source: src/Clight/toCminorCorrectness.ma @ 2745

include "Clight/toCminor.ma".
include "Clight/CexecInd.ma".
include "common/Globalenvs.ma".
include "Clight/memoryInjections.ma".
include "Clight/Clight_abstract.ma".
include "Cminor/Cminor_abstract.ma".
include "common/Measurable.ma".

(* Expr simulation. Contains important definitions for statements, too.  *)
include "Clight/toCminorCorrectnessExpr.ma".

(* When we characterise the local Clight variables, those that are stack
   allocated are given disjoint regions of the stack. *)
lemma characterise_vars_disjoint : ∀globals,f,vartypes,stacksize,id,n,ty.
  characterise_vars globals f = 〈vartypes, stacksize〉 →
  lookup ?? vartypes id = Some ? 〈Stack n,ty〉 →
  ∀id',n',ty'. id ≠ id' →
  lookup ?? vartypes id' = Some ? 〈Stack n',ty'〉 →
  n' + sizeof ty' ≤ n ∨ n + sizeof ty ≤ n'.
#globals * #ret #args #vars #body #vartypes #stacksize #id #n #ty
whd in ⊢ (??%? → ?);
generalize in match vartypes; -vartypes
generalize in match stacksize; -stacksize
elim (args@vars)
[ #stacksize #vartypes #CHAR #L @⊥ whd in CHAR:(??%?); destruct
  elim globals in L;
  [ normalize #L destruct
  | * * #id' #r #ty' #tl #IH
    whd in match (foldr ?????);
    #L cases (lookup_add_cases ??????? L)
    [ * #E1 #E2 destruct
    | @IH
    ]
  ]
| * #id1 #ty1 #tl #IH #stacksize #vartypes
  whd in match (foldr ?????);
  (* Avoid writing out the definition again *)
  letin ih ≝ (foldr ? (Prod ??) ?? tl) in IH ⊢ %;
  lapply (refl ? ih) whd in match ih; -ih
  cases (foldr ? (Prod ??) ?? tl) in ⊢ (???% → %);
  #vartypes' #stack' #FOLD #IH
  whd in ⊢ (??(match % with [_⇒?])? → ?);
  cases (orb ??)
  #CHAR whd in CHAR:(??%?); destruct
  #L cases (lookup_add_cases ??????? L)
  [ 1,3: * #E1 #E2 destruct
    #id' #n' #ty' #NE >lookup_add_miss /2/
    #L' %1 -L -IH
    generalize in match vartypes' in FOLD L' ⊢ %; -vartypes'
    generalize in match stack'; -stack'
    elim tl
    [ #stack' #vartypes2 whd in ⊢ (??%? → ?); #F destruct #L' @⊥
      elim globals in L';
      [ normalize #E destruct
      | * * #id2 #r2 #ty2 #tl2 #IH whd in match (foldr ?????);
        #L cases (lookup_add_cases ??????? L)
        [ * #E1 #E2 destruct
        | @IH
        ]
      ]
    | * #id2 #ty2 #tl2 #IH #stack' #vartypes'
      whd in ⊢ (??%? → ?); cases (foldr ? (Prod ??) ???) in IH ⊢ %;
      #vartypes2 #stack2 #IH
      whd in ⊢ (??%? → ?);
      cases (orb ??)
      [ #E whd in E:(??%?); destruct #L cases (lookup_add_cases ??????? L)
        [ * #E1 #E2 destruct //
        | #L'' lapply (IH ?? (refl ??) L'') /2/
        ]
      | #E whd in E:(??%?); destruct #L cases (lookup_add_cases ??????? L)
        [ * #E1 #E2 destruct
        | #L'' lapply (IH ?? (refl ??) L'') /2/
        ]
      ]
    ]
  | -L #L #id' #n' #ty' #NE #L'
    cases (lookup_add_cases ??????? L')
    [ * #E1 #E2 destruct
      %2 -IH -L'
      generalize in match vartypes' in FOLD L; -vartypes'
      generalize in match stack'; -stack'
      elim tl
      [ #stack' #vartypes' whd in ⊢ (??%? → ?); #F destruct #L @⊥
        elim globals in L;
        [ normalize #E destruct
        | * * #id1 #r1 #ty1 #tl1 #IH whd in match (foldr ?????);
          #L cases (lookup_add_cases ??????? L)
          [ * #E1 #E2 destruct
          | @IH
          ]
        ]
      | * #id1 #ty1 #tl1 #IH #stack' #vartypes'
        whd in ⊢ (??%? → ?); cases (foldr ? (Prod ??) ???) in IH ⊢ %;
        #vartypes2 #stack2 #IH
        whd in ⊢ (??%? → ?);
        cases (orb ??)
        #E whd in E:(??%?); destruct
        #L cases (lookup_add_cases ??????? L)
        [ 1,3: * #E1 #E2 destruct //
        | 2,4: #L' lapply (IH ?? (refl ??) L') /2/
        ]
      ]
    | @(IH … (refl ??) L … NE)
    ]
  | -L #L #id' #n' #ty' #NE #L'
    cases (lookup_add_cases ??????? L')
    [ * #E1 #E2 destruct
    | @(IH … (refl ??) L … NE)
    ]
  ]
] qed.

(* And everything is in the stack frame. *)

lemma characterise_vars_in_range : ∀globals,f,vartypes,stacksize,id,n,ty.
  characterise_vars globals f = 〈vartypes, stacksize〉 →
  lookup ?? vartypes id = Some ? 〈Stack n,ty〉 →
  n + sizeof ty ≤ stacksize.
#globals * #ret #args #vars #body whd in match (characterise_vars ??);
elim (args@vars)
[ #vartypes #stacksize #id #n #ty #FOLD #L @⊥
  whd in FOLD:(??%?); destruct elim globals in L;
  [ #E normalize in E; destruct
  | * * #id' #r' #ty' #tl' #IH
    whd in match (foldr ?????); #L cases (lookup_add_cases ??????? L)
    [ * #E1 #E2 destruct
    | @IH
    ]
  ]
| * #id' #ty' #tl #IH #vartypes #stacksize #id #n #ty
  whd in match (foldr ?????); cases (foldr ? (Prod ??) ???) in IH ⊢ %;
  #vartypes' #stackspace' #IH
  whd in ⊢ (??(match % with [_⇒?])? → ?);
  cases (orb ??) whd in ⊢ (??%? → ?);
  #E destruct #L cases (lookup_add_cases ??????? L)
  [ 1,3: * #E1 #E2 destruct //
  | 2,4: #L' lapply (IH … (refl ??) L') /2/
  ]
] qed.



(* Put knowledge that Globals are global into a more useful form than the
   one used for the invariant. *)   
(* XXX superfluous lemma ? Commenting it for now. 
       if not superfluous : move to toCminorCorrectnessExpr.ma, after
       [characterise_vars_localid] *)
(*
lemma characterise_vars_global : ∀globals,f,vartypes,stacksize.
  characterise_vars globals f = 〈vartypes, stacksize〉 →
  ∀id,r,ty. lookup' vartypes id = OK ? 〈Global r,ty〉 →
  Exists ? (λx.x = 〈〈id,r〉,ty〉) globals ∧
  ¬ Exists ? (λx. \fst x = id) (fn_params f @ fn_vars f).
#globals #f #vartypes #stacksize #CHAR #id #r #ty #L
cases (characterise_vars_src … CHAR id ?)
[ * #r' * #ty' >L
  * #E1 destruct (E1) #EX
  %
  [ @EX
  | % #EX' cases (characterise_vars_localid … CHAR EX')
    #ty' whd in ⊢ (% → ?); >L *
  ]
| * #ty' whd in ⊢ (% → ?); >L *
| whd >(opt_eq_from_res ???? L) % #E destruct
] qed. *)

(* Show how the global environments match up. *)

lemma map_partial_All_to_All2 : ∀A,B,P,f,l,H,l'.
  map_partial_All A B P f l H = OK ? l' →
  All2 ?? (λa,b. ∃p. f a p = OK ? b) l l'.
#A #B #P #f #l
elim l
[ #H #l' #MAP normalize in MAP; destruct //
| #h #t #IH * #p #H #l'
  whd in ⊢ (??%? → ?);
  lapply (refl ? (f h p)) whd in match (proj1 ???);
  cases (f h p) in ⊢ (???% → %);
  [ #b #E #MAP cases (bind_inversion ????? MAP)
    #tl' * #MAP' #E' normalize in E'; destruct
    % [ %{p} @E | @IH [ @H | @MAP' ] ]
  | #m #_ #X normalize in X; destruct
  ]
] qed.
  

definition clight_cminor_matching : clight_program → matching ≝
λp.
  let tmpuniverse ≝ universe_for_program p in
  let fun_globals ≝ map ?? (λidf. 〈\fst idf,Code,type_of_fundef (\snd idf)〉) (prog_funct ?? p) in
  let var_globals ≝ map ?? (λv. 〈\fst (\fst v), \snd (\fst v), \snd (\snd v)〉) (prog_vars ?? p) in
  let globals ≝ fun_globals @ var_globals in
  mk_matching
    ?? (list init_data × type) (list init_data)
    (λvs,f_clight,f_cminor. ∃H1,H2. translate_fundef tmpuniverse globals H1 f_clight H2 = OK ? f_cminor)
    (λv,w. \fst v = w).

lemma clight_to_cminor_varnames : ∀p,p'.
  clight_to_cminor p = OK ? p' →
  prog_var_names … p = prog_var_names … p'.
* #vars #fns #main * #vars' #fns' #main'
#TO cases (bind_inversion ????? TO) #fns'' * #MAP #E
whd in E:(??%%); destruct
-MAP normalize
elim vars
[ //
| * * #id #r * #d #t #tl #IH normalize >IH //
] qed.

lemma clight_to_cminor_matches : ∀p,p'.
  clight_to_cminor p = OK ? p' →
  match_program (clight_cminor_matching p) p p'.
* #vars #fns #main * #vars' #fns' #main'
#TO cases (bind_inversion ????? TO) #fns'' * #MAP #E
whd in E:(??%%); destruct
%
[ -MAP whd in match (m_V ?); whd in match (m_W ?);
  elim vars
  [ //
  | * * #id #r * #init #ty #tl #IH %
    [ % //
    | @(All2_mp … IH) * * #a #b * #c #d * * #e #f #g * /2/
    ]
  ]
| @(All2_mp … (map_partial_All_to_All2 … MAP)) -MAP
  * #id #f * #id' #f' * #H #F cases (bind_inversion ????? F) #f'' * #TRANSF #E
  normalize in E; destruct
  <(clight_to_cminor_varnames … TO)
  % whd
  % [2: % [2: @TRANSF | skip ] | skip ]
| %
] qed.

(* A measure on Clight states that is decreasing along execution sequences *)

(* statements *)
let rec measure_Clight_statement (s : statement) : ℕ ≝
match s with
[ Sskip ⇒ 0
| Ssequence s1 s2 ⇒
  measure_Clight_statement s1 + measure_Clight_statement s2 + 1
| Sifthenelse e s1 s2 =>
  measure_Clight_statement s1 + measure_Clight_statement s2 + 1
| Swhile e s => 
  measure_Clight_statement s + 1
| Sdowhile e s =>
  measure_Clight_statement s + 1
| Sfor s1 e s2 s3 => 
  measure_Clight_statement s1 + 
  measure_Clight_statement s2 +
  measure_Clight_statement s3 + 1
| Sswitch e ls =>
  measure_Clight_ls ls + 1
| Slabel l s => 
  measure_Clight_statement s + 1
| Scost cl s =>
  measure_Clight_statement s + 1
| _ => 1
]
and measure_Clight_ls (ls : labeled_statements) : ℕ :=
match ls with
[ LSdefault s =>
  measure_Clight_statement s
| LScase sz i s ls =>
  measure_Clight_statement s +
  measure_Clight_ls ls
].

(* continuations *)
let rec measure_Clight_cont (cont : cl_cont) : ℕ ≝
match cont with
[ Kstop => 0
| Kseq s k =>
  measure_Clight_statement s +
  measure_Clight_cont k + 1
| Kwhile e s k =>
  measure_Clight_statement s +
  measure_Clight_cont k + 1
| Kdowhile e s k => 
  measure_Clight_statement s +
  measure_Clight_cont k + 1
| Kfor2 e s1 s2 k => 
  measure_Clight_statement s1 +
  measure_Clight_statement s2 +
  measure_Clight_cont k + 1
| Kfor3 e s1 s2 k =>
  measure_Clight_statement s1 +
  measure_Clight_statement s2 +
  measure_Clight_cont k + 1
| Kswitch k =>
  measure_Clight_cont k + 1
| Kcall retaddr f e k =>
  measure_Clight_statement (fn_body f) +
  measure_Clight_cont k + 1
].

(* Shamelessly copying Compcert. *)
definition measure_Clight : Clight_state → ℕ × ℕ ≝
λstate.
match state with
[ State f s k e m ⇒
  〈measure_Clight_statement s + measure_Clight_cont k + 1, measure_Clight_statement s + 1〉
| Callstate fb fd args k m ⇒ 〈0, 0〉
| Returnstate res k m ⇒ 〈0, 0〉
| Finalstate r ⇒ 〈0, 0〉
].

(* Stuff on lexicographic orders *)
definition lexicographic : ∀A:Type[0]. (A → A → Prop) → A × A → A × A → Prop ≝
λA,Ord, x, y.
  let 〈xa, xb〉 ≝ x in
  let 〈ya, yb〉 ≝ y in
  Ord xa ya ∨ (xa = ya ∧ Ord xb yb).

definition lex_lt ≝ lexicographic nat lt.


(* relate Clight continuations and Cminor ones. *)
inductive clight_cminor_cont_rel :
  ∀cl_ge, cm_ge.
  ∀INV:  clight_cminor_inv cl_ge cm_ge.     (* stuff on global variables and functions (matching between CL and CM) *)
  ∀cl_f: function.                          (* current Clight function *)
  internal_function →                       (* current Cminor function *)
  clight_cminor_data cl_f cl_ge cm_ge INV → (* data for the current stack frame in CL and CM *)
  option typ →                              (* optional target type - uniform over a given function *)
  cl_cont →                                 (* CL cont *)
  cm_cont →                                 (* CM cont *)
  Prop ≝
| ClCm_cont_stop:
  ∀cl_ge, cm_ge, INV, cl_f, cm_f, frame_data, target_type.
  clight_cminor_cont_rel cl_ge cm_ge INV cl_f cm_f frame_data target_type Kstop Kend
| ClCm_cont_seq:
  ∀cl_ge, cm_ge, INV, cl_f, cm_f, frame_data, target_type.
  ∀cl_s: statement.
  ∀cm_s: stmt.
  ∀cl_k':  cl_cont.
  ∀cm_k':  cm_cont.
  ∀stmt_univ, stmt_univ'.
  ∀lbl_univ, lbl_univ'.
  ∀lbls.
  ∀flag.
  ∀Htranslate_inv.
  translate_statement (alloc_type … frame_data) stmt_univ lbl_univ lbls flag target_type cl_s = OK ? «〈stmt_univ',lbl_univ',cm_s〉, Htranslate_inv» →
  clight_cminor_cont_rel cl_ge cm_ge INV cl_f cm_f frame_data target_type cl_k' cm_k' →
  clight_cminor_cont_rel cl_ge cm_ge INV cl_f cm_f frame_data target_type (ClKseq cl_s cl_k') (Kseq cm_s cm_k')
| ClCm_cont_while:
  (* Inductive family parameters *)
  ∀cl_ge, cm_ge, INV, cl_f, cm_f, frame_data, target_type.

  (* sub-continuations *)
  ∀cl_k': cl_cont.
  ∀cm_k': cm_cont.

  (* elements of the source while statement *)
  ∀sz,sg.
  ∀cl_cond_desc.
  ∀cl_body.

  (* elements of the converted while statement *)
  ∀cm_cond: CMexpr (ASTint sz sg).
  ∀cm_body.
  ∀entry,exit: identifier Label.
 
  (* universes used to generate fresh labels and variables *)  
  ∀stmt_univ, stmt_univ'.
  ∀lbl_univ, lbl_univ', lbl_univ''.
  ∀lbls: lenv.
  ∀Htranslate_inv.

  (* relate CL and CM expressions *)
  ∀Hexpr_vars.
  translate_expr (alloc_type … frame_data) (Expr cl_cond_desc (Tint sz sg)) = OK ? («cm_cond, Hexpr_vars») →

  (* Parameters and results to find_label_always *)
  ∀sInv: stmt_inv cm_f (cm_env … frame_data) (f_body cm_f).
  ∀Hinv.

  (* Specify how the labels for the while-replacing gotos are produced *)
  mklabels lbl_univ = 〈〈entry, exit〉, lbl_univ'〉 →
  translate_statement (alloc_type … frame_data) stmt_univ lbl_univ' lbls (ConvertTo entry exit) target_type cl_body = OK ? «〈stmt_univ',lbl_univ'',cm_body〉, Htranslate_inv» →
  find_label_always entry (f_body cm_f) Kend (proj2 … (proj1 … (proj1 … Hinv))) cm_f (cm_env … frame_data) sInv I =
    «〈St_label entry
          (St_seq
            (St_ifthenelse ?? cm_cond (St_seq cm_body (St_goto entry)) St_skip)
            (St_label exit St_skip)), cm_k'〉, Hinv» →
  clight_cminor_cont_rel cl_ge cm_ge INV cl_f cm_f frame_data target_type cl_k' cm_k' →
  clight_cminor_cont_rel cl_ge cm_ge INV cl_f cm_f frame_data target_type (Kwhile (Expr cl_cond_desc (Tint sz sg)) cl_body cl_k') (Kseq (St_goto entry) (Kseq (St_label exit St_skip) cm_k')).

(* Definition of the simulation relation on states. The orders of the parameters is dictated by
 * the necessity of performing an inversion on the continuation sim relation without having to
 * play the usual game of lapplying all previous dependent arguments.  *)
inductive clight_cminor_rel : ∀cl_ge, cm_ge. clight_cminor_inv cl_ge cm_ge  → Clight_state → Cminor_state → Prop ≝
| CMR_normal :
  ∀cl_ge, cm_ge.
  (* Relates globals to globals and functions to functions. *)
  ∀INV:  clight_cminor_inv cl_ge cm_ge.
  
  (* ---- Statements ---- *)
  ∀cl_s: statement.                                       (* Clight statement *)  
  ∀cm_s: stmt.                                            (* Cminor statement *)

  (* ---- Continuations ---- *)
  ∀cl_k: cl_cont.                                      (* Clight continuation *)
  ∀cm_k: cm_cont.                                      (* Cminor continuation *)
  ∀cm_st: stack.                                              (* Cminor stack *)
  
  ∀cl_f: function.                               (* Clight enclosing function *) 
  ∀cm_f: internal_function.                             (* enclosing function *)
  ∀frame_data: clight_cminor_data cl_f ?? INV. 
  ∀rettyp.                                     (* return type of the function *)
  
  (* ---- Relate Clight continuation to Cminor continuation ---- *)
  clight_cminor_cont_rel cl_ge cm_ge INV cl_f cm_f frame_data rettyp cl_k cm_k →

  (* ---- Other Cminor variables ---- *)
  ∀fInv: stmt_inv cm_f (cm_env … frame_data) (f_body cm_f).             (* Cminor invariants *)
  ∀sInv: stmt_inv cm_f (cm_env … frame_data) cm_s.
  ∀kInv: cont_inv cm_f (cm_env … frame_data) cm_k.

  (* ---- Relate return type variable to actual return type ---- *)
  rettyp = opttyp_of_type (fn_return cl_f) → 

  (* ---- specification of the contents of clight environment (needed for expr sim) ---- *)

  (* ---- relate Clight and Cminor functions ---- *)
  ∀func_univ: universe SymbolTag.
  ∀Hfresh_globals: globals_fresh_for_univ ? (globals ?? INV) func_univ.
  ∀Hfresh_function: fn_fresh_for_univ cl_f func_univ.
  translate_function func_univ (globals ?? INV) cl_f Hfresh_globals Hfresh_function = OK ? cm_f →

  (* ---- relate Clight and Cminor statements ---- *)
  ∀stmt_univ,stmt_univ': tmpgen (alloc_type … frame_data).
  ∀lbl_univ,lbl_univ':   labgen.
  ∀lbls:      lenv.
  ∀flag:      convert_flag.
  ∀Htranslate_inv.
  translate_statement (alloc_type … frame_data) stmt_univ lbl_univ lbls flag rettyp cl_s = OK ? «〈stmt_univ',lbl_univ',cm_s〉, Htranslate_inv» →
   
  clight_cminor_rel cl_ge cm_ge INV 
    (ClState cl_f cl_s cl_k (cl_env … frame_data) (cl_m … frame_data)) 
    (CmState cm_f cm_s (cm_env … frame_data) fInv sInv (cm_m … frame_data) (stackptr … frame_data) cm_k kInv cm_st)

| CMR_return :
  ∀cl_ge, cm_ge, cl_f.
  ∀INV:  clight_cminor_inv cl_ge cm_ge.
  ∀frame_data: clight_cminor_data cl_f ?? INV.
  ∀cl_mem, cm_mem.
  cl_mem = cl_m … frame_data →
  cm_mem = cm_m … frame_data →
  ∀cm_st: stack.                                              (* Cminor stack *)
  clight_cminor_rel cl_ge cm_ge INV
    (ClReturnstate Vundef Kstop cl_mem)
    (CmReturnstate (None val) cm_mem cm_st)
    
| CMR_call :
 ∀cl_ge, cm_ge, cl_f, cm_f.
 ∀INV: clight_cminor_inv cl_ge cm_ge.
 ∀frame_data: clight_cminor_data cl_f cl_ge cm_ge INV.
 ∀u: universe SymbolTag.
 ∀cl_fundef, cm_fundef.
 ∀Hglobals_fresh: globals_fresh_for_univ type (globals cl_ge cm_ge INV) u.
 ∀Hfundef_fresh:  fd_fresh_for_univ cl_fundef u.
 ∀rettyp. rettyp = opttyp_of_type (fn_return cl_f) →
 ∀cl_k, cm_k.
 clight_cminor_cont_rel cl_ge cm_ge INV cl_f cm_f frame_data rettyp cl_k cm_k →
 ∀fblock.
 match cl_fundef with
 [ CL_Internal cl_function ⇒
   find_funct clight_fundef cl_ge (Vptr (mk_pointer fblock zero_offset)) = Some ? (CL_Internal cl_function) ∧
   find_funct (fundef internal_function) cm_ge (Vptr (mk_pointer fblock zero_offset)) = Some ? cm_fundef ∧
   translate_fundef u (globals ?? INV) Hglobals_fresh cl_fundef Hfundef_fresh = OK ? cm_fundef
 | CL_External name argtypes rettype ⇒
   True
 ] →
 ∀fptr_block.
 ∀sInv, fInv, kInv.
 ∀cl_args_values, cm_args_values.
 (* TODO: add invariant All2 value_eq cl_args_values cm_args_values *)
 ∀cm_stack.
 clight_cminor_rel cl_ge cm_ge INV
  (ClCallstate (Vptr (mk_pointer fptr_block zero_offset))
   cl_fundef cl_args_values
   (Kcall (None (block×offset×type)) cl_f (cl_env ???? frame_data) cl_k)
   (cl_m ???? frame_data))
  (CmCallstate (Vptr (mk_pointer fptr_block zero_offset)) cm_fundef
   cm_args_values (cm_m ???? frame_data)
   (Scall (None (ident×typ)) cm_f (stackptr ???? frame_data) (cm_env ???? frame_data) sInv fInv cm_k kInv cm_stack)).

definition clight_normal : Clight_state → bool ≝
λs. match Clight_classify s with [ cl_other ⇒ true | cl_jump ⇒ true | _ ⇒ false ].

definition cminor_normal : Cminor_state → bool ≝
λs. match Cminor_classify s with [ cl_other ⇒ true | cl_jump ⇒ true | _ ⇒ false ].

definition cl_pre : preclassified_system ≝
  mk_preclassified_system
    clight_fullexec
    (λg. Clight_labelled)
    (λg. Clight_classify)
    (λf,g,s,H. 0). (* XXX TODO *)

definition cm_pre : preclassified_system ≝
  mk_preclassified_system
    Cminor_fullexec
    (λg. Cminor_labelled)
    (λg. Cminor_classify)
    (λf,g,s,H. 0).   (* XXX TODO *)

(* Auxilliary lemmas. *)

lemma invert_assert : 
  ∀b. ∀P. assert b P → b = true ∧ P.
* #P whd in ⊢ (% → ?); #H
[ @conj try @refl @H
| @False_ind @H ]
qed.

lemma res_to_io :
  ∀A,B:Type[0]. ∀C. 
  ∀x: res A. ∀y.
  match x with
  [ OK v ⇒  Value B C ? v
  | Error m ⇒ Wrong … m ] = return y →
  x = OK ? y.
#A #B #C *
[ #x #y normalize nodelta whd in ⊢ ((???%) → ?); #Heq destruct (Heq) @refl
| #err #y normalize nodelta whd in ⊢ ((???%) → ?); #Heq destruct (Heq) ]
qed.

lemma jmeq_absorb : ∀A:Type[0]. ∀a,b: A. ∀P:Prop. (a = b → P) → a ≃ b → P.
#A #a #b #P #H #Heq lapply (jmeq_to_eq ??? Heq) #Heq' @H @Heq' qed.

(* wrap up some trivial bit of reasoning to alleviate strange destruct behaviour *)
lemma pair_eq_split : 
  ∀A,B:Type[0]. ∀a1,a2:A. ∀b1,b2:B. 
  〈a1,b1〉 = 〈a2, b2〉 →
  a1 = a2 ∧ b1 = b2.
#A #B #a1 #a2 #b1 #b2 #Heq destruct (Heq) @conj try @refl
qed.

lemma ok_eq_ok_destruct :
  ∀A:Type[0]. ∀a,b:A. OK ? a = OK ? b → a = b.
#H1 #H2 #H3 #H4 destruct @refl qed.

lemma sigma_eq_destruct  : ∀A:Type[0]. ∀a,b:A. ∀P: A → Prop. ∀Ha: P a. ∀Hb: P b.  «a, Ha» = «b,Hb» → a = b ∧ Ha ≃ Hb.
#A #a #b #P #Ha #Hb #Heq destruct (Heq)
@conj try %
qed.

(* inverting find_funct and find_funct_ptr *)
lemma find_funct_inversion : 
  ∀F: Type[0]. ∀ge: genv_t F. ∀v: val. ∀res: F.
      find_funct F ge v = Some ? res →
      (∃ptr. v = Vptr ptr ∧
            (poff ptr) = zero_offset ∧
            block_region (pblock ptr) = Code ∧
            (∃p. block_id (pblock ptr) = neg p ∧
                 lookup_opt … p (functions … ge) = Some ? res)).
#F #ge #v #res
cases v
[ | #sz #i | | #ptr ]
whd in ⊢ ((??%?) → ?);
#Heq destruct (Heq)
%{ptr} @conj try @conj try @conj try @refl
lapply Heq -Heq
@(eq_offset_elim … (poff ptr) zero_offset) //
normalize nodelta
[ 1,3,5: #_ #Habsurd destruct (Habsurd) ]
#Heq destruct (Heq)
whd in ⊢ ((??%?) → ?);
cases ptr #blo #off cases (block_region blo) normalize nodelta
[ 1,3: #Habsurd destruct (Habsurd) ]
[ // ]
cases (block_id blo) normalize nodelta
[ #Habsurd destruct (Habsurd) | #p #Habsurd destruct (Habsurd) ]
#p #Hlookup %{p} @conj try @refl assumption
qed.

(* We should be able to prove that ty = ty' with some more hypotheses, if needed. *)
lemma translate_dest_id_inversion :
  ∀var_types, e, var_id, ty,H.
   translate_dest var_types e = return IdDest var_types var_id ty H →
   e = Expr (Evar var_id) (typeof e).
@cthulhu
(*   
#vars #e #var_id #ty #H
cases e #ed #ty'
cases ed
[ #sz #i | #id | #e1 | #e1 | #op #e1 |#op #e1 #e2 | #cast_ty #e1
| #cond #iftrue #iffalse | #e1 #e2 | #e1 #e2 | #sizeofty | #e1 #field | #cost #e1 ]
whd in ⊢ ((??%%) → ?);
#Heq
[ 1,4,5,6,7,8,9,10,11,13: destruct (Heq)
| 3,12: cases (bind_inversion ????? Heq) * #H1 #H2 #H3 cases H3
        #_ whd in ⊢ ((??%%) → ?); #Heq destruct (Heq) ]
lapply Heq -Heq
change with (bind2_eq ????? ) in ⊢ ((??%?) → ?); #Heq
cases (bind2_eq_inversion ?????? Heq)
#alloctype
(* * #alloctype *) * #typ' *
cases alloctype
[ #r | #n | ] normalize nodelta #Hlookup'
[ 1,2: whd in ⊢ ((??%%) → ?); #Heq destruct (Heq) ]
whd in ⊢ ((??%%) → ?); #Heq' destruct (Heq')
@refl*)
qed.


(* Note: duplicate in switchRemoval.ma *)
lemma fresh_elim : ∀u. ∃fv',u'. fresh SymbolTag u = 〈fv', u'〉. #u /3 by ex_intro/ qed.

lemma breakup_dependent_match_on_pairs :
 ∀A,B,C: Type[0].
 ∀term: A × B.
 ∀F: ∀x,y. 〈x, y〉 = term → C.
 ∀z:C.
 match term
 return λx.x = term → ? with 
 [ mk_Prod x y ⇒ λEq. F x y Eq ] (refl ? term) = z →
 ∃xa,xb,H. term = 〈xa, xb〉 ∧
           F xa xb H = z.
#A #B #C * #xa #xb #F #z normalize nodelta #H %{xa} %{xb} %{(refl ??)} @conj try @conj
// qed.


lemma translate_expr_sigma_welltyped : ∀vars, cl_expr, cm_expr.
  translate_expr_sigma vars cl_expr = OK ? cm_expr →
  dpi1 ?? (pi1 ?? cm_expr) = typ_of_type (typeof cl_expr).
#vars #cl_expr * * #typ #cm_expr normalize nodelta #Hexpr_vars
whd in ⊢ ((??%?) → ?); #H
cases (bind_inversion ????? H) -H * #cm_expr' #Hexpr_vars' *
#Htranslate_expr
whd in ⊢ ((??%%) → ?); #Heq destruct (Heq) @refl
qed.

lemma translate_exprlist_sigma_welltyped :
  ∀vars, cl_exprs, cm_exprs.
  mmap_sigma ??? (translate_expr_sigma vars) cl_exprs = OK ? cm_exprs →
  All2 ?? (λcl, cm. dpi1 ?? cm = typ_of_type (typeof cl)) cl_exprs (pi1 ?? cm_exprs).
#vars #cl_exprs
elim cl_exprs
[ * #cm_exprs #Hall whd in ⊢ ((??%?) → ?); #Heq destruct (Heq) @I
| #hd #tl #Hind * #cm_exprs #Hall #H
  cases (bind_inversion ????? H) -H
  * * #cm_typ #cm_expr normalize nodelta
  #Hexpr_vars_cm * #Htranslate_hd
  lapply (translate_expr_sigma_welltyped … Htranslate_hd)
  #Heq_cm_typ #H
  cases (bind_inversion ????? H) -H
  #cm_tail lapply (Hind cm_tail) cases cm_tail
  #cm_tail_expr #Hall_tail -Hind #Hind * #Heq_cm_tail normalize nodelta
   whd in ⊢ ((??%%) → ?); #Heq destruct (Heq) whd @conj
   [ @Heq_cm_typ
   | @Hind assumption ]
] qed.

lemma translate_dest_MemDest_simulation :
  ∀f.
  ∀cl_ge : genv_t clight_fundef.
  ∀cm_ge : genv_t (fundef internal_function).
  ∀INV   : clight_cminor_inv cl_ge cm_ge.
  ∀frame_data : clight_cminor_data f cl_ge cm_ge INV.
  ∀cl_expr. ∀cm_expr. 
  ∀cl_block, cl_offset, trace.
  ∀Hyp_present.
     translate_dest (alloc_type … frame_data) cl_expr = OK ? (MemDest ? cm_expr) →
     exec_lvalue cl_ge (cl_env … frame_data) (cl_m … frame_data) cl_expr = OK ? 〈〈cl_block, cl_offset〉, trace〉 →
     ∃cm_val. eval_expr cm_ge ASTptr cm_expr (cm_env … frame_data) Hyp_present (stackptr … frame_data) (cm_m … frame_data) = OK ? 〈trace, cm_val〉 ∧
              value_eq (Em … frame_data) (Vptr (mk_pointer cl_block cl_offset)) cm_val.     
#f #cl_ge #cm_ge #INV #frame_data #cl_expr * #cm_expr #Hexpr_vars #cl_block #cl_offset #trace #Hyp_present
whd in match (translate_dest ??); cases cl_expr #cl_desc #cl_typ normalize nodelta
cases cl_desc normalize nodelta
[ #sz #i | #id | #e1 | #e1 | #op #e1 |#op #e1 #e2 | #cast_ty #e1
| #cond #iftrue #iffalse | #e1 #e2 | #e1 #e2 | #sizeofty | #e1 #field | #cost #e1 ]
#Htranslate
[ 2:
| *: cases (bind_inversion ????? Htranslate) -Htranslate * #cm_expr' #Hexpr_vars' *
     #Htranslate_addr
     whd in ⊢ ((??%%) → ?); #Heq destruct (Heq) #Hexec_lvalue
     cases (eval_expr_sim cl_ge cm_ge INV ? frame_data) #_ #Hsim
     @(Hsim ??? Hexpr_vars … Htranslate_addr ??? ? Hexec_lvalue) ]
cases (bind2_eq_inversion ?????? Htranslate) -Htranslate *
[ #r | #n | ]
* #cl_type * #Heq_lookup normalize nodelta
whd in ⊢ ((??%%) → ?); #Heq destruct (Heq)
whd in ⊢ ((??%?) → ?);
@(match lookup SymbolTag block (cl_env f cl_ge cm_ge INV frame_data) id 
  return λx. (lookup SymbolTag block (cl_env f cl_ge cm_ge INV frame_data) id = x) → ?
  with
  [ None ⇒ ?
  | Some loc ⇒ ? 
  ] (refl ? (lookup SymbolTag block (cl_env f cl_ge cm_ge INV frame_data) id ))) normalize nodelta
#Hlookup_eq
[ 2,4: #Heq destruct (Heq) whd in match (eval_expr ???????);
  [ 2: %{(Vptr (mk_pointer (stackptr f cl_ge cm_ge INV frame_data)
               (shift_offset (bitsize_of_intsize I16) zero_offset (repr I16 n))))}
       @conj try @refl
       lapply (matching … frame_data id)  
       >Hlookup_eq normalize nodelta 
       >(opt_to_res_inversion ???? Heq_lookup) normalize nodelta
       #Hembed %4 whd in ⊢ (??%?); >Hembed @refl
  | 1: whd in match (eval_constant ????);
       lapply (matching … frame_data id)
       >Hlookup_eq normalize nodelta  
       >(opt_to_res_inversion ???? Heq_lookup) normalize nodelta
       @False_ind
  ]
| 1,3: #Hfind_symbol
  cases (bind_inversion ????? Hfind_symbol) -Hfind_symbol #block *
  whd in ⊢ ((??%%) → ?); #Hfind_symbol
  lapply (opt_to_res_inversion ???? Hfind_symbol) #Hfind_symbol_eq
  whd in ⊢ ((??%%) → ?); #Heq destruct (Heq)
  whd in match (eval_expr ???????);
  whd in match (eval_constant ????);
  lapply (matching … frame_data id)
  [ >Hlookup_eq normalize nodelta >Hfind_symbol_eq normalize nodelta
    #Hembed
    <(eq_sym … INV id) >Hfind_symbol_eq normalize nodelta
     %{(Vptr
         (mk_pointer cl_block
          (shift_offset (bitsize_of_intsize I16) zero_offset (repr I16 O))))}
     @conj try @refl
     %4 whd in ⊢ (??%?); >Hembed try @refl
  | (* A stack variable is not in the local environment but in the global one. *)
    (* we have a contradiction somewhere in the context *)
    (* TODO *)
    @cthulhu
  ]
] qed.
  
(* lift simulation result to eval_exprlist *)
lemma eval_exprlist_simulation :
  ∀f.
  ∀cl_ge : genv_t clight_fundef.
  ∀cm_ge : genv_t (fundef internal_function).
  ∀INV   : clight_cminor_inv cl_ge cm_ge.
  ∀frame_data : clight_cminor_data f cl_ge cm_ge INV.
  ∀cl_exprs,cm_exprs.
  ∀cl_results,trace.
  exec_exprlist cl_ge (cl_env … frame_data) (cl_m … frame_data) cl_exprs = OK ? 〈cl_results, trace〉 →
  mmap_sigma ??? (translate_expr_sigma (alloc_type … frame_data)) cl_exprs = OK ? cm_exprs →
  ∀H:All ? (λx:𝚺t:typ.expr t.
             match x with
             [ mk_DPair ty e ⇒ 
                    (expr_vars ty e
                     (λid:ident.λty:typ.present SymbolTag val (cm_env … frame_data) id)) ]) cm_exprs.
  ∃cm_results.
  trace_map_inv … (λe. match e return λe.
                         match e with 
                         [ mk_DPair _ _ ⇒ ? ] → ? 
                       with
                       [ mk_DPair ty e ⇒ λp. eval_expr cm_ge ? e (cm_env … frame_data) p (stackptr … frame_data) (cm_m … frame_data) ]) cm_exprs H = OK ? 〈trace, cm_results〉 ∧
  All2 ?? (λcl_val, cm_val. value_eq (Em … frame_data) cl_val cm_val) cl_results cm_results.
#f #cl_ge #cm_ge #INV #frame_data #cl_exprs
elim cl_exprs
[ #cm_exprs #cl_results #trace
  whd in ⊢ ((??%?) → ?);
  #Heq destruct (Heq)
  whd in ⊢ ((??%?) → ?);
  #Heq destruct (Heq) #H %{[]}
  @conj try @refl try @I
| #cl_hd #cl_tl #Hind #cm_exprs #cl_results #trace
  #Heq cases (bind_inversion ????? Heq) -Heq
  * #hd_val #hd_trace * #Hexec_expr_cl
  #Heq cases (bind_inversion ????? Heq) -Heq  
  * #cl_tl_vals #cl_tl_trace * #Hexec_expr_tl
  whd in ⊢ ((??%%) → ?); #Heq destruct (Heq)
  #Htranslate
  lapply (translate_exprlist_sigma_welltyped … Htranslate)
  #Htype_eq_all #Hall
  cases (bind_inversion ????? Htranslate) -Htranslate
  * * #cmtype #cmexpr normalize nodelta
  #Hexpr_vars_local_cm * #Htranslate_expr_sigma #Htranslate
  cases (bind_inversion ????? Htranslate) -Htranslate
  * #cm_tail #Hexpr_vars_local_cm_tail * #Htranslate_tail
  normalize nodelta
  whd in ⊢ ((??%%) → ?); #Heq destruct (Heq)
  cases Htype_eq_all -Htype_eq_all #Hcm_type_eq #Htype_eq_all
  lapply (Hind cm_tail cl_tl_vals cl_tl_trace Hexec_expr_tl)
  [ assumption ] -Hind #Hind
  lapply (Hind Htranslate_tail (proj2 ?? Hall)) -Hind
  * #cm_results_tl * #Hcm_exec_tl #Hvalues_eq_tl
  cases (eval_expr_sim cl_ge cm_ge INV ? frame_data) #Hsim #_
  cases (bind_inversion ????? Htranslate_expr_sigma)
  * #cmexpr' #Hexpr_vars_local_cm' * #Htranslate
  whd in ⊢ ((??%%) → ?); #Heq destruct (Heq)
  lapply (Hsim cl_hd cmexpr ??????) -Hsim try assumption
  [ @(proj1 ?? Hall) ]
  * #cm_val_hd * #Heval_expr_cm #Hvalue_eq      
  %{(cm_val_hd :: cm_results_tl)} @conj
  [ 2: @conj try assumption
  | 1: whd in ⊢ (??%?); normalize nodelta >Heval_expr_cm
       normalize nodelta >Hcm_exec_tl @refl
  ]
] qed.  

(* Conjectured simulation results

   We split these based on the start state:
   
   1. ‘normal’ states take some [S n] normal steps and simulates them by [S m]
      normal steps in Cminor;
   2. call and return steps are simulated by a call/return step plus [m] normal
      steps (to copy stack allocated parameters / results); and
   3. lone cost label steps are simulates by a lone cost label step
   
   These should allow us to maintain enough structure to identify the Cminor
   subtrace corresponding to a measurable Clight subtrace.
 *)

lemma clight_cminor_normal :
    ∀g1,g2.
    ∀INV:clight_cminor_inv g1 g2.
    ∀s1,s1'.
    clight_cminor_rel g1 g2 INV s1 s1' →
    clight_normal s1 →
    ¬ pcs_labelled cl_pre g1 s1 →
    ∀s2,tr. step … (pcs_exec cl_pre) g1 s1 = Value … 〈tr,s2〉 →    
    ∃m. after_n_steps m ?? (pcs_exec cm_pre) g2 s1' (λs.cminor_normal s) (λtr',s2'.
      tr = tr' ∧
      clight_cminor_rel g1 g2 INV s2 s2' ∧
      (m = 0 → lex_lt (measure_Clight s2) (measure_Clight s1))
    ).
#g1 #g2 #INV #s1 #s1' #Hstate_rel #Hclight_normal #Hnot_labeleld
inversion Hstate_rel
#cl_ge #cm_ge #INV' #cl_s
(* case analysis on Clight statement *)
cases cl_s
[ 1: | 2: #lhs #rhs | 3: #retv #func #args | 4: #stm1 #stm2 | 5: #cond #iftrue #iffalse | 6: #cond #body
| 7: #cond #body | 8: #init #cond #step #body | 9,10: | 11: #retval | 12: #cond #switchcases | 13: #lab #body
| 14: #lab | 15: #cost #body ]
[ 3: (* Call *)
     #cm_s #cl_k #cm_k #cm_st #cl_f #cm_f #frame_data #rettyp #Hcont_rel
     (* introduce everything *)
     #fInv #sInv #kInv
     #Htarget_type #func_univ #Hfresh_globals #Hfresh_function #Htranslate_function
     #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls
     #flag * * * * #Hstmt_inv #Hlabels_translated #Htmps_preserved
     #Hreturn_ok #Hlabel_wf
     (* generalize away ugly proof *)
     generalize in ⊢ (∀_:(???(??(????%))).?); #Hugly
     #Htranslate
     @(jmeq_absorb ?????) #HA @(jmeq_absorb ?????) #HB
     destruct (HA HB)
     @(jmeq_absorb ?????) #HC @(jmeq_absorb ?????) #HD @(jmeq_absorb ?????) #HE
     destruct (HC HD HE) #_
     (* back to unfolding Clight execution *)
     cases (bind_inversion ????? Htranslate) -Htranslate *
     #ef #Hexpr_vars_ef * #Htranslate_ef normalize nodelta #Htranslate
     cases (bind_inversion ????? Htranslate) -Htranslate *
     #ef' #Hexpr_vars_local_ef' * #Htyp_should_eq_ef
     cases (typ_should_eq_inversion (typ_of_type (typeof func)) ASTptr … Htyp_should_eq_ef)
     -Htyp_should_eq_ef #Htyp_equality_ef
     #Heq_ef_ef' #Htranslate
     cases (bind_inversion ????? Htranslate) -Htranslate *
     #args #Hall_variables_from_args_local *
     whd in ⊢ ((???%) → ?); #Hargs_spec
     cases retv normalize nodelta
     [ 2: (* return something *)
       #lhs #Hdest
       cases (bind_inversion ????? Hdest) -Hdest #dest *
       inversion dest normalize nodelta
       [ (* register dest *) #var_id #var_ty #His_local @(jmeq_absorb ?????) #Hdest       
         #Htranslate_dest whd in ⊢ ((???%) → ?); #Heq destruct (Heq)
         (* make explicit the nature of lhs, allowing to prove that no trace is emitted *)
         lapply (translate_dest_id_inversion  … Htranslate_dest) #Hlhs_eq
       | * #cm_expr #Hexpr_vars_cm #Hdest #Htranslate_dest #Hgensym
         lapply (breakup_dependent_match_on_pairs ?????? Hgensym) -Hgensym
         * #ret_var * #new_gensym * #Heq_alloc_tmp * #Halloc_tmp #Hgensym
         lapply (breakup_dependent_match_on_pairs ?????? Hgensym) -Hgensym
         * #tmp_var * #new_gensym' * #Heq_alloc_tmp' * #Halloc_tmp'         
         generalize in ⊢ ((??(?? (????%) )?) → ?); #Hstmt_inv_after_gensym
         whd in ⊢ ((???%) → ?); #Heq destruct (Heq)
       ]
     | 1: (* return void *)
          generalize in ⊢ ((??(??(????%))?) → ?); #Hugly2
          whd in ⊢ ((???%) → ?); #Heq destruct (Heq) ]
     #s2 #tr #Htranslate
     cases (bindIO_inversion ??????? Htranslate) -Htranslate *
     #func_ptr_val #func_trace * #Hexec_func_ptr normalize nodelta
     whd in ⊢ ((???%) → ?); #Htranslate
     cases (bindIO_inversion ??????? Htranslate) -Htranslate *
     #args_values #args_trace * #Hexec_arglist #Htranslate
     cases (bindIO_inversion ??????? Htranslate) -Htranslate
     #cl_fundef * #Hfind_funct
     lapply (opt_to_io_Value ?????? Hfind_funct) -Hfind_funct #Hfind_funct
     cases (find_funct_inversion ???? Hfind_funct)
     #func_ptr * * * #Hfunc_ptr_eq destruct (Hfunc_ptr_eq)
     #Hpoff_eq_zero #Hregion_is_code
     * #block_id * #Hblock_id_neg #Hlookup
     #Htranslate
     cases (bindIO_inversion ??????? Htranslate) -Htranslate #Htype_of_fundef *
     #Hassert_type_eq
     [ 1,2: #Htranslate
            cases (bindIO_inversion ??????? Htranslate) -Htranslate * * 
            #lblock #loffset #ltrace *
            #Hexec_lvalue
            [ 1: (* empty trace *) @cthulhu (* TODO wip *)
            | 2: @cthulhu (* TODO wip *)
            ]
     | 3: @cthulhu ]
     (* TODO wip  *)
 (*     
     whd in ⊢ ((??%%) → ?); #Heq destruct (Heq)
       [ 1: >Hlhs_eq in Hexec_lvalue; #Hexec_lvalue %{1}
       | 2: (* Execute Cminor part: evaluate lhs, evaluate assign *)
            %{2} whd whd in ⊢ (??%?); normalize nodelta
            whd in match (eval_expr ???????);
            whd in match (m_bind ?????);
            lapply (Hsim_expr … Htranslate_ef … Hexpr_vars_present_ef … Hexec_func_ptr)
            -Hsim_expr * #cm_func_ptr_val * #Heval_func #Hvalue_eq_func
            
       | 3: 
       ]
       (* execute Cminor part *)
       [ %{1} | %{2} | %{1} ]
       whd whd in ⊢ (??%?); normalize nodelta
       [ 1: generalize in match (proj2 (present ????) (expr_vars ???) (proj1 ???));
       | 2: generalize in match (proj2 (present ????) (expr_vars ???) (proj1 ???));
       | 3: generalize in match (proj2 True ??); ]
       #Hexpr_vars_present_ef'
       cases (eval_expr_sim … frame_data) #Hsim_expr #_
       cut (expr_vars (typ_of_type (typeof func)) ef
             (λid:ident.λty:typ.present SymbolTag val (cm_env cl_f cl_ge cm_ge INV' frame_data) id))
       [ 1,3,5: lapply Heq_ef_ef' lapply Hexpr_vars_ef lapply ef >Htyp_equality_ef
                #ef #Hexpr_vars_ef @(jmeq_absorb ?????) #Heq destruct (Heq)
                @Hexpr_vars_present_ef' ]
       #Hexpr_vars_present_ef           
       (* use simulation lemma on expressions for function *)
       lapply (Hsim_expr … Htranslate_ef … Hexpr_vars_present_ef … Hexec_func_ptr)
       -Hsim_expr * #cm_func_ptr_val * #Heval_func #Hvalue_eq_func
       cut (eval_expr cm_ge ASTptr ef'
             (cm_env cl_f cl_ge cm_ge INV' frame_data) Hexpr_vars_present_ef'
             (stackptr cl_f cl_ge cm_ge INV' frame_data)
             (cm_m cl_f cl_ge cm_ge INV' frame_data)
               =OK (trace×val) 〈func_trace,cm_func_ptr_val〉)
       [ 1,3,5:
         lapply Heq_ef_ef' lapply Heval_func lapply Hexpr_vars_ef lapply Hexpr_vars_local_ef'
         lapply Hexpr_vars_present_ef lapply ef lapply Hexpr_vars_present_ef' lapply ef'
         <Htyp_equality_ef #ef' #HA #ef #HB #HC #HD #HE
         @(jmeq_absorb ?????) #Heq destruct (Heq) @HE ]
       -Heval_func #Heval_func >Heval_func
       whd in match (m_bind ?????);
       lapply (trans_fn … INV' … Hfind_funct)
       * #tmp_u * #cminor_fundef * #Hglobals_fresh_for_tmp_u * #Hfundef_fresh_for_tmp_u *
       #Htranslate_fundef #Hfind_funct_cm
       lapply (value_eq_ptr_inversion … Hvalue_eq_func) * #cm_func_ptr * #Hcm_func_ptr
       whd in ⊢ ((??%?) → ?); cases func_ptr in Hfind_funct Hfind_funct_cm Hregion_is_code Hpoff_eq_zero;
       #cm_block #cm_off #Hfind_funct #Hfind_funct_cm #Hregion_is_code #Hpoff_eq_zero destruct (Hpoff_eq_zero)
       whd in ⊢ ((??%?) → ?); >(Em_fn_id … frame_data … cm_block Hregion_is_code)
       normalize nodelta cases cm_func_ptr in Hcm_func_ptr; #cm_block' #cm_off'
       #Hcm_func_ptr #Heq destruct (Hcm_func_ptr Heq) >addition_n_0
       >Hfind_funct_cm
       whd in match (opt_to_res ???); normalize nodelta
       cut (All (𝚺t:typ.CMexpr t)
              (λx:𝚺t:typ.expr t.(
                match x with
                [ mk_DPair ty e ⇒
                 expr_vars ty e
                   (λid:ident
                    .λty0:typ.present SymbolTag val (cm_env cl_f cl_ge cm_ge INV' frame_data) id)])) args)
       [ 1: cases sInv * * normalize nodelta * #_ #_ #Hall #_ #_ @Hall
       | 3: cases sInv * * * * * * * normalize nodelta * #_ #_ #Hall #_ #_ #_ @Hall
       | 5: cases sInv * * normalize nodelta * #_ #_ #Hall #_ #_ @Hall ]
       #Hall
       cases (eval_exprlist_simulation … frame_data ???? Hexec_arglist Hargs_spec Hall)
       #cm_values * #Hcm_exec_list #Hcl_cm_values_eq >Hcm_exec_list
       whd in match (m_bind ?????); normalize nodelta whd  (* TODO here bug in toCminor to be fixed before going on *) @conj
       [ 2,4,6: #Habsurd destruct (Habsurd) ]
       @conj try @refl
       generalize in match (proj1 True (expr_vars ???) (proj1 ???));
       * @(CMR_call … tmp_u) try assumption normalize nodelta
       (* a dependency somewhere prevents case analysis *)
       lapply Hfind_funct lapply Hfind_funct_cm lapply Htranslate_fundef lapply Hfundef_fresh_for_tmp_u
       cases cl_fundef
       [ 2: #H1 #H2 #H3 #H4 #H5 #H6 #H7 @I
       | 1: #H9 #H10 #H11 #H12 #H13 @conj try @conj try // ]
     | (* return something *)
       #lhs #Hdest
       cases (bind_inversion ????? Hdest) -Hdest #dest *
       inversion dest normalize nodelta
       [ (* register dest *) #var_id #var_ty #His_local @(jmeq_absorb ?????) #Hdest
         #Htranslate_dest whd in ⊢ ((???%) → ?); #Heq destruct (Heq)
          generalize in match (conj ???);
     ]
   
         
         whd in match (proj1 ???); whd in match (proj2 ???);
         
         
         [ 2: cases sInv * * normalize nodelta * #_ #_ #Hall #_ #_ @Hall ]
         
         >Hfind_funct_cm
         (* case split away the invariants *)
         cases sInv * * normalize nodelta * * #Hexpr_vars_ef' #Hall_args_present
         whd in ⊢ (% → ?); * * normalize nodelta * #Heval_expr #Hvalue_eq
         >Heval_expr
         *
    
[ 1: (* Skip *)
     #cm_s #cl_k #cm_k #cm_st #cl_f #cm_f #frame_data #rettyp #Hcont_rel
     (* case analysis on continuation *)
     inversion Hcont_rel
     [ (* Kstop continuation *)
       (* simplifying the goal using outcome of the inversion *)
       #kcl_ge #kcm_ge #kINV #kcl_f #kcm_f #kframe_data #ktarget_type
       @(jmeq_absorb ?????) #HA @(jmeq_absorb ?????) #HB
       destruct (HA HB)
       @(jmeq_absorb ?????) #HC @(jmeq_absorb ?????) #HD @(jmeq_absorb ?????) #HE
       destruct (HC HD HE)
       @(jmeq_absorb ?????) #HF @(jmeq_absorb ?????) #HG @(jmeq_absorb ?????) #HH @(jmeq_absorb ?????) #HI
       destruct (HF HG HH HI) #_
       (* introduce everything *)
       #fInv #sInv #kInv
       #Htarget_type #func_univ #Hfresh_globals #Hfresh_function #Htranslate_function
       #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls
       #flag * * * * #Hstmt_inv #Hlabels_translated #Htmps_preserved
       #Hreturn_ok #Hlabel_wf
       (* reduce statement translation function *)
       whd in ⊢ ((??%?) → ?);
       #Heq_translate
       (* In this simple case, trivial translation *)
       destruct (Heq_translate)
       @(jmeq_absorb ?????) #HA @(jmeq_absorb ?????) #HB
       destruct (HA HB)
       @(jmeq_absorb ?????) #HC @(jmeq_absorb ?????) #HD @(jmeq_absorb ?????) #HE
       destruct (HC HD HE) #_
       (* unfold the clight execution *)
       #s2 #tr whd in ⊢ ((??%?) → ?);
       inversion (fn_return kcl_f) normalize nodelta
       normalize nodelta
       [ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
       | #structname #fieldspec | #unionname #fieldspec | #id ]
       #Hfn_return whd in ⊢ ((??%?) → ?); #Heq destruct (Heq)
       %{1} whd @conj try @conj try @refl
       [ 2: #Habsurd destruct (Habsurd) ]
       %2{kcl_f}
       [ %{ (alloc_type … kframe_data) 
            (stacksize … kframe_data)
            (alloc_hyp … kframe_data)
            (cl_env … kframe_data)
            (cm_env … kframe_data)
            (cl_env_hyp … kframe_data)
            (free_list (cl_m … kframe_data) (blocks_of_env (cl_env … kframe_data)))
            (free (cm_m … kframe_data) (stackptr … kframe_data))
            (Em … kframe_data)
            ? (* injection *)
            (stackptr … kframe_data)
            ? (* matching *)}
         [ @(freelist_memory_inj_m1_m2 … (injection … kframe_data) (blocks_of_env (cl_env … kframe_data)) (stackptr … kframe_data))
           [ 2,3: @refl
           |
 
     @cthulhu
    | (* KSeq continuation *)
      #gcl_ge #kcm_ge #kINV #kcl_f #kcm_f #kframe_data #ktarget_type #kcl_s #kcm_s #kcl_k' #kcm_k'
      #kstmt_univ #kstmt_univ' #klbl_univ #klbl_univ' #klbls #kflag
      * * * * #kHstmt_inv #kHlabels_translated #kHtmps_preserved
      #kHreturn_ok #kHlabel_wf #kHeq_translate #kHcont_rel #_
      @(jmeq_absorb ?????) #HA @(jmeq_absorb ?????) #HB
      destruct (HA HB)
      @(jmeq_absorb ?????) #HC @(jmeq_absorb ?????) #HD @(jmeq_absorb ?????) #HE
      destruct (HC HD HE)
      @(jmeq_absorb ?????) #HF
      
      #Heq_INV #Heq_cl_f #Heq_cm_f #Heq_frame #Heq_rettyp #Heq_cl_k #Heq_cm_k  #_
      (* get rid of jmeqs and destruct *)
      lapply (jmeq_to_eq ??? Heq_INV) -Heq_INV #Heq_INV
      lapply (jmeq_to_eq ??? Heq_cl_f) -Heq_cl_f #Heq_cl_f
      destruct (Heq_INV Heq_cl_f)
      lapply (jmeq_to_eq ??? Heq_frame) -Heq_frame #Heq_frame
      lapply (jmeq_to_eq ??? Heq_cm_f) -Heq_cm_f #Heq_cm_f
      lapply (jmeq_to_eq ??? Heq_rettyp) -Heq_rettyp #Heq_rettypv
      lapply (jmeq_to_eq ??? Heq_cm_k) -Heq_cm_k #Heq_cm_k
      lapply (jmeq_to_eq ??? Heq_cl_k) -Heq_cl_k #Heq_cl_k
      destruct (Heq_frame Heq_cl_k Heq_cm_k Heq_cm_f Heq_rettyp)    
      #fInv #sInv #kInv #Hktarget_type
      #func_univ #Hfresh_globals #Hfresh_function #Htranslate_function 
      #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls
      #flag * * * * #Hstmt_inv #Hlabels_translated #Htmps_preserved
      #Hreturn_ok #Hlabel_wf
      (* reduce translation function and eliminate result *)
      (* In this simple case, trivial translation *)
      whd in ⊢ ((??%?) → ?); #Heq_translate
      destruct (Heq_translate)
      #Heq_INV' #Heq_s1 #Heq_s1'
      lapply (jmeq_to_eq ??? Heq_INV') -Heq_INV' #Heq_INV'
      lapply (jmeq_to_eq ??? Heq_s1) -Heq_s1 #Heq_s1
      lapply (jmeq_to_eq ??? Heq_s1') -Heq_s1' #Heq_s1' #_
      (* unfold the clight execution *)
      %{0}
      whd in ⊢ (% → ?); #Hassert
      cases (invert_assert ?? Hassert) -Hassert #Hclight_class
      cases (andb_inversion … Hclight_class) -Hclight_class
      #_ #Hnot_labelled whd in ⊢ (% → ?); #Heq destruct (Heq)
      %{0} whd in ⊢ %; @conj try @refl
      (* close simulation *)
      %1{kINV kHcont_rel ? ? Hfresh_globals Hfresh_function
         Htranslate_function kstmt_univ kstmt_univ' klbl_univ klbl_univ' klbls kflag}
      [ 3: @kHeq_translate | assumption ]
    | (* Kwhile continuation *)
      #kINV #kcl_f #kcm_f #kframe_data #ktarget_type
      #kcl_k' #kcm_k' #ksz #ksg #kcl_cond_desc #kcl_body #kcm_cond #kcm_body
      #kentry #kexit #kstmt_univ #kstmt_univ' #klbl_univ #klbl_univ' #klbl_univ''
      #klbls #kHtranslate_inv #kHexpr_vars #kHtranslate_expr #kfInv
      * * * * #kHentry_declared * * * *
      * * * #kHcond_vars_declared * * * *
      * * * #kHbody_inv * * *
      whd in ⊢ (% → ?); #kHentry_declared'
      * * * * * * * * *
      whd in ⊢ (% → ?); #kHexit_declared *
      * * * *
      #kHcont_inv #kHmklabels #kHeq_translate #kHfind_label #kHcont_rel #_
      #Heq_INV #Heq_cl_f #Heq_cm_f #Heq_frame #Heq_rettyp #Heq_cm_k #Heq_cl_k
      lapply (jmeq_to_eq ??? Heq_INV) -Heq_INV #Heq_INV
      lapply (jmeq_to_eq ??? Heq_cl_f) -Heq_cl_f #Heq_cl_f
      destruct (Heq_INV Heq_cl_f)      
      lapply (jmeq_to_eq ??? Heq_cm_f) -Heq_cm_f #Heq_cm_f
      lapply (jmeq_to_eq ??? Heq_frame) -Heq_frame #Heq_frame
      lapply (jmeq_to_eq ??? Heq_rettyp) -Heq_rettyp #Heq_rettyp
      lapply (jmeq_to_eq ??? Heq_cm_k) -Heq_cm_k #Heq_cm_k
      lapply (jmeq_to_eq ??? Heq_cl_k) -Heq_cl_k #Heq_cl_k #_
      destruct (Heq_cl_k Heq_cm_k Heq_cm_f Heq_frame Heq_rettyp)
      (* introduce state relation contents *)
      #fInv #sInv * whd in ⊢ (% → ?); * *
      whd in ⊢ (% → ?); * whd in ⊢ (% → ?); #Hlabel_defined * #kInv
      #Heq_rettyp
      #func_univ #Hfresh_globals #Hfresh_function #Htranslate_function 
      #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls
      #flag * * * * #Hstmt_inv #Hlabels_translated #Htmps_preserved
      #Hreturn_ok #Hlabel_wf
      (* reduce translation function and eliminate result *)
      (* In this simple case, trivial translation *)
      whd in ⊢ ((??%?) → ?); #Heq_translate
      destruct (Heq_translate)
      #Heq_INV' #Heq_s1 #Heq_s1'
      lapply (jmeq_to_eq ??? Heq_INV') -Heq_INV' #Heq_INV'
      lapply (jmeq_to_eq ??? Heq_s1) -Heq_s1 #Heq_s1
      lapply (jmeq_to_eq ??? Heq_s1') -Heq_s1' #Heq_s1' #_
      (* unfold the clight execution *)
      %{1} whd in ⊢ (% → ?); #Hawait
      cases (await_value_bind_inv … Hawait) -Hawait
      * #cl_val #cl_trace * #Hexec_cond #Hawait
      cases (await_value_bind_inv … Hawait) -Hawait
      #cond_outcome * #Hcond_outcome
      cases (eval_expr_sim … kframe_data) #Hsim_expr #_
      (* use simulation lemma on expressions *)
      lapply (Hsim_expr … kHtranslate_expr … kHcond_vars_declared … Hexec_cond) -Hsim_expr
      whd in match (typeof ?) in Hcond_outcome; cases cond_outcome in Hcond_outcome;
      #Hcond_outcome lapply (exec_bool_of_val_inversion … Hcond_outcome)
      * [ 2,4: * #ptr * #ty' * * #_ #Habsurd destruct (Habsurd) ]
      * [ 2,4: * #ty' * * #_ #Habsurd destruct (Habsurd) ]
      * #vsz * #vsg * #i * * #Hcl_val #Htype_eq destruct (Hcl_val Htype_eq)
      normalize nodelta #Hi_eq
      * #cm_val * #Hexec_cond_cm #Hvalue_eq #Hassert
      cases (invert_assert … Hassert) -Hassert #Handb
      cases (andb_inversion … Handb) -Handb #_ #HClight_not_labelled
      whd in ⊢ (% → ?); #Heq destruct (Heq)
      [ %{5} whd whd in ⊢ (??%?); normalize nodelta
        >kHfind_label -kHfind_label normalize nodelta
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        >Hexec_cond_cm normalize nodelta
        whd in match (m_bind ?????);
        >(value_eq_int_inversion … Hvalue_eq)
        whd in match (eval_bool_of_val ?); normalize nodelta
        <Hi_eq normalize nodelta
        whd @conj [ normalize >append_nil try @refl ]
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        %{??????? kframe_data ktarget_type Hcont_rel Heq_rettyp ??? Htranslate_function
          ??????? kHeq_translate}
      | %{6} whd whd in ⊢ (??%?); normalize nodelta
        >kHfind_label -kHfind_label normalize nodelta
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        >Hexec_cond_cm normalize nodelta
        whd in match (m_bind ?????);
        >(value_eq_int_inversion … Hvalue_eq)
        whd in match (eval_bool_of_val ?); normalize nodelta
        <Hi_eq normalize nodelta
        whd @conj [ normalize >append_nil >append_nil try @refl ]
        whd in match (proj1 ???);
        whd in match (proj2 ???);
        whd whd in ⊢ (??%?); normalize nodelta
        %{??????? kframe_data ktarget_type kHcont_rel Heq_rettyp ??? Htranslate_function}
        try assumption
        [ @conj try @conj try @conj try @conj //
        | @refl ]
      ]
  (*| TODO: other continuations *)
    ]
| 2: (* Assign *)
     #cm_s #cl_k #cm_k #cm_st #cl_f #cm_f #frame_data #rettyp #Hcont_rel
     #fInv #sInv #kInv #Hrettyp #func_univ #Hfresh_globals #Hfresh_function
     #Htranslate_function #stmt_univ #stmt_univ' #lbl_univ #lbl_univ' #lbls #flag
     * * * * #Hstmt_inv_cm #Huseless_hypothesis
      #Htmps_preserved #Hreturn_ok #Hlabel_wf     
     (* case-split on lhs in order to reduce lvalue production in Cminor *)
     cases lhs #lhs_ed #lhs_ty
     cases lhs_ed
     (* intro expr contents *)
     [ #sz #i | #var_id | #e1 | #e1 | #op #e1 |#op #e1 #e2 | #cast_ty #e1
     | #cond #iftrue #iffalse | #e1 #e2 | #e1 #e2 | #sizeofty | #e1 #field | #cost #e1 ]
     [ 2: #Htranslate_statement
          cases (bind_inversion ????? Htranslate_statement)
          * #cm_rhs #Hexpr_vars_rhs * #Htranslate_rhs #Htranslate_statement'
          cases (bind_inversion ????? Htranslate_statement')
          #lhs_dest * #Htranslate_lhs
          cases (bind2_eq_inversion ?????? Htranslate_lhs) -Htranslate_lhs
          #alloctype * #type_of_var * #Hlookup_var_success
          cases alloctype in Hlookup_var_success;
          normalize nodelta
          [ 1: (* Global *) #r
               #Hlookup_var_success whd in ⊢ ((???%) → ?); #Hlhs_dest_eq 
               destruct (Hlhs_dest_eq) normalize nodelta
               whd in match (proj1 ???); whd in match (proj2 ???);
               whd in ⊢ ((???%) → ?); #Heq destruct (Heq)
               #Heq_INV #Heq_s1 #Heq_s1'
               lapply (jmeq_to_eq ??? Heq_INV) -Heq_INV #Heq_INV
               lapply (jmeq_to_eq ??? Heq_s1) -Heq_s1 #Heq_s1
               lapply (jmeq_to_eq ??? Heq_s1') -Heq_s1' #Heq_s1'
               destruct (Heq_INV Heq_s1 Heq_s1') #_
               %{1} whd in ⊢ (% → ?); #Hawait
               cases (await_value_bind_inv … Hawait) -Hawait
               * * #cl_blo #cl_off #cl_tr * whd in ⊢ ((??%?) → ?);
               #Hexec_lvalue
               lapply (res_to_io ????? Hexec_lvalue) -Hexec_lvalue #Hexec_lvalue
               #Hawait
               cases (await_value_bind_inv … Hawait) -Hawait
               * #rhs_val #rhs_trace * #Hexec_rhs_trace #Hawait
               cases (await_value_bind_inv … Hawait) -Hawait
               #mem_after_store * #Hstore_value #Hawait
               lapply (opt_to_io_Value ?????? Hstore_value) -Hstore_value #Hstore_value
               -Htranslate_statement' -Htranslate_statement
               cases (invert_assert … Hawait) -Hawait #Handb
               cases (andb_inversion … Handb) -Handb #_ #HClight_not_labelled #Hawait               
               (* TODO: use the memory injection to handle the store,
                  use INV contents to match up CL global with CM one.
                  Note to self: globals should be exactly matched in CL and CM,
                  maybe memory_injection is not useful in this particular case,
                  only in Stack and Local cases.
                * *)
               @cthulhu
          | 2: (* Stack *) #n @cthulhu
          | 3: (* Local *) @cthulhu
          ]
     | *: (* memdest *) @cthulhu ]   *)  
| *: @cthulhu
] qed.

(* TODO: adapt the following to the new goal shape. *)
axiom clight_cminor_call_return :
  ∀INV:clight_cminor_inv.
  ∀s1,s1',s2,tr.
  clight_cminor_rel INV s1 s1' →
  match Clight_classify s1 with [ cl_call ⇒ true | cl_return ⇒ true | _ ⇒ false ] →
  after_n_steps 1 … clight_exec (ge_cl INV) s1 (λs.true) (λtr',s. 〈tr',s〉 = 〈tr,s2〉) →
  ∃m. after_n_steps (S m) … Cminor_exec (ge_cm INV) s1' (λs.cminor_normal s) (λtr',s2'.
    tr = tr' ∧
    clight_cminor_rel INV s2 s2'
  ).

axiom clight_cminor_cost :
  ∀INV:clight_cminor_inv.
  ∀s1,s1',s2,tr.
  clight_cminor_rel INV s1 s1' →
  Clight_labelled s1 →
  after_n_steps 1 … clight_exec (ge_cl INV) s1 (λs.true) (λtr',s. 〈tr',s〉 = 〈tr,s2〉) →
  after_n_steps 1 … Cminor_exec (ge_cm INV) s1' (λs.true) (λtr',s2'.
    tr = tr' ∧
    clight_cminor_rel INV s2 s2'
  ).

axiom clight_cminor_init : ∀cl_program,cm_program,s,s'.
  clight_to_cminor cl_program = OK ? cm_program →
  make_initial_state ?? clight_fullexec cl_program = OK ? s →
  make_initial_state ?? Cminor_fullexec cm_program = OK ? s' →
  ∃INV. clight_cminor_rel INV s s'.