Changeset 2234 for src/Clight/switchRemoval.ma

Timestamp:

Jul 23, 2012, 7:31:11 PM (9 years ago)

Author:

garnier

Message:

Progress on proving semantics preservation under memory injections.

File:

• src/Clight/switchRemoval.ma (modified) (7 diffs)

src/Clight/switchRemoval.ma

@@ -1 @@
- include "Clight/Csyntax.ma".
+include "Clight/Csyntax.ma".
 include "Clight/fresh.ma".
 include "basics/lists/list.ma".
@@ -1311 +1311 @@
      %{p2} @conj try @refl try assumption
 ] qed.
+
+(* A cleaner version of inversion for [value_eq] *)
+lemma value_eq_inversion :
+  ∀E,v1,v2. ∀P : val → val → Prop. value_eq E v1 v2 → 
+  (∀v. P Vundef v) →
+  (∀sz,i. P (Vint sz i) (Vint sz i)) →
+  (∀f. P (Vfloat f) (Vfloat f)) →
+  (P Vnull Vnull) →
+  (∀p1,p2. pointer_translation p1 E = Some ? p2 → P (Vptr p1) (Vptr p2)) →
+  P v1 v2.
+#E #v1 #v2 #P #Heq #H1 #H2 #H3 #H4 #H5
+inversion Heq
+[ 1: #v #Hv1 #Hv2 #_ destruct @H1
+| 2: #sz #i #Hv1 #Hv2 #_ destruct @H2
+| 3: #f #Hv1 #Hv2 #_ destruct @H3
+| 4: #Hv1 #Hv2 #_ destruct @H4
+| 5: #p1 #p2 #Hembed #Hv1 #Hv2 #_ destruct @H5 // ] qed.
  
 (* If we succeed to load something by value from a 〈b,off〉 location, 
@@ -1318 +1335 @@
     access_mode ty = By_value (typ_of_type ty) →
     load_value_of_type ty m b off = Some ? v →
-    Zltb (block_id b) (nextblock m) = true. (* → valid_block m b *)
-#ty #m * #brg #bid #off #v whd in match (valid_block ??);
+    Zltb (block_id b) (nextblock m) = true.
+#ty #m * #brg #bid #off #v
 cases ty
 [ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
@@ -1335 +1352 @@
 ] qed.
 
+(* If we succeed in loading some data from a location, then this loc is a valid pointer. *)
+lemma load_by_value_success_valid_ptr_aux :
+  ∀ty,m,b,off,v.
+    access_mode ty = By_value (typ_of_type ty) →
+    load_value_of_type ty m b off = Some ? v →
+    Zltb (block_id b) (nextblock m) = true ∧
+    Zleb (low_bound m b) (offv off) = true ∧
+    Zltb (offv off) (high_bound m b) = true.
+#ty #m * #brg #bid #off #v
+cases ty
+[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
+| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
+whd in match (load_value_of_type ????);
+[ 1,7,8: #_ #Habsurd destruct (Habsurd) ]
+#Hmode
+[ 1,2,3,6: [ 1: elim sz | 2: elim fsz ]
+     normalize in match (typesize ?); 
+     whd in match (loadn ???);
+     whd in match (beloadv ??);
+     cases (Zltb bid (nextblock m)) normalize nodelta
+     cases (Zleb (low (blocks m (mk_block brg bid))) (offv off))
+     cases (Zleb (low (blocks m (mk_block brg bid))) (offv off))
+     cases (Zltb (offv off) (high (blocks m (mk_block brg bid)))) normalize nodelta
+     #Heq destruct (Heq)
+     try /3 by conj, refl/
+| *: normalize in Hmode; destruct (Hmode)
+] qed.
+
 
 lemma valid_block_from_bool : ∀b,m. Zltb (block_id b) (nextblock m) = true → valid_block m b.
@@ -1351 +1396 @@
 #ty #m #b #off #v #Haccess_mode #Hload
 @valid_block_from_bool
-@(load_by_value_success_valid_block_aux ty m b off v Haccess_mode Hload)
-qed.
+elim (load_by_value_success_valid_ptr_aux ty m b off v Haccess_mode Hload) * //
+qed.
+
+lemma load_by_value_success_valid_pointer :
+  ∀ty,m,b,off,v.
+    access_mode ty = By_value (typ_of_type ty) → 
+    load_value_of_type ty m b off = Some ? v → 
+    valid_pointer m (mk_pointer b off).
+#ty #m #b #off #v #Haccess_mode #Hload normalize
+elim (load_by_value_success_valid_ptr_aux ty m b off v Haccess_mode Hload)
+* #H1 #H2 #H3 >H1 >H2 normalize nodelta
+>Zle_to_Zleb_true try //
+lapply (Zlt_to_Zle … (Zltb_true_to_Zlt … H3)) /2/
+qed.
+
 
 (* Making explicit the contents of memory_inj for load_value_of_type *)
@@ -2196 +2254 @@
 qed.
 
-(* A cleaner version of inversion for [value_eq] *)
-lemma value_eq_inversion :
-  ∀E,v1,v2. ∀P : val → val → Prop. value_eq E v1 v2 → 
-  (∀v. P Vundef v) →
-  (∀sz,i. P (Vint sz i) (Vint sz i)) →
-  (∀f. P (Vfloat f) (Vfloat f)) →
-  (P Vnull Vnull) →
-  (∀p1,p2. pointer_translation p1 E = Some ? p2 → P (Vptr p1) (Vptr p2)) →
-  P v1 v2.
-#E #v1 #v2 #P #Heq #H1 #H2 #H3 #H4 #H5
-inversion Heq
-[ 1: #v #Hv1 #Hv2 #_ destruct @H1
-| 2: #sz #i #Hv1 #Hv2 #_ destruct @H2
-| 3: #f #Hv1 #Hv2 #_ destruct @H3
-| 4: #Hv1 #Hv2 #_ destruct @H4
-| 5: #p1 #p2 #Hembed #Hv1 #Hv2 #_ destruct @H5 // ] qed.
 
 (* value_eq lifts to addition *)
 lemma add_value_eq :
-  ∀E,v1,v2,v1',v2',ty1,ty2,m1,m2.
+  ∀E,v1,v2,v1',v2',ty1,ty2.
    value_eq E v1 v2 →
    value_eq E v1' v2' →
-   memory_inj E m1 m2 → (* This injection seems useless TODO *)
+   (* memory_inj E m1 m2 →  This injection seems useless TODO *)
    ∀r1. (sem_add v1 ty1 v1' ty2=Some val r1→
            ∃r2:val.sem_add v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
-#E #v1 #v2 #v1' #v2' #ty1 #ty2 #m1 #m2 #Hvalue_eq1 #Hvalue_eq2 #Hinj #r1
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
@@ -2292 +2334 @@
      ]
 ] qed.
-          
-(* TODO all other 10 binary operations. Then wrap this in [binary_operation_value_eq] *)
-
-
+
+(* Offset subtraction is invariant by translation *)
+lemma sub_offset_translation :
+ ∀n,x,y,delta. sub_offset n x y = sub_offset n (offset_plus x delta) (offset_plus y delta).
+#n #x #y #delta
+whd in match (sub_offset ???) in ⊢ (??%%);
+elim x #x' elim y #y' elim delta #delta'
+normalize in match (offset_plus ??);
+normalize in match (offset_plus ??); 
+cut ((x' - y') = (x'+delta'-(y'+delta'))) 
+[ whd in match (Zminus ??) in ⊢ (??%%);
+  >(Zopp_Zplus y' delta') <associative_Zplus /2/ ]
+#Heq >Heq @refl
+qed.    
+
+(* value_eq lifts to addition *)
+lemma sub_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_sub v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_sub v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #n #ty #sz #sg | 4: #n #sz #sg #ty | 5: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta     
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 2,3,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7,8,9,10: #Habsurd destruct (Habsurd) ]
+     @intsize_eq_elim_elim
+      [ 1: #_ #Habsurd destruct (Habsurd)
+      | 2: #Heq destruct (Heq) normalize nodelta
+           #Heq destruct (Heq)
+          /3 by ex_intro, conj, vint_eq/           
+      ]
+| 3: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta     
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,2,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7,9,10: #Habsurd destruct (Habsurd) ]          
+     [ 1: @eq_bv_elim [ 1: normalize nodelta #Heq1 #Heq2 destruct /3 by ex_intro, conj, vnull_eq/
+                      | 2: #_ normalize nodelta #Habsurd destruct (Habsurd) ]
+     | 2: #Heq destruct (Heq) /3 by ex_intro, conj, vnull_eq/ ]
+| 5: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,2,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7,8,9: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     [ 1: %{(Vptr (neg_shift_pointer_n (bitsize_of_intsize sz') p2 (sizeof ty) i'))} @conj try @refl
+          @vptr_eq whd in match (pointer_translation ??) in Hembed ⊢ %;
+          elim p1 in Hembed; #b1 #o1 normalize nodelta
+          cases (E b1)
+          [ 1: normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd)
+          | 2: * #block #offset normalize nodelta #Heq destruct (Heq)
+               normalize >(sym_Zplus ? (offv offset)) <associative_Zplus >(sym_Zplus ? (offv offset))
+               @refl
+          ]
+     | 2: lapply Heq @eq_block_elim
+          [ 2: #_ normalize nodelta #Habsurd destruct (Habsurd)
+          | 1: #Hpblock1_eq normalize nodelta
+               elim p1 in Hpblock1_eq Hembed Hembed'; #b1 #off1
+               elim p1' #b1' #off1' whd in ⊢ (% → % → ?); #Hpblock1_eq destruct (Hpblock1_eq)
+               whd in ⊢ ((??%?) → (??%?) → ?);
+               cases (E b1') normalize nodelta
+               [ 1: #Habsurd destruct (Habsurd) ]
+               * #dest_block #dest_off normalize nodelta
+               #Heq_ptr1 #Heq_ptr2 destruct >eq_block_identity normalize nodelta
+               cases (eqb (sizeof tsg) O) normalize nodelta
+               [ 1: #Habsurd destruct (Habsurd)
+               | 2: >(sub_offset_translation 32 off1 off1' dest_off)
+                    cases (division_u 31
+                            (sub_offset 32 (offset_plus off1 dest_off) (offset_plus off1' dest_off))
+                            (repr (sizeof tsg)))
+                    [ 1: normalize nodelta #Habsurd destruct (Habsurd)
+                    | 2: #r1' normalize nodelta #Heq2 destruct (Heq2)
+                         /3 by ex_intro, conj, vint_eq/ ]
+    ] ] ]
+] qed.
+
+
+lemma mul_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_mul v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_mul v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @intsize_eq_elim_elim
+      [ 1: #_ #Habsurd destruct (Habsurd)
+      | 2: #Heq destruct (Heq) normalize nodelta
+           #Heq destruct (Heq)
+          /3 by ex_intro, conj, vint_eq/           
+      ]
+| 3: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta     
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]     
+     #Habsurd destruct (Habsurd)
+] qed.
+
+lemma div_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_div v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_div v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     elim sg normalize nodelta
+     @intsize_eq_elim_elim
+     [ 1,3: #_ #Habsurd destruct (Habsurd)
+     | 2,4: #Heq destruct (Heq) normalize nodelta
+            @(match (division_s (bitsize_of_intsize sz') i i') with
+              [ None ⇒ ?
+              | Some bv' ⇒ ? ])
+            [ 1: normalize  #Habsurd destruct (Habsurd)
+            | 2: normalize #Heq destruct (Heq)
+                 /3 by ex_intro, conj, vint_eq/
+            | 3,4: elim sz' in i' i; #i' #i
+                   normalize in match (pred_size_intsize ?);
+                   generalize in match division_u; #division_u normalize
+                   @(match (division_u ???) with
+                    [ None ⇒ ?
+                    | Some bv ⇒ ?]) normalize nodelta
+                   #H destruct (H)
+                  /3 by ex_intro, conj, vint_eq/ ]
+     ]
+| 3: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta     
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]     
+     #Habsurd destruct (Habsurd)
+] qed.
+
+lemma mod_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_mod v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_mod v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     elim sg normalize nodelta
+     @intsize_eq_elim_elim
+     [ 1,3: #_ #Habsurd destruct (Habsurd)
+     | 2,4: #Heq destruct (Heq) normalize nodelta
+            @(match (modulus_s (bitsize_of_intsize sz') i i') with
+              [ None ⇒ ?
+              | Some bv' ⇒ ? ])
+            [ 1: normalize  #Habsurd destruct (Habsurd)
+            | 2: normalize #Heq destruct (Heq)
+                 /3 by ex_intro, conj, vint_eq/
+            | 3,4: elim sz' in i' i; #i' #i
+                   generalize in match modulus_u; #modulus_u normalize
+                   @(match (modulus_u ???) with
+                    [ None ⇒ ?
+                    | Some bv ⇒ ?]) normalize nodelta
+                   #H destruct (H)
+                  /3 by ex_intro, conj, vint_eq/ ]
+     ]
+| 3: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 4: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]     
+     #Habsurd destruct (Habsurd)
+] qed.
+
+(* boolean ops *)
+lemma and_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_and v1 v1'=Some val r1→
+           ∃r2:val.sem_and v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 2: #sz #i
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 2: #sz' #i' whd in match (sem_and ??);
+          @intsize_eq_elim_elim
+          [ 1: #_ #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta 
+               #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/ ]
+] ]
+normalize in match (sem_and ??); #arg1 destruct
+normalize in match (sem_and ??); #arg2 destruct
+normalize in match (sem_and ??); #arg3 destruct
+normalize in match (sem_and ??); #arg4 destruct
+qed.
+
+lemma or_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_or v1 v1'=Some val r1→
+           ∃r2:val.sem_or v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 2: #sz #i
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 2: #sz' #i' whd in match (sem_or ??);
+          @intsize_eq_elim_elim
+          [ 1: #_ #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta 
+               #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/ ]
+] ]
+normalize in match (sem_or ??); #arg1 destruct
+normalize in match (sem_or ??); #arg2 destruct
+normalize in match (sem_or ??); #arg3 destruct
+normalize in match (sem_or ??); #arg4 destruct
+qed.
+
+lemma xor_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_xor v1 v1'=Some val r1→
+           ∃r2:val.sem_xor v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 2: #sz #i
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 2: #sz' #i' whd in match (sem_xor ??);
+          @intsize_eq_elim_elim
+          [ 1: #_ #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta 
+               #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/ ]
+] ]
+normalize in match (sem_xor ??); #arg1 destruct
+normalize in match (sem_xor ??); #arg2 destruct
+normalize in match (sem_xor ??); #arg3 destruct
+normalize in match (sem_xor ??); #arg4 destruct
+qed.
+
+lemma shl_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_shl v1 v1'=Some val r1→
+           ∃r2:val.sem_shl v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 2:
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 2: whd in match (sem_shl ??);
+          cases (lt_u ???) normalize nodelta
+          [ 1: #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/ 
+          | 2: #Habsurd destruct (Habsurd)
+          ]
+     | *: whd in match (sem_shl ??); #Habsurd destruct (Habsurd) ]
+| *: whd in match (sem_shl ??); #Habsurd destruct (Habsurd) ]
+qed.
+
+lemma shr_value_eq :
+  ∀E,v1,v2,v1',v2',ty,ty'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_shr v1 ty v1' ty'=Some val r1→
+           ∃r2:val.sem_shr v2 ty v2' ty'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty #ty' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+whd in match (sem_shr ????); whd in match (sem_shr ????);
+[ 1: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     elim sg normalize nodelta
+     cases (lt_u ???) normalize nodelta #Heq destruct (Heq)
+     /3 by ex_intro, conj, refl, vint_eq/
+| 3: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 4: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+
+(* We want to prove that, but we can't since valid_pointers can in fact be one off outside the block,
+   and [memory_inj] handles only stuff that is loadable (i.e. inside a block). TODO *)
+lemma pointer_eq_valid :
+∀E,m,m',p,p'.
+ memory_inj E m m' → 
+ pointer_translation p E = Some ? p' →
+ valid_pointer m p → 
+ valid_pointer m' p'.
+@cthulhu qed.
+
+
+lemma sem_cmp_value_eq :
+  ∀E,v1,v2,v1',v2',ty,ty',m1,m2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   memory_inj E m1 m2 →   
+   ∀op,r1. (sem_cmp op v1 ty v1' ty' m1 = Some val r1→
+           ∃r2:val.sem_cmp op v2 ty v2' ty' m2 = Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty #ty' #m1 #m2 #Hvalue_eq1 #Hvalue_eq2 #Hinj #op #r1
+cases op whd in match (sem_cmp ??????); whd in match (sem_cmp ??????);
+[ 1:
+  cases (classify_cmp ty ty') normalize nodelta
+  [ 1: #sz #sg | 2: #n #ty0 | 3: #fsz | 4: #ty0 #ty0' #Habsurd destruct (Habsurd) ]
+  @(value_eq_inversion E … Hvalue_eq1)
+  [ 1,6,11: #v | 2,7,12: #sz #i | 3,8,13: #f | 4,9,14: | 5,10,15: #p1 #p2 #Hembed ]
+  normalize nodelta
+  [ 1,2,3,5,6,7,8,10,12,13,15: #Habsurd destruct (Habsurd) ]
+  @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+  [ 1,6,11,16: #v' | 2,7,12,17: #sz' #i' | 3,8,13,18: #f' | 4,9,14,19: | 5,10,15,20: #p1' #p2' #Hembed' ]
+  [ 5: elim sg normalize nodelta
+       @intsize_eq_elim_elim
+       [ 1,3: #_ #Habsurd destruct (Habsurd)
+       | 2,4: #Heq destruct (Heq) normalize nodelta
+              [ 1: cases (cmp_int ????) whd in match (of_bool ?); #Heq destruct (Heq)
+              | 2: cases (cmpu_int ????) whd in match (of_bool ?); #Heq destruct (Heq) ]
+              /3 by ex_intro, conj, vint_eq/ ]
+  | 10: #Heq destruct (Heq) cases (Fcmp Ceq f f') /3 by ex_intro, conj, vint_eq/
+  | 15: whd in match (sem_cmp_match ?); #Heq destruct (Heq)
+        /3 by ex_intro, conj, vint_eq/
+  | 16,19: whd in match (sem_cmp_mismatch ?); #Heq destruct (Heq)
+        /3 by ex_intro, conj, vint_eq/
+  | 20: @cthulhu (* relies on [pointer_eq_valid] TODO *)   
+  | *: #Habsurd destruct (Habsurd) ]
+| *: @cthulhu ]
+qed.
+ 
 (* Commutation result for binary operators. *)
 lemma binary_operation_value_eq :