Context Navigation

← Previous Change
Next Change →

switchRemoval.ma

Timestamp:

Sep 12, 2012, 12:36:46 PM (7 years ago)

Author:

garnier

Message:

Some progress on switch removal. Small fix in the definition of free, in GenMem?.ma.

File:

: 1 edited

src/Clight/switchRemoval.ma (modified) (22 diffs)

Legend:

: Unmodified
: Added
: Removed

src/Clight/switchRemoval.ma

-                      r2304
+                      r2332
 include "Clight/fresh.ma".
 include "basics/lists/list.ma".
+include "basics/lists/listb.ma".
 include "common/Identifiers.ma".
+include "utilities/extralib.ma".
 include "Clight/Cexec.ma".
 include "Clight/CexecInd.ma".
 include "Clight/frontend_misc.ma".
+include "Clight/casts.ma". (* lemmas related to bitvectors ... *)
+(*
+include "Clight/maps_obsequiv.ma".
+*)
+include "Clight/memoryInjections.ma".
 (* -----------------------------------------------------------------------------
 …
 | 5: #l #s0 #Hind #lab #Hsf whd in Hsf; normalize /3/
 ] qed.
-(* Obsolete. This version generates a nested pseudo-sequence of if-then-elses. *)
-(*
-let rec produce_cond
-  (e : expr)
-  (switch_cases : stlist)
-  (def_case : ident × sf_statement)
-  (exit : label) on switch_cases : sf_statement × label ≝
-match switch_cases with
-[ nil ⇒
-  match def_case with
-  [ mk_Prod default_label default_statement ⇒
-    〈«Slabel default_label (convert_break_to_goto (pi1 … default_statement) exit), ?», default_label〉
+  ]
-| cons switch_case tail ⇒
-  let 〈case_label, case_value, case_statement〉 ≝ switch_case in
-    match case_value with
-    [ mk_DPair sz val ⇒
-       let test ≝ Expr (Ebinop Oeq e (Expr (Econst_int sz val) (typeof e))) (Tint I32 Signed) in
-       (* let test ≝ Expr (Ebinop Oeq e e) (Tint I32 Unsigned) in *)
-       (* let test ≝ Expr (Econst_int I32 (bvzero 32)) (Tint I32 Signed)  in *)
-       let 〈sub_statement, sub_label〉 ≝ produce_cond e tail def_case exit in
-       let result ≝
-         Sifthenelse test
-          (Slabel case_label
-            (Ssequence (convert_break_to_goto (pi1 … case_statement) exit)
-                       (Sgoto sub_label)))
-          (pi1 … sub_statement)
-      in
-      〈«result, ?», case_label〉
+    ]
-].
-[ 1: normalize @convert_break_lift elim default_statement //
-| 2: whd @conj normalize try @conj try //
-  [ 1: @convert_break_lift elim case_statement //
-  | 2: elim sub_statement // ]
-] qed. *)
-(* We assume that the expression e is consistely typed w.r.t. the switch branches *)
-(*
-let rec produce_cond2
-  (e : expr)
-  (switch_cases : stlist)
-  (def_case : ident × sf_statement)
-  (exit : label) on switch_cases : sf_statement × label ≝
-match switch_cases with
-[ nil ⇒
-  let 〈default_label, default_statement〉 ≝ def_case in
-  〈«Slabel default_label (convert_break_to_goto (pi1 … default_statement) exit), ?», default_label〉
-| cons switch_case tail ⇒
-  let 〈case_label, case_value, case_statement〉 ≝ switch_case in
-  match case_value with
-  [ mk_DPair sz val ⇒
-    let test ≝ Expr (Ebinop Oeq e (Expr (Econst_int sz val) (typeof e))) (Tint I32 Signed) in
-    let 〈sub_statement, sub_label〉 ≝ produce_cond2 e tail def_case exit in
-    let case_statement_res ≝
-       Sifthenelse test
-        (Slabel case_label
-          (Ssequence (convert_break_to_goto (pi1 … case_statement) exit)
-                     (Sgoto sub_label)))
-        Sskip
-    in
-    〈«Ssequence case_statement_res (pi1 … sub_statement), ?», case_label〉
+  ]
-].
-[ 1: normalize @convert_break_lift elim default_statement //
-| 2: whd @conj
-     [ 1: whd @conj try // whd in match (switch_free ?); @conj
-          [ 1: @convert_break_lift elim case_statement //
-          | 2: // ]
-     | 2: elim sub_statement // ]
-] qed. *)
 (*  (def_case : ident × sf_statement) *)
 …
 qed.
-(*
-lemma switch_removal_fresh : ∀i,s,u.
-    fresh_for_univ ? i u →
-    fresh_for_univ ? i (\snd (switch_removal s u)).
-#i #s @(statement_ind2 ? (λls. ∀u. fresh_for_univ ? i u →
-                                      fresh_for_univ ? i (\snd (switch_removal_branches ls u))) … s)
-try //
-[ 1: #s1' #s2' #Hind1 #Hind2 #u #Hyp
-     whd in match (switch_removal (Ssequence s1' s2') u);
-     lapply (Hind1 u Hyp) elim (switch_removal s1' u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta
-     lapply (Hind2 uA HuA) elim (switch_removal s2' uA)
-     * #irr3 #irr4 #uB #HuB normalize nodelta //
-| 2: #e #s1' #s2' #Hind1 #Hind2 #u #Hyp
-     whd in match (switch_removal (Sifthenelse e s1' s2') u);
-     lapply (Hind1 u Hyp) elim (switch_removal s1' u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta
-     lapply (Hind2 uA HuA) elim (switch_removal s2' uA)
-     * #irr3 #irr4 #uB #HuB normalize nodelta //
-| 3,4: #e #s' #Hind #u #Hyp
-     whd in match (switch_removal ? u);
-     lapply (Hind u Hyp) elim (switch_removal s' u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta //
-| 5: #s1' #e #s2' #s3' #Hind1 #Hind2 #Hind3 #u #Hyp
-     whd in match (switch_removal (Sfor s1' e s2' s3') u);
-     lapply (Hind1 u Hyp) elim (switch_removal s1' u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta
-     lapply (Hind2 uA HuA) elim (switch_removal s2' uA)
-     * #irr3 #irr4 #uB #HuB normalize nodelta
-     lapply (Hind3 uB HuB) elim (switch_removal s3' uB)
-     * #irr5 #irr6 #uC #HuC normalize nodelta //
-| 6: #e #ls #Hind #u #Hyp
-     whd in match (switch_removal (Sswitch e ls) u);
-     lapply (Hind u Hyp)
-     cases (switch_removal_branches ls u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta
-     lapply (fresh_for_univ_still_fresh … HuA)
-     cases (fresh SymbolTag uA) #v #uA' #Haux lapply (Haux v uA' (refl ? 〈v,uA'〉))
-     -Haux #HuA' normalize nodelta
-     lapply (simplify_switch_fresh uA' i (Expr (Evar v) (typeof e)) irr1 HuA')
-     cases (simplify_switch ???) #stm #uB
-     #Haux normalize nodelta //
-| 7,8: #label #body #Hind #u #Hyp
-     whd in match (switch_removal ? u);
-     lapply (Hind u Hyp) elim (switch_removal body u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta //
-| 9: #defcase #Hind #u #Hyp whd in match (switch_removal_branches ??);
-     lapply (Hind u Hyp) elim (switch_removal defcase u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta //
-| 10: #sz #i0 #s0 #tl #Hind1 #Hind2 #u #Hyp normalize
-     lapply (Hind2 u Hyp) elim (switch_removal_branches tl u)
-     * #irr1 #irr2 #uA #HuA normalize nodelta
-     lapply (Hind1 uA HuA) elim (switch_removal s0 uA)
-     * #irr3 #irr4 #uB #HuB //
-] qed.
-lemma switch_removal_branches_fresh : ∀i,ls,u.
-    fresh_for_univ ? i u →
-    fresh_for_univ ? i (\snd (switch_removal_branches ls u)).
-#i #ls @(labeled_statements_ind2 (λs. ∀u. fresh_for_univ ? i u →
-                                           fresh_for_univ ? i (\snd (switch_removal s u))) ? … ls)
-try /2 by switch_removal_fresh/
-[ 1: #s #Hind #u #Hfresh normalize lapply (switch_removal_fresh ? s ? Hfresh)
-     cases (switch_removal s u) * //
-| 2: #sz #i #s #tl #Hs #Htl #u #Hfresh normalize
-     lapply (Htl u Hfresh)
-     cases (switch_removal_branches tl u) * normalize nodelta
-     #ls' #fvs #u' #Hfresh'
-     lapply (Hs u' Hfresh')
-     cases (switch_removal s u') * //
-] qed.
-*)
 (* -----------------------------------------------------------------------------
    Simulation proof and related voodoo.
 …
 ].
 (* Correctness: we can't use a lock-step simulation result. The exec_step for Sswitch will be matched
    by a non-constant number of evaluations in the converted program. More precisely,
 …
 (* A version of simplify_switch hiding the ugly projs *)
 definition fresh_for_expression ≝
 λe,u. fresh_for_univ SymbolTag (max_of_expr e) u.
+  λe,u. fresh_for_univ SymbolTag (max_of_expr e) u.
 definition fresh_for_statement ≝
 λs,u. fresh_for_univ SymbolTag (max_of_statement s) u.
+  λs,u. fresh_for_univ SymbolTag (max_of_statement s) u.
 (* needed during mutual induction ... *)
 definition fresh_for_labeled_statements ≝
 λls,u. fresh_for_univ ? (max_of_ls ls) u.
+  λls,u. fresh_for_univ ? (max_of_ls ls) u.
 definition fresh_for_function ≝
 λf,u. fresh_for_univ SymbolTag (max_id_of_function f) u.
+  λf,u. fresh_for_univ SymbolTag (max_id_of_function f) u.
 (* misc properties of the max function on positives. *)
-lemma max_one_neutral : ∀v. max v one = v.
-* // qed.
 lemma max_id_one_neutral : ∀v. max_id v (an_identifier ? one) = v.
 …
 >commutative_max // qed.
-lemma transitive_le : transitive ? le. // qed.
-lemma le_S_weaken : ∀a,b. le (succ a) b → le a b.
-#a #b /2/ qed.
-(* cycle of length 1 *)
-lemma le_S_contradiction_1 : ∀a. le (succ a) a → False.
-* /2 by absurd/ qed.
-(* cycle of length 2 *)
-lemma le_S_contradiction_2 : ∀a,b. le (succ a) b → le (succ b) a → False.
-#a #b #H1 #H2 lapply (le_to_le_to_eq … (le_S_weaken ?? H1) (le_S_weaken ?? H2))
-#Heq @(le_S_contradiction_1 a) destruct // qed.
-(* cycle of length 3 *)
-lemma le_S_contradiction_3 : ∀a,b,c. le (succ a) b → le (succ b) c → le (succ c) a → False.
-#a #b #c #H1 #H2 #H3 lapply (transitive_le … H1 (le_S_weaken ?? H2)) #H4
-@(le_S_contradiction_2 … H3 H4)
-qed.
-lemma reflexive_leb : ∀a. leb a a = true.
-#a @(le_to_leb_true a a) // qed.
-(* This should be somewhere else. *)
-lemma associative_max : associative ? max.
-#a #b #c
-whd in ⊢ (??%%); whd in match (max a b); whd in match (max b c);
-lapply (pos_compare_to_Prop a b)
-cases (pos_compare a b) whd in ⊢ (% → ?); #Hab
-[ 1: >(le_to_leb_true a b) normalize nodelta /2/
-     lapply (pos_compare_to_Prop b c)
-     cases (pos_compare b c) whd in ⊢ (% → ?); #Hbc
-     [ 1: >(le_to_leb_true b c) normalize nodelta
-          lapply (pos_compare_to_Prop a c)
-          cases (pos_compare a c) whd in ⊢ (% → ?); #Hac
-          [ 1: >(le_to_leb_true a c) /2/
-          | 2: destruct cases (leb c c) //
-          | 3: (* There is an obvious contradiction in the hypotheses. omega, I miss you *)
-               @(False_ind … (le_S_contradiction_3 ??? Hab Hbc Hac))
+          ]
-          @le_S_weaken //
-     | 2: destruct
-          cases (leb c c) normalize nodelta
-          >(le_to_leb_true a c) /2/
-     | 3: >(not_le_to_leb_false b c) normalize nodelta /2/
-          >(le_to_leb_true a b) /2/
+     ]
-| 2: destruct (Hab) >reflexive_leb normalize nodelta
-     lapply (pos_compare_to_Prop b c)
-     cases (pos_compare b c) whd in ⊢ (% → ?); #Hbc
-     [ 1: >(le_to_leb_true b c) normalize nodelta
-          >(le_to_leb_true b c) normalize nodelta
-          /2/
-     | 2: destruct >reflexive_leb normalize nodelta
-          >reflexive_leb //
-     | 3: >(not_le_to_leb_false b c) normalize nodelta
-          >reflexive_leb /2/ ]
-| 3: >(not_le_to_leb_false a b) normalize nodelta /2/
-     lapply (pos_compare_to_Prop b c)
-     cases (pos_compare b c) whd in ⊢ (% → ?); #Hbc
-     [ 1: >(le_to_leb_true b c) normalize nodelta /2/
-     | 2: destruct >reflexive_leb normalize nodelta @refl
-     | 3: >(not_le_to_leb_false b c) normalize nodelta
-          >(not_le_to_leb_false a b) normalize nodelta
-          >(not_le_to_leb_false a c) normalize nodelta
-          lapply (transitive_le … Hbc (le_S_weaken … Hab))
-          #Hca /2/
+     ]
-] qed.
 lemma max_id_associative : ∀v1, v2, v3. max_id (max_id v1 v2) v3 = max_id v1 (max_id v2 v3).
 * #a * #b * #c whd in match (max_id ??) in ⊢ (??%%); >associative_max //
 qed.
+(*
+lemma max_of_expr_rewrite :
+  ∀e,id. max_of_expr e id = max_id (max_of_expr e (an_identifier SymbolTag one)) id.
+@(expr_ind2 … (λed,t. ∀id. max_of_expr (Expr ed t) id=max_id (max_of_expr (Expr ed t) (an_identifier SymbolTag one)) id))
+[ 1: #ed #t // ]
+[ 1: #sz #i | 2: #fl | 3: #var_id | 4: #e1 | 5: #e1 | 6: #op #e1 | 7: #op #e1 #e2 | 8: #cast_ty #e1
+| 9: #cond #iftrue #iffalse | 10: #e1 #e2 | 11: #e1 #e2 | 12: #sizeofty | 13: #e1 #field | 14: #cost #e1 ]
+#ty
+[ 3: * #id_p whd in match (max_of_expr ??); cases var_id #var_p normalize nodelta
+     whd in match (max_id ??) in ⊢ (???%);
+     >max_one_neutral // ]
+[ 1,2,11: * * //
+| 3,4,5,7,13: #Hind #id whd in match (max_of_expr (Expr ??) ?) in ⊢ (??%%); @Hind
+| 6,9,10: #Hind1 #Hind2 #id whd in match (max_of_expr (Expr ??) ?) in ⊢ (??%%);
+     >(Hind1 (max_of_expr e2 (an_identifier SymbolTag one)))
+     >max_id_associative
+     >Hind1
+     cases (max_of_expr e1 ?)
+     #v1 <Hind2 @refl
+| 8: #Hind1 #Hind2 #Hind3 #id whd in match (max_of_expr (Expr ??) ?) in ⊢ (??%%);
+     >Hind1 in ⊢ (??%?); >Hind2 in ⊢ (??%?); >Hind3 in ⊢ (??%?);
+     >Hind1 in ⊢ (???%); >Hind2 in ⊢ (???%);
+     >max_id_associative >max_id_associative @refl
+| 12: #Hind #id whd in match (max_of_expr (Expr ??) ?) in ⊢ (??%%);
+      cases field #p normalize nodelta
+      >Hind cases (max_of_expr e1 ?) #e'
+      cases id #id'
+      whd in match (max_id ??); normalize nodelta
+      whd in match (max_id ??); >associative_max @refl
+] qed.
+*)
 lemma fresh_max_split : ∀a,b,u. fresh_for_univ SymbolTag (max_id a b) u → fresh_for_univ ? a u ∧ fresh_for_univ ? b u.
 * #a * #b * #u normalize
 …
      <Hind <max_id_commutative >max_id_associative >(max_id_commutative b ?) @refl
 ] qed.
-(* -----------------------------------------------------------------------------
-   Stuff on memory and environments extensions.
-   Let us recap: the memory model of a function is in two layers. An environment
-   (type [env]) maps identifiers to blocks, and a memory maps blocks
-   switch_removal introduces new, fresh variables. What is to be noted is that
-   switch_removal modifies both the contents of the "disjoint" part of memory, but
-   also where the data is allocated. The first solution considered was to consider
-   an extensional equivalence relation on values, saying that equivalent pointers
-   point to equivalent values. This has to be a coinductive relation, in order to
-   take into account cyclic data structures. Rather than using coinductive types,
-   we use the compcert solution, using so-called memory embeddings.
-   ---------------------------------------------------------------------------- *)
-(* ---------------- *)
-(* auxillary lemmas *)
-lemma zlt_succ : ∀a,b. Zltb a b = true → Zltb a (Zsucc b) = true.
-#a #b #HA
-lapply (Zltb_true_to_Zlt … HA) #HA_prop
-@Zlt_to_Zltb_true /2/
-qed.
-lemma zlt_succ_refl : ∀a. Zltb a (Zsucc a) = true.
-#a @Zlt_to_Zltb_true /2/ qed.
-(*
-definition le_offset : offset → offset → bool.
-  λx,y. Zleb (offv x) (offv y).
-*)
-lemma not_refl_absurd : ∀A:Type[0].∀x:A. x ≠ x → False. /2/. qed.
-lemma eqZb_reflexive : ∀x:Z. eqZb x x = true. #x /2/. qed.
-(* When equality on A is decidable, [mem A elt l] is too. *)
-lemma mem_dec : ∀A:Type[0]. ∀eq:(∀a,b:A. a = b ∨ a ≠ b). ∀elt,l. mem A elt l ∨ ¬ (mem A elt l).
-#A #dec #elt #l elim l
-[ 1: normalize %2 /2/
-| 2: #hd #tl #Hind
-     elim (dec elt hd)
-     [ 1: #Heq >Heq %1 /2/
-     | 2: #Hneq cases Hind
-        [ 1: #Hmem %1 /2/
-        | 2: #Hnmem %2 normalize
-              % #H cases H
-              [ 1: lapply Hneq * #Hl #Eq @(Hl Eq)
-              | 2: lapply Hnmem * #Hr #Hmem @(Hr Hmem) ]
-] ] ]
-qed.
-lemma block_eq_dec : ∀a,b:block. a = b ∨ a ≠ b.
-#a #b @(eq_block_elim … a b) /2/ qed.
-lemma mem_not_mem_neq : ∀l,elt1,elt2. (mem block elt1 l) → ¬ (mem block elt2 l) → elt1 ≠ elt2.
-#l #elt1 #elt2 elim l
-[ 1: normalize #Habsurd @(False_ind … Habsurd)
-| 2: #hd #tl #Hind normalize #Hl #Hr
-   cases Hl
-   [ 1: #Heq >Heq
-        @(eq_block_elim … hd elt2)
-        [ 1: #Heq >Heq /2 by not_to_not/
-        | 2: #x @x ]
-   | 2: #Hmem1 cases (mem_dec … block_eq_dec elt2 tl)
-        [ 1: #Hmem2 % #Helt_eq cases Hr #H @H %2 @Hmem2
-        | 2: #Hmem2 @Hind //
+        ]
+   ]
-] qed.
-lemma neq_block_eq_block_false : ∀b1,b2:block. b1 ≠ b2 → eq_block b1 b2 = false.
-#b1 #b2 * #Hb
-@(eq_block_elim … b1 b2)
-[ 1: #Habsurd @(False_ind … (Hb Habsurd))
-| 2: // ] qed.
-(* Type of blocks in a particular region. *)
-definition block_in : region → Type[0] ≝ λrg. Σb. (block_region b) = rg.
-(* An embedding is a function from blocks to (blocks+offset). *)
-definition embedding ≝ block → option (block × offset).
-definition offset_plus : offset → offset → offset ≝
-  λo1,o2. mk_offset (addition_n ? (offv o1) (offv o2)).
-(* Prove that (zero n) is a neutral element for (addition_n n) *)
-lemma add_with_carries_n_O : ∀n,bv. add_with_carries n bv (zero n) false = 〈bv,zero n〉.
-#n #bv whd in match (add_with_carries ????); elim bv //
-#n #hd #tl #Hind whd in match (fold_right2_i ????????);
->Hind normalize
-cases n in tl;
-[ 1: #tl cases hd normalize @refl
-| 2: #n' #tl cases hd normalize @refl ]
-qed.
-lemma addition_n_0 : ∀n,bv. addition_n n bv (zero n) = bv.
-#n #bv whd in match (addition_n ???);
->add_with_carries_n_O //
-qed.
-lemma offset_plus_0 : ∀o. offset_plus o (mk_offset (zero ?)) = o.
-* #o
-whd in match (offset_plus ??);
->addition_n_0 @refl
-qed.
-(* Translates a pointer through an embedding. *)
-definition pointer_translation : ∀p:pointer. ∀E:embedding. option pointer ≝
-λp,E.
-match p with
-[ mk_pointer pblock poff ⇒
-   match E pblock with
-   [ None ⇒ None ?
-   | Some loc ⇒
-    let 〈dest_block,dest_off〉 ≝ loc in
-    let ptr ≝ (mk_pointer dest_block (offset_plus poff dest_off)) in
-    Some ? ptr
+   ]
-].
-(* We parameterise the "equivalence" relation on values with an embedding. *)
-(* Front-end values. *)
-inductive value_eq (E : embedding) : val → val → Prop ≝
-| undef_eq : ∀v.
-  value_eq E Vundef v
-| vint_eq : ∀sz,i.
-  value_eq E (Vint sz i) (Vint sz i)
-| vfloat_eq : ∀f.
-  value_eq E (Vfloat f) (Vfloat f)
-| vnull_eq :
-  value_eq E Vnull Vnull
-| vptr_eq : ∀p1,p2.
-  pointer_translation p1 E = Some ? p2 →
-  value_eq E (Vptr p1) (Vptr p2).
-(* [load_sim] states the fact that each successful load in [m1] is matched by a load in [m2] s.t.
- * the values are equivalent. *)
-definition load_sim ≝
-λ(E : embedding).λ(m1 : mem).λ(m2 : mem).
- ∀b1,off1,b2,off2,ty,v1.
-  valid_block m1 b1 →  (* We need this because it is not provable from [load_value_of_type ty m1 b1 off1] when loading by-ref *)
-  E b1 = Some ? 〈b2,off2〉 →
-  load_value_of_type ty m1 b1 off1 = Some ? v1 →
-  (∃v2. load_value_of_type ty m2 b2 (offset_plus off1 off2) = Some ? v2 ∧ value_eq E v1 v2).
-definition load_sim_ptr ≝
-λ(E : embedding).λ(m1 : mem).λ(m2 : mem).
- ∀b1,off1,b2,off2,ty,v1.
-  valid_pointer m1 (mk_pointer b1 off1) = true →  (* We need this because it is not provable from [load_value_of_type ty m1 b1 off1] when loading by-ref *)
-  pointer_translation (mk_pointer b1 off1) E = Some ? (mk_pointer b2 off2) →
-  load_value_of_type ty m1 b1 off1 = Some ? v1 →
-  (∃v2. load_value_of_type ty m2 b2 off2 = Some ? v2 ∧ value_eq E v1 v2).
-(* Definition of a memory injection *)
-record memory_inj (E : embedding) (m1 : mem) (m2 : mem) : Type[0] ≝
-{ (* Load simulation *)
-  mi_inj : load_sim_ptr E m1 m2;
-  (* Invalid blocks are not mapped *)
-  mi_freeblock : ∀b. ¬ (valid_block m1 b) → E b = None ?;
-  (* Valid pointers are mapped to valid pointers*)
-  mi_valid_pointers : ∀p,p'.
-                       valid_pointer m1 p = true →
-                       pointer_translation p E = Some ? p' →
-                       valid_pointer m2 p' = true;
-  (* Blocks in the codomain are valid *)
-  (* mi_incl : ∀b,b',o'. E b = Some ? 〈b',o'〉 → valid_block m2 b'; *)
-  (* Regions are preserved *)
-  mi_region : ∀b,b',o'. E b = Some ? 〈b',o'〉 → block_region b = block_region b';
-  (* Disjoint blocks are mapped to disjoint blocks. Note that our condition is stronger than compcert's.
-   * This may cause some problems if we reuse this def for the translation from Clight to Cminor, where
-   * all variables are allocated in the same block. *)
-  mi_disjoint : ∀b1,b2,b1',b2',o1',o2'.
-                b1 ≠ b2 →
-                E b1 = Some ? 〈b1',o1'〉 →
-                E b2 = Some ? 〈b2',o2'〉 →
-                b1' ≠ b2'
-}.
-(* Definition of a memory extension. /!\ Not equivalent to the compcert concept. /!\
- * A memory extension is a [memory_inj] with some particular blocks designated as
- * being writeable. *)
-alias id "meml" = "cic:/matita/basics/lists/list/mem.fix(0,2,1)".
-record memory_ext (E : embedding) (m1 : mem) (m2 : mem) : Type[0] ≝
-{ me_inj : memory_inj E m1 m2;
-  (* A list of blocks where we can write freely *)
-  me_writeable : list block;
-  (* These blocks are valid *)
-  me_writeable_valid : ∀b. meml ? b me_writeable → valid_block m2 b;
-  (* And pointers to m1 are oblivious to these blocks *)
-  me_writeable_ok : ∀p,p'.
-                     valid_pointer m1 p = true →
-                     pointer_translation p E = Some ? p' →
-                     ¬ (meml ? (pblock p') me_writeable)
-}.
-(* ---------------------------------------------------------------------------- *)
-(* End of the definitions on memory injections. Now, on to proving some lemmas. *)
-(* A particular inversion. *)
-lemma value_eq_ptr_inversion :
-  ∀E,p1,v. value_eq E (Vptr p1) v → ∃p2. v = Vptr p2 ∧ pointer_translation p1 E = Some ? p2.
-#E #p1 #v #Heq inversion Heq
-[ 1: #v #Habsurd destruct (Habsurd)
-| 2: #sz #i #Habsurd destruct (Habsurd)
-| 3: #f #Habsurd destruct (Habsurd)
-| 4:  #Habsurd destruct (Habsurd)
-| 5: #p1' #p2 #Heq #Heqv #Heqv2 #_ destruct
-     %{p2} @conj try @refl try assumption
-] qed.
-(* A cleaner version of inversion for [value_eq] *)
-lemma value_eq_inversion :
-  ∀E,v1,v2. ∀P : val → val → Prop. value_eq E v1 v2 →
-  (∀v. P Vundef v) →
-  (∀sz,i. P (Vint sz i) (Vint sz i)) →
-  (∀f. P (Vfloat f) (Vfloat f)) →
-  (P Vnull Vnull) →
-  (∀p1,p2. pointer_translation p1 E = Some ? p2 → P (Vptr p1) (Vptr p2)) →
-  P v1 v2.
-#E #v1 #v2 #P #Heq #H1 #H2 #H3 #H4 #H5
-inversion Heq
-[ 1: #v #Hv1 #Hv2 #_ destruct @H1
-| 2: #sz #i #Hv1 #Hv2 #_ destruct @H2
-| 3: #f #Hv1 #Hv2 #_ destruct @H3
-| 4: #Hv1 #Hv2 #_ destruct @H4
-| 5: #p1 #p2 #Hembed #Hv1 #Hv2 #_ destruct @H5 // ] qed.
-(* If we succeed to load something by value from a 〈b,off〉 location,
-   [b] is a valid block. *)
-lemma load_by_value_success_valid_block_aux :
-  ∀ty,m,b,off,v.
-    access_mode ty = By_value (typ_of_type ty) →
-    load_value_of_type ty m b off = Some ? v →
-    Zltb (block_id b) (nextblock m) = true.
-#ty #m * #brg #bid #off #v
-cases ty
-[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
-| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
-whd in match (load_value_of_type ????);
-[ 1,7,8: #_ #Habsurd destruct (Habsurd) ]
-#Hmode
-[ 1,2,3,6: [ 1: elim sz | 2: elim fsz ]
-     normalize in match (typesize ?);
-     whd in match (loadn ???);
-     whd in match (beloadv ??);
-     cases (Zltb bid (nextblock m)) normalize nodelta
-     try // #Habsurd destruct (Habsurd)
-| *: normalize in Hmode; destruct (Hmode)
-] qed.
-(* If we succeed in loading some data from a location, then this loc is a valid pointer. *)
-lemma load_by_value_success_valid_ptr_aux :
-  ∀ty,m,b,off,v.
-    access_mode ty = By_value (typ_of_type ty) →
-    load_value_of_type ty m b off = Some ? v →
-    Zltb (block_id b) (nextblock m) = true ∧
-    Zleb (low_bound m b) (Z_of_unsigned_bitvector ? (offv off)) = true ∧
-    Zltb (Z_of_unsigned_bitvector ? (offv off)) (high_bound m b) = true.
-#ty #m * #brg #bid #off #v
-cases ty
-[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
-| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
-whd in match (load_value_of_type ????);
-[ 1,7,8: #_ #Habsurd destruct (Habsurd) ]
-#Hmode
-[ 1,2,3,6: [ 1: elim sz | 2: elim fsz ]
-     normalize in match (typesize ?);
-     whd in match (loadn ???);
-     whd in match (beloadv ??);
-     cases (Zltb bid (nextblock m)) normalize nodelta
-     cases (Zleb (low (blocks m (mk_block brg bid)))
-                  (Z_of_unsigned_bitvector offset_size (offv off)))
-     cases (Zltb (Z_of_unsigned_bitvector offset_size (offv off)) (high (blocks m (mk_block brg bid))))
-     normalize nodelta
-     #Heq destruct (Heq)
-     try /3 by conj, refl/
-| *: normalize in Hmode; destruct (Hmode)
-] qed.
-lemma valid_block_from_bool : ∀b,m. Zltb (block_id b) (nextblock m) = true → valid_block m b.
-* #rg #id #m normalize
-elim id /2/ qed.
-lemma valid_block_to_bool : ∀b,m. valid_block m b → Zltb (block_id b) (nextblock m) = true.
-* #rg #id #m normalize
-elim id /2/ qed.
-lemma load_by_value_success_valid_block :
-  ∀ty,m,b,off,v.
-    access_mode ty = By_value (typ_of_type ty) →
-    load_value_of_type ty m b off = Some ? v →
-    valid_block m b.
-#ty #m #b #off #v #Haccess_mode #Hload
-@valid_block_from_bool
-elim (load_by_value_success_valid_ptr_aux ty m b off v Haccess_mode Hload) * //
-qed.
-lemma load_by_value_success_valid_pointer :
-  ∀ty,m,b,off,v.
-    access_mode ty = By_value (typ_of_type ty) →
-    load_value_of_type ty m b off = Some ? v →
-    valid_pointer m (mk_pointer b off).
-#ty #m #b #off #v #Haccess_mode #Hload normalize
-elim (load_by_value_success_valid_ptr_aux ty m b off v Haccess_mode Hload)
-* #H1 #H2 #H3 >H1 >H2 normalize nodelta
->Zle_to_Zleb_true try //
-lapply (Zlt_to_Zle … (Zltb_true_to_Zlt … H3)) /2/
-qed.
-(* Making explicit the contents of memory_inj for load_value_of_type *)
-lemma load_value_of_type_inj : ∀E,m1,m2,b1,off1,v1,b2,off2,ty.
-    memory_inj E m1 m2 →
-    value_eq E (Vptr (mk_pointer b1 off1)) (Vptr (mk_pointer b2 off2)) →
-    load_value_of_type ty m1 b1 off1 = Some ? v1 →
-    ∃v2. load_value_of_type ty m2 b2 off2 = Some ? v2 ∧ value_eq E v1 v2.
-#E #m1 #m2 #b1 #off1 #v1 #b2 #off2 #ty #Hinj #Hvalue_eq
-lapply (value_eq_ptr_inversion … Hvalue_eq) * #p2 * #Hp2_eq #Hembed destruct
-lapply (refl ? (access_mode ty))
-cases ty
-[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
-| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
-normalize in ⊢ ((???%) → ?); #Hmode #Hyp
-[ 1,7,8: normalize in Hyp; destruct (Hyp)
-| 5,6: normalize in Hyp ⊢ %; destruct (Hyp) /3 by ex_intro, conj, vptr_eq/ ]
-lapply (load_by_value_success_valid_pointer … Hmode … Hyp) #Hvalid_pointer
-lapply (mi_inj … Hinj b1 off1 b2 off2 … Hvalid_pointer Hembed Hyp) #H @H
-qed.
-(* -------------------------------------- *)
-(* Lemmas pertaining to memory allocation *)
-(* A valid block stays valid after an alloc. *)
-lemma alloc_valid_block_conservation :
-  ∀m,m',z1,z2,r,new_block.
-  alloc m z1 z2 r = 〈m', new_block〉 →
-  ∀b. valid_block m b → valid_block m' b.
-#m #m' #z1 #z2 #r * #b' #Hregion_eq
-elim m #contents #nextblock #Hcorrect whd in match (alloc ????);
-#Halloc destruct (Halloc)
-#b whd in match (valid_block ??) in ⊢ (% → %); /2/
-qed.
-(* Allocating a new zone produces a valid block. *)
-lemma alloc_valid_new_block :
-  ∀m,m',z1,z2,r,new_block.
-  alloc m z1 z2 r = 〈m', new_block〉 →
-  valid_block m' new_block.
-* #contents #nextblock #Hcorrect #m' #z1 #z2 #r * #new_block #Hregion_eq
-whd in match (alloc ????); whd in match (valid_block ??);
-#Halloc destruct (Halloc) /2/
-qed.
-(* All data in a valid block is unchanged after an alloc. *)
-lemma alloc_beloadv_conservation :
-  ∀m,m',block,offset,z1,z2,r,new_block.
-    valid_block m block →
-    alloc m z1 z2 r = 〈m', new_block〉 →
-    beloadv m (mk_pointer block offset) = beloadv m' (mk_pointer block offset).
-* #contents #next #Hcorrect #m' #block #offset #z1 #z2 #r #new_block #Hvalid #Halloc
-whd in Halloc:(??%?); destruct (Halloc)
-whd in match (beloadv ??) in ⊢ (??%%);
-lapply (valid_block_to_bool … Hvalid) #Hlt
->Hlt >(zlt_succ … Hlt)
-normalize nodelta whd in match (update_block ?????); whd in match (eq_block ??);
-cut (eqZb (block_id block) next = false)
-[ lapply (Zltb_true_to_Zlt … Hlt) #Hlt' @eqZb_false /2/ ] #Hneq
->Hneq cases (eq_region ??) normalize nodelta  @refl
-qed.
-(* Lift [alloc_beloadv_conservation] to loadn *)
-lemma alloc_loadn_conservation :
-  ∀m,m',z1,z2,r,new_block.
-    alloc m z1 z2 r = 〈m', new_block〉 →
-    ∀n. ∀block,offset.
-    valid_block m block →
-    loadn m (mk_pointer block offset) n = loadn m' (mk_pointer block offset) n.
-#m #m' #z1 #z2 #r #new_block #Halloc #n
-elim n try //
-#n' #Hind #block #offset #Hvalid_block
-whd in ⊢ (??%%);
->(alloc_beloadv_conservation … Hvalid_block Halloc)
-cases (beloadv m' (mk_pointer block offset)) //
-#bev normalize nodelta
-whd in match (shift_pointer ???); >Hind try //
-qed.
-(* Memory allocation preserves [memory_inj] *)
-lemma alloc_memory_inj :
-  ∀E:embedding.∀m1,m2,m2',z1,z2,r,new_block. ∀H:memory_inj E m1 m2.
-  alloc m2 z1 z2 r = 〈m2', new_block〉 →
-  memory_inj E m1 m2'.
-#E #m1 #m2 #m2' #z1 #z2 #r * #new_block #Hregion #Hmemory_inj #Halloc
+%
-[ 1:
-  whd
-  #b1 #off1 #b2 #off2 #ty #v1 #Hvalid #Hembed #Hload
-  elim (mi_inj E m1 m2 Hmemory_inj b1 off1 b2 off2 … ty v1 Hvalid Hembed Hload)
-  #v2 * #Hload_eq #Hvalue_eq %{v2} @conj try //
-  lapply (refl ? (access_mode ty))
-  cases ty in Hload_eq;
-  [ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
-  | 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
-  #Hload normalize in ⊢ ((???%) → ?); #Haccess
-  [ 1,7,8: normalize in Hload; destruct (Hload)
-  | 2,3,4,9: whd in match (load_value_of_type ????);
-     whd in match (load_value_of_type ????);
-     lapply (load_by_value_success_valid_block … Haccess Hload)
-     #Hvalid_block
-     whd in match (load_value_of_type ????) in Hload;
-     <(alloc_loadn_conservation … Halloc … Hvalid_block)
-     @Hload
-  | 5,6: whd in match (load_value_of_type ????) in Hload ⊢ %; @Hload ]
-| 2: @(mi_freeblock … Hmemory_inj)
-| 3: #p #p' #Hvalid #Hptr_trans lapply (mi_valid_pointers … Hmemory_inj p p' Hvalid Hptr_trans)
-     elim m2 in Halloc; #contentmap #nextblock #Hnextblock
-     elim p' * #br' #bid' #o' #Halloc whd in Halloc:(??%?) ⊢ ?; destruct (Halloc)
-     whd in match (valid_pointer ??) in ⊢ (% → %);
-     @Zltb_elim_Type0
-     [ 2: normalize #_ #Habsurd destruct (Habsurd) ]
-     #Hbid' cut (Zltb bid' (Zsucc nextblock) = true) [ lapply (Zlt_to_Zltb_true … Hbid') @zlt_succ ]
-     #Hbid_succ >Hbid_succ whd in match (low_bound ??) in ⊢ (% → %);
-     whd in match (high_bound ??) in ⊢ (% → %);
-     whd in match (update_block ?????);
-     whd in match (eq_block ??);
-     cut (eqZb bid' nextblock = false) [ 1: @eqZb_false /2 by not_to_not/ ]
-     #Hbid_neq >Hbid_neq
-     cases (eq_region br' r) normalize #H @H
-| 4: @(mi_region … Hmemory_inj)
-| 5: @(mi_disjoint … Hmemory_inj)
-] qed.
-(* Memory allocation induces a memory extension. *)
-lemma alloc_memory_ext :
-  ∀E:embedding.∀m1,m2,m2',z1,z2,r,new_block. ∀H:memory_inj E m1 m2.
-  alloc m2 z1 z2 r = 〈m2', new_block〉 →
-  memory_ext E m1 m2'.
-#E #m1 #m2 #m2' #z1 #z2 #r * #new_block #Hblock_region_eq #Hmemory_inj #Halloc
-lapply (alloc_memory_inj … Hmemory_inj Halloc)
-#Hinj' %
-[ 1: @Hinj'
-| 2: @[new_block]
-| 3: #b normalize in ⊢ (%→ ?); * [ 2: #H @(False_ind … H) ]
-      #Heq destruct (Heq) whd elim m2 in Halloc;
-      #Hcontents #nextblock #Hnextblock
-      whd in ⊢ ((??%?) → ?); #Heq destruct (Heq)
-      /2/
-| 4: * #b #o * #b' #o' #Hvalid_ptr #Hembed %
-     normalize in ⊢ (% → ?); * [ 2: #H @H ]
-     #Heq destruct (Heq)
-     lapply (mi_valid_pointers … Hmemory_inj … Hvalid_ptr Hembed)
-     whd in ⊢ (% → ?);
-     (* contradiction because ¬ (valid_block m2 new_block)  *)
-     elim m2 in Halloc;
-     #contents_m2 #nextblock_m2 #Hnextblock_m2
-     whd in ⊢ ((??%?) → ?);
-     #Heq_alloc destruct (Heq_alloc)
-     normalize
-     lapply (irreflexive_Zlt nextblock_m2)
-     @Zltb_elim_Type0
-     [ #H * #Habsurd @(False_ind … (Habsurd H)) ] #_ #_ normalize #Habsurd destruct (Habsurd)
-] qed.
-lemma bestorev_beloadv_conservation :
-  ∀mA,mB,wb,wo,v.
-    bestorev mA (mk_pointer wb wo) v = Some ? mB →
-    ∀rb,ro. eq_block wb rb = false →
-    beloadv mA (mk_pointer rb ro) = beloadv mB (mk_pointer rb ro).
-#mA #mB #wb #wo #v #Hstore #rb #ro #Hblock_neq
-whd in ⊢ (??%%);
-elim mB in Hstore; #contentsB #nextblockB #HnextblockB
-normalize in ⊢ (% → ?);
-cases (Zltb (block_id wb) (nextblock mA)) normalize nodelta
-[ 2: #Habsurd destruct (Habsurd) ]
-cases (if Zleb (low (blocks mA wb)) (Z_of_unsigned_bitvector 16 (offv wo))
-       then Zltb (Z_of_unsigned_bitvector 16 (offv wo)) (high (blocks mA wb))
-       else false) normalize nodelta
-[ 2: #Habsurd destruct (Habsurd) ]
-#Heq destruct (Heq) elim rb in Hblock_neq; #rr #rid elim wb #wr #wid
-cases rr cases wr normalize try //
-@(eqZb_elim … rid wid)
-[ 1,3: #Heq destruct (Heq) >(eqZb_reflexive wid) #Habsurd destruct (Habsurd) ]
-try //
-qed.
-(* lift [bestorev_beloadv_conservation to [loadn] *)
-lemma bestorev_loadn_conservation :
-  ∀mA,mB,n,wb,wo,v.
-    bestorev mA (mk_pointer wb wo) v = Some ? mB →
-    ∀rb,ro. eq_block wb rb = false →
-    loadn mA (mk_pointer rb ro) n = loadn mB (mk_pointer rb ro) n.
-#mA #mB #n
-elim n
-[ 1: #wb #wo #v #Hstore #rb #ro #Hblock_neq normalize @refl
-| 2: #n' #Hind #wb #wo #v #Hstore #rb #ro #Hneq
-     whd in ⊢ (??%%);
-     >(bestorev_beloadv_conservation … Hstore … Hneq)
-     >(Hind … Hstore … Hneq) @refl
-] qed.
-(* lift [bestorev_loadn_conservation] to [load_value_of_type] *)
-lemma bestorev_load_value_of_type_conservation :
-  ∀mA,mB,wb,wo,v.
-    bestorev mA (mk_pointer wb wo) v = Some ? mB →
-    ∀rb,ro. eq_block wb rb = false →
-    ∀ty.load_value_of_type ty mA rb ro = load_value_of_type ty mB rb ro.
-#mA #mB #wb #wo #v #Hstore #rb #ro #Hneq #ty
-cases ty
-[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
-| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ] try //
-[ 1: elim sz | 2: elim fsz | 3: | 4: ]
-whd in ⊢ (??%%);
->(bestorev_loadn_conservation … Hstore … Hneq) @refl
-qed.
-(* Writing in the "extended" part of a memory preserves the underlying injection *)
-lemma bestorev_memory_ext_to_load_sim :
-  ∀E,mA,mB,mC.
-  ∀Hext:memory_ext E mA mB.
-  ∀wb,wo,v. meml ? wb (me_writeable … Hext) →
-  bestorev mB (mk_pointer wb wo) v = Some ? mC →
-  load_sim_ptr E mA mC.
-#E #mA #mB #mC #Hext #wb #wo #v #Hwb #Hstore whd
-#b1 #off1 #b2 #off2 #ty #v1 #Hvalid #Hembed #Hload
-(* Show that (wb ≠ b2) by showing b2 ∉ (me_writeable ...) *)
-lapply (me_writeable_ok … Hext (mk_pointer b1 off1) (mk_pointer b2 off2) Hvalid Hembed) #Hb2
-lapply (mem_not_mem_neq … Hwb Hb2) #Hwb_neq_b2
-cut ((eq_block wb b2) = false) [ @neq_block_eq_block_false @Hwb_neq_b2 ] #Heq_block_false
-<(bestorev_load_value_of_type_conservation … Hstore … Heq_block_false)
-@(mi_inj … (me_inj … Hext) … Hvalid  … Hembed …  Hload)
-qed.
-(* Writing in the "extended" part of a memory preserves the whole memory injection *)
-lemma bestorev_memory_ext_to_memory_inj :
-  ∀E,mA,mB,mC.
-  ∀Hext:memory_ext E mA mB.
-  ∀wb,wo,v. meml ? wb (me_writeable … Hext) →
-  bestorev mB (mk_pointer wb wo) v = Some ? mC →
-  memory_inj E mA mC.
-#E #mA * #contentsB #nextblockB #HnextblockB #mC
-#Hext #wb #wo #v #Hwb #Hstore
+%
-[ 1: @(bestorev_memory_ext_to_load_sim … Hext … Hwb Hstore) ]
-elim Hext in Hwb; * #Hinj #Hvalid #Hcodomain #Hregion #Hdisjoint #writeable #Hwriteable_valid #Hwriteable_ok
-#Hmem
-[ 1: @Hvalid | 3: @Hregion | 4: @Hdisjoint ] -Hvalid -Hregion -Hdisjoint
-whd in Hstore:(??%?); lapply (Hwriteable_valid … Hmem)
-normalize in ⊢ (% → ?); #Hlt_wb
-#p #p' #HvalidA #Hembed lapply (Hcodomain … HvalidA Hembed) -Hcodomain
-normalize in match (valid_pointer ??) in ⊢ (% → %);
->(Zlt_to_Zltb_true … Hlt_wb) in Hstore; normalize nodelta
-cases (Zleb (low (contentsB wb)) (Z_of_unsigned_bitvector offset_size (offv wo))
-       ∧Zltb (Z_of_unsigned_bitvector offset_size (offv wo)) (high (contentsB wb)))
-normalize nodelta
-[ 2: #Habsurd destruct (Habsurd) ]
-#Heq destruct (Heq)
-cases (Zltb (block_id (pblock p')) nextblockB) normalize nodelta
-[ 2: // ]
-whd in match (update_block ?????);
-cut (eq_block (pblock p') wb = false)
-[ 2: #Heq >Heq normalize nodelta #H @H ]
-@neq_block_eq_block_false @sym_neq
-@(mem_not_mem_neq writeable … Hmem)
-@(Hwriteable_ok … HvalidA Hembed)
-qed.
-(* It even preserves memory extensions, with the same writeable blocks.  *)
-lemma bestorev_memory_ext_to_memory_ext :
-  ∀E,mA,mB.
-  ∀Hext:memory_ext E mA mB.
-  ∀wb,wo,v. meml ? wb (me_writeable … Hext) →
-  ∀mC.bestorev mB (mk_pointer wb wo) v = Some ? mC →
-  ΣExt:memory_ext E mA mC.(me_writeable … Hext = me_writeable … Ext).
-#E #mA #mB #Hext #wb #wo #v #Hmem #mC #Hstore
-%{(mk_memory_ext …
-      (bestorev_memory_ext_to_memory_inj … Hext … Hmem … Hstore)
-      (me_writeable … Hext)
+      ?
-      (me_writeable_ok … Hext)
- )} try @refl
-#b #Hmemb
-lapply (me_writeable_valid … Hext b Hmemb)
-lapply (me_writeable_valid … Hext wb Hmem)
-elim mB in Hstore; #contentsB #nextblockB #HnextblockB #Hstore #Hwb_valid #Hb_valid
-lapply Hstore normalize in Hwb_valid Hb_valid ⊢ (% → ?);
->(Zlt_to_Zltb_true … Hwb_valid) normalize nodelta
-cases (if Zleb (low (contentsB wb)) (Z_of_unsigned_bitvector 16 (offv wo))
-       then Zltb (Z_of_unsigned_bitvector 16 (offv wo)) (high (contentsB wb))
-       else false)
-normalize [ 2: #Habsurd destruct (Habsurd) ]
-#Heq destruct (Heq) @Hb_valid
-qed.
-(* Lift [bestorev_memory_ext_to_memory_ext] to storen *)
-lemma storen_memory_ext_to_memory_ext :
-  ∀E,mA,l,mB,mC.
-  ∀Hext:memory_ext E mA mB.
-  ∀wb,wo. meml ? wb (me_writeable … Hext) →
-  storen mB (mk_pointer wb wo) l = Some ? mC →
-  memory_ext E mA mC.
-#E #mA #l elim l
-[ 1: #mB #mC #Hext #wb #wo #Hmem normalize in ⊢ (% → ?); #Heq destruct (Heq)
-     @Hext
-| 2: #hd #tl #Hind #mB #mC #Hext #wb #wo #Hmem
-     whd in ⊢ ((??%?) → ?);
-     lapply (bestorev_memory_ext_to_memory_ext … Hext … wb wo hd Hmem)
-     cases (bestorev mB (mk_pointer wb wo) hd)
-     normalize nodelta
-     [ 1: #H #Habsurd destruct (Habsurd) ]
-     #mD #H lapply (H mD (refl ??)) * #HextD #Heq #Hstore
-     @(Hind … HextD … Hstore)
-     <Heq @Hmem
-] qed.
-(* Lift [storen_memory_ext_to_memory_ext] to store_value_of_type *)
-lemma store_value_of_type_memory_ext_to_memory_ext :
-  ∀E,mA,mB,mC.
-  ∀Hext:memory_ext E mA mB.
-  ∀wb,wo. meml ? wb (me_writeable … Hext) →
-  ∀ty,v.store_value_of_type ty mB wb wo v = Some ? mC →
-  memory_ext E mA mC.
-#E #mA #mB #mC #Hext #wb #wo #Hmem #ty #v
-cases ty
-[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
-| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
-whd in ⊢ ((??%?) → ?);
-[ 1,5,6,7,8: #Habsurd destruct (Habsurd) ]
-#Hstore
-@(storen_memory_ext_to_memory_ext … Hext … Hmem … Hstore)
-qed.
-(* End of the memory injection-related stuff. *)
-(* ------------------------------------------ *)
 (* Lookup functions in list environments (used to type local variables in functions) *)
 …
 ].
+(* --------------------------------------------------------------------------- *)
+(* Memory extensions (limited form on memoryInjection.ma). Note that we state the
+   properties at the back-end level. *)
+(* --------------------------------------------------------------------------- *)
+(*
+definition block_DeqSet : DeqSet ≝ mk_DeqSet block eq_blockb ?.
+* #r1 #id1 * #r2 #id2 @(eqZb_elim … id1 id2)
+[ 1: #Heq >Heq cases r1 cases r2 normalize
+     >eqZb_reflexive normalize @conj #H destruct (H)
+     try @refl
+| 2: #Hneq cases r1 cases r2 normalize
+     >(eqZb_false … Hneq) normalize @conj
+     #H destruct (H) elim Hneq #H @(False_ind … (H (refl ??)))
+] qed. *)
+(* [load_sim] states the fact that each successful load in [m1] is matched by a load in [m2] s.t. the back-end values are equal. *)
+definition load_sim ≝
+λ(m1 : mem).λ(m2 : mem).
+ ∀ptr,bev.
+  beloadv m1 ptr = Some ? bev →
+  beloadv m2 ptr = Some ? bev.
+(* The [valid_pointer] property is too weak to be preserved by [free]. We use the following guard. *)
+(* definition freed_pointer ≝ λ(m : mem).λ(p : pointer).
+  low_bound m (pblock p) = OZ ∧
+  high_bound m (pblock p) = OZ. *)
+(* definition in_bounds_pointer ≝ λm,p. ∀A,f.∃res. do_if_in_bounds A m p f = Some ? res. *)
+definition in_bounds_pointer ≝ λm,p. ∀A,f.∃res. do_if_in_bounds A m p f = Some ? res.
+definition outbound_pointer ≝ λm,p.
+   Zltb (block_id (pblock p)) (nextblock m) = true ∧
+   Zleb (low_bound m (pblock p)) (Z_of_unsigned_bitvector offset_size (offv (poff p))) = true ∧
+   high_bound m (pblock p) = Z_of_unsigned_bitvector … (offv (poff p)).
+lemma valid_pointer_def : ∀m,p. valid_pointer m p = true ↔ in_bounds_pointer m p ∨ outbound_pointer m p.
+#m #p @conj
+[ 1: whd in match (valid_pointer m p); whd in match (in_bounds_pointer ??);
+     whd in match (outbound_pointer ??);
+     whd in match (do_if_in_bounds); normalize nodelta
+     cases (Zltb (block_id (pblock p)) (nextblock m))
+     [ 2: >andb_lsimpl_false normalize nodelta #Habsurd destruct (Habsurd) ]
+     >andb_lsimpl_true normalize nodelta
+     cases (Zleb (low_bound m (pblock p)) (Z_of_unsigned_bitvector offset_size (offv (poff p))))
+     [ 2: normalize nodelta #Habsurd destruct (Habsurd) ]
+     >andb_lsimpl_true normalize nodelta
+     lapply (Zltb_to_Zleb_true (Z_of_unsigned_bitvector offset_size (offv (poff p))) (high_bound m (pblock p)))
+     elim (Zltb_dec (Z_of_unsigned_bitvector offset_size (offv (poff p))) (high_bound m (pblock p)))
+     [ 1: #H >H #_ normalize nodelta #_ %1 #A #f /2 by ex_intro/
+     | 2: * #_ #H1 #_ #H2 >(Zleb_true_to_Zleb_true_to_eq … H1 H2) %2 @conj try @conj @refl ]
+| 2: whd in match (valid_pointer ??); *
+     [ 1: whd in match (in_bounds_pointer ??); #H
+          lapply (H bool (λblock,contents,off. true))
+          * #foo whd in match (do_if_in_bounds ????);
+          cases (Zltb (block_id (pblock p)) (nextblock m)) normalize nodelta
+          [ 2: #Habsurd destruct (Habsurd) ]
+          >andb_lsimpl_true
+          cases (Zleb (low (blocks m (pblock p))) (Z_of_unsigned_bitvector offset_size (offv (poff p))))
+          normalize nodelta
+          [ 2: #Habsurd destruct (Habsurd) ]
+          >andb_lsimpl_true
+          elim (Zltb_dec (Z_of_unsigned_bitvector offset_size (offv (poff p))) (high (blocks m (pblock p))))
+          [ 1: #H >(Zltb_to_Zleb_true … H) #_ @refl
+          | 2: * #Hnlt #Hle >Hnlt normalize nodelta #Habsurd destruct (Habsurd) ]
+     | 2: whd in match (outbound_pointer ??); * * #Hlt #Hleb >Hlt >Hleb
+          #Hhigh >Hhigh >andb_lsimpl_true
+          lapply (reflexive_Zle … (Z_of_unsigned_bitvector offset_size (offv (poff p))))
+          #Hle >(Zle_to_Zleb_true … Hle) @refl
+     ]
+] qed.
+(*
+lemma freed_pointer_dec : ∀m,p. freed_pointer m p ∨ (¬freed_pointer m p).
+#m #p
+whd in match (freed_pointer ??);
+cases (low_bound m (pblock p))
+[ 2,3: #low %2 % * #H destruct (H) ]
+cases (high_bound m (pblock p))
+[ 1: %1 @conj @refl | 2,3: #low %2 % * #_ #H destruct (H) ]
+qed. *)
+(* In the limited setting of switch removal, a memory extension is a list of fresh blocks
+ * to which we can write. *)
+record sr_memext (m1 : mem) (m2 : mem) : Type[0] ≝
+{ me_inj : load_sim m1 m2;
+  (* A list of blocks where we can write freely *)
+  me_writeable : list block;
+  (* These blocks are valid *)
+  me_writeable_valid : ∀b. meml ? b me_writeable → valid_block m2 b;
+  (* And pointers to m1 are oblivious to these blocks *)
+  me_writeable_ok : ∀p.valid_pointer m1 p = true →
+                     ¬ (meml ? (pblock p) me_writeable);
+  (* Valid pointers are still valid in m2. One could think that this is superfluous as
+     being implied by me_inj, and it is but for a small detail: valid_pointer allows a pointer
+     to be one off the end of a block bound. The internal check in beloadv does not.
+     valid_pointer should be understood as "pointer making sense" rather than "pointer from
+     which you can load stuff". [mi_valid_pointers] is used for instance when proving the
+     semantics preservation for equality testing (where we check that the pointers we
+     compare are valid before being equal).
+  *)
+  me_valid_pointers : ∀p. (* ¬ (freed_pointer m1 p) → *)
+                       valid_pointer m1 p = true →
+                       valid_pointer m2 p = true
+}.
 (* [disjoint_extension e1 m1 e2 m2 types ext] states that [e2] is an extension
    of the environment [e1] s.t. the new binders are in [new], and such that those
 …
 definition disjoint_extension ≝
 λ(e1 : env). λ(m1 : mem). λ(e2 : env). λ(m2 : mem).
 λ(new : list (ident × type)). λ(E:embedding). λ(Hext: memory_ext E m1 m2).
+λ(new : list (ident × type)). λ(Hext: sr_memext m1 m2).
   ∀id. match mem_assoc_env id new with
        [ true ⇒
 …
             ∧ meml ? b (me_writeable … Hext)
             ∧ lookup ?? e1 id = None ?
+       | false ⇒
+         match lookup ?? e1 id with
+         [ None ⇒ lookup ?? e2 id = None ?
+         | Some b1 ⇒
+           match lookup ?? e2 id with
+           [ None ⇒ False
+           | Some b2 ⇒
+             valid_block m1 b1 ∧
+             value_eq E (Vptr (mk_pointer b1 zero_offset)) (Vptr (mk_pointer b2 zero_offset))
+           ]
+         ]
+       | false ⇒ lookup ?? e1 id = lookup ?? e2 id
        ].
+(* Lift load_sim to loadn. *)
+lemma load_sim_loadn :
+ ∀m1,m2. load_sim m1 m2 →
+ ∀sz,p,res. loadn m1 p sz = Some ? res → loadn m2 p sz = Some ? res.
+#m1 #m2 #Hload_sim #sz
+elim sz
+[ 1: #p #res #H @H
+| 2: #n' #Hind #p #res
+     whd in match (loadn ???);
+     whd in match (loadn m2 ??);
+     lapply (Hload_sim p)
+     cases (beloadv m1 p) normalize nodelta
+     [ 1: #_ #Habsurd destruct (Habsurd) ]
+     #bval #H >(H ? (refl ??)) normalize nodelta
+     lapply (Hind (shift_pointer 2 p (bitvector_of_nat 2 1)))
+     cases (loadn m1 (shift_pointer 2 p (bitvector_of_nat 2 1)) n')
+     normalize nodelta
+     [ 1: #_ #Habsurd destruct (Habsurd) ]
+     #res' #H >(H ? (refl ??)) normalize
+     #H @H
+] qed.
+(* Lift load_sim to front-end values. *)
+lemma load_sim_fe :
+  ∀m1,m2. load_sim m1 m2 →
+  ∀ptr,ty,v.load_value_of_type ty m1 (pblock ptr) (poff ptr) = Some ? v →
+            load_value_of_type ty m2 (pblock ptr) (poff ptr) = Some ? v.
+#m1 #m2 #Hloadsim #ptr #ty #v
+cases ty
+[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptrty | 5: #arrayty #arraysz | 6: #argsty #retty
+| 7: #sid #fields | 8: #uid #fields | 9: #cptr_id ]
+whd in match (load_value_of_type ????) in ⊢ ((??%?) → (??%?));
+[ 1,7,8: #Habsurd destruct (Habsurd)
+| 5,6: #H @H
+| 2,3,4,9:
+  generalize in match (mk_pointer (pblock ptr) (poff ptr));
+  elim (typesize ?)
+  [ 1,3,5,7: #p #H @H
+  | 2,4,6,8: #n' #Hind #p
+      lapply (load_sim_loadn … Hloadsim (S n') p)
+      cases (loadn m1 p (S n')) normalize nodelta
+      [ 1,3,5,7: #_ #Habsurd destruct (Habsurd) ]
+      #bv #H >(H ? (refl ??)) #H @H
+  ]
+] qed.
+(* Lemmas relating memory extensions to [free] *)
+(* Successful beloadv implies valid_pointer. The converse is *NOT* true. *)
+lemma beloadv_to_valid_pointer : ∀m,ptr,res. beloadv m ptr = Some ? res → valid_pointer m ptr = true.
+* #contents #next #nextpos #ptr #res
+whd in match (beloadv ??);
+whd in match (valid_pointer ??);
+cases (Zltb (block_id (pblock ptr)) next)
+normalize nodelta
+[ 2: #Habsurd destruct (Habsurd) ]
+>andb_lsimpl_true
+whd in match (low_bound ??);
+whd in match (high_bound ??);
+cases (Zleb (low (contents (pblock ptr)))
+        (Z_of_unsigned_bitvector offset_size (offv (poff ptr))))
+[ 2: >andb_lsimpl_false normalize #Habsurd destruct (Habsurd) ]
+>andb_lsimpl_true
+normalize nodelta #H
+@Zltb_to_Zleb_true
+cases (Zltb (Z_of_unsigned_bitvector offset_size (offv (poff ptr))) (high (contents (pblock ptr)))) in H;
+try // normalize #Habsurd destruct (Habsurd) qed.
+lemma low_free_eq : ∀m,b1,b2. b1 ≠ b2 → low (blocks m b1) = low (blocks (free m b2) b1).
+* #contents #next #nextpos * #br1 #bid1 * #br2 #bid2 normalize
+@(eqZb_elim … bid1 bid2)
+[ 1: #Heq >Heq cases br1 cases br2 normalize
+     [ 1,4: * #H @(False_ind … (H (refl ??))) ]
+     #_ @refl
+| 2: cases br1 cases br2 normalize #_ #_ @refl ]
+qed.
+lemma high_free_eq : ∀m,b1,b2. b1 ≠ b2 → high (blocks m b1) = high (blocks (free m b2) b1).
+* #contents #next #nextpos * #br1 #bid1 * #br2 #bid2 normalize
+@(eqZb_elim … bid1 bid2)
+[ 1: #Heq >Heq cases br1 cases br2 normalize
+     [ 1,4: * #H @(False_ind … (H (refl ??))) ]
+     #_ @refl
+| 2: cases br1 cases br2 normalize #_ #_ @refl ]
+qed.
+lemma beloadv_free_blocks_neq :
+  ∀m,block,pblock,poff,res.
+  beloadv (free m block) (mk_pointer pblock poff) = Some ? res → pblock ≠ block.
+* #contents #next #nextpos * #br #bid * #pbr #pbid #poff #res
+normalize
+cases (Zltb pbid next) normalize nodelta
+[ 2: #Habsurd destruct (Habsurd) ]
+cases pbr cases br normalize nodelta
+[ 2,3: #_ % #Habsurd destruct (Habsurd) ]
+@(eqZb_elim pbid bid) normalize nodelta
+#Heq destruct (Heq)
+[ 1,3: >free_not_in_bounds normalize nodelta #Habsurd destruct (Habsurd) ]
+#_ % #H destruct (H) elim Heq #H @H @refl
+qed.
+(*
+lemma be_to_fe_value_inj : ∀bv1,bv2.
+    be_to_fe_value (ASTint I8 Unsigned) [bv1]
+  = be_to_fe_value (ASTint I8 Unsigned) [bv2] → bv1 = bv2.
+#bv1 #bv2
+whd in match (be_to_fe_value ??);
+whd in match (be_to_fe_value ??);
+cases bv1 normalize nodelta
+[ 1: cases bv2 normalize nodelta
+     [ 1: #H @refl | 2:
+try //
+[ cases bv2 *)
+lemma beloadv_free_beloadv :
+  ∀m,block,ptr,res.
+    beloadv (free m block) ptr = Some ? res →
+    beloadv m ptr = Some ? res.
+* #contents #next #nextpos #block * #pblock #poff #res
+#H lapply (beloadv_free_blocks_neq … H) #Hblocks_neq
+lapply H
+whd in match (beloadv ??);
+whd in match (beloadv ??) in ⊢ (? → %);
+whd in match (nextblock (free ??));
+cases (Zltb (block_id pblock) next)
+[ 2: normalize #Habsurd destruct (Habsurd) ]
+normalize nodelta
+<(low_free_eq … Hblocks_neq)
+<(high_free_eq … Hblocks_neq)
+whd in match (free ??);
+whd in match (update_block ?????);
+@(eq_block_elim … pblock block)
+[ 1: #Habsurd >Habsurd in Hblocks_neq; * #H @(False_ind … (H (refl ??))) ]
+#_ normalize nodelta
+#H @H
+qed.
+lemma beloadv_free_beloadv2 :
+  ∀m,block,ptr,res.
+  pblock ptr ≠ block →
+  beloadv m ptr = Some ? res →
+  beloadv (free m block) ptr = Some ? res.
+* #contents #next #nextpos #block * #pblock #poff #res #Hneq
+whd in match (beloadv ??);
+whd in match (beloadv ??) in ⊢ (? → %);
+whd in match (nextblock (free ??));
+cases (Zltb (block_id pblock) next)
+[ 2: normalize #Habsurd destruct (Habsurd) ]
+normalize nodelta
+<(low_free_eq … Hneq)
+<(high_free_eq … Hneq)
+whd in match (free ??);
+whd in match (update_block ?????);
+@(eq_block_elim … pblock block)
+[ 1: #Habsurd >Habsurd in Hneq; * #H @(False_ind … (H (refl ??))) ]
+#_ normalize nodelta
+#H @H
+qed.
+lemma beloadv_free_simulation :
+  ∀m1,m2,block,ptr,res.
+  ∀mem_hyp : sr_memext m1 m2.
+  beloadv (free m1 block) ptr = Some ? res → beloadv (free m2 block) ptr = Some ? res.
+* #contents1 #nextblock1 #nextpos1 * #contents2 #nextblock2 #nextpos2
+* #br #bid * * #pr #pid #poff #res *
+#Hload_sim #Hme_writeable #Hme_writeable_valid #Hptr_not_mem #Hvalid_conserv
+#Hload
+lapply (beloadv_free_beloadv … Hload) #Hload_before_free
+lapply (beloadv_free_blocks_neq … Hload) #Hblocks_neq
+@beloadv_free_beloadv2
+[ 1: @Hblocks_neq ]
+@Hload_sim assumption
+qed.
+lemma in_bounds_free_to_in_bounds : ∀m,b,p. in_bounds_pointer (free m b) p → in_bounds_pointer m p.
+#m #b #p whd in match (in_bounds_pointer ??) in ⊢ (% → %);
+#H #A #f elim (H bool (λ_,_,_.true)) #foo whd in match (do_if_in_bounds ????) in ⊢ (% → %);
+elim (Zltb_dec … (block_id (pblock p)) (nextblock (free m b)))
+[ 1: #Hlt >Hlt normalize nodelta
+     @(eq_block_elim … b (pblock p))
+     [ 1: #Heq >Heq whd in match (free ??);
+          whd in match (update_block ?????); >eq_block_b_b
+          normalize nodelta normalize in match (low ?);
+          >Zltb_unsigned_OZ >andb_comm >andb_lsimpl_false normalize nodelta
+          #Habsurd destruct (Habsurd)
+     | 2: #Hblock_neq whd in match (free ? ?);
+          whd in match (update_block ?????);
+          >(not_eq_block_rev … Hblock_neq) normalize nodelta
+          cases (Zleb (low_bound m (pblock p)) (Z_of_unsigned_bitvector offset_size (offv (poff p))))
+          [ 2: >andb_lsimpl_false normalize nodelta #Habsurd destruct (Habsurd) ]
+          >andb_lsimpl_true
+          lapply (Zltb_to_Zleb_true (Z_of_unsigned_bitvector offset_size (offv (poff p)))
+                                     (high (blocks m (pblock p))))
+          cases (Zltb (Z_of_unsigned_bitvector offset_size (offv (poff p))) (high (blocks m (pblock p))))
+          [ 2: #_ normalize nodelta #Habsurd destruct (Habsurd) ]
+          normalize nodelta #H #_ /2 by ex_intro/
+     ]
+| 2: * #Hlt #Hle >Hlt normalize nodelta #Habsurd destruct (Habsurd) ]
+qed.
+lemma outbound_free_to_outbound : ∀m,b,p. outbound_pointer (free m b) p → outbound_pointer m p.
+#m #b #p whd in match (free ??);
+whd in match (outbound_pointer ??) in ⊢ (% → %);
+whd in match (update_block ????);
+whd in match (low_bound ??); whd in match (high_bound ??);
+@(eq_block_elim … (pblock p) b) normalize nodelta
+[ 1: #Heq >Heq cases (Zltb ? (nextblock m))
+     [ 2: * * #Habsurd destruct (Habsurd) ]
+     * * #_ whd in match (low ?); whd in match (high ?);
+     #H1 #H2 <H2 in H1; normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd)
+| 2: #Hneq #H @H ]
+qed.
+lemma valid_free_to_valid : ∀m,b,p. valid_pointer (free m b) p = true → valid_pointer m p = true.
+#m #b #p #Hvalid
+lapply (valid_pointer_def … m p) * #_ #Hdef @Hdef
+elim (valid_pointer_def … (free m b) p) #H #_
+elim (H Hvalid)
+[ 1: #Hin %1 @in_bounds_free_to_in_bounds assumption
+| 2: #Hout %2 @outbound_free_to_outbound assumption ]
+qed.
+lemma valid_after_free : ∀m,b,p. valid_pointer (free m b) p = true → b ≠ pblock p.
+#m #b #p
+whd in match (valid_pointer ??);
+whd in match (free ??);
+whd in match (update_block ????);
+whd in match (low_bound ??);
+whd in match (high_bound ??);
+@(eq_block_elim … b (pblock p))
+[ 1: #Heq >Heq >eq_block_b_b normalize nodelta
+     whd in match (low ?); whd in match (high ?);
+     cases (Zltb ? (nextblock m))
+     [ 2: >andb_lsimpl_false normalize nodelta #Habsurd destruct (Habsurd) ]
+     >andb_lsimpl_true >free_not_valid #Habsurd destruct (Habsurd)
+| 2: #Hneq #_ @Hneq ]
+qed.
+lemma valid_pointer_free : ∀m1,m2. sr_memext m1 m2 → ∀p,b. valid_pointer (free m1 b) p = true → valid_pointer (free m2 b) p = true.
+#m1 #m2 #Hext #p #b #Hvalid
+lapply (valid_free_to_valid … Hvalid) #Hvalid_before_free
+lapply (me_valid_pointers … Hext … Hvalid_before_free)
+lapply (valid_after_free … Hvalid) #Hneq
+whd in match (free ??);
+whd in match (update_block ????);
+whd in match (valid_pointer ??) in ⊢ (% → %);
+whd in match (low_bound ??) in ⊢ (% → %);
+whd in match (high_bound ??) in ⊢ (% → %);
+>(not_eq_block_rev … Hneq) normalize nodelta #H @H
+qed.
+(* Performing a [free] preserves memory extensions. *)
+lemma free_memory_ext :
+  ∀m1,m2,bl.
+   sr_memext m1 m2 →
+   sr_memext (free m1 bl) (free m2 bl).
+#m1 #m2 #bl #Hext
+%
+[ 1: @(λptr,bev. beloadv_free_simulation m1 m2 bl ptr bev Hext)
+| 2: @(filter ? (λwb. notb (eq_block wb bl)) (me_writeable … Hext))
+| 3: #b #Hmem
+     cut (mem block b (me_writeable m1 m2 Hext))
+     [ elim (me_writeable m1 m2 Hext) in Hmem;
+       [ 1: #H @H
+       | 2: #h #tl #Hind whd in match (filter ???);
+            @(eq_block_elim … h bl) normalize in match (notb ?); normalize nodelta
+            [ 1: #Heq #H whd in match (meml ???); destruct %2 @Hind @H
+            | 2: #Hneq whd in match (meml ???) in ⊢ (% → %); *
+                 [ 1: #H %1 @H
+                 | 2: #H %2 @Hind @H ] ] ] ]
+    #Hmem2 lapply (me_writeable_valid … Hmem2)
+    elim m2 #contents #nextblock #pos elim b #br #bid
+    normalize #H @H
+| 4: #p #Hvalid elim (valid_pointer_free_ok_alt … Hvalid)
+     [ 1: #Heq >Heq elim (me_writeable m1 m2 Hext)
+        [ 1: normalize % //
+        | 2: #hd #tl #Hind
+             whd in match (filter ???);
+             @(eq_block_elim … hd bl) normalize in match (notb ?); normalize nodelta
+             [ 1: #Heq @Hind
+             | 2: #Hneq whd in match (meml ???); % *
+                  [ 1: #Heq elim Hneq #H @H @(sym_eq … Heq)
+                  | 2: #H elim Hind #Hind @Hind @H ] ] ]
+    | 2: * #_ #Hvalid lapply (me_writeable_ok … Hext … Hvalid)
+        * #Hyp % #Htarget @Hyp
+        elim (me_writeable m1 m2 Hext) in Htarget;
+        [ 1: normalize //
+        | 2: #hd #tl #Hind
+             whd in match (filter ???);
+             @(eq_block_elim … hd bl) normalize in match (notb ?); normalize nodelta
+             [ 1: #Heq whd in match (meml ???) in ⊢ (? → %);
+                  #H %2 @Hind @H
+             | 2: #Hneq whd in match (meml ???);
+                  whd in match (meml ???) in ⊢ (? → %); *
+                  [ 1: #H %1 @H
+                  | 2: #H %2@Hind @H ] ] ] ]
+| 5: #p @valid_pointer_free @Hext
+] qed.
+lemma free_list_memory_ext :
+  ∀l,m1,m2.
+   sr_memext m1 m2 →
+   sr_memext (free_list m1 l) (free_list m2 l).
+#l elim l
+[ 1: #m1 #m2 #H @H
+| 2: #hd #tl #Hind #m1 #m2 #H >free_list_cons >free_list_cons
+     @free_memory_ext @Hind @H
+] qed.
+(* Extend the previous lemma to [free_list] *)
+lemma beloadv_free_list_memory_ext :
+  ∀m1,m2,blocks,ptr,res.
+  ∀mem_hyp : sr_memext m1 m2.
+  beloadv (free_list m1 blocks) ptr = Some ? res → beloadv (free_list m2 blocks) ptr = Some ? res.
+#m1 #m2 #blocks #mtr #res #Hext #Hload
+lapply (free_list_memory_ext blocks … Hext) #Hext_list
+lapply (me_inj … Hext_list) #H @H @Hload
+qed.
+(* Prove that memory extensions are preserved by free.*)
+(*
+lemma memext_free_conservation :
+  ∀m1,m2 : mem.
+  ∀mem_hyp : sr_memext m1 m2.
+  ∀env,env_ext.
+  ∀new_vars.
+  ∀env_hyp : disjoint_extension env m1 env_ext m2 new_vars mem_hyp.
+   (sr_memext (free_list m1 (blocks_of_env env))
+     (free_list m2 (blocks_of_env env_ext))).
+#m1 #m2 * #Hloadsim #Hwriteable #Hwritevalid #Holdnotwriteable #Hvalidok #env #env_ext #new_vars
+whd in ⊢ (% → ?); #Hdisjoint *)
 (* In proofs, [disjoint_extension] is not enough. When a variable lookup arises, if
 …
 qed. *)
 (* "generic" simulation relation on [res ?] *)
 definition res_sim ≝
   λ(A : Type[0]).
-  λ(eq : A → A → Prop).
   λ(r1, r2 : res A).
   ∀a1. r1 = OK ? a1 → ∃a2. r2 = OK ? a2 ∧ eq a1 a2.
+  ∀a. r1 = OK ? a → r2 = OK ? a.
 (* Specialisation of [res_sim] to match [exec_expr] *)
+definition exec_expr_sim ≝ λE.
+  res_sim (val × trace) (λr1,r2. value_eq E (\fst r1) (\fst r2) ∧ (\snd r1 = \snd r2)).
+definition exec_expr_sim ≝ res_sim (val × trace).
 (* Specialisation of [res_sim] to match [exec_lvalue] *)
+definition exec_lvalue_sim ≝ λE.
+  res_sim (block × offset × trace)
+    (λr1,r2.
+      let 〈b1,o1,tr1〉 ≝ r1 in
+      let 〈b2,o2,tr2〉 ≝ r2 in
+      value_eq E (Vptr (mk_pointer b1 o1)) (Vptr (mk_pointer b2 o2)) ∧ tr1 = tr2).
+definition exec_lvalue_sim ≝ res_sim (block × offset × trace).
 lemma load_value_of_type_dec : ∀ty, m, b, o. load_value_of_type ty m b o = None ? ∨ ∃r. load_value_of_type ty m b o = Some ? r.
 #ty #m #b #o cases (load_value_of_type ty m b o)
 [ 1: %1 // | 2: #v %2 /2 by ex_intro/ ] qed.
-(*
-lemma switch_removal_alloc_extension : ∀f, f', vars, env, env', m, m'.
-   env = \fst (exec_alloc_variables empty_env m ((fn_params f) @ (fn_vars f))) →
-   〈f',vars〉 = function_switch_removal f →
-   env' = \fst (exec_alloc_variables empty_env m' ((fn_params f) @ vars @ (fn_vars f))) →
-   environment_extension env env' vars.
-#f #f'
-cut (∀l:list (ident × type). [ ] @ l = l) [ // ] #nil_append
-cases (fn_params f) cases (fn_vars f)
-[ 1: #vars >append_nil >append_nil >nil_append elim vars
-   [ 1: #env #env' #m #m' normalize in ⊢ (% → ? → % → ?); #Henv1 #_ #Henv2 destruct //
-   | 2: #hd #tl #Hind #env #env' #m #m' #Henv1 #Heq
-        whd in ⊢ ((???(???%)) → ?);
- #Henv #Hswrem #Henv'
-#id
-*)
-(*
-lemma substatement_fresh : ∀s,u.
-    fresh_for_statement s u →
-    substatement_P s (λs'. fresh_for_statement s' u) (λe. fresh_for_expression e u).
-#s #u @(statement_ind2 ? (λls.fresh_for_labeled_statements ls u → substatement_ls ls (λs':statement.fresh_for_statement s' u)) … s)
-try /by I/
-[ 1: #e1 #e2 #H lapply (fresh_max_split … H) * #H1 #H2 whd @conj assumption
-| 2: *
-    [ 1: #e #args whd in ⊢ (% → %); #H lapply (fresh_max_split ??? H) *
-         #Hfresh_e #Hfresh_args @conj try assumption
-         normalize nodelta in Hfresh_args;
-         >max_id_commutative in Hfresh_args; >max_id_one_neutral
-         #Hfresh_args
-    | 2: #ret #e #args whd in ⊢ (% → %); #H lapply (fresh_max_split ??? H) *
-         #Hfresh_e #H lapply (fresh_max_split ??? H) *
-         #Hfresh_ret #Hfresh_args @conj try @conj try assumption ]
-    elim args in Hfresh_args;
-    [ 1,3: //
-    | 2,4: #hd #tl #Hind whd in match (foldl ?????); whd in match (All ???);
-            >foldl_max #H elim (fresh_max_split ??? H) #Hu #HAll @conj
-            [ 1,3: @Hu
-            | 2,4: @Hind assumption ] ]
-| 3: #s1 #s2 #_ #_
-     whd in ⊢ (% → ?); #H lapply (fresh_max_split … H) *
-     whd in match (substatement_P ??); /2/
-| 4: #e #cond #iftrue #iffalse #_
-     whd in ⊢ (% → ?); #H lapply (fresh_max_split … H) *
-     #Hexpr #H2 lapply (fresh_max_split … H2) * /2/
-| 5,6: #e #stm #_
-     whd in ⊢ (% → ?); #H lapply (fresh_max_split … H) * /2/
-| 7: #init #cond #step #body #_ #_ #_ #H lapply (fresh_max_split … H) *
-      #H1 #H2 elim (fresh_max_split … H1) #Hinit #Hcond
-      elim (fresh_max_split … H2) #Hstep #Hbody whd @conj try @conj try @conj /3/
-| 8: #ret #H whd elim ret in H; try //
-| 9: #expr #ls #Hind #H whd @conj
-     [ 1: elim (fresh_max_split … H) //
-     | 2: @Hind elim (fresh_max_split … H) // ]
-| 10: #l #body #Hind #H whd elim (fresh_max_split … H) //
-| 11: #sz #i #hd #tl #Hhd #Htl #H whd
-     elim (fresh_max_split … H) #Htl_fresh #Hhd_fresh @conj //
-     @Htl //
-] qed.
-*)
-(* Eliminating switches introduces fresh variables. [environment_extension] characterizes
- * a local environment extended by some local variables. *)
-(* lookup on environment extension *)
-(*
-lemma extension_lookup :
-  ∀map, map', ext, id, result.
-  environment_extension map map' ext →
-  lookup ?? map id = Some ? result →
-  lookup ?? map' id = Some ? result.
-#map #map' #ext #id #result #Hext lapply (Hext id)
-cases (mem_assoc_env ??) normalize nodelta
-[ 1: * * #ext_result #H1 >H1 #Habsurd destruct (Habsurd)
-| 2: #H >H // ] qed.
-*)
-(* Extending a map by an empty list of variables yields an observationally equivalent
- * environment. *)
-(*
-lemma environment_extension_nil : ∀en,en':env. (environment_extension en en' [ ]) → imap_eq ?? en en'.
-* #map1 * #map2 whd in ⊢ (% → ?); #Hext whd % #id #v #H
-[ 1: lapply (Hext (an_identifier ? id)) whd in match (lookup ????); normalize nodelta
-     cases (lookup_opt block id map2) normalize
-     [ 1: >H #H2 >H2 @refl
-     | 2: #b >H cases v
-          [ 1: normalize * #H @(False_ind … H)
-          | 2: #block normalize // ] ]
-| 2: lapply (Hext (an_identifier ? id)) whd in match (lookup ????); normalize nodelta
-     >H cases v normalize try //
-     #block cases (lookup_opt ? id map1) normalize try //
-     * #H @(False_ind … H)
-] qed. *)
-(* If two identifier maps are observationally equal, then they contain the same bocks.
- * see maps_obsequiv.ma for the details of the proof. *)
-(*
-lemma blocks_of_env_eq : ∀e,e'. imap_eq ?? e e' → blocks_of_env e = blocks_of_env e'.
-* #map1 * #map2 normalize #Hpmap_eq lapply (pmap_eq_fold … Hpmap_eq) #Hfold
->Hfold @refl
-qed.
-*)
 (* Simulation relations. *)
 …
       (Kcall r (\fst (function_switch_removal f)) en' k').
 (*
  en' = exec_alloc_variables en m (\snd (function_switch_removal f))
 …
 *)
+inductive switch_state_sim : state → state → Prop ≝
+| sws_state : ∀u,f,s,k,k',m,m',result.
+    ∀env, env', f', vars.
+    ∀E:embedding.
+    ∀Hext:memory_ext E m m'.
+    fresh_for_statement s u →
+    (*
+    env = \fst (exec_alloc_variables empty_env m ((fn_params f) @ (fn_vars f))) →
+    env' = \fst (exec_alloc_variables empty_env m' ((fn_params f) @ vars @ (fn_vars f))) →
+    *)
+    〈f',vars〉 = function_switch_removal f →
+    disjoint_extension env m env' m' vars E Hext →
+    switch_removal s (map ?? (fst ??) vars) u = Some ? result →
+    switch_cont_sim (map ?? (fst ??) vars) k k' →
+(*  env = \fst (exec_alloc_variables empty_env m ((fn_params f) @ (fn_vars f))) →
+    env' = \fst (exec_alloc_variables empty_env m' ((fn_params f) @ vars @ (fn_vars f))) →  *)
+record switch_removal_globals (F:Type[0]) (t:F → F) (ge:genv_t F) (ge':genv_t F) : Prop ≝ {
+  rg_find_symbol: ∀s.
+    find_symbol ? ge s = find_symbol ? ge' s;
+  rg_find_funct: ∀v,f.
+    find_funct ? ge v = Some ? f →
+    find_funct ? ge' v = Some ? (t f);
+  rg_find_funct_ptr: ∀b,f.
+    find_funct_ptr ? ge b = Some ? f →
+    find_funct_ptr ? ge' b = Some ? (t f)
+}.
+(* This record aims to shorten the definition of the simulation relation on states more readeable. *)
+inductive switch_state_sim (ge : genv) : state → state → Prop ≝
+| sws_state :
+ (* current statement *)
+ ∀sss_statement  : statement.
+ (* statement after transformation *)
+ ∀sss_result     : swret statement.
+ (* label universe *)
+ ∀sss_lu         : universe SymbolTag.
+ (* [sss_lu] must be fresh *)
+ ∀sss_lu_fresh   : fresh_for_statement sss_statement sss_lu.
+ (* current function *)
+ ∀sss_func       : function.
+ (* current function after translation *)
+ ∀sss_func_tr    : function.
+ (* variables generated during conversion of the function *)
+ ∀sss_new_vars   : list (ident × type).
+ (* statement of the transformation *)
+ ∀sss_func_hyp   : 〈sss_func_tr, sss_new_vars〉 = function_switch_removal sss_func.
+ (* memory state before conversion *)
+ ∀sss_m          : mem.
+ (* memory state after conversion *)
+ ∀sss_m_ext      : mem.
+ (* environment before conversion *)
+ ∀sss_env        : env.
+ (* environment after conversion *)
+ ∀sss_env_ext    : env.
+ (* continuation before conversion *)
+ ∀sss_k          : cont.
+ (* continuation after conversion *)
+ ∀sss_k_ext      : cont.
+ (* memory "injection" *)
+ ∀sss_mem_hyp    : sr_memext sss_m sss_m_ext.
+ (* The extended environment does not interfer with the old one. *)
+ ∀sss_env_hyp    : disjoint_extension sss_env sss_m sss_env_ext sss_m_ext sss_new_vars sss_mem_hyp.
+ (* conversion of the current statement, using the variables produced during the conversion of the current function *)
+ ∀sss_result_hyp : switch_removal sss_statement (map ?? (fst ??) sss_new_vars) sss_lu = Some ? sss_result.
+ (* simulation between the continuations before and after conversion. *)
+ ∀sss_k_hyp      : switch_cont_sim (map ?? (fst ??) sss_new_vars) sss_k sss_k_ext.
+ ext_fresh_for_genv sss_new_vars ge →
     switch_state_sim
+      (State f s k env m)
+      (State f' (ret_st ? result) k' env' m')
+      ge
+      (State sss_func sss_statement sss_k sss_env sss_m)
+      (State sss_func_tr (ret_st … sss_result) sss_k_ext sss_env_ext sss_m_ext)
 | sws_callstate : ∀vars, fd,args,k,k',m.
     switch_cont_sim vars k k' →
+    switch_state_sim (Callstate fd args k m) (Callstate (fundef_switch_removal fd) args k' m)
+| sws_returnstate : ∀vars,res,k,k',m.
+    switch_cont_sim vars k k' →
+    switch_state_sim (Returnstate res k m) (Returnstate res k' m)
+    switch_state_sim ge (Callstate fd args k m) (Callstate (fundef_switch_removal fd) args k' m)
+| sws_returnstate :
+ ∀ssr_vars.
+ ∀ssr_result.
+ ∀ssr_k       : cont.
+ ∀ssr_k_ext   : cont.
+ ∀ssr_m       : mem.
+ ∀ssr_m_ext   : mem.
+ ∀ssr_mem_hyp : sr_memext ssr_m ssr_m_ext.
+    switch_cont_sim ssr_vars ssr_k ssr_k_ext →
+    switch_state_sim ge (Returnstate ssr_result ssr_k ssr_m) (Returnstate ssr_result ssr_k_ext ssr_m_ext)
 | sws_finalstate : ∀r.
     switch_state_sim (Finalstate r) (Finalstate r).
+    switch_state_sim ge (Finalstate r) (Finalstate r).
 lemma call_cont_swremoval : ∀fv,k,k'.
 …
 #ge #P #s #t * #s' * #Hexec #HP %1{… Hexec HP}  (* %{E0} normalize >(append_nil ? t) %1{????? Hexec HP} *)
 qed.
+(*
+lemma eventually_now : ∀ge,P,s,t. (∃s'.exec_step ge s = Value io_out io_in ? 〈t,s'〉 ∧ P s') →
+                                      ∃t'.eventually ge P s (t ⧺ t').
+#ge #P #s #t * #s' * #Hexec #HP %{E0} normalize >(append_nil ? t) %1{????? Hexec HP}
+qed.
+*)
 lemma eventually_later : ∀ge,P,s,t.
    (∃s',tstep.exec_step ge s = Value io_out io_in ? 〈tstep,s'〉 ∧ ∃tnext. t = tstep ⧺ tnext ∧ eventually ge P s' tnext) →
 …
 qed.
-(* lift value_eq to option block *)
-definition option_block_eq ≝ λE,ob1,ob2.
-match ob1 with
-[ None ⇒
-  match ob2 with
-  [ None ⇒ True
-  | Some _ ⇒ False ]
-| Some b1 ⇒
-  match ob2 with
-  [ None ⇒ False
-  | Some b2 ⇒ value_eq E (Vptr (mk_pointer b1 zero_offset)) (Vptr (mk_pointer b2 zero_offset))  ]
-].
-definition value_eq_opt ≝ λE,ov1,ov2.
-match ov1 with
-[ None ⇒
-  match ov2 with
-  [ None ⇒ True
-  | Some _ ⇒ False ]
-| Some v1 ⇒
-  match ov2 with
-  [ None ⇒ False
-  | Some v2 ⇒
-    value_eq E v1 v2 ]
-].
-record switch_removal_globals (E : embedding) (F:Type[0]) (t:F → F) (ge:genv_t F) (ge':genv_t F) : Prop ≝ {
-  rg_find_symbol: ∀s.
-    option_block_eq E (find_symbol ? ge s) (find_symbol ? ge' s);
-  rg_find_funct: ∀v,f.
-    find_funct ? ge v = Some ? f →
-    find_funct ? ge' v = Some ? (t f);
-  rg_find_funct_ptr: ∀b,f.
-    find_funct_ptr ? ge b = Some ? f →
-    find_funct_ptr ? ge' b = Some ? (t f)
-}.
 lemma exec_lvalue_expr_elim :
+  ∀E,r1,r2,Pok,Qok.
+  ∀H:exec_lvalue_sim E r1 r2.
+  (∀bo1,bo2,tr.
+    let 〈b1,o1〉 ≝ bo1 in
+    let 〈b2,o2〉 ≝ bo2 in
+    value_eq E (Vptr (mk_pointer b1 o1)) (Vptr (mk_pointer b2 o2)) →
+    match Pok 〈bo1,tr〉 with
+  ∀r1,r2,Pok,Qok.
+  exec_lvalue_sim r1 r2 →
+  (∀val,trace.
+    match Pok 〈val,trace〉 with
     [ Error err ⇒ True
     | OK vt1 ⇒
       let 〈val1,trace1〉 ≝ vt1 in
       match Qok 〈bo2,tr〉 with
+    | OK pvt ⇒
+      let 〈pval,ptrace〉 ≝ pvt in
+      match Qok 〈val,trace〉 with
       [ Error err ⇒ False
       | OK vt2 ⇒
         let 〈val2,trace2〉 ≝ vt2 in
         trace1 = trace2 ∧ value_eq E val1 val2
+      | OK qvt ⇒
+        let 〈qval,qtrace〉 ≝ qvt in
+        ptrace = qtrace ∧ pval = qval
+      ]
     ]) →
   exec_expr_sim E
+    ]) →
+  exec_expr_sim
     (match r1 with [ OK x ⇒ Pok x | Error err ⇒ Error ? err ])
     (match r2 with [ OK x ⇒ Qok x | Error err ⇒ Error ? err ]).
+#E #r1 #r2 #Pok #Qok whd in ⊢ (% → ?);
+#r1 #r2 #Pok #Qok whd in ⊢ (% → ?);
+elim r1
+[ 2:  #error #_ #_ normalize #a #Habsurd destruct (Habsurd)
+| 1: normalize nodelta #a #H lapply (H a (refl ??))
+     #Hr2 >Hr2 normalize #H #a' elim a * #b #o #tr
+     lapply (H 〈b, o〉 tr) #H1 #H2 >H2 in H1;
+     normalize nodelta elim a' in H2; #pval #ptrace #Hpok
+     normalize nodelta cases (Qok 〈b,o,tr〉)
+     [ 2: #error normalize #Habsurd @(False_ind … Habsurd)
+     | 1: * #qval #qtrace normalize nodelta * #Htrace #Hval
+          destruct @refl
+] ] qed.
+lemma exec_expr_expr_elim :
+  ∀r1,r2,Pok,Qok.
+  exec_expr_sim r1 r2 →
+  (∀val,trace.
+    match Pok 〈val,trace〉 with
+    [ Error err ⇒ True
+    | OK pvt ⇒
+      let 〈pval,ptrace〉 ≝ pvt in
+      match Qok 〈val,trace〉 with
+      [ Error err ⇒ False
+      | OK qvt ⇒
+        let 〈qval,qtrace〉 ≝ qvt in
+        ptrace = qtrace ∧ pval = qval
+      ]
+    ]) →
+  exec_expr_sim
+    (match r1 with [ OK x ⇒ Pok x | Error err ⇒ Error ? err ])
+    (match r2 with [ OK x ⇒ Qok x | Error err ⇒ Error ? err ]).
+#r1 #r2 #Pok #Qok whd in ⊢ (% → ?);
 elim r1
 [ 2: #error #_ #_ normalize #a1 #Habsurd destruct (Habsurd)
+| 1: normalize nodelta #a1 #H lapply (H a1 (refl ??))
+     * #a2 * #Hr2 >Hr2 normalize nodelta
+     elim a1 * #b1 #o1 #tr1
+     elim a2 * #b2 #o2 #tr2 normalize nodelta
+     * #Hvalue_eq #Htrace_eq #H2
+     destruct (Htrace_eq)
+     lapply (H2 〈b1, o1〉 〈b2, o2〉 tr2 Hvalue_eq)
+     cases (Pok 〈b1, o1, tr2〉)
+     [ 2: #error #_ normalize #a1' #Habsurd destruct (Habsurd)
+     | 1: * #v1 #tr1' normalize nodelta #H3 whd
+          * #v1' #tr1'' #Heq destruct (Heq)
+          cases (Qok 〈b2,o2,tr2〉) in H3;
+          [ 2: #error #Hfalse @(False_ind … Hfalse)
+          | 1: * #v2 #tr2 normalize nodelta * #Htrace_eq destruct (Htrace_eq)
+               #Hvalue_eq' %{〈v2,tr2〉} @conj try @conj //
+| 1: normalize nodelta #a #H lapply (H a (refl ??))
+     #Hr2 >Hr2 normalize nodelta #H
+     elim a in Hr2; #val #trace
+     lapply (H … val trace)
+     cases (Pok 〈val, trace〉)
+     [ 2: #error normalize #_ #_ #a' #Habsurd destruct (Habsurd)
+     | 1: * #pval #ptrace normalize nodelta
+          cases (Qok 〈val,trace〉)
+          [ 2: #error normalize #Hfalse @(False_ind … Hfalse)
+          | 1: * #qval #qtrace normalize nodelta * #Htrace_eq #Hval_eq
+               #Hr2_eq destruct #a #H @H
 ] ] ] qed.
+lemma exec_expr_expr_elim :
+  ∀E,r1,r2,Pok,Qok.
+  ∀H:exec_expr_sim E r1 r2.
+  (∀v1,v2,trace.
+    value_eq E v1 v2 →
+    match Pok 〈v1,trace〉 with
+    [ Error err ⇒ True
+    | OK vt1 ⇒
+      let 〈val1,trace1〉 ≝ vt1 in
+      match Qok 〈v2,trace〉 with
+      [ Error err ⇒ False
+      | OK vt2 ⇒
+        let 〈val2,trace2〉 ≝ vt2 in
+        trace1 = trace2 ∧ value_eq E val1 val2
+      ]
+    ]) →
+  exec_expr_sim E
+    (match r1 with [ OK x ⇒ Pok x | Error err ⇒ Error ? err ])
+    (match r2 with [ OK x ⇒ Qok x | Error err ⇒ Error ? err ]).
+#E #r1 #r2 #Pok #Qok whd in ⊢ (% → ?);
+elim r1
+[ 2: #error #_ #_ normalize #a1 #Habsurd destruct (Habsurd)
+| 1: normalize nodelta #a1 #H lapply (H a1 (refl ??))
+     * #a2 * #Hr2 >Hr2 normalize nodelta
+     elim a1 #v1 #tr1
+     elim a2 #v2 #tr2 normalize nodelta
+     * #Hvalue_eq #Htrace_eq #H2
+     destruct (Htrace_eq)
+     lapply (H2 v1 v2 tr2 Hvalue_eq)
+     cases (Pok 〈v1, tr2〉)
+     [ 2: #error #_ normalize #a1' #Habsurd destruct (Habsurd)
+     | 1: * #v1 #tr1' normalize nodelta #H3 whd
+          * #v1' #tr1'' #Heq destruct (Heq)
+          cases (Qok 〈v2,tr2〉) in H3;
+          [ 2: #error #Hfalse @(False_ind … Hfalse)
+          | 1: * #v2 #tr2 normalize nodelta * #Htrace_eq destruct (Htrace_eq)
+               #Hvalue_eq' %{〈v2,tr2〉} @conj try @conj //
+] ] ] qed.
+(* Commutation results of standard binary operations with value_eq. *)
+lemma unary_operation_value_eq :
+  ∀E,op,v1,v2,ty.
+   value_eq E v1 v2 →
+   ∀r1.
+   sem_unary_operation op v1 ty = Some ? r1 →
+    ∃r2.sem_unary_operation op v2 ty = Some ? r2 ∧ value_eq E r1 r2.
+#E #op #v1 #v2 #ty #Hvalue_eq #r1
+inversion Hvalue_eq
+[ 1: #v #Hv1 #Hv2 #_ destruct
+     cases op normalize
+     [ 1: cases ty [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          normalize #Habsurd destruct (Habsurd)
+     | 3: cases ty [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          normalize #Habsurd destruct (Habsurd)
+     | 2: #Habsurd destruct (Habsurd) ]
+| 2: #vsz #i #Hv1 #Hv2 #_
+     cases op
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in ⊢ ((??%?) → ?); whd in match (sem_unary_operation ???);
+          [ 2: cases (eq_intsize sz vsz) normalize nodelta #Heq1 destruct
+               %{(of_bool (eq_bv (bitsize_of_intsize vsz) i (zero (bitsize_of_intsize vsz))))}
+               cases (eq_bv (bitsize_of_intsize vsz) i (zero (bitsize_of_intsize vsz))) @conj
+               //
+          | *: #Habsurd destruct (Habsurd) ]
+     | 2: whd in match (sem_unary_operation ???);
+          #Heq1 destruct %{(Vint vsz (exclusive_disjunction_bv (bitsize_of_intsize vsz) i (mone vsz)))} @conj //
+     | 3: whd in match (sem_unary_operation ???);
+          cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          normalize nodelta
+          whd in ⊢ ((??%?) → ?);
+          [ 2: cases (eq_intsize sz vsz) normalize nodelta #Heq1 destruct
+               %{(Vint vsz (two_complement_negation (bitsize_of_intsize vsz) i))} @conj //
+          | *: #Habsurd destruct (Habsurd) ] ]
+| 3: #f #Hv1 #Hv2 #_ destruct  whd in match (sem_unary_operation ???);
+     cases op normalize nodelta
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_notbool ??);
+          #Heq1 destruct
+          cases (Fcmp Ceq f Fzero) /3 by ex_intro, vint_eq, conj/
+     | 2: normalize #Habsurd destruct (Habsurd)
+     | 3: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_neg ??);
+          #Heq1 destruct /3 by ex_intro, vfloat_eq, conj/ ]
+| 4: #Hv1 #Hv2 #_ destruct  whd in match (sem_unary_operation ???);
+     cases op normalize nodelta
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_notbool ??);
+          #Heq1 destruct /3 by ex_intro, vint_eq, conj/
+     | 2: normalize #Habsurd destruct (Habsurd)
+     | 3: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_neg ??);
+          #Heq1 destruct ]
+| 5: #p1 #p2 #Hptr_translation #Hv1 #Hv2 #_  whd in match (sem_unary_operation ???);
+     cases op normalize nodelta
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_notbool ??);
+          #Heq1 destruct /3 by ex_intro, vint_eq, conj/
+     | 2: normalize #Habsurd destruct (Habsurd)
+     | 3: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_neg ??);
+          #Heq1 destruct ]
+]
+qed.
+lemma commutative_add_with_carries : ∀n,a,b,carry. add_with_carries n a b carry = add_with_carries n b a carry.
+#n elim n
+[ 1: #a #b #carry
+     lapply (BitVector_O … a) lapply (BitVector_O … b) #H1 #H2 destruct @refl
+| 2: #n' #Hind #a #b #carry
+     lapply (BitVector_Sn … a) lapply (BitVector_Sn … b)
+     * #bhd * #btl #Heqb
+     * #ahd * #atl #Heqa destruct
+     lapply (Hind atl btl carry)
+     whd in match (add_with_carries ????) in ⊢ ((??%%) →  (??%%));
+     normalize in match (rewrite_l ??????);
+lemma load_value_of_type_inj : ∀m1,m2,b,off,ty.
+    sr_memext m1 m2 → ∀v.
+    load_value_of_type ty m1 b off = Some ? v →
+    load_value_of_type ty m2 b off = Some ? v.
+#m1 #m2 #b #off #ty #Hinj #v
+@(load_sim_fe … (me_inj … Hinj) (mk_pointer b off))
+qed.
+(* Conservation of the smenantics of binary operators *)
+lemma sim_sem_binary_operation : ∀op,v1,v2,e1,e2,m1,m2.
+  ∀Hext:sr_memext m1 m2. ∀res.
+  sem_binary_operation op v1 (typeof e1) v2 (typeof e2) m1 = Some ? res →
+  sem_binary_operation op v1 (typeof e1) v2 (typeof e2) m2 = Some ? res.
+#op #v1 #v2 #e1 #e2 #m1 #m2 #Hmemext #res cases op
+whd in match (sem_binary_operation ??????);
+try //
+whd in match (sem_binary_operation ??????);
+elim m1 in Hmemext; #contents1 #nextblocks1 #Hnextpos1
+elim m2 #contents2 #nextblocks2 #Hnextpos2
+* #Hptrsim #writeable #Hvalid #Hdisjoint #Hvalid_cons
+whd in match (sem_cmp ??????);
+whd in match (sem_cmp ??????);
+[ 1: cases (classify_cmp (typeof e1) (typeof e2))
      normalize nodelta
+     #Heq >Heq
+     generalize in match (fold_right2_i ????????); * #res #carries
+     [ 1: #sz #sg try //
+     | 2: #opt #ty
+          cases v1 normalize nodelta
+          [ 1: | 2: #sz #i | 3: #fl | 4: | 5: #ptr ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          cases v2 normalize nodelta
+          [ 1: | 2: #sz' #i' | 3: #fl' | 4: | 5: #ptr' ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          lapply (Hvalid_cons ptr)
+          elim (freed_pointer_dec … (mk_mem contents1 nextblocks1 Hnextpos1) ptr)
+          [ 2: #Hnot_freed #Hvalid lapply (Hvalid … Hnot_freed)
+               cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr)
+               [ 2: >andb_lsimpl_false normalize nodelta #_ #Habsurd destruct (Habsurd) ]
+               #Hvalid >(Hvalid (refl ??))
+               lapply (Hvalid_cons ptr')
+               elim (freed_pointer_dec … (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+               [ 2: #Hnot_freed' #Hvalid' lapply (Hvalid' … Hnot_freed')
+                    cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+                    [ 2: >andb_lsimpl_true #_ normalize nodelta #Habsurd destruct (Habsurd) ]
+                    #H' >(H' (refl ??)) >andb_lsimpl_true #Hres @Hres
+               | 1: normalize in ⊢ (% → ?); * #Hlow' #Hhigh' #_
+                    >andb_lsimpl_true >andb_lsimpl_true
+                    whd in match (valid_pointer ??);
+                    whd in match (low_bound ??);
+                    whd in match (high_bound ??);
+                    >Hlow' >Hhigh' >Zleb_unsigned_OZ >andb_comm >andb_lsimpl_true
+                    whd in match (valid_pointer ??);
+               cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+               [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+               #H' >(H' (refl ??)) #Hok @Hok
+          | 1:
+          ]
+     | 3: #fsz #H @H
+     | 4: #ty1 #ty2 #H @H ]
+| 2: cases (classify_cmp (typeof e1) (typeof e2))
      normalize nodelta
+     cases ahd cases bhd @refl
+     [ 1: #sz #sg try //
+     | 2: #opt #ty
+          cases v1 normalize nodelta
+          [ 1: | 2: #sz #i | 3: #fl | 4: | 5: #ptr ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          cases v2 normalize nodelta
+          [ 1: | 2: #sz' #i' | 3: #fl' | 4: | 5: #ptr' ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          lapply (Hvalid_cons ptr)
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr)
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H >(H (refl ??))
+          lapply (Hvalid_cons ptr')
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H' >(H' (refl ??)) #Hok @Hok
+     | 3: #fsz #H @H
+     | 4: #ty1 #ty2 #H @H ]
+| 3: cases (classify_cmp (typeof e1) (typeof e2))
+     normalize nodelta
+     [ 1: #sz #sg try //
+     | 2: #opt #ty
+          cases v1 normalize nodelta
+          [ 1: | 2: #sz #i | 3: #fl | 4: | 5: #ptr ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          cases v2 normalize nodelta
+          [ 1: | 2: #sz' #i' | 3: #fl' | 4: | 5: #ptr' ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          lapply (Hvalid_cons ptr)
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr)
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H >(H (refl ??))
+          lapply (Hvalid_cons ptr')
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H' >(H' (refl ??)) #Hok @Hok
+     | 3: #fsz #H @H
+     | 4: #ty1 #ty2 #H @H ]
+| 4: cases (classify_cmp (typeof e1) (typeof e2))
+     normalize nodelta
+     [ 1: #sz #sg #H @H
+     | 2: #opt #ty
+          cases v1 normalize nodelta
+          [ 1: | 2: #sz #i | 3: #fl | 4: | 5: #ptr ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          cases v2 normalize nodelta
+          [ 1: | 2: #sz' #i' | 3: #fl' | 4: | 5: #ptr' ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          lapply (Hvalid_cons ptr)
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr)
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H >(H (refl ??))
+          lapply (Hvalid_cons ptr')
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H' >(H' (refl ??)) #Hok @Hok
+     | 3: #fsz #H @H
+     | 4: #ty1 #ty2 #H @H ]
+| 5: cases (classify_cmp (typeof e1) (typeof e2))
+     normalize nodelta
+     [ 1: #sz #sg #H @H
+     | 2: #opt #ty
+          cases v1 normalize nodelta
+          [ 1: | 2: #sz #i | 3: #fl | 4: | 5: #ptr ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          cases v2 normalize nodelta
+          [ 1: | 2: #sz' #i' | 3: #fl' | 4: | 5: #ptr' ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          lapply (Hvalid_cons ptr)
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr)
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H >(H (refl ??))
+          lapply (Hvalid_cons ptr')
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H' >(H' (refl ??)) #Hok @Hok
+     | 3: #fsz #H @H
+     | 4: #ty1 #ty2 #H @H ]
+| 6: cases (classify_cmp (typeof e1) (typeof e2))
+     normalize nodelta
+     [ 1: #sz #sg #H @H
+     | 2: #opt #ty
+          cases v1 normalize nodelta
+          [ 1: | 2: #sz #i | 3: #fl | 4: | 5: #ptr ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          cases v2 normalize nodelta
+          [ 1: | 2: #sz' #i' | 3: #fl' | 4: | 5: #ptr' ]
+          [ 1,2,3: #Habsurd destruct (Habsurd)
+          | 4: #H @H ]
+          lapply (Hvalid_cons ptr)
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr)
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H >(H (refl ??))
+          lapply (Hvalid_cons ptr')
+          cases (valid_pointer (mk_mem contents1 nextblocks1 Hnextpos1) ptr')
+          [ 2: #_ normalize #Habsurd destruct (Habsurd) ]
+          #H' >(H' (refl ??)) #Hok @Hok
+     | 3: #fsz #H @H
+     | 4: #ty1 #ty2 #H @H ]
 ] qed.
+lemma commutative_addition_n : ∀n,a,b. addition_n n a b = addition_n n b a.
+#n #a #b whd in match (addition_n ???) in ⊢ (??%%); >commutative_add_with_carries
+@refl
+qed.
+(* -------------------------------------------------------------------------- *)
+(* Associativity proof for addition_n. The proof relies on the observation
+ * that the two carries (inner and outer) in the associativity equation are not
+ * independent. In fact, the global carry can be encoded in a three-valued bits
+ * (versus 2 full bits, i.e. 4 possibilites, for two carries). *)
+inductive ternary : Type[0] ≝
+| Zero_carry : ternary
+| One_carry : ternary
+| Two_carry : ternary.
+definition carry_0 ≝ λcarry.
+    match carry with
+    [ Zero_carry ⇒ 〈false, Zero_carry〉
+    | One_carry ⇒ 〈true, Zero_carry〉
+    | Two_carry ⇒ 〈false, One_carry〉 ].
+definition carry_1 ≝ λcarry.
+    match carry with
+    [ Zero_carry ⇒ 〈true, Zero_carry〉
+    | One_carry ⇒ 〈false, One_carry〉
+    | Two_carry ⇒ 〈true, One_carry〉 ].
+definition carry_2 ≝ λcarry.
+    match carry with
+    [ Zero_carry ⇒ 〈false, One_carry〉
+    | One_carry ⇒ 〈true, One_carry〉
+    | Two_carry ⇒ 〈false, Two_carry〉 ].
+definition carry_3 ≝ λcarry.
+    match carry with
+    [ Zero_carry ⇒ 〈true, One_carry〉
+    | One_carry ⇒ 〈false, Two_carry〉
+    | Two_carry ⇒ 〈true, Two_carry〉 ].
+(* Count the number of true bits in {xa,xb,xc} and compute the new bit along the new carry,
+   according to the last one. *)
+definition ternary_carry_of ≝ λxa,xb,xc,carry.
+if xa then
+  if xb then
+    if xc then
+      carry_3 carry
+    else
+      carry_2 carry
+  else
+    if xc then
+      carry_2 carry
+    else
+      carry_1 carry
+else
+  if xb then
+    if xc then
+      carry_2 carry
+    else
+      carry_1 carry
+  else
+    if xc then
+      carry_1 carry
+    else
+      carry_0 carry.
+let rec canonical_add (n : nat) (a,b,c : BitVector n) (init : ternary) on a : (BitVector n × ternary) ≝
+match a in Vector return λsz.λ_. BitVector sz → BitVector sz → (BitVector sz × ternary) with
+[ VEmpty ⇒ λ_,_. 〈VEmpty ?, init〉
+| VCons sz' xa tla ⇒ λb',c'.
+  let xb ≝ head' … b' in
+  let xc ≝ head' … c' in
+  let tlb ≝ tail … b' in
+  let tlc ≝ tail … c' in
+  let 〈bits, last〉 ≝ canonical_add ? tla tlb tlc init in
+  let 〈bit, carry〉 ≝ ternary_carry_of xa xb xc last in
+  〈bit ::: bits, carry〉
+] b c.
+(* convert the classical carries (inner and outer) to ternary) *)
+definition carries_to_ternary ≝ λcarry1,carry2.
+  if carry1
+  then if carry2
+       then Two_carry
+       else One_carry
+  else if carry2
+       then One_carry
+       else Zero_carry.
+lemma add_with_carries_Sn : ∀n,a_hd,a_tl,b_hd,b_tl,carry.
+  add_with_carries (S n) (a_hd ::: a_tl) (b_hd ::: b_tl) carry =
+   (let 〈lower_bits,carries〉 ≝ add_with_carries n a_tl b_tl carry in
+    let last_carry ≝
+    match carries in Vector return λsz:ℕ.(λfoo:Vector bool sz.bool) with
+    [VEmpty⇒carry
+    |VCons (sz:ℕ) (cy:bool) (tl:(Vector bool sz))⇒cy]
+    in
+    if last_carry then
+      let bit   ≝ xorb (xorb a_hd b_hd) true in
+      let carry ≝ carry_of a_hd b_hd true in
+      〈bit:::lower_bits,carry:::carries〉
+    else
+      let bit ≝ xorb (xorb a_hd b_hd) false in
+      let carry ≝ carry_of a_hd b_hd false in
+      〈bit:::lower_bits,carry:::carries〉).
+#n #a_hd #a_tl #b_hd #b_tl #carry
+whd in match (add_with_carries ????);
+normalize nodelta
+<add_with_carries_unfold
+cases (add_with_carries n a_tl b_tl carry)
+#lower_bits #carries normalize nodelta
+elim n in a_tl b_tl lower_bits carries;
+[ 1: #a_tl #b_tl #lower_bits #carries
+     >(BitVector_O … carries) normalize nodelta
+     cases carry normalize nodelta
+     cases a_hd cases b_hd //
+| 2: #n' #Hind #a_tl #b_tl #lower_bits #carries
+     lapply (BitVector_Sn … carries) * #carries_hd * #carries_tl
+     #Heq >Heq normalize nodelta
+     cases carries_hd cases a_hd cases b_hd normalize nodelta
+     //
+] qed.
+(* Correction of [canonical_add], left side. Note the invariant on carries. *)
+lemma canonical_add_left : ∀n,carry1,carry2,a,b,c.
+  let 〈res_ab,flags_ab〉 ≝ add_with_carries n a b carry1 in
+  let 〈res_ab_c,flags_ab_c〉 ≝ add_with_carries n res_ab c carry2 in
+  let 〈res_canonical, last_carry〉 ≝ canonical_add ? a b c (carries_to_ternary carry1 carry2) in
+  res_ab_c = res_canonical
+  ∧ (match n return λx. BitVector x → BitVector x → Prop with
+     [ O ⇒ λ_.λ_. True
+     | S _ ⇒ λflags_ab',flags_ab_c'. carries_to_ternary (head' … flags_ab') (head' … flags_ab_c') = last_carry
+     ] flags_ab flags_ab_c).
+#n elim n
+[ 1: #carry1 #carry2 #a #b #c >(BitVector_O … a) >(BitVector_O … b) >(BitVector_O … c) try @conj try //
+| 2: #n' #Hind #carry1 #carry2 #a #b #c
+     elim (BitVector_Sn … a) #xa * #a' #Heq_a
+     elim (BitVector_Sn … b) #xb * #b' #Heq_b
+     elim (BitVector_Sn … c) #xc * #c' #Heq_c
+     lapply (Hind … carry1 carry2 a' b' c') -Hind
+     destruct >add_with_carries_Sn
+     elim (add_with_carries … a' b' carry1) #Hres_ab #Hflags_ab normalize nodelta
+     lapply Hflags_ab lapply Hres_ab lapply c' lapply b' lapply a'
+     -Hflags_ab -Hres_ab -c' -b' -a'
+     cases n'
+     [ 1: #a' #b' #c' #Hres_ab #Hflags_ab normalize nodelta
+          >(BitVector_O … a') >(BitVector_O … b') >(BitVector_O … c')
+          >(BitVector_O … Hres_ab) >(BitVector_O … Hflags_ab)
+          normalize nodelta #_
+          cases carry1 cases carry2 cases xa cases xb cases xc normalize @conj try //
+     | 2: #n' #a' #b' #c' #Hres_ab #Hflags_ab normalize nodelta
+          elim (BitVector_Sn … Hflags_ab) #hd_flags_ab * #tl_flags_ab #Heq_flags_ab >Heq_flags_ab
+          normalize nodelta
+          elim (BitVector_Sn … Hres_ab) #hd_res_ab * #tl_res_ab #Heq_res_ab >Heq_res_ab
+          cases hd_flags_ab in Heq_flags_ab; #Heq_flags_ab normalize nodelta
+          >add_with_carries_Sn
+          elim (add_with_carries (S n') (hd_res_ab:::tl_res_ab) c' carry2) #res_ab_c #flags_ab_c
+          normalize nodelta
+          elim (BitVector_Sn … flags_ab_c) #hd_flags_ab_c * #tl_flags_ab_c #Heq_flags_ab_c >Heq_flags_ab_c
+          normalize nodelta
+          cases hd_flags_ab_c in Heq_flags_ab_c; #Heq_flags_ab_c
+          normalize nodelta
+          whd in match (canonical_add (S (S ?)) ? ? ? ?);
+          whd in match (tail ???); whd in match (tail ???);
+          elim (canonical_add (S n') a' b' c' (carries_to_ternary carry1 carry2)) #res_canonical #last_carry normalize
+          * #Hres_ab_is_canonical #Hlast_carry <Hlast_carry normalize
+          >Hres_ab_is_canonical
+          cases xa cases xb cases xc try @conj try @refl
+     ]
+] qed.
+(* Symmetric. The two sides are most certainly doable in a single induction, but lazyness
+   prevails over style.  *)
+lemma canonical_add_right : ∀n,carry1,carry2,a,b,c.
+  let 〈res_bc,flags_bc〉 ≝ add_with_carries n b c carry1 in
+  let 〈res_a_bc,flags_a_bc〉 ≝ add_with_carries n a res_bc carry2 in
+  let 〈res_canonical, last_carry〉 ≝ canonical_add ? a b c (carries_to_ternary carry1 carry2) in
+  res_a_bc = res_canonical
+  ∧ (match n return λx. BitVector x → BitVector x → Prop with
+     [ O ⇒ λ_.λ_. True
+     | S _ ⇒ λflags_bc',flags_a_bc'. carries_to_ternary (head' … flags_bc') (head' … flags_a_bc') = last_carry
+     ] flags_bc flags_a_bc).
+#n elim n
+[ 1: #carry1 #carry2 #a #b #c >(BitVector_O … a) >(BitVector_O … b) >(BitVector_O … c) try @conj try //
+| 2: #n' #Hind #carry1 #carry2 #a #b #c
+     elim (BitVector_Sn … a) #xa * #a' #Heq_a
+     elim (BitVector_Sn … b) #xb * #b' #Heq_b
+     elim (BitVector_Sn … c) #xc * #c' #Heq_c
+     lapply (Hind … carry1 carry2 a' b' c') -Hind
+     destruct >add_with_carries_Sn
+     elim (add_with_carries … b' c' carry1) #Hres_bc #Hflags_bc normalize nodelta
+     lapply Hflags_bc lapply Hres_bc lapply c' lapply b' lapply a'
+     -Hflags_bc -Hres_bc -c' -b' -a'
+     cases n'
+     [ 1: #a' #b' #c' #Hres_bc #Hflags_bc normalize nodelta
+          >(BitVector_O … a') >(BitVector_O … b') >(BitVector_O … c')
+          >(BitVector_O … Hres_bc) >(BitVector_O … Hflags_bc)
+          normalize nodelta #_
+          cases carry1 cases carry2 cases xa cases xb cases xc normalize @conj try //
+     | 2: #n' #a' #b' #c' #Hres_bc #Hflags_bc normalize nodelta
+          elim (BitVector_Sn … Hflags_bc) #hd_flags_bc * #tl_flags_bc #Heq_flags_bc >Heq_flags_bc
+          normalize nodelta
+          elim (BitVector_Sn … Hres_bc) #hd_res_bc * #tl_res_bc #Heq_res_bc >Heq_res_bc
+          cases hd_flags_bc in Heq_flags_bc; #Heq_flags_bc normalize nodelta
+          >add_with_carries_Sn
+          elim (add_with_carries (S n') a' (hd_res_bc:::tl_res_bc) carry2) #res_a_bc #flags_a_bc
+          normalize nodelta
+          elim (BitVector_Sn … flags_a_bc) #hd_flags_a_bc * #tl_flags_a_bc #Heq_flags_a_bc >Heq_flags_a_bc
+          normalize nodelta
+          cases (hd_flags_a_bc) in Heq_flags_a_bc; #Heq_flags_a_bc
+          whd in match (canonical_add (S (S ?)) ????);
+          whd in match (tail ???); whd in match (tail ???);
+          elim (canonical_add (S n') a' b' c' (carries_to_ternary carry1 carry2)) #res_canonical #last_carry normalize
+          * #Hres_bc_is_canonical #Hlast_carry <Hlast_carry normalize
+          >Hres_bc_is_canonical
+          cases xa cases xb cases xc try @conj try @refl
+     ]
+] qed.
+(* Note that we prove a result more general that just associativity: we can vary the carries. *)
+lemma associative_add_with_carries :
+  ∀n,carry1,carry2,a,b,c.
+  (\fst (add_with_carries n a (let 〈res,flags〉 ≝ add_with_carries n b c carry1 in res) carry2))
+   =
+  (\fst (add_with_carries n (let 〈res,flags〉 ≝ add_with_carries n a b carry1 in res) c carry2)).
+#n cases n
+[ 1: #carry1 #carry2 #a #b #c
+      >(BitVector_O … a) >(BitVector_O … b) >(BitVector_O … c)
+      normalize try @refl
+| 2: #n' #carry1 #carry2 #a #b #c
+     lapply (canonical_add_left … carry1 carry2 a b c)
+     lapply (canonical_add_right … carry1 carry2 a b c)
+     normalize nodelta
+     elim (add_with_carries (S n') b c carry1) #res_bc #flags_bc
+     elim (add_with_carries (S n') a b carry1) #res_ab #flags_ab
+     normalize nodelta
+     elim (add_with_carries (S n') a res_bc carry2) #res_a_bc #flags_a_bc
+     normalize nodelta
+     elim (add_with_carries (S n') res_ab c carry2) #res_ab_c #flags_ab_c
+     normalize nodelta
+     cases (canonical_add ? a b c (carries_to_ternary carry1 carry2)) #canonical_bits #last_carry
+     normalize nodelta
+     * #HA #HB * #HC #HD destruct @refl
+] qed.
+(* This closes the proof of associativity for bitvector addition. *)
+lemma associative_addition_n : ∀n,a,b,c. addition_n n a (addition_n n b c) = addition_n n (addition_n n a b) c.
+#n #a #b #c
+whd in match (addition_n ???) in ⊢ (??%%);
+whd in match (addition_n n b c);
+whd in match (addition_n n a b);
+lapply (associative_add_with_carries … false false a b c)
+elim (add_with_carries n b c false) #bc_bits #bc_flags
+elim (add_with_carries n a b false) #ab_bits #ab_flags
+normalize nodelta
+elim (add_with_carries n a bc_bits false) #a_bc_bits #a_bc_flags
+elim (add_with_carries n ab_bits c false) #ab_c_bits #ab_c_flags
+normalize
+#H @H
+qed.
+(* value_eq lifts to addition *)
+lemma add_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   (* memory_inj E m1 m2 →  This injection seems useless TODO *)
+   ∀r1. (sem_add v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_add v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #n #ty #sz #sg | 4: #n #sz #sg #ty | 5: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 2,3,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7,9: #Habsurd destruct (Habsurd) ]
+     [ 1: @intsize_eq_elim_elim
+          [ 1: #_ #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta
+               #Heq destruct (Heq)
+               /3 by ex_intro, conj, vint_eq/ ]
+     | 2: @eq_bv_elim normalize nodelta #Heq1 #Heq2 destruct
+          /3 by ex_intro, conj, vint_eq/
+     | 3: #Heq destruct (Heq)
+          normalize in Hembed'; elim p1' in Hembed'; #b1' #o1' normalize nodelta #Hembed
+          %{(Vptr (shift_pointer_n (bitsize_of_intsize sz) p2' (sizeof ty) i))} @conj try @refl
+          @vptr_eq whd in match (pointer_translation ??);
+          cases (E b1') in Hembed;
+          [ 1: normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd)
+          | 2: * #block #offset normalize nodelta #Heq destruct (Heq)
+               whd in match (shift_pointer_n ????);
+               cut (offset_plus (shift_offset_n (bitsize_of_intsize sz) o1' (sizeof ty) i) offset =
+                    (shift_offset_n (bitsize_of_intsize sz) (mk_offset (addition_n ? (offv o1') (offv offset))) (sizeof ty) i))
+               [ 1: whd in match (offset_plus ??);
+                    whd in match (shift_offset_n ????) in ⊢ (??%%);
+                    >commutative_addition_n >associative_addition_n
+                    <(commutative_addition_n … (offv offset) (offv o1')) @refl ]
+               #Heq >Heq @refl ]
+     ]
+| 3: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @eq_bv_elim
+     [ 1: normalize nodelta #Heq1 #Heq2 destruct /3 by ex_intro, conj, vnull_eq/
+     | 2: #_ normalize nodelta #Habsurd destruct (Habsurd) ]
+| 5: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     %{(Vptr (shift_pointer_n (bitsize_of_intsize sz') p2 (sizeof ty) i'))} @conj try @refl
+     @vptr_eq whd in match (pointer_translation ??) in Hembed ⊢ %;
+     elim p1 in Hembed; #b1 #o1 normalize nodelta
+     cases (E b1)
+     [ 1: normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd)
+     | 2: * #block #offset normalize nodelta #Heq destruct (Heq)
+          whd in match (shift_pointer_n ????);
+          whd in match (shift_offset_n ????) in ⊢ (??%%);
+          whd in match (offset_plus ??);
+          whd in match (offset_plus ??);
+          >commutative_addition_n >(associative_addition_n … offset_size ?)
+          >(commutative_addition_n ? (offv offset) ?) @refl
+     ]
+] qed.
+lemma map_Sn : ∀A,B:Type[0].∀n,f,hd.∀tl:Vector A n.
+  map A B (S n) f (hd ::: tl) = (f hd) ::: (map A B n f tl).
+#A #B #n #f #hd #tl normalize @refl qed.
+lemma replicate_Sn : ∀A,sz,elt.
+  replicate A (S sz) elt = elt ::: (replicate A sz elt).
+// qed.
+lemma zero_Sn : ∀n. zero (S n) = false ::: (zero n). // qed.
+lemma negation_bv_Sn : ∀n. ∀xa. ∀a : BitVector n. negation_bv … (xa ::: a) = (notb xa) ::: (negation_bv … a).
+#n #xa #a normalize @refl qed.
+(* useful facts on xorb *)
+lemma xorb_neg : ∀a,b. notb (xorb a b) = xorb a (notb b). * * @refl qed.
+lemma xorb_false : ∀a. xorb a false = a. * @refl qed.
+lemma xorb_true : ∀a. xorb a true = (¬a). * @refl qed.
+lemma xorb_comm : ∀a,b. xorb a b = xorb b a. * * @refl qed.
+lemma xorb_assoc : ∀a,b,c. xorb a (xorb b c) = xorb (xorb a b) c. * * * @refl qed.
+lemma xorb_lneg : ∀a,b. xorb (¬a) b = (¬xorb a b). * * @refl qed.
+lemma xorb_rneg : ∀a,b. xorb a (¬b) = (¬xorb a b). * * @refl qed.
+lemma xorb_inj : ∀a,b,c. xorb a b = xorb a c ↔ b = c. * * * @conj try // normalize try // qed.
+(* useful facts on carry_of *)
+lemma carry_of_TT : ∀x. carry_of true true x = true. // qed.
+lemma carry_of_TF : ∀x. carry_of true false x = x. // qed.
+lemma carry_of_FF : ∀x. carry_of false false x = false. // qed.
+lemma carry_of_lcomm : ∀x,y,z. carry_of x y z = carry_of y x z. * * * // qed.
+lemma carry_of_rcomm : ∀x,y,z. carry_of x y z = carry_of x z y. * * * // qed.
+(* useful facts on various boolean operations *)
+lemma andb_lsimpl_true : ∀x. andb true x = x. // qed.
+lemma andb_lsimpl_false : ∀x. andb false x = false. normalize // qed.
+lemma andb_comm : ∀x,y. andb x y = andb y x. // qed.
+lemma notb_true : notb true = false. // qed.
+lemma notb_false : notb false = true. % #H destruct qed.
+lemma notb_fold : ∀x. if x then false else true = (¬x). // qed.
+(*
+let rec one_bv (n : nat) on n : BitVector n ≝
+match n return λx. BitVector x with
+[ O ⇒ [[]]
+| S x' ⇒
+  match x' return λx. x = x' → BitVector (S x) with
+  [ O ⇒ λ_. [[true]]
+  | S x ⇒ λH. ? ] (refl ? x') ].
+>H @(false ::: (one_bv x'))
+qed.
+*)
+definition one_bv ≝ λn. (\fst (add_with_carries … (zero n) (zero n) true)).
+lemma one_bv_Sn_aux : ∀n. ∀bits,flags : BitVector (S n).
+    add_with_carries … (zero (S n)) (zero (S n)) true = 〈bits, flags〉 →
+    add_with_carries … (zero (S (S n))) (zero (S (S n))) true = 〈false ::: bits, false ::: flags〉.
+#n elim n
+[ 1: #bits #flags elim (BitVector_Sn … bits) #hd_bits * #tl_bits #Heq_bits
+     elim (BitVector_Sn … flags) #hd_flags * #tl_flags #Heq_flags
+     >(BitVector_O … tl_flags) >(BitVector_O … tl_bits)
+     normalize #Heq destruct (Heq) @refl
+| 2: #n' #Hind #bits #flags elim (BitVector_Sn … bits) #hd_bits * #tl_bits #Heq_bits
+     destruct #Hind >add_with_carries_Sn >replicate_Sn
+     whd in match (zero ?) in Hind; lapply Hind
+     elim (add_with_carries (S (S n'))
+            (false:::replicate bool (S n') false)
+            (false:::replicate bool (S n') false) true) #bits #flags #Heq destruct
+            normalize >add_with_carries_Sn in Hind;
+     elim (add_with_carries (S n') (replicate bool (S n') false)
+                    (replicate bool (S n') false) true) #flags' #bits'
+     normalize
+     cases (match bits' in Vector return λsz:ℕ.(λfoo:Vector bool sz.bool) with
+            [VEmpty⇒true|VCons (sz:ℕ)   (cy:bool)   (tl:(Vector bool sz))⇒cy])
+     normalize #Heq destruct @refl
+] qed.
+lemma one_bv_Sn : ∀n. one_bv (S (S n)) = false ::: (one_bv (S n)).
+#n lapply (one_bv_Sn_aux n)
+whd in match (one_bv ?) in ⊢ (? → (??%%));
+elim (add_with_carries (S n) (zero (S n)) (zero (S n)) true) #bits #flags
+#H lapply (H bits flags (refl ??)) #H2 >H2 @refl
+qed.
+lemma increment_to_addition_n_aux : ∀n. ∀a : BitVector n.
+    add_with_carries ? a (zero n) true = add_with_carries ? a (one_bv n) false.
+#n
+elim n
+[ 1: #a >(BitVector_O … a) normalize @refl
+| 2: #n' cases n'
+     [ 1: #Hind #a elim (BitVector_Sn ? a) #xa * #tl #Heq destruct
+          >(BitVector_O … tl) normalize cases xa @refl
+     | 2: #n'' #Hind #a elim (BitVector_Sn ? a) #xa * #tl #Heq destruct
+          >one_bv_Sn >zero_Sn
+          lapply (Hind tl)
+          >add_with_carries_Sn >add_with_carries_Sn
+          #Hind >Hind elim (add_with_carries (S n'') tl (one_bv (S n'')) false) #bits #flags
+          normalize nodelta elim (BitVector_Sn … flags) #flags_hd * #flags_tl #Hflags_eq >Hflags_eq
+          normalize nodelta @refl
+] qed.
+(* In order to use associativity on increment, we hide it under addition_n. *)
+lemma increment_to_addition_n : ∀n. ∀a : BitVector n. increment ? a = addition_n ? a (one_bv n).
+#n
+whd in match (increment ??) in ⊢ (∀_.??%?);
+whd in match (addition_n ???) in ⊢ (∀_.???%);
+#a lapply (increment_to_addition_n_aux n a)
+#Heq >Heq cases (add_with_carries n a (one_bv n) false) #bits #flags @refl
+qed.
+(* Explicit formulation of addition *)
+(* Explicit formulation of the last carry bit *)
+let rec ith_carry (n : nat) (a,b : BitVector n) (init : bool) on n : bool ≝
+match n return λx. BitVector x → BitVector x → bool with
+[ O ⇒ λ_,_. init
+| S x ⇒ λa',b'.
+  let hd_a ≝ head' … a' in
+  let hd_b ≝ head' … b' in
+  let tl_a ≝ tail … a' in
+  let tl_b ≝ tail … b' in
+  carry_of hd_a hd_b (ith_carry x tl_a tl_b init)
+] a b.
+lemma ith_carry_unfold : ∀n. ∀init. ∀a,b : BitVector (S n).
+  ith_carry ? a b init = (carry_of (head' … a) (head' … b) (ith_carry ? (tail … a) (tail … b) init)).
+#n #init #a #b @refl qed.
+lemma ith_carry_Sn : ∀n. ∀init. ∀xa,xb. ∀a,b : BitVector n.
+  ith_carry ? (xa ::: a) (xb ::: b) init = (carry_of xa xb (ith_carry ? a b init)). // qed.
+(* correction of [ith_carry] *)
+lemma ith_carry_ok : ∀n. ∀init. ∀a,b,res_ab,flags_ab : BitVector (S n).
+  〈res_ab,flags_ab〉 = add_with_carries ? a b init →
+  head' … flags_ab = ith_carry ? a b init.
+#n elim n
+[ 1: #init #a #b #res_ab #flags_ab
+     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
+     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
+     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
+     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
+     destruct
+     >(BitVector_O … tl_a) >(BitVector_O … tl_b)
+     cases hd_a cases hd_b cases init normalize #Heq destruct (Heq)
+     @refl
+| 2: #n' #Hind #init #a #b #res_ab #flags_ab
+     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
+     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
+     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
+     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
+     destruct
+     lapply (Hind … init tl_a tl_b tl_res tl_flags)
+     >add_with_carries_Sn >(ith_carry_Sn (S n'))
+     elim (add_with_carries (S n') tl_a tl_b init) #res_ab #flags_ab
+     elim (BitVector_Sn … flags_ab) #hd_flags_ab * #tl_flags_ab #Heq_flags_ab >Heq_flags_ab
+     normalize nodelta cases hd_flags_ab normalize nodelta
+     whd in match (head' ? (S n') ?); #H1 #H2
+     destruct (H2) lapply (H1 (refl ??)) whd in match (head' ???); #Heq <Heq @refl
+] qed.
+(* Explicit formulation of ith bit of an addition, with explicit initial carry bit. *)
+definition ith_bit ≝ λ(n : nat).λ(a,b : BitVector n).λinit.
+match n return λx. BitVector x → BitVector x → bool with
+[ O ⇒ λ_,_. init
+| S x ⇒ λa',b'.
+  let hd_a ≝ head' … a' in
+  let hd_b ≝ head' … b' in
+  let tl_a ≝ tail … a' in
+  let tl_b ≝ tail … b' in
+  xorb (xorb hd_a hd_b) (ith_carry x tl_a tl_b init)
+] a b.
+lemma ith_bit_unfold : ∀n. ∀init. ∀a,b : BitVector (S n).
+  ith_bit ? a b init =  xorb (xorb (head' … a) (head' … b)) (ith_carry ? (tail … a) (tail … b) init).
+#n #a #b // qed.
+lemma ith_bit_Sn : ∀n. ∀init. ∀xa,xb. ∀a,b : BitVector n.
+  ith_bit ? (xa ::: a) (xb ::: b) init =  xorb (xorb xa xb) (ith_carry ? a b init). // qed.
+(* correction of ith_bit *)
+lemma ith_bit_ok : ∀n. ∀init. ∀a,b,res_ab,flags_ab : BitVector (S n).
+  〈res_ab,flags_ab〉 = add_with_carries ? a b init →
+  head' … res_ab = ith_bit ? a b init.
+#n
+cases n
+[ 1: #init #a #b #res_ab #flags_ab
+     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
+     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
+     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
+     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
+     destruct
+     >(BitVector_O … tl_a) >(BitVector_O … tl_b)
+     >(BitVector_O … tl_flags) >(BitVector_O … tl_res)
+     normalize cases init cases hd_a cases hd_b normalize #Heq destruct @refl
+| 2: #n' #init #a #b #res_ab #flags_ab
+     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
+     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
+     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
+     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
+     destruct
+     lapply (ith_carry_ok … init tl_a tl_b tl_res tl_flags)
+     #Hcarry >add_with_carries_Sn elim (add_with_carries ? tl_a tl_b init) in Hcarry;
+     #res #flags normalize nodelta elim (BitVector_Sn … flags) #hd_flags' * #tl_flags' #Heq_flags'
+     >Heq_flags' normalize nodelta cases hd_flags' normalize nodelta #H1 #H2 destruct (H2)
+     cases hd_a cases hd_b >ith_bit_Sn whd in match (head' ???) in H1 ⊢ %;
+     <(H1 (refl ??)) @refl
+] qed.
+(* Transform a function from bit-vectors to bits into a vector by folding *)
+let rec bitvector_fold (n : nat) (v : BitVector n) (f : ∀sz. BitVector sz → bool) on v : BitVector n ≝
+match v with
+[ VEmpty ⇒ VEmpty ?
+| VCons sz elt tl ⇒
+  let bit ≝ f ? v in
+  bit ::: (bitvector_fold ? tl f)
+].
+(* Two-arguments version *)
+let rec bitvector_fold2 (n : nat) (v1, v2 : BitVector n) (f : ∀sz. BitVector sz → BitVector sz → bool) on v1 : BitVector n ≝
+match v1  with
+[ VEmpty ⇒ λ_. VEmpty ?
+| VCons sz elt tl ⇒ λv2'.
+  let bit ≝ f ? v1 v2 in
+  bit ::: (bitvector_fold2 ? tl (tail … v2') f)
+] v2.
+lemma bitvector_fold2_Sn : ∀n,x1,x2,v1,v2,f.
+  bitvector_fold2 (S n) (x1 ::: v1) (x2 ::: v2) f = (f ? (x1 ::: v1) (x2 ::: v2)) ::: (bitvector_fold2 … v1 v2 f). // qed.
+(* These functions pack all the relevant information (including carries) directly. *)
+definition addition_n_direct ≝ λn,v1,v2,init. bitvector_fold2 n v1 v2 (λn,v1,v2. ith_bit n v1 v2 init).
+lemma addition_n_direct_Sn : ∀n,x1,x2,v1,v2,init.
+  addition_n_direct (S n) (x1 ::: v1) (x2 ::: v2) init = (ith_bit ? (x1 ::: v1) (x2 ::: v2) init) ::: (addition_n_direct … v1 v2 init). // qed.
+lemma tail_Sn : ∀n. ∀x. ∀a : BitVector n. tail … (x ::: a) = a. // qed.
+(* Prove the equivalence of addition_n_direct with add_with_carries *)
+lemma addition_n_direct_ok : ∀n,carry,v1,v2.
+  (\fst (add_with_carries n v1 v2 carry)) = addition_n_direct n v1 v2 carry.
+#n elim n
+[ 1: #carry #v1 #v2 >(BitVector_O … v1) >(BitVector_O … v2) normalize @refl
+| 2: #n' #Hind #carry #v1 #v2
+     elim (BitVector_Sn … v1) #hd1 * #tl1 #Heq1
+     elim (BitVector_Sn … v2) #hd2 * #tl2 #Heq2
+     lapply (Hind carry tl1 tl2)
+     lapply (ith_bit_ok ? carry v1 v2)
+     lapply (ith_carry_ok ? carry v1 v2)
+     destruct
+     #Hind >addition_n_direct_Sn
+     >ith_bit_Sn >add_with_carries_Sn
+     elim (add_with_carries n' tl1 tl2 carry) #bits #flags normalize nodelta
+     cases (match flags in Vector return λsz:ℕ.(λfoo:Vector bool sz.bool) with
+            [VEmpty⇒carry|VCons (sz:ℕ)   (cy:bool)   (tl:(Vector bool sz))⇒cy])
+     normalize nodelta #Hcarry' lapply (Hcarry' ?? (refl ??))
+     whd in match head'; normalize nodelta
+     #H1 #H2 >H1 >H2 @refl
+] qed.
+(* trivially lift associativity to our new setting *)
+lemma associative_addition_n_direct : ∀n. ∀carry1,carry2. ∀v1,v2,v3 : BitVector n.
+  addition_n_direct ? (addition_n_direct ? v1 v2 carry1) v3 carry2 =
+  addition_n_direct ? v1 (addition_n_direct ? v2 v3 carry1) carry2.
+#n #carry1 #carry2 #v1 #v2 #v3
+<addition_n_direct_ok <addition_n_direct_ok
+<addition_n_direct_ok <addition_n_direct_ok
+lapply (associative_add_with_carries … carry1 carry2 v1 v2 v3)
+elim (add_with_carries n v2 v3 carry1) #bits #carries normalize nodelta
+elim (add_with_carries n v1 v2 carry1) #bits' #carries' normalize nodelta
+#H @(sym_eq … H)
+qed.
+lemma commutative_addition_n_direct : ∀n. ∀v1,v2 : BitVector n.
+  addition_n_direct ? v1 v2 false = addition_n_direct ? v2 v1 false.
+#n #v1 #v2 /by associative_addition_n, addition_n_direct_ok/
+qed.
+definition increment_direct ≝ λn,v. addition_n_direct n v (one_bv ?) false.
+definition twocomp_neg_direct ≝ λn,v. increment_direct n (negation_bv n v).
+(* fold andb on a bitvector. *)
+let rec andb_fold (n : nat) (b : BitVector n) on b : bool ≝
+match b with
+[ VEmpty ⇒ true
+| VCons sz elt tl ⇒
+  andb elt (andb_fold ? tl)
+].
+lemma andb_fold_Sn : ∀n. ∀x. ∀b : BitVector n. andb_fold (S n) (x ::: b) = andb x (andb_fold … n b). // qed.
+lemma andb_fold_inversion : ∀n. ∀elt,x. andb_fold (S n) (elt ::: x) = true → elt = true ∧ andb_fold n x = true.
+#n #elt #x cases elt normalize #H @conj destruct (H) try assumption @refl
+qed.
+lemma ith_increment_carry : ∀n. ∀a : BitVector (S n).
+  ith_carry … a (one_bv ?) false = andb_fold … a.
+#n elim n
+[ 1: #a elim (BitVector_Sn … a) #hd * #tl #Heq >Heq >(BitVector_O … tl)
+     cases hd normalize @refl
+| 2: #n' #Hind #a
+     elim (BitVector_Sn … a) #hd * #tl #Heq >Heq
+     lapply (Hind … tl) #Hind >one_bv_Sn
+     >ith_carry_Sn whd in match (andb_fold ??);
+     cases hd >Hind @refl
+] qed.
+lemma ith_increment_bit : ∀n. ∀a : BitVector (S n).
+  ith_bit … a (one_bv ?) false = xorb (head' … a) (andb_fold … (tail … a)).
+#n #a
+elim (BitVector_Sn … a) #hd * #tl #Heq >Heq
+whd in match (head' ???);
+-a cases n in tl;
+[ 1: #tl >(BitVector_O … tl) cases hd normalize try //
+| 2: #n' #tl >one_bv_Sn >ith_bit_Sn
+     >ith_increment_carry >tail_Sn
+     cases hd try //
+] qed.
+(* Lemma used to prove involutivity of two-complement negation *)
+lemma twocomp_neg_involutive_aux : ∀n. ∀v : BitVector (S n).
+   (andb_fold (S n) (negation_bv (S n) v) =
+    andb_fold (S n) (negation_bv (S n) (addition_n_direct (S n) (negation_bv (S n) v) (one_bv (S n)) false))).
+#n elim n
+[ 1: #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq >(BitVector_O … tl) cases hd @refl
+| 2: #n' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
+     lapply (Hind tl) -Hind #Hind >negation_bv_Sn >one_bv_Sn >addition_n_direct_Sn
+     >andb_fold_Sn >ith_bit_Sn >negation_bv_Sn >andb_fold_Sn <Hind
+     cases hd normalize nodelta
+     [ 1: >xorb_false >(xorb_comm false ?) >xorb_false
+     | 2: >xorb_false >(xorb_comm true ?) >xorb_true ]
+     >ith_increment_carry
+     cases (andb_fold (S n') (negation_bv (S n') tl)) @refl
+] qed.
+(* Test of the 'direct' approach: proof of the involutivity of two-complement negation. *)
+lemma twocomp_neg_involutive : ∀n. ∀v : BitVector n. twocomp_neg_direct ? (twocomp_neg_direct ? v) = v.
+#n elim n
+[ 1: #v >(BitVector_O v) @refl
+| 2: #n' cases n'
+     [ 1: #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
+          >(BitVector_O … tl) normalize cases hd @refl
+     | 2: #n'' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
+          lapply (Hind tl) -Hind #Hind <Hind in ⊢ (???%);
+          whd in match twocomp_neg_direct; normalize nodelta
+          whd in match increment_direct; normalize nodelta
+          >(negation_bv_Sn ? hd tl) >one_bv_Sn >(addition_n_direct_Sn ? (¬hd) false ??)
+          >ith_bit_Sn >negation_bv_Sn >addition_n_direct_Sn >ith_bit_Sn
+          generalize in match (addition_n_direct (S n'')
+                                                   (negation_bv (S n'')
+                                                   (addition_n_direct (S n'') (negation_bv (S n'') tl) (one_bv (S n'')) false))
+                                                   (one_bv (S n'')) false); #tail
+          >ith_increment_carry >ith_increment_carry
+          cases hd normalize nodelta
+          [ 1: normalize in match (xorb false false); >(xorb_comm false ?) >xorb_false >xorb_false
+          | 2: normalize in match (xorb true false); >(xorb_comm true ?) >xorb_true >xorb_false ]
+          <twocomp_neg_involutive_aux
+          cases (andb_fold (S n'') (negation_bv (S n'') tl)) @refl
+      ]
+] qed.
+lemma bitvector_cons_inj_inv : ∀n. ∀a,b. ∀va,vb : BitVector n. a ::: va = b ::: vb → a =b ∧ va = vb.
+#n #a #b #va #vb #H destruct (H) @conj @refl qed.
+lemma bitvector_cons_eq : ∀n. ∀a,b. ∀v : BitVector n. a = b → a ::: v = b ::: v. // qed.
+(* Injectivity of increment *)
+lemma increment_inj : ∀n. ∀a,b : BitVector n.
+  increment_direct ? a = increment_direct ? b →
+  a = b ∧ (ith_carry n a (one_bv n) false = ith_carry n b (one_bv n) false).
+#n whd in match increment_direct; normalize nodelta elim n
+[ 1: #a #b >(BitVector_O … a) >(BitVector_O … b) normalize #_ @conj //
+| 2: #n' cases n'
+   [ 1: #_ #a #b
+        elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a >Heq_a
+        elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b >Heq_b
+        >(BitVector_O … tl_a) >(BitVector_O … tl_b) cases hd_a cases hd_b
+        normalize #H @conj try //
+   | 2: #n'' #Hind #a #b
+        elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a >Heq_a
+        elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b >Heq_b
+        lapply (Hind … tl_a tl_b) -Hind #Hind
+        >one_bv_Sn >addition_n_direct_Sn >ith_bit_Sn
+        >addition_n_direct_Sn >ith_bit_Sn >xorb_false >xorb_false
+        #H elim (bitvector_cons_inj_inv … H) #Heq1 #Heq2
+        lapply (Hind Heq2) * #Heq3 #Heq4
+        cut (hd_a = hd_b)
+        [ 1: >Heq4 in Heq1; #Heq5 lapply (xorb_inj (ith_carry ? tl_b (one_bv ?) false) hd_a hd_b)
+             * #Heq6 #_ >xorb_comm in Heq6; >(xorb_comm  ? hd_b) #Heq6 >(Heq6 Heq5)
+             @refl ]
+        #Heq5 @conj [ 1: >Heq3 >Heq5 @refl ]
+        >ith_carry_Sn >ith_carry_Sn >Heq4 >Heq5 @refl
+] qed.
+(* Inverse of injecivity of increment, does not lose information (cf increment_inj) *)
+lemma increment_inj_inv : ∀n. ∀a,b : BitVector n.
+  a = b → increment_direct ? a = increment_direct ? b. // qed.
+lemma carry_notb : ∀a,b,c. notb (carry_of a b c) = carry_of (notb a) (notb b) (notb c). * * * @refl qed.
+lemma increment_to_carry_aux : ∀n. ∀a : BitVector (S n).
+   ith_carry (S n) a (one_bv (S n)) false
+   = ith_carry (S n) a (zero (S n)) true.
+#n elim n
+[ 1: #a elim (BitVector_Sn ? a) #hd_a * #tl_a #Heq >Heq >(BitVector_O … tl_a) @refl
+| 2: #n' #Hind #a elim (BitVector_Sn ? a) #hd_a * #tl_a #Heq >Heq
+     lapply (Hind tl_a) #Hind
+     >one_bv_Sn >zero_Sn >ith_carry_Sn >ith_carry_Sn >Hind @refl
+] qed.
+lemma neutral_addition_n_direct_aux : ∀n. ∀v. ith_carry n v (zero n) false = false.
+#n elim n //
+#n' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq >zero_Sn
+>ith_carry_Sn >(Hind tl) cases hd @refl.
+qed.
+lemma neutral_addition_n_direct : ∀n. ∀v : BitVector n.
+  addition_n_direct ? v (zero ?) false = v.
+#n elim n
+[ 1: #v >(BitVector_O … v) normalize @refl
+| 2: #n' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
+     lapply (Hind … tl) #H >zero_Sn >addition_n_direct_Sn
+     >ith_bit_Sn >H >xorb_false >neutral_addition_n_direct_aux
+     >xorb_false @refl
+] qed.
+lemma increment_to_carry_zero : ∀n. ∀a : BitVector n. addition_n_direct ? a (one_bv ?) false = addition_n_direct ? a (zero ?) true.
+#n elim n
+[ 1: #a >(BitVector_O … a) normalize @refl
+| 2: #n' cases n'
+     [ 1: #_ #a elim (BitVector_Sn … a) #hd_a * #tl_a #Heq >Heq >(BitVector_O … tl_a) cases hd_a @refl
+     | 2: #n'' #Hind #a
+          elim (BitVector_Sn … a) #hd_a * #tl_a #Heq >Heq
+          lapply (Hind tl_a) -Hind #Hind
+          >one_bv_Sn >zero_Sn >addition_n_direct_Sn >ith_bit_Sn
+          >addition_n_direct_Sn >ith_bit_Sn
+          >xorb_false >Hind @bitvector_cons_eq
+          >increment_to_carry_aux @refl
+     ]
+] qed.
+lemma increment_to_carry : ∀n. ∀a,b : BitVector n.
+  addition_n_direct ? a (addition_n_direct ? b (one_bv ?) false) false = addition_n_direct ? a b true.
+#n #a #b >increment_to_carry_zero <associative_addition_n_direct
+>neutral_addition_n_direct @refl
+qed.
+(* Prove -(a + b) = -a + -b *)
+lemma twocomp_neg_plus : ∀n. ∀a,b : BitVector n.
+  twocomp_neg_direct ? (addition_n_direct ? a b false) = addition_n_direct ? (twocomp_neg_direct … a) (twocomp_neg_direct … b) false.
+whd in match twocomp_neg_direct; normalize nodelta
+lapply increment_inj_inv
+whd in match increment_direct; normalize nodelta
+#H #n #a #b
+<associative_addition_n_direct @H
+>associative_addition_n_direct >(commutative_addition_n_direct ? (one_bv n))
+>increment_to_carry
+-H lapply b lapply a -b -a
+cases n
+[ 1: #a #b >(BitVector_O … a) >(BitVector_O … b) @refl
+| 2: #n' #a #b
+     cut (negation_bv ? (addition_n_direct ? a b false)
+           = addition_n_direct ? (negation_bv ? a) (negation_bv ? b) true ∧
+          notb (ith_carry ? a b false) = (ith_carry ? (negation_bv ? a) (negation_bv ? b) true))
+     [ -n lapply b lapply a elim n'
+     [ 1: #a #b elim (BitVector_Sn … a) #hd_a * #tl_a #Heqa >Heqa >(BitVector_O … tl_a)
+          elim (BitVector_Sn … b) #hd_b * #tl_b #Heqb >Heqb >(BitVector_O … tl_b)
+          cases hd_a cases hd_b normalize @conj @refl
+     | 2: #n #Hind #a #b
+          elim (BitVector_Sn … a) #hd_a * #tl_a #Heqa >Heqa
+          elim (BitVector_Sn … b) #hd_b * #tl_b #Heqb >Heqb
+          lapply (Hind tl_a tl_b) * #H1 #H2
+          @conj
+          [ 2: >ith_carry_Sn >negation_bv_Sn >negation_bv_Sn >ith_carry_Sn
+               >carry_notb >H2 @refl
+          | 1: >addition_n_direct_Sn >ith_bit_Sn >negation_bv_Sn
+               >negation_bv_Sn >negation_bv_Sn
+               >addition_n_direct_Sn >ith_bit_Sn >H1 @bitvector_cons_eq
+               >xorb_lneg >xorb_rneg >notb_notb
+               <xorb_rneg >H2 @refl
+          ]
+      ] ]
+      * #H1 #H2 @H1
+] qed.
+lemma addition_n_direct_neg : ∀n. ∀a.
+ (addition_n_direct n a (negation_bv n a) false) = replicate ?? true
+ ∧ (ith_carry n a (negation_bv n a) false = false).
+#n elim n
+[ 1: #a >(BitVector_O … a) @conj @refl
+| 2: #n' #Hind #a elim (BitVector_Sn … a) #hd * #tl #Heq >Heq
+     lapply (Hind … tl) -Hind * #HA #HB
+     @conj
+     [ 2: >negation_bv_Sn >ith_carry_Sn >HB cases hd @refl
+     | 1: >negation_bv_Sn >addition_n_direct_Sn
+          >ith_bit_Sn >HB >xorb_false >HA
+          @bitvector_cons_eq elim hd @refl
+     ]
+] qed.
+(* -a + a = 0 *)
+lemma bitvector_opp_direct : ∀n. ∀a : BitVector n. addition_n_direct ? a (twocomp_neg_direct ? a) false = (zero ?).
+whd in match twocomp_neg_direct;
+whd in match increment_direct;
+normalize nodelta
+#n #a <associative_addition_n_direct
+elim (addition_n_direct_neg … a) #H #_ >H
+-H -a
+cases n try //
+#n'
+cut ((addition_n_direct (S n') (replicate bool ? true) (one_bv ?) false = (zero (S n')))
+       ∧ (ith_carry ? (replicate bool (S n') true) (one_bv (S n')) false = true))
+[ elim n'
+     [ 1: @conj @refl
+     | 2: #n' * #HA #HB @conj
+          [ 1: >replicate_Sn >one_bv_Sn  >addition_n_direct_Sn
+               >ith_bit_Sn >HA >zero_Sn @bitvector_cons_eq >HB @refl
+          | 2: >replicate_Sn >one_bv_Sn >ith_carry_Sn >HB @refl ]
+     ]
+] * #H1 #H2 @H1
+qed.
+(* Lift back the previous result to standard operations. *)
+lemma twocomp_neg_direct_ok : ∀n. ∀v. twocomp_neg_direct ? v = two_complement_negation n v.
+#n #v whd in match twocomp_neg_direct; normalize nodelta
+whd in match increment_direct; normalize nodelta
+whd in match two_complement_negation; normalize nodelta
+>increment_to_addition_n <addition_n_direct_ok
+whd in match addition_n; normalize nodelta
+elim (add_with_carries ????) #a #b @refl
+qed.
+lemma two_complement_negation_plus : ∀n. ∀a,b : BitVector n.
+  two_complement_negation ? (addition_n ? a b) = addition_n ? (two_complement_negation ? a) (two_complement_negation ? b).
+#n #a #b
+lapply (twocomp_neg_plus ? a b)
+>twocomp_neg_direct_ok >twocomp_neg_direct_ok >twocomp_neg_direct_ok
+<addition_n_direct_ok <addition_n_direct_ok
+whd in match addition_n; normalize nodelta
+elim (add_with_carries n a b false) #bits #flags normalize nodelta
+elim (add_with_carries n (two_complement_negation n a) (two_complement_negation n b) false) #bits' #flags'
+normalize nodelta #H @H
+qed.
+lemma bitvector_opp_addition_n : ∀n. ∀a : BitVector n. addition_n ? a (two_complement_negation ? a) = (zero ?).
+#n #a lapply (bitvector_opp_direct ? a)
+>twocomp_neg_direct_ok <addition_n_direct_ok
+whd in match (addition_n ???);
+elim (add_with_carries n a (two_complement_negation n a) false) #bits #flags #H @H
+qed.
+lemma neutral_addition_n : ∀n. ∀a : BitVector n. addition_n ? a (zero ?) = a.
+#n #a
+lapply (neutral_addition_n_direct n a)
+<addition_n_direct_ok
+whd in match (addition_n ???);
+elim (add_with_carries n a (zero n) false) #bits #flags #H @H
+qed.
+lemma subtraction_delta : ∀x,y,delta.
+  subtraction offset_size
+    (addition_n offset_size x delta)
+    (addition_n offset_size y delta) =
+  subtraction offset_size x y.
+#x #y #delta whd in match subtraction; normalize nodelta
+(* Remove all the equal parts on each side of the equation. *)
+<associative_addition_n
+>two_complement_negation_plus
+<(commutative_addition_n … (two_complement_negation ? delta))
+>(associative_addition_n ? delta) >bitvector_opp_addition_n
+>(commutative_addition_n ? (zero ?)) >neutral_addition_n
+@refl
+qed.
+(* Offset subtraction is invariant by translation *)
+lemma sub_offset_translation :
+ ∀n,x,y,delta. sub_offset n x y = sub_offset n (offset_plus x delta) (offset_plus y delta).
+#n #x #y #delta
+whd in match (sub_offset ???) in ⊢ (??%%);
+elim x #x' elim y #y' elim delta #delta'
+whd in match (offset_plus ??);
+whd in match (offset_plus ??);
+>subtraction_delta @refl
+qed.
+(* value_eq lifts to addition *)
+lemma sub_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_sub v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_sub v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #n #ty #sz #sg | 4: #n #sz #sg #ty | 5: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 2,3,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7,8,9,10: #Habsurd destruct (Habsurd) ]
+     @intsize_eq_elim_elim
+      [ 1: #_ #Habsurd destruct (Habsurd)
+      | 2: #Heq destruct (Heq) normalize nodelta
+           #Heq destruct (Heq)
+          /3 by ex_intro, conj, vint_eq/
+      ]
+| 3: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,2,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7,9,10: #Habsurd destruct (Habsurd) ]
+     [ 1: @eq_bv_elim [ 1: normalize nodelta #Heq1 #Heq2 destruct /3 by ex_intro, conj, vnull_eq/
+                      | 2: #_ normalize nodelta #Habsurd destruct (Habsurd) ]
+     | 2: #Heq destruct (Heq) /3 by ex_intro, conj, vnull_eq/ ]
+| 5: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,2,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7,8,9: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     [ 1: %{(Vptr (neg_shift_pointer_n (bitsize_of_intsize sz') p2 (sizeof ty) i'))} @conj try @refl
+          @vptr_eq whd in match (pointer_translation ??) in Hembed ⊢ %;
+          elim p1 in Hembed; #b1 #o1 normalize nodelta
+          cases (E b1)
+          [ 1: normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd)
+          | 2: * #block #offset normalize nodelta #Heq destruct (Heq)
+               whd in match (offset_plus ??) in ⊢ (??%%);
+               whd in match (neg_shift_pointer_n ????) in ⊢ (??%%);
+               whd in match (neg_shift_offset_n ????) in ⊢ (??%%);
+               whd in match (subtraction) in ⊢ (??%%); normalize nodelta
+               generalize in match (short_multiplication ???); #mult
+               /3 by associative_addition_n, commutative_addition_n, refl/
+          ]
+     | 2: lapply Heq @eq_block_elim
+          [ 2: #_ normalize nodelta #Habsurd destruct (Habsurd)
+          | 1: #Hpblock1_eq normalize nodelta
+               elim p1 in Hpblock1_eq Hembed Hembed'; #b1 #off1
+               elim p1' #b1' #off1' whd in ⊢ (% → % → ?); #Hpblock1_eq destruct (Hpblock1_eq)
+               whd in ⊢ ((??%?) → (??%?) → ?);
+               cases (E b1') normalize nodelta
+               [ 1: #Habsurd destruct (Habsurd) ]
+               * #dest_block #dest_off normalize nodelta
+               #Heq_ptr1 #Heq_ptr2 destruct >eq_block_identity normalize nodelta
+               cases (eqb (sizeof tsg) O) normalize nodelta
+               [ 1: #Habsurd destruct (Habsurd)
+               | 2: >(sub_offset_translation 32 off1 off1' dest_off)
+                    cases (division_u 31
+                            (sub_offset 32 (offset_plus off1 dest_off) (offset_plus off1' dest_off))
+                            (repr (sizeof tsg)))
+                    [ 1: normalize nodelta #Habsurd destruct (Habsurd)
+                    | 2: #r1' normalize nodelta #Heq2 destruct (Heq2)
+                         /3 by ex_intro, conj, vint_eq/ ]
+    ] ] ]
+] qed.
+lemma mul_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_mul v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_mul v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @intsize_eq_elim_elim
+      [ 1: #_ #Habsurd destruct (Habsurd)
+      | 2: #Heq destruct (Heq) normalize nodelta
+           #Heq destruct (Heq)
+          /3 by ex_intro, conj, vint_eq/
+      ]
+| 3: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+lemma div_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_div v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_div v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     elim sg normalize nodelta
+     @intsize_eq_elim_elim
+     [ 1,3: #_ #Habsurd destruct (Habsurd)
+     | 2,4: #Heq destruct (Heq) normalize nodelta
+            @(match (division_s (bitsize_of_intsize sz') i i') with
+              [ None ⇒ ?
+              | Some bv' ⇒ ? ])
+            [ 1: normalize  #Habsurd destruct (Habsurd)
+            | 2: normalize #Heq destruct (Heq)
+                 /3 by ex_intro, conj, vint_eq/
+            | 3,4: elim sz' in i' i; #i' #i
+                   normalize in match (pred_size_intsize ?);
+                   generalize in match division_u; #division_u normalize
+                   @(match (division_u ???) with
+                    [ None ⇒ ?
+                    | Some bv ⇒ ?]) normalize nodelta
+                   #H destruct (H)
+                  /3 by ex_intro, conj, vint_eq/ ]
+     ]
+| 3: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+lemma mod_value_eq :
+  ∀E,v1,v2,v1',v2',ty1,ty2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_mod v1 ty1 v1' ty2=Some val r1→
+           ∃r2:val.sem_mod v2 ty1 v2' ty2=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     elim sg normalize nodelta
+     @intsize_eq_elim_elim
+     [ 1,3: #_ #Habsurd destruct (Habsurd)
+     | 2,4: #Heq destruct (Heq) normalize nodelta
+            @(match (modulus_s (bitsize_of_intsize sz') i i') with
+              [ None ⇒ ?
+              | Some bv' ⇒ ? ])
+            [ 1: normalize  #Habsurd destruct (Habsurd)
+            | 2: normalize #Heq destruct (Heq)
+                 /3 by ex_intro, conj, vint_eq/
+            | 3,4: elim sz' in i' i; #i' #i
+                   generalize in match modulus_u; #modulus_u normalize
+                   @(match (modulus_u ???) with
+                    [ None ⇒ ?
+                    | Some bv ⇒ ?]) normalize nodelta
+                   #H destruct (H)
+                  /3 by ex_intro, conj, vint_eq/ ]
+     ]
+| 3: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 4: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+(* boolean ops *)
+lemma and_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_and v1 v1'=Some val r1→
+           ∃r2:val.sem_and v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 2: #sz #i
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 2: #sz' #i' whd in match (sem_and ??);
+          @intsize_eq_elim_elim
+          [ 1: #_ #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta
+               #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/ ]
+] ]
+normalize in match (sem_and ??); #arg1 destruct
+normalize in match (sem_and ??); #arg2 destruct
+normalize in match (sem_and ??); #arg3 destruct
+normalize in match (sem_and ??); #arg4 destruct
+qed.
+lemma or_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_or v1 v1'=Some val r1→
+           ∃r2:val.sem_or v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 2: #sz #i
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 2: #sz' #i' whd in match (sem_or ??);
+          @intsize_eq_elim_elim
+          [ 1: #_ #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta
+               #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/ ]
+] ]
+normalize in match (sem_or ??); #arg1 destruct
+normalize in match (sem_or ??); #arg2 destruct
+normalize in match (sem_or ??); #arg3 destruct
+normalize in match (sem_or ??); #arg4 destruct
+qed.
+lemma xor_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_xor v1 v1'=Some val r1→
+           ∃r2:val.sem_xor v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 2: #sz #i
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 2: #sz' #i' whd in match (sem_xor ??);
+          @intsize_eq_elim_elim
+          [ 1: #_ #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta
+               #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/ ]
+] ]
+normalize in match (sem_xor ??); #arg1 destruct
+normalize in match (sem_xor ??); #arg2 destruct
+normalize in match (sem_xor ??); #arg3 destruct
+normalize in match (sem_xor ??); #arg4 destruct
+qed.
+lemma shl_value_eq :
+  ∀E,v1,v2,v1',v2'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_shl v1 v1'=Some val r1→
+           ∃r2:val.sem_shl v2 v2'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 2:
+     @(value_eq_inversion E … Hvalue_eq2)
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 2: whd in match (sem_shl ??);
+          cases (lt_u ???) normalize nodelta
+          [ 1: #Heq destruct (Heq) /3 by ex_intro,conj,vint_eq/
+          | 2: #Habsurd destruct (Habsurd)
+          ]
+     | *: whd in match (sem_shl ??); #Habsurd destruct (Habsurd) ]
+| *: whd in match (sem_shl ??); #Habsurd destruct (Habsurd) ]
+qed.
+lemma shr_value_eq :
+  ∀E,v1,v2,v1',v2',ty,ty'.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   ∀r1. (sem_shr v1 ty v1' ty'=Some val r1→
+           ∃r2:val.sem_shr v2 ty v2' ty'=Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty #ty' #Hvalue_eq1 #Hvalue_eq2 #r1
+@(value_eq_inversion E … Hvalue_eq1)
+[ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+whd in match (sem_shr ????); whd in match (sem_shr ????);
+[ 1: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 2: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 2,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     elim sg normalize nodelta
+     cases (lt_u ???) normalize nodelta #Heq destruct (Heq)
+     /3 by ex_intro, conj, refl, vint_eq/
+| 3: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 4: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+lemma monotonic_Zlt_Zsucc: monotonic Z Zlt Zsucc.
+whd #x #y #Hlt lapply (Zlt_to_Zle … Hlt) #Hle lapply (Zle_to_Zlt … Hle)
+/3 by monotonic_Zle_Zplus_r, Zle_to_Zlt/ qed.
+lemma monotonic_Zlt_Zpred: monotonic Z Zlt Zpred.
+whd #x #y #Hlt lapply (Zlt_to_Zle … Hlt) #Hle lapply (Zle_to_Zlt … Hle)
+/3 by monotonic_Zle_Zpred, Zle_to_Zlt/ qed.
+lemma antimonotonic_Zle_Zsucc: ∀x,y. Zsucc x ≤ Zsucc y → x ≤ y.
+#x #y #H lapply (monotonic_Zle_Zpred … H) >Zpred_Zsucc >Zpred_Zsucc #H @H
+qed.
+(*
+lemma antimonotonic_Zle_Zpred: ∀x,y. Zpred x ≤ Zpred y → x ≤ y.
+#x #y #H lapply (monotonic_Zle_Zsucc … H) >Zsucc_Zpred >Zsucc_Zpred #H @H
+qed. *)
+lemma antimonotonic_Zlt_Zsucc: ∀x,y. Zsucc x < Zsucc y → x < y.
+#x #y #Hlt lapply (Zle_to_Zlt … (antimonotonic_Zle_Zsucc … (Zlt_to_Zle … Hlt)))
+>Zpred_Zsucc #H @H
+qed.
+lemma antimonotonic_Zlt_Zpred: ∀x,y. Zpred x < Zpred y → x < y.
+#x #y #Hlt lapply (monotonic_Zlt_Zsucc … Hlt) >Zsucc_Zpred >Zsucc_Zpred #H @H
+qed.
+lemma not_Zlt_to_Zltb_false : ∀n,m. n ≮ m → Zltb n m = false.
+#n #m #Hnlt
+@Zltb_elim_Type0
+[ 1: elim Hnlt #H0 #H1 @(False_ind … (H0 H1))
+| 2: #_ @refl ] qed.
+lemma Zplus_eq_eq : ∀x,y,delta:Z. eqZb x y = eqZb (x + delta) (y + delta).
+#x #y #delta
+@eqZb_elim
+[ 1: #Heq >Heq >eqZb_z_z @refl
+| 2: * #Hneq cut (x+delta ≠ y + delta)
+     [ 1: % #H cut (x = y) [ 1: @(injective_Zplus_l delta) @H ] #H' @Hneq @H' ]
+     #H @sym_eq @eqZb_false @H ] qed.
+lemma Zltb_Zsucc : ∀x,y. Zltb x y = Zltb (Zsucc x) (Zsucc y).
+#x #y
+@(Zltb_elim_Type0 … x y)
+[ 1: #Hlt @sym_eq lapply (monotonic_Zlt_Zsucc … Hlt) #Hlt' @(Zlt_to_Zltb_true … Hlt')
+| 2: #Hnlt @sym_eq @not_Zlt_to_Zltb_false % #Hltsucc
+      lapply (antimonotonic_Zlt_Zsucc … Hltsucc) #Hlt
+      @(absurd … Hlt Hnlt)
+] qed.
+lemma Zltb_Zpred : ∀x,y. Zltb x y = Zltb (Zpred x) (Zpred y).
+#x #y
+@(Zltb_elim_Type0 … x y)
+[ 1: #Hlt @sym_eq
+lapply (monotonic_Zlt_Zpred … Hlt) #Hlt' @(Zlt_to_Zltb_true … Hlt')
+| 2: #Hnlt @sym_eq @not_Zlt_to_Zltb_false % #Hltsucc
+      lapply (antimonotonic_Zlt_Zpred … Hltsucc) #Hlt
+      @(absurd … Hlt Hnlt)
+] qed.
+lemma Zplus_pos_lt_lt : ∀x,y.∀delta. Zltb x y = Zltb (x + (pos delta)) (y + (pos delta)).
+#x #y #delta @(pos_elim … delta)
+[ 1: >(sym_Zplus x) >(sym_Zplus y) <Zsucc_Zplus_pos_O <Zsucc_Zplus_pos_O
+     >Zltb_Zsucc @refl
+| 2: #n #Hind >Hind >Zltb_Zsucc
+     >(sym_Zplus x) >(sym_Zplus y)
+     <Zplus_Zsucc <Zplus_Zsucc
+     >(sym_Zplus ? x) >(sym_Zplus ? y)
+     normalize in match (Zsucc ?); @refl
+] qed.
+lemma Zplus_neg_lt_lt : ∀x,y.∀delta. Zltb x y = Zltb (x + (neg delta)) (y + (neg delta)).
+#x #y #delta @(pos_elim … delta)
+[ 1: >(sym_Zplus x) >(sym_Zplus y) <Zpred_Zplus_neg_O <Zpred_Zplus_neg_O
+     >Zltb_Zpred @refl
+| 2: #n #Hind >Hind >Zltb_Zpred
+     >(sym_Zplus x) >(sym_Zplus y)
+     <Zplus_Zpred <Zplus_Zpred
+     >(sym_Zplus ? x) >(sym_Zplus ? y)
+     normalize in match (Zpred ?); @refl
+] qed.
+(* I would not be surprised for a simpler proof that mine to exist. *)
+lemma Zplus_lt_lt : ∀x,y,delta:Z. Zltb x y = Zltb (x + delta) (y + delta).
+#x #y #delta
+cases delta
+[ 1: >Zplus_z_OZ >Zplus_z_OZ @refl
+| 2: #p @Zplus_pos_lt_lt
+| 3: #p @Zplus_neg_lt_lt
+] qed.
+(* offset equality is invariant by translation *)
+lemma eq_offset_translation : ∀delta,x,y. cmp_offset Ceq (offset_plus x delta) (offset_plus y delta) = cmp_offset Ceq x y.
+#delta #x #y normalize
+elim delta #zdelta @sym_eq @cthulhu qed. (* @Zplus_eq_eq qed.*)
+lemma neq_offset_translation : ∀delta,x,y. cmp_offset Cne (offset_plus x delta) (offset_plus y delta) = cmp_offset Cne x y.
+@cthulhu qed.
+(* #delta #x #y normalize
+elim delta #zdelta @sym_eq <Zplus_eq_eq qed. *)
+lemma cmp_offset_translation : ∀op,delta,x,y.
+   cmp_offset op x y = cmp_offset op (offset_plus x delta) (offset_plus y delta). @cthulhu qed.
+(*
+* #delta #x #y normalize
+elim delta #zdelta
+[ 1: @Zplus_eq_eq
+| 2: <Zplus_eq_eq @refl
+| 3: @Zplus_lt_lt
+| 4: <Zplus_lt_lt @refl
+| 5: @Zplus_lt_lt
+| 6: <Zplus_lt_lt @refl
+qed. *)
+lemma cmp_value_eq :
+  ∀E,v1,v2,v1',v2',ty,ty',m1,m2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   memory_inj E m1 m2 →
+   ∀op,r1. (sem_cmp op v1 ty v1' ty' m1 = Some val r1→
+           ∃r2:val.sem_cmp op v2 ty v2' ty' m2 = Some val r2∧value_eq E r1 r2).
+#E #v1 #v2 #v1' #v2' #ty #ty' #m1 #m2 #Hvalue_eq1 #Hvalue_eq2 #Hinj #op #r1
+elim m1 in Hinj; #contmap1 #nextblock1 #Hnextblock1 elim m2 #contmap2 #nextblock2 #Hnextblock2 #Hinj
+whd in match (sem_cmp ??????) in ⊢ ((??%?) → %);
+cases (classify_cmp ty ty') normalize nodelta
+[ 1: #tsz #tsg
+     @(value_eq_inversion E … Hvalue_eq1) normalize nodelta
+     [ 1: #v #Habsurd destruct (Habsurd)
+     | 3: #f #Habsurd destruct (Habsurd)
+     | 4: #Habsurd destruct (Habsurd)
+     | 5: #p1 #p2 #Hembed #Habsurd destruct (Habsurd) ]
+     #sz #i
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v #Habsurd destruct (Habsurd)
+     | 3: #f #Habsurd destruct (Habsurd)
+     | 4: #Habsurd destruct (Habsurd)
+     | 5: #p1 #p2 #Hembed #Habsurd destruct (Habsurd) ]
+     #sz' #i' cases tsg normalize nodelta
+     @intsize_eq_elim_elim
+     [ 1,3: #Hneq #Habsurd destruct (Habsurd)
+     | 2,4: #Heq destruct (Heq) normalize nodelta
+            #Heq destruct (Heq)
+            [ 1: cases (cmp_int ????) whd in match (of_bool ?);
+            | 2: cases (cmpu_int ????) whd in match (of_bool ?); ]
+              /3 by ex_intro, conj, vint_eq/ ]
+| 3: #fsz
+     @(value_eq_inversion E … Hvalue_eq1) normalize nodelta
+     [ 1: #v #Habsurd destruct (Habsurd)
+     | 2: #sz #i #Habsurd destruct (Habsurd)
+     | 4: #Habsurd destruct (Habsurd)
+     | 5: #p1 #p2 #Hembed #Habsurd destruct (Habsurd) ]
+     #f
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v #Habsurd destruct (Habsurd)
+     | 2: #sz #i #Habsurd destruct (Habsurd)
+     | 4: #Habsurd destruct (Habsurd)
+     | 5: #p1 #p2 #Hembed #Habsurd destruct (Habsurd) ]
+     #f'
+     #Heq destruct (Heq) cases (Fcmp op f f')
+     /3 by ex_intro, conj, vint_eq/
+| 4: #ty1 #ty2 #Habsurd destruct (Habsurd)
+| 2: #optn #typ
+     @(value_eq_inversion E … Hvalue_eq1) normalize nodelta
+     [ 1: #v #Habsurd destruct (Habsurd)
+     | 2: #sz #i #Habsurd destruct (Habsurd)
+     | 3: #f #Habsurd destruct (Habsurd)
+     | 5: #p1 #p2 #Hembed ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1,6: #v #Habsurd destruct (Habsurd)
+     | 2,7: #sz #i #Habsurd destruct (Habsurd)
+     | 3,8: #f #Habsurd destruct (Habsurd)
+     | 5,10: #p1' #p2' #Hembed' ]
+     [ 2,3: cases op whd in match (sem_cmp_mismatch ?);
+          #Heq destruct (Heq)
+          [ 1,3: %{Vfalse} @conj try @refl @vint_eq
+          | 2,4: %{Vtrue} @conj try @refl @vint_eq ]
+     | 4: cases op whd in match (sem_cmp_match ?);
+          #Heq destruct (Heq)
+          [ 2,4: %{Vfalse} @conj try @refl @vint_eq
+          | 1,3: %{Vtrue} @conj try @refl @vint_eq ] ]
+     lapply (mi_valid_pointers … Hinj p1' p2')
+     lapply (mi_valid_pointers … Hinj p1 p2)
+     cases (valid_pointer (mk_mem ???) p1')
+     [ 2: #_ #_ >commutative_andb normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd) ]
+     cases (valid_pointer (mk_mem ???) p1)
+     [ 2: #_ #_ normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd) ]
+     #H1 #H2 lapply (H1 (refl ??) Hembed) #Hvalid1 lapply (H2 (refl ??) Hembed') #Hvalid2
+     >Hvalid1 >Hvalid2 normalize nodelta -H1 -H2
+     elim p1 in Hembed; #b1 #o1
+     elim p1' in Hembed'; #b1' #o1'
+     whd in match (pointer_translation ??);
+     whd in match (pointer_translation ??);
+     @(eq_block_elim … b1 b1')
+     [ 1: #Heq destruct (Heq)
+          cases (E b1') normalize nodelta
+          [ 1: #Habsurd destruct (Habsurd) ]
+          * #eb1' #eo1' normalize nodelta
+          #Heq1 #Heq2 #Heq3 destruct
+          >eq_block_identity normalize nodelta
+          <cmp_offset_translation
+          cases (cmp_offset ???) normalize nodelta
+          /3 by ex_intro, conj, vint_eq/
+     | 2: #Hneq lapply (mi_disjoint … Hinj b1 b1')
+          cases (E b1') [ 1: #_ normalize nodelta #Habsurd destruct (Habsurd) ]
+          * #eb1 #eo1
+          cases (E b1) [ 1: #_ normalize nodelta #_ #Habsurd destruct (Habsurd) ]
+          * #eb1' #eo1' normalize nodelta #H #Heq1 #Heq2 destruct
+          lapply (H ???? Hneq (refl ??) (refl ??))
+          #Hneq_block >(neq_block_eq_block_false … Hneq_block) normalize nodelta
+          elim op whd in match (sem_cmp_mismatch ?); #Heq destruct (Heq)
+          /3 by ex_intro, conj, vint_eq/
+     ]
+] qed.
+(* Commutation result for binary operators. *)
+lemma binary_operation_value_eq :
+  ∀E,op,v1,v2,v1',v2',ty1,ty2,m1,m2.
+   value_eq E v1 v2 →
+   value_eq E v1' v2' →
+   memory_inj E m1 m2 →
+   ∀r1.
+   sem_binary_operation op v1 ty1 v1' ty2 m1 = Some ? r1 →
+   ∃r2.sem_binary_operation op v2 ty1 v2' ty2 m2 = Some ? r2 ∧ value_eq E r1 r2.
+#E #op #v1 #v2 #v1' #v2' #ty1 #ty2 #m1 #m2 #Hvalue_eq1 #Hvalue_eq2 #Hinj #r1
+cases op
+whd in match (sem_binary_operation ??????);
+whd in match (sem_binary_operation ??????);
+[ 1: @add_value_eq try assumption
+| 2: @sub_value_eq try assumption
+| 3: @mul_value_eq try assumption
+| 4: @div_value_eq try assumption
+| 5: @mod_value_eq try assumption
+| 6: @and_value_eq try assumption
+| 7: @or_value_eq try assumption
+| 8: @xor_value_eq try assumption
+| 9: @shl_value_eq try assumption
+| 10: @shr_value_eq try assumption
+| *: @cmp_value_eq try assumption
+] qed.
+lemma cast_value_eq :
+ ∀E,m1,m2,v1,v2. (* memory_inj E m1 m2 → *) value_eq E v1 v2 →
+  ∀ty,cast_ty,res. exec_cast m1 v1 ty cast_ty = OK ? res →
+  ∃res'. exec_cast m2 v2 ty cast_ty = OK ? res' ∧ value_eq E res res'.
+#E #m1 #m2 #v1 #v2 (* #Hmemory_inj *) #Hvalue_eq #ty #cast_ty #res
+@(value_eq_inversion … Hvalue_eq)
+[ 1: #v normalize #Habsurd destruct (Habsurd)
+| 2: #vsz #vi whd in match (exec_cast ????);
+     cases ty
+     [ 1: | 2: #sz #sg | 3: #fl | 4: #ptrty | 5: #arrayty #n | 6: #tl #retty | 7: #id #fl | 8: #id #fl | 9: #comptrty ]
+     normalize nodelta
+     [ 1,3,7,8,9: #Habsurd destruct (Habsurd)
+     | 2: @intsize_eq_elim_elim
+          [ 1: #Hneq #Habsurd destruct (Habsurd)
+          | 2: #Heq destruct (Heq) normalize nodelta
+               cases cast_ty
+               [ 1: | 2: #csz #csg | 3: #cfl | 4: #cptrty | 5: #carrayty #cn
+               | 6: #ctl #cretty | 7: #cid #cfl | 8: #cid #cfl | 9: #ccomptrty ]
+               normalize nodelta
+               [ 1,7,8,9: #Habsurd destruct (Habsurd)
+               | 2: #Heq destruct (Heq) /3 by ex_intro, conj, vint_eq/
+               | 3: #Heq destruct (Heq) /3 by ex_intro, conj, vfloat_eq/
+               | 4,5,6: whd in match (try_cast_null ?????); normalize nodelta
+                    @eq_bv_elim
+                    [ 1,3,5: #Heq destruct (Heq) >eq_intsize_identity normalize nodelta
+                         whd in match (m_bind ?????);
+                         #Heq destruct (Heq) /3 by ex_intro, conj, vnull_eq/
+                    | 2,4,6: #Hneq >eq_intsize_identity normalize nodelta
+                         whd in match (m_bind ?????);
+                         #Habsurd destruct (Habsurd) ] ]
+          ]
+     | 4,5,6: whd in match (try_cast_null ?????); normalize nodelta
+          @eq_bv_elim
+          [ 1,3,5: #Heq destruct (Heq) normalize nodelta
+               whd in match (m_bind ?????); #Habsurd destruct (Habsurd)
+          | 2,4,6: #Hneq normalize nodelta
+               whd in match (m_bind ?????); #Habsurd destruct (Habsurd) ]
+     ]
+| 3: #f whd in match (exec_cast ????);
+     cases ty
+     [ 1: | 2: #sz #sg | 3: #fl | 4: #ptrty | 5: #arrayty #n
+     | 6: #tl #retty | 7: #id #fl | 8: #id #fl | 9: #comptrty ]
+     normalize nodelta
+     [ 1,2,4,5,6,7,8,9: #Habsurd destruct (Habsurd) ]
+     cases cast_ty
+     [ 1: | 2: #csz #csg | 3: #cfl | 4: #cptrty | 5: #carrayty #cn
+     | 6: #ctl #cretty | 7: #cid #cfl | 8: #cid #cfl | 9: #ccomptrty ]
+     normalize nodelta
+     [ 1,4,5,6,7,8,9: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     [ 1: /3 by ex_intro, conj, vint_eq/
+     | 2: /3 by ex_intro, conj, vfloat_eq/ ]
+| 4: whd in match (exec_cast ????);
+     cases ty
+     [ 1: | 2: #sz #sg | 3: #fl | 4: #ptrty | 5: #arrayty #n
+     | 6: #tl #retty | 7: #id #fl | 8: #id #fl | 9: #comptrty ]
+     normalize
+     [ 1,2,3,7,8,9: #Habsurd destruct (Habsurd) ]
+     cases cast_ty normalize nodelta
+     [ 1,10,19: #Habsurd destruct (Habsurd)
+     | 2,11,20: #csz #csg #Habsurd destruct (Habsurd)
+     | 3,12,21: #cfl #Habsurd destruct (Habsurd)
+     | 4,13,22: #cptrty #Heq destruct (Heq) /3 by ex_intro, conj, vnull_eq/
+     | 5,14,23: #carrayty #cn #Heq destruct (Heq) /3 by ex_intro, conj, vnull_eq/
+     | 6,15,24: #ctl #cretty #Heq destruct (Heq) /3 by ex_intro, conj, vnull_eq/
+     | 7,16,25: #cid #cfl #Habsurd destruct (Habsurd)
+     | 8,17,26: #cid #cfl #Habsurd destruct (Habsurd)
+     | 9,18,27: #ccomptrty #Habsurd destruct (Habsurd) ]
+| 5: #p1 #p2 #Hembed whd in match (exec_cast ????);
+     cases ty
+     [ 1: | 2: #sz #sg | 3: #fl | 4: #ptrty | 5: #arrayty #n
+     | 6: #tl #retty | 7: #id #fl | 8: #id #fl | 9: #comptrty ]
+     normalize
+     [ 1,2,3,7,8,9: #Habsurd destruct (Habsurd) ]
+     cases cast_ty normalize nodelta
+     [ 1,10,19: #Habsurd destruct (Habsurd)
+     | 2,11,20: #csz #csg #Habsurd destruct (Habsurd)
+     | 3,12,21: #cfl #Habsurd destruct (Habsurd)
+     | 4,13,22: #cptrty #Heq destruct (Heq) %{(Vptr p2)} @conj try @refl @vptr_eq assumption
+     | 5,14,23: #carrayty #cn #Heq destruct (Heq)
+                %{(Vptr p2)} @conj try @refl @vptr_eq assumption
+     | 6,15,24: #ctl #cretty #Heq destruct (Heq)
+                %{(Vptr p2)} @conj try @refl @vptr_eq assumption
+     | 7,16,25: #cid #cfl #Habsurd destruct (Habsurd)
+     | 8,17,26: #cid #cfl #Habsurd destruct (Habsurd)
+     | 9,18,27: #ccomptrty #Habsurd destruct (Habsurd) ]
+qed.
+lemma bool_of_val_value_eq :
+ ∀E,v1,v2. value_eq E v1 v2 →
+   ∀ty,b.exec_bool_of_val v1 ty = OK ? b → exec_bool_of_val v2 ty = OK ? b.
+#E #v1 #v2 #Hvalue_eq #ty #b
+@(value_eq_inversion … Hvalue_eq) //
+[ 1: #v #H normalize in H; destruct (H)
+| 2: #p1 #p2 #Hembed #H @H ] qed.
 (* Simulation relation on expressions *)
 lemma sim_related_globals : ∀ge,ge',en1,m1,en2,m2,ext.
+  ∀E:embedding.
+  ∀Hext:memory_ext E m1 m2.
+  switch_removal_globals E ? fundef_switch_removal ge ge' →
+  disjoint_extension en1 m1 en2 m2 ext E Hext →
+  ∀Hext:sr_memext m1 m2.
+  switch_removal_globals ? fundef_switch_removal ge ge' →
+  disjoint_extension en1 m1 en2 m2 ext Hext →
   ext_fresh_for_genv ext ge →
   (∀e. exec_expr_sim E (exec_expr ge en1 m1 e) (exec_expr ge' en2 m2 e)) ∧
   (∀ed, ty. exec_lvalue_sim E (exec_lvalue' ge en1 m1 ed ty) (exec_lvalue' ge' en2 m2 ed ty)).
 #ge #ge' #en1 #m1 #en2 #m2 #ext #E #Hext #Hrelated #Hdisjoint #Hext_fresh_for_genv
+  (∀e. exec_expr_sim (exec_expr ge en1 m1 e) (exec_expr ge' en2 m2 e)) ∧
+  (∀ed, ty. exec_lvalue_sim (exec_lvalue' ge en1 m1 ed ty) (exec_lvalue' ge' en2 m2 ed ty)).
+#ge #ge' #en1 #m1 #en2 #m2 #ext #Hext #Hrelated #Hdisjoint #Hext_fresh_for_genv
 @expr_lvalue_ind_combined
 [ 1: #csz #cty #i #a1
 …
        cases (exec_lvalue' ge en1 m1 ? ty) in Hind;
        [ 2,4,6: #error #_ normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd)
        | 1,3,5: #b1 #H elim (H b1 (refl ??)) #b2 *
            elim b1 * #bl1 #o1 #tr1 elim b2 * #bl2 #o2 #tr2
            #Heq >Heq normalize nodelta * #Hvalue_eq #Htrace_eq
+       | 1,3,5: normalize nodelta #b1 #H lapply (H b1 (refl ??)) #Heq >Heq
+           normalize nodelta
+           elim b1 * #bl1 #o1 #tr1 (* elim b2 * #bl2 #o2 #tr2 *)
            whd in match (load_value_of_type' ???);
            whd in match (load_value_of_type' ???);
            lapply (load_value_of_type_inj E … (\fst a1) … ty (me_inj … Hext) Hvalue_eq)
+           lapply (load_value_of_type_inj m1 m2 bl1 o1 ty Hext)
            cases (load_value_of_type ty m1 bl1 o1)
            [ 1,3,5: #_ #Habsurd normalize in Habsurd; destruct (Habsurd)
+           | 2,4,6: #v #Hyp normalize in ⊢ (% → ?); #Heq destruct (Heq)
+                    elim (Hyp (refl ??)) #v2 * #Hload #Hvalue_eq >Hload
+                    normalize /4 by ex_intro, conj/
+           | 2,4,6: #v #H normalize in ⊢ (% → ?); #Heq destruct (Heq)
+                    >(H v (refl ??)) @refl
   ] ] ]
 | 4: #v #ty whd * * #b1 #o1 #tr1
+| 4: #v #ty whd * * #b #o #tr
      whd in match (exec_lvalue' ?????);
      whd in match (exec_lvalue' ?????);
 …
      | 2: normalize nodelta
           cases (lookup ?? en1 v) normalize nodelta
+          [ 1: #Hlookup2 >Hlookup2 normalize nodelta
+               lapply (rg_find_symbol … Hrelated v)
+               cases (find_symbol ???) normalize
+               [ 1: #_ #Habsurd destruct (Habsurd)
+               | 2: #block cases (lookup ?? (symbols clight_fundef ge') v)
+                    [ 1: normalize nodelta #Hfalse @(False_ind … Hfalse)
+                    | 2: #block' normalize #Hvalue_eq #Heq destruct (Heq)
+                         %{〈block',mk_offset (zero offset_size),[]〉} @conj try @refl
+                         normalize /2/
+                ] ]
+         | 2: #block
+          [ 1: #Hlookup2 <Hlookup2 normalize nodelta
+               lapply (rg_find_symbol … Hrelated v) #Heq_find_sym >Heq_find_sym
+               #H @H
+          | 2: #block
               cases (lookup ?? en2 v) normalize nodelta
+              [ 1: #Hfalse @(False_ind … Hfalse)
+              | 2: #b * #Hvalid_block #Hvalue_eq #Heq destruct (Heq)
+                   %{〈b, zero_offset, E0〉} @conj try @refl
+                   normalize /2/
+    ] ] ]
+              [ 1: #Habsurd destruct (Habsurd)
+              | 2: #b #Heq destruct (Heq) #H @H ]
+          ]
+    ]
 | 5: #e #ty whd in ⊢ (% → %);
      whd in match (exec_lvalue' ?????);
      whd in match (exec_lvalue' ?????);
      cases (exec_expr ge en1 m1 e)
+     [ 1: * #v1 #tr1 #H elim (H 〈v1,tr1〉 (refl ??)) * #v1' #tr1' * #Heq >Heq normalize nodelta
+          * elim v1 normalize nodelta
+          [ 1: #_ #_ #a1 #Habsurd destruct (Habsurd)
+          | 2: #sz #i #_ #_ #a1  #Habsurd destruct (Habsurd)
+          | 3: #fl #_ #_ #a1 #Habsurd destruct (Habsurd)
+          | 4: #_ #_ #a1 #Habsurd destruct (Habsurd)
+          | 5: #ptr #Hvalue_eq lapply (value_eq_ptr_inversion … Hvalue_eq) * #p2 * #Hp2_eq
+               >Hp2_eq in Hvalue_eq; elim ptr #b1 #o1 elim p2 #b2 #o2
+               #Hvalue_eq normalize
+               cases (E b1) [ 1: normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd) ]
+               * #b2' #o2' normalize #Heq destruct (Heq) #Htrace destruct (Htrace)
+               * * #b1' #o1' #tr1'' #Heq2 destruct (Heq2) normalize
+               %{〈b2,mk_offset (addition_n ? (offv o1') (offv o2')),tr1''〉} @conj try @refl
+               normalize @conj // ]
+     [ 1: * #v1 #tr1 #H elim (H 〈v1,tr1〉 (refl ??)) * #v1' #tr1' #H @H
      | 2: #error #_ normalize #a1 #Habsurd destruct (Habsurd) ]
 | 6: #ty #e #ty'
 …
      cases ty
      [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
      * #b1 #o1 * #b2 #o2 normalize nodelta try /2 by I/
      #tr #H @conj try @refl try assumption
+     * #b #o normalize nodelta try /2 by I/
+     #tr @conj try @refl
 | 7: #ty #op #e
+     #Hsim @(exec_expr_expr_elim … Hsim) #v1 #v2 #trace #Hvalue_eq
+     lapply (unary_operation_value_eq E op v1 v2 (typeof e) Hvalue_eq)
+     cases (sem_unary_operation op v1 (typeof e)) normalize nodelta
+     [ 1: #_ @I
+     | 2: #r1 #H elim (H r1 (refl ??)) #r1' * #Heq >Heq
+           normalize /2/ ]
+     #Hsim @(exec_expr_expr_elim … Hsim) #v #trace
+     cases (sem_unary_operation op v (typeof e)) normalize nodelta
+     try @I
+     #v @conj @refl
 | 8: #ty #op #e1 #e2 #Hsim1 #Hsim2
      @(exec_expr_expr_elim … Hsim1) #v1 #v2 #trace #Hvalue_eq
+     @(exec_expr_expr_elim … Hsim1) #v #trace
      cases (exec_expr ge en1 m1 e2) in Hsim2;
      [ 2: #error // ]
      * #val #trace normalize in ⊢ (% → ?); #Hsim2
      elim (Hsim2 ? (refl ??)) * #val2 #trace2 * #Hexec2 * #Hvalue_eq2 #Htrace >Hexec2
      whd in match (m_bind ?????); whd in match (m_bind ?????);
      lapply (binary_operation_value_eq E op … (typeof e1) (typeof e2) ?? Hvalue_eq Hvalue_eq2 (me_inj … Hext))
      cases (sem_binary_operation op v1 (typeof e1) val (typeof e2) m1)
      [ 1: #_ // ]
      #opval #Hop elim (Hop ? (refl ??)) #opval' * #Hopval_eq  #Hvalue_eq_opval
      >Hopval_eq normalize destruct /2 by conj/
+     * #pval #ptrace normalize in ⊢ (% → ?); #Hsim2
+     whd in match (m_bind ?????);
+     >(Hsim2 ? (refl ??))
+     whd in match (m_bind ?????);
+     lapply (sim_sem_binary_operation op v pval e1 e2 m1 m2 Hext)
+     cases (sem_binary_operation op v (typeof e1) pval (typeof e2) m1)
+     [ 1: #_ // ] #val #H >(H val (refl ??))
+     normalize destruct @conj @refl
 | 9: #ty #cast_ty #e #Hsim @(exec_expr_expr_elim … Hsim)
+     #v1 #v2 #trace #Hvalue_eq lapply (cast_value_eq E m1 m2 … Hvalue_eq (typeof e) cast_ty)
+     cases (exec_cast m1 v1 (typeof e) cast_ty)
+     [ 2: #error #_ normalize @I
+     | 1: #res #H lapply (H res (refl ??)) whd in match (m_bind ?????);
+          * #res' * #Hexec_cast >Hexec_cast #Hvalue_eq normalize nodelta
+          @conj // ]
+     #v #tr
+     cut (exec_cast m1 v (typeof e) cast_ty = exec_cast m2 v (typeof e) cast_ty)
+     [ @refl ]
+     #Heq >Heq
+     cases (exec_cast m2 v (typeof e) cast_ty)
+     [ 2: //
+     | 1: #v normalize @conj @refl ]
 | 10: #ty #e1 #e2 #e3 #Hsim1 #Hsim2 #Hsim3
+     @(exec_expr_expr_elim … Hsim1) #v1 #v2 #trace #Hvalue_eq
+     lapply (bool_of_val_value_eq E v1 v2 Hvalue_eq (typeof e1))
+     @(exec_expr_expr_elim … Hsim1) #v #tr
      cases (exec_bool_of_val ? (typeof e1)) #b
+     [ 2: #_ normalize @I ]
+     #H lapply (H ? (refl ??)) #Hexec >Hexec normalize
+     [ 2: normalize @I ]
      cases b normalize nodelta
+     whd in match (m_bind ?????);
+     whd in match (m_bind ?????);
+     normalize nodelta
      [ 1: (* true branch *)
           cases (exec_expr ge en1 m1 e2) in Hsim2;
           [ 2: #error normalize #_ @I
+          | 1: * #e2v #e2tr normalize #H elim (H ? (refl ??))
+               * #e2v' #e2tr' * #Hexec2 >Hexec2 * #Hvalue_eq2 #Htrace_eq2 normalize
+                    destruct @conj try // ]
+          | 1: * #e2v #e2tr normalize #H >(H ? (refl ??)) normalize nodelta
+               @conj @refl ]
      | 2: (* false branch *)
           cases (exec_expr ge en1 m1 e3) in Hsim3;
           [ 2: #error normalize #_ @I
+          | 1: * #e3v #e3tr normalize #H elim (H ? (refl ??))
+               * #e3v' #e3tr' * #Hexec3 >Hexec3 * #Hvalue_eq3 #Htrace_eq3 normalize
+               destruct @conj // ] ]
+          | 1: * #e3v #e3tr normalize #H >(H ? (refl ??)) normalize nodelta
+               @conj @refl ] ]
 | 11,12: #ty #e1 #e2 #Hsim1 #Hsim2
+     @(exec_expr_expr_elim … Hsim1) #v1 #v1' #trace #Hvalue_eq
+     lapply (bool_of_val_value_eq E v1 v1' Hvalue_eq (typeof e1))
+     cases (exec_bool_of_val v1 (typeof e1))
+     [ 2,4:  #error #_ normalize @I ]
+     #b cases b #H lapply (H ? (refl ??)) #Heq >Heq
+     @(exec_expr_expr_elim … Hsim1) #v #tr
+     cases (exec_bool_of_val v (typeof e1))
+     [ 2,4: #error normalize @I ]
+     *
      whd in match (m_bind ?????);
      whd in match (m_bind ?????);
      [ 2,3: normalize @conj try @refl try @vint_eq ]
+     [ 2,3: normalize @conj try @refl ]
      cases (exec_expr ge en1 m1 e2) in Hsim2;
      [ 2,4: #error #_ normalize @I ]
+     * #v2 #tr2 whd in ⊢ (% → %); #H2 normalize nodelta elim (H2 ? (refl ??))
+     * #v2' #tr2' * #Heq2 * #Hvalue_eq2 #Htrace2 >Heq2 normalize nodelta
+     lapply (bool_of_val_value_eq E v2 v2' Hvalue_eq2 (typeof e2))
+     * #v2 #tr2 whd in ⊢ (% → %); #H2 normalize nodelta >(H2 ? (refl ??))
+     normalize nodelta
      cases (exec_bool_of_val v2 (typeof e2))
+     [ 2,4: #error #_ normalize @I ]
+     #b2 #H3 lapply (H3 ? (refl ??)) #Heq3 >Heq3 normalize nodelta
+     destruct @conj try @conj //
+     cases b2 whd in match (of_bool ?); @vint_eq
+     [ 2,4: #error normalize @I ]
+     * normalize @conj @refl
 | 13: #ty #ty' cases ty
      [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n
      | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     whd in match (exec_expr ????); whd
+     * #v #trace #Heq destruct %{〈Vint sz (repr sz (sizeof ty')), E0〉}
+     @conj try @refl @conj //
+| 14: #ty #ed #aggregty #i #Hsim whd * * #b #o #tr normalize nodelta
+     whd in match (exec_expr ????); whd #a #H @H
+| 14: #ty #ed #aggregty #i #Hsim whd * * #b #o #tr
     whd in match (exec_lvalue' ?????);
     whd in match (exec_lvalue' ge' en2 m2 (Efield (Expr ed aggregty) i) ty);
 …
     cases (exec_lvalue' ge en1 m1 ed ?) in Hsim;
     [ 2,4: #error #_ normalize in ⊢ (% → ?); #Habsurd destruct (Habsurd) ]
+    * * #b1 #o1 #tr1 whd in ⊢ (% → ?); #H elim (H ? (refl ??))
+    * * #b1' #o1' #tr1' * #Hexec normalize nodelta * #Hvalue_eq #Htrace_eq
+    whd in match (exec_lvalue ????); >Hexec normalize nodelta
+    [ 2: #Heq destruct (Heq) %{〈 b1',o1',tr1'〉} @conj //
+         normalize @conj // ]
+    cases (field_offset i fl')
+    [ 2: #error normalize #Habsurd destruct (Habsurd) ]
+    #offset whd in match (m_bind ?????); #Heq destruct (Heq)
+    whd in match (m_bind ?????);
+    %{〈b1',shift_offset (bitsize_of_intsize I32) o1' (repr I32 offset),tr1'〉} @conj
+    destruct // normalize nodelta @conj try @refl @vptr_eq
+    -H lapply (value_eq_ptr_inversion … Hvalue_eq) * #p2 * #Hptr_eq
+    whd in match (pointer_translation ??);
+    whd in match (pointer_translation ??);
+    cases (E b)
+    [ 1: normalize nodelta #Habsurd destruct (Habsurd) ]
+    * #b' #o' normalize nodelta #Heq destruct (Heq) destruct (Hptr_eq)
+    cut (offset_plus (mk_offset (addition_n offset_size
+                                      (offv o1)
+                                      (sign_ext (bitsize_of_intsize I32) offset_size (repr I32 offset)))) o'
+          = (shift_offset (bitsize_of_intsize I32) (offset_plus o1 o') (repr I32 offset)))
+    [ whd in match (shift_offset ???) in ⊢ (???%);
+      whd in match (offset_plus ??) in ⊢ (??%%);
+      /3 by associative_addition_n, commutative_addition_n, refl/ ]
+    #Heq >Heq @refl
+    * * #b1 #o1 #tr1 whd in ⊢ (% → ?); #H
+    whd in match (exec_lvalue ge' en2 m2 (Expr ed ?));
+     >(H ? (refl ??)) normalize nodelta #H @H
 | 15: #ty #l #e #Hsim
      @(exec_expr_expr_elim … Hsim) #v1 #v2 #trace #Hvalue_eq normalize nodelta @conj //
+     @(exec_expr_expr_elim … Hsim) #v #tr normalize nodelta @conj //
 | 16: *
   [ 1: #sz #i | 2: #fl | 3: #var_id | 4: #e1 | 5: #e1 | 6: #op #e1 | 7: #op #e1 #e2 | 8: #cast_ty #e1
 …
   #ty normalize in ⊢ (% → ?);
   [ 3,4,13: @False_ind
   | *: #_ normalize #a1 #Habsurd destruct (Habsurd) ]
+  | *: #_ normalize #a1 #Habsurd @Habsurd ]
 ] qed.
 …
 ] qed.
+(*
+lemma exec_expr_related : ∀ge,ge',e,m,cond,v,tr.
+  exec_expr ge e m cond = OK ? 〈v,tr〉 →
+  (res_sim ? (exec_expr ge e m cond) (exec_expr ge' e m cond)) →
+  exec_expr ge' e m cond = OK ? 〈v,tr〉.
+#ge #ge' #e #m #cond #v #tr #H *
+[ 1: #Hsim >(Hsim ? H) //
+| 2: * #error >H #Habsurd destruct (Habsurd) ]
+qed. *)
+(*
+lemma switch_simulation :
+∀ge,ge',e,m,cond,f,condsz,condval,switchcases,k,k',condtr,u.
+ switch_cont_sim k k' →
+ (exec_expr ge e m cond=OK (val×trace) 〈Vint condsz condval,condtr〉) →
+ fresh_for_statement (Sswitch cond switchcases) u →
+ ∃tr'.
+ (eventually ge'
+  (λs2':state
+   .switch_state_sim
+    (State f
+     (seq_of_labeled_statement (select_switch condsz condval switchcases))
+     (Kswitch k) e m) s2')
+  (State (function_switch_removal f) (sw_rem (Sswitch cond switchcases) u) k' e m)
+  tr').
+#ge #ge' #e #m #cond #f #condsz #condval #switchcases #k #k' #tr #u #Hsim_cont #Hexec_cond #Hfresh
+whd in match (sw_rem (Sswitch cond switchcases) u);
+whd in match (switch_removal (Sswitch cond switchcases) u);
+cases switchcases in Hfresh;
+[ 1: #default_statement #Hfresh_for_default
+     whd in match (switch_removal_branches ??);
+     whd in match (select_switch ???); whd in match (seq_of_labeled_statement ?);
+     elim (switch_removal_eq default_statement u)
+     #default_statement' * #Hdefault_statement_sf * #Hnew_vars * #u' #Hdefault_statement_eq >Hdefault_statement_eq
+     normalize nodelta
+     cut (u' = (\snd (switch_removal default_statement u)))
+     [ 1: >Hdefault_statement_eq // ] #Heq_u'
+     cut (fresh_for_statement (Sswitch cond (LSdefault default_statement)) u')
+     [ 1: >Heq_u' @switch_removal_fresh @Hfresh_for_default ] -Heq_u' #Heq_u'
+     lapply (fresh_for_univ_still_fresh u' ? Heq_u') cases (fresh ? u')
+     #switch_tmp #uv2 #Hfreshness lapply (Hfreshness ?? (refl ? 〈switch_tmp, uv2〉))
+     -Hfreshness #Heq_uv2 (* We might need to produce some lookup hypotheses here *)
+     normalize nodelta
+     whd in match (simplify_switch (Expr ??) ?? uv2);
+     lapply (fresh_for_univ_still_fresh uv2 ? Heq_uv2) cases (fresh ? uv2)
+     #exit_label #uv3 #Hfreshness lapply (Hfreshness ?? (refl ? 〈exit_label, uv3〉))
+     -Hfreshness #Heq_uv3
+     normalize nodelta whd in match (add_starting_lbl_list ????);
+     lapply (fresh_for_univ_still_fresh uv3 ? Heq_uv3) cases (fresh ? uv3)
+     #default_lab #uv4 #Hfreshness lapply (Hfreshness ?? (refl ? 〈default_lab, uv4〉))
+     -Hfreshness #Heq_uv4
+     normalize nodelta
+     @(eventually_later ge' ?? E0)
+     whd in match (exec_step ??);
+     %{(State (function_switch_removal f)
+          (Sassign (Expr (Evar switch_tmp) (typeof cond)) cond)
+          (Kseq
+          (Ssequence
+            (Slabel default_lab (convert_break_to_goto default_statement' exit_label))
+            (Slabel exit_label Sskip))
+          k') e m)} @conj try //
+     @(eventually_later ge' ?? E0)
+     whd in match (exec_step ??);
+@chthulhu | @chthulhu
+qed. *)
+(* Main theorem. To be ported and completed to memory injections. TODO *)
+(*
+theorem switch_removal_correction : ∀ge, ge'.
+  related_globals ? fundef_switch_removal ge ge' →
+  ∀s1, s1', tr, s2.
+  switch_state_sim s1 s1' →
+lemma some_inj : ∀A : Type[0]. ∀a,b : A. Some ? a = Some ? b → a = b. #A #a #b #H destruct (H) @refl qed.
+lemma prod_eq_lproj : ∀A,B : Type[0]. ∀a : A. ∀b : B. ∀c : A × B. 〈a,b〉 = c → a = \fst c.
+#A #B #a #b * #a' #b' #H destruct @refl
+qed.
+lemma prod_eq_rproj : ∀A,B : Type[0]. ∀a : A. ∀b : B. ∀c : A × B. 〈a,b〉 = c → b = \snd c.
+#A #B #a #b * #a' #b' #H destruct @refl
+qed.
+(* Main theorem. To be ported and completed to memory injections. TODO *)
+theorem switch_removal_correction :
+  ∀ge,ge',s1, s1', tr, s2.
+  switch_removal_globals ? fundef_switch_removal ge ge' →
+  switch_state_sim ge s1 s1' →
   exec_step ge s1 = Value … 〈tr,s2〉 →
   eventually ge' (λs2'. switch_state_sim s2 s2') s1' tr.
 #ge #ge' #Hrelated #s1 #s1' #tr #s2 #Hsim_state #Hexec_step
+  eventually ge' (λs2'. switch_state_sim ge s2 s2') s1' tr.
+#ge #ge' #st1 #st1' #tr #st2 #Hrelated #Hsim_state
 inversion Hsim_state
 [ 1: (* regular state *)
+  #u #f #s #k #k' #m #m' #result #en #en' #f' #vars
+  #Hu_fresh #Hen_eq #Hf_eq #Hen_eq' #Hswitch_removal #Hsim_cont #Hs1_eq #Hs1_eq' #_
+  lapply (sim_related_globals ge ge' e m Hrelated) *
+  #Hexpr_related #Hlvalue_related
+  >Hs1_eq in Hexec_step; whd in ⊢ ((??%?) → ?);
+  cases s in Hu_fresh Heq_env;
+theorem switch_removal_correction : ∀ge, ge'.
+  related_globals ? fundef_switch_removal ge ge' →
+  ∀s1, s1', tr, s2.
+  switch_state_sim s1 s1' →
+  exec_step ge s1 = Value … 〈tr,s2〉 →
+  eventually ge' (λs2'. switch_state_sim s2 s2') s1' tr.
+#ge #ge' #Hrelated #s1 #s1' #tr #s2 #Hsim_state #Hexec_step
+inversion Hsim_state
+[ 1: (* regular state *)
+  #u #f #s #k #k' #e #e' #m #m' #Hu_fresh #Heq_env #Hsim_cont #Hs1_eq #Hs1_eq' #_
+  lapply (sim_related_globals ge ge' e m Hrelated) *
+  #Hexpr_related #Hlvalue_related
+  >Hs1_eq in Hexec_step; whd in ⊢ ((??%?) → ?);
+  cases s in Hu_fresh Heq_env;
+  (* Perform the intros for the statements*)
+  #sss_statement #sss_result #sss_lu #sss_lu_fresh #sss_func #sss_func_tr #sss_new_vars
+  #sss_func_hyp #sss_m #sss_m_ext #sss_env #sss_env_ext #sss_k #sss_k_ext #sss_mem_hyp
+  #sss_env_hyp #sss_result_hyp #sss_k_hyp #Hext_fresh_for_ge
+  elim (sim_related_globals … ge ge'
+             sss_env sss_m sss_env_ext sss_m_ext sss_new_vars
+             sss_mem_hyp Hrelated sss_env_hyp Hext_fresh_for_ge)
+  #Hsim_expr #Hsim_lvalue #Hst1_eq #Hst1_eq' #_
+  cases sss_statement in sss_lu_fresh sss_result_hyp;
+  (* Perform the intros for the statements *)
   [ 1: | 2: #lhs #rhs | 3: #retv #func #args | 4: #stm1 #stm2 | 5: #cond #iftrue #iffalse | 6: #cond #body
   | 7: #cond #body | 8: #init #cond #step #body | 9,10: | 11: #retval | 12: #cond #switchcases | 13: #lab #body
   | 14: #lab | 15: #cost #body ]
   #Hu_fresh #Heq_env
+  #sss_lu_fresh #sss_result_hyp
   [ 1: (* Skip *)
+    whd in match (sw_rem ??);
+    inversion Hsim_cont normalize nodelta
+    [ 1: #Hk #Hk' #_ #Hexec_step
+         @(eventually_now ????) whd in match (exec_step ??); >fn_return_simplify
+         cases (fn_return f) in Hexec_step;
+         [ 1,10: | 2,11: #sz #sg | 3,12: #fsz | 4,13: #rg #ptr_ty | 5,14: #rg #array_ty #array_sz | 6,15: #domain #codomain
+         | 7,16: #structname #fieldspec | 8,17: #unionname #fieldspec | 9,18: #rg #id ]
+    whd in match (switch_removal ???) in sss_result_hyp;
+    <(some_inj ??? sss_result_hyp)
+    inversion sss_k_hyp normalize nodelta
+    [ 1: #fvs #Hfvs_eq #Hk #Hk' #_ #Hexec_step
+         @(eventually_now ????) whd in match (exec_step ??);
+         >(prod_eq_lproj ????? sss_func_hyp)
+         >fn_return_simplify
+         whd in match (exec_step ??) in Hexec_step;
+         cases (fn_return sss_func) in Hexec_step;
+         [ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
+         | 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
          normalize nodelta
+         [ 1,2: #H whd in match (ret ??) in H ⊢ %; destruct (H)
+                %{(Returnstate Vundef Kstop (free_list m' (blocks_of_env e')))} @conj try //
+         whd in ⊢ ((??%?) → ?);
+         [ 1: #H destruct (H) %{(Returnstate Vundef Kstop (free_list sss_m_ext (blocks_of_env sss_env_ext)))}
+              @conj try @refl %3{(map (ident×type) ident \fst sss_new_vars)} try //
+                %{(Returnstate Vundef Kstop (free1_list sss_m_ext (blocks_of_env sss_env_ext)))} @conj try //
                 normalize in Heq_env; destruct (Heq_env)
                 %3 //
 …
   *)
+(*
+lemma exec_expr_related : ∀ge,ge',e,m,cond,v,tr.
+  exec_expr ge e m cond = OK ? 〈v,tr〉 →
+  (res_sim ? (exec_expr ge e m cond) (exec_expr ge' e m cond)) →
+  exec_expr ge' e m cond = OK ? 〈v,tr〉.
+#ge #ge' #e #m #cond #v #tr #H *
+[ 1: #Hsim >(Hsim ? H) //
+| 2: * #error >H #Habsurd destruct (Habsurd) ]
+qed. *)
+(*
+lemma switch_simulation :
+∀ge,ge',e,m,cond,f,condsz,condval,switchcases,k,k',condtr,u.
+ switch_cont_sim k k' →
+ (exec_expr ge e m cond=OK (val×trace) 〈Vint condsz condval,condtr〉) →
+ fresh_for_statement (Sswitch cond switchcases) u →
+ ∃tr'.
+ (eventually ge'
+  (λs2':state
+   .switch_state_sim
+    (State f
+     (seq_of_labeled_statement (select_switch condsz condval switchcases))
+     (Kswitch k) e m) s2')
+  (State (function_switch_removal f) (sw_rem (Sswitch cond switchcases) u) k' e m)
+  tr').
+#ge #ge' #e #m #cond #f #condsz #condval #switchcases #k #k' #tr #u #Hsim_cont #Hexec_cond #Hfresh
+whd in match (sw_rem (Sswitch cond switchcases) u);
+whd in match (switch_removal (Sswitch cond switchcases) u);
+cases switchcases in Hfresh;
+[ 1: #default_statement #Hfresh_for_default
+     whd in match (switch_removal_branches ??);
+     whd in match (select_switch ???); whd in match (seq_of_labeled_statement ?);
+     elim (switch_removal_eq default_statement u)
+     #default_statement' * #Hdefault_statement_sf * #Hnew_vars * #u' #Hdefault_statement_eq >Hdefault_statement_eq
+     normalize nodelta
+     cut (u' = (\snd (switch_removal default_statement u)))
+     [ 1: >Hdefault_statement_eq // ] #Heq_u'
+     cut (fresh_for_statement (Sswitch cond (LSdefault default_statement)) u')
+     [ 1: >Heq_u' @switch_removal_fresh @Hfresh_for_default ] -Heq_u' #Heq_u'
+     lapply (fresh_for_univ_still_fresh u' ? Heq_u') cases (fresh ? u')
+     #switch_tmp #uv2 #Hfreshness lapply (Hfreshness ?? (refl ? 〈switch_tmp, uv2〉))
+     -Hfreshness #Heq_uv2 (* We might need to produce some lookup hypotheses here *)
+     normalize nodelta
+     whd in match (simplify_switch (Expr ??) ?? uv2);
+     lapply (fresh_for_univ_still_fresh uv2 ? Heq_uv2) cases (fresh ? uv2)
+     #exit_label #uv3 #Hfreshness lapply (Hfreshness ?? (refl ? 〈exit_label, uv3〉))
+     -Hfreshness #Heq_uv3
+     normalize nodelta whd in match (add_starting_lbl_list ????);
+     lapply (fresh_for_univ_still_fresh uv3 ? Heq_uv3) cases (fresh ? uv3)
+     #default_lab #uv4 #Hfreshness lapply (Hfreshness ?? (refl ? 〈default_lab, uv4〉))
+     -Hfreshness #Heq_uv4
+     normalize nodelta
+     @(eventually_later ge' ?? E0)
+     whd in match (exec_step ??);
+     %{(State (function_switch_removal f)
+          (Sassign (Expr (Evar switch_tmp) (typeof cond)) cond)
+          (Kseq
+          (Ssequence
+            (Slabel default_lab (convert_break_to_goto default_statement' exit_label))
+            (Slabel exit_label Sskip))
+          k') e m)} @conj try //
+     @(eventually_later ge' ?? E0)
+     whd in match (exec_step ??);
+@chthulhu | @chthulhu
+qed. *)

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 2332 for src/Clight/switchRemoval.ma

Legend:

src/Clight/switchRemoval.ma

Download in other formats: