source: src/ASM/AssemblyProof.ma @ 982

include "ASM/Assembly.ma".
include "ASM/Interpret.ma".


definition bit_elim_prop: ∀P: bool → Prop. Prop ≝
  λP.
    P true ∧ P false.
 
let rec bitvector_elim_prop_internal
  (n: nat) (P: BitVector n → Prop) (m: nat) on m: m ≤ n → BitVector (n - m) → Prop ≝
  match m return λm. m ≤ n → BitVector (n - m) → Prop with
  [ O    ⇒ λprf1. λprefix. P ?
  | S n' ⇒ λprf2. λprefix. bit_elim_prop (λbit. bitvector_elim_prop_internal n P n' ? ?)
  ].
  [ applyS prefix
  | letin res ≝ (bit ::: prefix)
    < (minus_S_S ? ?)
    > (minus_Sn_m ? ?)
  [ @ res
  | @ prf2
  ]
  | /2/
  ].
qed.

definition bitvector_elim_prop ≝
  λn: nat.
  λP: BitVector n → Prop.
    bitvector_elim_prop_internal n P n ? ?.
  [ @ (le_n ?)
  | < (minus_n_n ?)
    @ [[ ]]
  ]
qed.

lemma eq_b_eq:
  ∀b, c.
    eq_b b c = true → b = c.
  #b #c
  cases b
  cases c
  normalize //
qed.

lemma BitVector_O: ∀v:BitVector 0. v ≃ VEmpty bool.
 #v generalize in match (refl … 0) cases v in ⊢ (??%? → ?%%??) //
 #n #hd #tl #abs @⊥ //
qed.

lemma BitVector_Sn: ∀n.∀v:BitVector (S n).
 ∃hd.∃tl.v ≃ VCons bool n hd tl.
 #n #v generalize in match (refl … (S n)) cases v in ⊢ (??%? → ??(λ_.??(λ_.?%%??)))
 [ #abs @⊥ //
 | #m #hd #tl #EQ <(injective_S … EQ) %[@hd] %[@tl] // ]
qed.

lemma eq_bv_eq:
  ∀n, v, q.
    eq_bv n v q = true → v = q.
  #n #v #q generalize in match v
  elim q
  [ #v #h @BitVector_O
  | #n #hd #tl #ih #v' #h
    cases (BitVector_Sn ? v')
    #hd' * #tl' #jmeq >jmeq in h;
    #new_h
    change in new_h with ((andb ? ?) = ?);
    cases(conjunction_true … new_h)
    #eq_heads #eq_tails
    whd in eq_heads:(??(??(%))?);
    cases(eq_b_eq … eq_heads)
    whd in eq_tails:(??(?????(%))?);
    change in eq_tails with (eq_bv ??? = ?);
    <(ih tl') //
  ]
qed.

lemma bool_eq_internal_eq:
  ∀b, c.
    (λb. λc. (if b then c else (if c then false else true))) b c = true → b = c.
  #b #c
  cases b
  [ normalize //
  | normalize
    cases c
    [ normalize //
    | normalize //
    ]
  ]
qed.

lemma eq_bv_refl:
  ∀n,v. eq_bv n v v = true.
  #n #v
  elim v
  [ //
  | #n #hd #tl #ih
    normalize
    cases hd
    [ normalize
      @ ih
    | normalize
      @ ih
    ]
  ]
qed.

lemma eq_eq_bv:
  ∀n, v, q.
    v = q → eq_bv n v q = true.
  #n #v
  elim v
  [ #q #h <h normalize %
  | #n #hd #tl #ih #q #h >h //
  ]
qed.

definition bit_elim: ∀P: bool → bool. bool ≝
  λP.
    P true ∧ P false.

let rec bitvector_elim_internal
  (n: nat) (P: BitVector n → bool) (m: nat) on m: m ≤ n → BitVector (n - m) → bool ≝
  match m return λm. m ≤ n → BitVector (n - m) → bool with
  [ O    ⇒ λprf1. λprefix. P ?
  | S n' ⇒ λprf2. λprefix. bit_elim (λbit. bitvector_elim_internal n P n' ? ?)
  ].
  [ applyS prefix
  | letin res ≝ (bit ::: prefix)
    < (minus_S_S ? ?)
    > (minus_Sn_m ? ?)
    [ @ res
    | @ prf2
    ]
  | /2/
  ].
qed.

definition bitvector_elim ≝
  λn: nat.
  λP: BitVector n → bool.
    bitvector_elim_internal n P n ? ?.
  [ @ (le_n ?)
  | < (minus_n_n ?)
    @ [[ ]]
  ]
qed.

axiom vector_associative_append:
  ∀A: Type[0].
  ∀n, m, o:  nat.
  ∀v: Vector A n.
  ∀q: Vector A m.
  ∀r: Vector A o.
    ((v @@ q) @@ r)
    ≃
    (v @@ (q @@ r)).
        
lemma vector_cons_append:
  ∀A: Type[0].
  ∀n: nat.
  ∀e: A.
  ∀v: Vector A n.
    e ::: v = [[ e ]] @@ v.
  # A # N # E # V
  elim V
  [ normalize %
  | # NN # AA # VV # IH
    normalize
    % 
  ]
qed.

lemma super_rewrite2:
 ∀A:Type[0].∀n,m.∀v1: Vector A n.∀v2: Vector A m.
  ∀P: ∀m. Vector A m → Prop.
   n=m → v1 ≃ v2 → P n v1 → P m v2.
 #A #n #m #v1 #v2 #P #EQ <EQ in v2; #V #JMEQ >JMEQ //
qed.

lemma mem_middle_vector:
  ∀A: Type[0].
  ∀m, o: nat.
  ∀eq: A → A → bool.
  ∀reflex: ∀a. eq a a = true.
  ∀p: Vector A m.
  ∀a: A.
  ∀r: Vector A o.
    mem A eq ? (p@@(a:::r)) a = true.
  # A # M # O # EQ # REFLEX # P # A
  elim P
  [ normalize
    > (REFLEX A)
    normalize
    # H
    %
  | # NN # AA # PP # IH
    normalize
    cases (EQ A AA) //
     @ IH
  ]
qed.

lemma mem_monotonic_wrt_append:
  ∀A: Type[0].
  ∀m, o: nat.
  ∀eq: A → A → bool.
  ∀reflex: ∀a. eq a a = true.
  ∀p: Vector A m.
  ∀a: A.
  ∀r: Vector A o.
    mem A eq ? r a = true → mem A eq ? (p @@ r) a = true.
  # A # M # O # EQ # REFLEX # P # A
  elim P
  [ #R #H @H
  | #NN #AA # PP # IH #R #H
    normalize
    cases (EQ A AA)
    [ normalize %
    | @ IH @ H
    ]
  ]
qed.

lemma subvector_multiple_append:
  ∀A: Type[0].
  ∀o, n: nat.
  ∀eq: A → A → bool.
  ∀refl: ∀a. eq a a = true.
  ∀h: Vector A o.
  ∀v: Vector A n.
  ∀m: nat.
  ∀q: Vector A m.
    bool_to_Prop (subvector_with A ? ? eq v (h @@ q @@ v)).
  # A # O # N # EQ # REFLEX # H # V
  elim V
  [ normalize
    # M # V %
  | # NN # AA # VV # IH # MM # QQ
    change with (bool_to_Prop (andb ??))
    cut ((mem A EQ (O + (MM + S NN)) (H@@QQ@@AA:::VV) AA) = true)
    [ 
    | # HH > HH
      > (vector_cons_append ? ? AA VV)
      change with (bool_to_Prop (subvector_with ??????))
      @(super_rewrite2 A ((MM + 1)+ NN) (MM+S NN) ??
        (λSS.λVS.bool_to_Prop (subvector_with ?? (O+SS) ?? (H@@VS)))
        ?
        (vector_associative_append A ? ? ? QQ [[AA]] VV))
      [ >associative_plus //
      | @IH ]
    ]
    @(mem_monotonic_wrt_append)
    [ @ REFLEX
    | @(mem_monotonic_wrt_append)
      [ @ REFLEX
      | normalize
        > REFLEX
        normalize
        %
      ]
    ]
qed.

lemma vector_cons_empty:
  ∀A: Type[0].
  ∀n: nat.
  ∀v: Vector A n.
    [[ ]] @@ v = v.
  # A # N # V
  elim V
  [ normalize %
  | # NN # HH # VV #H %
  ]
qed.

corollary subvector_hd_tl:
  ∀A: Type[0].
  ∀o: nat.
  ∀eq: A → A → bool.
  ∀refl: ∀a. eq a a = true.
  ∀h: A.
  ∀v: Vector A o.
    bool_to_Prop (subvector_with A ? ? eq v (h ::: v)).
  # A # O # EQ # REFLEX # H # V
  > (vector_cons_append A ? H V)
  < (vector_cons_empty A ? ([[H]] @@ V))
  @ (subvector_multiple_append A ? ? EQ REFLEX [[]] V ? [[ H ]])
qed.

lemma eq_a_reflexive:
  ∀a. eq_a a a = true.
  # A
  cases A
  %
qed.

lemma is_in_monotonic_wrt_append:
  ∀m, n: nat.
  ∀p: Vector addressing_mode_tag m.
  ∀q: Vector addressing_mode_tag n.
  ∀to_search: addressing_mode.
    bool_to_Prop (is_in ? p to_search) → bool_to_Prop (is_in ? (q @@ p) to_search).
  # M # N # P # Q # TO_SEARCH
  # H
  elim Q
  [ normalize
    @ H
  | # NN # PP # QQ # IH
    normalize
    cases (is_a PP TO_SEARCH)
    [ normalize
      %
    | normalize
      normalize in IH
      @ IH
    ]
  ]
qed.

corollary is_in_hd_tl:
  ∀to_search: addressing_mode.
  ∀hd: addressing_mode_tag.
  ∀n: nat.
  ∀v: Vector addressing_mode_tag n.
    bool_to_Prop (is_in ? v to_search) → bool_to_Prop (is_in ? (hd:::v) to_search).
  # TO_SEARCH # HD # N # V
  elim V
  [ # H
    normalize in H;
    cases H
  | # NN # HHD # VV # IH # HH
    > vector_cons_append
    > (vector_cons_append ? ? HHD VV)
    @ (is_in_monotonic_wrt_append ? 1 ([[HHD]]@@VV) [[HD]] TO_SEARCH)
    @ HH
  ]
qed.
  
let rec list_addressing_mode_tags_elim
  (n: nat) (l: Vector addressing_mode_tag (S n)) on l: (l → bool) → bool ≝
  match l return λx.match x with [O ⇒ λl: Vector … O. bool | S x' ⇒ λl: Vector addressing_mode_tag (S x').
   (l → bool) → bool ] with
  [ VEmpty      ⇒  true  
  | VCons len hd tl ⇒ λP.
    let process_hd ≝
      match hd return λhd. ∀P: hd:::tl → bool. bool with
      [ direct ⇒ λP.bitvector_elim 8 (λx. P (DIRECT x))
      | indirect ⇒ λP.bit_elim (λx. P (INDIRECT x))
      | ext_indirect ⇒ λP.bit_elim (λx. P (EXT_INDIRECT x))
      | registr ⇒ λP.bitvector_elim 3 (λx. P (REGISTER x))
      | acc_a ⇒ λP.P ACC_A
      | acc_b ⇒ λP.P ACC_B
      | dptr ⇒ λP.P DPTR
      | data ⇒ λP.bitvector_elim 8 (λx. P (DATA x))
      | data16 ⇒ λP.bitvector_elim 16 (λx. P (DATA16 x))
      | acc_dptr ⇒ λP.P ACC_DPTR
      | acc_pc ⇒ λP.P ACC_PC
      | ext_indirect_dptr ⇒ λP.P EXT_INDIRECT_DPTR
      | indirect_dptr ⇒ λP.P INDIRECT_DPTR
      | carry ⇒ λP.P CARRY
      | bit_addr ⇒ λP.bitvector_elim 8 (λx. P (BIT_ADDR x))
      | n_bit_addr ⇒ λP.bitvector_elim 8 (λx. P (N_BIT_ADDR x))
      | relative ⇒ λP.bitvector_elim 8 (λx. P (RELATIVE x))
      | addr11 ⇒ λP.bitvector_elim 11 (λx. P (ADDR11 x))
      | addr16 ⇒ λP.bitvector_elim 16 (λx. P (ADDR16 x))
      ]
    in
      andb (process_hd P)
       (match len return λx. x = len → bool with
         [ O ⇒ λprf. true
         | S y ⇒ λprf. list_addressing_mode_tags_elim y ? P ] (refl ? len))
  ].
  try %
  [ 2: cases (sym_eq ??? prf); @tl
  | generalize in match H; generalize in match tl; cases prf;
    (* cases prf in tl H; : ??? WAS WORKING BEFORE *)
    #tl
    normalize in ⊢ (∀_: %. ?)
    # H
    whd
    normalize in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ?])
    cases (is_a hd (subaddressing_modeel y tl H)) whd // ]
qed.

definition product_elim ≝
  λm, n: nat.
  λv: Vector addressing_mode_tag (S m).
  λq: Vector addressing_mode_tag (S n).
  λP: (v × q) → bool.
    list_addressing_mode_tags_elim ? v (λx. list_addressing_mode_tags_elim ? q (λy. P 〈x, y〉)).

definition union_elim ≝ 
  λA, B: Type[0].
  λelimA: (A → bool) → bool.
  λelimB: (B → bool) → bool.
  λelimU: A ⊎ B → bool.
    elimA (λa. elimB (λb. elimU (inl ? ? a) ∧ elimU (inr ? ? b))).

(*                           
definition preinstruction_elim: ∀P: preinstruction [[ relative ]] → bool. bool ≝
  λP.
    list_addressing_mode_tags_elim ? [[ registr ; direct ; indirect ; data ]] (λaddr. P (ADD ? ACC_A addr)) ∧
    list_addressing_mode_tags_elim ? [[ registr ; direct ; indirect ; data ]] (λaddr. P (ADDC ? ACC_A addr)) ∧
    list_addressing_mode_tags_elim ? [[ registr ; direct ; indirect ; data ]] (λaddr. P (SUBB ? ACC_A addr)) ∧
    list_addressing_mode_tags_elim ? [[ acc_a ; registr ; direct ; indirect ; dptr ]] (λaddr. P (INC ? addr)) ∧
    list_addressing_mode_tags_elim ? [[ acc_a ; registr ; direct ; indirect ]] (λaddr. P (DEC ? addr)) ∧
    list_addressing_mode_tags_elim ? [[acc_b]] (λaddr. P (MUL ? ACC_A addr)) ∧
    list_addressing_mode_tags_elim ? [[acc_b]] (λaddr. P (DIV ? ACC_A addr)) ∧
    list_addressing_mode_tags_elim ? [[ registr ; direct ]] (λaddr. bitvector_elim 8 (λr. P (DJNZ ? addr (RELATIVE r)))) ∧
    list_addressing_mode_tags_elim ? [[ acc_a ; carry ; bit_addr ]] (λaddr. P (CLR ? addr)) ∧
    list_addressing_mode_tags_elim ? [[ acc_a ; carry ; bit_addr ]] (λaddr. P (CPL ? addr)) ∧
    P (DA ? ACC_A) ∧
    bitvector_elim 8 (λr. P (JC ? (RELATIVE r))) ∧
    bitvector_elim 8 (λr. P (JNC ? (RELATIVE r))) ∧
    bitvector_elim 8 (λr. P (JZ ? (RELATIVE r))) ∧
    bitvector_elim 8 (λr. P (JNZ ? (RELATIVE r))) ∧
    bitvector_elim 8 (λr. (bitvector_elim 8 (λb: BitVector 8. P (JB ? (BIT_ADDR b) (RELATIVE r))))) ∧
    bitvector_elim 8 (λr. (bitvector_elim 8 (λb: BitVector 8. P (JNB ? (BIT_ADDR b) (RELATIVE r))))) ∧
    bitvector_elim 8 (λr. (bitvector_elim 8 (λb: BitVector 8. P (JBC ? (BIT_ADDR b) (RELATIVE r))))) ∧
    list_addressing_mode_tags_elim ? [[ registr; direct ]] (λaddr. bitvector_elim 8 (λr. P (DJNZ ? addr (RELATIVE r)))) ∧
    P (RL ? ACC_A) ∧
    P (RLC ? ACC_A) ∧
    P (RR ? ACC_A) ∧
    P (RRC ? ACC_A) ∧
    P (SWAP ? ACC_A) ∧
    P (RET ?) ∧
    P (RETI ?) ∧
    P (NOP ?) ∧
    bit_elim (λb. P (XCHD ? ACC_A (INDIRECT b))) ∧
    list_addressing_mode_tags_elim ? [[ carry; bit_addr ]] (λaddr. P (SETB ? addr)) ∧
    bitvector_elim 8 (λaddr. P (PUSH ? (DIRECT addr))) ∧
    bitvector_elim 8 (λaddr. P (POP ? (DIRECT addr))) ∧
    union_elim ? ? (product_elim ? ? [[ acc_a ]] [[ direct; data ]])
                   (product_elim ? ? [[ registr; indirect ]] [[ data ]])
                   (λd. bitvector_elim 8 (λb. P (CJNE ? d (RELATIVE b)))) ∧
    list_addressing_mode_tags_elim ? [[ registr; direct; indirect ]] (λaddr. P (XCH ? ACC_A addr)) ∧
    union_elim ? ? (product_elim ? ? [[acc_a]] [[ data ; registr ; direct ; indirect ]])
                   (product_elim ? ? [[direct]] [[ acc_a ; data ]])
                   (λd. P (XRL ? d)) ∧
    union_elim ? ? (union_elim ? ? (product_elim ? ? [[acc_a]] [[ registr ; direct ; indirect ; data ]]) 
                                   (product_elim ? ? [[direct]] [[ acc_a ; data ]]))
                   (product_elim ? ? [[carry]] [[ bit_addr ; n_bit_addr]])
                   (λd. P (ANL ? d)) ∧
    union_elim ? ? (union_elim ? ? (product_elim ? ? [[acc_a]] [[ registr ; data ; direct ; indirect ]]) 
                                   (product_elim ? ? [[direct]] [[ acc_a ; data ]]))
                   (product_elim ? ? [[carry]] [[ bit_addr ; n_bit_addr]])
                   (λd. P (ORL ? d)) ∧
    union_elim ? ? (product_elim ? ? [[acc_a]] [[ ext_indirect ; ext_indirect_dptr ]])
                   (product_elim ? ? [[ ext_indirect ; ext_indirect_dptr ]] [[acc_a]])
                   (λd. P (MOVX ? d)) ∧
    union_elim ? ? (
      union_elim ? ? (
        union_elim ? ? (
          union_elim ? ? (
            union_elim ? ?  (product_elim ? ? [[acc_a]] [[ registr ; direct ; indirect ; data ]])
                            (product_elim ? ? [[ registr ; indirect ]] [[ acc_a ; direct ; data ]]))
                            (product_elim ? ? [[direct]] [[ acc_a ; registr ; direct ; indirect ; data ]]))
                            (product_elim ? ? [[dptr]] [[data16]]))
                            (product_elim ? ? [[carry]] [[bit_addr]]))
                            (product_elim ? ? [[bit_addr]] [[carry]])
                            (λd. P (MOV ? d)).
  %
qed.
  
definition instruction_elim: ∀P: instruction → bool. bool ≝
  λP. (*
    bitvector_elim 11 (λx. P (ACALL (ADDR11 x))) ∧
    bitvector_elim 16 (λx. P (LCALL (ADDR16 x))) ∧
    bitvector_elim 11 (λx. P (AJMP (ADDR11 x))) ∧
    bitvector_elim 16 (λx. P (LJMP (ADDR16 x))) ∧ *)
    bitvector_elim 8 (λx. P (SJMP (RELATIVE x))). (*  ∧
    P (JMP INDIRECT_DPTR) ∧
    list_addressing_mode_tags_elim ? [[ acc_dptr; acc_pc ]] (λa. P (MOVC ACC_A a)) ∧
    preinstruction_elim (λp. P (RealInstruction p)). *)
  %
qed.


axiom instruction_elim_complete:
 ∀P. instruction_elim P = true → ∀i. P i = true.
*)
(*definition eq_instruction ≝
  λi, j: instruction.
    true.*)
axiom eq_instruction: instruction → instruction → bool.
axiom eq_instruction_refl: ∀i. eq_instruction i i = true.

let rec vect_member
  (A: Type[0]) (n: nat) (eq: A → A → bool)
  (v: Vector A n) (a: A) on v: bool ≝
  match v with
  [ VEmpty          ⇒ false
  | VCons len hd tl ⇒
    eq hd a ∨ (vect_member A ? eq tl a)
  ].

let rec list_addressing_mode_tags_elim_prop
  (n: nat)
  (l: Vector addressing_mode_tag (S n))
  on l:
  ∀P: l → Prop.
  ∀direct_a. ∀indirect_a. ∀ext_indirect_a. ∀register_a. ∀acc_a_a.
  ∀acc_b_a. ∀dptr_a. ∀data_a. ∀data16_a. ∀acc_dptr_a. ∀acc_pc_a.
  ∀ext_indirect_dptr_a. ∀indirect_dptr_a. ∀carry_a. ∀bit_addr_a.
  ∀n_bit_addr_a. ∀relative_a. ∀addr11_a. ∀addr16_a.
  ∀x: l. P x ≝
  match l return
    λy.
      match y with
      [ O    ⇒ λm: Vector addressing_mode_tag O. ∀prf: 0 = S n. True
      | S y' ⇒ λl: Vector addressing_mode_tag (S y'). ∀prf: S y' = S n.∀P:l → Prop.
               ∀direct_a: if vect_member … eq_a l direct then ∀x. P (DIRECT x) else True.
               ∀indirect_a: if vect_member … eq_a l indirect then ∀x. P (INDIRECT x) else True.
               ∀ext_indirect_a: if vect_member … eq_a l ext_indirect then ∀x. P (EXT_INDIRECT x) else True.
               ∀register_a: if vect_member … eq_a l registr then ∀x. P (REGISTER x) else True.
               ∀acc_a_a: if vect_member … eq_a l acc_a then P (ACC_A) else True.
               ∀acc_b_a: if vect_member … eq_a l acc_b then P (ACC_B) else True.
               ∀dptr_a: if vect_member … eq_a l dptr then P DPTR else True.
               ∀data_a: if vect_member … eq_a l data then ∀x. P (DATA x) else True.
               ∀data16_a: if vect_member … eq_a l data16 then ∀x. P (DATA16 x) else True.
               ∀acc_dptr_a: if vect_member … eq_a l acc_dptr then P ACC_DPTR else True.
               ∀acc_pc_a: if vect_member … eq_a l acc_pc then P ACC_PC else True.
               ∀ext_indirect_dptr_a: if vect_member … eq_a l ext_indirect_dptr then P EXT_INDIRECT_DPTR else True.
               ∀indirect_dptr_a: if vect_member … eq_a l indirect_dptr then P INDIRECT_DPTR else True.
               ∀carry_a: if vect_member … eq_a l carry then P CARRY else True.
               ∀bit_addr_a: if vect_member … eq_a l bit_addr then ∀x. P (BIT_ADDR x) else True.
               ∀n_bit_addr_a: if vect_member … eq_a l n_bit_addr then ∀x. P (N_BIT_ADDR x) else True.
               ∀relative_a: if vect_member … eq_a l relative then ∀x. P (RELATIVE x) else True.
               ∀addr11_a: if vect_member … eq_a l addr11 then ∀x. P (ADDR11 x) else True.
               ∀addr_16_a: if vect_member … eq_a l addr16 then ∀x. P (ADDR16 x) else True.
               ∀x:l. P x
      ] with
  [ VEmpty          ⇒ λAbsurd. ⊥
  | VCons len hd tl ⇒ λProof. ?
  ] (refl ? (S n)). cases daemon. qed. (*
  [ destruct(Absurd)
  | # A1 # A2 # A3 # A4 # A5 # A6 # A7
    # A8 # A9 # A10 # A11 # A12 # A13 # A14
    # A15 # A16 # A17 # A18 # A19 # X
    cases X
    # SUB cases daemon ] qed.
    cases SUB
    [ # BYTE
    normalize
  ].
  
  
(*    let prepare_hd ≝
      match hd with
      [ direct ⇒ λdirect_prf. ?
      | indirect ⇒ λindirect_prf. ?
      | ext_indirect ⇒ λext_indirect_prf. ?
      | registr ⇒ λregistr_prf. ?
      | acc_a ⇒ λacc_a_prf. ?
      | acc_b ⇒ λacc_b_prf. ?
      | dptr ⇒ λdptr_prf. ?
      | data ⇒ λdata_prf. ?
      | data16 ⇒ λdata16_prf. ?
      | acc_dptr ⇒ λacc_dptr_prf. ?
      | acc_pc ⇒ λacc_pc_prf. ?
      | ext_indirect_dptr ⇒ λext_indirect_prf. ?
      | indirect_dptr ⇒ λindirect_prf. ?
      | carry ⇒ λcarry_prf. ?
      | bit_addr ⇒ λbit_addr_prf. ?
      | n_bit_addr ⇒ λn_bit_addr_prf. ?
      | relative ⇒ λrelative_prf. ?
      | addr11 ⇒ λaddr11_prf. ?
      | addr16 ⇒ λaddr16_prf. ?
      ]
    in ? *)
  ].
  [ 1: destruct(absd)
  | 2: # A1 # A2 # A3 # A4 # A5 # A6
       # A7 # A8 # A9 # A10 # A11 # A12
       # A13 # A14 # A15 # A16 # A17 # A18
       # A19 * 
  ].


  match l return λx.match x with [O ⇒ λl: Vector … O. bool | S x' ⇒ λl: Vector addressing_mode_tag (S x').
   (l → bool) → bool ] with
  [ VEmpty      ⇒  true  
  | VCons len hd tl ⇒ λP.
    let process_hd ≝
      match hd return λhd. ∀P: hd:::tl → bool. bool with
      [ direct ⇒ λP.bitvector_elim 8 (λx. P (DIRECT x))
      | indirect ⇒ λP.bit_elim (λx. P (INDIRECT x))
      | ext_indirect ⇒ λP.bit_elim (λx. P (EXT_INDIRECT x))
      | registr ⇒ λP.bitvector_elim 3 (λx. P (REGISTER x))
      | acc_a ⇒ λP.P ACC_A
      | acc_b ⇒ λP.P ACC_B
      | dptr ⇒ λP.P DPTR
      | data ⇒ λP.bitvector_elim 8 (λx. P (DATA x))
      | data16 ⇒ λP.bitvector_elim 16 (λx. P (DATA16 x))
      | acc_dptr ⇒ λP.P ACC_DPTR
      | acc_pc ⇒ λP.P ACC_PC
      | ext_indirect_dptr ⇒ λP.P EXT_INDIRECT_DPTR
      | indirect_dptr ⇒ λP.P INDIRECT_DPTR
      | carry ⇒ λP.P CARRY
      | bit_addr ⇒ λP.bitvector_elim 8 (λx. P (BIT_ADDR x))
      | n_bit_addr ⇒ λP.bitvector_elim 8 (λx. P (N_BIT_ADDR x))
      | relative ⇒ λP.bitvector_elim 8 (λx. P (RELATIVE x))
      | addr11 ⇒ λP.bitvector_elim 11 (λx. P (ADDR11 x))
      | addr16 ⇒ λP.bitvector_elim 16 (λx. P (ADDR16 x))
      ]
    in
      andb (process_hd P)
       (match len return λx. x = len → bool with
         [ O ⇒ λprf. true
         | S y ⇒ λprf. list_addressing_mode_tags_elim y ? P ] (refl ? len))
  ].
  try %
  [ 2: cases (sym_eq ??? prf); @tl
  | generalize in match H; generalize in match tl; cases prf;
    (* cases prf in tl H; : ??? WAS WORKING BEFORE *)
    #tl
    normalize in ⊢ (∀_: %. ?)
    # H
    whd
    normalize in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ?])
    cases (is_a hd (subaddressing_modeel y tl H)) whd // ]
qed.
*)
(*
lemma test:
  let i ≝ SJMP (RELATIVE (bitvector_of_nat 8 255)) in
      (let assembled ≝ assembly1 i in
      let code_memory ≝ load_code_memory assembled in
      let fetched ≝ fetch code_memory ? in
      let 〈instr_pc, ticks〉 ≝ fetched in
        eq_instruction (\fst instr_pc)) i = true.
 [2: @ zero
 | normalize
 ]*)

lemma BitVectorTrie_O:
 ∀A:Type[0].∀v:BitVectorTrie A 0.(∃w. v ≃ Leaf A w) ∨ v ≃ Stub A 0.
 #A #v generalize in match (refl … O) cases v in ⊢ (??%? → (?(??(λ_.?%%??)))(?%%??))
  [ #w #_ %1 %[@w] %
  | #n #l #r #abs @⊥ //
  | #n #EQ %2 >EQ %]
qed.

lemma BitVectorTrie_Sn:
 ∀A:Type[0].∀n.∀v:BitVectorTrie A (S n).(∃l,r. v ≃ Node A n l r) ∨ v ≃ Stub A (S n).
 #A #n #v generalize in match (refl … (S n)) cases v in ⊢ (??%? → (?(??(λ_.??(λ_.?%%??))))%)
  [ #m #abs @⊥ //
  | #m #l #r #EQ %1 <(injective_S … EQ) %[@l] %[@r] //
  | #m #EQ %2 // ]
qed.

lemma lookup_prepare_trie_for_insertion_hit:
 ∀A:Type[0].∀a,v:A.∀n.∀b:BitVector n.
  lookup … b (prepare_trie_for_insertion … b v) a = v. 
 #A #a #v #n #b elim b // #m #hd #tl #IH cases hd normalize //
qed.
 
lemma lookup_insert_hit:
 ∀A:Type[0].∀a,v:A.∀n.∀b:BitVector n.∀t:BitVectorTrie A n.
  lookup … b (insert … b v t) a = v.
 #A #a #v #n #b elim b -b -n //
 #n #hd #tl #IH #t cases(BitVectorTrie_Sn … t)
  [ * #l * #r #JMEQ >JMEQ cases hd normalize //
  | #JMEQ >JMEQ cases hd normalize @lookup_prepare_trie_for_insertion_hit ]
qed.

coercion bool_to_Prop: ∀b:bool. Prop ≝ bool_to_Prop on _b:bool to Type[0]. 

lemma lookup_prepare_trie_for_insertion_miss:
 ∀A:Type[0].∀a,v:A.∀n.∀c,b:BitVector n.
  (notb (eq_bv ? b c)) → lookup … b (prepare_trie_for_insertion … c v) a = a.
 #A #a #v #n #c elim c
  [ #b >(BitVector_O … b) normalize #abs @⊥ //
  | #m #hd #tl #IH #b cases(BitVector_Sn … b) #hd' * #tl' #JMEQ >JMEQ
    cases hd cases hd' normalize
    [2,3: #_ cases tl' //
    |*: change with (bool_to_Prop (notb (eq_bv ???)) → ?) /2/ ]]
qed.
  
lemma lookup_insert_miss:
 ∀A:Type[0].∀a,v:A.∀n.∀c,b:BitVector n.∀t:BitVectorTrie A n.
  (notb (eq_bv ? b c)) → lookup … b (insert … c v t) a = lookup … b t a.
 #A #a #v #n #c elim c -c -n
  [ #b #t #DIFF @⊥ whd in DIFF; >(BitVector_O … b) in DIFF //
  | #n #hd #tl #IH #b cases(BitVector_Sn … b) #hd' * #tl' #JMEQ >JMEQ
    #t cases(BitVectorTrie_Sn … t)
    [ * #l * #r #JMEQ >JMEQ cases hd cases hd' #H normalize in H;
     [1,4: change in H with (bool_to_Prop (notb (eq_bv ???))) ] normalize // @IH //
    | #JMEQ >JMEQ cases hd cases hd' #H normalize in H;
     [1,4: change in H with (bool_to_Prop (notb (eq_bv ???))) ] normalize
     [3,4: cases tl' // | *: @lookup_prepare_trie_for_insertion_miss //]]]
qed.

definition load_code_memory_aux ≝
 fold_left_i_aux … (
   λi, mem, v.
     insert … (bitvector_of_nat … i) v mem) (Stub Byte 16).

axiom split_elim:
 ∀A,l,m,v.∀P: (Vector A l) × (Vector A m) → Prop.
  (∀vl,vm. v = vl@@vm → P 〈vl,vm〉) → P (split A l m v).

axiom half_add_SO:
 ∀pc.
 \snd (half_add 16 (bitvector_of_nat … pc) (bitvector_of_nat … 1)) = bitvector_of_nat … (S pc).

(*
axiom not_eqvb_S:
 ∀pc.
 (¬eq_bv 16 (bitvector_of_nat 16 pc) (bitvector_of_nat 16 (S pc))).

axiom not_eqvb_SS:
 ∀pc.
 (¬eq_bv 16 (bitvector_of_nat 16 pc) (bitvector_of_nat 16 (S (S pc)))).
 
axiom bitvector_elim_complete:
 ∀n,P. bitvector_elim n P = true → ∀bv. P bv.

lemma bitvector_elim_complete':
 ∀n,P. bitvector_elim n P = true → ∀bv. P bv = true.
 #n #P #H generalize in match (bitvector_elim_complete … H) #K #bv
 generalize in match (K bv) normalize cases (P bv) normalize // #abs @⊥ //
qed.
*)




(*
lemma andb_elim':
 ∀b1,b2. (b1 = true) → (b2 = true) → (b1 ∧ b2) = true.
 #b1 #b2 #H1 #H2 @andb_elim cases b1 in H1; normalize //
qed.
*)

let rec encoding_check (code_memory: BitVectorTrie Byte 16) (pc: Word) (final_pc: Word)
                       (encoding: list Byte) on encoding: Prop ≝
  match encoding with
  [ nil ⇒ final_pc = pc
  | cons hd tl ⇒
    let 〈new_pc, byte〉 ≝ next code_memory pc in
      hd = byte ∧ encoding_check code_memory new_pc final_pc tl
  ].

lemma encoding_check_append: ∀code_memory,final_pc,l1,pc,l2.
 encoding_check code_memory (bitvector_of_nat … pc) (bitvector_of_nat … final_pc) (l1@l2) →
  let intermediate_pc ≝ pc + length … l1 in
   encoding_check code_memory (bitvector_of_nat … pc) (bitvector_of_nat … intermediate_pc) l1 ∧
    encoding_check code_memory (bitvector_of_nat … intermediate_pc) (bitvector_of_nat … final_pc) l2.
 #code_memory #final_pc #l1 elim l1
  [ #pc #l2 whd in ⊢ (????% → ?) #H <plus_n_O whd whd in ⊢ (?%?) /2/
  | #hd #tl #IH #pc #l2 * #H1 #H2 >half_add_SO in H2; #H2 cases (IH … H2) <plus_n_Sm
    #K1 #K2 % [2:@K2] whd % // >half_add_SO @K1 ]
qed.

axiom bitvector_3_elim_prop:
 ∀P: BitVector 3 → Prop.
  P [[false;false;false]] → P [[false;false;true]] → P [[false;true;false]] →
  P [[false;true;true]] → P [[true;false;false]] → P [[true;false;true]] →
  P [[true;true;false]] → P [[true;true;true]] → ∀v. P v.

definition ticks_of_instruction ≝
 λi.
  let trivial_code_memory ≝ assembly1 i in
  let trivial_status ≝ load_code_memory trivial_code_memory in
   \snd (fetch trivial_status (zero ?)).

axiom fetch_assembly:
  ∀pc,i,code_memory,assembled.
    assembled = assembly1 i →
      let len ≝ length … assembled in
      encoding_check code_memory (bitvector_of_nat … pc) (bitvector_of_nat … (pc + len)) assembled →
      let fetched ≝ fetch code_memory (bitvector_of_nat … pc) in
      let 〈instr_pc, ticks〉 ≝ fetched in
      let 〈instr,pc'〉 ≝ instr_pc in
       (eq_instruction instr i ∧ eqb ticks (ticks_of_instruction instr) ∧ eq_bv … pc' (bitvector_of_nat … (pc + len))) = true.
(* #pc #i #code_memory #assembled cases i [8: *]
 [16,20,29: * * |18,19: * * [1,2,4,5: *] |28: * * [1,2: * [1,2: * [1,2: * [1,2: *]]]]]
 [47,48,49:
 |*: #arg @(list_addressing_mode_tags_elim_prop … arg) whd try % -arg
  [2,3,5,7,10,12,16,17,18,21,25,26,27,30,31,32,37,38,39,40,41,42,43,44,45,48,51,58,
   59,60,63,64,65,66,67: #ARG]]
 [4,5,6,7,8,9,10,11,12,13,22,23,24,27,28,39,40,41,42,43,44,45,46,47,48,49,50,51,52,
  56,57,69,70,72,73,75: #arg2 @(list_addressing_mode_tags_elim_prop … arg2) whd try % -arg2
  [1,2,4,7,9,10,12,13,15,16,17,18,20,22,23,24,25,26,27,28,29,30,31,32,33,36,37,38,
   39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,
   68,69,70,71: #ARG2]]
 [1,2,19,20: #arg3 @(list_addressing_mode_tags_elim_prop … arg3) whd try % -arg3 #ARG3]
 normalize in ⊢ (???% → ?)
 [92,94,42,93,95: @split_elim #vl #vm #E >E -E; [2,4: @(bitvector_3_elim_prop … vl)]
  normalize in ⊢ (???% → ?)]
 #H >H * #H1 try (change in ⊢ (% → ?) with (? ∧ ?) * #H2)
 try (change in ⊢ (% → ?) with (? ∧ ?) * #H3) whd in ⊢ (% → ?) #H4
 change in ⊢ (let fetched ≝ % in ?) with (fetch0 ??)
 whd in ⊢ (let fetched ≝ ??% in ?) <H1 whd in ⊢ (let fetched ≝ % in ?)
 [17,18,19,20,21,22,23,24,25,26,31,34,35,36,37,38: <H3]
 [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,
  30,31,32,33,34,35,36,37,38,39,40,43,45,48,49,52,53,54,55,56,57,60,61,62,65,66,
  69,70,73,74,78,80,81,84,85,95,98,101,102,103,104,105,106,107,108,109,110: <H2]
 whd >eq_instruction_refl >H4 @eq_bv_refl
qed. *)

let rec fetch_many code_memory final_pc pc expected on expected: Prop ≝
 match expected with
  [ nil ⇒ eq_bv … pc final_pc = true
  | cons i tl ⇒
     let fetched ≝ fetch code_memory pc in
     let 〈instr_pc, ticks〉 ≝ fetched in
     let 〈instr,pc'〉 ≝ instr_pc in
      eq_instruction instr i = true ∧
      ticks = (ticks_of_instruction i) ∧
      fetch_many code_memory final_pc pc' tl].

lemma option_destruct_Some: ∀A,a,b. Some A a = Some A b → a=b.
 #A #a #b #EQ destruct //
qed.

axiom eq_bv_to_eq: ∀n.∀v1,v2: BitVector n. eq_bv … v1 v2 = true → v1=v2.

axiom eq_instruction_to_eq: ∀i1,i2. eq_instruction i1 i2 = true → i1 = i2.

lemma fetch_assembly_pseudo:
 ∀program,ppc,lookup_labels,lookup_datalabels.
  ∀pi,code_memory,len,assembled,instructions,pc.
   let expansion ≝ jump_expansion ppc program in
   Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (bitvector_of_nat ? pc) expansion pi →
    Some … 〈len,assembled〉 = assembly_1_pseudoinstruction program ppc (bitvector_of_nat ? pc) lookup_labels lookup_datalabels pi →
     encoding_check code_memory (bitvector_of_nat … pc) (bitvector_of_nat … (pc + len)) assembled →
      fetch_many code_memory (bitvector_of_nat … (pc + len)) (bitvector_of_nat … pc) instructions.
 #program #ppc #lookup_labels #lookup_datalabels #pi #code_memory #len #assembled #instructions #pc
 #EQ1 whd in ⊢ (???% → ?) <EQ1 whd in ⊢ (???% → ?) #EQ2
 cases (pair_destruct ?????? (option_destruct_Some … EQ2)) -EQ2; #EQ2a #EQ2b
 >EQ2a >EQ2b -EQ2a EQ2b;
  generalize in match (pc + |flatten … (map … assembly1 instructions)|); #final_pc
  generalize in match pc elim instructions
  [ #pc whd in ⊢ (% → %) #H >H @eq_bv_refl
  | #i #tl #IH #pc #H whd cases (encoding_check_append … H); -H; #H1 #H2 whd
    generalize in match (fetch_assembly pc i code_memory … (refl …) H1)
    cases (fetch code_memory (bitvector_of_nat … pc)) #newi_pc #ticks whd in ⊢ (% → %)
    cases newi_pc #newi #newpc whd in ⊢ (% → %) #K cases (conjunction_true … K) -K; #K1
    cases (conjunction_true … K1) -K1; #K1 #K2 #K3 % try % //
    [ @eqb_true_to_eq <(eq_instruction_to_eq … K1) // | >(eq_bv_to_eq … K3) @IH @H2 ]
qed.

(* This establishes the correspondence between pseudo program counters and
   program counters. It is at the heart of the proof. *)
(*CSC: code taken from build_maps *)
definition sigma00: pseudo_assembly_program → list ? → option (nat × (nat × (BitVectorTrie Word 16))) ≝
 λinstr_list.λl:list labelled_instruction.
  foldl ??
   (λt,i.
       match t with
       [ None ⇒ None ?
       | Some ppc_pc_map ⇒
         let 〈ppc,pc_map〉 ≝ ppc_pc_map in
         let 〈program_counter, sigma_map〉 ≝ pc_map in
         let 〈label, i〉 ≝ i in
          match construct_costs instr_list ppc program_counter (λx. zero ?) (λx. zero ?) (Stub …) i with
           [ None ⇒ None ?
           | Some pc_ignore ⇒
              let 〈pc,ignore〉 ≝ pc_ignore in
              Some … 〈S ppc,〈pc, insert ? ? (bitvector_of_nat ? ppc) (bitvector_of_nat ? pc) sigma_map〉〉 ]
       ]) (Some ? 〈0, 〈0, (Stub ? ?)〉〉) l.

definition sigma0: pseudo_assembly_program → option (nat × (nat × (BitVectorTrie Word 16)))
 ≝ λprog.sigma00 prog (\snd prog).

definition tech_pc_sigma00: pseudo_assembly_program → list labelled_instruction → option (nat × nat) ≝
 λprogram,instr_list.
  match sigma00 program instr_list with
   [ None ⇒ None …
   | Some result ⇒
      let 〈ppc,pc_sigma_map〉 ≝ result in
      let 〈pc,map〉 ≝ pc_sigma_map in
       Some … 〈ppc,pc〉 ].

definition sigma_safe: pseudo_assembly_program → option (Word → Word) ≝       
 λinstr_list.
  match sigma0 instr_list with
  [ None ⇒ None ?
  | Some result ⇒
    let 〈ppc,pc_sigma_map〉 ≝ result in
    let 〈pc, sigma_map〉 ≝ pc_sigma_map in
      if gtb pc (2^16) then
        None ?
      else
        Some ? (λx.lookup ?? x sigma_map (zero …)) ].

(* stuff about policy *)

lemma policy_ok: ∀p. sigma_safe p ≠ None ….
 #instr_list whd in match (sigma_safe ?) whd in match (sigma0 ?) 
 
definition sigma: pseudo_assembly_program → Word → Word ≝
 λp.
  match sigma_safe p return λr:option (Word → Word). r ≠ None … → Word → Word with
   [ None ⇒ λabs. ⊥
   | Some r ⇒ λ_.r] (policy_ok p).
 cases abs //
qed.

lemma length_append:
 ∀A.∀l1,l2:list A.
  |l1 @ l2| = |l1| + |l2|.
 #A #l1 elim l1
  [ //
  | #hd #tl #IH #l2 normalize <IH //]
qed.

let rec does_not_occur (id:Identifier) (l:list labelled_instruction) on l: bool ≝
 match l with
  [ nil ⇒ true
  | cons hd tl ⇒ notb (instruction_matches_identifier id hd) ∧ does_not_occur id tl].

lemma does_not_occur_None:
 ∀id,i,list_instr.
  does_not_occur id (list_instr@[〈None …,i〉]) =
  does_not_occur id list_instr.
 #id #i #list_instr elim list_instr
  [ % | #hd #tl #IH whd in ⊢ (??%%) >IH %]
qed.

lemma does_not_occur_Some:
 ∀id,id',i,list_instr.
  eq_bv ? id' id = false →
   does_not_occur id (list_instr@[〈Some ? id',i〉]) =
    does_not_occur id list_instr.
 #id #id' #i #list_instr elim list_instr
  [ #H normalize in H ⊢ %; >H %
  | * #x #i' #tl #IH #H whd in ⊢ (??%%) >(IH H) %]
qed.

lemma does_not_occur_absurd:
 ∀id,i,list_instr.
  does_not_occur id (list_instr@[〈Some ? id,i〉]) = false.
 #id #i #list_instr elim list_instr
  [ normalize change with (if (if eq_bv ??? then ? else ?) then ? else ? = ?)
    >eq_bv_refl %
  | * #x #i' #tl #IH whd in ⊢ (??%%) >IH cases (notb ?) %]
qed.

let rec occurs_exactly_once (id:Identifier) (l:list labelled_instruction) on l : bool ≝
 match l with
  [ nil ⇒ false
  | cons hd tl ⇒
     if instruction_matches_identifier id hd then
      does_not_occur id tl
     else
      occurs_exactly_once id tl ].

lemma occurs_exactly_once_None:
 ∀id,i,list_instr.
  occurs_exactly_once id (list_instr@[〈None …,i〉]) =
  occurs_exactly_once id list_instr.
 #id #i #list_instr elim list_instr
  [ % | #hd #tl #IH whd in ⊢ (??%%) >IH >does_not_occur_None %]
qed.

lemma occurs_exactly_once_Some:
 ∀id,id',i,prefix.
  occurs_exactly_once id (prefix@[〈Some ? id',i〉]) → eq_bv ? id' id ∨ occurs_exactly_once id prefix.
 #id #id' #i #prefix elim prefix
  [ whd in ⊢ (?% → ?) whd in ⊢ (?(match % with [_ ⇒ ? | _ ⇒ ?]) → ?)
    change with (? → eq_v ?? eq_b id' id ∨ ?) cases (eq_v ?????) normalize nodelta; /2/
  | *; #he #i' #tl #IH whd in ⊢ (?% → ?) whd in ⊢ (?(match % with [_ ⇒ ? | _ ⇒ ?]) → ?)
    cases he; normalize nodelta
     [ #H @ (IH H)
     | #x whd in ⊢ (? → ?(??%)) whd in match (instruction_matches_identifier ??)
       change in match (eq_v ???x id) with (eq_bv ? x id) cases (eq_bv ???) normalize nodelta;
       [generalize in match (refl … (eq_bv 16 id' id)) cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta;
        /2/ #H >does_not_occur_Some //
       | #H @IH @H]]]
qed.

lemma index_of_internal_None: ∀i,id,instr_list,n.
 occurs_exactly_once id (instr_list@[〈None …,i〉]) →
  index_of_internal ? (instruction_matches_identifier id) instr_list n =
   index_of_internal ? (instruction_matches_identifier id) (instr_list@[〈None …,i〉]) n.
 #i #id #instr_list elim instr_list
  [ #n #abs whd in abs; cases abs
  | #hd #tl #IH #n whd in ⊢ (% → ??%%); whd in ⊢ (match % with [_ ⇒ ? | _ ⇒ ?] → ?)
    cases (instruction_matches_identifier id hd) whd in ⊢ (match % with [_ ⇒ ? | _ ⇒ ?] → ??%%)
    [ #H %
    | #H @IH whd in H; cases (occurs_exactly_once ??) in H ⊢ %
      [ #_ % | #abs cases abs ]]]
qed.

lemma index_of_internal_Some_miss: ∀i,id,id'.
 eq_bv ? id' id = false →
 ∀instr_list,n.
 occurs_exactly_once id (instr_list@[〈Some ? id',i〉]) →
  index_of_internal ? (instruction_matches_identifier id) instr_list n =
   index_of_internal ? (instruction_matches_identifier id) (instr_list@[〈Some ? id',i〉]) n.
 #i #id #id' #EQ #instr_list #n #H generalize in match (occurs_exactly_once_Some … H) in ⊢ ?; >EQ
 change with (occurs_exactly_once ?? → ?) generalize in match n; -n H; elim instr_list
  [ #n #abs cases abs
  | #hd #tl #IH #n whd in ⊢ (?% → ??%%) cases (instruction_matches_identifier id hd) normalize nodelta;
    [ // | #K @IH //]]
qed.

lemma index_of_internal_Some_hit: ∀i,id.
 ∀instr_list,n.
  occurs_exactly_once id (instr_list@[〈Some ? id,i〉]) →
   index_of_internal ? (instruction_matches_identifier id) (instr_list@[〈Some ? id,i〉]) n
  = |instr_list| + n.
 #i #id #instr_list elim instr_list
  [ #n #_ whd in ⊢ (??%%) change with (if eq_bv … id id then ? else ? = ?) >eq_bv_refl %
  | #hd #tl #IH #n whd in ⊢ (?% → ??%%) cases (instruction_matches_identifier id hd) normalize nodelta;
    [ >does_not_occur_absurd #abs cases abs | #H applyS (IH (S n)) //]]
qed.

lemma address_of_word_labels_code_mem_None: ∀i,id,instr_list.
 occurs_exactly_once id (instr_list@[〈None …,i〉]) →
  address_of_word_labels_code_mem instr_list id =
  address_of_word_labels_code_mem (instr_list@[〈None …,i〉]) id.
 #i #id #instr_list #H whd in ⊢ (??%%) whd in ⊢ (??(??%?)(??%?))
 >(index_of_internal_None … H) %
qed.

lemma address_of_word_labels_code_mem_Some_miss: ∀i,id,id',instr_list.
 eq_bv ? id' id = false →
  occurs_exactly_once id (instr_list@[〈Some ? id',i〉]) →
   address_of_word_labels_code_mem instr_list id =
   address_of_word_labels_code_mem (instr_list@[〈Some … id',i〉]) id.
 #i #id #id' #instr_list #EQ #H whd in ⊢ (??%%) whd in ⊢ (??(??%?)(??%?))
 >(index_of_internal_Some_miss … H) //
qed.

lemma address_of_word_labels_code_mem_Some_hit: ∀i,id,instr_list.
  occurs_exactly_once id (instr_list@[〈Some ? id,i〉]) →
   address_of_word_labels_code_mem (instr_list@[〈Some … id,i〉]) id
   = bitvector_of_nat … (|instr_list|).
 #i #id #instr_list #H whd in ⊢ (??%%) whd in ⊢ (??(??%?)?)
 >(index_of_internal_Some_hit … H) //
qed.

axiom tech_pc_sigma00_append_Some:
 ∀program,prefix,costs,label,i,pc',code,ppc,pc.
  tech_pc_sigma00 program prefix = Some … 〈ppc,pc〉 →
   construct_costs program … ppc pc (λx.zero 16) (λx. zero 16) costs i = Some … 〈pc',code〉 →
    tech_pc_sigma00 program (prefix@[〈label,i〉]) = Some … 〈S ppc,pc'〉.

axiom tech_pc_sigma00_append_None:
 ∀program,prefix,i,ppc,pc,costs.
  tech_pc_sigma00 program prefix = Some … 〈ppc,pc〉 →
   construct_costs program … ppc pc (λx.zero 16) (λx. zero 16) costs i = None …
    → False.

lemma eq_false_to_notb: ∀b. b = false → ¬ b.
 *; //
qed.

lemma eq_bv_sym: ∀n,v1,v2. eq_bv n v1 v2 = eq_bv n v2 v1.
 #n #v1 #v2 @(eq_bv_elim … v1 v2) [// | #H >eq_bv_false /2/]
qed.

example sigma_0: ∀p. sigma p (bitvector_of_nat ? 0) = bitvector_of_nat ? 0.
 cases daemon.
qed.

axiom construct_costs_sigma:
 ∀p,ppc,pc,pc',costs,costs',i.
  bitvector_of_nat ? pc = sigma p (bitvector_of_nat ? ppc) →
   Some … 〈pc',costs'〉 = construct_costs p ppc pc (λx.zero 16) (λx.zero 16) costs i →
    bitvector_of_nat ? pc' = sigma p (bitvector_of_nat 16 (S ppc)).

definition build_maps' ≝
  λpseudo_program.
  let result ≝
   foldl_strong
    (option Identifier × pseudo_instruction)
    (λpre. Σres:((BitVectorTrie Word 16) × (nat × (nat × (BitVectorTrie Word 16)))).
      let 〈labels,ppc_pc_costs〉 ≝ res in
      let 〈ppc',pc_costs〉 ≝ ppc_pc_costs in
      let 〈pc',costs〉 ≝ pc_costs in
       bitvector_of_nat ? pc' = sigma pseudo_program (bitvector_of_nat ? ppc') ∧
       ppc' = length … pre ∧
       tech_pc_sigma00 pseudo_program pre = Some ? 〈ppc',pc'〉 ∧
       ∀id. occurs_exactly_once id pre →
        lookup ?? id labels (zero …) = sigma pseudo_program (address_of_word_labels_code_mem pre id))
    (\snd pseudo_program)
    (λprefix,i,tl,prf,t.
      let 〈labels, ppc_pc_costs〉 ≝ t in
      let 〈ppc, pc_costs〉 ≝ ppc_pc_costs in
      let 〈pc,costs〉 ≝ pc_costs in
       let 〈label, i'〉 ≝ i in
       let labels ≝
         match label with
         [ None ⇒ labels
         | Some label ⇒
           let program_counter_bv ≝ bitvector_of_nat ? pc in
             insert ? ? label program_counter_bv labels
         ]
       in
         match construct_costs pseudo_program ppc pc (λx. zero ?) (λx. zero ?) costs i' with
         [ None ⇒
            let dummy ≝ 〈labels,ppc_pc_costs〉 in
             dummy
         | Some construct ⇒ 〈labels, 〈S ppc,construct〉〉
         ]
    ) 〈(Stub ? ?), 〈0, 〈0, Stub ? ?〉〉〉
  in
   let 〈labels, ppc_pc_costs〉 ≝ result in
   let 〈ppc,pc_costs〉 ≝ ppc_pc_costs in
   let 〈pc, costs〉 ≝ pc_costs in
    〈labels, costs〉.
 [3: whd % [% [%]] // [>sigma_0//] #id normalize in ⊢ (% → ?) #abs @⊥ //
 | whd generalize in match (sig2 … t) >p >p1 >p2 >p3 * * * #IHn1 #IH0 #IH1 #IH2
   cases construct in p4 #PC #CODE #JMEQ % [% [%]]
   [ @(construct_costs_sigma … IHn1) [4: <JMEQ % |*: skip]
   | >length_append <IH0 normalize; -IHn1; (*CSC: otherwise it diverges!*) //
   | @(tech_pc_sigma00_append_Some … IH1 (jmeq_to_eq … JMEQ))
   | #id normalize nodelta; -labels1; cases label; normalize nodelta
     [ #K <address_of_word_labels_code_mem_None [2:@K] @IH2 -IHn1; (*CSC: otherwise it diverges!*) //
     | #l #H generalize in match (occurs_exactly_once_Some ???? H) in ⊢ ?;
       generalize in match (refl … (eq_bv ? l id)); cases (eq_bv … l id) in ⊢ (???% → %)
        [ #EQ #_ <(eq_bv_to_eq … EQ) >lookup_insert_hit >address_of_word_labels_code_mem_Some_hit 
          <IH0 [@IHn1 | <(eq_bv_to_eq … EQ) in H #H @H] 
        | #EQ change with (occurs_exactly_once ?? → ?) #K >lookup_insert_miss [2: -IHn1; /2/]
          <(address_of_word_labels_code_mem_Some_miss … EQ … H) @IH2 -IHn1; //]]]
 | (* dummy case *) @⊥ generalize in match (sig2 … t) >p >p1 >p2 >p3 * *; #IH0 #IH1 #IH2 
   @(tech_pc_sigma00_append_None … IH1 (jmeq_to_eq ??? p4)) ]
qed.

lemma build_maps_ok:
 ∀p:pseudo_assembly_program.
  let 〈labels,costs〉 ≝ build_maps' p in
   ∀pc.
    (nat_of_bitvector … pc) < length … (\snd p) →
     lookup ?? pc labels (zero …) = sigma p (\snd (fetch_pseudo_instruction (\snd p) pc)).
 #p cases p #preamble #instr_list
  elim instr_list
   [ whd #pc #abs normalize in abs; cases (not_le_Sn_O ?) [#H cases (H abs) ]
   | #hd #tl #IH 
    whd in ⊢ (match % with [ _ ⇒ ?])
   ]
qed.
*)

(*
lemma rev_preserves_length:
 ∀A.∀l. length … (rev A l) = length … l.
  #A #l elim l
   [ %
   | #hd #tl #IH normalize >length_append normalize /2/ ]
qed.

lemma rev_append:
 ∀A.∀l1,l2.
  rev A (l1@l2) = rev A l2 @ rev A l1.
 #A #l1 elim l1 normalize //
qed.
  
lemma rev_rev: ∀A.∀l. rev … (rev A l) = l.
 #A #l elim l
  [ //
  | #hd #tl #IH normalize >rev_append normalize // ]
qed.

lemma split_len_Sn:
 ∀A:Type[0].∀l:list A.∀len.
  length … l = S len →
   Σl'.Σa. l = l'@[a] ∧ length … l' = len.
 #A #l elim l
  [ normalize #len #abs destruct
  | #hd #tl #IH #len
    generalize in match (rev_rev … tl)
    cases (rev A tl) in ⊢ (??%? → ?)
     [ #H <H normalize #EQ % [@[ ]] % [@hd] normalize /2/  
     | #a #l' #H <H normalize #EQ 
      %[@(hd::rev … l')] %[@a] % //
      >length_append in EQ #EQ normalize in EQ; normalize;
      generalize in match (injective_S … EQ) #EQ2 /2/ ]]
qed.

lemma list_elim_rev:
 ∀A:Type[0].∀P:list A → Type[0].
  P [ ] → (∀l,a. P l → P (l@[a])) →
   ∀l. P l.
 #A #P #H1 #H2 #l
 generalize in match (refl … (length … l))
 generalize in ⊢ (???% → ?) #n generalize in match l
 elim n
  [ #L cases L [ // | #x #w #abs (normalize in abs) @⊥ // ]
  | #m #IH #L #EQ
    cases (split_len_Sn … EQ) #l' * #a * /3/ ]
qed.

axiom is_prefix: ∀A:Type[0]. list A → list A → Prop.
axiom prefix_of_append:
 ∀A:Type[0].∀l,l1,l2:list A.
  is_prefix … l l1 → is_prefix … l (l1@l2).
axiom prefix_reflexive: ∀A,l. is_prefix A l l.
axiom nil_prefix: ∀A,l. is_prefix A [ ] l.

record Propify (A:Type[0]) : Type[0] (*Prop*) ≝ { in_propify: A }.

definition Propify_elim: ∀A. ∀P:Prop. (A → P) → (Propify A → P) ≝
 λA,P,H,x. match x with [ mk_Propify p ⇒ H p ].

definition app ≝
 λA:Type[0].λl1:Propify (list A).λl2:list A.
  match l1 with
   [ mk_Propify l1 ⇒ mk_Propify … (l1@l2) ].

lemma app_nil: ∀A,l1. app A l1 [ ] = l1.
 #A * /3/
qed.

lemma app_assoc: ∀A,l1,l2,l3. app A (app A l1 l2) l3 = app A l1 (l2@l3).
 #A * #l1 normalize //
qed. 

let rec foldli (A: Type[0]) (B: Propify (list A) → Type[0])
 (f: ∀prefix. B prefix → ∀x.B (app … prefix [x]))
 (prefix: Propify (list A)) (b: B prefix) (l: list A) on l :
 B (app … prefix l) ≝
  match l with
  [ nil ⇒ ? (* b *)
  | cons hd tl ⇒ ? (*foldli A B f (prefix@[hd]) (f prefix b hd) tl*)
  ].
 [ applyS b
 | <(app_assoc ?? [hd]) @(foldli A B f (app … prefix [hd]) (f prefix b hd) tl) ]
qed.

(*
let rec foldli (A: Type[0]) (B: list A → Type[0]) (f: ∀prefix. B prefix → ∀x. B (prefix@[x]))
 (prefix: list A) (b: B prefix) (l: list A) on l : B (prefix@l) ≝
  match l with
  [ nil ⇒ ? (* b *)
  | cons hd tl ⇒
     ? (*foldli A B f (prefix@[hd]) (f prefix b hd) tl*)
  ].
 [ applyS b
 | applyS (foldli A B f (prefix@[hd]) (f prefix b hd) tl) ]
qed.
*)

definition foldll:
 ∀A:Type[0].∀B: Propify (list A) → Type[0].
  (∀prefix. B prefix → ∀x. B (app … prefix [x])) →
   B (mk_Propify … []) → ∀l: list A. B (mk_Propify … l)
 ≝ λA,B,f. foldli A B f (mk_Propify … [ ]).

axiom is_pprefix: ∀A:Type[0]. Propify (list A) → list A → Prop.
axiom pprefix_of_append:
 ∀A:Type[0].∀l,l1,l2.
  is_pprefix A l l1 → is_pprefix A l (l1@l2).
axiom pprefix_reflexive: ∀A,l. is_pprefix A (mk_Propify … l) l.
axiom nil_pprefix: ∀A,l. is_pprefix A (mk_Propify … [ ]) l.


axiom foldll':
 ∀A:Type[0].∀l: list A.
  ∀B: ∀prefix:Propify (list A). is_pprefix ? prefix l → Type[0].
  (∀prefix,proof. B prefix proof → ∀x,proof'. B (app … prefix [x]) proof') →
   B (mk_Propify … [ ]) (nil_pprefix …) → B (mk_Propify … l) (pprefix_reflexive … l).
 #A #l #B
 generalize in match (foldll A (λprefix. is_pprefix ? prefix l)) #HH
 
 
  #H #acc
 @foldll
  [
  |
  ]
 
 ≝ λA,B,f. foldli A B f (mk_Propify … [ ]).


(*
record subset (A:Type[0]) (P: A → Prop): Type[0] ≝
 { subset_wit:> A;
   subset_proof: P subset_wit
 }.
*)

definition build_maps' ≝
  λpseudo_program.
  let 〈preamble,instr_list〉 ≝ pseudo_program in
  let result ≝
   foldll
    (option Identifier × pseudo_instruction)
    (λprefix.
      Σt:((BitVectorTrie Word 16) × (nat × (BitVectorTrie Word 16))).
       match prefix return λ_.Prop with [mk_Propify prefix ⇒ tech_pc_sigma0 〈preamble,prefix〉 ≠ None ?])
    (λprefix,t,i.
      let 〈labels, pc_costs〉 ≝ t in
      let 〈program_counter, costs〉 ≝ pc_costs in
       let 〈label, i'〉 ≝ i in
       let labels ≝
         match label with
         [ None ⇒ labels
         | Some label ⇒
           let program_counter_bv ≝ bitvector_of_nat ? program_counter in
             insert ? ? label program_counter_bv labels
         ]
       in
         match construct_costs pseudo_program program_counter (λx. zero ?) (λx. zero ?) costs i' with
         [ None ⇒
            let dummy ≝ 〈labels,pc_costs〉 in
              dummy
         | Some construct ⇒ 〈labels, construct〉
         ]
    ) 〈(Stub ? ?), 〈0, (Stub ? ?)〉〉 instr_list
  in
   let 〈labels, pc_costs〉 ≝ result in
   let 〈pc, costs〉 ≝ pc_costs in
    〈labels, costs〉.
 [
 | @⊥ 
 | normalize % // 
 ]
qed.

definition build_maps' ≝
  λpseudo_program.
  let 〈preamble,instr_list〉 ≝ pseudo_program in
  let result ≝
   foldl
    (Σt:((BitVectorTrie Word 16) × (nat × (BitVectorTrie Word 16))).
          ∃instr_list_prefix. is_prefix ? instr_list_prefix instr_list ∧
           tech_pc_sigma0 〈preamble,instr_list_prefix〉 = Some ? (\fst (\snd t)))
    (Σi:option Identifier × pseudo_instruction. ∀instr_list_prefix.
          let instr_list_prefix' ≝ instr_list_prefix @ [i] in
           is_prefix ? instr_list_prefix' instr_list →
           tech_pc_sigma0 〈preamble,instr_list_prefix'〉 ≠ None ?)
    (λt: Σt:((BitVectorTrie Word 16) × (nat × (BitVectorTrie Word 16))).
          ∃instr_list_prefix. is_prefix ? instr_list_prefix instr_list ∧
           tech_pc_sigma0 〈preamble,instr_list_prefix〉 = Some ? (\fst (\snd t)).
     λi: Σi:option Identifier × pseudo_instruction. ∀instr_list_prefix.
          let instr_list_prefix' ≝ instr_list_prefix @ [i] in
           is_prefix ? instr_list_prefix' instr_list →
           tech_pc_sigma0 〈preamble,instr_list_prefix'〉 ≠ None ? .
      let 〈labels, pc_costs〉 ≝ t in
      let 〈program_counter, costs〉 ≝ pc_costs in
       let 〈label, i'〉 ≝ i in
       let labels ≝
         match label with
         [ None ⇒ labels
         | Some label ⇒
           let program_counter_bv ≝ bitvector_of_nat ? program_counter in
             insert ? ? label program_counter_bv labels
         ]
       in
         match construct_costs pseudo_program program_counter (λx. zero ?) (λx. zero ?) costs i' with
         [ None ⇒
            let dummy ≝ 〈labels,pc_costs〉 in
              dummy
         | Some construct ⇒ 〈labels, construct〉
         ]
    ) 〈(Stub ? ?), 〈0, (Stub ? ?)〉〉 ?(*instr_list*)
  in
   let 〈labels, pc_costs〉 ≝ result in
   let 〈pc, costs〉 ≝ pc_costs in
    〈labels, costs〉.
 [4: @(list_elim_rev ?
       (λinstr_list. list (
        (Σi:option Identifier × pseudo_instruction. ∀instr_list_prefix.
          let instr_list_prefix' ≝ instr_list_prefix @ [i] in
           is_prefix ? instr_list_prefix' instr_list →
           tech_pc_sigma0 〈preamble,instr_list_prefix'〉 ≠ None ?)))
       ?? instr_list) (* CSC: BAD ORDER FOR CODE EXTRACTION *)
      [ @[ ]
      | #l' #a #limage %2
        [ %[@a] #PREFIX #PREFIX_OK 
        | (* CSC: EVEN WORST CODE FOR EXTRACTION: WE SHOULD STRENGTHEN
             THE INDUCTION HYPOTHESIS INSTEAD *)
          elim limage
           [ %1
           | #HD #TL #IH @(?::IH) cases HD #ELEM #K1 %[@ELEM] #K2 #K3
             @K1 @(prefix_of_append ???? K3)
           ]  
        ] 
        
       
     
 
  cases t in c2 ⊢ % #t' * #LIST_PREFIX * #H1t' #H2t' #HJMt'
     % [@ (LIST_PREFIX @ [i])] %
      [ cases (sig2 … i LIST_PREFIX) #K1 #K2 @K1
      | (* DOABLE IN PRINCIPLE *)
      ]
 | (* assert false case *)
 |3: % [@ ([ ])] % [2: % | (* DOABLE *)]
 |   
*)

axiom assembly_ok:
 ∀program,assembled,costs,labels.
  Some … 〈labels,costs〉 = build_maps program →
  Some … 〈assembled,costs〉 = assembly program →
  let code_memory ≝ load_code_memory assembled in
  let preamble ≝ \fst program in
  let datalabels ≝ construct_datalabels preamble in
  let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
  let lookup_datalabels ≝ λx. lookup ?? x datalabels (zero ?) in
   ∀ppc,len,assembledi.
    let 〈pi,newppc〉 ≝ fetch_pseudo_instruction (\snd program) ppc in
     Some … 〈len,assembledi〉 = assembly_1_pseudoinstruction program ppc (sigma program ppc) lookup_labels lookup_datalabels pi →
      encoding_check code_memory (sigma program ppc) (bitvector_of_nat … (nat_of_bitvector … (sigma program ppc) + len)) assembledi ∧
       sigma program newppc = bitvector_of_nat … (nat_of_bitvector … (sigma program ppc) + len).

axiom bitvector_of_nat_nat_of_bitvector:
  ∀n,v.
    bitvector_of_nat n (nat_of_bitvector n v) = v.

axiom assembly_ok_to_expand_pseudo_instruction_ok:
 ∀program,assembled,costs.
  Some … 〈assembled,costs〉 = assembly program →
   ∀ppc.
    let code_memory ≝ load_code_memory assembled in
    let preamble ≝ \fst program in   
    let data_labels ≝ construct_datalabels preamble in
    let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
    let lookup_datalabels ≝ λx. lookup ? ? x data_labels (zero ?) in
    let expansion ≝ jump_expansion ppc program in
    let 〈pi,newppc〉 ≝ fetch_pseudo_instruction (\snd program) ppc in
     ∃instructions.
      Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (sigma program ppc) expansion pi.

lemma fetch_assembly_pseudo2:
 ∀program,assembled,costs,labels.
  Some … 〈labels,costs〉 = build_maps program →
  Some … 〈assembled,costs〉 = assembly program →
   ∀ppc.
    let code_memory ≝ load_code_memory assembled in
    let preamble ≝ \fst program in
    let data_labels ≝ construct_datalabels preamble in
    let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
    let lookup_datalabels ≝ λx. lookup ? ? x data_labels (zero ?) in
    let expansion ≝ jump_expansion ppc program in
    let 〈pi,newppc〉 ≝ fetch_pseudo_instruction (\snd program) ppc in
     ∃instructions.
      Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (sigma program ppc) expansion pi ∧
       fetch_many code_memory (sigma program newppc) (sigma program ppc) instructions.
 #program #assembled #costs #labels #BUILD_MAPS #ASSEMBLY #ppc
 generalize in match (assembly_ok_to_expand_pseudo_instruction_ok program assembled costs ASSEMBLY ppc)
 letin code_memory ≝ (load_code_memory assembled)
 letin preamble ≝ (\fst program)
 letin data_labels ≝ (construct_datalabels preamble)
 letin lookup_labels ≝ (λx. sigma program (address_of_word_labels_code_mem (\snd program) x))
 letin lookup_datalabels ≝ (λx. lookup ? ? x data_labels (zero ?))
 whd in ⊢ (% → %)
 generalize in match (assembly_ok … BUILD_MAPS ASSEMBLY ppc)
 cases (fetch_pseudo_instruction (\snd program) ppc) #pi #newppc
 generalize in match (fetch_assembly_pseudo program ppc
  (λx. sigma program (address_of_word_labels_code_mem (\snd program) x)) (λx. lookup ?? x data_labels (zero ?)) pi
  (load_code_memory assembled));
 whd in ⊢ ((∀_.∀_.∀_.∀_.%) → (∀_.∀_.%) → % → %) #H1 #H2 * #instructions #EXPAND
 whd in H1:(∀_.∀_.∀_.∀_.? → ???% → ?) H2:(∀_.∀_.???% → ?);
 normalize nodelta in EXPAND; (* HERE *)
 generalize in match (λlen, assembled.H1 len assembled instructions (nat_of_bitvector … (sigma program ppc))) -H1; #H1
 >bitvector_of_nat_nat_of_bitvector in H1; #H1
 <EXPAND in H1 H2; whd in ⊢ ((∀_.∀_.? → ???% → ?) → (∀_.∀_.???% → ?) → ?)
 #H1 #H2
 cases (H2 ?? (refl …)) -H2; #K1 #K2 >K2
 generalize in match (H1 ?? (refl …) (refl …) ?) -H1;
  [ #K3 % [2: % [% | @K3]] | @K1 ]
qed.

(* OLD?
definition assembly_specification:
  ∀assembly_program: pseudo_assembly_program.
  ∀code_mem: BitVectorTrie Byte 16. Prop ≝
  λpseudo_assembly_program.
  λcode_mem.
    ∀pc: Word.
      let 〈preamble, instr_list〉 ≝ pseudo_assembly_program in
      let 〈pre_instr, pre_new_pc〉 ≝ fetch_pseudo_instruction instr_list pc in
      let labels ≝ λx. sigma' pseudo_assembly_program (address_of_word_labels_code_mem instr_list x) in
      let datalabels ≝ λx. sigma' pseudo_assembly_program (lookup ? ? x (construct_datalabels preamble) (zero ?)) in
      let pre_assembled ≝ assembly_1_pseudoinstruction pseudo_assembly_program
       (sigma' pseudo_assembly_program pc) labels datalabels pre_instr in
      match pre_assembled with
       [ None ⇒ True
       | Some pc_code ⇒
          let 〈new_pc,code〉 ≝ pc_code in
           encoding_check code_mem pc (sigma' pseudo_assembly_program pre_new_pc) code ].

axiom assembly_meets_specification:
  ∀pseudo_assembly_program.
    match assembly pseudo_assembly_program with
    [ None ⇒ True
    | Some code_mem_cost ⇒
      let 〈code_mem, cost〉 ≝ code_mem_cost in
        assembly_specification pseudo_assembly_program (load_code_memory code_mem)
    ].
(*
  # PROGRAM
  [ cases PROGRAM
    # PREAMBLE
    # INSTR_LIST
    elim INSTR_LIST
    [ whd
      whd in ⊢ (∀_. %)
      # PC
      whd
    | # INSTR
      # INSTR_LIST_TL
      # H
      whd
      whd in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ?])
    ]
  | cases not_implemented
  ] *)
*)

definition internal_pseudo_address_map ≝ list (BitVector 8).

axiom low_internal_ram_of_pseudo_low_internal_ram:
 ∀M:internal_pseudo_address_map.∀ram:BitVectorTrie Byte 7.BitVectorTrie Byte 7.

axiom high_internal_ram_of_pseudo_high_internal_ram:
 ∀M:internal_pseudo_address_map.∀ram:BitVectorTrie Byte 7.BitVectorTrie Byte 7.

axiom low_internal_ram_of_pseudo_internal_ram_hit:
 ∀M:internal_pseudo_address_map.∀s:PseudoStatus.∀addr:BitVector 7.
  member ? (eq_bv 8) (false:::addr) M = true →
   let ram ≝ low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … s) in 
   let pbl ≝ lookup ? 7 addr (low_internal_ram ? s) (zero 8) in
   let pbu ≝ lookup ? 7 (\snd (half_add ? addr (bitvector_of_nat 7 1))) (low_internal_ram ? s) (zero 8) in
   let bl ≝ lookup ? 7 addr ram (zero 8) in
   let bu ≝ lookup ? 7 (\snd (half_add ? addr (bitvector_of_nat 7 1))) ram (zero 8) in
    bu@@bl = sigma (code_memory … s) (pbu@@pbl).

(* changed from add to sub *)
axiom low_internal_ram_of_pseudo_internal_ram_miss:
 ∀T.∀M:internal_pseudo_address_map.∀s:PreStatus T.∀addr:BitVector 7.
  let ram ≝ low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … s) in 
  let 〈Saddr,flags〉 ≝ sub_7_with_carry addr (bitvector_of_nat 7 1) false in
  let carr ≝ get_index_v ? ? flags 1 ? in
  carr = false →
  member ? (eq_bv 8) (false:::Saddr) M = false →
   member ? (eq_bv 8) (false:::addr) M = false →
    lookup ? 7 addr ram (zero ?) = lookup ? 7 addr (low_internal_ram … s) (zero ?).
  //
qed.

definition addressing_mode_ok ≝
 λT.λM:internal_pseudo_address_map.λs:PreStatus T.
  λaddr:addressing_mode.
   match addr with
    [ DIRECT d ⇒
       ¬(member ? (eq_bv 8) d M) ∧
       ¬(member ? (eq_bv 8) (\fst (sub_8_with_carry d (bitvector_of_nat 8 1) false)) M)
    | INDIRECT i ⇒
       let d ≝ get_register ? s [[false;false;i]] in
       ¬(member ? (eq_bv 8) d M) ∧
       ¬(member ? (eq_bv 8) (\fst (sub_8_with_carry d (bitvector_of_nat 8 1) false)) M)
    | EXT_INDIRECT _ ⇒ true
    | REGISTER _ ⇒ true
    | ACC_A ⇒ true
    | ACC_B ⇒ true
    | DPTR ⇒ true
    | DATA _ ⇒ true
    | DATA16 _ ⇒ true
    | ACC_DPTR ⇒ true
    | ACC_PC ⇒ true
    | EXT_INDIRECT_DPTR ⇒ true
    | INDIRECT_DPTR ⇒ true
    | CARRY ⇒ true
    | BIT_ADDR _ ⇒ ¬true (* TO BE COMPLETED *)
    | N_BIT_ADDR _ ⇒ ¬true (* TO BE COMPLETED *)
    | RELATIVE _ ⇒ true
    | ADDR11 _ ⇒ true
    | ADDR16 _ ⇒ true ].
    
definition next_internal_pseudo_address_map0 ≝
  λT.
  λfetched.
  λM: internal_pseudo_address_map.
  λs: PreStatus T.
   match fetched with
    [ Comment _ ⇒ Some ? M
    | Cost _ ⇒ Some … M
    | Jmp _ ⇒ Some … M
    | Call _ ⇒
       Some … (\snd (half_add ? (get_8051_sfr … s SFR_SP) (bitvector_of_nat 8 1))::M)
    | Mov _ _ ⇒ Some … M
    | Instruction instr ⇒
       match instr with
        [ ADD addr1 addr2 ⇒
           if addressing_mode_ok T M s addr1 ∧ addressing_mode_ok T M s addr2 then
            Some ? M
           else
            None ?
        | ADDC addr1 addr2 ⇒ 
           if addressing_mode_ok T M s addr1 ∧ addressing_mode_ok T M s addr2 then
            Some ? M
           else
            None ?
        | SUBB addr1 addr2 ⇒
           if addressing_mode_ok T M s addr1 ∧ addressing_mode_ok T M s addr2 then
            Some ? M
           else
            None ?        
        | _ ⇒ (* TO BE COMPLETED *) Some ? M ]].
  

definition next_internal_pseudo_address_map ≝
 λM:internal_pseudo_address_map.
  λs:PseudoStatus.
    next_internal_pseudo_address_map0 ?
     (\fst (fetch_pseudo_instruction (\snd (code_memory ? s)) (program_counter ? s))) M s.
    
definition status_of_pseudo_status:
 internal_pseudo_address_map → PseudoStatus → option Status ≝
 λM,ps.
  let pap ≝ code_memory … ps in
   match assembly pap with
    [ None ⇒ None …
    | Some p ⇒
       let cm ≝ load_code_memory (\fst p) in
       let pc ≝ sigma pap (program_counter ? ps) in
       let lir ≝ low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … ps) in
       let hir ≝ high_internal_ram_of_pseudo_high_internal_ram M (high_internal_ram … ps) in
        Some …
         (mk_PreStatus (BitVectorTrie Byte 16)
           cm
           lir
           hir
           (external_ram … ps)
           pc
           (special_function_registers_8051 … ps)
           (special_function_registers_8052 … ps)
           (p1_latch … ps)
           (p3_latch … ps)
           (clock … ps)) ].

(*
definition write_at_stack_pointer':
 ∀M. ∀ps: PreStatus M. Byte → Σps':PreStatus M.(code_memory … ps = code_memory … ps') ≝
  λM: Type[0].
  λs: PreStatus M.
  λv: Byte.
    let 〈 nu, nl 〉 ≝ split … 4 4 (get_8051_sfr ? s SFR_SP) in
    let bit_zero ≝ get_index_v… nu O ? in
    let bit_1 ≝ get_index_v… nu 1 ? in
    let bit_2 ≝ get_index_v… nu 2 ? in
    let bit_3 ≝ get_index_v… nu 3 ? in
      if bit_zero then
        let memory ≝ insert … ([[ bit_1 ; bit_2 ; bit_3 ]] @@ nl)
                              v (low_internal_ram ? s) in
          set_low_internal_ram ? s memory
      else
        let memory ≝ insert … ([[ bit_1 ; bit_2 ; bit_3 ]] @@ nl)
                              v (high_internal_ram ? s) in
          set_high_internal_ram ? s memory.
  [ cases l0 %
  |2,3,4,5: normalize repeat (@ le_S_S) @ le_O_n ]
qed.

definition execute_1_pseudo_instruction': (Word → nat) → ∀ps:PseudoStatus.
 Σps':PseudoStatus.(code_memory … ps = code_memory … ps')
≝
  λticks_of.
  λs.
  let 〈instr, pc〉 ≝ fetch_pseudo_instruction (\snd (code_memory ? s)) (program_counter ? s) in
  let ticks ≝ ticks_of (program_counter ? s) in
  let s ≝ set_clock ? s (clock ? s + ticks) in
  let s ≝ set_program_counter ? s pc in
    match instr with
    [ Instruction instr ⇒
       execute_1_preinstruction … (λx, y. address_of_word_labels y x) instr s
    | Comment cmt ⇒ s
    | Cost cst ⇒ s
    | Jmp jmp ⇒ set_program_counter ? s (address_of_word_labels s jmp)
    | Call call ⇒
      let a ≝ address_of_word_labels s call in
      let 〈carry, new_sp〉 ≝ half_add ? (get_8051_sfr ? s SFR_SP) (bitvector_of_nat 8 1) in
      let s ≝ set_8051_sfr ? s SFR_SP new_sp in
      let 〈pc_bu, pc_bl〉 ≝ split ? 8 8 (program_counter ? s) in
      let s ≝ write_at_stack_pointer' ? s pc_bl in
      let 〈carry, new_sp〉 ≝ half_add ? (get_8051_sfr ? s SFR_SP) (bitvector_of_nat 8 1) in
      let s ≝ set_8051_sfr ? s SFR_SP new_sp in
      let s ≝ write_at_stack_pointer' ? s pc_bu in
        set_program_counter ? s a
    | Mov dptr ident ⇒
       set_arg_16 ? s (get_arg_16 ? s (DATA16 (address_of_word_labels s ident))) dptr
    ].
 [
 |2,3,4: %
 | <(sig2 … l7) whd in ⊢ (??? (??%)) <(sig2 … l5) %
 |
 | %
 ]
 cases not_implemented
qed.
*)

axiom execute_1_pseudo_instruction_preserves_code_memory:
 ∀ticks_of,ps.
  code_memory … (execute_1_pseudo_instruction ticks_of ps) = code_memory … ps.

(*
lemma execute_code_memory_unchanged:
 ∀ticks_of,ps. code_memory ? ps = code_memory ? (execute_1_pseudo_instruction ticks_of ps).
 #ticks #ps whd in ⊢ (??? (??%))
 cases (fetch_pseudo_instruction (\snd (code_memory pseudo_assembly_program ps))
  (program_counter pseudo_assembly_program ps)) #instr #pc
 whd in ⊢ (??? (??%)) cases instr
  [ #pre cases pre
     [ #a1 #a2 whd in ⊢ (??? (??%)) cases (add_8_with_carry ???) #y1 #y2 whd in ⊢ (??? (??%))
       cases (split ????) #z1 #z2 %
     | #a1 #a2 whd in ⊢ (??? (??%)) cases (add_8_with_carry ???) #y1 #y2 whd in ⊢ (??? (??%))
       cases (split ????) #z1 #z2 %
     | #a1 #a2 whd in ⊢ (??? (??%)) cases (sub_8_with_carry ???) #y1 #y2 whd in ⊢ (??? (??%))
       cases (split ????) #z1 #z2 %
     | #a1 whd in ⊢ (??? (??%)) cases a1 #x #H whd in ⊢ (??? (??%)) cases x
       [ #x1 whd in ⊢ (??? (??%)) 
     | *: cases not_implemented
     ]
  | #comment %
  | #cost %
  | #label %
  | #label whd in ⊢ (??? (??%)) cases (half_add ???) #x1 #x2 whd in ⊢ (??? (??%))
    cases (split ????) #y1 #y2 whd in ⊢ (??? (??%)) cases (half_add ???) #z1 #z2
    whd in ⊢ (??? (??%)) whd in ⊢ (??? (??%)) cases (split ????) #w1 #w2
    whd in ⊢ (??? (??%)) cases (get_index_v bool ????) whd in ⊢ (??? (??%))
    (* CSC: ??? *)
  | #dptr #label (* CSC: ??? *)
  ]
  cases not_implemented
qed.
*)

lemma status_of_pseudo_status_failure_depends_only_on_code_memory:
 ∀M:internal_pseudo_address_map.
 ∀ps,ps': PseudoStatus.
  code_memory … ps = code_memory … ps' →
   match status_of_pseudo_status M ps with
    [ None ⇒ status_of_pseudo_status M ps' = None …
    | Some _ ⇒ ∃w. status_of_pseudo_status M ps' = Some … w
    ].
 #M #ps #ps' #H whd in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ])
 generalize in match (refl … (assembly (code_memory … ps)))
 cases (assembly ?) in ⊢ (???% → %)
  [ #K whd whd in ⊢ (??%?) <H >K %
  | #x #K whd whd in ⊢ (?? (λ_.??%?)) <H >K % [2: % ] ]
qed.

definition ticks_of0: pseudo_assembly_program → Word → ? → nat × nat ≝
  λprogram: pseudo_assembly_program.
  λppc: Word.
  λfetched.
    match fetched with
    [ Instruction instr ⇒
      match instr with
      [ JC lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | JNC lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | JB bit lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | JNB bit lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | JBC bit lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | JZ lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | JNZ lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | CJNE arg lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | DJNZ arg lbl ⇒
        match jump_expansion ppc program with
        [ short_jump ⇒ 〈2, 2〉
        | medium_jump ⇒ ?
        | long_jump ⇒ 〈4, 4〉
        ]
      | ADD arg1 arg2 ⇒
        let ticks ≝ ticks_of_instruction (ADD ? arg1 arg2) in
         〈ticks, ticks〉
      | ADDC arg1 arg2 ⇒ 
        let ticks ≝ ticks_of_instruction (ADDC ? arg1 arg2) in
         〈ticks, ticks〉
      | SUBB arg1 arg2 ⇒ 
        let ticks ≝ ticks_of_instruction (SUBB ? arg1 arg2) in
         〈ticks, ticks〉
      | INC arg ⇒ 
        let ticks ≝ ticks_of_instruction (INC ? arg) in
         〈ticks, ticks〉
      | DEC arg ⇒ 
        let ticks ≝ ticks_of_instruction (DEC ? arg) in
         〈ticks, ticks〉
      | MUL arg1 arg2 ⇒ 
        let ticks ≝ ticks_of_instruction (MUL ? arg1 arg2) in
         〈ticks, ticks〉
      | DIV arg1 arg2 ⇒ 
        let ticks ≝ ticks_of_instruction (DIV ? arg1 arg2) in
         〈ticks, ticks〉
      | DA arg ⇒ 
        let ticks ≝ ticks_of_instruction (DA ? arg) in
         〈ticks, ticks〉
      | ANL arg ⇒
        let ticks ≝ ticks_of_instruction (ANL ? arg) in
         〈ticks, ticks〉
      | ORL arg ⇒
        let ticks ≝ ticks_of_instruction (ORL ? arg) in
         〈ticks, ticks〉
      | XRL arg ⇒
        let ticks ≝ ticks_of_instruction (XRL ? arg) in
         〈ticks, ticks〉
      | CLR arg ⇒
        let ticks ≝ ticks_of_instruction (CLR ? arg) in
         〈ticks, ticks〉
      | CPL arg ⇒
        let ticks ≝ ticks_of_instruction (CPL ? arg) in
         〈ticks, ticks〉
      | RL arg ⇒
        let ticks ≝ ticks_of_instruction (RL ? arg) in
         〈ticks, ticks〉
      | RLC arg ⇒
        let ticks ≝ ticks_of_instruction (RLC ? arg) in
         〈ticks, ticks〉
      | RR arg ⇒
        let ticks ≝ ticks_of_instruction (RR ? arg) in
         〈ticks, ticks〉
      | RRC arg ⇒
        let ticks ≝ ticks_of_instruction (RRC ? arg) in
         〈ticks, ticks〉
      | SWAP arg ⇒
        let ticks ≝ ticks_of_instruction (SWAP ? arg) in
         〈ticks, ticks〉
      | MOV arg ⇒
        let ticks ≝ ticks_of_instruction (MOV ? arg) in
         〈ticks, ticks〉
      | MOVX arg ⇒
        let ticks ≝ ticks_of_instruction (MOVX ? arg) in
         〈ticks, ticks〉
      | SETB arg ⇒
        let ticks ≝ ticks_of_instruction (SETB ? arg) in
         〈ticks, ticks〉
      | PUSH arg ⇒
        let ticks ≝ ticks_of_instruction (PUSH ? arg) in
         〈ticks, ticks〉
      | POP arg ⇒
        let ticks ≝ ticks_of_instruction (POP ? arg) in
         〈ticks, ticks〉
      | XCH arg1 arg2 ⇒
        let ticks ≝ ticks_of_instruction (XCH ? arg1 arg2) in
         〈ticks, ticks〉
      | XCHD arg1 arg2 ⇒
        let ticks ≝ ticks_of_instruction (XCHD ? arg1 arg2) in
         〈ticks, ticks〉
      | RET ⇒
        let ticks ≝ ticks_of_instruction (RET ?) in
         〈ticks, ticks〉
      | RETI ⇒
        let ticks ≝ ticks_of_instruction (RETI ?) in
         〈ticks, ticks〉
      | NOP ⇒
        let ticks ≝ ticks_of_instruction (NOP ?) in
         〈ticks, ticks〉
      ]
    | Comment comment ⇒ 〈0, 0〉
    | Cost cost ⇒ 〈0, 0〉
    | Jmp jmp ⇒ 〈2, 2〉
    | Call call ⇒ 〈2, 2〉
    | Mov dptr tgt ⇒ 〈2, 2〉
    ].
  cases not_implemented (* policy returned medium_jump for conditional jumping = impossible *)
qed.

definition ticks_of: pseudo_assembly_program → Word → nat × nat ≝
  λprogram: pseudo_assembly_program.
  λppc: Word.
    let 〈preamble, pseudo〉 ≝ program in
    let 〈fetched, new_ppc〉 ≝ fetch_pseudo_instruction pseudo ppc in
     ticks_of0 program ppc fetched.

lemma get_register_set_program_counter:
 ∀T,s,pc. get_register T (set_program_counter … s pc) = get_register … s.
 #T #s #pc %
qed.

lemma get_8051_sfr_set_program_counter:
 ∀T,s,pc. get_8051_sfr T (set_program_counter … s pc) = get_8051_sfr … s.
 #T #s #pc %
qed.

lemma get_bit_addressable_sfr_set_program_counter:
 ∀T,s,pc. get_bit_addressable_sfr T (set_program_counter … s pc) = get_bit_addressable_sfr … s.
 #T #s #pc %
qed.

lemma low_internal_ram_set_program_counter:
 ∀T,s,pc. low_internal_ram T (set_program_counter … s pc) = low_internal_ram … s.
 #T #s #pc %
qed.

lemma get_arg_8_set_program_counter:
 ∀n.∀l:Vector addressing_mode_tag (S n). ¬(is_in ? l ACC_PC) →
  ∀T,s,pc,b.∀arg:l.
   get_arg_8 T (set_program_counter … s pc) b arg = get_arg_8 … s b arg.
 [2,3: cases arg; *; normalize //]
 #n #l #H #T #s #pc #b * *; [11: #NH @⊥ //] #X try #Y %
qed.

lemma set_bit_addressable_sfr_set_code_memory:
  ∀T, U: Type[0].
  ∀ps: PreStatus ?.
  ∀code_mem.
  ∀x.
  ∀val.
  set_bit_addressable_sfr ? (set_code_memory T U ps code_mem) x val =
  set_code_memory T U (set_bit_addressable_sfr ? ps x val) code_mem.
  #T #U #ps #code_mem #x #val
  whd in ⊢ (??%?)
  whd in ⊢ (???(???%?))
  cases (eqb ? 128) [ normalize nodelta cases not_implemented
  | normalize nodelta
  cases (eqb (nat_of_bitvector 8 x) ?) [ normalize nodelta cases not_implemented
  | normalize nodelta
  cases (eqb (nat_of_bitvector 8 x) ?) [ normalize nodelta cases not_implemented
  | normalize nodelta
  cases (eqb ? 176) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 153) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 138) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 139) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 140) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 141) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 200) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 202) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 203) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 204) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 205) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 135) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 136) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 137) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 152) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 168) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 184) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 129) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 130) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 131) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 208) [ normalize nodelta %
  | normalize nodelta
  cases (eqb ? 224) [ normalize nodelta % 
  | normalize nodelta
  cases (eqb ? 240) [ normalize nodelta % 
  | normalize nodelta
    cases not_implemented
  ]]]]]]]]]]]]]]]]]]]]]]]]]]
qed.

lemma set_arg_8_set_code_memory:
  ∀n:nat.
  ∀l:Vector addressing_mode_tag (S n).
    ¬(is_in ? l ACC_PC) →
    ∀T: Type[0].
    ∀U: Type[0].
    ∀ps: PreStatus ?.
    ∀code_mem.
    ∀val.
    ∀b: l.
  set_arg_8 ? (set_code_memory T U ps code_mem) b val =
  set_code_memory T U (set_arg_8 ? ps b val) code_mem.
  [2,3: cases b; *; normalize //]
  #n #l #prf #T #U #ps #code_mem #val * *;
  [*:
    [1,2,3,4,8,9,15,16,17,18,19: #x]
    try #y whd in ⊢ (??(%)?)
    whd in ⊢ (???(???(%)?))
    [1,2:
      cases (split bool 4 4 ?)
      #nu' #nl'
      normalize nodelta
      cases (split bool 1 3 nu')
      #bit1' #ignore'
      normalize nodelta
      cases (get_index_v bool 4 nu' 0 ?)
      [1,2,3,4:
        normalize nodelta
        try %
        try (@(set_bit_addressable_sfr_set_code_memory T U ps code_mem x val))
        try (normalize in ⊢ (???(???%?)))
      ]
    |3,4: %
    |*:
       try normalize nodelta
       normalize cases (not_implemented)
    ]
 ]
 

qed.

axiom set_arg_8_set_program_counter:
  ∀n:nat.
  ∀l:Vector addressing_mode_tag (S n).
    ¬(is_in ? l ACC_PC) →
    ∀T: Type[0].
    ∀ps: PreStatus ?.
    ∀pc.
    ∀val.
    ∀b: l.
  set_arg_8 ? (set_program_counter T ps pc) b val =
  set_program_counter T (set_arg_8 ? ps b val) pc.
  [1,2: cases b; *; normalize //]
qed.
  

lemma get_arg_8_set_code_memory:
 ∀T1,T2,s,code_mem,b,arg.
   get_arg_8 T1 (set_code_memory T2 T1 s code_mem) b arg = get_arg_8 … s b arg.
 #T1 #T2 #s #code_mem #b #arg %
qed.

lemma set_code_memory_set_flags:
 ∀T1,T2,s,f1,f2,f3,code_mem.
  set_code_memory T1 T2 (set_flags T1 s f1 f2 f3) code_mem =
   set_flags … (set_code_memory … s code_mem) f1 f2 f3.
 #T1 #T2 #s #f1 #f2 #f3 #code_mem %
qed.

lemma set_program_counter_set_flags:
 ∀T1,s,f1,f2,f3,pc.
  set_program_counter T1 (set_flags T1 s f1 f2 f3) pc =
   set_flags … (set_program_counter … s pc) f1 f2 f3.
 #T1 #s #f1 #f2 #f3 #pc  %
qed.

lemma program_counter_set_flags:
 ∀T1,s,f1,f2,f3.
  program_counter T1 (set_flags T1 s f1 f2 f3) = program_counter … s.
 #T1 #s #f1 #f2 #f3 %
qed.

lemma special_function_registers_8051_write_at_stack_pointer:
 ∀T,s,x.
    special_function_registers_8051 T (write_at_stack_pointer T s x)
  = special_function_registers_8051 T s.
 #T #s #x whd in ⊢ (??(??%)?)
 cases (split ????) #nu #nl normalize nodelta;
 cases (get_index_v bool ????) %
qed.

lemma get_8051_sfr_write_at_stack_pointer:
 ∀T,s,x,y. get_8051_sfr T (write_at_stack_pointer T s x) y = get_8051_sfr T s y.
 #T #s #x #y whd in ⊢ (??%%) //
qed.

lemma code_memory_write_at_stack_pointer:
 ∀T,s,x. code_memory T (write_at_stack_pointer T s x) = code_memory T s.
 #T #s #x whd in ⊢ (??(??%)?)
 cases (split ????) #nu #nl normalize nodelta;
 cases (get_index_v bool ????) %
qed.

axiom low_internal_ram_write_at_stack_pointer:
 ∀T1,T2,M,s1,s2,s3.∀pbu,pbl,bu,bl,sp1,sp2:BitVector 8.
  get_8051_sfr ? s2 SFR_SP = get_8051_sfr ? s3 SFR_SP →
  low_internal_ram ? s2 = low_internal_ram T2 s3 →
  sp1 = \snd (half_add ? (get_8051_sfr ? s1 SFR_SP) (bitvector_of_nat 8 1)) →
  sp2 = \snd (half_add ? sp1 (bitvector_of_nat 8 1)) →
  bu@@bl = sigma (code_memory … s2) (pbu@@pbl) →
   low_internal_ram T1
     (write_at_stack_pointer ?
       (set_8051_sfr ?
         (write_at_stack_pointer ?
           (set_8051_sfr ?
             (set_low_internal_ram ? s1
               (low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram ? s2)))
             SFR_SP sp1)
          bl)
        SFR_SP sp2)
      bu)
   = low_internal_ram_of_pseudo_low_internal_ram (sp1::M)
      (low_internal_ram ?
       (write_at_stack_pointer ?
         (set_8051_sfr ?
           (write_at_stack_pointer ? (set_8051_sfr ? s3 SFR_SP sp1) pbl)
          SFR_SP sp2)
        pbu)).
        
axiom high_internal_ram_write_at_stack_pointer:
 ∀T1,T2,M,s1,s2,s3.∀pbu,pbl,bu,bl,sp1,sp2:BitVector 8.
  get_8051_sfr ? s2 SFR_SP = get_8051_sfr ? s3 SFR_SP →
  high_internal_ram ? s2 = high_internal_ram T2 s3 →
  sp1 = \snd (half_add ? (get_8051_sfr ? s1 SFR_SP) (bitvector_of_nat 8 1)) →
  sp2 = \snd (half_add ? sp1 (bitvector_of_nat 8 1)) →
  bu@@bl = sigma (code_memory … s2) (pbu@@pbl) →
   high_internal_ram T1
     (write_at_stack_pointer ?
       (set_8051_sfr ?
         (write_at_stack_pointer ?
           (set_8051_sfr ?
             (set_high_internal_ram ? s1
               (high_internal_ram_of_pseudo_high_internal_ram M (high_internal_ram ? s2)))
             SFR_SP sp1)
          bl)
        SFR_SP sp2)
      bu)
   = high_internal_ram_of_pseudo_high_internal_ram (sp1::M)
      (high_internal_ram ?
       (write_at_stack_pointer ?
         (set_8051_sfr ?
           (write_at_stack_pointer ? (set_8051_sfr ? s3 SFR_SP sp1) pbl)
          SFR_SP sp2)
        pbu)).

lemma set_program_counter_set_low_internal_ram:
 ∀T,s,x,y.
  set_program_counter T (set_low_internal_ram … s x) y =
   set_low_internal_ram … (set_program_counter … s y) x.
 //
qed.

lemma set_clock_set_low_internal_ram:
 ∀T,s,x,y.
  set_clock T (set_low_internal_ram … s x) y =
   set_low_internal_ram … (set_clock … s y) x.
 //
qed.

lemma set_program_counter_set_high_internal_ram:
 ∀T,s,x,y.
  set_program_counter T (set_high_internal_ram … s x) y =
   set_high_internal_ram … (set_program_counter … s y) x.
 //
qed.

lemma set_clock_set_high_internal_ram:
 ∀T,s,x,y.
  set_clock T (set_high_internal_ram … s x) y =
   set_high_internal_ram … (set_clock … s y) x.
 //
qed.

lemma set_low_internal_ram_set_high_internal_ram:
 ∀T,s,x,y.
  set_low_internal_ram T (set_high_internal_ram … s x) y =
   set_high_internal_ram … (set_low_internal_ram … s y) x.
 //
qed.

lemma external_ram_write_at_stack_pointer:
 ∀T,s,x. external_ram T (write_at_stack_pointer T s x) = external_ram T s.
 #T #s #x whd in ⊢ (??(??%)?)
 cases (split ????) #nu #nl normalize nodelta;
 cases (get_index_v bool ????) %
qed.

lemma special_function_registers_8052_write_at_stack_pointer:
 ∀T,s,x.
    special_function_registers_8052 T (write_at_stack_pointer T s x)
  = special_function_registers_8052 T s.
 #T #s #x whd in ⊢ (??(??%)?)
 cases (split ????) #nu #nl normalize nodelta;
 cases (get_index_v bool ????) %
qed.

lemma p1_latch_write_at_stack_pointer:
 ∀T,s,x. p1_latch T (write_at_stack_pointer T s x) = p1_latch T s.
 #T #s #x whd in ⊢ (??(??%)?)
 cases (split ????) #nu #nl normalize nodelta;
 cases (get_index_v bool ????) %
qed.

lemma p3_latch_write_at_stack_pointer:
 ∀T,s,x. p3_latch T (write_at_stack_pointer T s x) = p3_latch T s.
 #T #s #x whd in ⊢ (??(??%)?)
 cases (split ????) #nu #nl normalize nodelta;
 cases (get_index_v bool ????) %
qed.

lemma clock_write_at_stack_pointer:
 ∀T,s,x. clock T (write_at_stack_pointer T s x) = clock T s.
 #T #s #x whd in ⊢ (??(??%)?)
 cases (split ????) #nu #nl normalize nodelta;
 cases (get_index_v bool ????) %
qed.

axiom get_index_v_set_index:
 ∀T,n,x,m,p,y. get_index_v T n (set_index T n x m y p) m p = y.

lemma get_8051_sfr_set_8051_sfr:
 ∀T,s,x,y. get_8051_sfr T (set_8051_sfr ? s x y) x = y.
 #T *; #A #B #C #D #E #F #G #H #I #J *; #y whd in ⊢ (??(??%?)?)
 whd in match get_8051_sfr; normalize nodelta @get_index_v_set_index
qed.

lemma program_counter_set_8051_sfr:
 ∀T,s,x,y. program_counter T (set_8051_sfr ? s x y) = program_counter ? s.
 //
qed.

lemma eq_rect_Type1_r:
  ∀A: Type[1].
  ∀a:A.
  ∀P: ∀x:A. eq ? x a → Type[1]. P a (refl A a) → ∀x: A.∀p:eq ? x a. P x p.
  #A #a #P #H #x #p
  generalize in match H
  generalize in match P
  cases p
  //
qed.

lemma split_eq_status:
 ∀T.
 ∀A1,A2,A3,A4,A5,A6,A7,A8,A9,A10.
 ∀B1,B2,B3,B4,B5,B6,B7,B8,B9,B10.
  A1=B1 → A2=B2 → A3=B3 → A4=B4 → A5=B5 → A6=B6 → A7=B7 → A8=B8 → A9=B9 → A10=B10 →
   mk_PreStatus T A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 =
   mk_PreStatus T B1 B2 B3 B4 B5 B6 B7 B8 B9 B10.
 //
qed.

axiom pair_elim':
  ∀A,B,C: Type[0].
  ∀T: A → B → C.
  ∀p.
  ∀P: A×B → C → Prop.
    (∀lft, rgt. p = 〈lft,rgt〉 → P 〈lft,rgt〉 (T lft rgt)) →
      P p (let 〈lft, rgt〉 ≝ p in T lft rgt).

axiom pair_elim'':
  ∀A,B,C,C': Type[0].
  ∀T: A → B → C.
  ∀T': A → B → C'.
  ∀p.
  ∀P: A×B → C → C' → Prop.
    (∀lft, rgt. p = 〈lft,rgt〉 → P 〈lft,rgt〉 (T lft rgt) (T' lft rgt)) →
      P p (let 〈lft, rgt〉 ≝ p in T lft rgt) (let 〈lft, rgt〉 ≝ p in T' lft rgt).

axiom split_elim':
  ∀A: Type[0].
  ∀B: Type[1].
  ∀l, m, v.
  ∀T: Vector A l → Vector A m → B.
  ∀P: B → Prop.
    (∀lft, rgt. v = lft @@ rgt → P (T lft rgt)) →
      P (let 〈lft, rgt〉 ≝ split A l m v in T lft rgt).

axiom split_elim'':
  ∀A: Type[0].
  ∀B,B': Type[1].
  ∀l, m, v.
  ∀T: Vector A l → Vector A m → B.
  ∀T': Vector A l → Vector A m → B'.
  ∀P: B → B' → Prop.
    (∀lft, rgt. v = lft @@ rgt → P (T lft rgt) (T' lft rgt)) →
      P (let 〈lft, rgt〉 ≝ split A l m v in T lft rgt)
        (let 〈lft, rgt〉 ≝ split A l m v in T' lft rgt).

axiom split_append:
  ∀A: Type[0].
  ∀m, n: nat.
  ∀v, v': Vector A m.
  ∀q, q': Vector A n.
    let 〈v', q'〉 ≝ split A m n (v@@q) in
      v = v' ∧ q = q'.

axiom split_vector_singleton:
  ∀A: Type[0].
  ∀n: nat.
  ∀v: Vector A (S n).
  ∀rest: Vector A n.
  ∀s: Vector A 1.
  ∀prf.
    v = s @@ rest →
    ((get_index_v A ? v 0 prf) ::: rest) = v.

axiom sub_minus_one_seven_eight:
  ∀v: BitVector 7.
  false ::: (\fst (sub_7_with_carry v (bitvector_of_nat ? 1) false)) =
  \fst (sub_8_with_carry (false ::: v) (bitvector_of_nat ? 1) false).

lemma pair_destruct_1:
 ∀A,B.∀a:A.∀b:B.∀c. 〈a,b〉 = c → a = \fst c.
 #A #B #a #b *; /2/
qed.

lemma pair_destruct_2:
 ∀A,B.∀a:A.∀b:B.∀c. 〈a,b〉 = c → b = \snd c.
 #A #B #a #b *; /2/
qed.

(*
lemma blah:
  ∀m: internal_pseudo_address_map.
  ∀s: PseudoStatus.
  ∀arg: Byte.
  ∀b: bool.
    addressing_mode_ok m s (DIRECT arg) = true →
      get_arg_8 ? (set_low_internal_ram ? s (low_internal_ram_of_pseudo_low_internal_ram m (low_internal_ram ? s))) b (DIRECT arg) =
      get_arg_8 ? s b (DIRECT arg).
  [2, 3: normalize % ]
  #m #s #arg #b #hyp
  whd in ⊢ (??%%)
  @split_elim''
  #nu' #nl' #arg_nu_nl_eq
  normalize nodelta
  generalize in match (refl ? (get_index_v bool 4 nu' ? ?))
  cases (get_index_v bool 4 nu' ? ?) in ⊢ (??%? → %)
  #get_index_v_eq
  normalize nodelta
  [2:
    normalize nodelta
    @split_elim''
    #bit_one' #three_bits' #bit_one_three_bit_eq
    generalize in match (low_internal_ram_of_pseudo_internal_ram_miss m s (three_bits'@@nl'))
    normalize nodelta
    generalize in match (refl ? (sub_7_with_carry ? ? ?))
    cases (sub_7_with_carry ? ? ?) in ⊢ (??%? → %)
    #Saddr #carr' #Saddr_carr_eq
    normalize nodelta
    #carr_hyp'
    @carr_hyp'
    [1:
    |2: whd in hyp:(??%?); generalize in match hyp; -hyp;
        generalize in match (refl ? (¬(member (BitVector 8) ? arg m))) 
        cases (¬(member (BitVector 8) ? arg m)) in ⊢ (??%? → %)
        #member_eq
        normalize nodelta
        [2: #destr destruct(destr)
        |1: -carr_hyp';
            >arg_nu_nl_eq
            <(split_vector_singleton ? ? nu' ? ? ? bit_one_three_bit_eq)
            [1: >get_index_v_eq in ⊢ (??%? → ?)
            |2: @le_S @le_S @le_S @le_n
            ]
            cases (member (BitVector 8) ? (\fst ?) ?)
            [1: #destr normalize in destr; destruct(destr)
            |2:
            ]
        ]
    |3: >get_index_v_eq in ⊢ (??%?)
        change in ⊢ (??(???%?)?) with ((? ::: three_bits') @@ nl')
        >(split_vector_singleton … bit_one_three_bit_eq)
        <arg_nu_nl_eq
        whd in hyp:(??%?)
        cases (member (BitVector 8) (eq_bv 8) arg m) in hyp
        normalize nodelta [*: #ignore @sym_eq ]
    ]
  |
  ].
*)
(*
map_address0 ... (DIRECT arg) = Some .. →
  get_arg_8 (map_address0 ... (internal_ram ...) (DIRECT arg) =
  get_arg_8 (internal_ram ...) (DIRECT arg)

((if addressing_mode_ok M ps ACC_A∧addressing_mode_ok M ps (DIRECT ARG2) 
                     then Some internal_pseudo_address_map M 
                     else None internal_pseudo_address_map )
                    =Some internal_pseudo_address_map M')
*)

lemma main_thm:
 ∀M,M',ps,s,s''.
  next_internal_pseudo_address_map M ps = Some … M' →
  status_of_pseudo_status M ps = Some … s →
  status_of_pseudo_status M' (execute_1_pseudo_instruction (ticks_of (code_memory … ps)) ps) = Some … s'' →
   ∃n. execute n s = s''.
 #M #M' #ps #s #s''
 generalize in match (fetch_assembly_pseudo2 (code_memory … ps))
 whd in ⊢ (? → ? → ??%? → ??%? → ?)
 >execute_1_pseudo_instruction_preserves_code_memory
 generalize in match (refl … (assembly (code_memory … ps)))
 generalize in match (assembly (code_memory … ps)) in ⊢ (??%? → %) #ASS whd in ⊢ (???% → ?)
 cases (build_maps (code_memory … ps))
  [ cases (code_memory … ps) #preamble #instr_list whd in ⊢ (???% → ?) #EQ >EQ #H #MAP
    #abs @⊥ normalize in abs; destruct (abs) ]
 * #labels #costs change in ⊢ (? → ? → ??%? → ?) with (next_internal_pseudo_address_map0 ? ? ? ?)
 generalize in match (refl … (code_memory … ps)) cases (code_memory … ps) in ⊢ (???% → %) #preamble #instr_list #EQ0 normalize nodelta;
 generalize in ⊢ (???(match % with [_ ⇒ ? | _ ⇒ ?]) → ?) *; normalize nodelta;
  [ #EQ >EQ #_ #_ #abs @⊥ normalize in abs; destruct (abs) ]
 * #final_ppc * #final_pc #assembled #EQ >EQ -EQ ASS; normalize nodelta;
 #H generalize in match (H ??? (refl …) (refl …)) -H; #H;
 #MAP
 #H1 generalize in match (option_destruct_Some ??? H1) -H1; #H1 <H1 -H1;
 #H2 generalize in match (option_destruct_Some ??? H2) -H2; #H2 <H2 -H2;
 change with
  (∃n.
    execute n
     (set_low_internal_ram ?
       (set_high_internal_ram ?
         (set_program_counter ?
           (set_code_memory ?? ps (load_code_memory assembled))
          (sigma 〈preamble,instr_list〉 (program_counter ? ps)))
        (high_internal_ram_of_pseudo_high_internal_ram M ?))
      (low_internal_ram_of_pseudo_low_internal_ram M ?))
   = set_low_internal_ram ?
      (set_high_internal_ram ?
        (set_program_counter ?
          (set_code_memory ?? (execute_1_pseudo_instruction ? ps) (load_code_memory assembled))
         (sigma ??))
       ?)
     ?)
 whd in match (\snd 〈preamble,instr_list〉) in H;
 whd in match (\fst 〈preamble,instr_list〉) in H;
 whd in match (\snd 〈final_pc,assembled〉) in H;
 whd in match (\snd 〈preamble,instr_list〉) in MAP;
 -s s'' labels costs final_ppc final_pc;
 letin ps' ≝ (execute_1_pseudo_instruction (ticks_of 〈preamble,instr_list〉) ps)
 (* NICE STATEMENT HERE *)
 generalize in match (refl … ps') generalize in ⊢ (??%? → ?) normalize nodelta; -ps'; #ps'
 #K <K generalize in match K; -K;
 (* STATEMENT WITH EQUALITY HERE *)
 whd in ⊢ (???(?%?) → ?)
 whd in ⊢ (???% → ?) generalize in match (H (program_counter … ps)) -H; >EQ0 normalize nodelta;
 cases (fetch_pseudo_instruction instr_list (program_counter … ps)) in MAP ⊢ %
 #pi #newppc normalize nodelta; #MAP * #instructions *;
 cases pi in MAP; normalize nodelta;
  [2,3: (* Comment, Cost *) #ARG #MAP #H1 #H2 #EQ %[1,3:@0]
    generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP <MAP -MAP M';
    normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
    #H2 >(eq_bv_to_eq … H2) >EQ %
(*  |6: (* Mov *) #arg1 #arg2
       #H1 #H2 #EQ %[@1]
       normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
       change in ⊢ (? → ??%?) with (execute_1_0 ??)
       cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
       * * #H2a #H2b whd in ⊢ (% → ?) #H2c
       >H2b >(eq_instruction_to_eq … H2a)
       generalize in match EQ; -EQ; whd in ⊢ (???% → ??%?);
       @(list_addressing_mode_tags_elim_prop … arg1) whd try % -arg1; whd in ⊢ (???% → ??%?)
       @(list_addressing_mode_tags_elim_prop … arg2) whd try % -arg2; #ARG2
       normalize nodelta;
       [1,2,3,4,5,6,7,8: cases (add_8_with_carry ???) |*: cases (sub_8_with_carry ???)]
       #result #flags
       #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) % *)
  |5: (* Call *) #label #MAP
      generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP <MAP -MAP;
      whd in ⊢ (???% → ?) cases (jump_expansion ??) normalize nodelta;
       [ (* short *) #abs @⊥ destruct (abs)
       |3: (* long *) #H1 #H2 #EQ %[@1]
           (* normalize in H1; !!!*) generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
           change in ⊢ (? → ??%?) with (execute_1_0 ??)
           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
           >H2b >(eq_instruction_to_eq … H2a)
           generalize in match EQ; -EQ;
           whd in ⊢ (???% → ??%?);
           generalize in match (refl … (half_add 8 (get_8051_sfr ? ps SFR_SP) (bitvector_of_nat ? 1))) cases (half_add ???) in ⊢ (??%? → %) #carry #new_sp #EQ1 normalize nodelta;
           >(eq_bv_to_eq … H2c)
           change with
            ((?=let 〈ppc_bu,ppc_bl〉 ≝ split bool 8 8 newppc in ?) →
                (let 〈pc_bu,pc_bl〉 ≝ split bool 8 8 (sigma 〈preamble,instr_list〉 newppc) in ?)=?)
           generalize in match (refl … (split … 8 8 newppc)) cases (split bool 8 8 newppc) in ⊢ (??%? → %) #ppc_bu #ppc_bl #EQppc
           generalize in match (refl … (split … 8 8 (sigma 〈preamble,instr_list〉 newppc))) cases (split bool 8 8 (sigma 〈preamble,instr_list〉 newppc)) in ⊢ (??%? → %) #pc_bu #pc_bl #EQpc normalize nodelta;
           >get_8051_sfr_write_at_stack_pointer >get_8051_sfr_write_at_stack_pointer
           >get_8051_sfr_set_8051_sfr >get_8051_sfr_set_8051_sfr
           generalize in match (refl … (half_add ? new_sp (bitvector_of_nat ? 1))) cases (half_add ???) in ⊢ (??%? → %) #carry' #new_sp' #EQ2 normalize nodelta;
           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
           @split_eq_status;
            [ >code_memory_write_at_stack_pointer whd in ⊢ (??%?)
              >code_memory_write_at_stack_pointer %
            | >set_program_counter_set_low_internal_ram
              >set_clock_set_low_internal_ram
              @low_internal_ram_write_at_stack_pointer
               [ % | %
               | @(pair_destruct_2 … EQ1)
               | @(pair_destruct_2 … EQ2)
               | >(pair_destruct_1 ????? EQpc)
                 >(pair_destruct_2 ????? EQpc)
                 @split_elim #x #y #H <H -x y H;
                 >(pair_destruct_1 ????? EQppc)
                 >(pair_destruct_2 ????? EQppc)
                 @split_elim #x #y #H <H -x y H;
                 >EQ0 % ]
            | >set_low_internal_ram_set_high_internal_ram
              >set_program_counter_set_high_internal_ram
              >set_clock_set_high_internal_ram
              @high_internal_ram_write_at_stack_pointer
               [ % | %
               | @(pair_destruct_2 … EQ1)
               | @(pair_destruct_2 … EQ2)
               | >(pair_destruct_1 ????? EQpc)
                 >(pair_destruct_2 ????? EQpc)
                 @split_elim #x #y #H <H -x y H;
                 >(pair_destruct_1 ????? EQppc)
                 >(pair_destruct_2 ????? EQppc)
                 @split_elim #x #y #H <H -x y H;
                 >EQ0 % ]            
            | >external_ram_write_at_stack_pointer whd in ⊢ (??%?)
              >external_ram_write_at_stack_pointer whd in ⊢ (???%)
              >external_ram_write_at_stack_pointer whd in ⊢ (???%)
              >external_ram_write_at_stack_pointer %
            | change with (? = sigma ?(address_of_word_labels_code_mem (\snd (code_memory ? ps)) ?))
              >EQ0 % 
            | >special_function_registers_8051_write_at_stack_pointer whd in ⊢ (??%?)
              >special_function_registers_8051_write_at_stack_pointer whd in ⊢ (???%)
              >special_function_registers_8051_write_at_stack_pointer whd in ⊢ (???%)
              >special_function_registers_8051_write_at_stack_pointer %
            | >special_function_registers_8052_write_at_stack_pointer whd in ⊢ (??%?)
              >special_function_registers_8052_write_at_stack_pointer whd in ⊢ (???%)
              >special_function_registers_8052_write_at_stack_pointer whd in ⊢ (???%)
              >special_function_registers_8052_write_at_stack_pointer %
            | >p1_latch_write_at_stack_pointer whd in ⊢ (??%?)
              >p1_latch_write_at_stack_pointer whd in ⊢ (???%)
              >p1_latch_write_at_stack_pointer whd in ⊢ (???%)
              >p1_latch_write_at_stack_pointer %
            | >p3_latch_write_at_stack_pointer whd in ⊢ (??%?)
              >p3_latch_write_at_stack_pointer whd in ⊢ (???%)
              >p3_latch_write_at_stack_pointer whd in ⊢ (???%)
              >p3_latch_write_at_stack_pointer %
            | >clock_write_at_stack_pointer whd in ⊢ (??%?)
              >clock_write_at_stack_pointer whd in ⊢ (???%)
              >clock_write_at_stack_pointer whd in ⊢ (???%)
              >clock_write_at_stack_pointer %]
       | (* medium *)  #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
         @pair_elim' #fst_5_addr #rest_addr #EQ1
         @pair_elim' #fst_5_pc #rest_pc #EQ2
         generalize in match (refl … (eq_bv … fst_5_addr fst_5_pc))
         cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta; #EQ3 #TEQ [2: destruct (TEQ)]
         generalize in match (option_destruct_Some ??? TEQ) -TEQ; #K1 >K1 in H2; whd in ⊢ (% → ?)
         change in ⊢ (? →??%?) with (execute_1_0 ??)
         @pair_elim' * #instr #newppc' #ticks #EQn
          * * #H2a #H2b whd in ⊢ (% → ?) #H2c >H2b >(eq_instruction_to_eq … H2a) whd in ⊢ (??%?)
          generalize in match EQ; -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
          @pair_elim' #carry #new_sp change with (half_add ? (get_8051_sfr ? ps ?) ? = ? → ?) #EQ4
          @split_elim' #pc_bu #pc_bl >program_counter_set_8051_sfr XXX change with (newppc = ?) #EQ5
          @pair_elim' #carry' #new_sp' #EQ6 normalize nodelta; #EQx >EQx -EQx;
          change in ⊢ (??(match ????% with [_ ⇒ ?])?) with (sigma … newppc)
          @split_elim' #pc_bu' #pc_bl' #EQ7 change with (newppc' = ? → ?)
          >get_8051_sfr_set_8051_sfr
          
          whd in EQ:(???%) ⊢ ? >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) whd in ⊢ (??%?)
           change with ((let 〈pc_bu,pc_bl〉 ≝ split bool 8 8 (sigma 〈preamble,instr_list〉 newppc) in ?)=?)
           generalize in match (refl … (split bool 8 8 (sigma 〈preamble,instr_list〉 newppc)))
           cases (split ????) in ⊢ (??%? → %) #pc_bu #pc_bl normalize nodelta; #EQ4
           generalize in match (refl … (split bool 4 4 pc_bu))
           cases (split ????) in ⊢ (??%? → %) #nu #nl normalize nodelta; #EQ5
           generalize in match (refl … (split bool 3 8 rest_addr))
           cases (split ????) in ⊢ (??%? → %) #relevant1 #relevant2 normalize nodelta; #EQ6
           change with ((let 〈carry,new_pc〉 ≝ half_add ? (sigma … newppc) ? in ?) = ?)
           generalize in match
            (refl …
             (half_add 16 (sigma 〈preamble,instr_list〉 newppc)
             ((nu@@get_index' bool 0 3 nl:::relevant1)@@relevant2)))
           cases (half_add ???) in ⊢ (??%? → %) #carry #new_pc normalize nodelta; #EQ7
           @split_eq_status try %
            [ change with (? = sigma ? (address_of_word_labels ps label))
              (* ARITHMETICS, BUT THE GOAL SEEMS FALSE *)
            | whd in ⊢ (??%%) whd in ⊢ (??(?%?)?) whd in ⊢ (??(?(match ?(?%)? with [_ ⇒ ?])?)?) 
              @(bitvector_3_elim_prop … (\fst (split bool 3 8 rest_addr))) %]] *)
  |4: (* Jmp *) #label #MAP
      generalize in match (option_destruct_Some ??? MAP) -MAP; #MAP >MAP -MAP;
      whd in ⊢ (???% → ?) cases (jump_expansion ??) normalize nodelta;
       [3: (* long *) #H1 #H2 #EQ %[@1]
           (* normalize in H1; !!!*) generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
           change in ⊢ (? → ??%?) with (execute_1_0 ??)
           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
           >H2b >(eq_instruction_to_eq … H2a)
           generalize in match EQ; -EQ;
           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
           cases ps in EQ0 ⊢ %; #A1 #A2 #A3 #A4 #A5 #A6 #A7 #A8 #A9 #A10 #XXXX >XXXX %
       |1: (* short *) #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
           generalize in match
            (refl ?
             (sub_16_with_carry
              (sigma 〈preamble,instr_list〉 (program_counter … ps))
              (sigma 〈preamble,instr_list〉 (address_of_word_labels_code_mem instr_list label))
              false))
           cases (sub_16_with_carry ???) in ⊢ (??%? → %); #results #flags normalize nodelta;
           generalize in match (refl … (split … 8 8 results)) cases (split ????) in ⊢ (??%? → %) #upper #lower normalize nodelta;
           generalize in match (refl … (eq_bv … upper (zero 8))) cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta;
           #EQ1 #EQ2 #EQ3 #H1 [2: @⊥ destruct (H1)]
           generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
           change in ⊢ (? → ??%?) with (execute_1_0 ??)
           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
           >H2b >(eq_instruction_to_eq … H2a)
           generalize in match EQ; -EQ;
           whd in ⊢ (???% → ?);
           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c)
           change with ((let 〈carry,new_pc〉 ≝ half_add ? (sigma ??) ? in ?) = ?)
           generalize in match (refl … (half_add 16 (sigma 〈preamble,instr_list〉 newppc) (sign_extension lower)))
           cases (half_add ???) in ⊢ (??%? → %) #carry #newpc normalize nodelta #EQ4
           @split_eq_status try % change with (newpc = sigma ? (address_of_word_labels ps label))
           (* ARITHMETICS, BUT THE GOAL SEEMS FALSE *)
       | (* medium *)  #H1 #H2 #EQ %[@1] generalize in match H1; -H1;
         generalize in match
          (refl …
            (split … 5 11 (sigma 〈preamble,instr_list〉 (address_of_word_labels_code_mem instr_list label))))
         cases (split ????) in ⊢ (??%? → %) #fst_5_addr #rest_addr normalize nodelta; #EQ1
         generalize in match
          (refl …
            (split … 5 11 (sigma 〈preamble,instr_list〉 (program_counter … ps))))
         cases (split ????) in ⊢ (??%? → %) #fst_5_pc #rest_pc normalize nodelta; #EQ2
         generalize in match (refl … (eq_bv … fst_5_addr fst_5_pc))
         cases (eq_bv ???) in ⊢ (??%? → %) normalize nodelta; #EQ3 #TEQ [2: destruct (TEQ)]
         generalize in match (option_destruct_Some ??? TEQ) -TEQ; #K1 >K1 in H2; whd in ⊢ (% → ?)
         change in ⊢ (? →??%?) with (execute_1_0 ??)
           cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
           * * #H2a #H2b whd in ⊢ (% → ?) #H2c
           >H2b >(eq_instruction_to_eq … H2a)
           generalize in match EQ; -EQ;
           whd in ⊢ (???% → ?);
           #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) whd in ⊢ (??%?)
           change with ((let 〈pc_bu,pc_bl〉 ≝ split bool 8 8 (sigma 〈preamble,instr_list〉 newppc) in ?)=?)
           generalize in match (refl … (split bool 8 8 (sigma 〈preamble,instr_list〉 newppc)))
           cases (split ????) in ⊢ (??%? → %) #pc_bu #pc_bl normalize nodelta; #EQ4
           generalize in match (refl … (split bool 4 4 pc_bu))
           cases (split ????) in ⊢ (??%? → %) #nu #nl normalize nodelta; #EQ5
           generalize in match (refl … (split bool 3 8 rest_addr))
           cases (split ????) in ⊢ (??%? → %) #relevant1 #relevant2 normalize nodelta; #EQ6
           change with ((let 〈carry,new_pc〉 ≝ half_add ? (sigma … newppc) ? in ?) = ?)
           generalize in match
            (refl …
             (half_add 16 (sigma 〈preamble,instr_list〉 newppc)
             ((nu@@get_index' bool 0 3 nl:::relevant1)@@relevant2)))
           cases (half_add ???) in ⊢ (??%? → %) #carry #new_pc normalize nodelta; #EQ7    
           @split_eq_status try %
            [ change with (? = sigma ? (address_of_word_labels ps label))
              (* ARITHMETICS, BUT THE GOAL SEEMS FALSE *)
            | whd in ⊢ (??%%) whd in ⊢ (??(?%?)?) whd in ⊢ (??(?(match ?(?%)? with [_ ⇒ ?])?)?) 
              @(bitvector_3_elim_prop … (\fst (split bool 3 8 rest_addr))) %]]
  | (* Instruction *) -pi;  whd in ⊢ (? → ??%? → ?) *; normalize nodelta;
    [1,2,3: (* ADD, ADDC, SUBB *) #arg1 #arg2 #MAP #H1 #H2 #EQ %[1,3,5:@1]
       normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
       change in ⊢ (? → ??%?) with (execute_1_0 ??)
       cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
       * * #H2a #H2b whd in ⊢ (% → ?) #H2c
       >H2b >(eq_instruction_to_eq … H2a)
       generalize in match EQ; -EQ; whd in ⊢ (???% → ??%?); generalize in match MAP; -MAP;
       @(list_addressing_mode_tags_elim_prop … arg1) whd try % -arg1;
       @(list_addressing_mode_tags_elim_prop … arg2) whd try % -arg2; #ARG2
       normalize nodelta; #MAP;
       [1: change in ⊢ (? → %) with
        ((let 〈result,flags〉 ≝
          add_8_with_carry
           (get_arg_8 ? ps false ACC_A)
           (get_arg_8 ?
             (set_low_internal_ram ? ps (low_internal_ram_of_pseudo_low_internal_ram M (low_internal_ram … ps)))
             false (DIRECT ARG2))
           ? in ?) = ?)
       [1,2: cut (addressing_mode_ok M ps (DIRECT ARG2) = true) [2:
        [1,2:whd in MAP:(??(match % with [ _ ⇒ ? | _ ⇒ ?])?)]
       [1,2,3,4,5,6,7,8: cases (add_8_with_carry ???) |*: cases (sub_8_with_carry ???)]
       #result #flags
       #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) %
    | (* INC *) #arg1 #H1 #H2 #EQ %[@1]
       normalize in H1; generalize in match (option_destruct_Some ??? H1) #K1 >K1 in H2; whd in ⊢ (% → ?)
       change in ⊢ (? → ??%?) with (execute_1_0 ??)
       cases (fetch (load_code_memory assembled) (sigma 〈preamble,instr_list〉 (program_counter … ps))) * #instr #newppc' #ticks normalize nodelta;
       * * #H2a #H2b whd in ⊢ (% → ?) #H2c
       >H2b >(eq_instruction_to_eq … H2a)
       generalize in match EQ; -EQ; whd in ⊢ (???% → ??%?);
       @(list_addressing_mode_tags_elim_prop … arg1) whd try % -arg1; normalize nodelta; [1,2,3: #ARG]
       [1,2,3,4: cases (half_add ???) #carry #result
       | cases (half_add ???) #carry #bl normalize nodelta;
         cases (full_add ????) #carry' #bu normalize nodelta ]
        #EQ >EQ -EQ; normalize nodelta; >(eq_bv_to_eq … H2c) -newppc';
        [5: %
        |1: <(set_arg_8_set_code_memory 0 [[direct]] ? ? ? (set_clock pseudo_assembly_program
      (set_program_counter pseudo_assembly_program ps newppc)
      (\fst  (ticks_of0 〈preamble,instr_list〉
                   (program_counter pseudo_assembly_program ps)
                   (Instruction (INC Identifier (DIRECT ARG))))
       +clock pseudo_assembly_program
        (set_program_counter pseudo_assembly_program ps newppc))) (load_code_memory assembled) result (DIRECT ARG))
        [2,3: // ]
            <(set_arg_8_set_program_counter 0 [[direct]] ? ? ? ? ?) [2://]
            whd in ⊢ (??%%)
            cases (split bool 4 4 ARG)
            #nu' #nl'
            normalize nodelta
            cases (split bool 1 3 nu')
            #bit_1' #ignore'
            normalize nodelta
            cases (get_index_v bool 4 nu' ? ?)
            [ normalize nodelta (* HERE *) whd in ⊢ (??%%) %
            |
            ]