source: src/Clight/toCminorCorrectness.ma @ 2672

include "Clight/toCminor.ma".
include "Clight/CexecInd.ma".
include "common/Globalenvs.ma".
include "Clight/memoryInjections.ma".
include "Clight/Clight_abstract.ma".
include "Cminor/Cminor_abstract.ma".

(* Expr simulation. Contains important definitions for statements, too.  *)
include "Clight/toCminorCorrectnessExpr.ma".


(* When we characterise the local Clight variables, those that are stack
   allocated are given disjoint regions of the stack. *)

lemma characterise_vars_disjoint : ∀globals,f,vartypes,stacksize,id,n,ty.
  characterise_vars globals f = 〈vartypes, stacksize〉 →
  lookup ?? vartypes id = Some ? 〈Stack n,ty〉 →
  ∀id',n',ty'. id ≠ id' →
  lookup ?? vartypes id' = Some ? 〈Stack n',ty'〉 →
  n' + sizeof ty' ≤ n ∨ n + sizeof ty ≤ n'.
#globals * #ret #args #vars #body #vartypes #stacksize #id #n #ty
whd in ⊢ (??%? → ?);
generalize in match vartypes; -vartypes
generalize in match stacksize; -stacksize
elim (args@vars)
[ #stacksize #vartypes #CHAR #L @⊥ whd in CHAR:(??%?); destruct
  elim globals in L;
  [ normalize #L destruct
  | * * #id' #r #ty' #tl #IH
    whd in match (foldr ?????);
    #L cases (lookup_add_cases ??????? L)
    [ * #E1 #E2 destruct
    | @IH
    ]
  ]
| * #id1 #ty1 #tl #IH #stacksize #vartypes
  whd in match (foldr ?????);
  (* Avoid writing out the definition again *)
  letin ih ≝ (foldr ? (Prod ??) ?? tl) in IH ⊢ %;
  lapply (refl ? ih) whd in match ih; -ih
  cases (foldr ? (Prod ??) ?? tl) in ⊢ (???% → %);
  #vartypes' #stack' #FOLD #IH
  whd in ⊢ (??(match % with [_⇒?])? → ?);
  cases (orb ??)
  #CHAR whd in CHAR:(??%?); destruct
  #L cases (lookup_add_cases ??????? L)
  [ 1,3: * #E1 #E2 destruct
    #id' #n' #ty' #NE >lookup_add_miss /2/
    #L' %1 -L -IH
    generalize in match vartypes' in FOLD L' ⊢ %; -vartypes'
    generalize in match stack'; -stack'
    elim tl
    [ #stack' #vartypes2 whd in ⊢ (??%? → ?); #F destruct #L' @⊥
      elim globals in L';
      [ normalize #E destruct
      | * * #id2 #r2 #ty2 #tl2 #IH whd in match (foldr ?????);
        #L cases (lookup_add_cases ??????? L)
        [ * #E1 #E2 destruct
        | @IH
        ]
      ]
    | * #id2 #ty2 #tl2 #IH #stack' #vartypes'
      whd in ⊢ (??%? → ?); cases (foldr ? (Prod ??) ???) in IH ⊢ %;
      #vartypes2 #stack2 #IH
      whd in ⊢ (??%? → ?);
      cases (orb ??)
      [ #E whd in E:(??%?); destruct #L cases (lookup_add_cases ??????? L)
        [ * #E1 #E2 destruct //
        | #L'' lapply (IH ?? (refl ??) L'') /2/
        ]
      | #E whd in E:(??%?); destruct #L cases (lookup_add_cases ??????? L)
        [ * #E1 #E2 destruct
        | #L'' lapply (IH ?? (refl ??) L'') /2/
        ]
      ]
    ]
  | -L #L #id' #n' #ty' #NE #L'
    cases (lookup_add_cases ??????? L')
    [ * #E1 #E2 destruct
      %2 -IH -L'
      generalize in match vartypes' in FOLD L; -vartypes'
      generalize in match stack'; -stack'
      elim tl
      [ #stack' #vartypes' whd in ⊢ (??%? → ?); #F destruct #L @⊥
        elim globals in L;
        [ normalize #E destruct
        | * * #id1 #r1 #ty1 #tl1 #IH whd in match (foldr ?????);
          #L cases (lookup_add_cases ??????? L)
          [ * #E1 #E2 destruct
          | @IH
          ]
        ]
      | * #id1 #ty1 #tl1 #IH #stack' #vartypes'
        whd in ⊢ (??%? → ?); cases (foldr ? (Prod ??) ???) in IH ⊢ %;
        #vartypes2 #stack2 #IH
        whd in ⊢ (??%? → ?);
        cases (orb ??)
        #E whd in E:(??%?); destruct
        #L cases (lookup_add_cases ??????? L)
        [ 1,3: * #E1 #E2 destruct //
        | 2,4: #L' lapply (IH ?? (refl ??) L') /2/
        ]
      ]
    | @(IH … (refl ??) L … NE)
    ]
  | -L #L #id' #n' #ty' #NE #L'
    cases (lookup_add_cases ??????? L')
    [ * #E1 #E2 destruct
    | @(IH … (refl ??) L … NE)
    ]
  ]
] qed.

(* And everything is in the stack frame. *)

lemma characterise_vars_in_range : ∀globals,f,vartypes,stacksize,id,n,ty.
  characterise_vars globals f = 〈vartypes, stacksize〉 →
  lookup ?? vartypes id = Some ? 〈Stack n,ty〉 →
  n + sizeof ty ≤ stacksize.
#globals * #ret #args #vars #body whd in match (characterise_vars ??);
elim (args@vars)
[ #vartypes #stacksize #id #n #ty #FOLD #L @⊥
  whd in FOLD:(??%?); destruct elim globals in L;
  [ #E normalize in E; destruct
  | * * #id' #r' #ty' #tl' #IH
    whd in match (foldr ?????); #L cases (lookup_add_cases ??????? L)
    [ * #E1 #E2 destruct
    | @IH
    ]
  ]
| * #id' #ty' #tl #IH #vartypes #stacksize #id #n #ty
  whd in match (foldr ?????); cases (foldr ? (Prod ??) ???) in IH ⊢ %;
  #vartypes' #stackspace' #IH
  whd in ⊢ (??(match % with [_⇒?])? → ?);
  cases (orb ??) whd in ⊢ (??%? → ?);
  #E destruct #L cases (lookup_add_cases ??????? L)
  [ 1,3: * #E1 #E2 destruct //
  | 2,4: #L' lapply (IH … (refl ??) L') /2/
  ]
] qed.



(* Put knowledge that Globals are global into a more useful form than the
   one used for the invariant. *)   
(* XXX superfluous lemma ? Commenting it for now. 
       if not superfluous : move to toCminorCorrectnessExpr.ma, after
       [characterise_vars_localid] *)
(*
lemma characterise_vars_global : ∀globals,f,vartypes,stacksize.
  characterise_vars globals f = 〈vartypes, stacksize〉 →
  ∀id,r,ty. lookup' vartypes id = OK ? 〈Global r,ty〉 →
  Exists ? (λx.x = 〈〈id,r〉,ty〉) globals ∧
  ¬ Exists ? (λx. \fst x = id) (fn_params f @ fn_vars f).
#globals #f #vartypes #stacksize #CHAR #id #r #ty #L
cases (characterise_vars_src … CHAR id ?)
[ * #r' * #ty' >L
  * #E1 destruct (E1) #EX
  %
  [ @EX
  | % #EX' cases (characterise_vars_localid … CHAR EX')
    #ty' whd in ⊢ (% → ?); >L *
  ]
| * #ty' whd in ⊢ (% → ?); >L *
| whd >(opt_eq_from_res ???? L) % #E destruct
] qed. *)

(* Show how the global environments match up. *)

lemma map_partial_All_to_All2 : ∀A,B,P,f,l,H,l'.
  map_partial_All A B P f l H = OK ? l' →
  All2 ?? (λa,b. ∃p. f a p = OK ? b) l l'.
#A #B #P #f #l
elim l
[ #H #l' #MAP normalize in MAP; destruct //
| #h #t #IH * #p #H #l'
  whd in ⊢ (??%? → ?);
  lapply (refl ? (f h p)) whd in match (proj1 ???);
  cases (f h p) in ⊢ (???% → %);
  [ #b #E #MAP cases (bind_inversion ????? MAP)
    #tl' * #MAP' #E' normalize in E'; destruct
    % [ %{p} @E | @IH [ @H | @MAP' ] ]
  | #m #_ #X normalize in X; destruct
  ]
] qed.
  

definition clight_cminor_matching : clight_program → matching ≝
λp.
  let tmpuniverse ≝ universe_for_program p in
  let fun_globals ≝ map ?? (λidf. 〈\fst idf,Code,type_of_fundef (\snd idf)〉) (prog_funct ?? p) in
  let var_globals ≝ map ?? (λv. 〈\fst (\fst v), \snd (\fst v), \snd (\snd v)〉) (prog_vars ?? p) in
  let globals ≝ fun_globals @ var_globals in
  mk_matching
    ?? (list init_data × type) (list init_data)
    (λvs,f_clight,f_cminor. ∃H1,H2. translate_fundef tmpuniverse globals H1 f_clight H2 = OK ? f_cminor)
    (λv,w. \fst v = w).

lemma clight_to_cminor_varnames : ∀p,p'.
  clight_to_cminor p = OK ? p' →
  prog_var_names … p = prog_var_names … p'.
* #vars #fns #main * #vars' #fns' #main'
#TO cases (bind_inversion ????? TO) #fns'' * #MAP #E
whd in E:(??%%); destruct
-MAP normalize
elim vars
[ //
| * * #id #r * #d #t #tl #IH normalize >IH //
] qed.

lemma clight_to_cminor_matches : ∀p,p'.
  clight_to_cminor p = OK ? p' →
  match_program (clight_cminor_matching p) p p'.
* #vars #fns #main * #vars' #fns' #main'
#TO cases (bind_inversion ????? TO) #fns'' * #MAP #E
whd in E:(??%%); destruct
%
[ -MAP whd in match (m_V ?); whd in match (m_W ?);
  elim vars
  [ //
  | * * #id #r * #init #ty #tl #IH %
    [ % //
    | @(All2_mp … IH) * * #a #b * #c #d * * #e #f #g * /2/
    ]
  ]
| @(All2_mp … (map_partial_All_to_All2 … MAP)) -MAP
  * #id #f * #id' #f' * #H #F cases (bind_inversion ????? F) #f'' * #TRANSF #E
  normalize in E; destruct
  <(clight_to_cminor_varnames … TO)
  % whd
  % [2: % [2: @TRANSF | skip ] | skip ]
| %
] qed.


(* This is the statement for expression simulation copied from toCminorCorrectnessExpr.ma,
   for easier reference.
lemma eval_expr_sim :
  (* [cl_cm_inv] maps CL globals to CM globals, including functions *)
  ∀cl_cm_inv  : clight_cminor_inv.
  (* current function (defines local environment) *)
  ∀f          : function.
  ∀data       : clight_cminor_data f cl_cm_inv.
  (* clight expr to cminor expr *)
  (∀(e:expr).
   ∀(e':CMexpr (typ_of_type (typeof e))).
   ∀Hexpr_vars.
   translate_expr (alloc_type ?? data) e = OK ? («e', Hexpr_vars») →
   ∀cl_val,trace,Hyp_present.
   exec_expr (ge_cl … cl_cm_inv) (cl_env ?? data) (cl_m ?? data) e = OK ? 〈cl_val, trace〉 →
   ∃cm_val. eval_expr (ge_cm cl_cm_inv) (typ_of_type (typeof e)) e' (cm_env ?? data) Hyp_present (stackptr ?? data) (cm_m ?? data) = OK ? 〈trace, cm_val〉 ∧
            value_eq (E ?? data) cl_val cm_val) ∧
   (* clight /lvalue/ to cminor /expr/ *)
  (∀ed,ty.
   ∀(e':CMexpr ASTptr).
   ∀Hexpr_vars.
   translate_addr (alloc_type ?? data) (Expr ed ty) = OK ? («e', Hexpr_vars») →
   ∀cl_blo,cl_off,trace,Hyp_present.
   exec_lvalue' (ge_cl … cl_cm_inv) (cl_env ?? data) (cl_m ?? data) ed ty = OK ? 〈cl_blo, cl_off, trace〉 →
   ∃cm_val. eval_expr (ge_cm cl_cm_inv) ASTptr e' (cm_env ?? data) Hyp_present (stackptr ?? data) (cm_m ?? data) = OK ? 〈trace, cm_val〉 ∧
            value_eq (E ?? data) (Vptr (mk_pointer cl_blo cl_off)) cm_val).
*)

definition foo ≝ 3.

(* relate Clight continuations and Cminor ones. *)
inductive clight_cminor_cont_rel :
  ∀INV:  clight_cminor_inv.  (* stuff on global variables and functions (matching between CL and CM) *)
  ∀cl_f: function.           (* current Clight function *)
  internal_function →        (* current Cminor function *)
  clight_cminor_data cl_f INV → (* data for the current stack frame in CL and CM *)
  option typ →               (* optional target type - uniform over a given function *)
  cl_cont →                  (* CL cont *)
  cm_cont →                  (* CM cont *)
  Prop ≝
| ClCm_cont_stop:
  ∀INV, cl_f, cm_f, frame_data, target_type.
  clight_cminor_cont_rel INV cl_f cm_f frame_data target_type Kstop Kend
| ClCm_cont_seq:
  ∀INV, cl_f, cm_f, frame_data, target_type.
  ∀cl_s: statement.
  ∀cm_s: stmt.
  ∀cl_k':  cl_cont.
  ∀cm_k':  cm_cont.
  ∀stmt_univ, stmt_univ'.
  ∀lbl_univ, lbl_univ'.
  ∀lbls.
  ∀flag.
  ∀Htranslate_inv.
  translate_statement (alloc_type ?? frame_data) stmt_univ lbl_univ lbls flag target_type cl_s = OK ? «〈stmt_univ',lbl_univ',cm_s〉, Htranslate_inv» →
  clight_cminor_cont_rel INV cl_f cm_f frame_data target_type cl_k' cm_k' →
  clight_cminor_cont_rel INV cl_f cm_f frame_data target_type (ClKseq cl_s cl_k') (Kseq cm_s cm_k')
| ClCm_cont_while:
  (* Inductive family parameters *)
  ∀INV, cl_f, cm_f, frame_data, target_type.

  (* sub-continuations *)
  ∀cl_k': cl_cont.
  ∀cm_k': cm_cont.

  (* elements of the source while statement *)
  ∀sz,sg.
  ∀cl_cond_desc.
  ∀cl_body.

  (* elements of the converted while statement *)
  ∀cm_cond: CMexpr (ASTint sz sg).
  ∀cm_body.
  ∀entry,exit: identifier Label.
 
  (* universes used to generate fresh labels and variables *)  
  ∀stmt_univ, stmt_univ'.
  ∀lbl_univ, lbl_univ', lbl_univ''.
  ∀lbls: lenv.
  ∀Htranslate_inv.

  (* relate CL and CM expressions *)
  ∀Hexpr_vars.
  translate_expr (alloc_type ?? frame_data) (Expr cl_cond_desc (Tint sz sg)) = OK ? («cm_cond, Hexpr_vars») →

  (* Parameters and results to find_label_always *)
  ∀sInv: stmt_inv cm_f (cm_env ?? frame_data) (f_body cm_f).
  ∀Hinv.

  (* Specify how the labels for the while-replacing gotos are produced *)
  mklabels lbl_univ = 〈〈entry, exit〉, lbl_univ'〉 →
  translate_statement (alloc_type ?? frame_data) stmt_univ lbl_univ' lbls (ConvertTo entry exit) target_type cl_body = OK ? «〈stmt_univ',lbl_univ'',cm_body〉, Htranslate_inv» →
  find_label_always entry (f_body cm_f) Kend (proj2 … (proj1 … (proj1 … Hinv))) cm_f (cm_env ?? frame_data) sInv I =
    «〈St_label entry
          (St_seq
            (St_ifthenelse ?? cm_cond (St_seq cm_body (St_goto entry)) St_skip)
            (St_label exit St_skip)), cm_k'〉, Hinv» →
  clight_cminor_cont_rel INV cl_f cm_f frame_data target_type cl_k' cm_k' →
  clight_cminor_cont_rel INV cl_f cm_f frame_data target_type (Kwhile (Expr cl_cond_desc (Tint sz sg)) cl_body cl_k') (Kseq (St_goto entry) (Kseq (St_label exit St_skip) cm_k')).
  

(* The type of maps from labels to Clight continuations *)
(* definition label_map ≝ identifier_map SymbolTag cont. *)

(* Definition of the simulation relation on states. The orders of the parameters is dictated by
 * the necessity of performing an inversion on the continuation sim relation without having to
 * play the usual game of lapplying all previous dependent arguments.  *)
inductive clight_cminor_rel : clight_cminor_inv → Clight_state → Cminor_state → Prop ≝
| CMR_normal :
  (* Relates globals to globals and functions to functions. *)
  ∀INV:  clight_cminor_inv.
  
  (* ---- Statements ---- *)
  ∀cl_s: statement.                                       (* Clight statement *)  
  ∀cm_s: stmt.                                            (* Cminor statement *)

  (* ---- Continuations ---- *)
  ∀cl_k: cl_cont.                                      (* Clight continuation *)
  ∀cm_k: cm_cont.                                      (* Cminor continuation *)
  ∀cm_st: stack.                                              (* Cminor stack *)
  
  ∀cl_f: function.                               (* Clight enclosing function *) 
  ∀cm_f: internal_function.                             (* enclosing function *)
  ∀frame_data: clight_cminor_data cl_f INV. 
  (*∀alloctype:  var_types.*)                       (* map from var to alloc type *)
  ∀rettyp.                                     (* return type of the function *)
  
  (* ---- Relate Clight continuation to Cminor continuation ---- *)
  clight_cminor_cont_rel INV cl_f cm_f frame_data rettyp cl_k cm_k →

  (* ---- Other Cminor variables ---- *)
  ∀fInv: stmt_inv cm_f (cm_env ?? frame_data) (f_body cm_f).             (* Cminor invariants *)
  ∀sInv: stmt_inv cm_f (cm_env ?? frame_data) cm_s.
  ∀kInv: cont_inv cm_f (cm_env ?? frame_data) cm_k.

  (* ---- Relate return type variable to actual return type ---- *)
  rettyp = opttyp_of_type (fn_return cl_f) → 

  (* ---- specification of the contents of clight environment (needed for expr sim) ---- *)

  (* ---- relate Clight and Cminor functions ---- *)
  ∀func_univ: universe SymbolTag.
  ∀Hfresh_globals: globals_fresh_for_univ ? (globals INV) func_univ.
  ∀Hfresh_function: fn_fresh_for_univ cl_f func_univ.
  translate_function func_univ (globals INV) cl_f Hfresh_globals Hfresh_function = OK ? cm_f →

  (* ---- relate Clight and Cminor statements ---- *)
  ∀stmt_univ,stmt_univ': tmpgen (alloc_type ?? frame_data).
  ∀lbl_univ,lbl_univ':   labgen.
  ∀lbls:      lenv.
  ∀flag:      convert_flag.
  ∀Htranslate_inv.
  translate_statement (alloc_type ?? frame_data) stmt_univ lbl_univ lbls flag rettyp cl_s = OK ? «〈stmt_univ',lbl_univ',cm_s〉, Htranslate_inv» →
   
  clight_cminor_rel INV 
    (ClState cl_f cl_s cl_k (cl_env ?? frame_data) (cl_m ?? frame_data)) 
    (CmState cm_f cm_s (cm_env ?? frame_data) fInv sInv (cm_m ?? frame_data) (stackptr ?? frame_data) cm_k kInv cm_st).

lemma invert_assert : 
  ∀b. ∀P. assert b P → b = true ∧ P.
* #P whd in ⊢ (% → ?); #H
[ @conj try @refl @H
| @False_ind @H ]
qed.

lemma res_to_io :
  ∀A,B:Type[0]. ∀C. 
  ∀x: res A. ∀y.
  match x with
  [ OK v ⇒  Value B C ? v
  | Error m ⇒ Wrong … m ] = return y →
  x = OK ? y.
#A #B #C *
[ #x #y normalize nodelta whd in ⊢ ((???%) → ?); #Heq destruct (Heq) @refl
| #err #y normalize nodelta whd in ⊢ ((???%) → ?); #Heq destruct (Heq) ]
qed.


(* axiom clight_cminor_rel : clight_cminor_inv → Clight_state → Cminor_state → Prop. *)

(* Conjectured simulation results

   We split these based on the start state:
   
   1. ‘normal’ states take some [S n] normal steps and simulates them by [S m]
      normal steps in Cminor;
   2. call and return steps are simulated by a call/return step plus [m] normal
      steps (to copy stack allocated parameters / results); and
   3. lone cost label steps are simulates by a lone cost label step
   
   These should allow us to maintain enough structure to identify the Cminor
   subtrace corresponding to a measurable Clight subtrace.
 *)

definition clight_normal : Clight_state → bool ≝
λs. match Clight_classify s with [ cl_other ⇒ true | cl_jump ⇒ true | _ ⇒ false ].

definition cminor_normal : Cminor_state → bool ≝
λs. match Cminor_classify s with [ cl_other ⇒ true | cl_jump ⇒ true | _ ⇒ false ].


lemma clight_cminor_normal :
  ∀INV:clight_cminor_inv.
  ∀s1,s1',s2,tr.
  clight_cminor_rel INV s1 s1' →
  clight_normal s1 = true →
  ¬ Clight_labelled s1 →
  ∃n. after_n_steps (S n) … clight_exec (ge_cl INV) s1 (λs.clight_normal s ∧ ¬ Clight_labelled s) (λtr',s. 〈tr',s〉 = 〈tr,s2〉) →
  ∃m. after_n_steps (S m) … Cminor_exec (ge_cm INV) s1' (λs.cminor_normal s) (λtr',s2'.
    tr = tr' ∧
    clight_cminor_rel INV s2 s2'
  ).
#INV #s1 #s1' #s2 #tr #Hstate_rel #Hclight_normal #Hnot_labeleld
inversion Hstate_rel
#INV' #cl_s
(* case analysis on Clight statement *)
cases cl_s
[ 1: | 2: #lhs #rhs | 3: #retv #func #args | 4: #stm1 #stm2 | 5: #cond #iftrue #iffalse | 6: #cond #body
| 7: #cond #body | 8: #init #cond #step #body | 9,10: | 11: #retval | 12: #cond #switchcases | 13: #lab #body
| 14: #lab | 15: #cost #body ]
[ 1: (* Skip *)
     #cm_s #cl_k #cm_k #cm_st #cl_f #cm_f #frame_data #rettyp #Hcont_rel
     (* case analysis on continuation *)
     inversion Hcont_rel
     [ (* Kstop continuation *)
       (* simplifying the goal using outcome of the inversion *)
       #kINV #kcl_f #kcm_f #kframe_data #ktarget_type #Heq_INV
       #Heq_cl_f #Heq_cm_f #Heq_frame #Heq_rettyp #Heq_cl_k #Heq_cm_k  #_
       (* get rid of jmeqs and destruct *)
       lapply (jmeq_to_eq ??? Heq_INV) -Heq_INV #Heq_INV
       lapply (jmeq_to_eq ??? Heq_cl_f) -Heq_cl_f #Heq_cl_f
       destruct (Heq_INV Heq_cl_f)
       lapply (jmeq_to_eq ??? Heq_frame) -Heq_frame #Heq_frame
       lapply (jmeq_to_eq ??? Heq_cm_f) -Heq_cm_f #Heq_cm_f
       lapply (jmeq_to_eq ??? Heq_rettyp) -Heq_rettyp #Heq_rettypv
       lapply (jmeq_to_eq ??? Heq_cm_k) -Heq_cm_k #Heq_cm_k
       lapply (jmeq_to_eq ??? Heq_cl_k) -Heq_cl_k #Heq_cl_k
       destruct (Heq_frame Heq_cl_k Heq_cm_k Heq_cm_f Heq_rettyp)
       (* introduce everything *)
       #fInv #sInv #kInv
       #Htarget_type #func_univ #Hfresh_globals #Hfresh_function #Htranslate_function
       #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls
       #flag * * * * #Hstmt_inv #Hlabels_translated #Htmps_preserved
       #Hreturn_ok #Hlabel_wf
       (* reduce statement translation function *)
       whd in ⊢ ((??%?) → ?);
       #Heq_translate
       (* In this simple case, trivial translation *)
       destruct (Heq_translate)
       #Heq_INV' #Heq_s1 #Heq_s1'
       lapply (jmeq_to_eq ??? Heq_INV') -Heq_INV' #Heq_INV'
       lapply (jmeq_to_eq ??? Heq_s1) -Heq_s1 #Heq_s1
       lapply (jmeq_to_eq ??? Heq_s1') -Heq_s1' #Heq_s1'
       destruct (Heq_INV' Heq_s1 Heq_s1') #_
       (* unfold the clight execution *)
       %{0}
       whd in ⊢ (% → ?); whd in match (step io_out io_in clight_exec ??);
       inversion (fn_return kcl_f) normalize nodelta
       [ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
       | #structname #fieldspec | #unionname #fieldspec | #id ]
       #Hfn_return
       whd in ⊢ (% → ?);
       @False_ind
    | (* KSeq continuation *)
      #kINV #kcl_f #kcm_f #kframe_data #ktarget_type #kcl_s #kcm_s #kcl_k' #kcm_k'
      #kstmt_univ #kstmt_univ' #klbl_univ #klbl_univ' #klbls #kflag
      * * * * #kHstmt_inv #kHlabels_translated #kHtmps_preserved
      #kHreturn_ok #kHlabel_wf #kHeq_translate #kHcont_rel #_
      #Heq_INV #Heq_cl_f #Heq_cm_f #Heq_frame #Heq_rettyp #Heq_cl_k #Heq_cm_k  #_
      (* get rid of jmeqs and destruct *)
      lapply (jmeq_to_eq ??? Heq_INV) -Heq_INV #Heq_INV
      lapply (jmeq_to_eq ??? Heq_cl_f) -Heq_cl_f #Heq_cl_f
      destruct (Heq_INV Heq_cl_f)
      lapply (jmeq_to_eq ??? Heq_frame) -Heq_frame #Heq_frame
      lapply (jmeq_to_eq ??? Heq_cm_f) -Heq_cm_f #Heq_cm_f
      lapply (jmeq_to_eq ??? Heq_rettyp) -Heq_rettyp #Heq_rettypv
      lapply (jmeq_to_eq ??? Heq_cm_k) -Heq_cm_k #Heq_cm_k
      lapply (jmeq_to_eq ??? Heq_cl_k) -Heq_cl_k #Heq_cl_k
      destruct (Heq_frame Heq_cl_k Heq_cm_k Heq_cm_f Heq_rettyp)    
      #fInv #sInv #kInv #Hktarget_type
      #func_univ #Hfresh_globals #Hfresh_function #Htranslate_function 
      #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls
      #flag * * * * #Hstmt_inv #Hlabels_translated #Htmps_preserved
      #Hreturn_ok #Hlabel_wf
      (* reduce translation function and eliminate result *)
      (* In this simple case, trivial translation *)
      whd in ⊢ ((??%?) → ?); #Heq_translate
      destruct (Heq_translate)
      #Heq_INV' #Heq_s1 #Heq_s1'
      lapply (jmeq_to_eq ??? Heq_INV') -Heq_INV' #Heq_INV'
      lapply (jmeq_to_eq ??? Heq_s1) -Heq_s1 #Heq_s1
      lapply (jmeq_to_eq ??? Heq_s1') -Heq_s1' #Heq_s1' #_
      (* unfold the clight execution *)
      %{0}
      whd in ⊢ (% → ?); #Hassert
      cases (invert_assert ?? Hassert) -Hassert #Hclight_class
      cases (andb_inversion … Hclight_class) -Hclight_class
      #_ #Hnot_labelled whd in ⊢ (% → ?); #Heq destruct (Heq)
      %{0} whd in ⊢ %; @conj try @refl
      (* close simulation *)
      %1{kINV kHcont_rel ? ? Hfresh_globals Hfresh_function
         Htranslate_function kstmt_univ kstmt_univ' klbl_univ klbl_univ' klbls kflag}
      [ 3: @kHeq_translate | assumption ]
    | (* Kwhile continuation *)
      #kINV #kcl_f #kcm_f #kframe_data #ktarget_type
      #kcl_k' #kcm_k' #ksz #ksg #kcl_cond_desc #kcl_body #kcm_cond #kcm_body
      #kentry #kexit #kstmt_univ #kstmt_univ' #klbl_univ #klbl_univ' #klbl_univ''
      #klbls #kHtranslate_inv #kHexpr_vars #kHtranslate_expr #kfInv
      * * * * #kHentry_declared * * * *
      * * * #kHcond_vars_declared * * * *
      * * * #kHbody_inv * * *
      whd in ⊢ (% → ?); #kHentry_declared'
      * * * * * * * * *
      whd in ⊢ (% → ?); #kHexit_declared *
      * * * *
      #kHcont_inv #kHmklabels #kHeq_translate #kHfind_label #kHcont_rel #_
      #Heq_INV #Heq_cl_f #Heq_cm_f #Heq_frame #Heq_rettyp #Heq_cm_k #Heq_cl_k
      lapply (jmeq_to_eq ??? Heq_INV) -Heq_INV #Heq_INV
      lapply (jmeq_to_eq ??? Heq_cl_f) -Heq_cl_f #Heq_cl_f
      destruct (Heq_INV Heq_cl_f)      
      lapply (jmeq_to_eq ??? Heq_cm_f) -Heq_cm_f #Heq_cm_f
      lapply (jmeq_to_eq ??? Heq_frame) -Heq_frame #Heq_frame
      lapply (jmeq_to_eq ??? Heq_rettyp) -Heq_rettyp #Heq_rettyp
      lapply (jmeq_to_eq ??? Heq_cm_k) -Heq_cm_k #Heq_cm_k
      lapply (jmeq_to_eq ??? Heq_cl_k) -Heq_cl_k #Heq_cl_k #_
      destruct (Heq_cl_k Heq_cm_k Heq_cm_f Heq_frame Heq_rettyp)
      (* introduce state relation contents *)
      #fInv #sInv * whd in ⊢ (% → ?); * *
      whd in ⊢ (% → ?); * whd in ⊢ (% → ?); #Hlabel_defined * #kInv
      #Heq_rettyp
      #func_univ #Hfresh_globals #Hfresh_function #Htranslate_function 
      #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls
      #flag * * * * #Hstmt_inv #Hlabels_translated #Htmps_preserved
      #Hreturn_ok #Hlabel_wf
      (* reduce translation function and eliminate result *)
      (* In this simple case, trivial translation *)
      whd in ⊢ ((??%?) → ?); #Heq_translate
      destruct (Heq_translate)
      #Heq_INV' #Heq_s1 #Heq_s1'
      lapply (jmeq_to_eq ??? Heq_INV') -Heq_INV' #Heq_INV'
      lapply (jmeq_to_eq ??? Heq_s1) -Heq_s1 #Heq_s1
      lapply (jmeq_to_eq ??? Heq_s1') -Heq_s1' #Heq_s1' #_
      (* unfold the clight execution *)
      %{1} whd in ⊢ (% → ?); #Hawait
      cases (await_value_bind_inv … Hawait) -Hawait
      * #cl_val #cl_trace * #Hexec_cond #Hawait
      cases (await_value_bind_inv … Hawait) -Hawait
      #cond_outcome * #Hcond_outcome
      cases (eval_expr_sim … kframe_data) #Hsim_expr #_
      (* use simulation lemma on expressions *)
      lapply (Hsim_expr … kHtranslate_expr … kHcond_vars_declared … Hexec_cond) -Hsim_expr
      whd in match (typeof ?) in Hcond_outcome; cases cond_outcome in Hcond_outcome;
      #Hcond_outcome lapply (exec_bool_of_val_inversion … Hcond_outcome)
      * [ 2,4: * #ptr * #ty' * * #_ #Habsurd destruct (Habsurd) ]
      * [ 2,4: * #ty' * * #_ #Habsurd destruct (Habsurd) ]
      * #vsz * #vsg * #i * * #Hcl_val #Htype_eq destruct (Hcl_val Htype_eq)
      normalize nodelta #Hi_eq
      * #cm_val * #Hexec_cond_cm #Hvalue_eq #Hassert
      cases (invert_assert … Hassert) -Hassert #Handb
      cases (andb_inversion … Handb) -Handb #_ #HClight_not_labelled
      whd in ⊢ (% → ?); #Heq destruct (Heq)
      [ %{5} whd whd in ⊢ (??%?); normalize nodelta
        >kHfind_label -kHfind_label normalize nodelta
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        >Hexec_cond_cm normalize nodelta
        whd in match (m_bind ?????);
        >(value_eq_int_inversion … Hvalue_eq)
        whd in match (eval_bool_of_val ?); normalize nodelta
        <Hi_eq normalize nodelta
        whd @conj [ normalize >append_nil try @refl ]
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        %{??????? kframe_data ktarget_type Hcont_rel Heq_rettyp ??? Htranslate_function
          ??????? kHeq_translate}
      | %{6} whd whd in ⊢ (??%?); normalize nodelta
        >kHfind_label -kHfind_label normalize nodelta
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        >Hexec_cond_cm normalize nodelta
        whd in match (m_bind ?????);
        >(value_eq_int_inversion … Hvalue_eq)
        whd in match (eval_bool_of_val ?); normalize nodelta
        <Hi_eq normalize nodelta
        whd @conj [ normalize >append_nil >append_nil try @refl ]
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        %{??????? kframe_data ktarget_type kHcont_rel Heq_rettyp ??? Htranslate_function}
        try assumption
        [ @conj try @conj try @conj try @conj //
        | @refl ]
      ]
  (*| TODO: other continuations *)
    ]
| 2: (* Assign *)
     #cm_s #cl_k #cm_k #cm_st #cl_f #cm_f #frame_data #rettyp #Hcont_rel
     #fInv #sInv #kInv #Hrettyp #func_univ #Hfresh_globals #Hfresh_function
     #Htranslate_function #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls #flag
     * * * * #Hstmt_inv_cm #Huseless_hypothesis
      #Htmps_preserved #Hreturn_ok #Hlabel_wf     
     (* case-split on lhs in order to reduce lvalue production in Cminor *)
     cases lhs #lhs_ed #lhs_ty
     cases lhs_ed
     (* intro expr contents *)
     [ #sz #i | #var_id | #e1 | #e1 | #op #e1 |#op #e1 #e2 | #cast_ty #e1
     | #cond #iftrue #iffalse | #e1 #e2 | #e1 #e2 | #sizeofty | #e1 #field | #cost #e1 ]
     [ 2: #Htranslate_statement
          cases (bind_inversion ????? Htranslate_statement)
          * #cm_rhs #Hexpr_vars_rhs * #Htranslate_rhs #Htranslate_statement'
          cases (bind_inversion ????? Htranslate_statement')
          #lhs_dest * #Htranslate_lhs
          cases (bind2_eq_inversion ?????? Htranslate_lhs) -Htranslate_lhs
          #alloctype * #type_of_var * #Hlookup_var_success
          cases alloctype in Hlookup_var_success;
          normalize nodelta
          [ 1: (* Global *) #r
               #Hlookup_var_success whd in ⊢ ((???%) → ?); #Hlhs_dest_eq 
               destruct (Hlhs_dest_eq) normalize nodelta
               whd in match (proj1 ???); whd in match (proj2 ???);
               whd in ⊢ ((???%) → ?); #Heq destruct (Heq)
               #Heq_INV #Heq_s1 #Heq_s1'
               lapply (jmeq_to_eq ??? Heq_INV) -Heq_INV #Heq_INV
               lapply (jmeq_to_eq ??? Heq_s1) -Heq_s1 #Heq_s1
               lapply (jmeq_to_eq ??? Heq_s1') -Heq_s1' #Heq_s1'
               destruct (Heq_INV Heq_s1 Heq_s1') #_
               %{1} whd in ⊢ (% → ?); #Hawait
               cases (await_value_bind_inv … Hawait) -Hawait
               * * #cl_blo #cl_off #cl_tr * whd in ⊢ ((??%?) → ?);
               #Hexec_lvalue
               lapply (res_to_io ????? Hexec_lvalue) -Hexec_lvalue #Hexec_lvalue
               #Hawait
               cases (await_value_bind_inv … Hawait) -Hawait
               * #rhs_val #rhs_trace * #Hexec_rhs_trace #Hawait
               cases (await_value_bind_inv … Hawait) -Hawait
               #mem_after_store * #Hstore_value #Hawait
               lapply (opt_to_io_Value ?????? Hstore_value) -Hstore_value #Hstore_value
               -Htranslate_statement' -Htranslate_statement
               cases (invert_assert … Hawait) -Hawait #Handb
               cases (andb_inversion … Handb) -Handb #_ #HClight_not_labelled #Hawait               
               (* TODO: use the memory injection to handle the store,
                  use INV contents to match up CL global with CM one.
                  Note to self: globals should be exactly matched in CL and CM,
                  maybe memory_injection is not useful in this particular case,
                  only in Stack and Local cases.
                * *)
               @cthulhu
          | 2: (* Stack *) #n @cthulhu
          | 3: (* Local *) @cthulhu
          ]
     | *: (* memdest *) @cthulhu ]     
| *: @cthulhu
] qed.

axiom clight_cminor_call_return :
  ∀INV:clight_cminor_inv.
  ∀s1,s1',s2,tr.
  clight_cminor_rel INV s1 s1' →
  match Clight_classify s1 with [ cl_call ⇒ true | cl_return ⇒ true | _ ⇒ false ] →
  after_n_steps 1 … clight_exec (ge_cl INV) s1 (λs.true) (λtr',s. 〈tr',s〉 = 〈tr,s2〉) →
  ∃m. after_n_steps (S m) … Cminor_exec (ge_cm INV) s1' (λs.cminor_normal s) (λtr',s2'.
    tr = tr' ∧
    clight_cminor_rel INV s2 s2'
  ).

axiom clight_cminor_cost :
  ∀INV:clight_cminor_inv.
  ∀s1,s1',s2,tr.
  clight_cminor_rel INV s1 s1' →
  Clight_labelled s1 →
  after_n_steps 1 … clight_exec (ge_cl INV) s1 (λs.true) (λtr',s. 〈tr',s〉 = 〈tr,s2〉) →
  after_n_steps 1 … Cminor_exec (ge_cm INV) s1' (λs.true) (λtr',s2'.
    tr = tr' ∧
    clight_cminor_rel INV s2 s2'
  ).

axiom clight_cminor_init : ∀cl_program,cm_program,s,s'.
  clight_to_cminor cl_program = OK ? cm_program →
  make_initial_state ?? clight_fullexec cl_program = OK ? s →
  make_initial_state ?? Cminor_fullexec cm_program = OK ? s' →
  ∃INV. clight_cminor_rel INV s s'.