Changeset 1871

Timestamp:

Apr 4, 2012, 1:40:30 PM (8 years ago)

Author:

campbell

Message:

Change Clight to Cminor compilation to use gotos rather than loops, blocks
and exits. (Commit on behalf of Ilias)

File:

• src/Clight/toCminor.ma (modified) (41 diffs)

src/Clight/toCminor.ma

@@ -1 @@
-
 include "Clight/Csyntax.ma".
 include "Clight/TypeComparison.ma".
@@ -6 +5 @@
 
 (* Identify local variables that must be allocated memory. *)
-
+(* These are the variables whose addresses are taken. *)
 let rec gather_mem_vars_expr (e:expr) : identifier_set SymbolTag ≝
 match e with
@@ -77 +76 @@
 ].
 
+(* Defines where a variable should be allocated. *)
 inductive var_type : Type[0] ≝
-| Global : region → var_type
-| Stack  : nat → var_type
-| Local  : var_type
+| Global : region → var_type  (* A global, allocated statically in a given region (which one ???)  *)
+| Stack  : nat → var_type     (* On the stack, at a given height *) 
+| Local  : var_type           (* Locally (hopefully, in a register) *)
 .
 
+(* A map associating each variable identifier to its allocation mode and its type. *)
 definition var_types ≝ identifier_map SymbolTag (var_type × type).
 
@@ -99 +100 @@
  *)
 
+(* Some kind of data is never allocated in registers, even if it fits, typically structured data. *)
 definition always_alloc : type → bool ≝
 λt. match t with
@@ -107 +109 @@
 ].
 
+(* This builds a [var_types] map characterizing the allocation mode, of variables,
+ * and it returns a stack usage for the function (in bytes, according to [sizeof]) *)
 definition characterise_vars : list (ident×region×type) → function → var_types × nat ≝
 λglobals, f.
+  (* globals are added into a map, with var_type Global, region π_2(idrt) and type π_3(idrt) *)
   let m ≝ foldr ?? (λidrt,m. add ?? m (\fst (\fst idrt)) 〈Global (\snd (\fst idrt)), \snd idrt〉) (empty_map ??) globals in
+  (* variables in the body of the function are gathered in [mem_vars] *)
   let mem_vars ≝ gather_mem_vars_stmt (fn_body f) in
+  (* iterate on the parameters and local variables of the function, with a tuple (map, stack_high) as an accumulator *)
   let 〈m,stacksize〉 ≝ foldr ?? (λv,ms.
-    let 〈m,stack_high〉 ≝ ms in
-    let 〈id,ty〉 ≝ v in
-    let 〈c,stack_high〉 ≝ if always_alloc ty ∨ mem_set ? mem_vars id
-                           then 〈Stack stack_high,stack_high + sizeof ty〉
-                           else 〈Local, stack_high〉 in
+    let 〈m,stack_high〉 ≝ ms in 
+    let 〈id,ty〉 ≝ v in         
+    let 〈c,stack_high〉 ≝
+      (* if the (local, parameter) variable is of a compound type OR if its adress is taken, we allocate it on the stack. *)
+      if always_alloc ty ∨ mem_set ? mem_vars id then 
+        〈Stack stack_high,stack_high + sizeof ty〉
+      else 
+        〈Local, stack_high〉 
+    in
       〈add ?? m id 〈c, ty〉, stack_high〉) 〈m,0〉 (fn_params f @ fn_vars f) in
   〈m,stacksize〉.
 
+(* A local variable id' status is not modified by the removal of a global variable id : id' is still local *)
 lemma local_id_add_global : ∀vars,id,r,t,id',t'.
   local_id (add ?? vars id 〈Global r, t〉) id' t' → local_id vars id' t'.
@@ -129 +141 @@
 ] qed.
 
+(* If I add a variable id ≠ id', then id' is still local *)
 lemma local_id_add_miss : ∀vars,id,vt,id',t'.
   id ≠ id' → local_id (add ?? vars id vt) id' t' → local_id vars id' t'.
@@ -138 +151 @@
 qed.
 
+(* After characterise_vars, a variable in the resulting map is either a global or a "local"(register or stack allocated) *)
 lemma characterise_vars_src : ∀gl,f,vars,n.
   characterise_vars gl f = 〈vars,n〉 →
-  ∀id. present ?? vars id →
+  ∀id. present ?? vars id → 
    (∃r,ty. lookup' vars id = OK ? 〈Global r,ty〉 ∧ Exists ? (λx.x = 〈〈id,r〉,ty〉) gl) ∨
    ∃t.local_id vars id t.
@@ -181 +195 @@
 ] qed.
 
-
+(* A local variable in a function is either a parameter or a "local" (:=register or stack alloc'd) 
+ * variable, with the right type *)
 lemma characterise_vars_all : ∀l,f,vars,n.
   characterise_vars l f = 〈vars,n〉 →
@@ -215 +230 @@
 ] qed.
 
+(* The map generated by characterise_vars is "correct" wrt the fresh ident generator of tag [u],
+   i.e. by generating fresh idents with u, we risk no collision with the idents in the map domain. *)
 lemma characterise_vars_fresh : ∀gl,f,vars,n,u.
-  characterise_vars gl f = 〈vars,n〉 →
-  globals_fresh_for_univ ? gl u →
-  fn_fresh_for_univ f u →
-  fresh_map_for_univ … vars u.
+  characterise_vars gl f = 〈vars,n〉 →              (* If we generate a map ... *)
+  globals_fresh_for_univ ? gl u →                  (* and the globals are out of the idents generated by u *)
+  fn_fresh_for_univ f u →                          (* and the variables of the function f are cool with u too ... *)
+  fresh_map_for_univ … vars u.                     (* then there won't be collisions between the map and idents made from u *)
 #gl #f #vars #n #u #CH #GL #FN
 #id #H
@@ -238 +255 @@
 axiom MissingField : String.
 
-
+(* type_should_eq enforces that two types are equal and eliminates this equality by
+   transporting P ty1 to P ty2. If ty1 != ty2, then Error *)
 definition type_should_eq : ∀ty1,ty2. ∀P:type → Type[0]. P ty1 → res (P ty2) ≝
 λty1,ty2,P,p.
   do E ← assert_type_eq ty1 ty2;
-  OK ? (match E return λx.λ_. P ty1 → P x with [ refl ⇒ λp.p ] p).
-
+  OK ? (match E return λx.λ_. P ty1 → P x with [ refl ⇒ λp.p ] p).  
+
+(* same gig for regions *)
 definition region_should_eq : ∀r1,r2. ∀P:region → Type[0]. P r1 → res (P r2).
 * * #P #p try @(OK ? p) @(Error ? (msg TypeMismatch))
 qed.
 
+(* same gig for AST typs *)
 definition typ_should_eq : ∀ty1,ty2. ∀P:typ → Type[0]. P ty1 → res (P ty2).
 * [ #sz1 #sg1 | #r1 | #sz1 ]
@@ -257 +277 @@
 ] qed.
 
-
 alias id "CLunop" = "cic:/matita/cerco/Clight/Csyntax/unary_operation.ind(1,0,0)".
 alias id "CMunop" = "cic:/matita/cerco/common/FrontEndOps/unary_operation.ind(1,0,0)".
@@ -264 +283 @@
 alias id "CMnotbool" = "cic:/matita/cerco/common/FrontEndOps/unary_operation.con(0,3,0)".
 
+(* Translates a Clight unary operation into a Cminor one, while checking
+ * that the domain and codomain types are consistent. *)
 definition translate_unop : ∀t,t':typ. CLunop → res (CMunop t t') ≝
 λt,t'.λop:CLunop.
@@ -294 +315 @@
   ]. @I qed.
 
+(* Translates a Clight addition into a Cminor one. Four cases to consider :
+  - integer/integer add
+  - fp/fp add
+  - pointer/integer
+  - integer/pointer.
+  Consistency of the type is enforced by explicit checks.
+*)
 definition translate_add ≝
 λty1,e1,ty2,e2,ty'.
@@ -315 +343 @@
 | add_default ⇒ Error ? (msg TypeMismatch)
 ].
+
 
 definition translate_sub ≝
@@ -408 +437 @@
 ].
 
+(* Recall that [expr_vars], defined in Cminor/Syntax.ma, asserts a predicate on 
+  all the variables of a program. [translate_binop_vars], given
+  a predicate verified for all variables of subexprs e1 and e2, produces
+  a proof that all variables of [translate_binop op _ e1 _ e2 _] satisfy this
+  predicate. *)
 lemma translate_binop_vars : ∀P,op,ty1,e1,ty2,e2,ty,e.
   expr_vars ? e1 P →
@@ -445 +479 @@
 (* We'll need to implement proper translation of pointers if we really do memory
    spaces. *)
+(* This function performs leibniz-style subst if r1 = r2, and fails otherwise. *)
 definition check_region : ∀r1:region. ∀r2:region. ∀P:region → Type[0]. P r1 → res (P r2) ≝
 λr1,r2,P.
@@ -456 +491 @@
   ].
 
+(* Simple application of [check_region] to translate between terms. *)
 definition translate_ptr : ∀P,r1,r2. (Σe:CMexpr (ASTptr r1). expr_vars ? e P) → res (Σe':CMexpr (ASTptr r2).expr_vars ? e' P) ≝
 λP,r1,r2,e. check_region r1 r2 (λr.Σe:CMexpr (ASTptr r).expr_vars ? e P) e.
@@ -461 +497 @@
 axiom FIXME : String.
 
-definition translate_cast : ∀P.type → ∀ty2:type. (Σe:CMexpr ?. expr_vars ? e P) → res (Σe':CMexpr (typ_of_type ty2). expr_vars ? e' P) ≝
+(* Given a source and target type, translate an expession of type source to type target *)
+definition translate_cast : ∀P. ∀ty1:type.∀ty2:type. (Σe:CMexpr (typ_of_type ty1). expr_vars ? e P) → res (Σe':CMexpr (typ_of_type ty2). expr_vars ? e' P) ≝
 λP,ty1,ty2.
 match ty1 return λx.(Σe:CMexpr (typ_of_type x). expr_vars ? e P) → ? with
@@ -496 +533 @@
 qed.
 
+(* Small inversion lemma : if the access mode of a type is by reference, then it must be a ptr type. *)
 lemma access_mode_typ : ∀ty,r. access_mode ty = By_reference r → typ_of_type ty = ASTptr r.
 *
@@ -506 +544 @@
 ] qed.
 
+(* Translate Clight exprs into Cminor ones.
+  Arguments :
+  - vars:var_types, an environment mapping each variable to a couple (allocation mode, type)
+  - e:expr, the expression to be converted
+  Result : res (Σe':CMexpr (typ_of_type (typeof e)). expr_vars ? e' (local_id vars))
+  that is, either
+  . an error
+  . an expression e', matching the type of e, such that e' respect the property that all variables
+    in it are not global. In effect, [translate_expr] will replace global variables by constant symbols.
+*)
 let rec translate_expr (vars:var_types) (e:expr) on e : res (Σe':CMexpr (typ_of_type (typeof e)). expr_vars ? e' (local_id vars)) ≝
 match e return λe. res (Σe':CMexpr (typ_of_type (typeof e)). expr_vars ? e' (local_id vars)) with
@@ -513 +561 @@
   | Econst_float f ⇒ OK ? «Cst ? (Ofloatconst f), ?»
   | Evar id ⇒
-      do 〈c,t〉 as E ← lookup' vars id;
+      do 〈c,t〉 as E ← lookup' vars id; (* E is an equality proof of the shape "lookup' vars id = Ok <c,t>" *)
       match c return λx.? = ? → res (Σe':CMexpr ?. ?) with
-      [ Global r ⇒ λ_.
+      [ Global r ⇒ λ_. 
+          (* We are accessing a global variable in an expression. Its Cminor counterpart also depends on
+             its access mode:
+             - By_value q, where q is a memory chunk specification (whitch should match the type of the global)
+             - By_reference, and we only take the adress of the variable
+             - By_nothing : error 
+           *)
           match access_mode ty with
-          [ By_value q ⇒ OK ? «Mem ? r q (Cst ? (Oaddrsymbol id 0)), ?»
+          [ By_value q ⇒ OK ? «Mem ? r q (Cst ? (Oaddrsymbol id 0)), ?» (* Mem is "load" in compcert *)
           | By_reference _ ⇒ OK ? «Cst ? (Oaddrsymbol id 0), ?»
           | By_nothing ⇒ Error ? [MSG BadlyTypedAccess; CTX ? id]
           ]
       | Stack n ⇒ λE.
+          (* We have decided that the variable should be allocated on the stack, 
+           * because its adress was taken somewhere or becauste it's a structured data. *)
           match access_mode ty with
           [ By_value q ⇒ OK ? «Mem ? Any q (Cst ? (Oaddrstack n)), ?»
@@ -527 +583 @@
           | By_nothing ⇒ Error ? [MSG BadlyTypedAccess; CTX ? id]
           ]
+          (* This is a local variable. Keep it as an identifier in the Cminor code, ensuring that the type of the original expr and of ty match. *)
       | Local ⇒ λE. type_should_eq t ty (λt.Σe':CMexpr (typ_of_type t).expr_vars (typ_of_type t) e' (local_id vars))  («Id (typ_of_type t) id, ?»)
       ] E
   | Ederef e1 ⇒
       do e1' ← translate_expr vars e1;
+      (* According to the way the data pointed to by e1 is accessed, the generated Cminor code will vary.
+        - if e1 is a kind of int* ptr, then we load ("Mem") the ptr returned by e1
+        - if e1 is a struct* or a function ptr, then we acess by reference, in which case we :
+           1) check the consistency of the regions in the type of e1 and in the access mode of its type
+           2) return directly the converted CMinor expression "as is" (TODO : what is the strange notation with the ceil function and the mapsto ?)
+      *)
       match typ_of_type (typeof e1) return λx.(Σz:CMexpr x.expr_vars ? z (local_id vars)) → ? with
       [ ASTptr r ⇒ λe1'.
@@ -634 +697 @@
       typ_should_eq (typ_of_type (typeof e1)) (typ_of_type ty) (λx.Σe:CMexpr x.?) e'
   ]
-] and translate_addr (vars:var_types) (e:expr) on e : res (𝚺r. Σe':CMexpr (ASTptr r). expr_vars ? e' (local_id vars)) ≝
+] 
+
+(* Translate addr takes an expression e1, and returns a Cminor code computing the address of the result of [e1].   *)
+and translate_addr (vars:var_types) (e:expr) on e : res (𝚺r. Σe':CMexpr (ASTptr r). expr_vars ? e' (local_id vars)) ≝
 match e with
 [ Expr ed _ ⇒
@@ -685 +751 @@
 | MemDest : ∀r:region. memory_chunk → (Σe:CMexpr (ASTptr r).expr_vars ? e (local_id vars)) → destination vars.
 
+(* Let a source Clight expression be assign(e1, e2). First of all, observe that [e1] is a
+  /Clight/ expression, not converted by translate_expr. We thus have to do part of the work
+  of [translate_expr] in this function. [translate_dest] will convert e1
+   into a proper destination for an assignement operation. We proceed by case analysis on e1.
+   - if e1 is a variable [id], then we proceed by case analysis on its allocation mode:
+      - if [id] is allocated locally (in a register), then id becomes directly
+        the target for the assignement, as (IdDest vars id t H), where t is the type
+        of id, and H asserts that id is indeed a local variable.
+      - if [id] is a global variable stored in region [r], then we perform [translate_expr]'s 
+        job and return an adress, given as a constant symbol corresponding to [id], with
+        region r and memory chunk specified by the access mode of the rhs type ty2 of [e2].
+      - same thing for stack-allocated variables, except that we don't specify any region.
+   - if e1 is not a variable, we use [translate_addr] to generate a Cminor expression computing
+    the adres of e1
+*)
 definition translate_dest ≝
 λvars,e1,ty2.
@@ -710 +791 @@
 qed.
 
+(* [lenv] is the type of maps from Clight labels to Cminor labels. *)
 definition lenv ≝ identifier_map SymbolTag (identifier Label).
 
 axiom MissingLabel : String.
 
+(* Find the Cminor label corresponding to [l] or fail. *)
 definition lookup_label ≝
 λlbls:lenv.λl. opt_to_res … [MSG MissingLabel; CTX ? l] (lookup ?? lbls l).
 
+(* True iff the Cminor label [l] is in the codomain of [lbls] *)
 definition lpresent ≝ λlbls:lenv. λl. ∃l'. lookup_label lbls l' = OK ? l.
+
+(* True iff The Clight label [l] is in the domain of [lbls] *)
+definition label_in_domain ≝ λlbls:lenv. λl. present ?? lbls l.
+
+let rec fresh_list_for_univ (l:list (identifier Label)) (u:universe Label) ≝
+match l with
+[ nil ⇒ True
+| cons elt tl ⇒ fresh_for_univ ? elt u ∧ fresh_list_for_univ tl u].
+
+record labgen : Type[0] ≝ {
+  labuniverse   : universe Label;
+  label_genlist    : list (identifier Label);
+  genlist_is_fresh : fresh_list_for_univ label_genlist labuniverse
+}.
+
+lemma fresh_list_stays_fresh : ∀l,tmp,u,u'. fresh_list_for_univ l u → 〈tmp,u'〉=fresh Label u → fresh_list_for_univ l u'.
+#l elim l
+[ 1: normalize // 
+| 2: #hd #tl #Hind #tmp #u #u' #HA #HB
+  whd
+  @conj
+  [ 1: whd in HA ⊢ ?;
+    elim HA #HAleft #HAright
+    @(fresh_remains_fresh ? hd tmp u u') assumption
+  | 2: whd in HA ⊢ ?;
+    elim HA #HAleft #HAright    
+    @Hind //
+  ]
+]
+qed. 
+
+definition In ≝ λelttype.λelt.λl.Exists elttype (λx.x=elt) l.   
+
+definition generate_fresh_label :
+ ∀ul. Σlul:(identifier Label × labgen).
+               (And (∀lab. In ? lab (label_genlist ul) → In ? lab (label_genlist (snd … lul)))
+                   (In ? (fst … lul) (label_genlist (snd … lul)))) ≝
+λul.
+let 〈tmp,u〉 as E ≝ fresh ? (labuniverse ul) in
+ «〈tmp, mk_labgen u (tmp::(label_genlist ul)) ?〉, ?».
+[ 1: normalize @conj 
+  [ 1: @(fresh_is_fresh ? tmp u (labuniverse ul) ?) assumption
+  | 2: @fresh_list_stays_fresh // ]
+| @conj /2/
+]
+qed.
 
 let rec labels_defined (s:statement) : list ident ≝
@@ -739 +869 @@
 definition ldefined ≝ λs.λl.Exists ? (λl'.l' = l) (labels_of s).
 
+(* For each label l in s, there exists a matching label l' = lenv(l) defined in s' *)
 definition labels_translated : lenv → statement → stmt → Prop ≝
 λlbls,s,s'.  ∀l.
   (Exists ? (λl'.l' = l) (labels_defined s)) →
-  ∃l'. lookup_label lbls l = OK ? l' ∧ ldefined s' l'.
-
-definition stmt_inv ≝
-λvars. λlbls:lenv.
-  stmt_P (λs.stmt_vars (local_id vars) s ∧ stmt_labels (lpresent lbls) s).
-
-definition translate_assign : ∀vars:var_types. expr → expr → res (Σs:stmt.∀ls. stmt_inv vars ls s) ≝
+  ∃l'. lookup_label lbls l = (OK ? l') ∧ ldefined s' l'.
+
+
+(* Invariant on statements, holds during conversion to Cminor *)
+definition stmt_inv ≝  λvars. stmt_P (stmt_vars (local_id vars)).
+
+(* I (Ilias) decided to inline the following definition, to make explicit the data constructed.
+ * This was needed to prove some stuff in translate_statement at some point, but it might be
+ * useless now. If needed, I can revert this change.  *)
+definition translate_assign : ∀vars:var_types. expr → expr → res (Σs:stmt. stmt_inv vars s) ≝
 λvars,e1,e2.
-do e2' ← translate_expr vars e2;
+do e2' ← translate_expr vars e2;              
 do dest ← translate_dest vars e1 (typeof e2);
 match dest with
@@ -758 +892 @@
 | MemDest r q e1' ⇒ OK ? «St_store ? r q e1' e2', ?»
 ].
-#ls whd %
-[ % // @pi2
-| @I
-| % @pi2
-| @I
-] qed.
+% try (//)  try (elim e2' //) elim e1' //
+qed.
 
 definition m_option_map : ∀A,B:Type[0]. (A → res B) → option A → res (option B) ≝
@@ -779 +909 @@
 qed.
 
+(* Add the list of typed variables tmpenv to the environment [var_types] with
+   the allocation mode Local. *)
 definition add_tmps : var_types → list (ident × type) → var_types ≝
 λvs,tmpenv.
@@ -787 +919 @@
   tmp_env : list (ident × type);
   tmp_ok : fresh_map_for_univ … (add_tmps vars tmp_env) tmp_universe;
-  tmp_preserved : 
+  tmp_preserved :
     ∀id,ty. local_id vars id ty → local_id (add_tmps vars tmp_env) id ty
 }.
@@ -814 +946 @@
 ] qed.
 
+
 lemma lookup_label_hit : ∀lbls,l,l'.
   lookup_label lbls l = OK ? l' →
@@ -821 +954 @@
 
 (* TODO: is this really needed now? *)
+
 definition tmps_preserved : ∀vars:var_types. tmpgen vars → tmpgen vars → Prop ≝
 λvars,u1,u2.
@@ -839 +973 @@
 qed.
 
-definition trans_inv : ∀vars:var_types. lenv → statement → tmpgen vars → (stmt×(tmpgen vars)) → Prop ≝
-λvars,lbls,s,u,su'.
-  let 〈s',u'〉 ≝ su' in
-  stmt_inv (add_tmps vars (tmp_env … u')) lbls s' ∧
-  labels_translated lbls s s' ∧
-  tmps_preserved vars u u'.
-
-lemma trans_inv_stmt_inv : ∀vars,lbls,s,u,su.
-  trans_inv vars lbls s u su → stmt_inv (add_tmps vars (tmp_env … (\snd su))) lbls (\fst su).
-#var #lbls #s #u * #s' #u' * * #H1 #H2 #H3 @H1
-qed.
-
-lemma trans_inv_labels : ∀vars,lbls,s,u,su.
-  trans_inv vars lbls s u su → labels_translated lbls s (\fst su).
-#vars #lbls #s #u * #s' #u' * * #_ #H #_ @H
-qed.
-
-(* TODO: still needed? *)
-lemma local_id_add_local_oblivious : ∀vars,id,ty,id',ty'.
-  fresh_for_map ?? id' vars →
-  local_id vars id ty → local_id (add ?? vars id' 〈Local, ty'〉) id ty.
-#vars #id #ty #id' #ty' #F #H whd whd in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]);
-cases (identifier_eq ? id id')
-[ #E @False_ind >E in H; whd in ⊢ (% → ?);
-  whd in ⊢ (match % with [_⇒ ?|_⇒ ?] → ?); cases id' in F ⊢ %; #id'
-  #F whd in F; >F *
-| #NE >lookup_add_miss [ @H | // ]
-] qed.
-
-(*
-lemma local_id_add_tmps_oblivious : ∀vars,id,ty,u.
-  local_id vars id ty → local_id (add_tmps vars (tmp_env vars u)) id ty.
-#vars #id #ty * #u #l #F #H elim l
-[ //
-| * #id' #ty' #tl @local_id_add_local_oblivious @F
-] qed.
-*)
-
-lemma add_tmps_oblivious : ∀vars,lbls,s,u.
-  stmt_inv vars lbls s → stmt_inv (add_tmps vars (tmp_env vars u)) lbls s.
-#vars #lbls #s #u #H
+lemma add_tmps_oblivious : ∀vars,s,u.
+  stmt_inv vars s → stmt_inv (add_tmps vars (tmp_env vars u)) s.
+#vars #s #u #H
 @(stmt_P_mp … H)
-#s' * #H1 #H2 %
-[ @(stmt_vars_mp … H1)
-  #id #t @(tmp_preserved ? u)
-| @H2
-] qed.
+#s' #H1 @(stmt_vars_mp … H1) #id #t #H @(tmp_preserved ? u ?? H)
+qed.
 
 lemma local_id_fresh_tmp : ∀vars,tmp,u,ty,u0.
@@ -898 +991 @@
 qed.
 
-let rec translate_statement (vars:var_types) (lbls:lenv) (u:tmpgen vars) (s:statement) on s : res (Σsu:stmt×(tmpgen vars).trans_inv vars lbls s u su) ≝
-match s return λs.res (Σsu:stmt×(tmpgen vars).trans_inv vars lbls s u su) with
-[ Sskip ⇒ OK ? «〈St_skip, u〉, ?»
+
+let rec mklabels (ul:labgen) : (identifier Label) × (identifier Label) × labgen ≝
+  match generate_fresh_label ul with
+  [ mk_Sig res1 H1 ⇒
+     let 〈entry_label, ul1〉 as E1 ≝ res1 in
+     match generate_fresh_label ul1 with
+     [ mk_Sig res2 H2 ⇒
+        let 〈exit_label, ul2〉 as E2 ≝ res2 in
+        〈entry_label, exit_label, ul2〉
+     ]
+  ].
+
+(* When converting loops into gotos, and in order to eliminate blocks, we have
+ * to convert continues and breaks into goto's, too. We add some "flags" in
+ * in argument to [translate_statement], meaning that the next encountered break
+ * or continue has to be converted into a goto to some contained label. 
+ * ConvertTo l1 l2 means "convert continue to goto l1 and convert break to goto l2".
+ *)
+inductive convert_flag : Type[0] ≝
+| DoNotConvert : convert_flag
+| ConvertTo    : identifier Label → identifier Label → convert_flag. (* continue, break *)
+
+let rec labels_of_flag (flag : convert_flag) : list (identifier Label) ≝
+match flag with
+[ DoNotConvert ⇒ [ ]
+| ConvertTo continue break ⇒ continue :: break :: [ ]
+].
+
+(* For a top-level expression, [label-wf] collapses to "all labels are properly declared" *)
+definition label_wf ≝
+λ (s : statement) .λ (s' : stmt) .λ (lbls : lenv). λ (flag : convert_flag).
+    stmt_P (λs1. stmt_labels (λl.ldefined s' l ∨ lpresent lbls l ∨ In ? l (labels_of_flag flag)) s1) s'.
+
+(* trans_inv is the invariant which is enforced during the translation from Clight to Cminor.
+  The involved arguments are the following:
+  . vars:var_types, an environment mapping variables to their types and allocation modes
+  . lbls:lenv, a mapping from old (Clight) to fresh and new (Cminor) labels,
+  . s:statement, a Clight statement,
+  . uv, a fresh variable generator (containing itself some invariants)
+  . flag, wich maps "break" and "continue" to "gotos"
+  . su', a couple of a Cminor statement and fresh variable generator.
+*)
+definition trans_inv : ∀vars:var_types . ∀lbls:lenv . statement → tmpgen vars → convert_flag → ((tmpgen vars) × labgen × stmt) → Prop ≝
+λvars,lbls,s,uv,flag,su'. 
+  let 〈uv', ul', s'〉 ≝ su' in
+  stmt_inv (add_tmps vars (tmp_env … uv')) s' ∧   (* remaining variables in s' are local*)
+  labels_translated lbls s s' ∧                   (* all the labels in s are transformed in label of s' using [lbls] as a map *)
+  tmps_preserved vars uv uv' ∧                    (* the variables generated are local and grows in a monotonic fashion *)
+  label_wf s s' lbls flag.                        (* labels are "properly" declared, as defined in [ŀabel_wf].*) 
+                                 
+let rec translate_statement (vars:var_types) (uv:tmpgen vars) (ul:labgen) (lbls:lenv) (flag:convert_flag) (s:statement) on s 
+  : res (Σsu:(tmpgen vars)×labgen×stmt.trans_inv vars lbls s uv flag su) ≝
+match s return λs.res (Σsu:(tmpgen vars)×labgen×stmt.trans_inv vars lbls s uv flag su) with
+[ Sskip ⇒ OK ? «〈uv, ul, St_skip〉, ?»
 | Sassign e1 e2 ⇒
-    do s' ← translate_assign vars e1 e2;
-    OK ? «〈pi1 ?? s', u〉, ?»
+    do e2' ← translate_expr vars e2;              (* rhs *)
+    do dest ← translate_dest vars e1 (typeof e2); (* e1 *)
+    match dest with
+    [ IdDest id ty p ⇒
+       do e2' ← type_should_eq (typeof e2) ty ? e2';
+       OK ? «〈uv, ul, St_assign ? id e2'〉, ?»
+    | MemDest r q e1' ⇒ 
+       OK ? «〈uv, ul, St_store ? r q e1' e2'〉, ?»
+    ]
 | Scall ret ef args ⇒
     do ef' ← translate_expr vars ef;
@@ -909 +1060 @@
     do args' ← mmap_sigma ??? (translate_expr_sigma vars) args;
     match ret with
-    [ None ⇒ OK ? «〈St_call (None ?) ef' args', u〉, ?»
+    [ None ⇒ OK ? «〈uv, ul, St_call (None ?) ef' args'〉, ?»
     | Some e1 ⇒
         do dest ← translate_dest vars e1 (typeof e1); (* TODO: check if it's sane to use e1's type rather than the return type *)
         match dest with
-        [ IdDest id ty p ⇒ OK ? «〈St_call (Some ? 〈id,typ_of_type ty〉) ef' args', u〉, ?»
+        [ IdDest id ty p ⇒ OK ? «〈uv, ul, St_call (Some ? 〈id,typ_of_type ty〉) ef' args'〉, ?»
         | MemDest r q e1' ⇒
-            let 〈tmp, u〉 as Etmp ≝ alloc_tmp ? (typeof e1) u in
-            OK ? «〈St_seq (St_call (Some ? 〈tmp,typ_of_type (typeof e1)〉) ef' args') (St_store (typ_of_type (typeof e1)) r q e1' (Id ? tmp)), u〉, ?»
+            let 〈tmp, uv1〉 as Etmp ≝ alloc_tmp ? (typeof e1) uv in
+            OK ? «〈uv1, ul, St_seq (St_call (Some ? 〈tmp,typ_of_type (typeof e1)〉) ef' args') (St_store (typ_of_type (typeof e1)) r q e1' (Id ? tmp))〉, ?»
         ]
     ]
 | Ssequence s1 s2 ⇒
-     do «s1', u1, H1» ← translate_statement vars lbls u s1;
-     do «s2', u2, H2» ← translate_statement vars lbls u1 s2;
-    OK ? «〈St_seq s1' s2', u2〉, ?»
+    do «fgens1, s1', H1» ← translate_statement vars uv ul «lbls,?» flag s1;
+    do «fgens2, s2', H2» ← translate_statement vars (fst … fgens1) (snd … fgens1) «lbls,?» flag s2;
+    OK ? «〈fgens2, St_seq s1' s2'〉, ?»
 | Sifthenelse e1 s1 s2 ⇒
     do e1' ← translate_expr vars e1;
     match typ_of_type (typeof e1) return λx.(Σe:CMexpr x.expr_vars ? e ?) → ? with
     [ ASTint _ _ ⇒ λe1'.
-         do «s1', u, H1» ← translate_statement vars lbls u s1;
-         do «s2', u, H2» ← translate_statement vars lbls u s2;
-        OK ? «〈St_ifthenelse ?? e1' s1' s2', u〉, ?»
+         do «fgens1, s1', H1» ← translate_statement vars uv ul «lbls,?» flag s1;
+         do «fgens2, s2', H2» ← translate_statement vars (fst … fgens1) (snd … fgens1) «lbls,?» flag s2;
+        OK ? «〈fgens2, St_ifthenelse ?? e1' s1' s2'〉, ?»
     | _ ⇒ λ_.Error ? (msg TypeMismatch)
     ] e1'
@@ -935 +1086 @@
     do e1' ← translate_expr vars e1;
     match typ_of_type (typeof e1) return λx.(Σe:CMexpr x.expr_vars ? e ?) → ? with
-    [ ASTint _ _ ⇒ λe1'.
-         do «s1', u, H1» ← translate_statement vars lbls u s1;
-        (* TODO: this is a little different from the prototype and CompCert, is it OK? *)
-        OK ? «〈St_block
-               (St_loop
-                 (St_ifthenelse ?? e1' (St_block s1') (St_exit 0))), u〉, ?»
+    [ ASTint _ _ ⇒ λe1'.         
+         (* TODO: this is a little different from the prototype and CompCert, is it OK? *)
+         match mklabels ul with
+         [ mk_Sig result Hmklabels =>
+              let 〈labels, ul1〉 as E1 ≝ result in
+              let 〈entry, exit〉 as E2 ≝ labels in
+              do «fgens2, s1',H1» ← translate_statement vars uv ul1 «lbls,?» (ConvertTo entry exit) s1;
+              let converted_loop ≝
+               St_label entry
+               (St_seq
+                 (St_ifthenelse ?? e1' (St_seq s1' (St_goto entry)) St_skip)
+                 (St_label exit St_skip))
+              in         
+              OK ? «〈fgens2, converted_loop〉, ?»
+         ]
     | _ ⇒ λ_.Error ? (msg TypeMismatch)
     ] e1'
@@ -947 +1107 @@
     match typ_of_type (typeof e1) return λx.(Σe:CMexpr x. expr_vars ? e ?) → ? with
     [ ASTint _ _ ⇒ λe1'.
-         do «s1',u, H1» ← translate_statement vars lbls u s1;
-        (* TODO: this is a little different from the prototype and CompCert, is it OK? *)
-        OK ? «〈St_block
-               (St_loop
-                 (St_seq (St_block s1') (St_ifthenelse ?? e1' St_skip (St_exit 0)))), u〉, ?»
+         match mklabels ul with
+         [ mk_Sig result Hmklabels ⇒
+              let 〈labels, ul1〉 as E1 ≝ result in
+              let 〈entry, exit〉 as E2 ≝ labels in              
+              do «fgens2, s1', H1» ← translate_statement vars uv ul1 «lbls,?» (ConvertTo entry exit) s1;
+              let converted_loop ≝
+               St_label entry
+                 (St_seq
+                   (St_seq 
+                     s1' 
+                     (St_ifthenelse ?? e1' (St_goto entry) St_skip)
+                   )
+                   (St_label exit St_skip))
+              in
+              (* TODO: this is a little different from the prototype and CompCert, is it OK? *)
+              OK ? «〈fgens2, converted_loop〉, ?»
+         ]
     | _ ⇒ λ_.Error ? (msg TypeMismatch)
     ] e1'
@@ -958 +1130 @@
     match typ_of_type (typeof e1) return λx.(Σe:CMexpr x. expr_vars ? e ?) → ? with
     [ ASTint _ _ ⇒ λe1'.
-         do «s1', u, H1» ← translate_statement vars lbls u s1;
-         do «s2', u, H2» ← translate_statement vars lbls u s2;
-         do «s3', u, H3» ← translate_statement vars lbls u s3;
-        (* TODO: this is a little different from the prototype and CompCert, is it OK? *)
-        OK ? «〈St_seq s1'
-             (St_block
-               (St_loop
-                 (St_ifthenelse ?? e1' (St_seq (St_block s3') s2') (St_exit 0)))), u〉, ?»
+         match mklabels ul with
+         [ mk_Sig result Hmklabels ⇒ 
+              let 〈labels, ul1〉 as E ≝ result in
+              let 〈entry, exit〉 as E2 ≝ labels in                            
+              do «fgens2, s1', H1» ← translate_statement vars uv ul1 «lbls,?» flag s1;
+              do «fgens3, s2', H2» ← translate_statement vars (fst … fgens2) (snd … fgens2) «lbls, ?» (ConvertTo entry exit) s2;
+              do «fgens4, s3', H3» ← translate_statement vars (fst … fgens3) (snd … fgens3) «lbls, ?» (ConvertTo entry exit) s3;
+              (* TODO: this is a little different from the prototype and CompCert, is it OK? *)
+              let converted_loop ≝
+                St_seq
+                 s1'
+                 (St_label entry
+                   (St_seq
+                     (St_ifthenelse ?? e1' (St_seq s3' (St_seq s2' (St_goto entry))) St_skip)
+                     (St_label exit St_skip)
+                    ))
+              in 
+             OK ? «〈fgens4, converted_loop〉, ?»
+        ]
     | _ ⇒ λ_.Error ? (msg TypeMismatch)
     ] e1'
-| Sbreak ⇒ OK ? «〈St_exit 1, u〉, ?»
-| Scontinue ⇒ OK ? «〈St_exit 0, u〉, ?»
+| Sbreak ⇒
+   match flag return λf.flag = f → ? with
+   [ DoNotConvert ⇒ λEflag.
+     Error ? (msg FIXME) 
+   | ConvertTo continue_label break_label ⇒ λEflag.
+     OK ? «〈uv, ul, St_goto break_label〉, ?» 
+   ] (refl ? flag)
+| Scontinue ⇒ 
+  match flag return λf.flag = f → ? with
+  [ DoNotConvert ⇒ λEflag.
+    Error ? (msg FIXME) 
+  | ConvertTo continue_label break_label ⇒ λEflag.
+    OK ? «〈uv, ul, St_goto continue_label〉, ?»
+  ] (refl ? flag) 
 | Sreturn ret ⇒
     match ret with
-    [ None ⇒ OK ? «〈St_return (None ?), u〉, ?»
+    [ None ⇒ OK ? «〈uv, ul, St_return (None ?)〉, ?»
     | Some e1 ⇒
         do e1' ← translate_expr vars e1;
-        OK ? «〈St_return (Some ? (mk_DPair … e1')), u〉, ?»
+        OK ? «〈uv, ul, St_return (Some ? (mk_DPair … e1'))〉, ?»
     ]
 | Sswitch e1 ls ⇒ Error ? (msg FIXME)
 | Slabel l s1 ⇒
     do l' as E ← lookup_label lbls l;
-     do «s1', u, H1» ← translate_statement vars lbls u s1;
-    OK ? «〈St_label l' s1', u〉, ?»
+    do «fgens1, s1', H1» ← translate_statement vars uv ul lbls flag s1;
+    OK ? «〈fgens1, St_label l' s1'〉, ?»
 | Sgoto l ⇒
     do l' as E ← lookup_label lbls l;
-    OK ? «〈St_goto l', u〉, ?»
+    OK ? «〈uv, ul, St_goto l'〉, ?»
 | Scost l s1 ⇒
-     do «s1', u, H1» ← translate_statement vars lbls u s1;
-    OK ? «〈St_cost l s1', u〉, ?»
-].
-try @conj try @conj try @conj try @conj try @conj try @conj try @conj try @conj try @conj try @conj try @conj
-try @I
-try (#l #H @(match H in False with [ ]))
-try (#id #ty #H @H)
-[ @add_tmps_oblivious @(pi2 ?? s')
-| @(tmp_preserved … u) @p
-]
-try (@sub_pi2 #x @expr_vars_mp #i #ty @(tmp_preserved … u))
-[ 1,3,6: @sub_pi2 #x @All_mp * #ty #e @expr_vars_mp #i #ty' @(tmp_preserved … u)
-| 2,4: @(local_id_fresh_tmp … Etmp)
-| @(alloc_tmp_preserves … Etmp)
-| 7,11: @(stmt_P_mp … (π1 (π1 H1))) #s * #H3 #H4 % [ 1,3: @(stmt_vars_mp … H3) cases H2 #_ #H @H | *: @H4 ]
-| 8,12: @(trans_inv_stmt_inv … H2)
-| 9,13: #l #H cases (Exists_append … H)
-  [ 1,3: #H3 cases H1 * #S1 #L1 #T1 cases (L1 l H3) #l' * #E1 #D1
-    %{l'} % [ 1,3: @E1 | *: @Exists_append_l @D1 ]
-  | *: #H3 cases H2 * #S2 #L2 #T2 cases (L2 l H3) #l' * #E2 #D2
-    %{l'} % [ 1,3: @E2 | *: @Exists_append_r @D2 ]
-  ]
-| 10,14: cases H2 #_ #TP2 #id #ty #L @TP2 cases H1 #_ #TP1 @TP1 @L
-| 15,18: @(π1 (π1 H1))
-| 16,19: cases H1 * #_ #L1 #_ #l #H cases (L1 l H) #l' * #E1 #D1
-  %{l'} % [ 1,3: @E1 | *: @Exists_append_l @D1 ]
-| 17,20: @(π2 H1)
-(* Sfor *)
-| @(stmt_P_mp … (π1 (π1 H1))) #s * #H4 #H5 % [ @(stmt_vars_mp … H4) #id #ty #H @(π2 H3) @(π2 H2) @H | @H5 ]
-| @(π1 (π1 H3))
-| @(stmt_P_mp … (π1 (π1 H2))) #s * #H4 #H5 % [ @(stmt_vars_mp … H4) #id #ty #H @(π2 H3) @H | @H5 ]
-| #l #H cases (Exists_append … H)
-  [ #EX1 cases H1 * #S1 #L1 #_ cases (L1 l EX1) #l' * #E1 #D1
-    %{l'} % [ @E1 | @Exists_append_l @D1 ]
-  | #EX cases (Exists_append … EX)
-    [ #EX2 cases H2 * #S2 #L2 #_ cases (L2 l EX2) #l' * #E2 #D2
-      %{l'} % [ @E2 | @Exists_append_r @Exists_append_l @Exists_append_r @D2 ]
-    | #EX3 cases H3 * #S3 #L3 #_ cases (L3 l EX3) #l' * #E3 #D3
-      %{l'} % [ @E3 | @Exists_append_r @Exists_append_l @Exists_append_l @D3 ]
-    ]
-  ]
-| #id #ty #H @(π2 H3) @(π2 H2) @(π2 H1) @H
-(* Slabel *)
-| %{l} @E
-| @(π1 (π1 H1))
-| #l'' * [ #E <E %{l'} % // %1 @refl | #EX cases (π2 (π1 H1) l'' EX) #l4 * #LK #LD %{l4} % // %2 @LD ]
-| @(π2 H1)
-(* Sgoto *)
-| %{l} @E
-| @(π1 (π1 H1))
-(* Scost *)
-| @(π2 (π1 H1))
-| @(π2 H1)
+    do «fgens1, s1', H1» ← translate_statement vars uv ul lbls flag s1;
+    OK ? «〈fgens1, St_cost l s1'〉, ?»
+].
+try @conj try @conj try @conj try @conj try @conj try @conj try @conj
+try (@I)
+try (#l #H elim H)
+try (#size #sign #H assumption)
+try (#region #H assumption)
+[ 1,5: @(tmp_preserved … p) ]
+[ 1,3: elim e2' | 2,9: elim e1' | 4,7,14: elim ef' ]
+[ 1,2,3,4,5,6,7 : #e #Hvars @(expr_vars_mp … Hvars) #i #t #Hlocal @(tmp_preserved … Hlocal) ]
+[ 1: @All_mp [ 1: @(λe.match e with [ mk_DPair t e0 ⇒ expr_vars t e0 (local_id vars) ])
+             | 2: * #t #e #Hev whd in Hev ⊢ %; @(expr_vars_mp … Hev) #i #t #Hp @(tmp_preserved … Hp)
+             | 3: elim args' // ] 
+| 8: (* we should be able to merge this case with the previous ... *)
+     @All_mp [ 1: @(λe.match e with [ mk_DPair t e0 ⇒ expr_vars t e0 (local_id vars) ])
+             | 2: * #t #e #Hev whd in Hev ⊢ %; @(expr_vars_mp … Hev) #i #t #Hp @(tmp_preserved … Hp)
+             | 3: elim args' // ]
+| 2: @(local_id_fresh_tmp vars tmp uv1 (typeof e1) uv Etmp)
+| 3:  @(All_mp (𝚺 t:typ.expr t) (λe. match e with [ mk_DPair t e0 ⇒ expr_vars t e0 (local_id vars)]))
+       [ 1: #a #Ha elim a in Ha ⊢ ?; #ta #a #Ha whd @(expr_vars_mp ?? (local_id vars))
+       [ 1: #i0 #t0 #H0 @(tmp_preserved vars uv1 i0 t0 H0)
+       | 2: assumption ]
+       | 2: elim args' // ]
+| 4: @(local_id_fresh_tmp vars tmp uv1 (typeof e1) uv Etmp) ]
+[ 1: #size #sign | 2: #reg | 3: #fsize ]
+[ 1,2,3: #H @(alloc_tmp_preserves vars tmp uv uv1 … Etmp) @H ]
+try @(match fgens1 return λx.x=fgens1 → ? with
+     [ mk_Prod uv1 ul1 ⇒ λHfgens1.? ] (refl ? fgens1))
+try @(match fgens2 return λx.x=fgens2 → ? with
+     [ mk_Prod uv2 ul2 ⇒ λHfgens2.? ] (refl ? fgens2))
+try @(match fgens3 return λx.x=fgens3 → ? with
+     [ mk_Prod uv3 ul3 ⇒ λHfgens3.? ] (refl ? fgens3))
+try @(match fgens4 return λx.x=fgens4 → ? with
+     [ mk_Prod uv4 ul4 ⇒ λHfgens4.? ] (refl ? fgens4))
+whd in H1 H2 H3 ⊢ ?; destruct whd nodelta in H1 H2 H3;
+try (elim H1 -H1 * * #Hstmt_inv1 #Hlabels_tr1 #Htmps_pres1)
+try (elim H2 -H2 * * #Hstmt_inv2 #Hlabels_tr2 #Htmps_pres2)
+try (elim H3 -H3 * * #Hstmt_inv3 #Hlabels_tr3 #Htmps_pres3)
+[ 1,2: #Hind1 #Hind2 | 3,4,9,11: #Hind | 5: #Hind1 #Hind2 #Hind3 ]
+try @conj try @conj try @conj try @conj try @conj try (whd @I) try assumption
+[ 1,7: @(stmt_P_mp … Hstmt_inv1) #e #Hvars @(stmt_vars_mp … Hvars) #i #t #Hlocal @(Htmps_pres2 … Hlocal)
+| 2: #l #H cases (Exists_append ???? H) #Hcase
+         [ 1: elim (Hlabels_tr1 l Hcase) #label #Hlabel @(ex_intro … label) @conj
+           [ 1: @(proj1 ?? Hlabel)
+           | 2: normalize @Exists_append_l @(proj2 … Hlabel) ]
+         | 2: elim (Hlabels_tr2 l Hcase) #label #Hlabel @(ex_intro … label) @conj
+           [ 1: @(proj1 ?? Hlabel)
+           | 2: normalize @Exists_append_r @(proj2 … Hlabel) ]
+         ]
+| 3,9: #id #ty #H @(Htmps_pres2 … (Htmps_pres1 id ty H)) ]
+[ 1: @(stmt_P_mp … Hind2) | 2: @(stmt_P_mp … Hind1) ]
+[ 1,2: #s0 #Hstmt_labels @(stmt_labels_mp … Hstmt_labels)
+     #l * try * [ 1,4: #H %1 %1 normalize in H ⊢ %; try (@Exists_append_l @H); try (@Exists_append_r @H)
+                | 2,5: #H %1 %2 assumption
+                | 3,6: #H %2 assumption ]
+(* if/then/else *)
+| 3: whd elim e1' #e #Hvars @(expr_vars_mp … Hvars) #i #t #Hlocal @(tmp_preserved … Hlocal)
+| 4: whd #l #H
+       cases (Exists_append ???? H) #Hcase
+         [ 1: elim (Hlabels_tr1 l Hcase) #label #Hlabel @(ex_intro … label) @conj
+           [ 1: @(proj1 ?? Hlabel)
+           | 2: normalize @Exists_append_l @(proj2 … Hlabel) ]
+         | 2: elim (Hlabels_tr2 l Hcase) #label #Hlabel @(ex_intro … label) @conj
+           [ 1: @(proj1 ?? Hlabel)
+           | 2: normalize @Exists_append_r @(proj2 … Hlabel) ]
+         ]
+]                  
+[ 1: 1: @(stmt_P_mp … Hind2) | 2: @(stmt_P_mp … Hind1) ]
+[ 1,2: #s0 #Hstmt_labels @(stmt_labels_mp … Hstmt_labels)
+     #l * try * [ 1,4: #H %1 %1 normalize in H ⊢ %; try (@Exists_append_l @H); try (@Exists_append_r @H)
+                | 2,5: #H %1 %2 assumption
+                | 3,6: #H %2 assumption ] ]
+try @conj try @conj try @conj try @conj try @conj try @conj try @conj try @conj try @I
+[ 1,9,19,32: whd elim e1' #e #Hvars @(expr_vars_mp … Hvars) #i #t #Hlocal @(tmp_preserved … Hlocal)
+| 2,8: @(stmt_P_mp … Hstmt_inv1) #s0 #Hstmt_vars @(stmt_vars_mp … Hstmt_vars) //
+| 3,10: whd #l #H normalize in H;
+         elim (Hlabels_tr1 … H) #label #Hlabel @(ex_intro … label)
+         @conj
+         [ 1,3: @(proj1 … Hlabel)
+         | 2,4: whd @or_intror normalize @Exists_append_l @Exists_append_l try @Exists_append_l
+              @(proj2 … Hlabel) ]
+| 30: whd %2 %2 whd /2/
+| 31: whd %2 whd /2/
+| 4,16: whd %1 %1 normalize /2/
+| 5,12: @(stmt_P_mp … Hind) #s0 #Hstmt_labels @(stmt_labels_mp … Hstmt_labels)
+   #l * try * [ 1,5: #H %1 %1 normalize %2 @Exists_append_l @Exists_append_l try @Exists_append_l @H
+              | 2,6: #H %1 %2 assumption
+              | 3,7: #H <H %1 %1 normalize /2/
+              | 4,8: #H normalize in H; elim H [ 1,3: #E <E %1 %1 normalize %2
+                                                 @Exists_append_r normalize /2/
+                                               | 2,4: * ]
+              ]
+| 6: normalize %1 %1 %1 //                                                                                   
+| 7,14: normalize %1 %1 %2 @Exists_append_r normalize /2/
+| 11,13: whd %1 %1 normalize /2/
+| 15: whd #label * [ 1: #Eq @(ex_intro … l') @conj [ 1: destruct // | whd /2/ ]
+                   | 2: #H elim (Hlabels_tr1 label H)
+                         #lab * #Hlookup #Hdef @(ex_intro … lab) @conj
+                         [ 1: // | 2: whd %2 assumption ]
+                   ]
+| 17: @(stmt_P_mp … Hind) #s0 #Hstmt_labels @(stmt_labels_mp … Hstmt_labels)
+   #l * try * [ 1: #H %1 %1 normalize %2 @H
+              | 2: #H %1 %2 assumption
+              | 3: #H %2 assumption ]
+| 18: @(stmt_P_mp … Hstmt_inv1) #s0 #Hstmt_vars @(stmt_vars_mp … Hstmt_vars) #i #t
+   #H @(Htmps_pres3 … (Htmps_pres2 … H))
+| 20: @(stmt_P_mp … Hstmt_inv3) //
+| 21: @(stmt_P_mp … Hstmt_inv2) #s0 #Hstmt_vars @(stmt_vars_mp … Hstmt_vars) #i #t
+   #H @(Htmps_pres3 … H)
+| 22: whd #l #H normalize in H;
+      cases (Exists_append … H) #Hcase
+      [ 1: elim (Hlabels_tr1 l Hcase) #label #Hlabel @(ex_intro … label) @conj
+        [ 1: @(proj1 … Hlabel)
+        | 2: normalize @Exists_append_l @(proj2 … Hlabel)
+        ]
+      | 2: cases (Exists_append … Hcase) #Hcase2
+        [ 1: elim (Hlabels_tr2 l Hcase2) #label #Hlabel @(ex_intro … label) @conj
+          [ 1: @(proj1 … Hlabel)
+          | 2: normalize >append_nil >append_nil >append_cons
+               @Exists_append_r @Exists_append_l @Exists_append_r
+               @(proj2 … Hlabel)
+          ]
+        | 2: elim (Hlabels_tr3 l Hcase2) #label #Hlabel @(ex_intro … label) @conj
+          [ 1: @(proj1 … Hlabel)
+          | 2: normalize >append_nil >append_nil >append_cons
+             @Exists_append_r @Exists_append_l @Exists_append_l
+             @(proj2 … Hlabel)
+          ]
+        ]
+      ]
+| 23: #id #ty #H @(Htmps_pres3 … (Htmps_pres2 … (Htmps_pres1 … H)))
+| 24: @(stmt_P_mp … Hind3) #s0 #Hstmt_labels @(stmt_labels_mp … Hstmt_labels)
+   #l * try * [ 1: #H %1 %1 normalize @Exists_append_l @H
+              | 2: #H %1 %2 assumption
+              | 3: #H %2 assumption ]
+| 25: whd %1 %1 normalize /2/
+| 26: @(stmt_P_mp … Hind1) #s0 #Hstmt_labels @(stmt_labels_mp … Hstmt_labels)
+   #l * try * [ 1: #H %1 %1 normalize @Exists_append_r @(Exists_add ?? (nil ?))
+                   @Exists_append_r @Exists_append_l @Exists_append_l 
+                   @Exists_append_l assumption
+              | 2: #H %1 %2 assumption
+              | 3: #H <H %1 %1 normalize
+                   @Exists_append_r whd %1 //
+              | 4: * [ 1: #H <H %1 %1 normalize
+                       @Exists_append_r @(Exists_add ?? (nil ?))
+                       @Exists_append_r @Exists_append_r
+                       whd %1 //
+                     | 2: * ]
+              ]
+| 27: @(stmt_P_mp … Hind2) #s0 #Hstmt_labels @(stmt_labels_mp … Hstmt_labels)
+   #l * try * [ 1: #H %1 %1 normalize @Exists_append_r @(Exists_add ?? (nil ?))
+                   @Exists_append_r @Exists_append_l @Exists_append_l                    
+                   @Exists_append_r @Exists_append_l assumption
+              | 2: #H %1 %2 assumption
+              | 3: #H <H %1 %1 normalize
+                   @Exists_append_r whd %1 //
+              | 4: * [ 1: #Eq <Eq %1 %1 whd normalize
+                       @Exists_append_r @(Exists_add ?? (nil ?)) @Exists_append_r
+                       @Exists_append_r whd %1 //
+                     | 2: * ]
+              ]
+| 28: whd %1 %1 normalize /2/
+| 29: whd %1 %1 normalize
+      @Exists_append_r @(Exists_add ?? (nil ?)) @Exists_append_r @Exists_append_r 
+      whd %1 //
+| 33: whd %1 %2 whd @(ex_intro … l) @E
 ] qed.
 
-
 axiom ParamGlobalMixup : String.
 
-(* ls and s0 aren't real parameters, they're just there for giving the invariant. *)
-definition alloc_params : ∀vars:var_types.∀ls,s0,u. list (ident×type) → (Σsu:stmt×(tmpgen vars). trans_inv vars ls s0 u su) → res (Σsu:stmt×(tmpgen vars).trans_inv vars ls s0 u su) ≝
-λvars,ls,s0,u,params,s. foldl ?? (λsu,it.
+(* params and statement aren't real parameters, they're just there for giving the invariant. *)
+definition alloc_params :
+ ∀vars:var_types.∀lbls,statement,uv,flag. list (ident×type) → (Σsu:(tmpgen vars)×labgen×stmt. trans_inv vars lbls statement uv flag su) 
+   → res (Σsu:(tmpgen vars)×labgen×stmt.trans_inv vars lbls statement uv flag su) ≝   
+λvars,lbls,statement,uv,ul,params,s. foldl ?? (λsu,it.
   let 〈id,ty〉 ≝ it in
-   do «s,u, Is» ← su;
+  do «result,Is» ← su;
+  let 〈fgens1, s〉 as Eresult ≝ result in
   do 〈t,ty'〉 as E ← lookup' vars id;
-  match t return λx.? → ? with
-  [ Local ⇒ λE. OK (Σs:stmt×(tmpgen vars).?) «〈s,u〉,Is»
+  match t return λx.? → res (Σsu:(tmpgen vars)×labgen×stmt.trans_inv vars lbls statement uv ul su) with
+  [ Local ⇒ λE. OK (Σs:(tmpgen vars)×labgen×stmt.?) «result,Is»
   | Stack n ⇒ λE.
       do q ← match access_mode ty with
@@ -1058 +1369 @@
       | By_nothing ⇒ Error ? [MSG BadlyTypedAccess; CTX ? id]
       ];
-      OK ? «〈St_seq (St_store ? Any q (Cst ? (Oaddrstack n)) (Id (typ_of_type ty') id)) s, u〉, ?»
+      OK ? «〈fgens1, St_seq (St_store ? Any q (Cst ? (Oaddrstack n)) (Id (typ_of_type ty') id)) s〉, ?»
   | Global _ ⇒ λE. Error ? [MSG ParamGlobalMixup; CTX ? id]
   ] E) (OK ? s) params.
-try @conj try @conj try @conj try @conj try @conj try @conj
-try @I
-[ @(expr_vars_mp … (tmp_preserved … u)) whd >E @refl
-| @(π1 (π1 Is))
-| @(π2 (π1 Is))
-| @(π2 Is)
-] qed.
-
-(*
-lemma local_id_add_local : ∀vars,id,id'.
-  local_id vars id →
-  local_id (add ?? vars id' Local) id.
-#vars #id #id' #H
-whd whd in ⊢ match % with [ _ ⇒ ? | _ ⇒ ?] cases (identifier_eq ? id id')
-[ #E < E >lookup_add_hit //
-| #NE >lookup_add_miss // @eq_identifier_elim // #E cases NE >E /2/
-] qed. 
-*)
+whd
+@(match fgens1 return λx.x=fgens1 → ? with
+  [ mk_Prod uv1 ul1 ⇒ λHfgens1.? ] (refl ? fgens1))
+whd in Is ⊢ %; destruct whd in Is;
+try @conj try @conj try @conj try @conj try @conj try @conj try @conj try @I
+elim Is * * #Hincl #Hstmt_inv #Hlab_tr #Htmp_pr try assumption
+@(expr_vars_mp … (tmp_preserved … uv1)) whd >E @refl
+qed.
+
 axiom DuplicateLabel : String.
 
@@ -1098 +1400 @@
 >lookup_add_miss
 [ @refl | @NE ]
-qed.  
-
-let rec populate_lenv (ls:list ident) (lbls:lenv) (u:universe ?) : res (Σlbls':lenv. lenv_list_inv lbls lbls' ls) ≝
-match ls return λls. res (Σlbls':lenv. lenv_list_inv lbls lbls' ls) with
-[ nil ⇒ OK ? «lbls, ?»
+qed.
+
+let rec populate_lenv (ls:list ident) (ul:labgen) (lbls:lenv): res ((Σlbls':lenv. lenv_list_inv lbls lbls' ls) × labgen) ≝
+match ls return λls.res ((Σlbls':lenv. lenv_list_inv lbls lbls' ls) × labgen) with
+[ nil ⇒ OK ? 〈«lbls, ?», ul〉
 | cons l t ⇒
-    match lookup_label lbls l return λx.lookup_label lbls l = x → ? with
-    [ OK _ ⇒ λ_. Error ? (msg DuplicateLabel)
-    | Error _ ⇒ λLOOK.
-        let 〈l',u1〉 ≝ fresh … u in
-        do lbls1 ← populate_lenv t (add … lbls l l') u1;
-        OK ? «pi1 … lbls1, ?»
-    ] (refl ? (lookup_label lbls l))
-].
-[ #l #l' #H %2 @H
-| cases lbls1 #lbls' #I whd in ⊢ (??%?);
-  #l1 #l1' #E1 @(eq_identifier_elim … l l1)
-  [ #E %1 %1 @E
-  | #NE cases (I l1 l1' E1)
-    [ #H %1 %2 @H
-    | #LOOK' %2 >lookup_label_miss in LOOK'; /2/ #H @H
-    ]
-  ]
-] qed.
-
-definition build_label_env : ∀body:statement. res (Σlbls:lenv. ∀l,l'.lookup_label lbls l = OK ? l' → Exists ? (λl'.l' = l) (labels_defined body)) ≝
+  match lookup_label lbls l return λlook. lookup_label lbls l = look → ? with
+  [ OK _    ⇒ λ_.Error ? (msg DuplicateLabel)
+  | Error _ ⇒ λLOOK.
+    match generate_fresh_label … ul with
+    [ mk_Sig ret H ⇒ 
+       do 〈packed_lbls, ul1〉 ← populate_lenv t (snd ?? ret) (add … lbls l (fst ?? ret));
+       match packed_lbls with
+       [ mk_Sig lbls' Hinv ⇒ OK ? 〈«lbls', ?», ul1〉 ]
+    ]
+  ] (refl ? (lookup_label lbls l))
+].
+[ 1: whd #l #l' #Hlookup %2 assumption
+| 2: whd in Hinv; whd #cl_lab #cm_lab #Hlookup
+     @(eq_identifier_elim … l cl_lab)
+     [ 1: #Heq %1 >Heq whd %1 //
+     | 2: #Hneq cases (Hinv cl_lab cm_lab Hlookup)
+           [ 1: #H %1 %2 @H
+           | 2: #LOOK' %2 >lookup_label_miss in LOOK'; /2/ #H @H ]
+     ]
+]
+qed.
+
+definition build_label_env : 
+   ∀body:statement. res ((Σlbls:lenv. ∀l,l'.lookup_label lbls l = OK ? l' → Exists ? (λl'.l' = l) (labels_defined body)) × labgen) ≝
 λbody.
-  do «lbls, H» ← populate_lenv (labels_defined body) (empty_map ??) (new_universe ?);
-  OK ? «lbls, ?».
-#l #l' #E cases (H l l' E) //
-whd in ⊢ (??%? → ?); #H destruct
+  let initial_labgen ≝ mk_labgen (new_universe ?) (nil ?) ?  in
+  do 〈label_map, u〉 ← populate_lenv (labels_defined body) initial_labgen (empty_map ??);
+  let lbls ≝ pi1 ?? label_map in
+  let H    ≝ pi2 ?? label_map in
+  OK ? 〈«lbls, ?», u〉.
+[ 1: #l #l' #E cases (H l l' E) //
+     whd in ⊢ (??%? → ?); #H destruct
+| 2: whd @I ]
 qed.
 
@@ -1158 +1468 @@
 ] qed.
 
+(* This lemma allows to merge two stmt_P in one. Used in the following parts to merge an invariant on variables
+   and an invariant on labels. *)
+lemma stmt_P_conj : ∀ (P1:stmt → Prop). ∀ (P2:stmt → Prop). ∀ s. stmt_P P1 s → stmt_P P2 s → stmt_P (λs.P1 s ∧ P2 s) s.
+#P1 #P2 #s elim s
+normalize try @conj try @conj try /3/
+[ #z0 #s #Hind1 #Hind2 * * #HA #HB #HC * * #HD #HE #HF try @conj try @conj try @conj try /2/
+| #H5 #H6 #H7 #H8 #H9 #H10 #H11 * * #H15 #H16 #H17 * * #H20 #H21 #H22
+  try @conj try @conj try @conj try /2/
+| 3,4: #H24 #H25 * #H29 #H30 * #H33 #H34 try @conj try @conj try @conj try /2/
+| 5,6: #H36 #H37 #H38 * #H42 #H43 * #H46 #H47 try @conj try @conj try @conj try /2/ ]
+qed.
+
 definition translate_function :
   ∀tmpuniverse:universe SymbolTag.
@@ -1166 +1488 @@
   res internal_function ≝
 λtmpuniverse, globals, f, Fglobals, Ffn.
-  do «lbls, Ilbls» ← build_label_env (fn_body f);
-  let 〈vartypes, stacksize〉 as E ≝ characterise_vars globals f in
-  let tmp ≝ mk_tmpgen vartypes tmpuniverse [ ] ?? in
-  do s ← translate_statement vartypes lbls tmp (fn_body f);
-  do «s,tmp, Is» ← alloc_params vartypes lbls ?? (fn_params f) s;
-  let params ≝ map ?? (λv.〈\fst v, typ_of_type (\snd v)〉) (fn_params f) in
-  let vars ≝ map ?? (λv.〈\fst v, typ_of_type (\snd v)〉) (tmp_env ? tmp @ fn_vars f) in
-  do D ← check_distinct_env ?? (params @ vars);
-  OK ? (mk_internal_function
-    (opttyp_of_type (fn_return f))
-    params
-    vars
-    D
-    stacksize
-    s ?).
-[ //
-| @(characterise_vars_fresh … (sym_eq … E)) //
-| cases Is * #S #L #TP
-  @(stmt_P_mp ???? S)
-  #s1 * #H1 #H2 %
-  [ @(stmt_vars_mp … H1)
-    #i #t #H
-    cases (local_id_split … H)
-    [ #H' >map_append
-      @Exists_map [ 2: @Exists_squeeze @(characterise_vars_all … (sym_eq ??? E) i t) @H'
-                  | skip
-                  | * #id #ty * #E1 #E2 <E1 <E2 @refl
-                  ]
-    | #EX @Exists_append_r whd in ⊢ (???%); <map_append @Exists_append_l @Exists_map [2: @EX | skip | * #id #ty * #E1 #E2 <E1 <E2 % @refl ]
-    ]
-  | @(stmt_labels_mp … H2)
-    #l * #l' #LOOKUP
-    lapply (Ilbls l' l LOOKUP) #DEFINED
-    cases (L … DEFINED) #lx * #LOOKUPx >LOOKUPx in LOOKUP; #Ex destruct (Ex)
-    #H @H
-  ]
-] qed.
+  do 〈env_pack, ul〉 ← build_label_env (fn_body f);
+    match env_pack with
+    [ mk_Sig lbls Ilbls ⇒
+      let 〈vartypes, stacksize〉 as E ≝ characterise_vars globals f in
+      let uv ≝ mk_tmpgen vartypes tmpuniverse [ ] ?? in
+      do s0 ← translate_statement vartypes uv ul lbls DoNotConvert (fn_body f);
+      do «fgens, s1, Is» ← alloc_params vartypes lbls ? uv DoNotConvert (fn_params f) s0;
+      let params ≝ map ?? (λv.〈\fst v, typ_of_type (\snd v)〉) (fn_params f) in
+      let vars ≝ map ?? (λv.〈\fst v, typ_of_type (\snd v)〉) (tmp_env ? (fst ?? fgens) @ fn_vars f) in
+      do D ← check_distinct_env ?? (params @ vars);
+      OK ? (mk_internal_function
+        (opttyp_of_type (fn_return f))
+        params
+        vars
+        D
+        stacksize
+        s1 ?)
+  ].
+[ 1: #i #t #Hloc whd @Hloc
+| 2: whd #id #Hpresent normalize in Hpresent:(???%?); whd in Hpresent;
+      @(characterise_vars_fresh … (sym_eq … E)) //
+| 3: @(match fgens return λx.x=fgens → ? with
+     [ mk_Prod uv' ul' ⇒ λHfgens.? ] (refl ? fgens))
+     whd in Is; <Hfgens in Is; #Is whd in Is ⊢ %;
+     elim Is * * #Hstmt_inv #Hlab_trans #Htmps_pres #Hlabel_wf
+     (* merge Hlabel_wf with Hstmt_inv and eliminate right away *)
+     @(stmt_P_mp … (stmt_P_conj … Hstmt_inv Hlabel_wf))
+     #s * #Hstmt_vars #Hstmt_labels @conj
+     [ 1: (* prove that variables are either parameters or locals *)
+        @(stmt_vars_mp … Hstmt_vars) #i #t #H
+        (* Case analysis: (i, t) is either in vartypes, or in (tmp_env vartypes uv) *)
+        cases (local_id_split … H)
+        [ 1: #H' >map_append
+          @Exists_map [ 1: #x @(And (\fst x = i) (typ_of_type (\snd x) = t))  (* * #id #ty @(〈id, typ_of_type ty〉=〈i, t〉)*)
+                      | 2: whd @Exists_squeeze @(characterise_vars_all globals f ?? (sym_eq ??? E) i t H')
+                      | 3: * #id #ty * #E1 #E2 <E1 <E2 @refl
+                      ]
+        | 2: #EX @Exists_append_r whd in ⊢ (???%); <map_append @Exists_append_l 
+          @Exists_map [ 1: #x @(And (\fst x = i) (typ_of_type (\snd x) = t))
+                      | 2: <Hfgens @EX
+                      | 3: * #id #ty * #E1 #E2 <E1 <E2 % @refl
+                      ]
+        ]
+     | 2: (* prove that labels are properly declared. *) 
+          @(stmt_labels_mp … Hstmt_labels) #l * *
+          [ 1: #H assumption
+          | 2: * #cl_label #Hlookup lapply (Ilbls cl_label l Hlookup) #Hdefined
+                cases (Hlab_trans … Hdefined) #lx * #LOOKUPx >LOOKUPx in Hlookup; #Ex destruct (Ex)
+                #H @H
+          ]
+    ]
+] qed.    
 
 definition translate_fundef :