Changeset 2181 for src/ASM/Test.ma

Timestamp:

Jul 13, 2012, 11:00:04 AM (9 years ago)

Author:

mulligan

Message:

Work from the last week on the new formulation of the main lemma for assembler correctness.

File:

• src/ASM/Test.ma (modified) (18 diffs)

src/ASM/Test.ma

@@ -19 +19 @@
     status_of_pseudo_status M cm (set_program_counter … cm s new_ppc) sigma policy.
   #M #cm #sigma #policy #s #s' #new_ppc #s_refl <s_refl //
+qed.
+
+lemma if_then_else_status_of_pseudo_status_true:
+  ∀M: internal_pseudo_address_map.
+  ∀cm: pseudo_assembly_program.
+  ∀sigma: Word → Word.
+  ∀policy: Word → bool.
+  ∀s, s', s'', s'''.
+  ∀t: bool.
+    t = true →
+    status_of_pseudo_status M cm s sigma policy = s' →
+      if t then
+        s'
+      else
+        s'' =
+      status_of_pseudo_status M cm (if t then s else s''') sigma policy.
+  #M #cm #sigma #policy #s #s' #s'' #s''' #t #t_refl #s_refl
+  >t_refl normalize nodelta >s_refl %
+qed.
+
+lemma if_then_else_status_of_pseudo_status_false:
+  ∀M: internal_pseudo_address_map.
+  ∀cm: pseudo_assembly_program.
+  ∀sigma: Word → Word.
+  ∀policy: Word → bool.
+  ∀s, s', s'', s'''.
+  ∀t: bool.
+    t = false →
+    status_of_pseudo_status M cm s sigma policy = s' →
+      if t then
+        s''
+      else
+        s' =
+      status_of_pseudo_status M cm (if t then s''' else s) sigma policy.
+  #M #cm #sigma #policy #s #s' #s'' #s''' #t #t_refl #s_refl
+  >t_refl normalize nodelta >s_refl %
 qed.
 
@@ -225 +261 @@
 
 lemma get_index_v_status_of_pseudo_status:
-  ∀M, code_memory, sigma, policy, s, sfr.
-    (get_index_v Byte 19
+  ∀M, code_memory, sigma, policy, s, s', sfr.
+    map_address_using_internal_pseudo_address_map M sigma sfr
+      (get_index_v Byte 19
+        (special_function_registers_8051 pseudo_assembly_program code_memory s)
+        (sfr_8051_index sfr) (sfr8051_index_19 sfr)) = s' →
+    get_index_v Byte 19
       (special_function_registers_8051 (BitVectorTrie Byte 16)
       (code_memory_of_pseudo_assembly_program code_memory sigma policy)
       (status_of_pseudo_status M code_memory s sigma policy))
-      (sfr_8051_index sfr) (sfr8051_index_19 sfr) =
-    map_address_using_internal_pseudo_address_map M sigma sfr
-      (get_index_v Byte 19
-        (special_function_registers_8051 pseudo_assembly_program code_memory s)
-        (sfr_8051_index sfr) (sfr8051_index_19 sfr))).
-  #M #code_memory #sigma #policy #s #sfr
+      (sfr_8051_index sfr) (sfr8051_index_19 sfr) = s'.
+  #M #code_memory #sigma #policy #s #s' #sfr #s_refl <s_refl
   whd in match status_of_pseudo_status; normalize nodelta
   whd in match sfr_8051_of_pseudo_sfr_8051; normalize nodelta
@@ -275 +311 @@
 
 lemma get_8051_sfr_status_of_pseudo_status:
-  ∀M, code_memory, sigma, policy, s, s', sfr.
+  ∀M, code_memory, sigma, policy, s, s', s'', sfr.
     status_of_pseudo_status M code_memory s sigma policy = s' →
-  (get_8051_sfr (BitVectorTrie Byte 16)
+    map_address_using_internal_pseudo_address_map M sigma sfr
+     (get_8051_sfr pseudo_assembly_program code_memory s sfr) = s'' →
+  get_8051_sfr (BitVectorTrie Byte 16)
     (code_memory_of_pseudo_assembly_program code_memory sigma policy)
-     s' sfr =
-  map_address_using_internal_pseudo_address_map M sigma sfr
-   (get_8051_sfr pseudo_assembly_program code_memory s sfr)).
-  #M #code_memory #sigma #policy #s #s' #sfr #s_refl <s_refl
+     s' sfr = s''.
+  #M #code_memory #sigma #policy #s #s' #s'' #sfr #s_refl #s_refl' <s_refl <s_refl'
   whd in match get_8051_sfr; normalize nodelta
-  @get_index_v_status_of_pseudo_status
+  @get_index_v_status_of_pseudo_status %
 qed.
 
@@ -444 +480 @@
   bit_address_of_register … cm s r.
  #M #cm #s #sigma #policy #r whd in ⊢ (??%%);
- >(get_8051_sfr_status_of_pseudo_status … (refl …))
+ >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
  @pair_elim #un #ln #_
  @pair_elim #r1 #r0 #_ %
@@ -452 +488 @@
   primitive *)
 axiom lookup_low_internal_ram_of_pseudo_low_internal_ram:
- ∀M,sigma,cm,s,addr.
+ ∀M,sigma,cm,s,s',addr.
+  map_internal_ram_address_using_pseudo_address_map M sigma (false:::addr)
+  (lookup Byte 7 addr
+   (low_internal_ram pseudo_assembly_program cm s) (zero 8)) = s' →
   lookup Byte 7 addr
   (low_internal_ram_of_pseudo_low_internal_ram M
    (low_internal_ram pseudo_assembly_program cm s)) (zero 8)
-  =
-  map_internal_ram_address_using_pseudo_address_map M sigma (false:::addr)
-  (lookup Byte 7 addr
-   (low_internal_ram pseudo_assembly_program cm s) (zero 8)).
+  = s'.
 
 (*CSC: provable using the axiom in AssemblyProof, but this one seems more
   primitive *)
 axiom lookup_high_internal_ram_of_pseudo_high_internal_ram:
- ∀M,sigma,cm,s,addr.
+ ∀M,sigma,cm,s,s',addr.
+  map_internal_ram_address_using_pseudo_address_map M sigma (true:::addr)
+  (lookup Byte 7 addr
+   (high_internal_ram pseudo_assembly_program cm s) (zero 8)) = s' →
   lookup Byte 7 addr
   (high_internal_ram_of_pseudo_high_internal_ram M
    (high_internal_ram pseudo_assembly_program cm s)) (zero 8)
-  =
-  map_internal_ram_address_using_pseudo_address_map M sigma (true:::addr)
-  (lookup Byte 7 addr
-   (high_internal_ram pseudo_assembly_program cm s) (zero 8)).
+  = s'.
 
 lemma get_register_status_of_pseudo_status:
- ∀M,cm,sigma,policy,s,s',r.
+ ∀M,cm,sigma,policy,s,s',s'',r.
   status_of_pseudo_status M cm s sigma policy = s' →
+  map_internal_ram_address_using_pseudo_address_map M sigma (false:::bit_address_of_register pseudo_assembly_program cm s r)
+   (get_register … cm s r) = s'' →
   get_register …
    (code_memory_of_pseudo_assembly_program cm sigma policy)
-   s' r =
-  map_internal_ram_address_using_pseudo_address_map M sigma (false:::bit_address_of_register pseudo_assembly_program cm s r)
-   (get_register … cm s r).
- #M #cm #sigma #policy #s #s' #r #s_refl <s_refl whd in match get_register; normalize nodelta
+   s' r = s''.
+ #M #cm #sigma #policy #s #s' #s'' #r #s_refl #s_refl' <s_refl <s_refl'
+ whd in match get_register; normalize nodelta
  whd in match status_of_pseudo_status; normalize nodelta
  >bit_address_of_register_status_of_pseudo_status
- @lookup_low_internal_ram_of_pseudo_low_internal_ram
+ @(lookup_low_internal_ram_of_pseudo_low_internal_ram … (refl …))
 qed.
 
@@ -586 +623 @@
 qed.
 
-lemma set_arg_8_status_of_pseudo_status:
+lemma set_arg_8_status_of_pseudo_status':
   ∀cm.
   ∀ps.
@@ -654 +691 @@
     | #_ #v_ok >(insert_low_internal_ram_status_of_pseudo_status … v) // ]
   |3,4: #EQ1 #EQ2 change with (get_register ????) in match register in p;
-      >(get_register_status_of_pseudo_status … (refl …))
+      >(get_register_status_of_pseudo_status … (refl …) (refl …))
       whd in match map_internal_ram_address_using_pseudo_address_map; normalize nodelta
       >EQ1 normalize nodelta >p normalize nodelta >p1 normalize nodelta
@@ -660 +697 @@
       | >(insert_low_internal_ram_status_of_pseudo_status … v) ]
       // <EQ2 @eq_f2 try % <(vsplit_ok … (sym_eq … p)) <eq_cons_head_append >p1 %
-  |5: #EQ1 #EQ2 <EQ2 >(get_register_status_of_pseudo_status … (refl …))
+  |5: #EQ1 #EQ2 <EQ2 >(get_register_status_of_pseudo_status … (refl …) (refl …))
       whd in match map_internal_ram_address_using_pseudo_address_map; normalize nodelta
       >EQ1 normalize nodelta
@@ -667 +704 @@
   |7: #EQ1 #EQ2 <EQ2 /2 by set_8051_sfr_status_of_pseudo_status/
   |8: #_ #EQ <EQ @set_8051_sfr_status_of_pseudo_status %
-  |9: #_ #EQ <EQ >(get_8051_sfr_status_of_pseudo_status … (refl …))
-      >(get_8051_sfr_status_of_pseudo_status … (refl …))
+  |9: #_ #EQ <EQ >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
+      >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
       >external_ram_status_of_pseudo_status @set_external_ram_status_of_pseudo_status ] %
+qed.
+
+lemma set_arg_8_status_of_pseudo_status:
+  ∀cm.
+  ∀ps.
+  ∀addr:[[ direct ; indirect ; registr ; acc_a ; acc_b ; ext_indirect ; ext_indirect_dptr ]].
+  ∀value.
+  ∀M. ∀sigma. ∀policy. ∀s'. ∀value'.
+   status_of_pseudo_status M cm ps sigma policy = s' →
+   map_address_mode_using_internal_pseudo_address_map_ok1 M cm ps sigma addr →
+   map_address_mode_using_internal_pseudo_address_map_ok2 … M sigma cm ps addr value = value' →
+    set_arg_8 (BitVectorTrie Byte 16)
+      (code_memory_of_pseudo_assembly_program cm sigma policy)
+      s' addr value' =
+    status_of_pseudo_status M cm (set_arg_8 … cm ps addr value) sigma policy.
+  #cm #ps #addr #value
+  cases (set_arg_8_status_of_pseudo_status' cm ps addr value) #_ #relevant
+  @relevant
 qed.
 
@@ -754 +809 @@
     ∀d: Byte.
     ∀l: bool.
-    ∀M. ∀sigma. ∀policy. ∀s'.
+    ∀M. ∀sigma. ∀policy. ∀s'. ∀s''.
+      map_address_Byte_using_internal_pseudo_address_map M sigma
+         d (get_bit_addressable_sfr pseudo_assembly_program code_memory s d l) = s'' →
       (status_of_pseudo_status M code_memory s sigma policy) = s' →
         (get_bit_addressable_sfr (BitVectorTrie Byte 16)
           (code_memory_of_pseudo_assembly_program code_memory sigma policy)
-          s' d l =
-        map_address_Byte_using_internal_pseudo_address_map M sigma
-         d (get_bit_addressable_sfr pseudo_assembly_program code_memory s d l)).
- #code #s #d #v cases (get_bit_addressable_sfr_status_of_pseudo_status' code s d v) #_
- #H @H
+          s' d l) = s''.
+ #code #s #d #v
+ cases (get_bit_addressable_sfr_status_of_pseudo_status' code s d v) #_ #relevant
+ #M #sigma #policy #s' #s'' #s_refl #s_refl' <s_refl <s_refl' @relevant %
 qed.
 
 lemma program_counter_status_of_pseudo_status:
-    ∀M. ∀sigma. ∀policy.
+    ∀M. ∀sigma: Word → Word. ∀policy.
     ∀code_memory: pseudo_assembly_program.
     ∀s: PreStatus ? code_memory.
     ∀s'.
+    ∀s''.
+    sigma (program_counter … s) = s'' →
     (status_of_pseudo_status M code_memory s sigma policy) = s' →
       program_counter … (code_memory_of_pseudo_assembly_program code_memory sigma policy)
-        s' =
-        sigma (program_counter … s).
-  #M #sigma #policy #code_memory #s #s' #s_refl <s_refl //
+        s' = s''.
+  #M #sigma #policy #code_memory #s #s' #s'' #s_refl #s_refl' <s_refl <s_refl' //
 qed.
 
@@ -786 +843 @@
   #M #cm #sigma #policy #s #s' #s_refl <s_refl
   whd in match get_cy_flag; normalize nodelta
-  >get_index_v_status_of_pseudo_status %
-qed.
-
-lemma get_arg_8_status_of_pseudo_status:
+  >(get_index_v_status_of_pseudo_status … (refl …)) %
+qed.
+
+lemma get_arg_8_status_of_pseudo_status':
   ∀cm.
   ∀ps.
@@ -850 +907 @@
   [1:
     #_ >p normalize nodelta >p1 normalize nodelta
-    @get_bit_addressable_sfr_status_of_pseudo_status %
+    @(get_bit_addressable_sfr_status_of_pseudo_status … (refl …)) %
   |2:
     #_>p normalize nodelta >p1 normalize nodelta
-    @lookup_low_internal_ram_of_pseudo_low_internal_ram
+    @(lookup_low_internal_ram_of_pseudo_low_internal_ram … sigma) %
   |3,4:
-    #assoc_list_assm >(get_register_status_of_pseudo_status … (refl …))
+    #assoc_list_assm >(get_register_status_of_pseudo_status … (refl …) (refl …))
     whd in match map_internal_ram_address_using_pseudo_address_map in ⊢ (??%?); normalize nodelta
     >assoc_list_assm normalize nodelta >p normalize nodelta >p1 normalize nodelta
     [1:
-      >(lookup_high_internal_ram_of_pseudo_high_internal_ram … sigma)
+      @(lookup_high_internal_ram_of_pseudo_high_internal_ram … sigma)
     |2:
-      >(lookup_low_internal_ram_of_pseudo_low_internal_ram … sigma)
+      @(lookup_low_internal_ram_of_pseudo_low_internal_ram … sigma)
     ]
     @eq_f2 try % <(vsplit_ok … (sym_eq … p)) <eq_cons_head_append >p1 %
   |5:
-    #assoc_list_assm >(get_register_status_of_pseudo_status … (refl …))
+    #assoc_list_assm >(get_register_status_of_pseudo_status … (refl …) (refl …))
     whd in match map_internal_ram_address_using_pseudo_address_map in ⊢ (??%?); normalize nodelta
     >assoc_list_assm normalize nodelta %
   |6,7,8,9:
-    #_ /2/
+    #_ /2 by refl, get_register_status_of_pseudo_status, get_index_v_status_of_pseudo_status/
   |10:
-    #acc_a_assm >(get_8051_sfr_status_of_pseudo_status … (refl …))
-    >(get_8051_sfr_status_of_pseudo_status … (refl …))
-    >(get_8051_sfr_status_of_pseudo_status … (refl …))
+    #acc_a_assm >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
+    >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
+    >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
     whd in match map_address_using_internal_pseudo_address_map; normalize nodelta
     >acc_a_assm >p normalize nodelta //
   |11:
-    * #map_acc_a_assm #sigma_assm >(get_8051_sfr_status_of_pseudo_status … (refl …))
-    >(program_counter_status_of_pseudo_status … (refl …))
+    * #map_acc_a_assm #sigma_assm >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
+    >(program_counter_status_of_pseudo_status … (refl …) (refl …))
     whd in match map_address_using_internal_pseudo_address_map; normalize nodelta
     >sigma_assm >map_acc_a_assm >p normalize nodelta //
   |12:
-    #_ >(get_8051_sfr_status_of_pseudo_status … (refl …))
-    >(get_8051_sfr_status_of_pseudo_status … (refl …))
+    #_ >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
+    >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
     >external_ram_status_of_pseudo_status //
   ]
+qed.
+
+lemma get_arg_8_status_of_pseudo_status:
+  ∀cm.
+  ∀ps.
+  ∀l.
+  ∀addr:[[ direct ; indirect ; registr ; acc_a ; acc_b ; data ; acc_dptr ; acc_pc ; ext_indirect ; ext_indirect_dptr ]].
+  ∀M. ∀sigma. ∀policy. ∀s', s''.
+      (status_of_pseudo_status M cm ps sigma policy) = s' →
+      map_address_mode_using_internal_pseudo_address_map_ok2 … M sigma cm ps addr (get_arg_8 … cm ps l addr) = s'' →
+      map_address_mode_using_internal_pseudo_address_map_ok1 M cm ps sigma addr →
+      get_arg_8 (BitVectorTrie Byte 16) (code_memory_of_pseudo_assembly_program cm sigma policy)
+      s' l addr = s''.
+  #cm #ps #l #addr
+  cases (get_arg_8_status_of_pseudo_status' cm ps l addr) #_ #relevant
+  #M #sigma #policy #s' #s'' #s_refl #s_refl' <s_refl'
+  @relevant assumption
 qed.
 
@@ -1017 +1091 @@
   |2,4:
     whd in ⊢ (% → ?); >p normalize nodelta >p1 normalize nodelta
-    >(get_bit_addressable_sfr_status_of_pseudo_status … (refl …)) #map_address_assm
+    >(get_bit_addressable_sfr_status_of_pseudo_status … (refl …) (refl …)) #map_address_assm
     >map_address_assm %
   |3,5:
     whd in ⊢ (% → ?); >p normalize nodelta >p1 normalize nodelta
     whd in match status_of_pseudo_status; normalize nodelta
-    >(lookup_low_internal_ram_of_pseudo_low_internal_ram … sigma)
+    >(lookup_low_internal_ram_of_pseudo_low_internal_ram … sigma … (refl …))
     #map_address_assm >map_address_assm %
   ]
@@ -1106 +1180 @@
 qed.
 
-lemma set_arg_1_status_of_pseudo_status:
+lemma set_arg_1_status_of_pseudo_status':
   ∀cm: pseudo_assembly_program.
   ∀ps: PreStatus pseudo_assembly_program cm.
   ∀addr: [[bit_addr; carry]].
   ∀b: Bit.
-    Σp: PreStatus … cm. ∀M. ∀sigma. ∀policy. ∀s'.
+    Σp: PreStatus … cm. ∀M. ∀sigma. ∀policy. ∀s'. ∀b'.
+      b = b' →
       status_of_pseudo_status M cm ps sigma policy = s' →
       map_bit_address_mode_using_internal_pseudo_address_map_set_1 M cm ps sigma addr b →
@@ -1118 +1193 @@
           (code_memory_of_pseudo_assembly_program cm sigma policy)
           s' addr b =
-        status_of_pseudo_status M cm (set_arg_1 … cm ps addr b) sigma policy.
+        status_of_pseudo_status M cm (set_arg_1 … cm ps addr b') sigma policy.
   whd in match set_arg_1; normalize nodelta
   whd in match map_bit_address_mode_using_internal_pseudo_address_map_set_1; normalize nodelta
@@ -1157 +1232 @@
             [ ]
       ] (subaddressing_modein … a)) normalize nodelta
-  try @modulus_less_than #M #sigma #policy #s' #s_refl <s_refl
+  try @modulus_less_than #M #sigma #policy #s' #b' #b_refl <b_refl #s_refl <s_refl
   [1:
-    #_ #_ >(get_8051_sfr_status_of_pseudo_status … (refl …))
+    #_ #_ >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
     whd in match map_address_using_internal_pseudo_address_map; normalize nodelta
     >p normalize nodelta @set_8051_sfr_status_of_pseudo_status %
   |2,3:
-    >(get_8051_sfr_status_of_pseudo_status … (refl …))
+    >(get_8051_sfr_status_of_pseudo_status … (refl …) (refl …))
     whd in match map_address_using_internal_pseudo_address_map; normalize nodelta
     >p normalize nodelta >p1 normalize nodelta
     #map_bit_address_assm_1 #map_bit_address_assm_2
     [1:
-      >(get_bit_addressable_sfr_status_of_pseudo_status … (refl …))
+      >(get_bit_addressable_sfr_status_of_pseudo_status … (refl …) (refl …))
       >map_bit_address_assm_1
       >(set_bit_addressable_sfr_status_of_pseudo_status cm s … map_bit_address_assm_2) %
     |2:
       whd in match status_of_pseudo_status in ⊢ (??(????%)?); normalize nodelta
-      >(lookup_low_internal_ram_of_pseudo_low_internal_ram … sigma)
+      >(lookup_low_internal_ram_of_pseudo_low_internal_ram … sigma … (refl …))
       >map_bit_address_assm_1
       >(insert_low_internal_ram_of_pseudo_low_internal_ram … map_bit_address_assm_2)
@@ -1179 +1254 @@
     ]
   ]
+qed.
+
+lemma set_arg_1_status_of_pseudo_status:
+  ∀cm: pseudo_assembly_program.
+  ∀ps: PreStatus pseudo_assembly_program cm.
+  ∀addr: [[bit_addr; carry]].
+  ∀b: Bit.
+  ∀M. ∀sigma. ∀policy. ∀s'. ∀b'.
+      b = b' →
+      status_of_pseudo_status M cm ps sigma policy = s' →
+      map_bit_address_mode_using_internal_pseudo_address_map_set_1 M cm ps sigma addr b →
+      map_bit_address_mode_using_internal_pseudo_address_map_set_2 M cm ps sigma addr b →
+        set_arg_1 (BitVectorTrie Byte 16)
+          (code_memory_of_pseudo_assembly_program cm sigma policy)
+          s' addr b =
+        status_of_pseudo_status M cm (set_arg_1 … cm ps addr b') sigma policy.
+  #cm #ps #addr #b
+  cases (set_arg_1_status_of_pseudo_status' cm ps addr b) #_ #relevant
+  @relevant
 qed.
 
@@ -1201 +1295 @@
   #M #cm #sigma #policy #s #s' #v #v' #s_refl #v_refl <s_refl <v_refl //
 qed.
+
+lemma let_pair_in_status_of_pseudo_status:
+  ∀A, B, M, cm, sigma, policy. ∀c, c': A × B. ∀s, s'.
+    c = c' →
+    (∀left, right. status_of_pseudo_status M cm (s left right c') sigma policy = s' left right c') →
+    let 〈left, right〉 ≝ c' in s' left right c' =
+    status_of_pseudo_status M cm (let 〈left, right〉 ≝ c in s left right c) sigma policy.
+  #A #B #M #cm #sigma #policy * #a #b * #a' #b' #s #s' normalize nodelta //
+qed.
+
+lemma let_pair_as_in_status_of_pseudo_status:
+  ∀A, B, M, cm, sigma, policy. ∀c, c': A × B. ∀s, s'.
+  ∀c_refl: c = c'.
+    (∀left, right, H. status_of_pseudo_status M cm (s left right H c') sigma policy = s' left right H c) →
+    let 〈left, right〉 as H ≝ c' in s' left right H c =
+    status_of_pseudo_status M cm (let 〈left, right〉 as H' ≝ c in s left right ? c) sigma policy.
+  [2: >H' assumption ]
+  #A #B #M #cm #sigma #policy * #a #b * #a' #b' #s #s'
+  #destruct_assm destruct(destruct_assm) normalize nodelta
+  #status_of_pseudo_status_assm >status_of_pseudo_status_assm //
+qed.
+
+lemma if_then_else_status_of_pseudo_status:
+  ∀M: internal_pseudo_address_map.
+  ∀cm: pseudo_assembly_program.
+  ∀sigma: Word → Word.
+  ∀policy: Word → bool.
+  ∀s, s', s'', s'''.
+  ∀t, t': bool.
+    t = t' →
+    status_of_pseudo_status M cm s sigma policy = s' →
+    status_of_pseudo_status M cm s'' sigma policy = s''' →
+      if t then
+        s'
+      else
+        s''' =
+      status_of_pseudo_status M cm (if t' then s else s'') sigma policy.
+  #M #cm #sigma #policy #s #s' #s'' #s''' #t #t' #t_refl #s_refl
+  >t_refl normalize nodelta >s_refl cases t' normalize nodelta //
+qed.