Changeset 1984 for src

Timestamp:

May 22, 2012, 5:37:09 PM (9 years ago)

Author:

mulligan

Message:

Most proof obligations closed in main_lemma apart from those of the `false' cases in conditional jumps.

Location:

src/ASM

Files:

• AssemblyProof.ma (modified) (3 diffs)
• AssemblyProofSplit.ma (modified) (11 diffs)

src/ASM/AssemblyProof.ma

@@ -1435 +1435 @@
   [ nil ⇒ eq_bv … pc final_pc = true
   | cons i tl ⇒
-      (∃pc': Word. 〈i, pc', ticks_of_instruction i〉 = fetch code_memory pc ∧
+    let pc' ≝ add 16 pc (bitvector_of_nat 16 (|assembly1 … i|)) in
+      (〈i, pc', ticks_of_instruction i〉 = fetch code_memory pc ∧
         fetch_many code_memory final_pc pc' tl)
   ].
@@ -1507 +1508 @@
     lapply (conjunction_true ?? H3) * #H4 #H5
     lapply (conjunction_true … H4) * #B1 #B2
-    %{pc'} <(eq_instruction_to_eq … B1) >(eq_bv_eq … H5)
-    >(eqb_true_to_refl … B2) % try % @IH @H2
+    >(eq_instruction_to_eq … B1) >(eq_bv_eq … H5) %
+    >(eqb_true_to_refl … B2) >(eq_instruction_to_eq … B1) try % @IH @H2
   ]
 qed.
@@ -2364 +2365 @@
   //
 qed.
+
+(* XXX: easy but tedious *)
+axiom assembly1_lt_128:
+  ∀i: instruction.
+    |(assembly1 i)| < 128.
+
+axiom most_significant_bit_zero:
+  ∀size, m: nat.
+  ∀size_proof: 0 < size.
+    m < 2^size → get_index_v bool (S size) (bitvector_of_nat (S size) m) 1 ? = false.
+  normalize in size_proof; /2/
+qed.
+
+lemma bitvector_of_nat_sign_extension_equivalence:
+  ∀m: nat.
+  ∀size_proof: m < 128.
+    sign_extension … (bitvector_of_nat 8 m) = bitvector_of_nat 16 m.
+  #m #size_proof whd in ⊢ (??%?);
+  >most_significant_bit_zero
+  [1:
+    cases daemon
+  |2:
+    assumption
+  |3:
+    //
+  ]
+qed.

src/ASM/AssemblyProofSplit.ma

@@ -95 +95 @@
 qed.
 
+lemma program_counter_set_arg_1:
+  ∀M: Type[0].
+  ∀cm: M.
+  ∀s: PreStatus M cm.
+  ∀addr: [[bit_addr; carry]].
+  ∀b: Bit.
+    program_counter M cm (set_arg_1 M cm s addr b) = program_counter M cm s.
+  #M #cm #s whd in match set_arg_1; whd in match set_arg_1'; normalize nodelta
+  #addr #b
+  @(subaddressing_mode_elim … [[bit_addr; carry]] … [[bit_addr; carry]]) [1: // ]
+  [1:
+    #byte cases (split ????) #nu #nl normalize nodelta
+    cases (split ????) #ignore #three_bits normalize nodelta
+    cases (get_index_v bool ????) normalize nodelta
+    [1:
+      @program_counter_set_bit_addressable_sfr
+    |2:
+      @program_counter_set_low_internal_ram
+    ]
+  |2:
+    cases (split ????) //
+  ]
+qed.
+
 lemma None_Some_elim: ∀P:Prop. ∀A,a. None A = Some A a → P.
  #P #A #a #abs destruct
@@ -166 +190 @@
     fetch_many code_memory final_pc start_pc [i] →
       〈i, final_pc, ticks_of_instruction i〉 = fetch code_memory start_pc.
-  #code_memory #final_pc #start_pc #i * #new_pc *
-  #fetch_refl #fetch_many_assm whd in fetch_many_assm;
+  #code_memory #final_pc #start_pc #i * #new_pc
+  #fetch_many_assm whd in fetch_many_assm;
   cases (eq_bv_eq … fetch_many_assm) assumption
 qed.
@@ -184 +208 @@
  ∀costs : BitVectorTrie costlabel 16.
  ∀create_label_cost_refl : create_label_cost_map instr_list=〈labels,costs〉.
- ∀assembled : list Byte.
- ∀costs' : BitVectorTrie costlabel 16.
- ∀assembly_refl : assembly 〈preamble,instr_list〉 sigma policy=〈assembled,costs'〉.
- ∀EQassembled : assembled=\fst  (assembly cm sigma policy).
  ∀newppc : Word.
  ∀lookup_labels : Identifier→Word.
- ∀EQlookup_labels : lookup_labels = (λx:Identifier.sigma (address_of_word_labels_code_mem instr_list x)).
+ ∀EQlookup_labels : lookup_labels = (λx:Identifier. address_of_word_labels_code_mem instr_list x).
  ∀lookup_datalabels : identifier ASMTag→Word.
  ∀EQlookup_datalabels : lookup_datalabels = (λx.lookup_def ASMTag Word (construct_datalabels preamble) x (zero 16)).
@@ -205 +225 @@
          (add 16 ppc (bitvector_of_nat 16 1))).
  ∀P.
- ∀EQP:
-  P = (λs.
-        execute (|expand_relative_jump lookup_labels sigma ppc instr|)
-       (code_memory_of_pseudo_assembly_program cm sigma
-        policy)
-       (status_of_pseudo_status M cm ps sigma policy)
-      =status_of_pseudo_status M' cm s sigma policy).
+ ∀EQP: P = (λinstr, s.
   sigma (add 16 ppc (bitvector_of_nat 16 1))
    =add 16 (sigma ppc)
@@ -224 +238 @@
      (expand_pseudo_instruction lookup_labels sigma policy (program_counter pseudo_assembly_program cm ps) lookup_datalabels
       (Instruction instr))
-     →P (execute_1_preinstruction ticks Identifier pseudo_assembly_program cm
+     → ∃n. execute n
+       (code_memory_of_pseudo_assembly_program cm sigma
+        policy)
+       (status_of_pseudo_status M cm ps sigma policy)
+      =status_of_pseudo_status M' cm s sigma policy).
+     P instr (execute_1_preinstruction ticks Identifier pseudo_assembly_program cm
          addr_of instr s).
  #M #M' #preamble #instr_list #cm #EQcm #sigma #policy #sigma_policy_witness #ps #ppc #EQppc #labels
- #costs #create_label_cost_refl #assembled #costs' #assembly_refl #EQassembled #newppc
+ #costs #create_label_cost_refl #newppc
  #lookup_labels #EQlookup_labels #lookup_datalabels #EQlookup_datalabels #EQnewppc #instr
  #ticks #EQticks #addr_of #EQaddr_of #s #EQs #P #EQP
- #sigma_increment_commutation #maps_assm #fetch_many_assm
+ (*#sigma_increment_commutation #maps_assm #fetch_many_assm *)
  letin a ≝ Identifier letin m ≝ pseudo_assembly_program
- cut (Σxxx:PseudoStatus cm. P (execute_1_preinstruction ticks a m cm addr_of instr s))
+ cut (Σxxx:PseudoStatus cm. P instr (execute_1_preinstruction ticks a m cm addr_of instr s))
  [2: * // ]
  @(
@@ -644 +663 @@
 whd in match execute_1_preinstruction; normalize nodelta
 [4,5,6,7,8,36,37,38,39,40,41,50: (* INC, CLR, CPL, PUSH *)
+  (* XXX: work on the right hand side *)
   lapply (subaddressing_modein ???)
   <EQaddr normalize nodelta #irrelevant
   try (>p normalize nodelta)
   try (>p1 normalize nodelta)
-  (* XXX: start work on the left hand side *)
-  >EQP <instr_refl normalize nodelta whd in ⊢ (??%?);
-  (* XXX: work on fetch_many *)
-  <instr_refl in fetch_many_assm; #fetch_many_assm
-  <(fetch_many_singleton … fetch_many_assm) whd in ⊢ (??%?);
-  (* XXX: work on sigma commutation *)
-  <instr_refl in sigma_increment_commutation; #sigma_increment_commutation
-  (* XXX: work on both sides *)
+  (* XXX: switch to the left hand side *)
+  -instr_refl >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm %{1}
+  whd in ⊢ (??%?);
+  <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
+  (* XXX: work on the left hand side *)
   [1,2,3,4,5:
     generalize in ⊢ (??(???(?%))?);
@@ -666 +684 @@
   try @(jmpair_as_replace ?????????? p)
   [10: normalize nodelta try @(jmpair_as_replace ?????????? p1) ]
-  normalize nodelta
-  (* XXX: work on ticks (of all kinds) *)
-  <instr_refl in EQticks; #EQticks >EQticks
-  (* XXX: removes status 's' *)
-  normalize nodelta >EQs -s -ticks
+  (* XXX: switch to the right hand side *)
+  normalize nodelta >EQs -s >EQticks -ticks
   whd in ⊢ (??%%);
-  (* XXX: simplify the left hand side *)
+  (* XXX: finally, prove the equality using sigma commutation *)
   cases daemon
   (* XXX: work on both sides *)
 |1,2,3,9,46,51,53,54,55: (* ADD, ADDC, SUBB, DEC, SWAP, POP, XCHD, RET, RETI  *)
-  (* XXX: simplify the right hand side *)
+  (* XXX: work on the right hand side *)
   >p normalize nodelta
   try (>p1 normalize nodelta)
-  (* XXX: start work on the left hand side *)
-  >EQP <instr_refl normalize nodelta whd in ⊢ (??%?);
-  (* XXX: work on fetch_many *)
-  <instr_refl in fetch_many_assm; whd in ⊢ (% → ?); >EQassembled
-  whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
-  whd in match (program_counter ?? (status_of_pseudo_status M cm ps sigma policy));
-  <EQppc cases (fetch ??) * #instr' #newpc #ticks' normalize nodelta * *
-  #eq_instr #EQticks' #fetch_many_assm whd in fetch_many_assm;
-  >(eq_bv_eq … fetch_many_assm) -newpc
-  >(eq_instruction_to_eq … eq_instr) -instr' whd in ⊢ (??%?);
-  (* XXX: work on sigma commutation *)
-  <instr_refl in sigma_increment_commutation; #sigma_increment_commutation 
-  (* XXX: work on ticks (of all kinds) *)
-  >EQticks' -ticks' <instr_refl in EQticks; #EQticks >EQticks
-  (* XXX: simplify the left hand side *)
+  (* XXX: switch to the left hand side *)
+  -instr_refl >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm %{1}
+  whd in ⊢ (??%?);
+  <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
+  (* XXX: work on the left hand side *)
   @(pair_replace ?????????? p)
   [1,3,5,7,9,11,13,15,17:
@@ -704 +710 @@
        ]
   ]
-  (* XXX: removes status 's' *)
-  normalize nodelta >EQs -s -ticks
+  (* XXX: switch to the right hand side *)
+  normalize nodelta >EQs -s >EQticks -ticks
   whd in ⊢ (??%%);
-  (* XXX: work on both sides *)
+  (* XXX: finally, prove the equality using sigma commutation *)
   cases daemon (*
        @split_eq_status try %
@@ -715 +721 @@
        ] *)
 |10,42,43,44,45,49,52,56: (* MUL *)
-  (* XXX: simplify the right hand side *)
-  (* XXX: start work on the left hand side *)
-  >EQP <instr_refl normalize nodelta whd in ⊢ (??%?);
-  (* XXX: work on fetch_many *)
-  <instr_refl in fetch_many_assm; whd in ⊢ (% → ?); >EQassembled
-  whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
-  whd in match (program_counter ?? (status_of_pseudo_status M cm ps sigma policy));
-  <EQppc cases (fetch ??) * #instr' #newpc #ticks' normalize nodelta * *
-  #eq_instr #EQticks' #fetch_many_assm whd in fetch_many_assm;
-  >(eq_bv_eq … fetch_many_assm) -newpc
-  >(eq_instruction_to_eq … eq_instr) -instr' whd in ⊢ (??%?);
-  (* XXX: work on sigma commutation *)
-  <instr_refl in sigma_increment_commutation; #sigma_increment_commutation 
-  (* XXX: work on ticks (of all kinds) *)
-  >EQticks' -ticks' <instr_refl in EQticks; #EQticks >EQticks
-  (* XXX: removes status 's' *)
-  normalize nodelta >EQs -s -ticks
+  (* XXX: work on the right hand side *)
+  (* XXX: switch to the left hand side *)
+  -instr_refl >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm %{1}
+  whd in ⊢ (??%?);
+  <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
+  (* XXX: work on the left hand side *)
+  (* XXX: switch to the right hand side *)
+  normalize nodelta >EQs -s >EQticks -ticks
   whd in ⊢ (??%%);
-  (* XXX: work on both sides *)
-  (* @split_eq_status try % *)
+  (* XXX: finally, prove the equality using sigma commutation *)
   cases daemon
 |11,12: (* DIV *)
+  (* XXX: work on the right hand side *)
   normalize nodelta in p;
   >p normalize nodelta
-  >EQP <instr_refl normalize nodelta whd in ⊢ (??%?);
-  (* XXX: work on fetch_many *)
-  <instr_refl in fetch_many_assm; whd in ⊢ (% → ?); >EQassembled
-  whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
-  whd in match (program_counter ?? (status_of_pseudo_status M cm ps sigma policy));
-  <EQppc cases (fetch ??) * #instr' #newpc #ticks' normalize nodelta * *
-  #eq_instr #EQticks' #fetch_many_assm whd in fetch_many_assm;
-  >(eq_bv_eq … fetch_many_assm) -newpc
-  >(eq_instruction_to_eq … eq_instr) -instr' whd in ⊢ (??%?);
-  (* XXX: work on sigma commutation *)
-  <instr_refl in sigma_increment_commutation; #sigma_increment_commutation 
-  (* XXX: work on ticks (of all kinds) *)
-  >EQticks' -ticks' <instr_refl in EQticks; #EQticks >EQticks
-  (* XXX: work on both sides *)
+  (* XXX: switch to the left hand side *)
+  -instr_refl >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm %{1}
+  whd in ⊢ (??%?);
+  <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
   @(pose … (nat_of_bitvector 8 ?)) #pose_assm #pose_refl
-  >(?: pose_assm = 0)
+  >(?: pose_assm = 0) normalize nodelta
   [2,4:
     <p >pose_refl
     cases daemon
   |1,3:
-    (* XXX: removes status 's' *)
-    normalize nodelta >EQs -s -ticks
+    (* XXX: switch to the right hand side *)
+    >EQs -s >EQticks -ticks
     whd in ⊢ (??%%);
-    (* XXX: work on both sides *)
+    (* XXX: finally, prove the equality using sigma commutation *)
     @split_eq_status try %
     cases daemon
   ]
 |13,14,15: (* DA *)
+  (* XXX: work on the right hand side *)
   >p normalize nodelta
   >p1 normalize nodelta
@@ -773 +763 @@
   try (>p4 normalize nodelta
   try (>p5 normalize nodelta))))
-  >EQP <instr_refl normalize nodelta whd in ⊢ (??%?);
-  (* XXX: work on fetch_many *)
-  <instr_refl in fetch_many_assm; whd in ⊢ (% → ?); >EQassembled
-  whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
-  whd in match (program_counter ?? (status_of_pseudo_status M cm ps sigma policy));
-  <EQppc cases (fetch ??) * #instr' #newpc #ticks' normalize nodelta * *
-  #eq_instr #EQticks' #fetch_many_assm whd in fetch_many_assm;
-  >(eq_bv_eq … fetch_many_assm) -newpc
-  >(eq_instruction_to_eq … eq_instr) -instr' whd in ⊢ (??%?);
-  (* XXX: work on sigma commutation *)
-  <instr_refl in sigma_increment_commutation; #sigma_increment_commutation 
-  (* XXX: work on ticks (of all kinds) *)
-  >EQticks' -ticks' <instr_refl in EQticks; #EQticks >EQticks
-  (* XXX: work on both sides *)
+  (* XXX: switch to the left hand side *)
+  -instr_refl >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm %{1}
+  whd in ⊢ (??%?);
+  <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
+  (* XXX: work on the left hand side *)
   @(pair_replace ?????????? p)
   [1,3,5:
@@ -804 +786 @@
       ]
     ]
-    (* XXX: removes status 's' *)
-    normalize nodelta >EQs -s -ticks
+  (* XXX: switch to the right hand side *)
+  normalize nodelta >EQs -s >EQticks -ticks
+  whd in ⊢ (??%%);
+  (* XXX: finally, prove the equality using sigma commutation *)
+  @split_eq_status try %
+  cases daemon
+  ]
+|33,34,35,48: (* ANL, ORL, XRL, MOVX *)
+  (* XXX: work on the right hand side *)
+  cases addr #addr' normalize nodelta
+  [1,3:
+    cases addr' #addr'' normalize nodelta
+  ]
+  @pair_elim #lft #rgt #lft_rgt_refl >lft_rgt_refl normalize nodelta
+  (* XXX: switch to the left hand side *)
+  -instr_refl >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm %{1}
+  whd in ⊢ (??%?);
+  <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
+  (* XXX: work on the left hand side *)
+  (* XXX: switch to the right hand side *)
+  normalize nodelta >EQs -s >EQticks -ticks
+  whd in ⊢ (??%%);
+  (* XXX: finally, prove the equality using sigma commutation *)
+  cases daemon
+|47: (* MOV *)
+  (* XXX: work on the right hand side *)
+  cases addr -addr #addr normalize nodelta
+  [1:
+    cases addr #addr normalize nodelta
+    [1:
+      cases addr #addr normalize nodelta
+      [1:
+        cases addr #addr normalize nodelta
+        [1:
+          cases addr #addr normalize nodelta
+        ]
+      ]
+    ]
+  ]
+  cases addr #lft #rgt normalize nodelta
+  (* XXX: switch to the left hand side *)
+  >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm %{1}
+  whd in ⊢ (??%?);
+  <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
+  (* XXX: work on the left hand side *)
+  (* XXX: switch to the right hand side *)
+  normalize nodelta >EQs -s >EQticks -ticks
+  whd in ⊢ (??%%);
+  (* XXX: finally, prove the equality using sigma commutation *)
+  cases daemon
+|16,18,20,22,24,26,28: (* JC, JNC, JB, JNB, JBC, JZ, JNZ (true cases) *)
+  (* XXX: work on the right hand side *)
+  >p normalize nodelta
+  (* XXX: switch to the left hand side *)
+  -instr_refl >EQP -P normalize nodelta
+  #sigma_increment_commutation #maps_assm #fetch_many_assm
+  
+  whd in match (expand_pseudo_instruction ??????) in fetch_many_assm;
+  whd in match (expand_relative_jump ????);
+  <EQppc in fetch_many_assm;
+  @pair_elim #result #flags #sub16_refl
+  @pair_elim #upper #lower #split_refl
+  cases (eq_bv ???) normalize nodelta
+  [1,3,5,7,9,11,13:
+    >EQppc in ⊢ (% → ?); #fetch_many_assm %{1}
+    whd in ⊢ (??%?);
+    <(fetch_many_singleton … fetch_many_assm) -fetch_many_assm whd in ⊢ (??%?);
+    (* XXX: work on the left hand side *)
+    @(if_then_else_replace ???????? p) normalize nodelta
+    [1,3,5,7,9,11,13:
+      cases daemon
+    ]
+    (* XXX: switch to the right hand side *)
+    normalize nodelta >EQs -s >EQticks -ticks
     whd in ⊢ (??%%);
-    (* XXX: work on both sides *)
+    (* XXX: finally, prove the equality using sigma commutation *)
     @split_eq_status try %
     cases daemon
-  ]
-|33,34,35,48: (* ANL, ORL, XRL, MOVX *)
-  (* XXX: simplify the right hand side *)
-  inversion addr #addr' #EQaddr normalize nodelta
-  [1,3:
-    inversion addr' #addr'' #EQaddr' normalize nodelta
-  ]
-  @pair_elim #lft #rgt #lft_rgt_refl normalize nodelta
-  (* XXX: start work on the left hand side *)
-  >EQP <instr_refl normalize nodelta whd in ⊢ (??%?);
-  (* XXX: work on fetch_many *)
-  <instr_refl in fetch_many_assm; whd in ⊢ (% → ?); >EQassembled
-  whd in match code_memory_of_pseudo_assembly_program; normalize nodelta
-  whd in match (program_counter ?? (status_of_pseudo_status M cm ps sigma policy));
-  <EQppc cases (fetch ??) * #instr' #newpc #ticks' normalize nodelta * *
-  #eq_instr #EQticks' #fetch_many_assm whd in fetch_many_assm;
-  >(eq_bv_eq … fetch_many_assm) -newpc
-  >(eq_instruction_to_eq … eq_instr) -instr' whd in ⊢ (??%?);
-  (* XXX: work on sigma commutation *)
-  <instr_refl in sigma_increment_commutation; #sigma_increment_commutation 
-  (* XXX: work on ticks (of all kinds) *)
-  >EQticks' -ticks' <instr_refl in EQticks; #EQticks >EQticks
-  (* XXX: simplify the left hand side *)
-  >EQaddr normalize nodelta try (>EQaddr' normalize nodelta)
-  >lft_rgt_refl normalize nodelta
-  (* XXX: removes status 's' *)
-  normalize nodelta >EQs -s -ticks
-  whd in ⊢ (??%%);
-  (* XXX: work on both sides *)
-  cases daemon
-|47: (* MOV *)
-|* (* JUMPS!!! *)
+  |2,4,6,8,10,12,14:
+    >EQppc
+    * @(pose … (add 16 ??)) #intermediate_pc #EQintermediate_pc #fetch_refl
+    * @(pose … (add 16 ??)) #intermediate_pc' #EQintermediate_pc' #fetch_refl'
+    * @(pose … (add 16 ??)) #intermediate_pc'' #EQintermediate_pc'' #fetch_refl''
+    #fetch_many_assm whd in fetch_many_assm; %{2}
+    change with (execute_1 ?? = ?)
+    @(pose … (execute_1 ? (status_of_pseudo_status …)))
+    #status_after_1 #EQstatus_after_1
+    <(?: ? = status_after_1)
+    [3,6,9,12,15,18,21:
+      >EQstatus_after_1 in ⊢ (???%);
+      whd in ⊢ (???%);
+      [1: <fetch_refl in ⊢ (???%);
+      |2: <fetch_refl in ⊢ (???%);
+      |3: <fetch_refl in ⊢ (???%);
+      |4: <fetch_refl in ⊢ (???%);
+      |5: <fetch_refl in ⊢ (???%);
+      |6: <fetch_refl in ⊢ (???%);
+      |7: <fetch_refl in ⊢ (???%);
+      ]
+      whd in ⊢ (???%);
+      @(if_then_else_replace ???????? p)
+      [1,3,5,7,9,11,13:
+        cases daemon
+      |2,4,6,8,10,12,14:
+        normalize nodelta
+        whd in match (addr_of_relative ????);
+        >set_clock_mk_Status_commutation
+        [5:
+          (* XXX: demodulation not working in this case *)
+          >program_counter_set_arg_1 in ⊢ (???%);
+          >program_counter_set_program_counter in ⊢ (???%);
+        |*:
+          /demod/
+        ]
+        whd in ⊢ (???%);
+        change with (add ???) in match (\snd (half_add ???));
+        >(?: add ? intermediate_pc (sign_extension (bitvector_of_nat ? 2)) = intermediate_pc')
+        [2,4,6,8,10,12,14:
+          >bitvector_of_nat_sign_extension_equivalence
+          [1,3,5,7,9,11,13:
+            >EQintermediate_pc' %
+          |*:
+            repeat @le_S_S @le_O_n
+          ]
+        ]
+        %
+      ]
+    |1,4,7,10,13,16,19:
+      skip
+    ]
+    -status_after_1
+    @(pose … (execute_1 ? (mk_PreStatus …)))
+    #status_after_1 #EQstatus_after_1
+    <(?: ? = status_after_1)
+    [3,6,9,12,15,18,21:
+      >EQstatus_after_1 in ⊢ (???%);
+      whd in ⊢ (???%);
+      (* XXX: matita bug with patterns across multiple goals *)
+      [1: <fetch_refl'' in ⊢ (???%);
+      |2: <fetch_refl'' in ⊢ (???%);
+      |3: <fetch_refl'' in ⊢ (???%);
+      |4: <fetch_refl'' in ⊢ (???%);
+      |5: <fetch_refl'' in ⊢ (???%);
+      |6: <fetch_refl'' in ⊢ (???%);
+      |7: <fetch_refl'' in ⊢ (???%);
+      ]
+      whd in ⊢ (???%);
+      [5:
+      |*:
+        /demod/
+      ] %
+    |1,4,7,10,13,16,19:
+      skip
+    ]
+    -status_after_1 whd in ⊢ (??%?);
+    (* XXX: switch to the right hand side *)
+    normalize nodelta >EQs -s >EQticks -ticks
+    whd in ⊢ (??%%);
+    (* XXX: finally, prove the equality using sigma commutation *)
+    @split_eq_status try %
+    [3,7,11,15,20,28,32:
+      >program_counter_set_program_counter >set_clock_mk_Status_commutation
+      [5: >program_counter_set_program_counter ]
+      >EQaddr_of normalize nodelta
+      whd in ⊢ (??%?); >EQlookup_labels normalize nodelta
+      >EQcm %
+    |*:
+      cases daemon
+    ]
 ]
 qed.