Context Navigation

← Previous Change
Next Change →

Changeset 2225 for src

Timestamp:

Jul 20, 2012, 6:15:40 PM (9 years ago)

Author:

sacerdot

Message:

Minor and major improvements everywhere, shortened proofs.

Location:

src/ASM

Files:

: 3 edited

Policy.ma (modified) (22 diffs)
PolicyFront.ma (modified) (14 diffs)
PolicyStep.ma (modified) (14 diffs)

Legend:

: Unmodified
: Added
: Removed

src/ASM/Policy.ma

-                      r2211
+                      r2225
           | Some op ⇒ λp2.if no_ch
             then pi1 ?? (jump_expansion_internal program m)
             else pi1 ?? (jump_expansion_step program labels «op,?»)
+            else pi1 ?? (jump_expansion_step program (pi1 ?? labels) «op,?»)
           ] (refl … z)
   ] (refl … n).
+[ normalize nodelta cases (jump_expansion_start program (create_label_map program))
+[5: cases labels #label_map #spec #id #id_ok cases (spec … id_ok) //
+| normalize nodelta cases (jump_expansion_start program (create_label_map program))
   #x cases x -x
   [ #H / by I/
+  [ #H %
   | #sigma normalize nodelta #H @conj [ @conj
     [ @(proj1 ?? (proj1 ?? (proj1 ?? H)))
 …
+    ]
+  ]
 | / by I/
+| %
 | cases no_ch in p1; #p1
   [ @(pi2 ?? (jump_expansion_internal program m))
   | cases (jump_expansion_step program (create_label_map program) «op,?»)
+  | cases (jump_expansion_step ???)
     #x cases x -x #ch2 #z2 cases z2 normalize nodelta
     [ #_ / by I/
+    [ #_ %
     | #j2 #H2 @conj [ @conj
       [ @(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? H2)))))
 …
 lemma pe_refl: ∀program.reflexive ? (policy_equal_opt program).
+#program whd #x whd cases x
+[ //
+| #y @pe_int_refl
+]
+#program whd #x whd cases x try % #y @pe_int_refl
 qed.
 …
 #program whd #x #y #Hxy whd cases y in Hxy;
 [ cases x
   [ //
+  [ #_ %
   | #x' #H @⊥ @(absurd ? H) /2 by nmk/
+  ]
 …
      [ #HN normalize nodelta #SEQ >(Some_eq ??? (proj2 ?? (pair_destruct ?????? (pi1_eq ???? SEQ))))
        / by /
      | #HN normalize nodelta cases (jump_expansion_step program (create_label_map program) «Npol,?»)
+     | #HN normalize nodelta cases (jump_expansion_step ???)
        #x cases x -x #Stno_ch #Stno_o normalize nodelta cases Stno_o
        [ normalize nodelta #_ #H destruct (H)
 …
+   ]
+ ]
+qed.
+qed.
 lemma pe_step: ∀program:(Σl:list labelled_instruction.S (|l|) < 2^16 ∧ is_well_labelled_p l).
 …
   policy_equal_opt program (\snd (pi1 ?? (jump_expansion_internal program (S n))))
     (\snd (pi1 ?? (jump_expansion_internal program (S (S n))))).
+#program #n #Heq
+cases daemon (* XXX *)
+#program #n #Heq cases daemon (* XXX *)
 qed.
 …
     \fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd p) 〈0,short_jump〉) = 0 ∧
     \fst p = \fst (bvt_lookup … (bitvector_of_nat ? (|program|)) (\snd p) 〈0,short_jump〉) ∧
     sigma_compact_unsafe program (create_label_map program) p ∧
+    sigma_compact_unsafe program (pi1 … (create_label_map program)) p ∧
     \fst p ≤ 2^16.
   ∀l.|l| ≤ |program| → ∀acc:ℕ.
   match \snd (pi1 ?? (jump_expansion_step program (create_label_map program) policy)) with
+  match \snd (pi1 ?? (jump_expansion_step program (pi1 … (create_label_map program)) policy)) with
   [ None   ⇒ True
   | Some p ⇒ measure_int l policy acc ≤ measure_int l p acc
   ].
+[2: cases (create_label_map ?) #label_map #H #id #id_ok cases (H … id_ok) // ]
 #program #policy #l elim l -l;
 [ #Hp #acc cases (jump_expansion_step ???) #pi1 cases pi1 #p #q -pi1; cases q [ // | #x #_ @le_n ]
 | #h #t #Hind #Hp #acc
+  lapply (refl ? (jump_expansion_step program (create_label_map program) policy))
+  cases (jump_expansion_step ???) in ⊢ (???% → %); #pi1 cases pi1 -pi1 #c #r cases r
+  inversion (jump_expansion_step ???) #pi1 cases pi1 -pi1 #c #r cases r
   [ / by I/
   | #x normalize nodelta #Hx #Hjeq
 …
     \fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd p) 〈0,short_jump〉) = 0 ∧
     \fst p = \fst (bvt_lookup … (bitvector_of_nat ? (|program|)) (\snd p) 〈0,short_jump〉) ∧
     sigma_compact_unsafe program (create_label_map program) p ∧
+    sigma_compact_unsafe program (pi1 … (create_label_map program)) p ∧
     \fst p ≤ 2^16.
   match (\snd (pi1 ?? (jump_expansion_step program (create_label_map program) policy))) with
+  match (\snd (pi1 ?? (jump_expansion_step program (pi1 … (create_label_map program)) policy))) with
   [ None ⇒ True
   | Some p ⇒ measure_int program policy 0 = measure_int program p 0 → sigma_jump_equal program policy p ].
+#program #policy lapply (refl ? (pi1 ?? (jump_expansion_step program (create_label_map program) policy)))
+cases (jump_expansion_step program (create_label_map program) policy) in ⊢ (???% → %);
+[2: cases (create_label_map ?) #label_map #H #id #id_ok cases (H … id_ok) //]
+#program #policy inversion (jump_expansion_step ???)
 #p cases p -p #ch #pol normalize nodelta cases pol
 [ / by I/
 …
           (\fst (bvt_lookup … (bitvector_of_nat ? 0) (\snd pol) 〈0,short_jump〉) = 0)
           (\fst pol = \fst (bvt_lookup … (bitvector_of_nat ? (|program|)) (\snd pol) 〈0,short_jump〉)))
           (sigma_compact program (create_label_map program) pol))
+          (sigma_compact program (pi1 … (create_label_map program)) pol))
           (\fst pol ≤ 2^16)
       ].
 …
    (\snd (pi1 ?? (jump_expansion_internal program (S k))))) ? (2*|program|))
 [ #Hex cases Hex -Hex #k #Hk
+  lapply (refl ? (jump_expansion_internal program (S (2*|program|))))
+  cases (jump_expansion_internal ? (S (2*|program|))) in ⊢ (???% → %);
+  inversion (jump_expansion_internal ??)
   #x cases x -x #Gno_ch #Go cases Go normalize nodelta
   [ #H #Heq / by I/
 …
         | @(proj2 ?? (proj1 ?? (proj1 ?? HGp)))
+        ]
         | @(equal_compact_unsafe_compact ?? Fp)
+        | @(equal_compact_unsafe_compact ? Fp)
           [ lapply (jump_pc_equal program (2*|program|))
             >Feq >Geq normalize nodelta #H @H @Heq
 …
         | @(proj2 ?? (proj1 ?? (proj1 ?? HGp)))
+        ]
         | @(equal_compact_unsafe_compact ?? Fp)
+        | @(equal_compact_unsafe_compact ? Fp)
           [ lapply (jump_pc_equal program (2*(|program|))) >Feq >Geq normalize nodelta
             #H @H #i #Hi
             cases (dec_is_jump (\snd (nth i ? program 〈None ?, Comment []〉)))
+            inversion (is_jump (\snd (nth i ? program 〈None ?, Comment []〉)))
             [ #Hj whd in match (jump_expansion_internal program (S (2*|program|))) in Geq; (*85s*)
               >Feq in Geq; normalize nodelta cases Fno_ch
               [ normalize nodelta #Heq
                 >(Some_eq ??? (proj2 ?? (pair_destruct ?????? (pi1_eq ???? Heq)))) %
               | normalize nodelta cases (jump_expansion_step program (create_label_map program) «Fp,?»)
+              | normalize nodelta cases (jump_expansion_step ???)
                 #x cases x -x #stch #sto normalize nodelta cases sto
                 [ normalize nodelta #_ #X destruct (X)
 …
                    <(Some_eq ??? (proj2 ?? (pair_destruct ?????? (pi1_eq ???? Heq))))
                    lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hst)))) i (le_S_to_le … Hi))
                    lapply (Hfull i Hi Hj)
+                   lapply (Hfull i Hi ?) [>Hj %]
                    cases (bvt_lookup … (bitvector_of_nat ? i) (\snd Fp) 〈0,short_jump〉)
                    #fp #fj #Hfj >Hfj normalize nodelta
 …
+                 ]
+               ]
              | #Hj >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? HGp))) i Hi Hj)
                 >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? HFp))) i Hi Hj) @refl
+             | #Hj >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? HGp))) i Hi ?) [2:>Hj %]
+                >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? HFp))) i Hi ?) [2:>Hj] %
+              ]
             | cases daemon (* true, but have to add to properties in some way *)
 …
 (* The glue between Policy and Assembly. *)
-(*CSC: modified to really use the specification in Assembly.ma.*)
 definition jump_expansion':
 ∀program:preamble × (Σl:list labelled_instruction.S (|l|) < 2^16 ∧ is_well_labelled_p l).
 …
   [ None ⇒ λp.None ?
   | Some x ⇒ λp.Some ?
       «〈(λppc.let 〈pc,jl〉 ≝ bvt_lookup ?? ppc (\snd x) 〈0,short_jump〉 in
+      «〈(λppc.let pc ≝ \fst (bvt_lookup ?? ppc (\snd x) 〈0,short_jump〉) in
           bitvector_of_nat 16 pc),
          (λppc.let 〈pc,jl〉 ≝ bvt_lookup ?? ppc (\snd x) 〈0,short_jump〉 in
+         (λppc.let jl ≝ \snd (bvt_lookup ?? ppc (\snd x) 〈0,short_jump〉) in
           jmpeqb jl long_jump)〉,?»
   ] (refl ? f).
 …
         >(lookup_opt_lookup_hit … SHl 〈0,short_jump〉) normalize nodelta
         >(lookup_opt_lookup_hit … Hl 〈0,short_jump〉) normalize nodelta
+        >add_bitvector_of_nat_plus >Hcompact whd in match instruction_size;
+        normalize nodelta whd in match assembly_1_pseudoinstruction;
+        normalize nodelta whd in match expand_pseudo_instruction;
+        normalize nodelta whd in match fetch_pseudo_instruction;
+        normalize nodelta
+        lapply (refl ? (nth_safe … (nat_of_bitvector ? ppc) (\snd program) ppc_ok))
+        cases (nth_safe … (nat_of_bitvector ? ppc) (\snd program) ppc_ok) in ⊢ (???% → %);
+        #label #instr normalize nodelta #Hli <(nth_safe_nth ? (\snd program) (nat_of_bitvector 16 ppc) ppc_ok 〈None ?, Comment []〉)
+        >Hli normalize nodelta cases instr
+        [2,3,6: #x [3: #y] normalize nodelta %
+        |4,5: #x normalize nodelta
+          >(lookup_opt_lookup_hit … SHl 〈0,short_jump〉) normalize nodelta
+          whd in match create_label_map; normalize nodelta
+          >(lookup_opt_lookup_hit … Hl 〈0,short_jump〉) normalize nodelta
+          cases (bvt_lookup … (bitvector_of_nat ?
+           (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+          #lpc #ljl normalize nodelta @refl
+        |1: #pi cases pi
+          [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+            [1,2,3,6,7,24,25: #x #y
+            |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x]
+            normalize nodelta %
+          |9,10,11,12,13,14,15,16,17: [3,4,5,8,9: #y #x |1,2,6,7: #x] normalize nodelta
+            whd in match expand_relative_jump; normalize nodelta
+            whd in match expand_relative_jump_internal; normalize nodelta
+            >(lookup_opt_lookup_hit … SHl 〈0,short_jump〉) normalize nodelta
+            whd in match create_label_map; normalize nodelta
+            >(lookup_opt_lookup_hit … Hl 〈0,short_jump〉) normalize nodelta
+            cases (bvt_lookup … (bitvector_of_nat ?
+             (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+            #lpc #ljl normalize nodelta %
+          ]
+        ]
+      ]
+    ]
+        >add_bitvector_of_nat_plus >Hcompact @eq_f @eq_f @eq_f
+        whd in match (fetch_pseudo_instruction ???); >nth_safe_nth
+        [ cases (nth ? labelled_instruction ??) |2: skip] normalize nodelta // ]]
   | (* Basic proof scheme:
        - ppc < |snd program|, hence our instruction is in the program
 …
         cases (lookup_opt … (bitvector_of_nat ? (S (nat_of_bitvector ? ppc))) fpol) in ⊢ (???% → %);
         [ normalize nodelta #_ #abs cases abs
+        | #x cases x -x #Spc #Sjl #SEQ normalize nodelta whd in match instruction_size;
+          normalize nodelta whd in match assembly_1_pseudoinstruction;
+          normalize nodelta whd in match expand_pseudo_instruction;
+          normalize nodelta whd in match fetch_pseudo_instruction;
+          normalize nodelta
+          lapply (refl ? (nth_safe … (nat_of_bitvector ? ppc) (\snd program) ppc_ok))
+          cases (nth_safe … (nat_of_bitvector ? ppc) (\snd program) ppc_ok) in ⊢ (???% → %);
+          #label #instr normalize nodelta #Hli <(nth_safe_nth ? (\snd program) (nat_of_bitvector 16 ppc) ppc_ok 〈None ?, Comment []〉)
+          >Hli normalize nodelta cases instr
+          [2,3,6: #x [3: #y] normalize nodelta #H >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+            normalize nodelta >nat_of_bitvector_bitvector_of_nat_inverse
+            [1,3,5: <H
+              lapply (pc_increases (S (nat_of_bitvector 16 ppc)) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» ppc_ok (le_n ?))
+              >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) #X @X
+            |2,4,6: lapply (pc_increases (nat_of_bitvector 16 ppc) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» (le_S_to_le … ppc_ok) (le_n ?))
+        | #x cases x -x #Spc #Sjl #SEQ normalize nodelta
+          #H >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+          >nat_of_bitvector_bitvector_of_nat_inverse
+          [2: lapply (pc_increases (nat_of_bitvector 16 ppc) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» (le_S_to_le … ppc_ok) (le_n ?))
               >bitvector_of_nat_inverse_nat_of_bitvector >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+              #H @(le_to_lt_to_lt … Hfpc) >(proj2 ?? (proj1 ?? (proj1 ?? Hfpol))) @H
+            ]
+          |4,5: #x normalize nodelta >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+            normalize nodelta >nat_of_bitvector_bitvector_of_nat_inverse
+            [1,3: <add_bitvector_of_nat_Sm in SEQ;
+              >bitvector_of_nat_inverse_nat_of_bitvector >add_commutative #SEQ
+              >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) normalize nodelta
+              cases (bvt_lookup ?? (bitvector_of_nat ? (lookup_def ?? (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+              #lpc #ljl normalize nodelta #H <H
+              lapply (pc_increases (S (nat_of_bitvector 16 ppc)) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» ppc_ok (le_n ?))
+              <add_bitvector_of_nat_Sm >bitvector_of_nat_inverse_nat_of_bitvector
+              >add_commutative >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) #H2 @H2
+            |2,4: lapply (pc_increases (nat_of_bitvector 16 ppc) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» (le_S_to_le … ppc_ok) (le_n ?))
+              >bitvector_of_nat_inverse_nat_of_bitvector >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+              #H @(le_to_lt_to_lt … Hfpc) >(proj2 ?? (proj1 ?? (proj1 ?? Hfpol))) @H
+            ]
+          |1: #pi cases pi
+            [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+              [1,2,3,6,7,24,25: #x #y
+              |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x]
+              normalize nodelta #H >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+              normalize nodelta >nat_of_bitvector_bitvector_of_nat_inverse
+              [1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55:
+                <H lapply (pc_increases (S (nat_of_bitvector 16 ppc)) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» ppc_ok (le_n ?))
+                >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) #X @X
+              |2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56:
+                lapply (pc_increases (nat_of_bitvector 16 ppc) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» (le_S_to_le … ppc_ok) (le_n ?))
+                >bitvector_of_nat_inverse_nat_of_bitvector >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+                #H @(le_to_lt_to_lt … Hfpc) >(proj2 ?? (proj1 ?? (proj1 ?? Hfpol))) @H
+              ]
+            |9,10,11,12,13,14,15,16,17: [3,4,5,8,9: #y #x |1,2,6,7: #x]
+              normalize nodelta >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+              normalize nodelta >nat_of_bitvector_bitvector_of_nat_inverse
+              [1,3,5,7,9,11,13,15,17: <add_bitvector_of_nat_Sm in SEQ;
+                >bitvector_of_nat_inverse_nat_of_bitvector >add_commutative #SEQ
+                whd in match expand_relative_jump; normalize nodelta
+                whd in match expand_relative_jump_internal; normalize nodelta
+                >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) normalize nodelta
+                cases (bvt_lookup ?? (bitvector_of_nat ? (lookup_def ?? (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+                #lpc #ljl normalize nodelta #H <H
+                lapply (pc_increases (S (nat_of_bitvector 16 ppc)) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» ppc_ok (le_n ?))
+                <add_bitvector_of_nat_Sm >bitvector_of_nat_inverse_nat_of_bitvector
+                >add_commutative >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) #H2 @H2
+              |2,4,6,8,10,12,14,16,18:
+                lapply (pc_increases (nat_of_bitvector 16 ppc) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» (le_S_to_le … ppc_ok) (le_n ?))
+                >bitvector_of_nat_inverse_nat_of_bitvector >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+                #H @(le_to_lt_to_lt … Hfpc) >(proj2 ?? (proj1 ?? (proj1 ?? Hfpol))) @H
+              ]
+            ]
+          ]
+        ]
+      ]
+              #H @(le_to_lt_to_lt … Hfpc) >(proj2 ?? (proj1 ?? (proj1 ?? Hfpol))) @H ]
+          lapply (pc_increases (S (nat_of_bitvector 16 ppc)) (|\snd program|) (\snd program) «〈fpc,fpol〉,Hfpol» ppc_ok (le_n ?))
+          >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) >H -H #H @(transitive_le … H)
+          cut (∀x,y. x=y → x ≤ y) [ #x #y * %] #eq_to_leq @eq_to_leq @eq_f @eq_f
+          whd in match (fetch_pseudo_instruction ???); >nth_safe_nth
+          [ cases (nth ? labelled_instruction ??) |2: skip] normalize nodelta // ]]
     | (* the program is of length 2^16 and ppc is followed by only zero-size instructions
        * until the end of the program *)
 …
               >(nth_safe_nth … 〈None ?, Comment []〉)
               cases (nth (nat_of_bitvector ? ppc) ? (\snd program) 〈None ?, Comment []〉)
+              #lbl #ins normalize nodelta
+              whd in match instruction_size;
+              whd in match assembly_1_pseudoinstruction;
+              whd in match expand_pseudo_instruction; normalize nodelta
+              <add_bitvector_of_nat_Sm in SEQ; >bitvector_of_nat_inverse_nat_of_bitvector
+              >add_commutative #SEQ cases ins
+              [2,3,6: #x [3: #y] normalize nodelta #H @H
+              |4,5: #x normalize nodelta
+                >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+                >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉)
+                cases (lookup … (bitvector_of_nat ? (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+                #lpc #ljl normalize nodelta #H @H
+              |1: #pi cases pi
+                [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+                  [1,2,3,6,7,24,25: #x #y
+                  |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x]
+                  normalize nodelta #H @H
+                |9,10,11,12,13,14,15,16,17: [3,4,5,8,9: #y #x |1,2,6,7: #x] normalize nodelta
+                  whd in match expand_relative_jump;
+                  whd in match expand_relative_jump_internal; normalize nodelta
+                  >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+                  >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉)
+                  cases (lookup … (bitvector_of_nat ? (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+                  #lpc #ljl normalize nodelta #H @H
+                ]
+              ]
+              #lbl #ins normalize nodelta #X @X
             | <(proj2 ?? (proj1 ?? (proj1 ?? Hfpol))) >Hfpc
               >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉) #Hspc %2 @conj
 …
                     normalize nodelta >(nth_safe_nth … 〈None ?, Comment []〉)
                     cases (nth (nat_of_bitvector ? ppc') ? (\snd program) 〈None ?, Comment []〉) in H;
+                    #lbl #ins normalize nodelta
+                    whd in match instruction_size;
+                    whd in match assembly_1_pseudoinstruction;
+                    whd in match expand_pseudo_instruction; normalize nodelta
+                    <add_bitvector_of_nat_Sm in SXEQ; >bitvector_of_nat_inverse_nat_of_bitvector
+                    >add_commutative #SXEQ cases ins
+                    [2,3,6: #x [3: #y] normalize nodelta #H @(sym_eq ??? H)
+                    |4,5: #x normalize nodelta
+                      >(lookup_opt_lookup_hit … XEQ 〈0,short_jump〉)
+                      >(lookup_opt_lookup_hit … SXEQ 〈0,short_jump〉)
+                      cases (lookup … (bitvector_of_nat ? (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+                      #lpc #ljl normalize nodelta #H @(sym_eq ??? H)
+                    |1: #pi cases pi
+                      [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+                        [1,2,3,6,7,24,25: #x #y
+                        |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x] normalize nodelta
+                          #H @(sym_eq ??? H)
+                      |9,10,11,12,13,14,15,16,17: [3,4,5,8,9: #y #x |1,2,6,7: #x] normalize nodelta
+                        whd in match expand_relative_jump;
+                        whd in match expand_relative_jump_internal; normalize nodelta
+                        >(lookup_opt_lookup_hit … XEQ 〈0,short_jump〉)
+                        >(lookup_opt_lookup_hit … SXEQ 〈0,short_jump〉)
+                        cases (lookup … (bitvector_of_nat ? (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+                        #lpc #ljl normalize nodelta #H @(sym_eq ??? H)
+                      ]
+                    ]
+                    #lbl #ins normalize nodelta #X @sym_eq @X
+                  ]
+                ]
 …
                   cases (lookup … (bitvector_of_nat ? (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
                   #lpc #ljl normalize nodelta #H @H
+                |1: #pi cases pi
+                  [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+                    [1,2,3,6,7,24,25: #x #y
+                    |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x] normalize nodelta
+                    #H @H
+                  |9,10,11,12,13,14,15,16,17: [3,4,5,8,9: #y #x |1,2,6,7: #x] normalize nodelta
+                    whd in match expand_relative_jump;
+                    whd in match expand_relative_jump_internal; normalize nodelta
+                    >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+                    >(lookup_opt_lookup_hit … SEQ 〈0,short_jump〉)
+                    cases (lookup … (bitvector_of_nat ? (lookup_def … (\fst (create_label_cost_map (\snd program))) x 0)) fpol 〈0,short_jump〉)
+                    #lpc #ljl normalize nodelta #H @H
+                  ]
+                |1: #pi normalize nodelta #X @X
+                ]
+              ]

src/ASM/PolicyFront.ma

-                      r2222
+                      r2225
   λx:preinstruction Identifier.
   match x with
   [ JC _ ⇒ True
   | JNC _ ⇒ True
   | JZ _ ⇒ True
   | JNZ _ ⇒ True
   | JB _ _ ⇒ True
   | JNB _ _ ⇒ True
   | JBC _ _ ⇒ True
   | CJNE _ _ ⇒ True
   | DJNZ _ _ ⇒ True
   | _ ⇒ False
+  [ JC _ ⇒ true
+  | JNC _ ⇒ true
+  | JZ _ ⇒ true
+  | JNZ _ ⇒ true
+  | JB _ _ ⇒ true
+  | JNB _ _ ⇒ true
+  | JBC _ _ ⇒ true
+  | CJNE _ _ ⇒ true
+  | DJNZ _ _ ⇒ true
+  | _ ⇒ false
   ].
 …
   match instr with
   [ Instruction i ⇒ is_jump' i
   | _             ⇒ False
+  | _             ⇒ false
   ].
 …
   match instr with
   [ Instruction i   ⇒ is_jump' i
   | Call _ ⇒ True
   | Jmp _ ⇒ True
   | _ ⇒ False
+  | Call _ ⇒ true
+  | Jmp _ ⇒ true
+  | _ ⇒ false
   ].
 …
   λinstr:pseudo_instruction.
   match instr with
   [ Call _ ⇒ True
   | _ ⇒ False
+  [ Call _ ⇒ true
+  | _ ⇒ false
   ].
 …
    match j with
    [ short_jump ⇒ \fst (short_jump_cond pc_plus_jmp_length addr) = true ∧
       ¬is_call instr
+       bool_to_Prop (¬is_call instr)
    | absolute_jump ⇒  \fst (absolute_jump_cond pc_plus_jmp_length addr) = true ∧
        \fst (short_jump_cond pc_plus_jmp_length addr) = false ∧
        ¬is_relative_jump instr
+       bool_to_Prop (¬is_relative_jump instr)
    | long_jump   ⇒ \fst (short_jump_cond pc_plus_jmp_length addr) = false ∧
        \fst (absolute_jump_cond pc_plus_jmp_length addr) = false
 …
   then short_jump
   else select_call_length labels old_sigma inc_sigma added ppc lbl.
+definition destination_of: preinstruction Identifier → option Identifier ≝
+  λi.
+  match i with
+  [ JC j     ⇒ Some ? j
+  | JNC j    ⇒ Some ? j
+  | JZ j     ⇒ Some ? j
+  | JNZ j    ⇒ Some ? j
+  | JB _ j   ⇒ Some ? j
+  | JBC _ j  ⇒ Some ? j
+  | JNB _ j  ⇒ Some ? j
+  | CJNE _ j ⇒ Some ? j
+  | DJNZ _ j ⇒ Some ? j
+  | _        ⇒ None ?
+  ].
 definition jump_expansion_step_instruction: label_map → ppc_pc_map → ppc_pc_map →
   ℕ → ℕ → preinstruction Identifier → option jump_length ≝
   λlabels.λold_sigma.λinc_sigma.λadded.λppc.λi.
+  match i with
+  [ JC j     ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | JNC j    ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | JZ j     ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | JNZ j    ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | JB _ j   ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | JBC _ j  ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | JNB _ j  ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | CJNE _ j ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | DJNZ _ j ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | _        ⇒ None ?
+  ].
+lemma dec_is_jump: ∀x.Sum (is_jump x) (¬is_jump x).
+#i cases i
+[#id cases id
+ [1,2,3,6,7,33,34:
+  #x #y %2 whd in match (is_jump ?); /2 by nmk/
+ |4,5,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32:
+  #x %2 whd in match (is_jump ?); /2 by nmk/
+ |35,36,37: %2 whd in match (is_jump ?); /2 by nmk/
+ |9,10,14,15: #x %1 / by I/
+ |11,12,13,16,17: #x #y %1 / by I/
+ ]
+|2,3: #x %2 /2 by nmk/
+|4,5: #x %1 / by I/
+|6: #x #y %2 /2 by nmk/
+]
+qed.
+  match destination_of i with
+  [ Some j     ⇒ Some ? (select_reljump_length labels old_sigma inc_sigma added ppc j)
+  | None       ⇒ None ?
+  ].
 (* The first step of the jump expansion: everything to short. *)
 …
  #a #b #i cases i
  [1: #pi cases pi
+   [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+     try (#x #y #H #_) try (#x #H #_) try (#H #_) cases H
+   |9,10,11,12,13,14,15,16,17: #x [3,4,5,8,9: #y] #_ try (#_ %)
+     try (#abs normalize in abs; destruct (abs) @I)
+     cases a; cases b; try (#_ %) try (#abs normalize in abs; destruct(abs) @I)
+     try (@(subaddressing_mode_elim … x) #w #abs normalize in abs; destruct (abs) @I)
+     cases x * #a1 #a2 @(subaddressing_mode_elim … a2) #w
+     try ( #abs normalize in abs; destruct (abs) @I)
+     @(subaddressing_mode_elim … a1) #w2 #abs normalize in abs; destruct (abs)
+   ]
+   try (#x #y #H #EQ) try (#x #H #EQ) try (#H #EQ) cases H
+   cases a in EQ; cases b #EQ try %
+   try (normalize in EQ; destruct(EQ) @False)
+   try (lapply EQ @(subaddressing_mode_elim … x) #w #EQ normalize in EQ; destruct(EQ) @False)
+   lapply EQ -EQ cases x * #a1 #a2 @(subaddressing_mode_elim … a2) #w
+   try (#EQ normalize in EQ; destruct(EQ) @False)
+   @(subaddressing_mode_elim … a1) #w
+   #EQ normalize in EQ; destruct(EQ)
   |2,3,6: #x [3: #y] #H cases H
+  |4,5: #id #_ cases a cases b
+    [2,3,4,6,11,12,13,15: normalize #H destruct (H)
+    |1,5,7,8,9,10,14,16,17,18: #H / by refl/
+    ]
+  ]
+  |4,5: #id #_ cases a cases b #H try % normalize in H; destruct(H)
+ ]
 qed.
 …
  |4,5: #id #_ cases a cases b / by le_n/
  |1: #pi cases pi
+   [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+     try (#x #y #H) try (#x #H) try (#H) cases H
+   |9,10,11,12,13,14,15,16,17: #x [3,4,5,8,9: #y]
+     #_ cases a cases b
+     [1,4,5,6,7,8,9: / by le_n/
+     |10,13,14,15,16,17,18: / by le_n/
+     |19,22,23,24,25,26,27: / by le_n/
+     |28,31,32,33,34,35,36: / by le_n/
+     |37,40,41,42,43,44,45: / by le_n/
+     |46,47,48,49,50,51,52,53,54: / by le_n/
+     |55,56,57,58,59,60,61,62,63: / by le_n/
+     |64,65,66,67,68,69,70,71,72: / by le_n/
+     |73,74,75,76,77,78,79,80,81: / by le_n/
+     ]
+     try (@(subaddressing_mode_elim … x) #w normalize @le_S @le_S @le_S @le_S @le_S @le_n)
+     cases x * #ad
+     try (@(subaddressing_mode_elim … ad) #w #z normalize @le_S @le_S @le_S @le_S @le_S @le_n)
+     #z @(subaddressing_mode_elim … z) #w normalize / by /
+   ]
+    try (#x #y #H) try (#x #H) try (#H) cases H
+    -H cases a cases b @leb_true_to_le try %
+    try (@(subaddressing_mode_elim … x) #w % @False)
+    cases x * #a1 #a2 @(subaddressing_mode_elim … a2) #w try %
+    @(subaddressing_mode_elim … a1) #w %
+ ]
 qed.
 …
               cases (vsplit bool 9 7 result) #upper #lower normalize nodelta
               cases (get_index' bool 2 0 flags) normalize nodelta
               [3,4: #H @⊥ @(absurd ?? (proj2 ?? H)) / by I/
+              [3,4: #H cases (proj2 ?? H)
               |1,2: cases (eq_bv 9 upper ?)
                 [2,4: #H lapply (proj1 ?? H) #H3 destruct (H3)
 …
+              ]
+            ]
+          |1: #pi cases pi
+            [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+              [1,2,3,6,7,24,25: #x #y
+              |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x]
+              normalize nodelta #H #Heq @refl
+            |9,10,11,12,13,14,15,16,17: [1,2,6,7: #x |3,4,5,8,9: #y #x]
+              normalize nodelta >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉)
+              #Hj #Heq lapply (Hj x (refl ? x)) -Hj
+          |1: cut (∀A,B,ab.fst A B ab = (let 〈a,b〉 ≝ ab in a))
+              [#A #B * / by refl/] #fst_foo
+              cut (∀x.
+                    instruction_has_label x (\snd  (nth i labelled_instruction program 〈None (identifier ASMTag),Comment []〉)) →
+               lookup_def ?? (create_label_map program) x 0 ≤ (|program|))
+              [#x #Heq cases (create_label_map program) #clm #Hclm
+               @le_S_to_le @(proj2 ?? (Hclm x ?))
+               @(proj2 ?? Hprogram x (bitvector_of_nat ? i) ? (\snd (nth i ? program 〈None ?, Comment []〉)) ??)
+               [ >nat_of_bitvector_bitvector_of_nat_inverse
+                 [2: @(transitive_lt … (proj1 ?? Hprogram)) @le_S] @Hi
+               | whd in match fetch_pseudo_instruction; normalize nodelta
+                 >nth_safe_nth
+                 [ >nat_of_bitvector_bitvector_of_nat_inverse
+                   [ @pair_elim // ]
+                   @(transitive_lt … (proj1 ?? Hprogram)) @le_S @Hi ]
+                 | assumption ]] #lookup_in_program
+              -H #pi cases pi
+              try (#y #x #H #Heq) try (#x #H #Heq) try (#H #Heq) try %
+              normalize nodelta >(lookup_opt_lookup_hit … EQ 〈0,short_jump〉) in H;
+              #Hj lapply (Hj x (refl ? x)) -Hj
               whd in match expand_relative_jump; normalize nodelta
               whd in match expand_relative_jump_internal; normalize nodelta
 …
               <(plus_n_Sm i 0) <plus_n_O <plus_n_O cases x2 normalize nodelta
               [1,4,7,10,13,16,19,22,25:
+                cut (∀A,B,ab.fst A B ab = (let 〈a,b〉 ≝ ab in a))
+                [1,3,5,7,9,11,13,15,17: #A #B * / by refl/ ]
+                #fst_foo >fst_foo @pair_elim #sj_possible #disp #H #H2
+                >fst_foo @pair_elim #sj_possible #disp #H #H2
                 @(pair_replace ?????????? (eq_to_jmeq … H))
+                [1,3,5,7,9,11,13,15,17:
+                  cut (lookup_def ?? (create_label_map program) x 0 ≤ (|program|))
+                  [1,3,5,7,9,11,13,15,17: cases (create_label_map program) #clm #Hclm
+                    @le_S_to_le @(proj2 ?? (Hclm x ?))
+                    @(proj2 ?? Hprogram x (bitvector_of_nat ? i) ? (\snd (nth i ? program 〈None ?, Comment []〉)) ??)
+                    [1,4,7,10,13,16,19,22,25: >nat_of_bitvector_bitvector_of_nat_inverse
+                      [2,4,6,8,10,12,14,16,18: @(transitive_lt … (proj1 ?? Hprogram)) @le_S] @Hi
+                    |2,5,8,11,14,17,20,23,26: whd in match fetch_pseudo_instruction; normalize nodelta
+                      >nth_safe_nth
+                      [1,3,5,7,9,11,13,15,17: >nat_of_bitvector_bitvector_of_nat_inverse
+                        [1,3,5,7,9,11,13,15,17: >Heq %]
+                        @(transitive_lt … (proj1 ?? Hprogram)) @le_S @Hi
+                      ]
+                    ]
+                    >Heq / by /
+                  ]
+                  #X >(le_to_leb_true … X) @refl
+                ]
+                [1,3,5,7,9,11,13,15,17: >(le_to_leb_true … (lookup_in_program …))
+                  try % >Heq % ]
                 >(proj1 ?? H2) try (@refl) normalize nodelta
                 [1,2,3,5: @(subaddressing_mode_elim … y) #w %
 …
                   @(subaddressing_mode_elim … sth2) #x [3,4: #x2] %
+                ]
               |2,5,8,11,14,17,20,23,26: ** #_ #_ #abs cases abs #abs2 @⊥ @abs2 / by I/
+              |2,5,8,11,14,17,20,23,26: ** #_ #_ #abs cases abs
+              ]
+              cut (∀A,B,ab.fst A B ab = (let 〈a,b〉 ≝ ab in a))
+              [1,3,5,7,9,11,13,15,17: #A #B * / by refl/ ]
+              #fst_foo * #H #_ >fst_foo in H; @pair_elim #sj_possible #disp #H
+              * #H #_ >fst_foo in H; @pair_elim #sj_possible #disp #H
               @(pair_replace ?????????? (eq_to_jmeq … H))
+                [1,3,5,7,9,11,13,15,17:
+                  cut (lookup_def ?? (create_label_map program) x 0 ≤ (|program|))
+                  [1,3,5,7,9,11,13,15,17: cases (create_label_map program) #clm #Hclm
+                    @le_S_to_le @(proj2 ?? (Hclm x ?))
+                    @(proj2 ?? Hprogram x (bitvector_of_nat ? i) ? (\snd (nth i ? program 〈None ?, Comment []〉)) ??)
+                    [1,4,7,10,13,16,19,22,25: >nat_of_bitvector_bitvector_of_nat_inverse
+                      [2,4,6,8,10,12,14,16,18: @(transitive_lt … (proj1 ?? Hprogram)) @le_S] @Hi
+                    |2,5,8,11,14,17,20,23,26: whd in match fetch_pseudo_instruction; normalize nodelta
+                      >nth_safe_nth
+                      [1,3,5,7,9,11,13,15,17: >nat_of_bitvector_bitvector_of_nat_inverse
+                        [1,3,5,7,9,11,13,15,17: >Heq %]
+                        @(transitive_lt … (proj1 ?? Hprogram)) @le_S @Hi
+                      ]
+                    ]
+                    >Heq / by /
+                  ]
+                  #X >(le_to_leb_true … X) @refl
+                ]
+                [1,3,5,7,9,11,13,15,17: >(le_to_leb_true … (lookup_in_program …))
+                  try % >Heq % ]
                 #H2 >H2 try (@refl) normalize nodelta
                 [1,2,3,5: @(subaddressing_mode_elim … y) #w %
 …
                   [1,2: %] whd in match (map ????); whd in match (flatten ??);
                   whd in match (map ????) in ⊢ (???%); whd in match (flatten ??) in ⊢ (???%);
+                  >length_append >length_append @eq_f2 %
+                ]
+              ]
+            ]
+          ]
+        ]
+      ]
+                  >length_append >length_append %]]]]]
 qed.
 …
  #i cases i
  [2,3,6: #x [3: #y] #Hj #j1 #j2 %
+ |4,5: #x #Hi cases Hi #abs @⊥ @abs @I
+ |1: #pi cases pi
+   [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+     [1,2,3,6,7,24,25: #x #y
+     |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x]
+     #Hj #j1 #j2 %
+   |9,10,11,12,13,14,15,16,17: [1,2,6,7: #x |3,4,5,8,9: #y #x]
+     #Hi cases Hi #abs @⊥ @abs @I
+   ]
+ ]
+qed.
+ |4,5: #x #Hi cases Hi
+ |1: #pi cases pi try (#x #y #Hj #j1 #j2) try (#y #Hj #j1 #j2) try (#Hj #j1 #j2)
+     try % cases Hj ]
+qed.

src/ASM/PolicyStep.ma

-                      r2220
+                      r2225
 include alias "basics/logic.ma".
+lemma not_is_jump_to_destination_of_Nome:
+ ∀pi. ¬is_jump (Instruction pi) → destination_of pi = None ….
+ * try (#x #y #H) try (#y #H) try #H cases H %
+qed.
 lemma jump_expansion_step1:
+ ∀program : Σl:list labelled_instruction.S (|l|)< 2 \sup 16 ∧is_well_labelled_p l.
+ ∀prefix,x,tl. pi1 … program=prefix@[x]@tl →
+ ∀prefix: list labelled_instruction. S (|prefix|) < 2^16 → |prefix| < 2^16 → (*redundant*)
  ∀labels: label_map.
  ∀old_sigma : ppc_pc_map.
 …
    = policy.
   not_jump_default (prefix@[〈label,instr〉]) policy.
  #program #prefix #x #tl #prf #labels #old_sigma #inc_added #inc_pc_sigma #label #instr #inc_pc
  #inc_sigma #old_length #Hpolicy #policy #new_length #isize #Heq1 #Heq2
+ #prefix #prefix_ok1 #prefix_ok #labels #old_sigma #inc_added #inc_pc_sigma #label #instr #inc_pc
+ #inc_sigma #old_length #Hpolicy #policy #new_length #isize #Heq1 #Heq2
  #i >append_length <commutative_plus #Hi normalize in Hi;
  cases (le_to_or_lt_eq … (le_S_S_to_le … Hi)) -Hi #Hi
 …
      [ >(nth_append_first ? i prefix ?? Hi)
        @(Hpolicy i Hi)
+     | @bitvector_of_nat_abs
+       [ @(transitive_lt ??? Hi) ]
+       [1,2: @(transitive_lt … (proj1 ?? (pi2 ?? program))) >prf >append_length @le_S_S
+         @le_plus_n_r
+       | @lt_to_not_eq @Hi
+       ]
+     | @bitvector_of_nat_abs try assumption
+       [ @(transitive_lt ??? Hi) assumption ]
+       @lt_to_not_eq @Hi
+     ]
+   | @bitvector_of_nat_abs
+     [ @(transitive_lt ??? Hi) @le_S_to_le ]
+     [1,2: @(transitive_lt … (proj1 ?? (pi2 ?? program))) @le_S_S >prf >append_length
+       <plus_n_Sm @le_S_S @le_plus_n_r
+     | @lt_to_not_eq @le_S @Hi
+     ]
+   | @bitvector_of_nat_abs try assumption
+     [ @(transitive_lt ??? Hi) assumption ]
+     @lt_to_not_eq @le_S @Hi
+   ]
  | <Heq2 >Hi >lookup_insert_miss
    [ >lookup_insert_hit cases instr in Heq1;
      [2,3,6: #x [3: #y] normalize nodelta #Heq1 <(proj1 ?? (pair_destruct ?????? Heq1)) #_ @refl
+     |4,5: #x normalize nodelta #Heq1 #H @⊥ cases H #H @H >nth_append_second
+       [1,3: <minus_n_n whd in match (nth ????); %
+       |2,4: @le_n
+       ]
+     |1: #pi >nth_append_second [2: @le_n] <minus_n_n whd in match (nth ????); cases pi
+       [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+         [1,2,3,6,7,24,25: #x #y
+         |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x] normalize nodelta #Heq1
+         <(proj1 ?? (pair_destruct ?????? Heq1)) #_ @refl
+       |9,10,11,12,13,14,15,16,17: #x [3,4,5,8,9: #y] normalize nodelta
+         #_ #H @⊥ cases H #H2 @H2 %
+       ]
+     ]
+   | @bitvector_of_nat_abs
+     [ @le_S_to_le ]
+     [1,2: @(transitive_lt … (proj1 ?? (pi2 ?? program))) >prf @le_S_S
+       >append_length <plus_n_Sm @le_S_S @le_plus_n_r
+     | @lt_to_not_eq @le_n
+     ]
+   ]
+ ]
+     |4,5: #x normalize nodelta #Heq1 >nth_append_second try %
+           <minus_n_n #abs cases abs
+     |1: #pi normalize nodelta >nth_append_second [2: @le_n] <minus_n_n whd in match (nth ????);
+         #H #non_jump whd in match (jump_expansion_step_instruction ??????) in H;
+         >not_is_jump_to_destination_of_Nome in H; normalize nodelta // ]
+   | @bitvector_of_nat_abs [3: // | @le_S_to_le ] assumption ]]
 qed.
+lemma jump_expansion_step2:
+ ∀prefix: list labelled_instruction. S (|prefix|) < 2^16 → |prefix| < 2^16 → (*redundant*)
+ ∀labels : label_map.
+ ∀old_sigma : ppc_pc_map.
+ ∀inc_pc : ℕ.
+ ∀inc_sigma : (BitVectorTrie (ℕ×jump_length) 16).
+ ∀Hpolicy1 :
+  \fst  (lookup … (bitvector_of_nat … O) inc_sigma 〈O,short_jump〉) = O.
+ ∀Hpolicy2:
+   inc_pc =\fst  (lookup … (bitvector_of_nat … (|prefix|)) inc_sigma 〈O,short_jump〉).
+ ∀policy : ppc_pc_map.
+ ∀new_length : jump_length.
+ ∀isize : ℕ.
+ ∀Heq2 :
+  〈inc_pc+isize,
+   insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+   〈inc_pc+isize,
+   \snd  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+               (\snd  old_sigma) 〈O,short_jump〉)〉
+   (insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+    〈inc_pc,new_length〉 inc_sigma)〉
+   = policy.
+ \fst  (lookup … (bitvector_of_nat … O) (\snd  policy) 〈O,short_jump〉) = O.
+ #prefix #prefix_ok1 #prefix_ok #labels #old_sigma #inc_pc
+ #inc_sigma #Hpolicy1 #Hpolicy2 #policy #new_length #isize #Heq2
+ <Heq2 >lookup_insert_miss
+ [ cases (decidable_eq_nat 0 (|prefix|))
+   [ #Heq <Heq >lookup_insert_hit >Hpolicy2 <Heq @Hpolicy1
+   | #Hneq >lookup_insert_miss
+     [ @Hpolicy1
+     | @bitvector_of_nat_abs try assumption @lt_O_S ]]
+ | @bitvector_of_nat_abs [ @lt_O_S | @prefix_ok1 | 3: @lt_to_not_eq @lt_O_S ] ]
+qed.
+(*
+lemma jump_expansion_step3:
+(*
+ program :
+  (Σl:list labelled_instruction.S (|l|)< 2 \sup 16 ∧is_well_labelled_p l)
+ labels :
+  (Σlm:label_map
+   .(∀l:identifier ASMTag
+     .occurs_exactly_once ASMTag pseudo_instruction l program
+      →bitvector_of_nat 16 (lookup_def ASMTag ℕ lm l O)
+       =address_of_word_labels_code_mem program l))*)
+ ∀old_sigma :
+   Σpolicy:ppc_pc_map
+   .True(*not_jump_default program policy
+    ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                 〈O,short_jump〉)
+     =O
+    ∧\fst  policy
+     =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|program|))
+                  (\snd  policy) 〈O,short_jump〉)
+    ∧sigma_compact_unsafe program labels policy
+    ∧\fst  policy≤ 2 \sup 16*).
+ ∀prefix : list (option Identifier×pseudo_instruction). (*
+ x : (option Identifier×pseudo_instruction)
+ tl : (list (option Identifier×pseudo_instruction))
+ prf : (program=prefix@[x]@tl)
+ acc :
+  (Σx0:ℕ×ppc_pc_map
+   .(let 〈added,policy〉 ≝x0 in
+     not_jump_default prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) (\snd  policy)
+                  〈O,short_jump〉)
+      =O
+     ∧\fst  policy
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  policy) 〈O,short_jump〉)
+     ∧jump_increase prefix old_sigma policy
+     ∧sigma_compact_unsafe prefix labels policy
+     ∧(sigma_jump_equal prefix old_sigma policy→added=O)
+     ∧(added=O→sigma_pc_equal prefix old_sigma policy)
+     ∧out_of_program_none prefix policy
+     ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                  (\snd  policy) 〈O,short_jump〉)
+      =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+                   (\snd  old_sigma) 〈O,short_jump〉)
+       +added
+     ∧sigma_safe prefix labels added old_sigma policy))
+ inc_added : ℕ
+ inc_pc_sigma : ppc_pc_map
+ p : (acc≃〈inc_added,inc_pc_sigma〉)*)
+ ∀label : option Identifier.
+ ∀instr : pseudo_instruction.(*
+ p1 : (x≃〈label,instr〉)
+ add_instr ≝
+  match instr
+   in pseudo_instruction
+   return λ_:pseudo_instruction.(option jump_length)
+   with
+  [Instruction (i:(preinstruction Identifier))⇒
+   jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+   (|prefix|) i
+  |Comment (_:String)⇒None jump_length
+  |Cost (_:costlabel)⇒None jump_length
+  |Jmp (j:Identifier)⇒
+   Some jump_length
+   (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+  |Call (c:Identifier)⇒
+   Some jump_length
+   (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+  |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+ inc_pc : ℕ
+ inc_sigma : (BitVectorTrie (ℕ×jump_length) 16)
+ Hips : (inc_pc_sigma=〈inc_pc,inc_sigma〉)
+ old_pc : ℕ
+ old_length : jump_length
+ Holdeq :
+  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) (\snd  old_sigma)
+   〈O,short_jump〉
+   =〈old_pc,old_length〉)
+ Hpolicy :
+  (not_jump_default prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 O) inc_sigma
+                〈O,short_jump〉)
+    =O
+   ∧inc_pc
+    =\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                 〈O,short_jump〉)
+   ∧jump_increase prefix old_sigma 〈inc_pc,inc_sigma〉
+   ∧sigma_compact_unsafe prefix labels 〈inc_pc,inc_sigma〉
+   ∧(sigma_jump_equal prefix old_sigma 〈inc_pc,inc_sigma〉→inc_added=O)
+   ∧(inc_added=O→sigma_pc_equal prefix old_sigma 〈inc_pc,inc_sigma〉)
+   ∧out_of_program_none prefix 〈inc_pc,inc_sigma〉
+   ∧\fst  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|)) inc_sigma
+                〈O,short_jump〉)
+    =old_pc+inc_added
+   ∧sigma_safe prefix labels inc_added old_sigma 〈inc_pc,inc_sigma〉)
+ added : ℕ*)
+ ∀policy : ppc_pc_map.
+ (*new_length : jump_length
+ isize : ℕ
+ Heq1 :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_:String)⇒None jump_length
+   |Cost (_:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_:[[dptr]])   (_0:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).(jump_length×ℕ)
+    with
+   [None⇒〈short_jump,instruction_size_jmplen short_jump instr〉
+   |Some (pl:jump_length)⇒
+    〈max_length old_length pl,
+    instruction_size_jmplen (max_length old_length pl) instr〉]
+   =〈new_length,isize〉)
+ prefix_ok1 : (S (|prefix|)< 2 \sup 16 )
+ prefix_ok : (|prefix|< 2 \sup 16 )
+ Heq2a :
+  (match
+   match instr
+    in pseudo_instruction
+    return λ_0:pseudo_instruction.(option jump_length)
+    with
+   [Instruction (i:(preinstruction Identifier))⇒
+    jump_expansion_step_instruction labels old_sigma inc_pc_sigma inc_added
+    (|prefix|) i
+   |Comment (_0:String)⇒None jump_length
+   |Cost (_0:costlabel)⇒None jump_length
+   |Jmp (j:Identifier)⇒
+    Some jump_length
+    (select_jump_length labels old_sigma inc_pc_sigma inc_added (|prefix|) j)
+   |Call (c:Identifier)⇒
+    Some jump_length
+    (select_call_length labels old_sigma inc_pc_sigma inc_added (|prefix|) c)
+   |Mov (_0:[[dptr]])   (_00:Identifier)⇒None jump_length]
+    in option
+    return λ_0:(option jump_length).ℕ
+    with
+   [None⇒inc_added
+   |Some (x0:jump_length)⇒
+    inc_added+(isize-instruction_size_jmplen old_length instr)]
+   =added)
+ Heq2b :
+  (〈inc_pc+isize,
+   insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+   〈inc_pc+isize,
+   \snd  (lookup (ℕ×jump_length) 16 (bitvector_of_nat 16 (S (|prefix|)))
+               (\snd  old_sigma) 〈O,short_jump〉)〉
+   (insert (ℕ×jump_length) 16 (bitvector_of_nat 16 (|prefix|))
+    〈inc_pc,new_length〉 inc_sigma)〉
+   =policy)*)
+ jump_increase (prefix@[〈label,instr〉]) old_sigma policy.
+ #old_sigma #prefix #label #instr #policy
+    #i >append_length >commutative_plus #Hi normalize in Hi;
+    cases (le_to_or_lt_eq … Hi) -Hi; #Hi
+    [ cases (le_to_or_lt_eq … (le_S_S_to_le … Hi)) -Hi #Hi
+      [ (* USE[pass]: jump_increase *)
+        lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))) i (le_S_to_le … Hi))
+        <(proj2 ?? (pair_destruct ?????? Heq2))
+        @pair_elim #opc #oj #EQ1 >lookup_insert_miss
+        [ >lookup_insert_miss
+          [ @pair_elim #pc #j #EQ2 #X @X
+          | @bitvector_of_nat_abs
+            [ @(transitive_lt ??? Hi) ]
+            [1,2: @(transitive_lt … (proj1 ?? (pi2 ?? program))) >prf >append_length
+              @le_S_S @le_plus_n_r
+            | @lt_to_not_eq @Hi
+            ]
+          ]
+        | @bitvector_of_nat_abs
+          [ @(transitive_lt ??? Hi) @le_S_to_le ]
+          [1,2: @(transitive_lt … (proj1 ?? (pi2 ?? program))) >prf
+            >append_length @le_S_S <plus_n_Sm @le_plus_n_r
+          | @lt_to_not_eq @le_S @Hi
+          ]
+        ]
+      | >Hi <(proj2 ?? (pair_destruct ?????? Heq2)) >Holdeq normalize nodelta
+        >lookup_insert_miss
+        [ >lookup_insert_hit cases (dec_is_jump instr)
+          [ cases instr in Heq1; normalize nodelta
+            [ #pi cases pi
+              [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+                [1,2,3,6,7,24,25: #x #y
+                |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x] #_ #Hj cases Hj
+              |9,10,11,12,13,14,15,16,17: #x [3,4,5,8,9: #y]
+                whd in match jump_expansion_step_instruction; normalize nodelta #Heq1
+                #_ <(proj1 ?? (pair_destruct ?????? Heq1))
+                @jmpleq_max_length
+              ]
+            |2,3,6: #x [3: #y] #_ #Hj cases Hj
+            |4,5: #x #Heq1 #_ <(proj1 ?? (pair_destruct ?????? Heq1)) @jmpleq_max_length
+            ]
+          | lapply Heq1 -Heq1; lapply (refl ? instr); cases instr in ⊢ (???% → %); normalize nodelta
+            [ #pi cases pi
+              [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+                [1,2,3,6,7,24,25: #x #y
+                |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x]
+                whd in match jump_expansion_step_instruction; normalize nodelta #Heqi #Heq1
+                #Hj <(proj1 ?? (pair_destruct ?????? Heq1))
+                (* USE: not_jump_default (from old_sigma) *)
+                lapply (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) (|prefix|) ??)
+                [1,4,7,10,13,16,19,22,25,28,31,34,37,40,43,46,49,52,55,58,61,64,67,70,73,76,79,82:
+                  >prf >nth_append_second
+                  [1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55:
+                    <minus_n_n whd in match (nth ????); >p1 >Heqi @Hj
+                  |2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56:
+                    @le_n
+                  ]
+                |2,5,8,11,14,17,20,23,26,29,32,35,38,41,44,47,50,53,56,59,62,65,68,71,74,77,80,83:
+                  >prf >append_length <plus_n_Sm @le_S_S @le_plus_n_r
+                |3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57,60,63,66,69,72,75,78,81,84:
+                  >Holdeq #EQ2 >EQ2 %2 @refl
+                ]
+              |9,10,11,12,13,14,15,16,17: #x [3,4,5,8,9: #y]
+                #_ #_ #abs @⊥ @(absurd ? I abs)
+              ]
+            |2,3,6: #x [3: #y] #Heqi #Heq1 #Hj <(proj1 ?? (pair_destruct ?????? Heq1))
+              (* USE: not_jump_default (from old_sigma) *)
+              lapply (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) (|prefix|) ??)
+              [1,4,7: >prf >nth_append_second
+                [1,3,5: <minus_n_n whd in match (nth ????); >p1 >Heqi @Hj
+                |2,4,6: @le_n
+                ]
+              |2,5,8: >prf >append_length <plus_n_Sm @le_S_S @le_plus_n_r
+              |3,6,9: >Holdeq #EQ2 >EQ2 %2 @refl
+              ]
+            |4,5: #x #_ #_ #abs @⊥ @(absurd ? I abs)
+            ]
+          ]
+        | @bitvector_of_nat_abs
+          [ @le_S_to_le ]
+          [1,2: @(transitive_lt … (proj1 ?? (pi2 … program))) @le_S_S >prf
+            >append_length <plus_n_Sm @le_S_S @le_plus_n_r
+          | @lt_to_not_eq @le_n
+          ]
+        ]
+      ]
+    | <(proj2 ?? (pair_destruct ?????? Heq2)) >Hi >lookup_insert_hit
+      normalize nodelta
+      cases (bvt_lookup … (bitvector_of_nat ? (S (|prefix|))) (\snd old_sigma) 〈0,short_jump〉)
+      #a #b normalize nodelta %2 @refl
+    ]
+  ]
+qed.*)
 (* One step in the search for a jump expansion fixpoint. *)
 …
   [ (* USE: policy_jump_equal → added = 0 (from fold) *)
     @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind))))) #i #Hi
     cases (dec_is_jump (\snd (nth i ? program 〈None ?, Comment []〉)))
+    inversion (is_jump (\snd (nth i ? program 〈None ?, Comment []〉)))
     [ #Hj
       (* USE: policy_increase (from fold) *)
       lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))) i (le_S_to_le … Hi))
       lapply (Habs i Hi Hj)
+      lapply (Habs i Hi ?) [ >Hj %]
       cases (bvt_lookup … (bitvector_of_nat ? i) (\snd old_sigma) 〈0,short_jump〉)
       #opc #oj
 …
     | #Hnj
       (* USE: not_jump_default (from fold and old_sigma) *)
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))))) i Hi Hnj)
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) i Hi Hnj)
+      @refl
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hind)))))))) i Hi ?)
+      [2: >Hnj %]
+      >(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) i Hi ?) try %
+      >Hnj %
+    ]
   | #abs >abs in Hsig; #Hsig
 …
   #added #policy normalize nodelta @pair_elim #new_length #isize normalize nodelta
   #Heq1 #Heq2
+  @conj [ @conj [ @conj [ @conj [ @conj [ @conj [ @conj [ @conj [ @conj
+ cut (S (|prefix|) < 2^16)
+ [ @(transitive_lt … (proj1 … (pi2 ?? program))) @le_S_S >prf >append_length
+   <plus_n_Sm @le_S_S @le_plus_n_r ] #prefix_ok1
+ cut (|prefix| < 2^16) [ @(transitive_lt … prefix_ok1) %] #prefix_ok
+ cases (pair_destruct ?????? Heq2) -Heq2 #Heq2a #Heq2b
+  % [ % [ % [ % [ % [ % [ % [ % [ % ]]]]]]]]
   (* NOTE: to save memory and speed up work, there's cases daemon here. They can be
    * commented out for full proofs, but this needs a lot of memory and time *)
   [ (* not_jump_default *)
+    cases (pair_destruct ?????? Heq2) -Heq2 #_ #Heq2
+    @(jump_expansion_step1 … prf … Heq1 Heq2)
+    @(jump_expansion_step1 … Heq1 Heq2b) try assumption
     @(proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
   | (* 0 ↦ 0 *)
+    <(proj2 ?? (pair_destruct ?????? Heq2)) >lookup_insert_miss
+    [ cases (decidable_eq_nat 0 (|prefix|))
+      [ #Heq <Heq >lookup_insert_hit
+        (* USE: inc_pc = fst policy *)
+        >(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy))))))))
+        <Heq
+        (* USE[pass]: 0 ↦ 0 *)
+        @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ??  (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
+      | #Hneq >lookup_insert_miss
+        [ (* USE[pass]: 0 ↦ 0 *) @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
+        | @bitvector_of_nat_abs
+          [3: @Hneq]
+        ]
+      ]
+    | @bitvector_of_nat_abs
+      [3: @lt_to_not_eq @lt_O_S ]
+    ]
+    [1,3: @lt_O_S
+    |2,4: @(transitive_lt … (proj1 ?? (pi2 ?? program))) >prf >append_length @le_S_S
+      [2: <plus_n_Sm @le_S_S]
+      @le_plus_n_r
+    ]
+  ]
+  | (* inc_pc = fst of policy *) <(proj2 ?? (pair_destruct ?????? Heq2))
+    >append_length >(commutative_plus (|prefix|)) >lookup_insert_hit @refl
+  ]
+  | (* jump_increase *) (* cases daemon *)
+    #i >append_length >commutative_plus #Hi normalize in Hi;
+    cases (le_to_or_lt_eq … Hi) -Hi; #Hi
+    [ cases (le_to_or_lt_eq … (le_S_S_to_le … Hi)) -Hi #Hi
+      [ (* USE[pass]: jump_increase *)
+        lapply (proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))) i (le_S_to_le … Hi))
+        <(proj2 ?? (pair_destruct ?????? Heq2))
+        @pair_elim #opc #oj #EQ1 >lookup_insert_miss
+        [ >lookup_insert_miss
+          [ @pair_elim #pc #j #EQ2 #X @X
+          | @bitvector_of_nat_abs
+            [ @(transitive_lt ??? Hi) ]
+            [1,2: @(transitive_lt … (proj1 ?? (pi2 ?? program))) >prf >append_length
+              @le_S_S @le_plus_n_r
+            | @lt_to_not_eq @Hi
+            ]
+          ]
+        | @bitvector_of_nat_abs
+          [ @(transitive_lt ??? Hi) @le_S_to_le ]
+          [1,2: @(transitive_lt … (proj1 ?? (pi2 ?? program))) >prf
+            >append_length @le_S_S <plus_n_Sm @le_plus_n_r
+          | @lt_to_not_eq @le_S @Hi
+          ]
+        ]
+      | >Hi <(proj2 ?? (pair_destruct ?????? Heq2)) >Holdeq normalize nodelta
+        >lookup_insert_miss
+        [ >lookup_insert_hit cases (dec_is_jump instr)
+          [ cases instr in Heq1; normalize nodelta
+            [ #pi cases pi
+              [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+                [1,2,3,6,7,24,25: #x #y
+                |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x] #_ #Hj cases Hj
+              |9,10,11,12,13,14,15,16,17: #x [3,4,5,8,9: #y]
+                whd in match jump_expansion_step_instruction; normalize nodelta #Heq1
+                #_ <(proj1 ?? (pair_destruct ?????? Heq1))
+                @jmpleq_max_length
+              ]
+            |2,3,6: #x [3: #y] #_ #Hj cases Hj
+            |4,5: #x #Heq1 #_ <(proj1 ?? (pair_destruct ?????? Heq1)) @jmpleq_max_length
+            ]
+          | lapply Heq1 -Heq1; lapply (refl ? instr); cases instr in ⊢ (???% → %); normalize nodelta
+            [ #pi cases pi
+              [1,2,3,4,5,6,7,8,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37:
+                [1,2,3,6,7,24,25: #x #y
+                |4,5,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23: #x]
+                whd in match jump_expansion_step_instruction; normalize nodelta #Heqi #Heq1
+                #Hj <(proj1 ?? (pair_destruct ?????? Heq1))
+                (* USE: not_jump_default (from old_sigma) *)
+                lapply (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) (|prefix|) ??)
+                [1,4,7,10,13,16,19,22,25,28,31,34,37,40,43,46,49,52,55,58,61,64,67,70,73,76,79,82:
+                  >prf >nth_append_second
+                  [1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55:
+                    <minus_n_n whd in match (nth ????); >p1 >Heqi @Hj
+                  |2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56:
+                    @le_n
+                  ]
+                |2,5,8,11,14,17,20,23,26,29,32,35,38,41,44,47,50,53,56,59,62,65,68,71,74,77,80,83:
+                  >prf >append_length <plus_n_Sm @le_S_S @le_plus_n_r
+                |3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57,60,63,66,69,72,75,78,81,84:
+                  >Holdeq #EQ2 >EQ2 %2 @refl
+                ]
+              |9,10,11,12,13,14,15,16,17: #x [3,4,5,8,9: #y]
+                #_ #_ #abs @⊥ @(absurd ? I abs)
+              ]
+            |2,3,6: #x [3: #y] #Heqi #Heq1 #Hj <(proj1 ?? (pair_destruct ?????? Heq1))
+              (* USE: not_jump_default (from old_sigma) *)
+              lapply (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))) (|prefix|) ??)
+              [1,4,7: >prf >nth_append_second
+                [1,3,5: <minus_n_n whd in match (nth ????); >p1 >Heqi @Hj
+                |2,4,6: @le_n
+                ]
+              |2,5,8: >prf >append_length <plus_n_Sm @le_S_S @le_plus_n_r
+              |3,6,9: >Holdeq #EQ2 >EQ2 %2 @refl
+              ]
+            |4,5: #x #_ #_ #abs @⊥ @(absurd ? I abs)
+            ]
+          ]
+        | @bitvector_of_nat_abs
+          [ @le_S_to_le ]
+          [1,2: @(transitive_lt … (proj1 ?? (pi2 … program))) @le_S_S >prf
+            >append_length <plus_n_Sm @le_S_S @le_plus_n_r
+          | @lt_to_not_eq @le_n
+          ]
+        ]
+      ]
+    | <(proj2 ?? (pair_destruct ?????? Heq2)) >Hi >lookup_insert_hit
+      normalize nodelta
+      cases (bvt_lookup … (bitvector_of_nat ? (S (|prefix|))) (\snd old_sigma) 〈0,short_jump〉)
+      #a #b normalize nodelta %2 @refl
+    ]
+  ]
+  | (* sigma_compact_unsafe *)
+    @(jump_expansion_step2 … Heq2b) try assumption
+    [ @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ??  (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))))
+    | @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? (proj1 ?? Hpolicy)))))))) ]
+  | (* inc_pc = fst of policy *)
+    <Heq2b >append_length >(commutative_plus (|prefix|)) >lookup_insert_hit @refl
+  | (* jump_increase *)
+    cases daemon (*XXX*)
+  | (* sigma_compact_unsafe *) cases daemon (*
     #i >append_length <commutative_plus #Hi normalize in Hi;
     <(proj2 ?? (pair_destruct ?????? Heq2))
 …
+      ]
+    ]
+  ]
   | (* policy_jump_equal → added = 0 *)
+  ] *)
+  | (* policy_jump_equal → added = 0 *) cases daemon (*
     <(proj2 ?? (pair_destruct ?????? Heq2))
     #Heq <(proj1 ?? (pair_destruct ?????? Heq2))
 …
+      ]
+    ]
+  ]
+  ] *)
   | (* added = 0 → policy_pc_equal *) cases daemon
     (* USE[pass]: added = 0 → policy_pc_equal *)
 …
+      ]
     ] *)
+  ]
   | (* out_of_program_none *) cases daemon
     (* #i #Hi2 >append_length <commutative_plus @conj
 …
+      ]
     ] *)
+  ]
   | (* lookup p = lookup old_sigma + added *) cases daemon
     (* <(proj2 ?? (pair_destruct ?????? Heq2)) >append_length <plus_n_Sm <plus_n_O
 …
+      ]
     ] *)
+  ]
   | (* sigma_safe *) cases daemon (*#i >append_length >commutative_plus #Hi normalize in Hi;
     elim (le_to_or_lt_eq … (le_S_S_to_le … Hi)) -Hi #Hi
 …
                     [1,4,7: *)
+  ]
 | normalize nodelta @conj [ @conj [ @conj [ @conj [ @conj [ @conj [ @conj [ @conj [ @conj
+  ]
+| normalize nodelta % [ % [ % [ % [ % [ % [ % [ % [ % ]]]]]]]]
   [ #i cases i
     [ #Hi @⊥ @(absurd … Hi) @not_le_Sn_O
     | -i #i #Hi #Hj @⊥ @(absurd … Hi) @not_le_Sn_O
+    ]
+  | >lookup_insert_hit @refl
   | >lookup_insert_hit @refl
+  ]
-  | >lookup_insert_hit @refl
+  ]
   | #i #Hi <(le_n_O_to_eq … Hi)
     >lookup_insert_hit cases (bvt_lookup … (bitvector_of_nat ? 0) (\snd old_sigma) 〈0,short_jump〉)
     #a #b normalize nodelta %2 @refl
+  ]
   | #i cases i
     [ #Hi @⊥ @(absurd … Hi) @not_le_Sn_O
     | -i #i #Hi @⊥ @(absurd … Hi) @not_le_Sn_O
+    ]
+  ]
   | #_ %
+  ]
   | #_ #i #Hi <(le_n_O_to_eq … Hi) >lookup_insert_hit
     (* USE: 0 ↦ 0 (from old_sigma) *)
     @(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma)))))
+  ]
   | #i cases i
     [ #Hi2 @conj
 …
+      ]
+    ]
+  ]
   | >lookup_insert_hit (* USE: 0 ↦ 0 (from old_sigma) *)
     >(proj2 ?? (proj1 ?? (proj1 ?? (proj1 ?? (pi2 ?? old_sigma))))) <plus_n_O %
+  ]
   | #i cases i
     [ #Hi @⊥ @(absurd … Hi) @not_le_Sn_O
 …
+]
 qed.

Note: See TracChangeset for help on using the changeset viewer.