Context Navigation

← Previous Change
Next Change →

memoryInjections.ma

Timestamp:

Nov 15, 2012, 6:12:57 PM (7 years ago)

Author:

garnier

Message:

Floats are gone from the front-end. Some trace amount might remain in RTL/RTLabs, but this should be easily fixable.
Also, work-in-progress in Clight/memoryInjections.ma

File:

: 1 edited

src/Clight/memoryInjections.ma (modified) (35 diffs)

Legend:

: Unmodified
: Added
: Removed

src/Clight/memoryInjections.ma

-                      r2448
+                      r2468
 include "Clight/Cexec.ma".
+include "Clight/MemProperties.ma".
 include "Clight/frontend_misc.ma".
 …
    not allow to prove that the semantics for pointer less-than comparisons is
    conserved). *)
-(* --------------------------------------------------------------------------- *)
-(* Some general lemmas on bitvectors (offsets /are/ bitvectors) *)
-(* --------------------------------------------------------------------------- *)
-lemma add_with_carries_n_O : ∀n,bv. add_with_carries n bv (zero n) false = 〈bv,zero n〉.
-#n #bv whd in match (add_with_carries ????); elim bv //
-#n #hd #tl #Hind whd in match (fold_right2_i ????????);
->Hind normalize
-cases n in tl;
-[ 1: #tl cases hd normalize @refl
-| 2: #n' #tl cases hd normalize @refl ]
-qed.
-lemma addition_n_0 : ∀n,bv. addition_n n bv (zero n) = bv.
-#n #bv whd in match (addition_n ???);
->add_with_carries_n_O //
-qed.
-lemma replicate_Sn : ∀A,sz,elt.
-  replicate A (S sz) elt = elt ::: (replicate A sz elt).
-// qed.
-lemma zero_Sn : ∀n. zero (S n) = false ::: (zero n). // qed.
-lemma negation_bv_Sn : ∀n. ∀xa. ∀a : BitVector n. negation_bv … (xa ::: a) = (notb xa) ::: (negation_bv … a).
-#n #xa #a normalize @refl qed.
-(* useful facts on carry_of *)
-lemma carry_of_TT : ∀x. carry_of true true x = true. // qed.
-lemma carry_of_TF : ∀x. carry_of true false x = x. // qed.
-lemma carry_of_FF : ∀x. carry_of false false x = false. // qed.
-lemma carry_of_lcomm : ∀x,y,z. carry_of x y z = carry_of y x z. * * * // qed.
-lemma carry_of_rcomm : ∀x,y,z. carry_of x y z = carry_of x z y. * * * // qed.
-definition one_bv ≝ λn. (\fst (add_with_carries … (zero n) (zero n) true)).
-lemma one_bv_Sn_aux : ∀n. ∀bits,flags : BitVector (S n).
-    add_with_carries … (zero (S n)) (zero (S n)) true = 〈bits, flags〉 →
-    add_with_carries … (zero (S (S n))) (zero (S (S n))) true = 〈false ::: bits, false ::: flags〉.
-#n elim n
-[ 1: #bits #flags elim (BitVector_Sn … bits) #hd_bits * #tl_bits #Heq_bits
-     elim (BitVector_Sn … flags) #hd_flags * #tl_flags #Heq_flags
-     >(BitVector_O … tl_flags) >(BitVector_O … tl_bits)
-     normalize #Heq destruct (Heq) @refl
-| 2: #n' #Hind #bits #flags elim (BitVector_Sn … bits) #hd_bits * #tl_bits #Heq_bits
-     destruct #Hind >add_with_carries_Sn >replicate_Sn
-     whd in match (zero ?) in Hind; lapply Hind
-     elim (add_with_carries (S (S n'))
-            (false:::replicate bool (S n') false)
-            (false:::replicate bool (S n') false) true) #bits #flags #Heq destruct
-            normalize >add_with_carries_Sn in Hind;
-     elim (add_with_carries (S n') (replicate bool (S n') false)
-                    (replicate bool (S n') false) true) #flags' #bits'
-     normalize
-     cases (match bits' in Vector return λsz:ℕ.(λfoo:Vector bool sz.bool) with
-            [VEmpty⇒true|VCons (sz:ℕ)   (cy:bool)   (tl:(Vector bool sz))⇒cy])
-     normalize #Heq destruct @refl
-] qed.
-lemma one_bv_Sn : ∀n. one_bv (S (S n)) = false ::: (one_bv (S n)).
-#n lapply (one_bv_Sn_aux n)
-whd in match (one_bv ?) in ⊢ (? → (??%%));
-elim (add_with_carries (S n) (zero (S n)) (zero (S n)) true) #bits #flags
-#H lapply (H bits flags (refl ??)) #H2 >H2 @refl
-qed.
-lemma increment_to_addition_n_aux : ∀n. ∀a : BitVector n.
-    add_with_carries ? a (zero n) true = add_with_carries ? a (one_bv n) false.
-#n
-elim n
-[ 1: #a >(BitVector_O … a) normalize @refl
-| 2: #n' cases n'
-     [ 1: #Hind #a elim (BitVector_Sn ? a) #xa * #tl #Heq destruct
-          >(BitVector_O … tl) normalize cases xa @refl
-     | 2: #n'' #Hind #a elim (BitVector_Sn ? a) #xa * #tl #Heq destruct
-          >one_bv_Sn >zero_Sn
-          lapply (Hind tl)
-          >add_with_carries_Sn >add_with_carries_Sn
-          #Hind >Hind elim (add_with_carries (S n'') tl (one_bv (S n'')) false) #bits #flags
-          normalize nodelta elim (BitVector_Sn … flags) #flags_hd * #flags_tl #Hflags_eq >Hflags_eq
-          normalize nodelta @refl
-] qed.
-(* In order to use associativity on increment, we hide it under addition_n. *)
-lemma increment_to_addition_n : ∀n. ∀a : BitVector n. increment ? a = addition_n ? a (one_bv n).
-#n
-whd in match (increment ??) in ⊢ (∀_.??%?);
-whd in match (addition_n ???) in ⊢ (∀_.???%);
-#a lapply (increment_to_addition_n_aux n a)
-#Heq >Heq cases (add_with_carries n a (one_bv n) false) #bits #flags @refl
-qed.
-(* Explicit formulation of addition *)
-(* Explicit formulation of the last carry bit *)
-let rec ith_carry (n : nat) (a,b : BitVector n) (init : bool) on n : bool ≝
-match n return λx. BitVector x → BitVector x → bool with
-[ O ⇒ λ_,_. init
-| S x ⇒ λa',b'.
-  let hd_a ≝ head' … a' in
-  let hd_b ≝ head' … b' in
-  let tl_a ≝ tail … a' in
-  let tl_b ≝ tail … b' in
-  carry_of hd_a hd_b (ith_carry x tl_a tl_b init)
-] a b.
-lemma ith_carry_unfold : ∀n. ∀init. ∀a,b : BitVector (S n).
-  ith_carry ? a b init = (carry_of (head' … a) (head' … b) (ith_carry ? (tail … a) (tail … b) init)).
-#n #init #a #b @refl qed.
-lemma ith_carry_Sn : ∀n. ∀init. ∀xa,xb. ∀a,b : BitVector n.
-  ith_carry ? (xa ::: a) (xb ::: b) init = (carry_of xa xb (ith_carry ? a b init)). // qed.
-(* correction of [ith_carry] *)
-lemma ith_carry_ok : ∀n. ∀init. ∀a,b,res_ab,flags_ab : BitVector (S n).
-  〈res_ab,flags_ab〉 = add_with_carries ? a b init →
-  head' … flags_ab = ith_carry ? a b init.
-#n elim n
-[ 1: #init #a #b #res_ab #flags_ab
-     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
-     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
-     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
-     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
-     destruct
-     >(BitVector_O … tl_a) >(BitVector_O … tl_b)
-     cases hd_a cases hd_b cases init normalize #Heq destruct (Heq)
-     @refl
-| 2: #n' #Hind #init #a #b #res_ab #flags_ab
-     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
-     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
-     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
-     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
-     destruct
-     lapply (Hind … init tl_a tl_b tl_res tl_flags)
-     >add_with_carries_Sn >(ith_carry_Sn (S n'))
-     elim (add_with_carries (S n') tl_a tl_b init) #res_ab #flags_ab
-     elim (BitVector_Sn … flags_ab) #hd_flags_ab * #tl_flags_ab #Heq_flags_ab >Heq_flags_ab
-     normalize nodelta cases hd_flags_ab normalize nodelta
-     whd in match (head' ? (S n') ?); #H1 #H2
-     destruct (H2) lapply (H1 (refl ??)) whd in match (head' ???); #Heq <Heq @refl
-] qed.
-(* Explicit formulation of ith bit of an addition, with explicit initial carry bit. *)
-definition ith_bit ≝ λ(n : nat).λ(a,b : BitVector n).λinit.
-match n return λx. BitVector x → BitVector x → bool with
-[ O ⇒ λ_,_. init
-| S x ⇒ λa',b'.
-  let hd_a ≝ head' … a' in
-  let hd_b ≝ head' … b' in
-  let tl_a ≝ tail … a' in
-  let tl_b ≝ tail … b' in
-  xorb (xorb hd_a hd_b) (ith_carry x tl_a tl_b init)
-] a b.
-lemma ith_bit_unfold : ∀n. ∀init. ∀a,b : BitVector (S n).
-  ith_bit ? a b init =  xorb (xorb (head' … a) (head' … b)) (ith_carry ? (tail … a) (tail … b) init).
-#n #a #b // qed.
-lemma ith_bit_Sn : ∀n. ∀init. ∀xa,xb. ∀a,b : BitVector n.
-  ith_bit ? (xa ::: a) (xb ::: b) init =  xorb (xorb xa xb) (ith_carry ? a b init). // qed.
-(* correction of ith_bit *)
-lemma ith_bit_ok : ∀n. ∀init. ∀a,b,res_ab,flags_ab : BitVector (S n).
-  〈res_ab,flags_ab〉 = add_with_carries ? a b init →
-  head' … res_ab = ith_bit ? a b init.
-#n
-cases n
-[ 1: #init #a #b #res_ab #flags_ab
-     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
-     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
-     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
-     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
-     destruct
-     >(BitVector_O … tl_a) >(BitVector_O … tl_b)
-     >(BitVector_O … tl_flags) >(BitVector_O … tl_res)
-     normalize cases init cases hd_a cases hd_b normalize #Heq destruct @refl
-| 2: #n' #init #a #b #res_ab #flags_ab
-     elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a
-     elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b
-     elim (BitVector_Sn … res_ab) #hd_res * #tl_res #Heq_res
-     elim (BitVector_Sn … flags_ab) #hd_flags * #tl_flags #Heq_flags
-     destruct
-     lapply (ith_carry_ok … init tl_a tl_b tl_res tl_flags)
-     #Hcarry >add_with_carries_Sn elim (add_with_carries ? tl_a tl_b init) in Hcarry;
-     #res #flags normalize nodelta elim (BitVector_Sn … flags) #hd_flags' * #tl_flags' #Heq_flags'
-     >Heq_flags' normalize nodelta cases hd_flags' normalize nodelta #H1 #H2 destruct (H2)
-     cases hd_a cases hd_b >ith_bit_Sn whd in match (head' ???) in H1 ⊢ %;
-     <(H1 (refl ??)) @refl
-] qed.
-(* Transform a function from bit-vectors to bits into a vector by folding *)
-let rec bitvector_fold (n : nat) (v : BitVector n) (f : ∀sz. BitVector sz → bool) on v : BitVector n ≝
-match v with
-[ VEmpty ⇒ VEmpty ?
-| VCons sz elt tl ⇒
-  let bit ≝ f ? v in
-  bit ::: (bitvector_fold ? tl f)
-].
-(* Two-arguments version *)
-let rec bitvector_fold2 (n : nat) (v1, v2 : BitVector n) (f : ∀sz. BitVector sz → BitVector sz → bool) on v1 : BitVector n ≝
-match v1  with
-[ VEmpty ⇒ λ_. VEmpty ?
-| VCons sz elt tl ⇒ λv2'.
-  let bit ≝ f ? v1 v2 in
-  bit ::: (bitvector_fold2 ? tl (tail … v2') f)
-] v2.
-lemma bitvector_fold2_Sn : ∀n,x1,x2,v1,v2,f.
-  bitvector_fold2 (S n) (x1 ::: v1) (x2 ::: v2) f = (f ? (x1 ::: v1) (x2 ::: v2)) ::: (bitvector_fold2 … v1 v2 f). // qed.
-(* These functions pack all the relevant information (including carries) directly. *)
-definition addition_n_direct ≝ λn,v1,v2,init. bitvector_fold2 n v1 v2 (λn,v1,v2. ith_bit n v1 v2 init).
-lemma addition_n_direct_Sn : ∀n,x1,x2,v1,v2,init.
-  addition_n_direct (S n) (x1 ::: v1) (x2 ::: v2) init = (ith_bit ? (x1 ::: v1) (x2 ::: v2) init) ::: (addition_n_direct … v1 v2 init). // qed.
-lemma tail_Sn : ∀n. ∀x. ∀a : BitVector n. tail … (x ::: a) = a. // qed.
-(* Prove the equivalence of addition_n_direct with add_with_carries *)
-lemma addition_n_direct_ok : ∀n,carry,v1,v2.
-  (\fst (add_with_carries n v1 v2 carry)) = addition_n_direct n v1 v2 carry.
-#n elim n
-[ 1: #carry #v1 #v2 >(BitVector_O … v1) >(BitVector_O … v2) normalize @refl
-| 2: #n' #Hind #carry #v1 #v2
-     elim (BitVector_Sn … v1) #hd1 * #tl1 #Heq1
-     elim (BitVector_Sn … v2) #hd2 * #tl2 #Heq2
-     lapply (Hind carry tl1 tl2)
-     lapply (ith_bit_ok ? carry v1 v2)
-     lapply (ith_carry_ok ? carry v1 v2)
-     destruct
-     #Hind >addition_n_direct_Sn
-     >ith_bit_Sn >add_with_carries_Sn
-     elim (add_with_carries n' tl1 tl2 carry) #bits #flags normalize nodelta
-     cases (match flags in Vector return λsz:ℕ.(λfoo:Vector bool sz.bool) with
-            [VEmpty⇒carry|VCons (sz:ℕ)   (cy:bool)   (tl:(Vector bool sz))⇒cy])
-     normalize nodelta #Hcarry' lapply (Hcarry' ?? (refl ??))
-     whd in match head'; normalize nodelta
-     #H1 #H2 >H1 >H2 @refl
-] qed.
-lemma addition_n_direct_ok2 : ∀n,carry,v1,v2.
-  (let 〈a,b〉 ≝ add_with_carries n v1 v2 carry in a) = addition_n_direct n v1 v2 carry.
-#n #carry #v1 #v2 <addition_n_direct_ok
-cases (add_with_carries ????) //
-qed.
-(* trivially lift associativity to our new setting *)
-lemma associative_addition_n_direct : ∀n. ∀carry1,carry2. ∀v1,v2,v3 : BitVector n.
-  addition_n_direct ? (addition_n_direct ? v1 v2 carry1) v3 carry2 =
-  addition_n_direct ? v1 (addition_n_direct ? v2 v3 carry1) carry2.
-#n #carry1 #carry2 #v1 #v2 #v3
-<addition_n_direct_ok <addition_n_direct_ok
-<addition_n_direct_ok <addition_n_direct_ok
-lapply (associative_add_with_carries … carry1 carry2 v1 v2 v3)
-elim (add_with_carries n v2 v3 carry1) #bits #carries normalize nodelta
-elim (add_with_carries n v1 v2 carry1) #bits' #carries' normalize nodelta
-#H @(sym_eq … H)
-qed.
-lemma commutative_addition_n_direct : ∀n. ∀v1,v2 : BitVector n.
-  addition_n_direct ? v1 v2 false = addition_n_direct ? v2 v1 false.
-#n #v1 #v2 /by associative_addition_n, addition_n_direct_ok/
-qed.
-definition increment_direct ≝ λn,v. addition_n_direct n v (one_bv ?) false.
-definition twocomp_neg_direct ≝ λn,v. increment_direct n (negation_bv n v).
-(* fold andb on a bitvector. *)
-let rec andb_fold (n : nat) (b : BitVector n) on b : bool ≝
-match b with
-[ VEmpty ⇒ true
-| VCons sz elt tl ⇒
-  andb elt (andb_fold ? tl)
-].
-lemma andb_fold_Sn : ∀n. ∀x. ∀b : BitVector n. andb_fold (S n) (x ::: b) = andb x (andb_fold … n b). // qed.
-lemma andb_fold_inversion : ∀n. ∀elt,x. andb_fold (S n) (elt ::: x) = true → elt = true ∧ andb_fold n x = true.
-#n #elt #x cases elt normalize #H @conj destruct (H) try assumption @refl
-qed.
-lemma ith_increment_carry : ∀n. ∀a : BitVector (S n).
-  ith_carry … a (one_bv ?) false = andb_fold … a.
-#n elim n
-[ 1: #a elim (BitVector_Sn … a) #hd * #tl #Heq >Heq >(BitVector_O … tl)
-     cases hd normalize @refl
-| 2: #n' #Hind #a
-     elim (BitVector_Sn … a) #hd * #tl #Heq >Heq
-     lapply (Hind … tl) #Hind >one_bv_Sn
-     >ith_carry_Sn whd in match (andb_fold ??);
-     cases hd >Hind @refl
-] qed.
-lemma ith_increment_bit : ∀n. ∀a : BitVector (S n).
-  ith_bit … a (one_bv ?) false = xorb (head' … a) (andb_fold … (tail … a)).
-#n #a
-elim (BitVector_Sn … a) #hd * #tl #Heq >Heq
-whd in match (head' ???);
--a cases n in tl;
-[ 1: #tl >(BitVector_O … tl) cases hd normalize try //
-| 2: #n' #tl >one_bv_Sn >ith_bit_Sn
-     >ith_increment_carry >tail_Sn
-     cases hd try //
-] qed.
-(* Lemma used to prove involutivity of two-complement negation *)
-lemma twocomp_neg_involutive_aux : ∀n. ∀v : BitVector (S n).
-   (andb_fold (S n) (negation_bv (S n) v) =
-    andb_fold (S n) (negation_bv (S n) (addition_n_direct (S n) (negation_bv (S n) v) (one_bv (S n)) false))).
-#n elim n
-[ 1: #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq >(BitVector_O … tl) cases hd @refl
-| 2: #n' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
-     lapply (Hind tl) -Hind #Hind >negation_bv_Sn >one_bv_Sn >addition_n_direct_Sn
-     >andb_fold_Sn >ith_bit_Sn >negation_bv_Sn >andb_fold_Sn <Hind
-     cases hd normalize nodelta
-     [ 1: >xorb_false >(xorb_comm false ?) >xorb_false
-     | 2: >xorb_false >(xorb_comm true ?) >xorb_true ]
-     >ith_increment_carry
-     cases (andb_fold (S n') (negation_bv (S n') tl)) @refl
-] qed.
-(* Test of the 'direct' approach: proof of the involutivity of two-complement negation. *)
-lemma twocomp_neg_involutive : ∀n. ∀v : BitVector n. twocomp_neg_direct ? (twocomp_neg_direct ? v) = v.
-#n elim n
-[ 1: #v >(BitVector_O v) @refl
-| 2: #n' cases n'
-     [ 1: #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
-          >(BitVector_O … tl) normalize cases hd @refl
-     | 2: #n'' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
-          lapply (Hind tl) -Hind #Hind <Hind in ⊢ (???%);
-          whd in match twocomp_neg_direct; normalize nodelta
-          whd in match increment_direct; normalize nodelta
-          >(negation_bv_Sn ? hd tl) >one_bv_Sn >(addition_n_direct_Sn ? (¬hd) false ??)
-          >ith_bit_Sn >negation_bv_Sn >addition_n_direct_Sn >ith_bit_Sn
-          generalize in match (addition_n_direct (S n'')
-                                                   (negation_bv (S n'')
-                                                   (addition_n_direct (S n'') (negation_bv (S n'') tl) (one_bv (S n'')) false))
-                                                   (one_bv (S n'')) false); #tail
-          >ith_increment_carry >ith_increment_carry
-          cases hd normalize nodelta
-          [ 1: normalize in match (xorb false false); >(xorb_comm false ?) >xorb_false >xorb_false
-          | 2: normalize in match (xorb true false); >(xorb_comm true ?) >xorb_true >xorb_false ]
-          <twocomp_neg_involutive_aux
-          cases (andb_fold (S n'') (negation_bv (S n'') tl)) @refl
+      ]
-] qed.
-lemma bitvector_cons_inj_inv : ∀n. ∀a,b. ∀va,vb : BitVector n. a ::: va = b ::: vb → a =b ∧ va = vb.
-#n #a #b #va #vb #H destruct (H) @conj @refl qed.
-lemma bitvector_cons_eq : ∀n. ∀a,b. ∀v : BitVector n. a = b → a ::: v = b ::: v. // qed.
-(* Injectivity of increment *)
-lemma increment_inj : ∀n. ∀a,b : BitVector n.
-  increment_direct ? a = increment_direct ? b →
-  a = b ∧ (ith_carry n a (one_bv n) false = ith_carry n b (one_bv n) false).
-#n whd in match increment_direct; normalize nodelta elim n
-[ 1: #a #b >(BitVector_O … a) >(BitVector_O … b) normalize #_ @conj //
-| 2: #n' cases n'
-   [ 1: #_ #a #b
-        elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a >Heq_a
-        elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b >Heq_b
-        >(BitVector_O … tl_a) >(BitVector_O … tl_b) cases hd_a cases hd_b
-        normalize #H @conj try //
-   | 2: #n'' #Hind #a #b
-        elim (BitVector_Sn … a) #hd_a * #tl_a #Heq_a >Heq_a
-        elim (BitVector_Sn … b) #hd_b * #tl_b #Heq_b >Heq_b
-        lapply (Hind … tl_a tl_b) -Hind #Hind
-        >one_bv_Sn >addition_n_direct_Sn >ith_bit_Sn
-        >addition_n_direct_Sn >ith_bit_Sn >xorb_false >xorb_false
-        #H elim (bitvector_cons_inj_inv … H) #Heq1 #Heq2
-        lapply (Hind Heq2) * #Heq3 #Heq4
-        cut (hd_a = hd_b)
-        [ 1: >Heq4 in Heq1; #Heq5 lapply (xorb_inj (ith_carry ? tl_b (one_bv ?) false) hd_a hd_b)
-             * #Heq6 #_ >xorb_comm in Heq6; >(xorb_comm  ? hd_b) #Heq6 >(Heq6 Heq5)
-             @refl ]
-        #Heq5 @conj [ 1: >Heq3 >Heq5 @refl ]
-        >ith_carry_Sn >ith_carry_Sn >Heq4 >Heq5 @refl
-] qed.
-(* Inverse of injecivity of increment, does not lose information (cf increment_inj) *)
-lemma increment_inj_inv : ∀n. ∀a,b : BitVector n.
-  a = b → increment_direct ? a = increment_direct ? b. // qed.
-(* A more general result. *)
-lemma addition_n_direct_inj : ∀n. ∀x,y,delta: BitVector n.
-  addition_n_direct ? x delta false = addition_n_direct ? y delta false →
-  x = y ∧ (ith_carry n x delta false = ith_carry n y delta false).
-#n elim n
-[ 1: #x #y #delta >(BitVector_O … x) >(BitVector_O … y) >(BitVector_O … delta) * @conj @refl
-| 2: #n' #Hind #x #y #delta
-     elim (BitVector_Sn … x) #hdx * #tlx #Heqx >Heqx
-     elim (BitVector_Sn … y) #hdy * #tly #Heqy >Heqy
-     elim (BitVector_Sn … delta) #hdd * #tld #Heqd >Heqd
-     >addition_n_direct_Sn >ith_bit_Sn
-     >addition_n_direct_Sn >ith_bit_Sn
-     >ith_carry_Sn >ith_carry_Sn
-     lapply (Hind … tlx tly tld) -Hind #Hind #Heq
-     elim (bitvector_cons_inj_inv … Heq) #Heq_hd #Heq_tl
-     lapply (Hind Heq_tl) -Hind * #HindA #HindB
-     >HindA >HindB >HindB in Heq_hd; #Heq_hd
-     cut (hdx = hdy)
-     [ 1: cases hdd in Heq_hd; cases (ith_carry n' tly tld false)
-          cases hdx cases hdy normalize #H try @H try @refl
-          >H try @refl ]
-     #Heq_hd >Heq_hd @conj @refl
-] qed.
-(* We also need it the other way around. *)
-lemma addition_n_direct_inj_inv : ∀n. ∀x,y,delta: BitVector n.
-  x ≠ y → (* ∧ (ith_carry n x delta false = ith_carry n y delta false). *)
-   addition_n_direct ? x delta false ≠ addition_n_direct ? y delta false.
-#n elim n
-[ 1: #x #y #delta >(BitVector_O … x) >(BitVector_O … y) >(BitVector_O … delta) * #H @(False_ind … (H (refl ??)))
-| 2: #n' #Hind #x #y #delta
-     elim (BitVector_Sn … x) #hdx * #tlx #Heqx >Heqx
-     elim (BitVector_Sn … y) #hdy * #tly #Heqy >Heqy
-     elim (BitVector_Sn … delta) #hdd * #tld #Heqd >Heqd
-     #Hneq
-     cut (hdx ≠ hdy ∨ tlx ≠ tly)
-     [ @(eq_bv_elim … tlx tly)
-       [ #Heq_tl >Heq_tl >Heq_tl in Hneq;
-         #Hneq cut (hdx ≠ hdy) [ % #Heq_hd >Heq_hd in Hneq; *
-                                 #H @H @refl ]
-         #H %1 @H
-       | #H %2 @H ] ]
-     -Hneq #Hneq
-     >addition_n_direct_Sn >addition_n_direct_Sn
-     >ith_bit_Sn >ith_bit_Sn cases Hneq
-     [ 1: #Hneq_hd
-          lapply (addition_n_direct_inj … tlx tly tld)
-          @(eq_bv_elim … (addition_n_direct ? tlx tld false) (addition_n_direct ? tly tld false))
-          [ 1: #Heq -Hind #Hind elim (Hind Heq) #Heq_tl >Heq_tl #Heq_carry >Heq_carry
-               % #Habsurd elim (bitvector_cons_inj_inv … Habsurd) -Habsurd
-               lapply Hneq_hd
-               cases hdx cases hdd cases hdy cases (ith_carry ? tly tld false)
-               normalize in ⊢ (? → % → ?); #Hneq_hd #Heq_hd #_
-               try @(absurd … Heq_hd Hneq_hd)
-               elim Hneq_hd -Hneq_hd #Hneq_hd @Hneq_hd
-               try @refl try assumption try @(sym_eq … Heq_hd)
-          | 2: #Htl_not_eq #_ % #Habsurd elim (bitvector_cons_inj_inv … Habsurd) #_
-               elim Htl_not_eq -Htl_not_eq #HA #HB @HA @HB ]
-     | 2: #Htl_not_eq lapply (Hind tlx tly tld Htl_not_eq) -Hind #Hind
-          % #Habsurd elim (bitvector_cons_inj_inv … Habsurd) #_
-          elim Hind -Hind #HA #HB @HA @HB ]
-] qed.
-lemma carry_notb : ∀a,b,c. notb (carry_of a b c) = carry_of (notb a) (notb b) (notb c). * * * @refl qed.
-lemma increment_to_carry_aux : ∀n. ∀a : BitVector (S n).
-   ith_carry (S n) a (one_bv (S n)) false
-   = ith_carry (S n) a (zero (S n)) true.
-#n elim n
-[ 1: #a elim (BitVector_Sn ? a) #hd_a * #tl_a #Heq >Heq >(BitVector_O … tl_a) @refl
-| 2: #n' #Hind #a elim (BitVector_Sn ? a) #hd_a * #tl_a #Heq >Heq
-     lapply (Hind tl_a) #Hind
-     >one_bv_Sn >zero_Sn >ith_carry_Sn >ith_carry_Sn >Hind @refl
-] qed.
-lemma neutral_addition_n_direct_aux : ∀n. ∀v. ith_carry n v (zero n) false = false.
-#n elim n //
-#n' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq >zero_Sn
->ith_carry_Sn >(Hind tl) cases hd @refl.
-qed.
-lemma neutral_addition_n_direct : ∀n. ∀v : BitVector n.
-  addition_n_direct ? v (zero ?) false = v.
-#n elim n
-[ 1: #v >(BitVector_O … v) normalize @refl
-| 2: #n' #Hind #v elim (BitVector_Sn … v) #hd * #tl #Heq >Heq
-     lapply (Hind … tl) #H >zero_Sn >addition_n_direct_Sn
-     >ith_bit_Sn >H >xorb_false >neutral_addition_n_direct_aux
-     >xorb_false @refl
-] qed.
-lemma increment_to_carry_zero : ∀n. ∀a : BitVector n. addition_n_direct ? a (one_bv ?) false = addition_n_direct ? a (zero ?) true.
-#n elim n
-[ 1: #a >(BitVector_O … a) normalize @refl
-| 2: #n' cases n'
-     [ 1: #_ #a elim (BitVector_Sn … a) #hd_a * #tl_a #Heq >Heq >(BitVector_O … tl_a) cases hd_a @refl
-     | 2: #n'' #Hind #a
-          elim (BitVector_Sn … a) #hd_a * #tl_a #Heq >Heq
-          lapply (Hind tl_a) -Hind #Hind
-          >one_bv_Sn >zero_Sn >addition_n_direct_Sn >ith_bit_Sn
-          >addition_n_direct_Sn >ith_bit_Sn
-          >xorb_false >Hind @bitvector_cons_eq
-          >increment_to_carry_aux @refl
+     ]
-] qed.
-lemma increment_to_carry : ∀n. ∀a,b : BitVector n.
-  addition_n_direct ? a (addition_n_direct ? b (one_bv ?) false) false = addition_n_direct ? a b true.
-#n #a #b >increment_to_carry_zero <associative_addition_n_direct
->neutral_addition_n_direct @refl
-qed.
-lemma increment_direct_ok : ∀n,v. increment_direct n v = increment n v.
-#n #v whd in match (increment ??);
->addition_n_direct_ok <increment_to_carry_zero @refl
-qed.
-(* Prove -(a + b) = -a + -b *)
-lemma twocomp_neg_plus : ∀n. ∀a,b : BitVector n.
-  twocomp_neg_direct ? (addition_n_direct ? a b false) = addition_n_direct ? (twocomp_neg_direct … a) (twocomp_neg_direct … b) false.
-whd in match twocomp_neg_direct; normalize nodelta
-lapply increment_inj_inv
-whd in match increment_direct; normalize nodelta
-#H #n #a #b
-<associative_addition_n_direct @H
->associative_addition_n_direct >(commutative_addition_n_direct ? (one_bv n))
->increment_to_carry
--H lapply b lapply a -b -a
-cases n
-[ 1: #a #b >(BitVector_O … a) >(BitVector_O … b) @refl
-| 2: #n' #a #b
-     cut (negation_bv ? (addition_n_direct ? a b false)
-           = addition_n_direct ? (negation_bv ? a) (negation_bv ? b) true ∧
-          notb (ith_carry ? a b false) = (ith_carry ? (negation_bv ? a) (negation_bv ? b) true))
-     [ -n lapply b lapply a elim n'
-     [ 1: #a #b elim (BitVector_Sn … a) #hd_a * #tl_a #Heqa >Heqa >(BitVector_O … tl_a)
-          elim (BitVector_Sn … b) #hd_b * #tl_b #Heqb >Heqb >(BitVector_O … tl_b)
-          cases hd_a cases hd_b normalize @conj @refl
-     | 2: #n #Hind #a #b
-          elim (BitVector_Sn … a) #hd_a * #tl_a #Heqa >Heqa
-          elim (BitVector_Sn … b) #hd_b * #tl_b #Heqb >Heqb
-          lapply (Hind tl_a tl_b) * #H1 #H2
-          @conj
-          [ 2: >ith_carry_Sn >negation_bv_Sn >negation_bv_Sn >ith_carry_Sn
-               >carry_notb >H2 @refl
-          | 1: >addition_n_direct_Sn >ith_bit_Sn >negation_bv_Sn
-               >negation_bv_Sn >negation_bv_Sn
-               >addition_n_direct_Sn >ith_bit_Sn >H1 @bitvector_cons_eq
-               >xorb_lneg >xorb_rneg >notb_notb
-               <xorb_rneg >H2 @refl
+          ]
-      ] ]
-      * #H1 #H2 @H1
-] qed.
-lemma addition_n_direct_neg : ∀n. ∀a.
- (addition_n_direct n a (negation_bv n a) false) = replicate ?? true
- ∧ (ith_carry n a (negation_bv n a) false = false).
-#n elim n
-[ 1: #a >(BitVector_O … a) @conj @refl
-| 2: #n' #Hind #a elim (BitVector_Sn … a) #hd * #tl #Heq >Heq
-     lapply (Hind … tl) -Hind * #HA #HB
-     @conj
-     [ 2: >negation_bv_Sn >ith_carry_Sn >HB cases hd @refl
-     | 1: >negation_bv_Sn >addition_n_direct_Sn
-          >ith_bit_Sn >HB >xorb_false >HA
-          @bitvector_cons_eq elim hd @refl
+     ]
-] qed.
-(* -a + a = 0 *)
-lemma bitvector_opp_direct : ∀n. ∀a : BitVector n. addition_n_direct ? a (twocomp_neg_direct ? a) false = (zero ?).
-whd in match twocomp_neg_direct;
-whd in match increment_direct;
-normalize nodelta
-#n #a <associative_addition_n_direct
-elim (addition_n_direct_neg … a) #H #_ >H
--H -a
-cases n try //
-#n'
-cut ((addition_n_direct (S n') (replicate bool ? true) (one_bv ?) false = (zero (S n')))
-       ∧ (ith_carry ? (replicate bool (S n') true) (one_bv (S n')) false = true))
-[ elim n'
-     [ 1: @conj @refl
-     | 2: #n' * #HA #HB @conj
-          [ 1: >replicate_Sn >one_bv_Sn  >addition_n_direct_Sn
-               >ith_bit_Sn >HA >zero_Sn @bitvector_cons_eq >HB @refl
-          | 2: >replicate_Sn >one_bv_Sn >ith_carry_Sn >HB @refl ]
+     ]
-] * #H1 #H2 @H1
-qed.
-(* Lift back the previous result to standard operations. *)
-lemma twocomp_neg_direct_ok : ∀n. ∀v. twocomp_neg_direct ? v = two_complement_negation n v.
-#n #v whd in match twocomp_neg_direct; normalize nodelta
-whd in match increment_direct; normalize nodelta
-whd in match two_complement_negation; normalize nodelta
->increment_to_addition_n <addition_n_direct_ok
-whd in match addition_n; normalize nodelta
-elim (add_with_carries ????) #a #b @refl
-qed.
-lemma two_complement_negation_plus : ∀n. ∀a,b : BitVector n.
-  two_complement_negation ? (addition_n ? a b) = addition_n ? (two_complement_negation ? a) (two_complement_negation ? b).
-#n #a #b
-lapply (twocomp_neg_plus ? a b)
->twocomp_neg_direct_ok >twocomp_neg_direct_ok >twocomp_neg_direct_ok
-<addition_n_direct_ok <addition_n_direct_ok
-whd in match addition_n; normalize nodelta
-elim (add_with_carries n a b false) #bits #flags normalize nodelta
-elim (add_with_carries n (two_complement_negation n a) (two_complement_negation n b) false) #bits' #flags'
-normalize nodelta #H @H
-qed.
-lemma bitvector_opp_addition_n : ∀n. ∀a : BitVector n. addition_n ? a (two_complement_negation ? a) = (zero ?).
-#n #a lapply (bitvector_opp_direct ? a)
->twocomp_neg_direct_ok <addition_n_direct_ok
-whd in match (addition_n ???);
-elim (add_with_carries n a (two_complement_negation n a) false) #bits #flags #H @H
-qed.
-lemma neutral_addition_n : ∀n. ∀a : BitVector n. addition_n ? a (zero ?) = a.
-#n #a
-lapply (neutral_addition_n_direct n a)
-<addition_n_direct_ok
-whd in match (addition_n ???);
-elim (add_with_carries n a (zero n) false) #bits #flags #H @H
-qed.
-lemma injective_addition_n : ∀n. ∀x,y,delta : BitVector n.
-  addition_n ? x delta = addition_n ? y delta → x = y.
-#n #x #y #delta
-lapply (addition_n_direct_inj … x y delta)
-<addition_n_direct_ok <addition_n_direct_ok
-whd in match addition_n; normalize nodelta
-elim (add_with_carries n x delta false) #bitsx #flagsx
-elim (add_with_carries n y delta false) #bitsy #flagsy
-normalize #H1 #H2 elim (H1 H2) #Heq #_ @Heq
-qed.
-lemma injective_inv_addition_n : ∀n. ∀x,y,delta : BitVector n.
-  x ≠ y → addition_n ? x delta ≠ addition_n ? y delta.
-#n #x #y #delta
-lapply (addition_n_direct_inj_inv … x y delta)
-<addition_n_direct_ok <addition_n_direct_ok
-whd in match addition_n; normalize nodelta
-elim (add_with_carries n x delta false) #bitsx #flagsx
-elim (add_with_carries n y delta false) #bitsy #flagsy
-normalize #H1 #H2 @(H1 H2)
-qed.
 …
 lemma eqZb_reflexive : ∀x:Z. eqZb x x = true. #x /2/. qed.
+(* --------------------------------------------------------------------------- *)
+(* Some shorthands for conversion functions from BitVectorZ. *)
+(* --------------------------------------------------------------------------- *)
+definition Zoub ≝ Z_of_unsigned_bitvector.
+definition boZ ≝ bitvector_of_Z.
+(* Offsets are just bitvectors packed inside some useless and annoying constructor. *)
+definition Zoo ≝ λx. Zoub ? (offv x).
+definition boo ≝ λx. mk_offset (boZ ? x).
 (* --------------------------------------------------------------------------- *)
 …
 (* Front-end values. *)
 inductive value_eq (E : embedding) : val → val → Prop ≝
 | undef_eq : ∀v.
   value_eq E Vundef v
+| undef_eq :
+  value_eq E Vundef Vundef
 | vint_eq : ∀sz,i.
   value_eq E (Vint sz i) (Vint sz i)
-| vfloat_eq : ∀f.
-  value_eq E (Vfloat f) (Vfloat f)
 | vnull_eq :
   value_eq E Vnull Vnull
 …
   load_value_of_type ty m1 b1 off1 = Some ? v1 →
   (∃v2. load_value_of_type ty m2 b2 off2 = Some ? v2 ∧ value_eq E v1 v2).
+(* Adapted from Compcert's Memory *)
+definition non_aliasing : embedding → mem → Prop ≝
+  λE,m.
+  ∀b1,b2,b1',b2',delta1,delta2.
+  b1 ≠ b2 →
+  E b1 = Some ? 〈b1',delta1〉 →
+  E b2 = Some ? 〈b2',delta2〉 →
+  (b1' ≠ b2') ∨
+  high_bound m b1 + (Zoo delta1) ≤ low_bound m b2 + (Zoo delta2) ∨
+  high_bound m b2 + (Zoo delta2) ≤ low_bound m b1 + (Zoo delta1).
 (* Definition of a memory injection *)
 record memory_inj (E : embedding) (m1 : mem) (m2 : mem) : Type[0] ≝
+record memory_inj (E : embedding) (m1 : mem) (m2 : mem) : Prop ≝
 { (* Load simulation *)
   mi_inj : load_sim_ptr E m1 m2;
 …
   (* Regions are preserved *)
   mi_region : ∀b,b',o'. E b = Some ? 〈b',o'〉 → block_region b = block_region b';
+  (* Disjoint blocks are mapped to disjoint blocks. Note that our condition is stronger than compcert's.
+   * This may cause some problems if we reuse this def for the translation from Clight to Cminor, where
+   * all variables are allocated in the same block. *)
+  mi_disjoint : ∀b1,b2,b1',b2',o1',o2'.
+                b1 ≠ b2 →
+                E b1 = Some ? 〈b1',o1'〉 →
+                E b2 = Some ? 〈b2',o2'〉 →
+                b1' ≠ b2'
+}.
+(* Definition of a memory extension. /!\ Not equivalent to the compcert concept. /!\
+ * A memory extension is a [memory_inj] with some particular blocks designated as
+ * being writeable. *)
+alias id "meml" = "cic:/matita/basics/lists/list/mem.fix(0,2,1)".
+record memory_ext (E : embedding) (m1 : mem) (m2 : mem) : Type[0] ≝
+{ me_inj : memory_inj E m1 m2;
+  (* A list of blocks where we can write freely *)
+  me_writeable : list block;
+  (* These blocks are valid *)
+  me_writeable_valid : ∀b. meml ? b me_writeable → valid_block m2 b;
+  (* And pointers to m1 are oblivious to these blocks *)
+  me_writeable_ok : ∀p,p'.
+                     valid_pointer m1 p = true →
+                     pointer_translation p E = Some ? p' →
+                     ¬ (meml ? (pblock p') me_writeable)
+  (* sub-blocks do not overlap (non-aliasing property) *)
+  mi_nonalias : non_aliasing E m1
 }.
 …
   ∀E,p1,v. value_eq E (Vptr p1) v → ∃p2. v = Vptr p2 ∧ pointer_translation p1 E = Some ? p2.
 #E #p1 #v #Heq inversion Heq
 [ 1: #v #Habsurd destruct (Habsurd)
+[ 1: #Habsurd destruct (Habsurd)
 | 2: #sz #i #Habsurd destruct (Habsurd)
+| 3: #f #Habsurd destruct (Habsurd)
+| 4:  #Habsurd destruct (Habsurd)
+| 5: #p1' #p2 #Heq #Heqv #Heqv2 #_ destruct
+| 3:  #Habsurd destruct (Habsurd)
+| 4: #p1' #p2 #Heq #Heqv #Heqv2 #_ destruct
      %{p2} @conj try @refl try assumption
 ] qed.
 …
 lemma value_eq_inversion :
   ∀E,v1,v2. ∀P : val → val → Prop. value_eq E v1 v2 →
   (∀v. P Vundef v) →
+  (P Vundef Vundef) →
   (∀sz,i. P (Vint sz i) (Vint sz i)) →
-  (∀f. P (Vfloat f) (Vfloat f)) →
   (P Vnull Vnull) →
   (∀p1,p2. pointer_translation p1 E = Some ? p2 → P (Vptr p1) (Vptr p2)) →
   P v1 v2.
 #E #v1 #v2 #P #Heq #H1 #H2 #H3 #H4 #H5
+#E #v1 #v2 #P #Heq #H1 #H2 #H3 #H4
 inversion Heq
 [ 1: #v #Hv1 #Hv2 #_ destruct @H1
+[ 1: #Hv1 #Hv2 #_ destruct @H1
 | 2: #sz #i #Hv1 #Hv2 #_ destruct @H2
+| 3: #f #Hv1 #Hv2 #_ destruct @H3
+| 4: #Hv1 #Hv2 #_ destruct @H4
+| 5: #p1 #p2 #Hembed #Hv1 #Hv2 #_ destruct @H5 // ] qed.
+| 3: #Hv1 #Hv2 #_ destruct @H3
+| 4: #p1 #p2 #Hembed #Hv1 #Hv2 #_ destruct @H4 // ] qed.
 (* If we succeed to load something by value from a 〈b,off〉 location,
    [b] is a valid block. *)
 …
 #ty #m * #brg #bid #off #v
 cases ty
 [ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
 | 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
+[ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
+| #structname #fieldspec | #unionname #fieldspec | #id ]
 whd in match (load_value_of_type ????);
 [ 1,7,8: #_ #Habsurd destruct (Habsurd) ]
+[ 1,6,7: #_ #Habsurd destruct (Habsurd) ]
 #Hmode
 [ 1,2,3,6: [ 1: elim sz | 2: elim fsz ]
+[ 1,2,5: [ 1: elim sz ]
      normalize in match (typesize ?);
      whd in match (loadn ???);
 …
 #ty #m * #brg #bid #off #v
 cases ty
 [ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
 | 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
+[ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
+| #structname #fieldspec | #unionname #fieldspec | #id ]
 whd in match (load_value_of_type ????);
 [ 1,7,8: #_ #Habsurd destruct (Habsurd) ]
+[ 1,6,7: #_ #Habsurd destruct (Habsurd) ]
 #Hmode
 [ 1,2,3,6: [ 1: elim sz | 2: elim fsz ]
+[ 1,2,5: [ 1: elim sz  ]
      normalize in match (typesize ?);
      whd in match (loadn ???);
 …
 ] qed.
-lemma valid_block_from_bool : ∀b,m. Zltb (block_id b) (nextblock m) = true → valid_block m b.
-* #rg #id #m normalize
-elim id /2/ qed.
-lemma valid_block_to_bool : ∀b,m. valid_block m b → Zltb (block_id b) (nextblock m) = true.
-* #rg #id #m normalize
-elim id /2/ qed.
 lemma load_by_value_success_valid_block :
   ∀ty,m,b,off,v.
 …
     valid_block m b.
 #ty #m #b #off #v #Haccess_mode #Hload
 @valid_block_from_bool
+@Zltb_true_to_Zlt
 elim (load_by_value_success_valid_ptr_aux ty m b off v Haccess_mode Hload) * //
 qed.
 …
 qed.
+(* Making explicit the contents of memory_inj for load_value_of_type *)
+(* Making explicit the contents of memory_inj for load_value_of_type.
+ * Equivalent to Lemma 59 of Leroy & Blazy *)
 lemma load_value_of_type_inj : ∀E,m1,m2,b1,off1,v1,b2,off2,ty.
     memory_inj E m1 m2 →
 …
 lapply (refl ? (access_mode ty))
 cases ty
 [ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
 | 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
+[ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
+| #structname #fieldspec | #unionname #fieldspec | #id ]
 normalize in ⊢ ((???%) → ?); #Hmode #Hyp
 [ 1,7,8: normalize in Hyp; destruct (Hyp)
 | 5,6: normalize in Hyp ⊢ %; destruct (Hyp) /3 by ex_intro, conj, vptr_eq/ ]
+[ 1,6,7: normalize in Hyp; destruct (Hyp)
+| 4,5: normalize in Hyp ⊢ %; destruct (Hyp) /3 by ex_intro, conj, vptr_eq/ ]
 lapply (load_by_value_success_valid_pointer … Hmode … Hyp) #Hvalid_pointer
 lapply (mi_inj … Hinj b1 off1 b2 off2 … Hvalid_pointer Hembed Hyp) #H @H
 qed.
+qed.
 (* -------------------------------------- *)
 …
 whd in Halloc:(??%?); destruct (Halloc)
 whd in match (beloadv ??) in ⊢ (??%%);
 lapply (valid_block_to_bool … Hvalid) #Hlt
+lapply (Zlt_to_Zltb_true … Hvalid) #Hlt
 >Hlt >(zlt_succ … Hlt)
 normalize nodelta whd in match (update_block ?????); whd in match (eq_block ??);
 cut (eqZb (block_id block) next = false)
 [ lapply (Zltb_true_to_Zlt … Hlt) #Hlt' @eqZb_false /2/ ] #Hneq
+[ lapply (Zltb_true_to_Zlt … Hlt) #Hlt' @eqZb_false /2 by not_to_not/ ] #Hneq
 >Hneq cases (eq_region ??) normalize nodelta  @refl
 qed.
 …
 (* Memory allocation preserves [memory_inj] *)
 lemma alloc_memory_inj :
+  ∀E:embedding.∀m1,m2,m2',z1,z2,r,new_block. ∀H:memory_inj E m1 m2.
+  ∀E:embedding.
+  ∀m1,m2,m2',z1,z2,r,new_block.
+  ∀H:memory_inj E m1 m2.
   alloc m2 z1 z2 r = 〈m2', new_block〉 →
   memory_inj E m1 m2'.
 …
   lapply (refl ? (access_mode ty))
   cases ty in Hload_eq;
   [ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
   | 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
+  [ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
+  | #structname #fieldspec | #unionname #fieldspec | #id ]
   #Hload normalize in ⊢ ((???%) → ?); #Haccess
   [ 1,7,8: normalize in Hload; destruct (Hload)
   | 2,3,4,9: whd in match (load_value_of_type ????);
+  [ 1,6,7: normalize in Hload; destruct (Hload)
+  | 2,3,8: whd in match (load_value_of_type ????);
      whd in match (load_value_of_type ????);
      lapply (load_by_value_success_valid_block … Haccess Hload)
 …
      <(alloc_loadn_conservation … Halloc … Hvalid_block)
      @Hload
   | 5,6: whd in match (load_value_of_type ????) in Hload ⊢ %; @Hload ]
+  | 4,5: whd in match (load_value_of_type ????) in Hload ⊢ %; @Hload ]
 | 2: @(mi_freeblock … Hmemory_inj)
 | 3: #p #p' #Hvalid #Hptr_trans lapply (mi_valid_pointers … Hmemory_inj p p' Hvalid Hptr_trans)
 …
      cases (eq_region br' r) normalize #H @H
 | 4: @(mi_region … Hmemory_inj)
+| 5: @(mi_disjoint … Hmemory_inj)
+] qed.
+(* Memory allocation induces a memory extension. *)
+lemma alloc_memory_ext :
+  ∀E:embedding.∀m1,m2,m2',z1,z2,r,new_block. ∀H:memory_inj E m1 m2.
+  alloc m2 z1 z2 r = 〈m2', new_block〉 →
+  memory_ext E m1 m2'.
+#E #m1 #m2 #m2' #z1 #z2 #r * #new_block #Hblock_region_eq #Hmemory_inj #Halloc
+lapply (alloc_memory_inj … Hmemory_inj Halloc)
+#Hinj' %
+[ 1: @Hinj'
+| 2: @[new_block]
+| 3: #b normalize in ⊢ (%→ ?); * [ 2: #H @(False_ind … H) ]
+      #Heq destruct (Heq) whd elim m2 in Halloc;
+      #Hcontents #nextblock #Hnextblock
+      whd in ⊢ ((??%?) → ?); #Heq destruct (Heq)
+      /2/
+| 4: * #b #o * #b' #o' #Hvalid_ptr #Hembed %
+     normalize in ⊢ (% → ?); * [ 2: #H @H ]
+     #Heq destruct (Heq)
+     lapply (mi_valid_pointers … Hmemory_inj … Hvalid_ptr Hembed)
+     whd in ⊢ (% → ?);
+     (* contradiction because ¬ (valid_block m2 new_block)  *)
+     elim m2 in Halloc;
+     #contents_m2 #nextblock_m2 #Hnextblock_m2
+     whd in ⊢ ((??%?) → ?);
+     #Heq_alloc destruct (Heq_alloc)
+     normalize
+     lapply (irreflexive_Zlt nextblock_m2)
+     @Zltb_elim_Type0
+     [ #H * #Habsurd @(False_ind … (Habsurd H)) ] #_ #_ normalize #Habsurd destruct (Habsurd)
+] qed.
+| 5: @(mi_nonalias … Hmemory_inj)
+qed.
+(* ---------------------------------------------------------- *)
+(* Lemma 40 of the paper of Leroy & Blazy on the memory model
+ * and related lemmas *)
 lemma bestorev_beloadv_conservation :
 …
 #mA #mB #wb #wo #v #Hstore #rb #ro #Hneq #ty
 cases ty
+[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
+| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ] try //
+[ 1: elim sz | 2: elim fsz | 3: | 4: ]
+[ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
+| #structname #fieldspec | #unionname #fieldspec | #id ]
+//
+[ 1: elim sz ]
 whd in ⊢ (??%%);
 >(bestorev_loadn_conservation … Hstore … Hneq) @refl
 qed.
+(* Writing in the "extended" part of a memory preserves the underlying injection *)
+lemma bestorev_memory_ext_to_load_sim :
+(* lift [bestorev_load_value_of_type_conservation] to storen *)
+lemma storen_load_value_of_type_conservation :
+  ∀l,mA,mB,wb,wo.
+    storen mA (mk_pointer wb wo) l = Some ? mB →
+    ∀rb,ro. eq_block wb rb = false →
+    ∀ty.load_value_of_type ty mA rb ro = load_value_of_type ty mB rb ro.
+#l elim l
+[ 1: #mA #mB #wb #wo normalize #Heq destruct //
+| 2: #hd #tl #Hind #mA #mB #wb #wo #Hstoren
+     cases (some_inversion ????? Hstoren) #mA' * #Hbestorev #Hstoren'
+     whd in match (shift_pointer ???) in Hstoren':(??%?); #rb #ro #Hneq_block #ty
+     lapply (Hind ???? Hstoren' … ro … Hneq_block ty) #Heq1
+     lapply (bestorev_load_value_of_type_conservation … Hbestorev … ro … Hneq_block ty) #Heq2
+     //
+] qed.
+definition typesize' ≝ λty. typesize (typ_of_type ty).
+lemma storen_load_value_of_type_conservation_in_block_high :
+  ∀E,mA,mB,mC,wo,l.
+    memory_inj E mA mB →
+    ∀blo. storen mB (mk_pointer blo wo) l = Some ? mC →
+    ∀b1,delta. E b1 = Some ? 〈blo,delta〉 →
+    high_bound mA b1 + Zoo delta < Zoo wo →
+    ∀ty,off.
+       Zoo off + Z_of_nat (typesize' ty) < high_bound mA b1 →
+       low_bound … mA b1 ≤ Zoo off →
+       Zoo off < high_bound … mA b1 →
+       load_value_of_type ty mB blo (mk_offset (addition_n ? (offv off) (offv delta))) =
+       load_value_of_type ty mC blo (mk_offset (addition_n ? (offv off) (offv delta))).
+#E #mA #mB #mC #wo #data #Hinj #blo #Hstoren #b1 #delta #Hembed #Hhigh #ty
+(* need some stuff asserting that if a ptr is valid at the start of a write it's valid at the end. *)
+cases data in Hstoren;
+[ 1: normalize in ⊢ (% → ?); #Heq destruct //
+| 2: #xd #data ]
+#Hstoren
+cases ty
+[ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
+| #structname #fieldspec | #unionname #fieldspec | #id ]#off #Hofflt #Hlow_load #Hhigh_load try @refl
+whd in match (load_value_of_type ????) in ⊢ (??%%);
+[ 1: lapply (storen_to_valid_pointer … Hstoren) * * #Hbounds #Hbefore #Hafter
+     lapply Hofflt -Hofflt lapply Hlow_load -Hlow_load lapply Hhigh_load -Hhigh_load
+     lapply off -off whd in match typesize'; normalize nodelta
+     generalize in match (typesize ?); #n elim n try //
+     #n' #Hind #o #Hhigh_load #Hlow_load #Hlt
+     whd in match (loadn ???) in ⊢ (??%%);
+     whd in match (beloadv ??) in ⊢ (??%%);
+     cases (valid_pointer_to_Prop … Hbefore) * #HltB_store #HlowB_store #HhighB_store
+     cases (valid_pointer_to_Prop … Hafter) * #HltC_store #HlowC_store #HhighC_store
+     >(Zlt_to_Zltb_true … HltB_store) >(Zlt_to_Zltb_true … HltC_store) normalize nodelta
+     cut (Zleb (low (blocks mB blo)) (Z_of_unsigned_bitvector ? (addition_n ? (offv o) (offv delta))) = true)
+     [ 1: (* Notice that:
+                low mA b1 ≤ o < high mA b1
+             hence, since E b1 = 〈blo, delta〉 with delta >= 0
+                low mB blo ≤ (low mA b1 + delta) ≤ o+delta < (high mA b1 + delta) ≤ high mB blo *)
+          @cthulhu ]
+     #HA >HA >andb_lsimpl_true -HA
+     cut (Zltb (Z_of_unsigned_bitvector ? (addition_n ? (offv o) (offv delta))) (high (blocks mB blo)) = true)
+     [ 1: (* Same argument as above *) @cthulhu ]
+     #HA >HA normalize nodelta -HA
+     cut (Zleb (low (blocks mC blo)) (Z_of_unsigned_bitvector ? (addition_n ? (offv o) (offv delta))) = true)
+     [ 1: (* Notice that storen does not modify the bounds of a block. Related lemma present in [MemProperties].
+             This cut follows from this lemma (which needs some info on the size of the data written, which we
+             have but must make explicit) and from the first cut. *)
+          @cthulhu ]
+     #HA >HA >andb_lsimpl_true -HA
+     cut (Zltb (Z_of_unsigned_bitvector ? (addition_n ? (offv o) (offv delta))) (high (blocks mC blo)) = true)
+     [ 1: (* Same argument as above *) @cthulhu ]
+     #HA >HA normalize nodelta -HA
+     normalize in match (bitvector_of_nat ??); whd in match (shift_pointer ???);
+     whd in match (shift_offset ???); >commutative_addition_n >associative_addition_n
+     lapply (Hind (mk_offset (addition_n offset_size (sign_ext 2 ? [[false; true]]) (offv o))) ???)
+     [ 1: (* Provable from Hlt *) @cthulhu
+     | 2: (* Provable from Hlow_load, need to make a "succ" commute from bitvector to Z *) @cthulhu
+     | 3: (* Provable from Hlt, again *) @cthulhu ]
+     cases (loadn mB (mk_pointer blo
+              (mk_offset (addition_n ? (addition_n ?
+                 (sign_ext 2 offset_size [[false; true]]) (offv o)) (offv delta)))) n')
+     normalize nodelta
+     cases (loadn mC (mk_pointer blo
+              (mk_offset (addition_n ? (addition_n ?
+                 (sign_ext 2 offset_size [[false; true]]) (offv o)) (offv delta)))) n')
+     normalize nodelta try //
+     [ 1,2: #l #Habsurd destruct ]
+     #l1 #l2 #Heq
+     cut (contents (blocks mB blo) (Z_of_unsigned_bitvector ? (addition_n ? (offv o) (offv delta))) =
+          contents (blocks mC blo) (Z_of_unsigned_bitvector ? (addition_n ? (offv o) (offv delta))))
+     [ 1: (* Follows from Hhigh, indirectly *) @cthulhu ]
+     #Hcontents_eq >Hcontents_eq whd in match (be_to_fe_value ??) in ⊢ (??%%);
+     cases (contents (blocks mC blo) (Z_of_unsigned_bitvector ? (addition_n ? (offv o) (offv delta))))
+     normalize nodelta try //
+     (* Ok this is going to be more painful than what I thought. *)
+     @cthulhu
+| *: @cthulhu
+] qed.
+lemma storen_load_value_of_type_conservation_in_block_low :
+  ∀E,mA,mB,mC,wo,l.
+    memory_inj E mA mB →
+    ∀blo. storen mB (mk_pointer blo wo) l = Some ? mC →
+    ∀b1,delta. E b1 = Some ? 〈blo,delta〉 →
+    Zoo wo < low_bound mA b1 + Zoo delta →
+    ∀ty,off.
+       Zoo off + Z_of_nat (typesize' ty) < high_bound mA b1 →
+       low_bound … mA b1 ≤ Zoo off →
+       Zoo off < high_bound … mA b1 →
+       load_value_of_type ty mB blo (mk_offset (addition_n ? (offv off) (offv delta))) =
+       load_value_of_type ty mC blo (mk_offset (addition_n ? (offv off) (offv delta))).
+@cthulhu
+qed.
+(* Writing in the "extended" part of a memory preserves the underlying injection. *)
+lemma bestorev_memory_inj_to_load_sim :
   ∀E,mA,mB,mC.
+  ∀Hext:memory_ext E mA mB.
+  ∀wb,wo,v. meml ? wb (me_writeable … Hext) →
+  bestorev mB (mk_pointer wb wo) v = Some ? mC →
+  ∀Hext:memory_inj E mA mB.
+  ∀block2. ∀i : offset. ∀ty : type.
+  (∀block1,delta.
+    E block1 = Some ? 〈block2, delta〉 →
+    (high_bound mA block1 + (Zoo delta) < (Zoo i)) ∨ (Zoo i + (sizeof ty) ≤ (low_bound mA block1 + (Zoo delta)))) →
+  ∀v.store_value_of_type ty mB block2 i v = Some ? mC →
   load_sim_ptr E mA mC.
+#E #mA #mB #mC #Hext #wb #wo #v #Hwb #Hstore whd
+#b1 #off1 #b2 #off2 #ty #v1 #Hvalid #Hembed #Hload
+(* Show that (wb ≠ b2) by showing b2 ∉ (me_writeable ...) *)
+lapply (me_writeable_ok … Hext (mk_pointer b1 off1) (mk_pointer b2 off2) Hvalid Hembed) #Hb2
+lapply (mem_not_mem_neq … Hwb Hb2) #Hwb_neq_b2
+cut ((eq_block wb b2) = false) [ @neq_block_eq_block_false @Hwb_neq_b2 ] #Heq_block_false
+<(bestorev_load_value_of_type_conservation … Hstore … Heq_block_false)
+@(mi_inj … (me_inj … Hext) … Hvalid  … Hembed …  Hload)
+qed.
+(* Writing in the "extended" part of a memory preserves the whole memory injection *)
+lemma bestorev_memory_ext_to_memory_inj :
+#E #mA #mB #mC #Hinj #block2 #i #storety
+cases storety
+[ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
+| #structname #fieldspec | #unionname #fieldspec | #id ]#Hout #storeval #Hstore whd
+#b1 #off1 #b2 #off2 #ty #readval #Hvalid #Hptr_trans #Hload_value
+whd in Hstore:(??%?);
+[  1,5,6,7,8: destruct ]
+[ 1:
+lapply (mi_inj … Hinj … Hvalid … Hptr_trans … Hload_value)
+lapply Hload_value -Hload_value
+cases ty
+[ | #sz' #sg' | #ptr_ty' | #array_ty' #array_sz' | #domain' #codomain'
+| #structname' #fieldspec' | #unionname' #fieldspec' | #id' ]
+#Hload_value
+(* Prove that the contents of mB where v1 was were untouched. *)
+* #readval' * #Hload_value2 #Hvalue_eq %{readval'} @conj try assumption
+cases (some_inversion ????? Hptr_trans) * #b2' #delta' * #Hembed -Hptr_trans normalize nodelta
+#Heq destruct (Heq)
+@(eq_block_elim  … b2 block2)
+[ 2,4,6,8: #Hblocks_neq <Hload_value2 @sym_eq @(storen_load_value_of_type_conservation … Hstore)
+           @not_eq_block @sym_neq @Hblocks_neq
+| 1,3,5,7: #Heq destruct (Heq) lapply (Hout … Hembed) *
+           [ 1,3,5,7: #Hhigh <Hload_value2 -Hload_value2 @sym_eq
+                      lapply (load_by_value_success_valid_ptr_aux … Hload_value) //
+                      * * #Hlt #Hlowb_off1 #Hhighb_off1
+                      lapply (Zleb_true_to_Zle … Hlowb_off1) #Hlow_off1 -Hlowb_off1
+                      lapply (Zltb_true_to_Zlt … Hhighb_off1) #Hhigh_off1 -Hhighb_off1
+                      @(storen_load_value_of_type_conservation_in_block_high … Hinj … Hstore … Hembed)
+                      try //
+                      (* remaining stuff provable from Hload_value  *)
+                      @cthulhu
+           | 2,4,6,8: #Hlow <Hload_value2 -Hload_value2 @sym_eq
+                      lapply (load_by_value_success_valid_ptr_aux … Hload_value) //
+                      * * #Hlt #Hlowb_off1 #Hhighb_off1
+                      lapply (Zleb_true_to_Zle … Hlowb_off1) #Hlow_off1 -Hlowb_off1
+                      lapply (Zltb_true_to_Zlt … Hhighb_off1) #Hhigh_off1 -Hhighb_off1
+                      @(storen_load_value_of_type_conservation_in_block_low … Hinj … Hstore … Hembed)
+                      try //
+                      [ 1,3,5,7: (* deductible from Hlow + (sizeof ?) > 0 *) @cthulhu
+                      | 2,4,6,8: (* deductible from Hload_value *) @cthulhu ]
+           ]
+]
+| *: (* exactly the same proof as above  *) @cthulhu ]
+qed.
+(* Lift the above result to memory_inj
+ * This is Lemma 40 of Leroy & Blazy *)
+lemma bestorev_memory_inj_to_memory_inj :
   ∀E,mA,mB,mC.
+  ∀Hext:memory_ext E mA mB.
+  ∀wb,wo,v. meml ? wb (me_writeable … Hext) →
+  bestorev mB (mk_pointer wb wo) v = Some ? mC →
+  ∀Hext:memory_inj E mA mB.
+  ∀block2. ∀i : offset. ∀ty : type.
+  (∀block1,delta.
+    E block1 = Some ? 〈block2, delta〉 →
+    (high_bound mA block1 + (Zoo delta) < (Zoo i)) ∨ (Zoo i + (sizeof ty) ≤ (low_bound mA block1 + (Zoo delta)))) →
+  ∀v.store_value_of_type ty mB block2 i v = Some ? mC →
   memory_inj E mA mC.
+#E #mA * #contentsB #nextblockB #HnextblockB #mC
+#Hext #wb #wo #v #Hwb #Hstore
+%
+[ 1: @(bestorev_memory_ext_to_load_sim … Hext … Hwb Hstore) ]
+elim Hext in Hwb; * #Hinj #Hvalid #Hcodomain #Hregion #Hdisjoint #writeable #Hwriteable_valid #Hwriteable_ok
+#Hmem
+[ 1: @Hvalid | 3: @Hregion | 4: @Hdisjoint ] -Hvalid -Hregion -Hdisjoint
+whd in Hstore:(??%?); lapply (Hwriteable_valid … Hmem)
+normalize in ⊢ (% → ?); #Hlt_wb
+#p #p' #HvalidA #Hembed lapply (Hcodomain … HvalidA Hembed) -Hcodomain
+normalize in match (valid_pointer ??) in ⊢ (% → %);
+>(Zlt_to_Zltb_true … Hlt_wb) in Hstore; normalize nodelta
+cases (Zleb (low (contentsB wb)) (Z_of_unsigned_bitvector offset_size (offv wo))
+       ∧Zltb (Z_of_unsigned_bitvector offset_size (offv wo)) (high (contentsB wb)))
+normalize nodelta
+[ 2: #Habsurd destruct (Habsurd) ]
+#Heq destruct (Heq)
+cases (Zltb (block_id (pblock p')) nextblockB) normalize nodelta
+[ 2: #H @H ]
+whd in match (update_block ?????);
+cut (eq_block (pblock p') wb = false)
+[ 2: #Heq >Heq normalize nodelta #H @H ]
+@neq_block_eq_block_false @sym_neq
+@(mem_not_mem_neq writeable … Hmem)
+@(Hwriteable_ok … HvalidA Hembed)
+qed.
+(* It even preserves memory extensions, with the same writeable blocks.  *)
+lemma bestorev_memory_ext_to_memory_ext :
+  ∀E,mA,mB.
+  ∀Hext:memory_ext E mA mB.
+  ∀wb,wo,v. meml ? wb (me_writeable … Hext) →
+  ∀mC.bestorev mB (mk_pointer wb wo) v = Some ? mC →
+  ΣExt:memory_ext E mA mC.(me_writeable … Hext = me_writeable … Ext).
+#E #mA #mB #Hext #wb #wo #v #Hmem #mC #Hstore
+%{(mk_memory_ext …
+      (bestorev_memory_ext_to_memory_inj … Hext … Hmem … Hstore)
+      (me_writeable … Hext)
+      ?
+      (me_writeable_ok … Hext)
+ )} try @refl
+#b #Hmemb
+lapply (me_writeable_valid … Hext b Hmemb)
+lapply (me_writeable_valid … Hext wb Hmem)
+elim mB in Hstore; #contentsB #nextblockB #HnextblockB #Hstore #Hwb_valid #Hb_valid
+lapply Hstore normalize in Hwb_valid Hb_valid ⊢ (% → ?);
+>(Zlt_to_Zltb_true … Hwb_valid) normalize nodelta
+cases (if Zleb (low (contentsB wb)) (Z_of_unsigned_bitvector 16 (offv wo))
+       then Zltb (Z_of_unsigned_bitvector 16 (offv wo)) (high (contentsB wb))
+       else false)
+normalize [ 2: #Habsurd destruct (Habsurd) ]
+#Heq destruct (Heq) @Hb_valid
+qed.
+(* Lift [bestorev_memory_ext_to_memory_ext] to storen *)
+lemma storen_memory_ext_to_memory_ext :
+  ∀E,mA,l,mB,mC.
+  ∀Hext:memory_ext E mA mB.
+  ∀wb,wo. meml ? wb (me_writeable … Hext) →
+  storen mB (mk_pointer wb wo) l = Some ? mC →
+  memory_ext E mA mC.
+#E #mA #l elim l
+[ 1: #mB #mC #Hext #wb #wo #Hmem normalize in ⊢ (% → ?); #Heq destruct (Heq)
+     @Hext
+| 2: #hd #tl #Hind #mB #mC #Hext #wb #wo #Hmem
+     whd in ⊢ ((??%?) → ?);
+     lapply (bestorev_memory_ext_to_memory_ext … Hext … wb wo hd Hmem)
+     cases (bestorev mB (mk_pointer wb wo) hd)
+     normalize nodelta
+     [ 1: #H #Habsurd destruct (Habsurd) ]
+     #mD #H lapply (H mD (refl ??)) * #HextD #Heq #Hstore
+     @(Hind … HextD … Hstore)
+     <Heq @Hmem
+] qed.
+(* Lift [storen_memory_ext_to_memory_ext] to store_value_of_type *)
+lemma store_value_of_type_memory_ext_to_memory_ext :
+  ∀E,mA,mB,mC.
+  ∀Hext:memory_ext E mA mB.
+  ∀wb,wo. meml ? wb (me_writeable … Hext) →
+  ∀ty,v.store_value_of_type ty mB wb wo v = Some ? mC →
+  memory_ext E mA mC.
+#E #mA #mB #mC #Hext #wb #wo #Hmem #ty #v
+cases ty
+[ 1: | 2: #sz #sg | 3: #fsz | 4: #ptr_ty | 5: #array_ty #array_sz | 6: #domain #codomain
+| 7: #structname #fieldspec | 8: #unionname #fieldspec | 9: #id ]
+whd in ⊢ ((??%?) → ?);
+[ 1,5,6,7,8: #Habsurd destruct (Habsurd) ]
+#Hstore
+@(storen_memory_ext_to_memory_ext … Hext … Hmem … Hstore)
+qed.
+(* Commutation results of standard binary operations with value_eq. *)
+#E #mA #mB #mC #Hinj #block2 #i #ty #Hout #v #Hstore %
+lapply (bestorev_memory_inj_to_load_sim … Hinj … Hout … Hstore) #Hsim try //
+cases Hinj #Hsim' #Hnot_valid #Hvalid #Hregion #Hnonalias try assumption
+#p #p' #Hptr #Hptr_trans lapply (Hvalid p p' Hptr Hptr_trans) #Hvalid
+cases ty in Hstore;
+[ | #sz' #sg' | #ptr_ty' | #array_ty' #array_sz' | #domain' #codomain'
+| #structname' #fieldspec' | #unionname' #fieldspec' | #id' ]
+whd in ⊢ ((??%?) → ?);
+[ 1,4,5,6,7: #Habsurd destruct ]
+cases (fe_to_be_values ??)
+[ 1,3,5,7: whd in ⊢ ((??%?) → ?); #Heq <Hvalid -Hvalid destruct @refl
+| *: #hd #tl #Hstoren cases (storen_to_valid_pointer … Hstoren) * * #Hbounds #Hnext #_ #_
+     @valid_pointer_of_Prop cases (valid_pointer_to_Prop … Hvalid) * #Hnext' #Hlow #Hhigh
+     @conj try @conj try assumption >Hnext try //
+     cases (Hbounds (pblock p')) #HA #HB
+     whd in match (low_bound ??); whd in match (high_bound ??);
+     >HA >HB try assumption
+] qed.
+(* ---------------------------------------------------------- *)
+(* Lemma 41 of the paper of Leroy & Blazy on the memory model
+ * and related lemmas *)
+(* The back-end might contain something similar to this lemma. *)
+lemma be_to_fe_value_ptr :
+  ∀b,o. (be_to_fe_value ASTptr (fe_to_be_values ASTptr (Vptr (mk_pointer b o))) = Vptr (mk_pointer b o)).
+#b * #o whd in ⊢ (??%%); normalize cases b #br #bid normalize nodelta
+cases br normalize nodelta >eqZb_z_z normalize nodelta
+cases (vsplit_eq bool 7 8 … o) #lhs * #rhs #Heq
+<(vsplit_prod … Heq) >eq_v_true normalize nodelta try @refl
+* //
+qed.
+lemma value_eq_to_be_and_back_again :
+  ∀E,ty,v1,v2.
+  value_eq E v1 v2 →
+  ast_typ_consistent_with_value ty v1 →
+  ast_typ_consistent_with_value ty v2 →
+  value_eq E (be_to_fe_value ty (fe_to_be_values ty v1 )) (be_to_fe_value ty (fe_to_be_values ty v2)).
+#E #ty #v1 #v2 #Hvalue_eq
+@(value_eq_inversion … Hvalue_eq) try //
+[ 1: cases ty //
+| 2: #sz #i cases ty
+     [ 2: @False_ind
+     | 1: #sz' #sg #H whd in ⊢ (% → ?); #Heq
+          lapply (fe_to_be_to_fe_value … H) #H >H // ]
+| 3: #p1 #p2 #Hembed cases ty
+     [ 1: #sz #sg @False_ind
+     | 2: #_ #_
+          cases p1 in Hembed; #b1 #o1
+          cases p2 #b2 #o2 whd in ⊢ ((??%%) → ?); #H
+          cases (some_inversion ????? H) * #b3 #o3 * #Hembed
+          normalize nodelta #Heq >be_to_fe_value_ptr >be_to_fe_value_ptr
+          destruct %4 whd in match (pointer_translation ??);
+          >Hembed normalize nodelta @refl
+     ]
+] qed.
+lemma storen_parallel_memory_exists :
+  ∀E,m1,m2,m1',b1,i,b2,delta,ty,v1,v2.
+  memory_inj E m1 m2 →
+  value_eq E v1 v2 →
+  storen m1 (mk_pointer b1 i) (fe_to_be_values ty v1) = Some ? m1' →
+  E b1 = Some ? 〈b2, delta〉 →
+  ∃m2'. storen m2 (mk_pointer b2 (offset_plus i delta)) (fe_to_be_values ty v2) = Some ? m2'.
+@cthulhu qed.
+  (*
+#E #m1 #m2 #m1' #b1 #i #b2 #delta #ty #v1 #v2 #Hinj #Hvalue_eq
+@(value_eq_inversion … Hvalue_eq)
+[ 1: #v #Hstoren *)
+lemma storen_parallel_aux :
+  ∀E,m1,m2.
+  ∀Hinj:memory_inj E m1 m2.
+  ∀v1,v2. value_eq E v1 v2 →
+  ∀b1,b2,delta. E b1 = Some ? 〈b2, delta〉 →
+  ∀ty,i,m1'.
+  ast_typ_consistent_with_value ty v1 →
+  ast_typ_consistent_with_value ty v2 →
+  storen m1 (mk_pointer b1 i) (fe_to_be_values ty v1) = Some ? m1' →
+  ∃m2'. storen m2 (mk_pointer b2 (offset_plus i delta)) (fe_to_be_values ty v2) = Some ? m2' ∧
+        memory_inj E m1' m2'.
+#E #m1 #m2 #Hinj #v1 #v2 #Hvalue_eq #b1 #b2 #delta #Hembed #ty #i #m1' #Hok1 #Hok2
+#Hstoren lapply (storen_to_valid_pointer_fe_to_be … Hstoren)
+* * * #Hblocks_eq1 #Hnextblock1 #Hvalid_m1 #Hvalid_m1'
+lapply (mi_valid_pointers … Hinj … (mk_pointer b1 i) (mk_pointer b2 (offset_plus i delta)) Hvalid_m1 ?)
+[ 1: whd in ⊢ (??%%); >Hembed @refl ]
+#Hvalid_m2
+cases (valid_pointer_to_Prop … Hvalid_m2) * #Hnextblock2 #Hlow2 #Hhigh2
+@cthulhu
+qed.
+lemma foo :
+  ∀E,m1,m2.
+  ∀Hinj:memory_inj E m1 m2.
+  ∀v1,v2. value_eq E v1 v2 →
+  ∀b1,b2,delta. E b1 = Some ? 〈b2, delta〉 →
+  ∀ty,i,m1'. store_value_of_type ty m1 b1 i v1 = Some ? m1' →
+  ∃m2'. store_value_of_type ty m2 b2 (offset_plus i delta) v2 = Some ? m2' ∧
+         memory_inj E m1' m2'.
+#E #m1 #m2 #Hinj #v1 #v2 #Hvalue_eq #b1 #b2 #delta #Hembed #ty #i #m1' #Hstore
+@cthulhu qed.
+(* ------------------------------------------------------------------------- *)
+(* Commutation results of standard unary and binary operations with value_eq. *)
 lemma unary_operation_value_eq :
   ∀E,op,v1,v2,ty.
 …
 #E #op #v1 #v2 #ty #Hvalue_eq #r1
 inversion Hvalue_eq
 [ 1: #v #Hv1 #Hv2 #_ destruct
+[ 1: #v #Hv1 #Hv2 destruct
      cases op normalize
      [ 1: cases ty [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     [ 1: cases ty [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           normalize #Habsurd destruct (Habsurd)
      | 3: cases ty [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     | 3: cases ty [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           normalize #Habsurd destruct (Habsurd)
      | 2: #Habsurd destruct (Habsurd) ]
 | 2: #vsz #i #Hv1 #Hv2 #_
      cases op
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     [ 1: cases ty [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           whd in ⊢ ((??%?) → ?); whd in match (sem_unary_operation ???);
           [ 2: cases (eq_intsize sz vsz) normalize nodelta #Heq1 destruct
 …
           #Heq1 destruct %{(Vint vsz (exclusive_disjunction_bv (bitsize_of_intsize vsz) i (mone vsz)))} @conj //
      | 3: whd in match (sem_unary_operation ???);
+          cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          cases ty [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           normalize nodelta
           whd in ⊢ ((??%?) → ?);
 …
                %{(Vint vsz (two_complement_negation (bitsize_of_intsize vsz) i))} @conj //
           | *: #Habsurd destruct (Habsurd) ] ]
 | 3: #f #Hv1 #Hv2 #_ destruct  whd in match (sem_unary_operation ???);
+| 3: #Hv1 #Hv2 #_ destruct  whd in match (sem_unary_operation ???);
      cases op normalize nodelta
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_notbool ??);
+          #Heq1 destruct
+          cases (Fcmp Ceq f Fzero) /3 by ex_intro, vint_eq, conj/
+     | 2: normalize #Habsurd destruct (Habsurd)
+     | 3: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+          whd in match (sem_neg ??);
+          #Heq1 destruct /3 by ex_intro, vfloat_eq, conj/ ]
+| 4: #Hv1 #Hv2 #_ destruct  whd in match (sem_unary_operation ???);
+     cases op normalize nodelta
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     [ 1: cases ty   [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           whd in match (sem_notbool ??);
           #Heq1 destruct /3 by ex_intro, vint_eq, conj/
      | 2: normalize #Habsurd destruct (Habsurd)
+     | 3: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     | 3: cases ty    [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           whd in match (sem_neg ??);
           #Heq1 destruct ]
 | 5: #p1 #p2 #Hptr_translation #Hv1 #Hv2 #_  whd in match (sem_unary_operation ???);
+| 4: #p1 #p2 #Hptr_translation #Hv1 #Hv2 #_  whd in match (sem_unary_operation ???);
      cases op normalize nodelta
+     [ 1: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     [ 1: cases ty [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           whd in match (sem_notbool ??);
           #Heq1 destruct /3 by ex_intro, vint_eq, conj/
      | 2: normalize #Habsurd destruct (Habsurd)
+     | 3: cases ty
+          [ 1: | 2: #sz #sg | 3: #fl | 4: #ty | 5: #ty #n | 6: #tl #ty | 7: #id #fl | 8: #id #fl | 9: #ty ]
+     | 3: cases ty [ | #sz #sg | #ty | #ty #n | #tl #ty | #id #fl | #id #fl | #ty ]
           whd in match (sem_neg ??);
           #Heq1 destruct ]
 …
 #E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[ 1: | 2: #sz #i | 3: | 4: #p1 #p2 #Hembed ]
 [ 1: whd in match (sem_add ????); normalize nodelta
      cases (classify_add ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #n #ty #sz #sg | 4: #n #sz #sg #ty | 5: #ty1' #ty2' ]
+     [ 1: #sz #sg | 2: #n #ty #sz #sg | 3: #n #sz #sg #ty | 4: #ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
 | 2: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
      cases (classify_add ty1 ty2) normalize nodelta
      [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
      [ 2,3,5: #Habsurd destruct (Habsurd) ]
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 2,4: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
      [ 1,2,4,5,6,7,9: #Habsurd destruct (Habsurd) ]
+     [ 1,5: | 2,6: #sz' #i' | 3,7: | 4,8: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,7: #Habsurd destruct (Habsurd) ]
      [ 1: @intsize_eq_elim_elim
           [ 1: #_ #Habsurd destruct (Habsurd)
 …
                #Heq >Heq @refl ]
+     ]
+(* | 3: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: | 2: #sz' #i'| 3: | 4: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5,7: #Habsurd destruct (Habsurd) ]
+     #Heq >Heq %{r1} @conj //
+     /3 by ex_intro, conj, vfloat_eq/ *)
 | 3: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: | 2: #sz' #i' | 3: | 4: #p1' #p2' #Hembed' ]
      [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+| 4: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+     cases (classify_add ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     @eq_bv_elim
+     @eq_bv_elim
      [ 1: normalize nodelta #Heq1 #Heq2 destruct /3 by ex_intro, conj, vnull_eq/
      | 2: #_ normalize nodelta #Habsurd destruct (Habsurd) ]
 | 5: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
+| 4: whd in match (sem_add ????); whd in match (sem_add ????); normalize nodelta
      cases (classify_add ty1 ty2) normalize nodelta
      [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
      [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1: | 2: #sz' #i' | 3: | 4: #p1' #p2' #Hembed' ]
      [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
      #Heq destruct (Heq)
 …
 #E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[  | #sz #i | 3: | 4: #p1 #p2 #Hembed ]
 [ 1: whd in match (sem_sub ????); normalize nodelta
      cases (classify_sub ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #n #ty #sz #sg | 4: #n #sz #sg #ty | 5: #ty1' #ty2' ]
+     [ #sz #sg | #n #ty #sz #sg | #n #sz #sg #ty |#ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
 | 2: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
      cases (classify_sub ty1 ty2) normalize nodelta
      [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
      [ 2,3,5: #Habsurd destruct (Habsurd) ]
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 2,3,4: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
      [ 1,2,4,5,6,7,8,9,10: #Habsurd destruct (Habsurd) ]
+     [  | #sz' #i' | | #p1' #p2' #Hembed' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
      @intsize_eq_elim_elim
       [ 1: #_ #Habsurd destruct (Habsurd)
 …
           /3 by ex_intro, conj, vint_eq/
+      ]
 | 3: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
      cases (classify_sub ty1 ty2) normalize nodelta
      [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
      [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+(*| 3: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     cases (classify_sub ty1 ty2) normalize nodelta
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 1,4: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [  | #sz' #i' |  |  #p1' #p2' #Hembed' ]
      [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
      #Heq destruct (Heq)
      /3 by ex_intro, conj, vfloat_eq/
 | 4: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+     /3 by ex_intro, conj, vfloat_eq/ *)
+| 3: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
      cases (classify_sub ty1 ty2) normalize nodelta
      [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
      [ 1,2,5: #Habsurd destruct (Habsurd) ]
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 1,4: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
      [ 1,2,4,5,6,7,9,10: #Habsurd destruct (Habsurd) ]
+     [ 1,5: | 2,6: #sz' #i' | 3,7: | 4,8: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,7,8: #Habsurd destruct (Habsurd) ]
      [ 1: @eq_bv_elim [ 1: normalize nodelta #Heq1 #Heq2 destruct /3 by ex_intro, conj, vnull_eq/
                       | 2: #_ normalize nodelta #Habsurd destruct (Habsurd) ]
      | 2: #Heq destruct (Heq) /3 by ex_intro, conj, vnull_eq/ ]
 | 5: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
+| 4: whd in match (sem_sub ????); whd in match (sem_sub ????); normalize nodelta
      cases (classify_sub ty1 ty2) normalize nodelta
      [ 1: #tsz #tsg | 2: #tfsz | 3: #tn #ty #tsz #tsg | 4: #tn #tsz #tsg #ty | 5: #ty1' #ty2' ]
      [ 1,2,5: #Habsurd destruct (Habsurd) ]
+     [ 1: #tsz #tsg | 2: #tn #ty #tsz #tsg | 3: #tn #tsz #tsg #ty | 4: #ty1' #ty2' ]
+     [ 1,4: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1,6: #v' | 2,7: #sz' #i' | 3,8: #f' | 4,9: | 5,10: #p1' #p2' #Hembed' ]
      [ 1,2,4,5,6,7,8,9: #Habsurd destruct (Habsurd) ]
+     [ 1,5: | 2,6: #sz' #i' | 3,7: | 4,8: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5,6,7: #Habsurd destruct (Habsurd) ]
      #Heq destruct (Heq)
      [ 1: %{(Vptr (neg_shift_pointer_n (bitsize_of_intsize sz') p2 (sizeof ty) i'))} @conj try @refl
 …
 #E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[  | #sz #i | 3: | 4: #p1 #p2 #Hembed ]
 [ 1: whd in match (sem_mul ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
 | 2: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
      [ 2,3: #Habsurd destruct (Habsurd) ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
+     [ 2: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
      [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     [  | #sz' #i' |  |  #p1' #p2' #Hembed' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
      @intsize_eq_elim_elim
       [ 1: #_ #Habsurd destruct (Habsurd)
 …
 | 3: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
+     [ 1,2: #Habsurd destruct (Habsurd) ]
 | 4: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_mul ????); whd in match (sem_mul ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+] qed.
 lemma div_value_eq :
 …
 #E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[  | #sz #i | 3: | 4: #p1 #p2 #Hembed ]
 [ 1: whd in match (sem_div ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
 | 2: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
      [ 2,3: #Habsurd destruct (Habsurd) ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
+     [ 2: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
      [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     [  | #sz' #i' |  |  #p1' #p2' #Hembed' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
      elim sg normalize nodelta
      @intsize_eq_elim_elim
 …
 | 3: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1,3: #Habsurd destruct (Habsurd) ]
+     @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
+     [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [ 1,2,4,5: #Habsurd destruct (Habsurd) ]
+     #Heq destruct (Heq)
+     /3 by ex_intro, conj, vfloat_eq/
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
+     [ 1,2: #Habsurd destruct (Habsurd) ]
 | 4: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_div ????); whd in match (sem_div ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+] qed.
 lemma mod_value_eq :
 …
 #E #v1 #v2 #v1' #v2' #ty1 #ty2 #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[  | #sz #i | 3: | 4: #p1 #p2 #Hembed ]
 [ 1: whd in match (sem_mod ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
 | 2: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
      cases (classify_aop ty1 ty2) normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
      [ 2,3: #Habsurd destruct (Habsurd) ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
+     [ 2: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
      [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     [  | #sz' #i' |  |  #p1' #p2' #Hembed' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
      elim sg normalize nodelta
      @intsize_eq_elim_elim
 …
                    #H destruct (H)
                   /3 by ex_intro, conj, vint_eq/ ]
+     ]
+| 3: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 4: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+     ]
+| *: whd in match (sem_mod ????); whd in match (sem_mod ????); normalize nodelta
+     cases (classify_aop ty1 ty2) normalize nodelta #foo #bar #Habsurd destruct (Habsurd)
 ] qed.
 …
 #E #v1 #v2 #v1' #v2' #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[  | #sz #i | 3: | 4: #p1 #p2 #Hembed ]
 [ 2:
      @(value_eq_inversion E … Hvalue_eq2)
      [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
+     [  | #sz' #i' |  |  #p1' #p2' #Hembed' ]
      [ 2: whd in match (sem_shl ??);
           cases (lt_u ???) normalize nodelta
 …
 #E #v1 #v2 #v1' #v2' #ty #ty' #Hvalue_eq1 #Hvalue_eq2 #r1
 @(value_eq_inversion E … Hvalue_eq1)
 [ 1: #v | 2: #sz #i | 3: #f | 4: | 5: #p1 #p2 #Hembed ]
+[  | #sz #i | 3: | 4: #p1 #p2 #Hembed ]
 whd in match (sem_shr ????); whd in match (sem_shr ????);
 [ 1: cases (classify_aop ty ty') normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
      #Habsurd destruct (Habsurd)
 | 2: cases (classify_aop ty ty') normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
      [ 2,3: #Habsurd destruct (Habsurd) ]
+     [ 1: #sz #sg | 2: #ty1' #ty2' ]
+     [ 2: #Habsurd destruct (Habsurd) ]
      @(value_eq_inversion E … Hvalue_eq2) normalize nodelta
      [ 1: #v' | 2: #sz' #i' | 3: #f' | 4: | 5: #p1' #p2' #Hembed' ]
      [ 1,3,4,5: #Habsurd destruct (Habsurd) ]
+     [  | #sz' #i' |  |  #p1' #p2' #Hembed' ]
+     [ 1,3,4: #Habsurd destruct (Habsurd) ]
      elim sg normalize nodelta
      cases (lt_u ???) normalize nodelta #Heq destruct (Heq)
      /3 by ex_intro, conj, refl, vint_eq/
 | 3: cases (classify_aop ty ty') normalize nodelta
      [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+| *: cases (classify_aop ty ty') normalize nodelta
+     #foo #bar
      #Habsurd destruct (Habsurd)
+| 4: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+| 5: cases (classify_aop ty ty') normalize nodelta
+     [ 1: #sz #sg | 2: #fsz | 3: #ty1' #ty2' ]
+     #Habsurd destruct (Habsurd)
+] qed.
+] qed.
 lemma eq_offset_translation : ∀delta,x,y. cmp_offset Ceq (offset_plus x delta) (offset_plus y delta) = cmp_offset Ceq x y.

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 2468 for src/Clight/memoryInjections.ma

Legend:

src/Clight/memoryInjections.ma

Download in other formats: