source: src/ASM/ASMCosts.ma @ 2475

include "ASM/ASM.ma".
include "ASM/Arithmetic.ma".
include "ASM/Fetch.ma".
include "ASM/Interpret.ma".
include "common/StructuredTraces.ma".

definition ASM_abstract_status: ∀code_memory. BitVectorTrie costlabel 16 → abstract_status ≝
  λcode_memory.
  λcost_labels.
    mk_abstract_status
      (Status code_memory)
      (λs,s'. (execute_1 … s) = s')
      word_deqset
      (program_counter …)
      (λs. ASM_classify … s)
      (λpc.lookup_opt ?? pc cost_labels)
      (next_instruction_properly_relates_program_counters code_memory)
      ?
      ?.
  cases daemon (* XXX: is final predicate, call ident function *)
qed.

definition trace_any_label_length ≝
  λcode_memory: BitVectorTrie Byte 16.
  λcost_labels: BitVectorTrie costlabel 16.
  λtrace_ends_flag: trace_ends_with_ret.
  λstart_status: Status code_memory.
  λfinal_status: Status code_memory.
  λthe_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start_status final_status.
    as_trace_any_label_length' … the_trace.

let rec all_program_counter_list
  (n: nat)
    on n ≝
  match n with
  [ O ⇒ [ ]
  | S n' ⇒ (bitvector_of_nat 16 n')::(all_program_counter_list n')
  ].

lemma all_program_counter_list_bound_eq:
  ∀bound: nat.
    |all_program_counter_list bound| = bound.
  #bound elim bound try %
  #bound' #inductive_hypothesis normalize
  >inductive_hypothesis %
qed.

lemma mem_all_program_counter_list_lt_bound:
  ∀bound: nat.
  ∀bound_proof: bound ≤ 2^16.
  ∀e: Word.
    memb word_deqset e (all_program_counter_list bound) = true →
      nat_of_bitvector … e < bound.
  #bound elim bound
  [1:
    #bound_proof #e
    normalize #absurd destruct(absurd)
  |2:
    #bound' #inductive_hypothesis
    #bound_proof #e
    change with (if eq_bv ??? then ? else ? = ? → ?)
    @eq_bv_elim
    [1:
      #eq_assm
      normalize nodelta destruct #_
      >nat_of_bitvector_bitvector_of_nat_inverse try assumption
      normalize %
    |2:
      #neq_assm normalize nodelta
      #memb_assm %2 @inductive_hypothesis
      try assumption
      @(transitive_le bound' (S bound'))
      try assumption %2 %
    ]
  ]
qed.

lemma lt_bound_mem_all_program_counter_list:
  ∀bound: nat.
  ∀bound_proof: bound ≤ 2^16.
  ∀e: Word.
    nat_of_bitvector … e < bound →
      memb word_deqset e (all_program_counter_list bound) = true.
  #bound elim bound
  [1:
    #bound_proof #e normalize
    #absurd cases (lt_to_not_zero … absurd)
  |2:
    #bound' #inductive_hypothesis
    #bound_proof #e
    change with (? → if eq_bv ??? then ? else ? = ?)
    #assm
    cases (le_to_or_lt_eq … (nat_of_bitvector 16 e) bound' ?)
    [1:
      #e_lt_assm
      @eq_bv_elim
      [1:
        #eq_assm normalize nodelta %
      |2:
        #neq_assm normalize nodelta
        @inductive_hypothesis try assumption
        @(transitive_le bound' (S bound')) try assumption
        %2 %
      ]
    |2:
      #relevant >eq_eq_bv normalize nodelta try %
      destruct >bitvector_of_nat_inverse_nat_of_bitvector %
    |3:
      normalize in assm;
      @le_S_S_to_le assumption
    ]
  ]
qed.

include alias "arithmetics/nat.ma".

lemma execute_1_and_program_counter_after_other_in_lockstep:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀start_status: Status code_memory.
    ASM_classify code_memory start_status = cl_other →
      let 〈instruction, pc, ticks〉 ≝ fetch code_memory (program_counter … start_status) in
        program_counter ? ? (execute_1 … start_status) =
          program_counter_after_other pc instruction.
  #code_memory #start_status #classify_assm
  whd in match execute_1; normalize nodelta
  cases (execute_1' code_memory start_status) #the_status 
  * #_ whd in classify_assm:(??%?); whd in match (current_instruction ??) in classify_assm;
  cases (fetch ? ?) in classify_assm; * #instruction #pc #ticks
  #classify_assm #classify_assm' @classify_assm' assumption
qed.

lemma nat_of_bitvector_lt_bound:
  ∀n: nat.
  ∀b: BitVector n.
    nat_of_bitvector n b < 2^n.
  #n #b cases daemon
qed.

lemma sublist_tal_pc_list_all_program_counter_list:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀start, final: Status code_memory.
  ∀trace_ends_flag.
  ∀the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final.
    sublist ? (tal_pc_list … the_trace) (all_program_counter_list (2^16)).
  #code_memory #cost_labels #start #final #trace_ends_flag #the_trace
  whd in match (sublist ???); #pc #memb_assm
  @lt_bound_mem_all_program_counter_list try %
  @nat_of_bitvector_lt_bound
qed.

corollary tal_pc_list_length_leq_total_program_size:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀start, final: Status code_memory.
  ∀trace_ends_flag.
  ∀the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final.
  ∀unrepeating_witness: tal_unrepeating (ASM_abstract_status code_memory cost_labels) trace_ends_flag start final the_trace.
    |tal_pc_list … the_trace| ≤ 2^16.
  #code_memory #cost_labels #start #final #trace_ends_flag #the_trace #unrepeating_witness
  <(all_program_counter_list_bound_eq (2^16))
  @sublist_length
  [1:
    @tal_unrepeating_uniqueb
    assumption
  |2:
    @sublist_tal_pc_list_all_program_counter_list
    assumption
  ]
qed.

let rec compute_paid_trace_any_label
  (code_memory: BitVectorTrie Byte 16) (cost_labels: BitVectorTrie costlabel 16)
    (trace_ends_flag: trace_ends_with_ret) (start_status: Status code_memory)
      (final_status: Status code_memory)
        (the_trace: trace_any_label (ASM_abstract_status code_memory cost_labels) trace_ends_flag start_status final_status)
       on the_trace: nat ≝
  match the_trace with
  [ tal_base_not_return the_status _ _ _ _ ⇒ current_instruction_cost … the_status
  | tal_base_return the_status _ _ _ ⇒ current_instruction_cost … the_status
  | tal_base_call pre_fun_call start_fun_call final _ _ _ _ call_trace ⇒ current_instruction_cost … pre_fun_call
  | tal_step_call end_flag pre_fun_call start_fun_call after_fun_call final
     _ _ _ call_trace _ final_trace ⇒
      let current_instruction_cost ≝ current_instruction_cost … pre_fun_call in
      let final_trace_cost ≝ compute_paid_trace_any_label … cost_labels end_flag … final_trace in
        current_instruction_cost + final_trace_cost
  | tal_step_default end_flag status_pre status_init status_end _ tail_trace _ _ ⇒
      let current_instruction_cost ≝ current_instruction_cost … status_pre in
      let tail_trace_cost ≝
       compute_paid_trace_any_label … cost_labels end_flag
        status_init status_end tail_trace
      in
        current_instruction_cost + tail_trace_cost
  ].

definition compute_paid_trace_label_label ≝
  λcode_memory: BitVectorTrie Byte 16.
  λcost_labels: BitVectorTrie costlabel 16.
  λtrace_ends_flag: trace_ends_with_ret.
  λstart_status: Status code_memory.
  λfinal_status: Status code_memory.
  λthe_trace: trace_label_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
  match the_trace with
  [ tll_base ends_flag initial final given_trace labelled_proof ⇒
      compute_paid_trace_any_label … given_trace
  ].

lemma trace_compute_paid_trace_cl_other:
  ∀code_memory' : (BitVectorTrie Byte 16).
  ∀program_counter' : Word.
  ∀cost_labels : (BitVectorTrie costlabel 16).
  ∀program_size' : ℕ.
  ∀ticks : ℕ.
  ∀instruction : instruction.
  ∀program_counter'' : Word.
  ∀FETCH : (〈instruction,program_counter'',ticks〉=fetch code_memory' program_counter').
  let program_counter''' ≝ program_counter_after_other program_counter'' instruction in
  ∀start_status : (Status code_memory').
  ∀final_status : (Status code_memory').
  ∀trace_ends_flag : trace_ends_with_ret.
  ∀the_trace : (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl : (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀size_invariant : trace_any_label_length code_memory' cost_labels trace_ends_flag start_status final_status the_trace ≤S program_size'.
  ∀classify_assm: ASM_classify0 instruction = cl_other.
  ∀pi1 : ℕ.
   (if match lookup_opt costlabel 16 program_counter''' cost_labels with 
         [None ⇒ true
         |Some _ ⇒ false
         ] 
    then
      ∀start_status0:Status code_memory'.
      ∀final_status0:Status code_memory'.
      ∀trace_ends_flag0:trace_ends_with_ret.
      ∀the_trace0:trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag0 start_status0 final_status0.
        trace_any_label_length code_memory' cost_labels trace_ends_flag0
          start_status0 final_status0 the_trace0 ≤ program_size' →
        program_counter''' = program_counter (BitVectorTrie Byte 16) code_memory' start_status0 →
                  pi1
                    =compute_paid_trace_any_label code_memory' cost_labels
                     trace_ends_flag0 start_status0 final_status0 the_trace0
    else (pi1=O) )
   → ticks+pi1
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace. 
  #code_memory' #program_counter' #cost_labels #program_size' #ticks #instruction
  #program_counter'' #FETCH #start_status #final_status #trace_ends_flag #the_trace
  #program_counter_refl #size_invariant #classify_assm #recursive_block_cost
  #recursive_assm
  @(trace_any_label_inv_ind … the_trace)
    [5:
      #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
      #classifier_assm #costed_assm #trace_ends_refl #start_status_refl #final_status_refl
      #the_trace_refl
      destruct
      whd in match (trace_any_label_length … (tal_step_default …));
      whd in match (compute_paid_trace_any_label … (tal_step_default …));
      whd in costed_assm:(?%);
      generalize in match costed_assm;
      generalize in match (refl … (lookup_opt … (program_counter … (execute_1 … status_pre)) cost_labels));
      whd in match (as_label ??);
      generalize in match (lookup_opt … (program_counter … (execute_1 … status_pre)) cost_labels)
        in ⊢ (??%? → % → ?);
      #lookup_assm cases lookup_assm
      [1:
        #None_lookup_opt_assm normalize nodelta #_
        generalize in match recursive_assm;
        lapply (execute_1_and_program_counter_after_other_in_lockstep code_memory' ? classifier_assm)
        <FETCH normalize nodelta #rewrite_assm >rewrite_assm in None_lookup_opt_assm;
        #None_lookup_opt_assm <None_lookup_opt_assm
        normalize nodelta #new_recursive_assm
        cases(new_recursive_assm (execute_1 code_memory' status_pre) status_end
          end_flag trace_any_label ? ?) try (>rewrite_assm %)
        whd in match (current_instruction_cost … status_pre);
        cut(ticks = \snd (fetch code_memory'
           (program_counter (BitVectorTrie Byte 16) code_memory' status_pre)))
        [1,3:
          <FETCH %
        |2:
          #ticks_refl_assm
          >ticks_refl_assm %
        |4:
          #ticks_refl_assm
          change with (S ? ≤ S ?) in size_invariant;
          lapply (le_S_S_to_le … size_invariant) #assm
          assumption
        ]
      |2:
        #costlabel #Some_lookup_opt_assm <Some_lookup_opt_assm
        #absurd
        cases (not_Some_neq_None_to_False ?? absurd)
      ]
    |1:
      #status_start #status_final #execute_assm #classifier_assm #costed_assm
      #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
      destruct
      whd in match (trace_any_label_length … (tal_base_not_return …));
      whd in match (compute_paid_trace_any_label … (tal_base_not_return …));
      whd in costed_assm;
      generalize in match costed_assm;
      generalize in match (refl … (lookup_opt … (program_counter … (execute_1 … status_start)) cost_labels));
      whd in match (as_label ??);
      generalize in match (lookup_opt … (program_counter … (execute_1 code_memory' status_start)) cost_labels)
        in ⊢ (??%? → % → ?);
      #lookup_assm cases lookup_assm
      [1:
        #None_lookup_opt_assm
        #absurd @⊥ cases absurd -absurd #absurd @absurd %
      |2:
        #costlabel #Some_lookup_opt_assm normalize nodelta #ignore
        generalize in match recursive_assm;
        cases classifier_assm
        [1:
          whd in ⊢ (% → ?);
          whd in ⊢ (??%? → ?);
          whd in match (current_instruction code_memory' status_start);
          <FETCH generalize in match classify_assm;
          cases instruction
          [8:
            #preinstruction normalize nodelta
            whd in match ASM_classify0; normalize nodelta
            #contradiction >contradiction #absurd destruct(absurd)
          ]
          try(#addr1 #addr2 normalize nodelta #ignore #absurd destruct(absurd))
          try(#addr normalize nodelta #ignore #absurd destruct(absurd))
          normalize in ignore; destruct(ignore)
        |2:
          -classifier_assm #classifier_assm
          lapply (execute_1_and_program_counter_after_other_in_lockstep code_memory' ? classifier_assm)
          <FETCH normalize nodelta #rewrite_assm >rewrite_assm in Some_lookup_opt_assm;
          #Some_lookup_opt_assm <Some_lookup_opt_assm
          normalize nodelta #new_recursive_assm >new_recursive_assm
          cut(ticks = \snd (fetch code_memory'
             (program_counter (BitVectorTrie Byte 16) code_memory' status_start)))
          [1:
            <FETCH %
          |2:
            #ticks_refl_assm >ticks_refl_assm
            <plus_n_O %
          ]
        ]
      ]
    |2:
      #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_assm
      #start_status_refl #final_status_refl #the_trace_assm destruct @⊥
    |3:
      #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
      #classifier_assm #after_return_assm #trace_label_return #costed_assm
      #ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
      destruct @⊥
    |4:
      #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
      #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
      #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
      #final_status_refl #the_trace_refl destruct @⊥
    ]
  change with (ASM_classify0 ? = ?) in classifier_assm;
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm #absurd destruct(absurd)
qed.

lemma trace_compute_paid_trace_cl_jump:
  ∀code_memory': BitVectorTrie Byte 16.
  ∀program_counter': Word.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀first_time_around: bool.
  ∀program_size': ℕ.
  ∀ticks: ℕ.
  ∀instruction: instruction.
  ∀program_counter'': Word.
  ∀FETCH: 〈instruction,program_counter'',ticks〉 = fetch code_memory' program_counter'.
  ∀start_status: (Status code_memory').
  ∀final_status: (Status code_memory').
  ∀trace_ends_flag: trace_ends_with_ret.
  ∀the_trace: (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl: (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀classify_assm: ASM_classify0 instruction = cl_jump.
    ticks
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace.
  #code_memory' #program_counter' #cost_labels #first_time_around
  #program_size' #ticks #instruction #program_counter'' #FETCH
  #start_status #final_status
  #trace_ends_flag #the_trace #program_counter_refl #classify_assm
  @(trace_any_label_inv_ind … the_trace)
  [5:
    #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
    #classifier_assm #costed_assm #trace_ends_refl #start_status_refl #final_status_refl
    #the_trace_refl destruct @⊥
  |1:
    #status_start #status_final #execute_assm #classifier_assm #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct
    whd in match (trace_any_label_length … (tal_base_not_return …));
    whd in match (compute_paid_trace_any_label … (tal_base_not_return …));
    <FETCH %
  |2:
    #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_assm
    #start_status_refl #final_status_refl #the_trace_assm destruct @⊥
  |3:
    #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
    #classifier_assm #after_return_assm #trace_label_return #costed_assm
    #ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |4:
    #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
    #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
    #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl destruct @⊥
  ]
  change with (ASM_classify0 ? = ?) in classifier_assm;
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm #absurd destruct(absurd)
qed.

lemma trace_compute_paid_trace_cl_call:
  ∀code_memory' : (BitVectorTrie Byte 16).
  ∀program_counter' : Word.
  ∀cost_labels : (BitVectorTrie costlabel 16).
  ∀program_size' : ℕ.
  ∀ticks : ℕ.
  ∀instruction : instruction.
  ∀program_counter'' : Word.
  ∀FETCH : (〈instruction,program_counter'',ticks〉=fetch code_memory' program_counter').
  ∀start_status : (Status code_memory').
  ∀final_status : (Status code_memory').
  ∀trace_ends_flag : trace_ends_with_ret.
  ∀the_trace : (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl : (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀size_invariant : trace_any_label_length code_memory' cost_labels trace_ends_flag start_status final_status the_trace ≤S program_size'.
  ∀classify_assm: ASM_classify0 instruction = cl_call.
  (∀pi1:ℕ
  .if match lookup_opt costlabel 16 program_counter'' cost_labels with 
      [None ⇒ true | Some _ ⇒ false] 
   then (∀start_status0:Status code_memory'
             .∀final_status0:Status code_memory'
              .∀trace_ends_flag0:trace_ends_with_ret
               .∀the_trace0:trace_any_label
                                        (ASM_abstract_status code_memory' cost_labels)
                                        trace_ends_flag0 start_status0 final_status0.
                trace_any_label_length code_memory' cost_labels trace_ends_flag0
                  start_status0 final_status0 the_trace0
                   ≤ program_size' →
                program_counter''
                 =program_counter (BitVectorTrie Byte 16) code_memory' start_status0
                 → pi1
                   =compute_paid_trace_any_label code_memory' cost_labels
                    trace_ends_flag0 start_status0 final_status0 the_trace0) 
   else (pi1=O) 
   → ticks+pi1
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace).
  #code_memory' #program_counter' #cost_labels #program_size'
  #ticks #instruction #program_counter'' #FETCH
  #start_status #final_status #trace_ends_flag
  #the_trace #program_counter_refl #size_invariant #classify_assm
  #recursive_block_cost #recursive_assm
  @(trace_any_label_inv_ind … the_trace)
  [5:
    #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
    #classifier_assm #costed_assm #trace_ends_refl #start_status_refl #final_status_refl
    #the_trace_refl destruct @⊥
  |1:
    #status_start #status_final #execute_assm #classifier_assm #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |2:
    #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_assm
    #start_status_refl #final_status_refl #the_trace_assm destruct @⊥
  |3:
    #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
    #classifier_assm #after_return_assm #trace_label_return #costed_assm
    #ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct
    whd in match (trace_any_label_length … (tal_base_call …));
    whd in match (compute_paid_trace_any_label … (tal_base_call …));
    whd in costed_assm;
    generalize in match costed_assm;
    generalize in match (refl … (lookup_opt … (program_counter … status_final) cost_labels));
    whd in match (as_label ??);
    generalize in match (lookup_opt … (program_counter … status_final) cost_labels)
      in ⊢ (??%? → % → ?);
    #lookup_assm cases lookup_assm
    [1:
      #None_lookup_opt normalize nodelta #absurd cases absurd
      -absurd #absurd @⊥ @absurd %
    |2:
      #costlabel #Some_lookup_opt normalize nodelta #ignore
      generalize in match recursive_assm;
      cut(program_counter'' = (program_counter (BitVectorTrie Byte 16) code_memory' status_final))
      [1:
        generalize in match after_return_assm;
        whd in ⊢ (% → ?); <FETCH normalize nodelta #relevant <relevant %
      |2:
        #program_counter_assm >program_counter_assm <Some_lookup_opt
        normalize nodelta #new_recursive_assm >new_recursive_assm
        cut(ticks = \snd (fetch code_memory' (program_counter (BitVectorTrie Byte 16) code_memory' status_pre_fun_call)))
        [1:
          <FETCH %
        |2:
          #ticks_refl_assm >ticks_refl_assm
          <plus_n_O %
        ]
      ]
    ]
  |4:
    #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
    #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
    #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl
    generalize in match execute_assm; destruct #execute_assm
    whd in match (trace_any_label_length … (tal_step_call …));
    whd in match (compute_paid_trace_any_label … (tal_step_call …));
    whd in costed_assm:(?%);
    generalize in match costed_assm;
    generalize in match (refl … (lookup_opt … (program_counter … status_after_fun_call) cost_labels));
    whd in match (as_label ??);
    generalize in match (lookup_opt … (program_counter … status_after_fun_call) cost_labels)
      in ⊢ (??%? → % → ?);
    #lookup_assm cases lookup_assm
    [1:
      #None_lookup_opt_assm normalize nodelta #ignore
      generalize in match recursive_assm;
      cut(program_counter'' = program_counter … status_after_fun_call)
      [1:
        generalize in match after_return_assm;
        whd in ⊢ (% → ?); <FETCH normalize nodelta #relevant >relevant %
      |2:
        #program_counter_refl >program_counter_refl <None_lookup_opt_assm
        normalize nodelta #new_recursive_assm
        cases (new_recursive_assm … trace_any_label ? ?)
        [1:
          @plus_right_monotone whd in ⊢ (???%); <FETCH %
        |2:
          @le_S_S_to_le @size_invariant
        |3:
          %
        ]
      ]
    |2:
      #cost_label #Some_lookup_opt_assm #absurd
      cases (not_Some_neq_None_to_False ?? absurd)
    ]
  ]
  try (change with (ASM_classify0 ? = ? ∨ ASM_classify0 ? = ?) in classifier_assm;)
  try (change with (ASM_classify0 ? = ?) in classifier_assm;)
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm #absurd destruct(absurd) cases absurd
  #absurd destruct(absurd)
qed.

lemma trace_compute_paid_trace_cl_return:
  ∀code_memory' : (BitVectorTrie Byte 16).
  ∀program_counter' : Word.
  ∀cost_labels : (BitVectorTrie costlabel 16).
  ∀program_size' : ℕ.
  ∀ticks : ℕ.
  ∀instruction : instruction.
  ∀program_counter'' : Word.
  ∀FETCH : (〈instruction,program_counter'',ticks〉=fetch code_memory' program_counter').
  ∀start_status : (Status code_memory').
  ∀final_status : (Status code_memory').
  ∀trace_ends_flag : trace_ends_with_ret.
  ∀the_trace : (trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status).
  ∀program_counter_refl : (program_counter' = program_counter (BitVectorTrie Byte 16) code_memory' start_status).
  ∀classify_assm: ASM_classify0 instruction = cl_return.
    ticks
     =compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag
      start_status final_status the_trace.
  #code_memory' #program_counter' #cost_labels #program_size'
  #ticks #instruction #program_counter'' #FETCH
  #start_status #final_status #trace_ends_flag
  #the_trace #program_counter_refl #classify_assm
  @(trace_any_label_inv_ind … the_trace)
  [1:
    #start_status' #final_status' #execute_assm #classifier_assm #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |2:
    #start_status' #final_status' #execute_assm #classifier_assm #trace_ends_flag_refl
    #start_status_refl #final_status_refl #the_trace_refl destruct
    whd in match (trace_any_label_length … (tal_base_return …));
    whd in match (compute_paid_trace_any_label … (tal_base_return …));
    <FETCH %
  |3:
    #status_pre_fun_call #status_start_fun_call #status_final #execute_assm
    #classifier_assm #after_return_assm #trace_label_return #costed_assm
    #trace_ends_flag_refl #start_status_refl #final_status_refl #the_trace_refl
    destruct @⊥
  |4:
    #end_flag #status_pre_fun_call #status_start_fun_call #status_after_fun_call
    #status_final #execute_assm #classifier_assm #after_return_assm #trace_label_return
    #costed_assm #trace_any_label #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl
    destruct @⊥
  |5:
    #end_flag #status_pre #status_init #status_end #execute_assm #trace_any_label
    #classifier_assm #costed_assm #trace_ends_flag_refl #start_status_refl
    #final_status_refl #the_trace_refl destruct @⊥
  ]
  try (change with (ASM_classify0 ? = ? ∨ ASM_classify0 ? = ?) in classifier_assm;)
  try (change with (ASM_classify0 ? = ?) in classifier_assm;)
  whd in match current_instruction in classifier_assm; normalize nodelta in classifier_assm;
  whd in match current_instruction0 in classifier_assm; normalize nodelta in classifier_assm;
  <FETCH in classifier_assm; >classify_assm
  #absurd try (destruct(absurd))
  cases absurd
  #absurd destruct(absurd)
qed.

lemma trace_any_label_length_leq_0_to_False:
  ∀code_memory: BitVectorTrie Byte 16.
  ∀cost_labels: BitVectorTrie costlabel 16.
  ∀trace_ends_flag: trace_ends_with_ret.
  ∀start_status: Status code_memory.
  ∀final_status: Status code_memory.
  ∀the_trace.
  trace_any_label_length code_memory cost_labels trace_ends_flag start_status
    final_status the_trace ≤ 0 → False.
  #code_memory #cost_labels #trace_ends_flag #start_status #final_status
  #the_trace
  cases the_trace /2/
qed.
      
let rec block_cost'
  (code_memory': BitVectorTrie Byte 16) (program_counter': Word)
    (program_size: nat) (cost_labels: BitVectorTrie costlabel 16)
      (first_time_around: bool)
        on program_size:
          Σcost_of_block: nat.
          if (match lookup_opt … program_counter' cost_labels with [ None ⇒ true | _ ⇒ first_time_around ]) then
            ∀start_status: Status code_memory'.
            ∀final_status: Status code_memory'.
            ∀trace_ends_flag.
            ∀the_trace: trace_any_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
              trace_any_label_length … the_trace ≤ program_size →
              program_counter' = program_counter … start_status →
                cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace
          else
            (cost_of_block = 0) ≝
  match program_size return λx. x = program_size → ? with
  [ O ⇒ λbase_case. 0 (* XXX: dummy to be inserted here *)
  | S program_size' ⇒ λstep_case.
    let 〈instruction, program_counter'', ticks〉 as FETCH ≝ fetch code_memory' program_counter' in
    let to_continue ≝
      match lookup_opt … program_counter' cost_labels with
      [ None ⇒ true
      | Some _ ⇒ first_time_around
      ]
    in
      ((if to_continue then
       pi1 … (match instruction return λx. x = instruction → ? with
        [ RealInstruction real_instruction ⇒ λreal_instruction_refl.
          match real_instruction return λx. x = real_instruction →
          Σcost_of_block: nat.
            ∀start_status: Status code_memory'.
            ∀final_status: Status code_memory'.
            ∀trace_ends_flag.
            ∀the_trace: trace_any_label (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status.
              trace_any_label_length … the_trace ≤ S program_size' →
              program_counter' = program_counter … start_status →
                cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace with
          [ RET                    ⇒ λinstr. ticks
          | RETI                   ⇒ λinstr. ticks
          | JC   relative          ⇒ λinstr. ticks
          | JNC  relative          ⇒ λinstr. ticks
          | JB   bit_addr relative ⇒ λinstr. ticks
          | JNB  bit_addr relative ⇒ λinstr. ticks
          | JBC  bit_addr relative ⇒ λinstr. ticks
          | JZ   relative          ⇒ λinstr. ticks
          | JNZ  relative          ⇒ λinstr. ticks
          | CJNE src_trgt relative ⇒ λinstr. ticks
          | DJNZ src_trgt relative ⇒ λinstr. ticks
          | _                      ⇒ λinstr.
              ticks + block_cost' code_memory' program_counter'' program_size' cost_labels false
          ] (refl …)
        | ACALL addr     ⇒ λinstr.
            ticks + block_cost' code_memory' program_counter'' program_size' cost_labels false
        | AJMP  addr     ⇒ λinstr.
          let jump_target ≝ compute_target_of_unconditional_jump program_counter'' instruction in
            ticks + block_cost' code_memory' jump_target program_size' cost_labels false
        | LCALL addr     ⇒ λinstr.
            ticks + block_cost' code_memory' program_counter'' program_size' cost_labels false
        | LJMP  addr     ⇒ λinstr.
          let jump_target ≝ compute_target_of_unconditional_jump program_counter'' instruction in
            ticks + block_cost' code_memory' jump_target program_size' cost_labels false
        | SJMP  addr     ⇒ λinstr.
          let jump_target ≝ compute_target_of_unconditional_jump program_counter'' instruction in
            ticks + block_cost' code_memory' jump_target program_size' cost_labels false
        | JMP   addr     ⇒ λinstr. (* XXX: actually a call due to use with fptrs *)
            ticks + block_cost' code_memory' program_counter'' program_size' cost_labels false
        | MOVC  src trgt ⇒ λinstr.
            ticks + block_cost' code_memory' program_counter'' program_size' cost_labels false
        ] (refl …))
      else
        0)
      : Σcost_of_block: nat.
          match (match lookup_opt … program_counter' cost_labels with [ None ⇒ true | _ ⇒ first_time_around ]) with
          [ true ⇒
            ∀start_status: Status code_memory'.
            ∀final_status: Status code_memory'.
            ∀trace_ends_flag.
            ∀the_trace: trace_any_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
              trace_any_label_length … the_trace ≤ S program_size' →
              program_counter' = program_counter … start_status →
                cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace
          | false ⇒
            (cost_of_block = 0)
          ])
  ] (refl …).
  [2:
    change with (if to_continue then ? else (? = 0))
    >p in ⊢ (match % return ? with [ _ ⇒ ? | _ ⇒ ? ]); normalize nodelta
    @pi2
  |1:
    destruct
    cases (lookup_opt ????) normalize nodelta
    [1:
      #start_status #final_status #trace_ends_flag #the_trace
      #absurd
      cases (trace_any_label_length_leq_0_to_False … absurd)
    |2:
      #cost cases first_time_around normalize nodelta try %
      #start_status #final_status #trace_ends_flag #the_trace #absurd
      cases (trace_any_label_length_leq_0_to_False … absurd)
    ]
  |3:
    change with (if to_continue then ? else (0 = 0))
    >p normalize nodelta %
  |5,6:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    @(trace_compute_paid_trace_cl_return … program_size' … FETCH … the_trace program_counter_refl)
    destruct %
  |42,46,47:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    cases(block_cost' ?????) -block_cost'
    @(trace_compute_paid_trace_cl_call … program_size' … FETCH … the_trace program_counter_refl size_invariant)
    destruct %
  |43,44,45: (* XXX: unconditional jumps *)
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    cases (block_cost' ?????) -block_cost'
    lapply (trace_compute_paid_trace_cl_other … program_size' … FETCH … the_trace program_counter_refl size_invariant)
    whd in match (program_counter_after_other ??); normalize nodelta destruct
    whd in match (is_unconditional_jump ?); normalize nodelta #assm @assm %
  |24,25,26,27,28,29,30,31,32:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl 
    @(trace_compute_paid_trace_cl_jump … first_time_around program_size' … FETCH … the_trace program_counter_refl)
    destruct %
  |*:
    #start_status #final_status #trace_ends_flag #the_trace #size_invariant #program_counter_refl
    cases(block_cost' ?????) -block_cost'
    lapply (trace_compute_paid_trace_cl_other … program_size' … FETCH … the_trace program_counter_refl size_invariant)      
    destruct #assm @assm %
  ]
qed.

definition block_cost:
    ∀code_memory': BitVectorTrie Byte 16.
    ∀program_counter': Word.
    ∀cost_labels: BitVectorTrie costlabel 16.
      Σcost_of_block: nat.
        ∀start_status: Status code_memory'.
        ∀final_status: Status code_memory'.
        ∀trace_ends_flag.
        ∀the_trace: trace_any_label (ASM_abstract_status … cost_labels) trace_ends_flag start_status final_status.
        ∀unrepeating_witness: tal_unrepeating (ASM_abstract_status code_memory' cost_labels) trace_ends_flag start_status final_status the_trace.
          program_counter' = program_counter … start_status →
            cost_of_block = compute_paid_trace_any_label code_memory' cost_labels trace_ends_flag start_status final_status the_trace ≝
  λcode_memory: BitVectorTrie Byte 16.
  λprogram_counter: Word.
  λcost_labels: BitVectorTrie costlabel 16. ?.
  cases(block_cost' code_memory program_counter (2^16) cost_labels true)
  #cost_of_block #block_cost_hyp
  %{cost_of_block}
  cases(lookup_opt … cost_labels) in block_cost_hyp;
  [2: #cost_label] normalize nodelta
  #hyp #start_status #final_status #trace_ends_flag #the_trace #unrepeating_witness
  @hyp @tal_pc_list_length_leq_total_program_size try assumption
qed.