
    on n: odd_p ((2 * n) + 1) ≝
  match n with
  [ O ⇒ ?
  | S n' ⇒ ?
  ].
  [1,3:
    normalize @I
  |2:
    normalize
    >plus_n_Sm
    <(associative_plus n' n' 1)
    >(plus_n_O (n' + n'))
    cut(n' + n' + 0 + 1 = 2 * n' + 1)
    [1:
      //
    |2:
      #refl_assm >refl_assm
      @two_times_n_plus_one_odd_p      
    ]
  |4:
    normalize
    >plus_n_Sm
    cut(n' + (n' + 1) + 1 = (2 * n') + 2)
    [1:
      normalize /2/
    |2:
      #refl_assm >refl_assm
      @n_even_p_to_n_plus_2_even_p
      @two_times_n_even_p
    ]
  ]
qed.

let rec even_p_to_not_odd_p
  (n: nat)
    on n: even_p n → ¬ odd_p n ≝
  match n with
  [ O ⇒ ?
  | S n' ⇒ ?
  ]
and odd_p_to_not_even_p
  (n: nat)
    on n: odd_p n → ¬ even_p n ≝
  match n with
  [ O ⇒ ?
  | S n' ⇒ ?
  ].
  [1:
    normalize #_
    @nmk #assm assumption
  |3:
    normalize #absurd
    cases absurd
  |2:
    normalize
    @odd_p_to_not_even_p
  |4:
    normalize
    @even_p_to_not_odd_p
  ]
qed.

lemma even_p_odd_p_cases:
  ∀n: nat.
    even_p n ∨ odd_p n.
  #n elim n
  [1:
    normalize @or_introl @I
  |2:
    #n' #inductive_hypothesis
    normalize
    cases inductive_hypothesis
    #assm
    try (@or_introl assumption)
    try (@or_intror assumption)
  ]
qed.

lemma two_times_n_plus_one_refl_two_times_n_to_False:
  ∀m, n: nat.
    2 * m + 1 = 2 * n → False.
  #m #n
  #assm
  cut (even_p (2 * n) ∧ even_p ((2 * m) + 1))
  [1:
    >assm
    @conj
    @two_times_n_even_p
  |2:
    * #_ #absurd
    cases (even_p_to_not_odd_p … absurd)
    #assm @assm
    @two_times_n_plus_one_odd_p
  ]
qed.

lemma nat_of_bitvector_aux_injective:
  ∀n: nat.
  ∀l, r: BitVector n.
  ∀acc_l, acc_r: nat.
    nat_of_bitvector_aux n acc_l l = nat_of_bitvector_aux n acc_r r →
      acc_l = acc_r ∧ l ≃ r.
  #n #l
  elim l #r
  [1:
    #acc_l #acc_r normalize
    >(BitVector_O r) normalize /2/
  |2:
    #hd #tl #inductive_hypothesis #r #acc_l #acc_r
    normalize normalize in inductive_hypothesis;
    cases (BitVector_Sn … r)
    #r_hd * #r_tl #r_refl destruct normalize
    cases hd cases r_hd normalize
    [1:
      #relevant
      cases (inductive_hypothesis … relevant)
      #acc_assm #tl_assm destruct % //
      lapply (injective_plus_l ? ? ? acc_assm)
      -acc_assm #acc_assm
      change with (2 * acc_l = 2 * acc_r) in acc_assm;
      lapply (injective_times_r ? ? ? ? acc_assm) /2/
    |4:
      #relevant
      cases (inductive_hypothesis … relevant)
      #acc_assm #tl_assm destruct % //
      change with (2 * acc_l = 2 * acc_r) in acc_assm;
      lapply(injective_times_r ? ? ? ? acc_assm) /2/
    |2:
      #relevant  
      change with ((nat_of_bitvector_aux r (2 * acc_l + 1) tl) =
        (nat_of_bitvector_aux r (2 * acc_r) r_tl)) in relevant;
      cases (eqb_decidable … (2 * acc_l + 1) (2 * acc_r))
      [1:
        #eqb_true_assm
        lapply (eqb_true_to_refl … eqb_true_assm)
        #refl_assm
        cases (two_times_n_plus_one_refl_two_times_n_to_False … refl_assm)
      |2:
        #eqb_false_assm
        lapply (eqb_false_to_not_refl … eqb_false_assm)
        #not_refl_assm cases not_refl_assm #absurd_assm
        cases (inductive_hypothesis … relevant) #absurd
        cases (absurd_assm absurd)
      ]
    |3:
      #relevant  
      change with ((nat_of_bitvector_aux r (2 * acc_l) tl) =
        (nat_of_bitvector_aux r (2 * acc_r + 1) r_tl)) in relevant;
      cases (eqb_decidable … (2 * acc_l) (2 * acc_r + 1))
      [1:
        #eqb_true_assm
        lapply (eqb_true_to_refl … eqb_true_assm)
        #refl_assm
        lapply (sym_eq ? (2 * acc_l) (2 * acc_r + 1) refl_assm)
        -refl_assm #refl_assm
        cases (two_times_n_plus_one_refl_two_times_n_to_False … refl_assm)
      |2:
        #eqb_false_assm
        lapply (eqb_false_to_not_refl … eqb_false_assm)
        #not_refl_assm cases not_refl_assm #absurd_assm
        cases (inductive_hypothesis … relevant) #absurd
        cases (absurd_assm absurd)
      ]
    ]
  ]
qed.

lemma nat_of_bitvector_destruct:
  ∀n: nat.
  ∀l_hd, r_hd: bool.
  ∀l_tl, r_tl: BitVector n.
    nat_of_bitvector (S n) (l_hd:::l_tl) = nat_of_bitvector (S n) (r_hd:::r_tl) →
      l_hd = r_hd ∧ nat_of_bitvector n l_tl = nat_of_bitvector n r_tl.
  #n #l_hd #r_hd #l_tl #r_tl
  normalize
  cases l_hd cases r_hd
  normalize
  [4:
    /2/
  |1:
    #relevant
    cases (nat_of_bitvector_aux_injective … relevant)
    #_ #l_r_tl_refl destruct /2/
  |2,3:
    #relevant
    cases (nat_of_bitvector_aux_injective … relevant)
    #absurd destruct(absurd)
  ]
qed.

lemma BitVector_cons_injective:
  ∀n: nat.
  ∀l_hd, r_hd: bool.
  ∀l_tl, r_tl: BitVector n.
    l_hd = r_hd → l_tl = r_tl → l_hd:::l_tl = r_hd:::r_tl.
  #l #l_hd #r_hd #l_tl #r_tl
  #l_refl #r_refl destruct %
qed.

lemma refl_nat_of_bitvector_to_refl:
  ∀n: nat.
  ∀l, r: BitVector n.
    nat_of_bitvector n l = nat_of_bitvector n r → l = r.
  #n
  elim n
  [1:
    #l #r
    >(BitVector_O l)
    >(BitVector_O r)
    #_ %
  |2:
    #n' #inductive_hypothesis #l #r
    lapply (BitVector_Sn ? l) #l_hypothesis
    lapply (BitVector_Sn ? r) #r_hypothesis
    cases l_hypothesis #l_hd #l_tail_hypothesis
    cases r_hypothesis #r_hd #r_tail_hypothesis
    cases l_tail_hypothesis #l_tl #l_hd_tl_refl
    cases r_tail_hypothesis #r_tl #r_hd_tl_refl
    destruct #cons_refl
    cases (nat_of_bitvector_destruct n' l_hd r_hd l_tl r_tl cons_refl)
    #hd_refl #tl_refl
    @BitVector_cons_injective try assumption
    @inductive_hypothesis assumption
  ]
qed.