Changeset 2556

Timestamp:

Dec 14, 2012, 2:54:06 PM (8 years ago)

Author:

tranquil

Message:

in joint semantics and traces: added a last popped calling address to state_pc, in order to have a strong enough as_after_return in joint (due to graph languages having one-to-many predecessors)
in lineariseProof: one axiom left (tailcall case)

Location:

src/joint

Files:

• Traces.ma (modified) (6 diffs)
• lineariseProof.ma (modified) (27 diffs)
• semantics.ma (modified) (10 diffs)

src/joint/Traces.ma

@@ -5 +5 @@
  { globals: list ident
  ; sparams:> sem_params
- ; exit: program_counter
  ; ev_genv: genv sparams globals
 (* ; io_env : state sparams → ∀o:io_out.res (io_in o) *)
@@ -47 +46 @@
 ≝
 λpars.
-(* Invariant: a -1 block is unused in common/Globalenvs *)
-let b ≝ mk_block Code (-1) in
-let ptr ≝ mk_program_counter «b, refl …» one in
 let p ≝ prog pars in
 mk_evaluation_params
   (prog_var_names … p)
   (prog_spars pars)
-  ptr
   (mk_genv_gen ?? (globalenv_noinit ? p) ? (stack_sizes pars))
  (* (prog_io pars) *).
@@ -76 +71 @@
   let m ≝ alloc_mem … p in
   let 〈m,spb〉 ≝ alloc … m 0 external_ram_size XData in
-  let 〈m,ispb〉 ≝ alloc … m 0 internal_ram_size XData in
-  let dummy_pc ≝ mk_program_counter «mk_block Code (-1), refl …» one in
   let spp : xpointer ≝
     «mk_pointer spb (mk_offset (bitvector_of_Z ? external_ram_size)),
@@ -84 +77 @@
   let main ≝ prog_main … p in
   let st0 ≝ mk_state pars (empty_framesT …) empty_is (BBbit false) (empty_regsT … spp) m in
-  (* use exit sem_globals as ra and call_dest_for_main as dest *)
-  let st0' ≝ mk_state_pc … (set_sp … spp st0) (exit sem_globals) in
-  ! st0'' ← save_frame ?? sem_globals true (call_dest_for_main … pars) st0' ;
-  let st_pc0 ≝ mk_state_pc ? st0'' dummy_pc in
-  ! bl ← block_of_call … ge (inl … main) st_pc0;
+  (* use exit_pc as ra and call_dest_for_main as dest *)
+  let st0' ≝ mk_state_pc … (set_sp … spp st0) exit_pc exit_pc in
+  ! st0_no_pc ← save_frame ?? sem_globals true (call_dest_for_main … pars) st0' ;
+  let st0'' ≝ set_no_pc … st0_no_pc st0' in
+  ! bl ← block_of_call … ge (inl … main) st0'';
   ! 〈i, fn〉 ← fetch_function … ge bl ;
   match fn with
   [ Internal ifn ⇒
-    ! st' ← eval_internal_call … ge i ifn (call_args_for_main … pars) st_pc0 ;
+    ! st' ← eval_internal_call … ge i ifn (call_args_for_main … pars) st0'' ;
     let pc' ≝ pc_of_point … bl (joint_if_entry … ifn) in
-    return mk_state_pc … st' pc'
+    return mk_state_pc … st' pc' exit_pc
   | External _ ⇒ Error … [MSG BadMain; CTX ? main] (* External main not supported: why? *)
   ].
@@ -231 +224 @@
   match \snd x with
   [ sequential s next ⇒
+    last_pop … s2 = pc … s1 ∧
     pc … s2 = succ_pc p (pc … s1) next
   | _ ⇒ False (* never happens *)
@@ -374 +368 @@
       ])
    (* as_after_return ≝ *) (joint_after_ret p)
-   (* as_final ≝ *) (λs.is_final p  (globals ?) (ev_genv p) (exit p) s ≠ None ?)
+   (* as_final ≝ *) (λs.is_final p  (globals ?) (ev_genv p) exit_pc s ≠ None ?)
    (* as_call_ident ≝ *) (joint_call_ident p)
    (* as_tailcall_ident ≝ *) (joint_tailcall_ident p).

src/joint/lineariseProof.ma

@@ -627 +627 @@
     #p #p' #graph_prog #sigma #st #prf @opt_to_opt_safe qed.
 
+lemma sigma_pc_irr :
+  ∀p,p',graph_prog,sigma,pc1,pc2,prf1,prf2.
+  pc1 = pc2 →
+  sigma_pc p p' graph_prog sigma pc1 prf1 =
+  sigma_pc p p' graph_prog sigma pc2 prf2.
+#p #p' #graph_prog #sigma #pc1 #pc2 #prf1 #prf2
+#EQ destruct(EQ) % qed.
+
 definition well_formed_state_pc :
  ∀p,p',graph_prog,sigma.
@@ -632 +640 @@
   state_pc (make_sem_graph_params p p') → Prop ≝
  λp,p',prog,sigma,gsss,st.
- well_formed_pc p p' prog sigma (pc … st) ∧ well_formed_state … gsss st.
+ well_formed_pc p p' prog sigma (last_pop … st) ∧
+ well_formed_pc p p' prog sigma (pc … st) ∧
+ well_formed_state … gsss st.
  
 definition sigma_state_pc :
@@ -646 +656 @@
 ≝
  λp,p',graph_prog,sigma,gsss,s,prf.
- let pc' ≝ sigma_pc … (proj1 … prf) in
+ let last_pop' ≝ sigma_pc … (proj1 … (proj1 … prf)) in
+ let pc' ≝ sigma_pc … (proj2 … (proj1 … prf)) in
  let st' ≝ sigma_state … (proj2 … prf) in
- mk_state_pc ? st' pc'.
+ mk_state_pc ? st' pc' last_pop'.
 (*
 definition sigma_function_name :
@@ -660 +671 @@
   ∀M : MonadProps.∀X,Y,f,l.
   All X (λx.∃y.f x = return y) l → ∃l'.m_list_map M X Y f l = return l'.
-  cases daemon qed.
+  #M #X #Y #f #l elim l -l
+  [ * %{[ ]} %
+  | #hd #tl #IH * * #y #EQ #H cases (IH H) #ys #EQ'
+    %{(y :: ys)}
+    change with (! y ← ? ;  ? = ?)
+    >EQ >m_return_bind
+    change with (! acc ← m_list_map ????? ; ? = ?) >EQ'
+    @m_return_bind
+qed.
 
 definition helper_def_store__commute :
@@ -717 +736 @@
     (λr.pair_reg_move_ ? ? (p' ?) r mv)
     (λr.pair_reg_move_ ? ? (p' ?) r mv)
-; allocate_locals_commute :
+; allocate_locals__commute :
   ∀loc, r1, prf1. ∃ prf2.
   allocate_locals_ ? ? (p' ?) loc (sigma_regs p p' graph_prog sigma gsss r1 prf1) =
@@ -724 +743 @@
   ∀dest,fl.
   preserving … res_preserve …
-    (λst : state_pc ?.λprf.
-      mk_state_pc …
-        (sigma_state … gsss st (proj2 ?? prf))
-        (sigma_pc p p' graph_prog sigma (pc … st) (proj1 ?? prf)))
+    (sigma_state_pc … gsss)
     (sigma_state … gsss)
     (save_frame ?? (p' ?) fl dest)
@@ -776 +792 @@
   preserving … res_preserve …
     (sigma_state … gsss)
-    (λst : state_pc ?.λprf.
-      mk_state_pc …
-        (sigma_state … gsss st (proj2 ?? prf))
-        (sigma_pc p p' graph_prog sigma (pc … st) (proj1 ?? prf)))
+    (sigma_state_pc … gsss)
   (pop_frame ?? (p' ?) … (ev_genv (graph_prog_params … graph_prog stack_sizes)) 
             curr_id curr_fn)
@@ -785 +798 @@
             curr_id (\fst (linearise_int_fun … curr_fn))) 
 }.
+
+lemma wf_set_regs : ∀p,p',graph_prog,sigma,gss,st,r.
+well_formed_state p p' graph_prog sigma gss st →
+well_formed_regs … gss r →
+well_formed_state … gss (set_regs … r st).
+#p #p' #graph_prog #sigma #gss #st #r
+*** #H1 #H2 #_ #H4 #H3
+%{H4} %{H3} %{H2} @H1
+qed.
+
+lemma allocate_locals_def :
+  ∀p,F,p',loc,locs,st.
+  allocate_locals p F p' (loc::locs) st =
+  (let st' ≝ allocate_locals p F p' locs st in
+   set_regs … (allocate_locals_ p F p' loc (regs … st')) st').
+#p #F #p' #loc #locs #st % qed.
+
+lemma allocate_locals_commute :
+  ∀p,p',graph_prog,sigma.
+  ∀gss : good_state_sigma p p' graph_prog sigma. 
+  ∀locs, st1, prf1. ∃ prf2.
+  allocate_locals ? ? (p' ?) locs (sigma_state … gss st1 prf1) =
+  sigma_state … gss (allocate_locals ? ? (p' ?) locs st1) prf2.
+#p #p' #gp #sigma #gss #locs elim locs -locs
+[ #st1 #prf1 %{prf1} % ]
+#loc #tl #IH #st1 #prf1
+letin st2 ≝ (sigma_state … st1 prf1)
+cases (IH st1 prf1)
+letin st1' ≝ (allocate_locals ??? tl st1)
+letin st2' ≝ (allocate_locals ??? tl st2)
+#prf' #EQ'
+cases (allocate_locals__commute … gss loc (regs … st1') ?)
+[2: @hide_prf cases prf' ** // ]
+#prf'' #EQ''
+% [ @hide_prf @wf_set_regs assumption ]
+change with (set_regs ? (allocate_locals_ ??? loc (regs ? st1')) st1')
+  in match (allocate_locals ??? (loc::tl) st1);
+change with (set_regs ? (allocate_locals_ ??? loc (regs ? st2')) st2')
+  in match (allocate_locals ??? (loc::tl) st2);
+>EQ' >EQ'' %
+qed.
 
 lemma store_commute :
@@ -1557 +1611 @@
     (* call_rel ≝ *) (λs1,s2.
       ∃prf:well_formed_state_pc p p' graph_prog sigma gss s1.
-      pc ? s2 = sigma_pc … (pc ? s1) (proj1 … prf))
+      pc ? s2 = sigma_pc … (pc ? s1) (proj2 … (proj1 … prf)))
     (* sim_final ≝ *) ?.
 #st1 #st2 * #prf #EQ2
@@ -1563 +1617 @@
 >EQ2
 whd in ⊢ (%→%);
-whd in match (exit ?);
-letin exit_pc ≝ (mk_program_counter «mk_block Code (-1), refl …» one)
 #H lapply (opt_to_opt_safe … H)
 @opt_safe_elim -H #res #_ whd in match is_final; normalize nodelta
@@ -1570 +1622 @@
 #H  @('bind_inversion H) -H
 ** #id #int_f #stmt
-#stmt_spec cases (fetch_statement_sigma_commute ???????? good (proj1 … prf) stmt_spec)
+#stmt_spec cases (fetch_statement_sigma_commute ???????? good (proj2 … (proj1 … prf)) stmt_spec)
 cases stmt in stmt_spec; -stmt normalize nodelta
 [1,3: [ #a #b #_| #a #b #c #d #e] #_ #_ #ABS whd in ABS : (???%); destruct(ABS)]
@@ -1598 +1650 @@
 [ #st #prf @mfr_bind [3: @pop_frame_commute |*:]
   #st' #prf' @eq_program_counter_elim  
-  [ #EQ_pc >(sigma_pc_exit … EQ_pc) normalize nodelta
+  [ #EQ_pc normalize nodelta
+    change with (sigma_pc ??????) in match (pc ??);
+    >(sigma_pc_exit … EQ_pc) normalize nodelta
     @mfr_bind [3: @read_result_commute |*:]
     #lbv #prf_lbv @opt_safe_elim #lbv' #EQ_lbv'
@@ -1641 +1695 @@
 qed.
 
+lemma as_label_sigma_commute :
+  ∀p,p',graph_prog,stack_sizes,sigma,gss.good_sigma p graph_prog sigma →
+  ∀st,prf.
+  as_label (lin_abstract_status p p' (linearise … graph_prog) stack_sizes)
+    (sigma_state_pc p p' graph_prog sigma gss st prf) =
+  as_label (graph_abstract_status p p' graph_prog stack_sizes) st.
+#p #p' #graph_prog #stack_sizes #sigma #gss #good * #st #pc #popped
+** #prf1 #prf2 #prf3
+change with (as_label_of_pc ?? = as_label_of_pc ??)
+change with (sigma_pc ??????) in match (as_pc_of ??);
+change with pc in match (as_pc_of ??);
+whd in match sigma_pc; normalize nodelta
+@opt_safe_elim #pc'
+whd in match sigma_pc_opt; normalize nodelta
+@eqZb_elim #Hbl normalize nodelta
+[ whd in ⊢ (??%%→??%%); #EQ destruct(EQ)
+  whd in match fetch_statement; normalize nodelta
+  >(fetch_internal_function_no_minus_one … graph_prog … Hbl)
+  >(fetch_internal_function_no_minus_one … (linearise … graph_prog) … Hbl) %
+| #H @('bind_inversion H) * #i #f -H
+  inversion (fetch_internal_function … (pc_block pc))
+  [2: #e #_ whd in ⊢ (??%%→?); #ABS destruct(ABS) ]
+  * #i' #f' #EQfetch whd in ⊢ (??%%→?); #EQ destruct(EQ)
+  #H @('bind_inversion H) #n #EQsigma whd in ⊢ (??%%→?); #EQ destruct(EQ)
+  whd in ⊢ (??%%);
+  whd in match fetch_statement; normalize nodelta >EQfetch
+  >(fetch_internal_function_transf … graph_prog 
+    (λvars,fn.\fst (linearise_int_fun … fn)) … EQfetch)
+  >m_return_bind >m_return_bind
+  cases (good f) * #_ #all_labels_in #spec
+  cases (spec … EQsigma) #s ** cases s -s
+  [ * [#s|#a#lbl]#nxt|#s|*] normalize nodelta #EQstmt_at #_
+  [ * #EQstmt_at' #_ | * [ * #EQstmt_at' #_ | #EQstmt_at' ] | #EQstmt_at' ]
+  whd in match point_of_pc; normalize nodelta >point_of_offset_of_point
+  >EQstmt_at >EQstmt_at' normalize nodelta %
+qed.
+  
 lemma set_istack_sigma_commute :
 ∀p,p',graph_prog,sigma,gss,st,is,prf1,prf2,prf3.
@@ -1841 +1932 @@
 λA,B,C,D,P,Q,f,g,pr,prf.〈f ? (proj1 … prf), g ? (proj2 … prf)〉.
 
-lemma wf_set_regs : ∀p,p',graph_prog,sigma,gss,st,r.
-well_formed_state p p' graph_prog sigma gss st →
-well_formed_regs … gss r →
-well_formed_state … gss (set_regs … r st).
-#p #p' #graph_prog #sigma #gss #st #r
-*** #H1 #H2 #_ #H4 #H3
-%{H4} %{H3} %{H2} @H1
-qed.
-
 lemma wf_set_is : ∀p,p',graph_prog,sigma,gss,st,is.
 well_formed_state p p' graph_prog sigma gss st →
@@ -1907 +1989 @@
   [1,2: (* COMMENT, COST_LABEL *) #_ @mfr_return
   | (* MOVE *) #mv_sig #st #prf'
-    @(mfr_bind … (sigma_regs … gss))
-    [ @pair_reg_move_commute
-    | #r #prf @mfr_return @wf_set_regs assumption
-    ]
+    @mfr_bind [3: @pair_reg_move_commute |*:]
+    #r #prf @mfr_return @wf_set_regs assumption
   | (* POP *)
     #a #st #prf
@@ -1922 +2002 @@
   | (* PUSH *)
      #a #st #prf
-     @(mfr_bind … (sigma_beval p p' graph_prog sigma))
-     [ @acca_arg_retrieve_commute
-     | #bv #prf_bv
-       @(mfr_bind … (sigma_is p p' graph_prog sigma))
-       [ @is_push_sigma_commute
-       | #is #prf_is @mfr_return @wf_set_is assumption
-       ]
-     ]
+     @mfr_bind [3: @acca_arg_retrieve_commute |*:]
+     #bv #prf_bv
+     @mfr_bind [3: @is_push_sigma_commute |*:]
+     #is #prf_is @mfr_return @wf_set_is assumption
   | (*C_ADDRESS*) 
     #sy
@@ -1954 +2030 @@
   | (*C_OPACCS*)
     #op #a #b #arg1 #arg2 #st #prf
-    @(mfr_bind … (sigma_beval p p' graph_prog sigma))
-    [ @acca_arg_retrieve_commute ]
+    @mfr_bind [3: @acca_arg_retrieve_commute |*: ]
     #bv1 #bv1_prf
-    @(mfr_bind … (sigma_beval p p' graph_prog sigma))
-    [ @accb_arg_retrieve_commute ]
+    @mfr_bind [3: @accb_arg_retrieve_commute |*: ]
     #bv2 #bv2_prf
-    @(mfr_bind … (combine_strong …
-        (sigma_beval p p' graph_prog sigma)
-        (sigma_beval p p' graph_prog sigma)))
-    [ @beopaccs_sigma_commute ]
+    @mfr_bind [3: @beopaccs_sigma_commute |*: ]
     * #res1 #res2 * #res1_prf #res2_prf
     @(mfr_bind … (sigma_state … gss))
@@ -1974 +2045 @@
   | (*C_OP1*)
     #op #a #arg #st #prf
-    @(mfr_bind … (sigma_beval p p' graph_prog sigma))
-    [ @acca_retrieve_commute ]
+    @mfr_bind [3: @acca_retrieve_commute |*: ]
     #bv #bv_prf
-    @(mfr_bind … (sigma_beval p p' graph_prog sigma))
-    [ @beop1_sigma_commute ]
+    @mfr_bind [3: @beop1_sigma_commute |*: ]
     #res #res_prf
     @mfr_bind [3: @acca_store__commute |*: ]
@@ -1984 +2053 @@
   | (*C_OP2*)
     #op #a #arg1 #arg2 #st #prf
-    @(mfr_bind … (sigma_beval p p' graph_prog sigma))
-    [ @acca_arg_retrieve_commute ]
+    @mfr_bind [3: @acca_arg_retrieve_commute |*: ]
     #bv1 #bv1_prf
-    @(mfr_bind … (sigma_beval p p' graph_prog sigma))
-    [ @snd_arg_retrieve_commute ]
+    @mfr_bind [3: @snd_arg_retrieve_commute |*: ]
     #bv2 #bv2_prf
-    @mfr_bind
-    [3: @beop2_sigma_commute |*: ]
+    @mfr_bind [3: @beop2_sigma_commute |*: ]
     * #res1 #carry' #res1_prf
     @(mfr_bind … (sigma_state … gss))
@@ -2044 +2110 @@
  qed.
 
-lemma eval_seq_no_call_no_goto_ok :
+lemma eval_seq_no_call_ok :
  ∀p,p',graph_prog.
  let lin_prog ≝ linearise p graph_prog in
  ∀stack_sizes.
- ∀sigma.∀gss : good_state_sigma p p' graph_prog sigma.
+ ∀sigma.good_sigma p graph_prog sigma → 
+ ∀gss : good_state_sigma p p' graph_prog sigma.
  ∀st,st',f,fn,stmt,nxt.no_call ?? stmt →
  ∀prf : well_formed_state_pc … gss st.
-   fetch_statement (make_sem_lin_params p p') …
-    (globalenv_noinit ? lin_prog) (pc … (sigma_state_pc … st prf)) =
-      return 〈f, \fst (linearise_int_fun … fn),
-        sequential … (step_seq (mk_lin_params p) … stmt) it〉 →
-   eval_seq_no_pc … (ev_genv … (graph_prog_params … graph_prog stack_sizes))
-      f fn stmt st = return st' →
- let st_pc' ≝ mk_state_pc ? st'
-  (succ_pc (make_sem_graph_params p p') …
-    (pc … st) nxt) in
- ∀prf'.
- succ_pc (make_sem_lin_params p p') (sigma_pc … (pc … st) (proj1 … prf)) it =
-   sigma_pc p p' graph_prog sigma
-    (succ_pc (make_sem_graph_params p p') (pc … st) nxt) prf' →
- ∃prf''.
+   fetch_statement (make_sem_graph_params p p') …
+    (globalenv_noinit ? graph_prog) (pc … st) =
+      return 〈f, fn,  sequential … (step_seq (mk_graph_params p) … stmt) nxt〉 →
+   eval_state … (ev_genv … (graph_prog_params … graph_prog stack_sizes)) st =
+    return st' →
+ ∃prf'.
  ∃taf : trace_any_any_free (lin_abstract_status p p' lin_prog stack_sizes)
   (sigma_state_pc … gss st prf)
-  (sigma_state_pc … gss st_pc' prf'').
+  (sigma_state_pc … gss st' prf').
  bool_to_Prop (taaf_non_empty … taf).
-#p #p' #graph_prog #stack_sizes #sigma #gss #st #st' #f #fn #stmt #nxt #stmt_no_call
-#prf #EQfetch' #EQeval #prf' #EQsucc_pc
-cases (eval_seq_no_pc_sigma_commute … gss … EQeval) [2: @(proj2 … prf)]
-#prf'' #EQeval'
-% [ @hide_prf % assumption ]
-%{(taaf_step … (taa_base …) …)} [3: % ]
-[ whd whd in ⊢ (??%?); >EQfetch' normalize nodelta
+#p #p' #graph_prog #stack_sizes #sigma #good #gss #st #st' #f #fn #stmt #nxt #stmt_no_call
+#prf #EQfetch
+whd in match eval_state; normalize nodelta >EQfetch
+>m_return_bind whd in match eval_statement_no_pc;
+whd in match eval_statement_advance; normalize nodelta
+@'bind_inversion #st_no_pc' #EQeval
+>no_call_advance [2: assumption]
+whd in ⊢ (??%%→?); #EQ destruct(EQ)
+cases (fetch_statement_sigma_commute … good … (proj2 … (proj1 … prf)) … EQfetch)
+normalize nodelta #_ * #EQfetch' *
+#prf_nxt #nxt_spec
+lapply (err_eq_from_io ????? EQeval) -EQeval #EQeval
+cases (eval_seq_no_pc_sigma_commute … gss … (proj2 … prf) … EQeval)
+#st_no_pc_prf
+#EQeval'
+%{(hide_prf …)} [ %{st_no_pc_prf} %{prf_nxt} cases st in prf; -st #st #pc #popped ** // ]
+cases nxt_spec -nxt_spec
+[ #nxt_spec %{(taaf_step … (taa_base …) …) I}
+| * #nxt_spec #pc_of_label_spec %{(taaf_step … (taa_step … (taa_base …))…) I}
+]
+[1,6:
+  whd whd in ⊢ (??%?); >EQfetch' normalize nodelta
   whd in match joint_classify_step; normalize nodelta
   >no_call_other try % assumption
-| whd whd in match eval_state; normalize nodelta >EQfetch' >m_return_bind
+|2,5:
+  whd whd in match eval_state; normalize nodelta
+  change with (sigma_pc ??????) in match (pc ??);
+  try >EQfetch' in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
   whd in match eval_statement_no_pc; normalize nodelta
-  >EQeval' >m_return_bind
+  try >EQeval' in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
   whd in match eval_statement_advance; normalize nodelta
-  >no_call_advance [2: assumption ]
-  whd in match (next ???);
-  >EQsucc_pc %
-]
-qed.
-
-lemma eval_seq_no_call_goto_ok :
- ∀p,p',graph_prog.
- let lin_prog ≝ linearise p graph_prog in
- ∀stack_sizes.
- ∀sigma.∀gss : good_state_sigma p p' graph_prog sigma.
- ∀st,st',f,fn,stmt,nxt.no_call ?? stmt →
- ∀prf : well_formed_state_pc … gss st.
-  fetch_statement (make_sem_lin_params p p') …
-    (globalenv_noinit ? lin_prog) (pc … (sigma_state_pc … st prf)) =
-      return 〈f, \fst (linearise_int_fun … fn),
-        sequential … (step_seq (mk_lin_params p) … stmt) it〉 →
-   eval_seq_no_pc … (ev_genv … (graph_prog_params … graph_prog stack_sizes))
-      f fn stmt st = return st' →
- let st_pc' ≝ mk_state_pc ? st'
-  (succ_pc (make_sem_graph_params p p') …
-    (pc … st) nxt) in
- ∀prf'.
- fetch_statement (make_sem_lin_params p p') …
-   (globalenv_noinit … lin_prog)
-     (succ_pc (make_sem_lin_params p p') (sigma_pc … (pc … st) (proj1 … prf)) it) =
-   return 〈f, \fst (linearise_int_fun … fn), final (mk_lin_params p) … (GOTO … nxt)〉 →
- pc_of_label (make_sem_lin_params p p') ?
-                (globalenv_noinit ? (linearise p … graph_prog))
-                (pc_block (pc … st))
-                nxt = return sigma_pc p p' graph_prog sigma
-    (succ_pc (make_sem_graph_params p p') (pc … st) nxt) prf' →
- ∃prf''.
- ∃taf : trace_any_any_free (lin_abstract_status p p' lin_prog stack_sizes)
-  (sigma_state_pc … gss st prf)
-  (sigma_state_pc … gss st_pc' prf'').
- bool_to_Prop (taaf_non_empty … taf).
-#p #p' #graph_prog #stack_sizes #sigma #gss #st #st' #f #fn #stmt #nxt #stmt_no_call
-#prf #EQfetch' #EQeval #prf' #EQsucc_pc #EQ_pc_of_label
-cases (eval_seq_no_pc_sigma_commute … gss … EQeval) [2: @(proj2 … prf)]
-#prf'' #EQeval'
-% [ @hide_prf % assumption ]
-%{(taaf_step … (taa_step … (taa_base …)) …)} [7: % ]
-[4: whd whd in ⊢ (??%?); >EQfetch' normalize nodelta
-  whd in match joint_classify_step; normalize nodelta
-  >no_call_other try % assumption
-|3: whd whd in match eval_state; normalize nodelta >EQfetch' in ⊢ (??%?);
-  >m_return_bind in ⊢ (??%?);
-  whd in match eval_statement_no_pc; normalize nodelta
-  >EQeval' in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
+  >no_call_advance try assumption
+  whd in match (next ???) in ⊢ (??%?);
+  [ >nxt_spec %
+  | %
+  ]
+|3:
+  whd whd in ⊢ (??%?); >nxt_spec normalize nodelta %
+|4:
+  whd whd in match eval_state; normalize nodelta
+  >nxt_spec >m_return_bind >m_return_bind
   whd in match eval_statement_advance; normalize nodelta
-  >no_call_advance in ⊢ (??%?); [2: assumption ]
-  whd in match (next ???) in ⊢ (??%?);
-  >EQsucc_pc in ⊢ (??%?); %
-|1: whd whd in ⊢ (??%?); >EQsucc_pc %
-|5: %* #H @H -H whd in ⊢ (??%?);  >EQsucc_pc %
-|2: whd whd in match eval_state; normalize nodelta
-  >EQsucc_pc >m_return_bind >m_return_bind whd in match eval_statement_advance;
-  normalize nodelta whd in match goto; normalize nodelta
+  whd in match goto; normalize nodelta
   whd in match (pc_block ?); >pc_block_sigma_commute
-  >EQ_pc_of_label %
-|*:
+  >pc_of_label_spec %
+|7: %* #H @H -H
+  whd in ⊢ (??%?); >nxt_spec %
+|8:
 ]
 qed.
@@ -2170 +2202 @@
     #bv2 #bv2_prf
     @(mfr_bind … (λptr.λ_:True.ptr))
-    [ lapply bv2_prf lapply bv2 lapply bv1_prf lapply bv1
-      @bv_pc_other
-      [ #pc1 #p #bv1_prf #bv2 #bv2_prf @res_preserve_error ]
-      #bv1 #bv1_no_pc #bv1_prf
-      @bv_pc_other
-      [ cases bv1 in bv1_prf;
-        [||#a #b #c| #a | #a | #a #b | #a #b ] #bv1_prf
-        #pc2 #p #bv2_prf @res_preserve_error ]
-      #bv2 #bv2_no_pc #bv2_prf
-      >sigma_bv_no_pc try assumption
-      >sigma_bv_no_pc try assumption
-      whd #ptr #EQ %{I EQ}
-   ] #ptr *
-   @if_elim #_ [ @mfr_return | @res_preserve_error ] %
+    [ change with (pointer_of_address 〈?,?〉) in
+      match (pointer_of_bevals ?);
+      change with (pointer_of_address 〈?,?〉) in
+      match (pointer_of_bevals [sigma_beval ??????;?]);
+      @sigma_ptr_commute % assumption
+    ] #ptr *
+    @if_elim #_ [ @mfr_return | @res_preserve_error ] %
  ]
 |4: #bl * @opt_to_res_preserve #x #EQ %{I} @EQ
@@ -2190 +2215 @@
 qed.
 
-    
+lemma fetch_function_no_minus_one :
+  ∀F,V,i,p,bl.
+  block_id (pi1 … bl) = -1 →
+  fetch_function … (globalenv (λvars.fundef (F vars)) V i p)
+    bl = Error … [MSG BadFunction].
+ #F#V#i#p ** #r #id #EQ1 #EQ2 destruct
+  whd in match fetch_function; normalize nodelta
+  >globalenv_no_minus_one
+  cases (symbol_for_block ???) normalize //
+qed.
+
 lemma eval_call_ok :
  ∀p,p',graph_prog.
@@ -2203 +2238 @@
       return 〈f, fn,
         sequential … (CALL (mk_graph_params p) … called args dest ) nxt〉 →
-   eval_seq_advance ?? (ev_genv … (graph_prog_params … graph_prog stack_sizes))
-      (CALL … called args dest) nxt st = return st' →
+   eval_state … (ev_genv … (graph_prog_params … graph_prog stack_sizes)) st =
+    return st' →
 (* let st_pc' ≝ mk_state_pc ? st'
   (succ_pc (make_sem_graph_params p p') …
@@ -2228 +2263 @@
 #p #p' #graph_prog #stack_sizes #sigma #good #gss #st #st1 #f #fn 
 #called #args #dest #nxt #prf #fetch_spec 
-cases(fetch_statement_sigma_commute … good (proj1 … prf) … fetch_spec) #_
+cases(fetch_statement_sigma_commute … good (proj2 … (proj1 … prf)) … fetch_spec) #_
 normalize nodelta * #lin_fetch_spec #_
+whd in match eval_state in ⊢ (%→?); normalize nodelta >fetch_spec
+>m_return_bind >m_return_bind whd in match eval_statement_advance;
 whd in match eval_seq_advance; whd in match eval_seq_call; normalize nodelta
 @('bind_inversion) #bl #H lapply (err_eq_from_io ????? H) -H #bl_spec
@@ -2236 +2273 @@
 [2:#H @('bind_inversion H) -H #st' #H #_ @('bind_inversion H) -H #vals #_
   @'bind_inversion #vals' #_ whd in ⊢ (??%%→?); #ABS destruct(ABS) ]
-#H %
+#H lapply (err_eq_from_io ????? H) -H
+#H @('bind_inversion H) -H #st_no_pc #save_frame_spec
+>m_bind_bind
+#H @('bind_inversion H) -H #stack_size #H lapply (opt_eq_from_res ???? H) -H
+whd in match (stack_sizes ?);
+#stack_size_spec
+>m_bind_bind
+#H @('bind_inversion H) -H #st_no_pc' #set_call_spec
+>m_return_bind whd in ⊢ (??%%→?);
+whd in match set_no_pc; normalize nodelta #EQ destruct(EQ)
+%
 [  @hide_prf 
   whd in match joint_classify; normalize nodelta >fetch_spec >m_return_bind
@@ -2242 +2289 @@
   whd in match joint_classify_seq; normalize nodelta
   >bl_spec >m_return_bind >int_f_spec normalize nodelta %
-| %
+| cases(block_of_call_sigma_commute p p' graph_prog sigma gss ?? (proj2 … prf) ? 
+            bl_spec)
+  * #lin_bl_spec
+  generalize in match (fetch_function_transf … graph_prog …
+      (λvars.transf_fundef … (λf_in.\fst(linearise_int_fun ?? f_in)))
+      … int_f_spec : fetch_function … (globalenv_noinit … (linearise … graph_prog)) bl = ?) in ⊢ ?;
+  #lin_int_f_spec
+  %
   [ @hide_prf whd in match joint_classify; normalize nodelta >lin_fetch_spec
     >m_return_bind normalize nodelta whd in match joint_classify_step; 
     whd in match joint_classify_seq; normalize nodelta
-    cases bl in bl_spec int_f_spec; #reg #reg_prf -bl #reg_spec #int_f_spec 
-    cases(block_of_call_sigma_commute p p' graph_prog sigma gss ?? (proj2 … prf) ? 
-            reg_spec)
-    * #EQ >EQ -EQ >m_return_bind
-    lapply(fetch_function_transf ?????
-      (λvars.transf_fundef … (λf_in.\fst(linearise_int_fun ?? f_in))) ????) 
-        [ 
-        | @(Internal ? fn)
-        | @id 
-        | assumption assumption 
-        | 
-        |
-        | % 
-          [@(prog_vars … graph_prog)  
-          |@(prog_funct … graph_prog) 
-          |@(prog_main … graph_prog) 
-          ]
-        ]
-      [>int_f_spec % | | |] #EQ >EQ normalize nodelta % 
-   | %
-     [2: %
-         [  change with ((λx.joint_call_ident (lin_prog_params p p' (linearise p graph_prog) stack_sizes)
-              (mk_Sig ? ? ? x)) ? = (λx.joint_call_ident ? (mk_Sig ? ? ? x)) ?)
-            whd in match joint_call_ident in ⊢ (??(%?)?); normalize nodelta in ⊢ (??(%?)?); 
-            whd in match (pc ?); >lin_fetch_spec in ⊢ (??(%?)?); normalize nodelta in ⊢ (??%?);
-            whd in match joint_call_ident in ⊢ (???(%?)); normalize nodelta in ⊢ (???(%?)); 
-            >fetch_spec in ⊢ (???(%?)); normalize nodelta >bl_spec in ⊢ (???%);
-            >m_return_bind in ⊢ (???%);
-         |  whd in match eval_state; normalize nodelta 
-            >lin_fetch_spec in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
-             whd in match eval_statement_no_pc; normalize nodelta 
-             whd in match eval_seq_no_pc; normalize nodelta 
-             >m_return_bind in ⊢ (??%?);
-             whd in match eval_statement_advance; whd in match eval_seq_advance; 
-             whd in match eval_seq_call; normalize nodelta
+    >lin_bl_spec >m_return_bind
+    >lin_int_f_spec %
+   | cases (save_frame_commute … gss … save_frame_spec) in ⊢ ?;
+    [2: @hide_prf cases st in prf; // ]
+    #st_no_pc_wf #lin_save_frame_spec
+     cases (setup_call_commute … gss … st_no_pc_wf … set_call_spec) in ⊢ ?;
+     #st_no_pc_wf' #lin_set_call_spec
+     cases (allocate_locals_commute … gss … (joint_if_locals … fn) … st_no_pc_wf')
+     #st_no_pc_wf'' #lin_allocate_locals_spec
+     cut
+      (∃prf.sigma_pc p p' graph_prog sigma (pc_of_point (make_sem_graph_params p p') bl (joint_if_entry ?? fn)) prf =
+      pc_of_point (make_sem_lin_params p p') bl 0)
+     [ cases (good fn) * #entry_in #_ #_
+       % [ @hide_prf % | whd in match sigma_pc; normalize nodelta @opt_safe_elim #pc ]
+       whd in match sigma_pc_opt; normalize nodelta
+       >eqZb_false whd in match (pc_block ?);
+       [2,4: % #EQbl
+        >(fetch_function_no_minus_one … graph_prog … EQbl) in int_f_spec;
+        whd in ⊢ (???%→?); #ABS destruct(ABS) ]
+       normalize nodelta whd in match fetch_internal_function;
+       normalize nodelta >int_f_spec >m_return_bind >point_of_pc_of_point
+       >entry_in whd in ⊢ (??%%→?); #EQ destruct(EQ) %
+     ] * #entry_prf #entry_spec
+      % [ @hide_prf %{st_no_pc_wf''} %{entry_prf} @(proj1 … (proj1 … prf)) ]
+      % [ whd in match joint_call_ident; normalize nodelta
+          >lin_fetch_spec in ⊢ (??match % with [ _ ⇒ ? | _ ⇒ ?]?);
+          >fetch_spec in ⊢ (???match % with [ _ ⇒ ? | _ ⇒ ?]);
+          normalize nodelta
+          >lin_bl_spec >bl_spec >m_return_bind >m_return_bind
+          whd in match fetch_internal_function; normalize nodelta
+          >lin_int_f_spec >int_f_spec %
+        | whd in match eval_state; normalize nodelta 
+          >lin_fetch_spec in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
+           whd in match eval_statement_no_pc; normalize nodelta 
+           whd in match eval_seq_no_pc; normalize nodelta 
+           >m_return_bind in ⊢ (??%?);
+           whd in match eval_statement_advance; whd in match eval_seq_advance; 
+           whd in match eval_seq_call; normalize nodelta
+           >lin_bl_spec in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
+           >lin_int_f_spec in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
+           normalize nodelta
+           >lin_save_frame_spec >m_return_bind
+           >m_bind_bind whd in match (stack_sizes ?);
+           >stack_size_spec >m_return_bind
+           >lin_set_call_spec >m_return_bind
+           >lin_allocate_locals_spec
+           <entry_spec %
          ]
-         cases(block_of_call_sigma_commute p p' graph_prog sigma gss ?? (proj2 … prf) ? 
-             bl_spec) * #EQ >EQ in ⊢ (??%?); >m_return_bind in ⊢ (??%?); -EQ 
-         [ whd in match fetch_internal_function; normalize nodelta >int_f_spec in ⊢ (???%);
-           >m_return_bind in ⊢ (???%); normalize nodelta ]
-         lapply(fetch_function_transf ?????
-                (λvars.transf_fundef … (λf_in.\fst(linearise_int_fun ?? f_in))) ????)
-            [ 
-            | 2,12: @(Internal ? fn)
-            | 3,13: @id 
-            | 4,14: assumption assumption 
-            | 5,15:
-            | 6,16:
-            |7,17: % 
-               [1,4: @(prog_vars … graph_prog)  
-               |2,5: @(prog_funct … graph_prog) 
-               |3,6: @(prog_main … graph_prog) 
-               ]
-            ]
-         [1,5: >int_f_spec % |*:] #EQ >EQ in ⊢ (??%?); -EQ 
-          >m_return_bind in ⊢ (??%?); normalize nodelta [ %]
-      ]
-  ]
-]
-[2: @hide_prf] 
-lapply (err_eq_from_io ????? H) -H #H @('bind_inversion H)
-#st' #st_spec' #H @('bind_inversion H) -H #st'' #st_spec'' 
-whd in ⊢ (??%% → ?); #EQ destruct(EQ) [ % ]
-[2,3: elim(save_frame_commute p p' graph_prog sigma gss … prf … st_spec')
-      #wf_st' #sigma_st_spec' [2: >sigma_st_spec' in ⊢ (??%?); >m_return_bind in ⊢ (??%?);]
-      lapply st_spec'' -st_spec''  whd in match eval_internal_call; normalize nodelta 
-      #H @('bind_inversion H) -H #dim_s #dim_s_spec #H 
-      [ >dim_s_spec in ⊢ (??%?); >m_return_bind in ⊢ (??%?);]
-      elim(bind_inversion ????? H) -H #st''' * #st_spec'''
-      elim(setup_call_commute p p' graph_prog sigma gss … wf_st' … st_spec''')
-      #wf_st''' #sigma_st_spec''' whd in ⊢ (??%% → ?); 
-      whd in match allocate_locals; whd in match set_regs; normalize nodelta 
-      #EQ destruct(EQ)
-]
-[  >sigma_st_spec''' in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
-   whd in match sigma_state_pc; normalize nodelta
-   change with (return mk_state_pc (make_sem_lin_params p p') ? ? = ?)
-   cut(∀A,semp,pc,pc',st,st'.∀ f : ? → A.pc = pc' ∧ st = st' → 
-          f(mk_state_pc semp st pc) = f(mk_state_pc semp st' pc'))
-   [#A #H1 #H2 #H3 #H4 #H5 #f * #H8 #H9 //]
-   #APP @APP %
-]
-[1,4: [whd in match sigma_pc; normalize nodelta @opt_safe_elim #lin_pc | whd in match well_formed_pc;]
-      whd in match sigma_pc_opt; normalize nodelta @if_elim 
-      [1,3: @eqZb_elim [2,4: #_ *] #EQbl cases bl in EQbl int_f_spec; *
-            #reg #pos #reg_prf normalize in ⊢ (% → ?);
-            #EQbl whd in match fetch_function; normalize nodelta
-            >EQbl cases(symbol_for_block ???) 
-            [1,3: whd in ⊢ (??%% → ?); #ABS destruct(ABS)]
-            #id1 >m_return_bind inversion(find_funct_ptr ???) 
-            [1,3:#_ whd in ⊢ (??%% → ?); #ABS destruct(ABS)]
-            #z lapply(globalenv_no_minus_one ??? graph_prog) [1,3: @(λn.[Init_space n])]
-            #EQ  
-            change with ((find_funct_ptr ? (globalenv_noinit ? graph_prog) ? = ?) → ?)
-            change with ((find_funct_ptr ? (globalenv_noinit ? graph_prog) ? = ?)) in EQ;
-            cases reg in ⊢ (% → ?); 
-            [1,3: whd in match find_funct_ptr; normalize nodelta #ABS destruct(ABS)
-            |2,4: >EQ #ABS destruct(ABS)
-            ]
-      |2,4: #_ whd in match fetch_internal_function; normalize nodelta
-            whd in match (pc_block ?); >int_f_spec >m_return_bind
-             >point_of_pc_of_point lapply(good fn) ** #EQ #_ #_ >EQ -EQ 
-              >m_return_bind [2:%] whd in ⊢ (??%? → ?); #EQ destruct(EQ)
-              %
-      ]
-| whd in match sigma_state; normalize nodelta 
-  cut(∀A,semp,fr,fr',is,is',c,c',r,r',m,m'.∀ f : ? → A.
-      fr = fr' ∧ is = is' ∧ c = c' ∧ r = r' ∧ m = m'→ 
-          f(mk_state semp fr is c r m) = f(mk_state semp fr' is' c' r' m'))
-  [#A #semp #fr #fr' #is #is' #c #c' #r #r' #m #m' #f **** //]
-  #APP @APP % [% [% [% [%]]]] // [whd in match sigma_is; normalize nodelta % |3:
-  whd in match sigma_mem; normalize nodelta %]
-|  % [2:  @(proj2 … wf_st')] % [  %  [ @(proj1 … (proj1 … (proj1 … wf_st'))) | 
-          @(proj2 … (proj1 … (proj1 … wf_st')))] ]
-]
-[ change with (? = (λx.sigma_regs ? ? ? ? ? (foldr ? ? ? ? x) ?)?)
-  [ cut((joint_if_locals (lin_prog_params p p' (linearise p graph_prog) stack_sizes)
-   (globals (lin_prog_params p p' (linearise p graph_prog) stack_sizes))
-   (\fst  (linearise_int_fun p
-                (globals (graph_prog_params p p' graph_prog stack_sizes)) fn))) = (joint_if_locals (graph_prog_params p p' graph_prog stack_sizes)
-   (globals (graph_prog_params p p' graph_prog stack_sizes)) fn))
-   [%] #EQ >EQ 
-    elim(joint_if_locals (graph_prog_params p p' graph_prog stack_sizes)
-     (globals (graph_prog_params p p' graph_prog stack_sizes)) fn) in ⊢ (??%(?%));
-  | @hide_prf elim x
-  ]
-| @hide_prf elim(joint_if_locals (graph_prog_params p p' graph_prog stack_sizes)
-     (globals (graph_prog_params p p' graph_prog stack_sizes)) fn)
-]
-[3,5: whd in match (foldr ? ? ???); @(proj2 … (proj1 … wf_st'))
-|4,6: #locs_t #tl_list #wf_regs_tail whd in match (foldr ? ? ???);
-      elim(allocate_locals_commute p p' graph_prog sigma gss locs_t 
-               ? wf_regs_tail) #wf_regs_locs_t #_ assumption
-|*: normalize nodelta
-    [  whd in match (foldr ? ? ???) in ⊢ (??%%); %
-    | #locs_t #tl_list #EQtl whd in match (foldr ?????) in ⊢ (??%%);
-      >EQtl
-      lapply(allocate_locals_commute p p' graph_prog sigma gss locs_t 
-        (foldr (localsT ?) (regsT ?) (allocate_locals_ ???) (regs ? st') tl_list) ?)
-      [2: * #x #H >H % |]
-    ]
-]
+       ]
+     ]
 qed.          
                 
 lemma eval_goto_ok :
-lemma eval_tailcall_ok 
- :
-lemma eval_cond_cond_ok :
-lemma eval_cond_fcond_ok :
+ ∀p,p',graph_prog.
+ let lin_prog ≝ linearise p graph_prog in
+ ∀stack_sizes.
+ ∀sigma.good_sigma p graph_prog sigma → 
+ ∀gss : good_state_sigma p p' graph_prog sigma.
+ ∀st,st',f,fn,nxt.
+ ∀prf : well_formed_state_pc … gss st.
+   fetch_statement (make_sem_graph_params p p') …
+    (globalenv_noinit ? graph_prog) (pc … st) =
+      return 〈f, fn,  final … (GOTO (mk_graph_params p) … nxt)〉 →
+   eval_state … (ev_genv … (graph_prog_params … graph_prog stack_sizes)) st =
+    return st' →
+ ∃prf'.
+ ∃taf : trace_any_any_free (lin_abstract_status p p' lin_prog stack_sizes)
+  (sigma_state_pc … gss st prf)
+  (sigma_state_pc … gss st' prf').
+ bool_to_Prop (taaf_non_empty … taf).
+#p #p' #graph_prog #stack_sizes #sigma #good #gss #st #st' #f #fn
+#nxt #prf #EQfetch
+whd in match eval_state; normalize nodelta >EQfetch
+>m_return_bind >m_return_bind
+whd in match eval_statement_advance; normalize nodelta
+whd in match goto; normalize nodelta
+#H lapply (err_eq_from_io ????? H) -H
+#H @('bind_inversion H) #pc'
+@('bind_inversion EQfetch) * #curr_i #curr_fn #EQfetchfn
+#H @('bind_inversion H) -H #stmt' #_ whd in ⊢ (??%%→?);
+#EQ destruct(EQ)
+>(graph_pc_of_label … EQfetchfn) whd in ⊢ (??%%→??%%→?);
+#EQ1 #EQ2 destruct
+cases (fetch_statement_sigma_commute … good … (proj2 … (proj1 … prf)) … EQfetch)
+normalize nodelta ** #prf' #EQpc_of_label' *
+#EQfetch'
+-H
+%
+[ @hide_prf cases st in prf prf'; -st #st #pc #popped ** #H1 #H2 #H3
+  #H4 %{H3} %{H1 H4} ]
+%{(taaf_step … (taa_base …) …) I}
+[ whd whd in ⊢ (??%?); >EQfetch' %
+| whd whd in match eval_state; normalize nodelta
+  >EQfetch' >m_return_bind >m_return_bind
+  whd in match eval_statement_advance; whd in match goto;
+  normalize nodelta >pc_block_sigma_commute >EQpc_of_label'
+  >m_return_bind %
+]
+qed.
+
+lemma eval_cond_ok :
+∀p,p',graph_prog.
+let lin_prog ≝ linearise p graph_prog in
+∀stack_sizes.
+∀sigma.good_sigma p graph_prog sigma → 
+∀gss : good_state_sigma p p' graph_prog sigma.
+∀st,st',f,fn,a,ltrue,lfalse.
+∀prf : well_formed_state_pc … gss st.
+ fetch_statement (make_sem_graph_params p p') …
+  (globalenv_noinit ? graph_prog) (pc … st) =
+    return 〈f, fn,  sequential … (COND (mk_graph_params p) … a ltrue) lfalse〉 →
+ eval_state … (ev_genv … (graph_prog_params … graph_prog stack_sizes)) st =
+  return st' →
+as_costed (joint_abstract_status (graph_prog_params p p' graph_prog stack_sizes))
+  st' →
+∃prf'.
+∃taf : trace_any_any_free (lin_abstract_status p p' lin_prog stack_sizes)
+(sigma_state_pc … gss st prf)
+(sigma_state_pc … gss st' prf').
+bool_to_Prop (taaf_non_empty … taf).
+#p #p' #graph_prog #stack_sizes #sigma #good #gss #st #st' #f #fn
+#a #ltrue #lfalse #prf #EQfetch
+whd in match eval_state; normalize nodelta >EQfetch
+>m_return_bind >m_return_bind
+whd in match eval_statement_advance; normalize nodelta
+#H @('bind_inversion (err_eq_from_io ????? H))
+@bv_pc_other [ #pc' #p #_ whd in ⊢ (??%%→?); #ABS destruct(ABS) ]
+#bv #bv_no_pc #EQretrieve
+cut
+  (∃prf'.acca_retrieve ?? (p' ?) (sigma_state_pc p p' graph_prog sigma gss st prf) a =
+    return sigma_beval p p' graph_prog sigma bv prf')
+[ @acca_retrieve_commute assumption ]
+* #bv_prf >(sigma_bv_no_pc … bv_no_pc) #EQretrieve'
+-H #H @('bind_inversion H) *
+#EQbool normalize nodelta -H
+[ whd in match goto; normalize nodelta
+  #H @('bind_inversion H) -H #pc'
+  @('bind_inversion EQfetch) * #curr_i #curr_fn #EQfetchfn
+  #H @('bind_inversion H) -H #stmt' #_ whd in ⊢ (??%%→?);
+  #EQ destruct(EQ)
+  >(graph_pc_of_label … EQfetchfn) whd in ⊢ (??%%→??%%→?);
+  #EQ1 #EQ2 destruct
+| whd in ⊢ (??%%→?);
+  #EQ destruct(EQ)
+]
+#ncost
+cases (fetch_statement_sigma_commute … good … (proj2 … (proj1 … prf)) … EQfetch)
+normalize nodelta ** #prf' #EQpc_of_label' ** #prf'' **
+#EQfetch' #nxt_spec
+% [1,3,5,7: @hide_prf
+  cases st in prf prf' prf'';
+  -st #st #pc #popped ** #H1 #H2 #H3 #H4 #H5
+  %{H3} %{H1} assumption ]
+%{(taaf_step_jump … (taa_base …) …) I}
+[1,4,7,10: whd
+  >(as_label_sigma_commute … good) assumption
+|2,5,8,11: whd whd in ⊢ (??%?);
+  >EQfetch' %
+|*: whd whd in match eval_state; normalize nodelta >EQfetch'
+  >m_return_bind >m_return_bind
+  whd in match eval_statement_advance; normalize nodelta >EQretrieve'
+  >m_return_bind >EQbool >m_return_bind normalize nodelta
+  [1,2: whd in match goto; normalize nodelta
+    >pc_block_sigma_commute >EQpc_of_label' %
+  |3: whd in match next; normalize nodelta >nxt_spec %
+  |4: whd in match goto; normalize nodelta
+    >pc_block_sigma_commute >nxt_spec %
+  ]
+]
+qed.
+
 lemma eval_return_ok :
+∀p,p',graph_prog.
+let lin_prog ≝ linearise p graph_prog in
+∀stack_sizes.
+∀sigma.∀good : good_sigma p graph_prog sigma.
+∀gss : good_state_sigma p p' graph_prog sigma.
+∀st,st',f,fn.
+∀prf : well_formed_state_pc … gss st.
+ fetch_statement (make_sem_graph_params p p') …
+  (globalenv_noinit ? graph_prog) (pc … st) =
+    return 〈f, fn,  final … (RETURN (mk_graph_params p) … )〉 →
+ eval_state … (ev_genv … (graph_prog_params … graph_prog stack_sizes)) st =
+  return st' →
+joint_classify (lin_prog_params … (linearise … graph_prog) stack_sizes)
+  (sigma_state_pc … st prf) = Some ? cl_return ∧
+∃prf'.
+∃st2_after_ret.
+∃taf : trace_any_any_free (lin_abstract_status p p' lin_prog stack_sizes)
+st2_after_ret
+(sigma_state_pc … gss st' prf').
+(if taaf_non_empty … taf then
+  ¬as_costed (joint_abstract_status (lin_prog_params p p' (linearise … graph_prog) stack_sizes))
+    st2_after_ret
+ else True) ∧
+eval_state … (ev_genv …  (lin_prog_params … (linearise … graph_prog) stack_sizes))
+  (sigma_state_pc … st prf) =
+return st2_after_ret ∧
+ret_rel … (linearise_status_rel … gss good) st' st2_after_ret.
+#p #p' #graph_prog #stack_sizes #sigma #good #gss #st #st' #f #fn
+#prf #EQfetch
+whd in match eval_state; normalize nodelta >EQfetch
+>m_return_bind >m_return_bind
+whd in match eval_statement_advance; normalize nodelta
+#H lapply (err_eq_from_io ????? H) -H
+#H @('bind_inversion H) -H #st1' #EQpop
+cut (∃prf'.
+  (pop_frame … (ev_genv (lin_prog_params ? p' (linearise ? graph_prog) stack_sizes))
+    f (\fst (pi1 ?? (linearise_int_fun ?? fn))) (sigma_state … gss st (proj2 … prf)))
+   = return sigma_state_pc … gss st1' prf')
+[ @pop_frame_commute assumption ]
+* #prf' #EQpop' >m_bind_bind
+#H @('bind_inversion H) ** #call_i #call_fn
+* [ * [ #s | #a #lbl ] #nxt | #s | * ] normalize nodelta
+#EQfetch_ret -H
+whd in ⊢ (??%%→?); #EQ destruct(EQ) whd in match (next ???); >graph_succ_pc
+cases (fetch_statement_sigma_commute … good … (proj2 … (proj1 … prf)) … EQfetch)
+#_ normalize nodelta #EQfetch'
+cases (fetch_statement_sigma_commute … good … (proj2 … (proj1 … prf')) … EQfetch_ret)
+normalize nodelta
+#all_labels_in
+* #EQfetch_ret' * #prf'' * [2: * ] #nxt_spec [2:| #EQpc_of_label']
+% [1,3: whd in match joint_classify; normalize nodelta
+  >EQfetch' >m_return_bind % ]
+% [1,3: @hide_prf cases prf' * #_ #H1 #H2 %{H2} %{H1 prf''} ]
+[ % [2: %{(taaf_base …)} |]
+  % [ %{I} ]
+  [ >EQfetch' >m_return_bind >m_return_bind normalize nodelta
+    whd in match eval_return; normalize nodelta
+    >EQpop' >m_return_bind
+    whd in match next_of_pc; normalize nodelta
+    >EQfetch_ret' >m_return_bind whd in match next; normalize nodelta
+    >nxt_spec %
+  | * #s1_pre #s1_call
+    cases (joint_classify_call … s1_call)
+    * #calling_i #calling * #call_spec * #arg * #dest * #nxt * #bl
+    * #called_i * #called ** #EQfetch_call #EQbl #EQfetch_called
+    * #s2_pre #s2_call
+    whd in ⊢ (%→?); >EQfetch_call * #EQ #_
+    * #s1_pre_prf #EQpc_s2_pre
+    whd >EQpc_s2_pre
+    <(sigma_pc_irr … EQ) [2: @hide_prf @(proj2 … (proj1 … prf')) ]
+    >EQfetch_ret' % [ % | >nxt_spec % ]
+  ]
+| % [2: %{(taaf_step … (taa_base …) …)} |*:]
+  [3: % [ % normalize nodelta ]
+    [2: >EQfetch' in ⊢ (??%?);
+      >m_return_bind in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
+      normalize nodelta
+      whd in match eval_return; normalize nodelta
+      >EQpop' in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
+      whd in match next_of_pc; normalize nodelta
+      >EQfetch_ret' in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
+      whd in match next; normalize nodelta %
+    |1: normalize nodelta %* #H @H -H
+      whd in ⊢ (??%?); >nxt_spec %
+    |3: * #s1_pre #s1_call
+      cases (joint_classify_call … s1_call)
+      * #calling_i #calling * #call_spec * #arg * #dest * #nxt' * #bl
+      * #called_i * #called ** #EQfetch_call #EQbl #EQfetch_called
+      * #s2_pre #s2_call
+      whd in ⊢ (%→?); >EQfetch_call * #EQ #_
+      * #s1_pre_prf #EQpc_s2_pre
+      whd >EQpc_s2_pre
+      <(sigma_pc_irr … EQ) [2: @hide_prf @(proj2 … (proj1 … prf')) ]
+      >EQfetch_ret' %%
+    ]
+  |1: whd whd in ⊢ (??%?); >nxt_spec %
+  |2: whd whd in match eval_state; normalize nodelta
+    >nxt_spec >m_return_bind >m_return_bind
+    whd in match eval_statement_advance; whd in match goto; normalize nodelta
+    whd in match (pc_block ?); >pc_block_sigma_commute
+    >EQpc_of_label' >m_return_bind % whd in match (set_pc ???); %
+  |*:
+  ]
+]
+qed.
+
+(* TODO *)
+axiom eval_tailcall_ok :
+∀p,p',graph_prog.
+let lin_prog ≝ linearise p graph_prog in
+∀stack_sizes.
+∀sigma.good_sigma p graph_prog sigma → 
+∀gss : good_state_sigma p p' graph_prog sigma.
+∀st,st',f,fn,fl,called,args.
+∀prf : well_formed_state_pc … gss st.
+ fetch_statement (make_sem_graph_params p p') …
+  (globalenv_noinit ? graph_prog) (pc … st) =
+    return 〈f, fn,  final … (TAILCALL (mk_graph_params p) … fl called args)〉 →
+ eval_state … (ev_genv … (graph_prog_params … graph_prog stack_sizes)) st =
+  return st' →
+  let st2_pre_call ≝ sigma_state_pc … gss st prf in
+  ∃is_tailcall, is_tailcall'.
+  ∃prf'.
+  let st2_after_call ≝ sigma_state_pc … gss st' prf' in
+  joint_tailcall_ident (lin_prog_params … (linearise … graph_prog) stack_sizes) «st2_pre_call, is_tailcall'» =
+  joint_tailcall_ident (graph_prog_params … graph_prog stack_sizes) «st, is_tailcall» ∧
+  eval_state … (ev_genv … (lin_prog_params … (linearise … graph_prog) stack_sizes))
+    st2_pre_call = return st2_after_call.
 
 
@@ -2432 +2636 @@
 change with
   (eval_state (make_sem_graph_params p p') (prog_var_names ???) ?? = ? → ?)
-whd in match eval_state in ⊢ (%→?); normalize nodelta
-@'bind_inversion
-** #curr_f #curr_fn #stmt #H lapply (err_eq_from_io ????? H) -H #EQfetch_stmt
-cases (fetch_statement_inv … EQfetch_stmt) #EQfetchfn #_
-@'bind_inversion
-#st1_no_pc' #ex lapply (err_eq_from_io ????? ex) -ex #ex #ex_advance
-* #wf_prf #st2_EQ
-
-cases (fetch_statement_sigma_commute … good … (hide_prf … (proj1 … wf_prf)) EQfetch_stmt) 
-cases stmt in EQfetch_stmt ex ex_advance; -stmt
+#EQeval
+@('bind_inversion EQeval)
+** #curr_f #curr_fn #stmt #H lapply (err_eq_from_io ????? H) -H #EQfetch
+#_ * #prf #EQst2
+cases stmt in EQfetch; -stmt
 [ @cond_call_other
   [ #a #ltrue | #f #args #dest | #s #s_no_call ] #nxt | #s | * ]
 normalize nodelta
-#EQfetch_stmt
-whd in match eval_statement_no_pc in ⊢ (%→?); normalize nodelta
-#ex
-[| whd in match eval_statement_advance in ⊢ (%→?);
-  whd in match eval_seq_advance in ⊢ (%→?);
+#EQfetch
+change with (joint_classify ??) in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]);
+[ (* COND *)
+  whd in match joint_classify; normalize nodelta;
+  >EQfetch in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]);
   normalize nodelta
-| whd in match eval_statement_advance in ⊢ (%→?);
+  #ncost
+  cases (eval_cond_ok … good … prf EQfetch EQeval ncost)
+  #prf' * #taf #taf_ne
+  destruct(EQst2)
+  % [2: %{taf} |*:]
+  >taf_ne normalize nodelta
+  % [ %{I} %{prf'} % ]
+  whd >(as_label_sigma_commute … good) %
+|  (* CALL *)
+  cases (eval_call_ok … good … prf EQfetch EQeval)
+  #is_call * #is_call' *
+  #prf' * #eq_call #EQeval'
+  destruct(EQst2)
+  >is_call in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]); normalize nodelta
+  #ignore %{«?, is_call'»}
+  % [ %{eq_call} %{prf} % ]
+  % [2: % [2: %{(taa_base …)} %{(taa_base …)} % [ %{EQeval'} %{prf'} % ]] |*:]
+  whd >(as_label_sigma_commute … good) %
+| (* SEQ *)
+  whd in match joint_classify; normalize nodelta;
+  >EQfetch in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]);
   normalize nodelta
-  >(no_call_advance (mk_prog_params (make_sem_graph_params p p')
-    graph_prog stack_sizes))   in ⊢ (%→?); try assumption
-]
-#ex_advance
-#all_labels_in
-letin lin_prog ≝ (linearise … graph_prog)
-lapply (refl … (eval_state …  (ev_genv (mk_prog_params (make_sem_lin_params p p') lin_prog stack_sizes)) st2))
-whd in match eval_state in ⊢ (???%→?);
->st2_EQ in ⊢ (???%→?); normalize nodelta
-[ (* COND *)
-| (* CALL *)
-| (* SEQ *)
-  #ex'
-  * #lin_fetch_stmt #next_spec
-  whd in match (as_classify ??) in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? | _ ⇒ ? | _ ⇒ ? ]);
-  >EQfetch_stmt in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? | _ ⇒ ? | _ ⇒ ? ]);
-  normalize nodelta
-  whd in match joint_classify_step;
-  normalize nodelta
-  >no_call_other in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? | _ ⇒ ? | _ ⇒ ? ]);
-  try assumption
-  normalize nodelta
-  >lin_fetch_stmt in ex' : (???%) ⊢ ?; >m_return_bind in ⊢ (???%→?);
-  whd in match eval_statement_no_pc in ⊢ (???%→?);
-  normalize nodelta
-  cases (eval_seq_no_pc_sigma_commute … gss … ex) in ⊢ ?;
-  [2: @hide_prf @(proj2 … wf_prf) ]
-  #st1_no_pc_wf #EQ >EQ in ⊢ (???%→?); -EQ 
-   >m_return_bind in ⊢ (???%→?);
-  whd in match eval_statement_advance in ⊢ (%→?);
-  normalize nodelta
-  >(no_call_advance (mk_prog_params (make_sem_lin_params p p')
-    lin_prog stack_sizes))   in ⊢ (%→?); try assumption
-  whd in match (next ???) in ⊢ (%→?);
-  change with (sigma_pc ????? (hide_prf ??)) in match (pc ??) in ⊢ (%→?);
-  #ex'
-  cases next_spec
-  #succ_pc_nxt_wf *
-  [ #succ_pc_commute >succ_pc_commute in ex' ⊢ ?;
-    #ex'
-    % [2: %{(taaf_step … (taa_base …) …)} [2: @ex' ] |*:]
-    whd
-    [ whd in ⊢ (??%?);
-      >lin_fetch_stmt normalize nodelta
-      whd in match joint_classify_step; normalize nodelta
-      @no_call_other assumption
-    | normalize nodelta
-      cut (? : Prop)
-      [3: #H % [ % [ % | @H ]] |*:]
-      [ (* TODO lemma : sem_rel → label_rel *)
-        cases daemon
-      | whd in ex_advance : (??%%); destruct(ex_advance)
-        % [ % assumption | % ]
-      ]
-    ]
-  | #fetch_GOTO
-    cases (all_labels_in) #wf_next #_
-    cases (pc_of_label_sigma_commute … p' … good … EQfetchfn ?)
-    [2: @nxt |3: cases daemon ]
-    #wf_next' #EQ
-    % [2: %{(taaf_step … (taa_step … (taa_base …) …) …)}
-      [3: @ex'
-      |2: whd
-        whd in match eval_state; normalize nodelta
-        >fetch_GOTO in ⊢ (??%?); >m_return_bind in ⊢ (??%?);
-         >m_return_bind in ⊢ (??%?);
-        whd in match eval_statement_advance; normalize nodelta
-        whd in match goto; normalize nodelta
-        whd in match (pc_block ?);
-        >sigma_pblock_eq_lemma >EQ in ⊢ (??%?); %
-      |7: normalize nodelta
-        cut (? : Prop)
-        [3: #H % [ % [ % | @H ]] |*:]
-        [ (* TODO lemma : sem_rel → label_rel *)
-          cases daemon
-        | whd in ex_advance : (??%%); destruct(ex_advance)
-          % [ % assumption | % ]
-        ]
-      |5: % * #H @H -H whd in ⊢ (??%?); >fetch_GOTO %
-      |4: whd whd in ⊢ (??%?);
-        >lin_fetch_stmt normalize nodelta
-        whd in match joint_classify_step; normalize nodelta
-        @no_call_other assumption
-      |1: whd whd in ⊢ (??%?);
-        >fetch_GOTO normalize nodelta %
-      |*:
-      ]
-    |*:
-    ]
-  ]
-| (* FIN *)
-]
-
-#stmt_spec
-
-
-cases (eval_statement_no_pc_sigma_commute … gss … (hide_prf … (proj2 … wf_prf)) ex) in ⊢ ?;
-#wf_st1_no_pc_prf #ex' >ex' in ⊢ (???%→?); >m_return_bind in ⊢ (???%→?);
-
-whd in match (as_classify ??) in ⊢ (?→?→match % with [ _ ⇒ ? | _ ⇒ ? | _ ⇒ ? | _ ⇒ ? ]);
->EQfetch_stmt in ⊢ (?→?→match % with [ _ ⇒ ? | _ ⇒ ? | _ ⇒ ? | _ ⇒ ? ]);
-normalize nodelta
-
-normalize nodelta
-[ whd in match joint_classify_step; @cond_call_other 
-  [ (* COND *) #a #lbltrue #nxt
-    #ex whd in match eval_statement_advance in ⊢ (%→%→?); normalize nodelta
-    #H @('bind_inversion (err_eq_from_io ????? H)) -H @bv_pc_other
-    [ #bv_pc #p #bv whd in ⊢ (??%%→?); #ABS destruct(ABS) ]
-    #bv #bv_no_pc #EQretrieve
-    cases (retrieve_commute … (acca_retrieve_commute … gss) … wf_st1_no_pc_prf … EQretrieve)
-    #ignore >(sigma_bv_no_pc … bv_no_pc)
-    change with (acca_retrieve ?? (make_sem_lin_params p p') ?? = ? → ?)
-    #EQretrieve' >EQretrieve' in ⊢ (?→%→?); >m_return_bind in ⊢ (?→%→?);
-    #H @('bind_inversion H) -H * normalize nodelta #EQbool_of_bv
-    >EQbool_of_bv in ⊢ (?→%→?); >m_return_bind in ⊢ (?→%→?); normalize nodelta
-    [ whd in match goto; normalize nodelta
-      >(graph_pc_of_label … EQfetchfn) whd in ⊢ (??%%→?);
-      #EQ destruct(EQ) #ex_advance #ex_advance'
-      % [2: %{(tal_base_not_return …)} [3: @ex_advance'
-  | (* CALL *) #f #args #dest #nxt
-  | (* other *) #stmt #no_call #nxt
-  ] normalize nodelta
-  [ #ex 
-    #ex_advance #ex_advance'
-  | whd in ⊢ (??%%→?); #EQ destruct(EQ)
-    #H @('bind_inversion H) -H #called_block
-    #H lapply (err_eq_from_io ????? H) -H #EQcalled_block
-    #H @('bind_inversion H) -H * #called * #called_fn
-    #H lapply (err_eq_from_io ????? H) -H #EQcalled
+  whd in match joint_classify_step; normalize nodelta
+  >no_call_other [2: assumption ] normalize nodelta
+  cases (eval_seq_no_call_ok … good … prf EQfetch EQeval) [2: assumption ]
+  #prf' * #taf #taf_ne
+  destruct(EQst2)
+  % [2: %{taf} |*:]
+  >taf_ne normalize nodelta % [ %{I} ]
+  [ %{prf'} % | whd >(as_label_sigma_commute … good) % ]
+| (* FIN *) cases s in EQfetch;
+  [ (* GOTO *) #lbl #EQfetch
+    whd in match joint_classify; normalize nodelta;
+    >EQfetch in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]);
     normalize nodelta
-    [ #H lapply (err_eq_from_io ????? H) -H ]
-    #H @('bind_inversion H) -H
-     | @('bind_inversion H) ] -H #st1_no_pc'' #save_frame_EQ ]
-    #ex_advance #ex_advance'
-    whd in match joint_classify_seq; normalize nodelta
-    >EQcalled_block in ⊢ (?→match % with [ _ ⇒ ? | _ ⇒ ? | _ ⇒ ? | _ ⇒ ? ]);
-    
-    cut (∀p,p',graph_prog,sigma,gss,st,f,bl.
-        ∀prf : well_formed_state p p' graph_prog sigma gss st.
-        block_of_call (make_sem_graph_params p p') ?
-          (globalenv_noinit ? graph_prog) st f = return bl →
-        block_of_call (make_sem_lin_params p p') ?
-          (globalenv_noinit ? (linearise … graph_prog))
-          (sigma_state … st prf) f = return bl)
-      [1,3: (*TODO lemma *) cases daemon ] #block_of_call_sigma_commute
-      whd in match eval_seq_advance; normalize nodelta
-      >(block_of_call_sigma_commute … EQcalled_block) in ⊢ (???%→?);
-      >m_return_bind in ⊢ (???%→?);
-      >(fetch_function_transf … EQcalled :
-        fetch_function … (globalenv_noinit … lin_prog) called_block = ?) in ⊢ (???%→?);
-      >m_return_bind in ⊢ (???%→?);
-      whd in match (transf_fundef); normalize nodelta
-        
-        
-      #block_of_call_sigma_commute
-    @match_int_fun #called_descr #EQcalled_descr
-    [ #H @('bind_inversion H) -H #st1_frame_saved #EQ_frame_saved ]
-    #ex_advance
-    cut 
-      (∀A,B.∀prog : program (λvars.fundef (A vars)) ℕ.
-      ∀trans : ∀vars.A vars → B vars.
-      let prog_out : program (λvars.fundef (B vars)) ℕ ≝
-        transform_program ??? prog (λvars.transf_fundef … (trans vars)) in
-      ∀i.is_function … (globalenv_noinit … prog) i →
-       is_function … (globalenv_noinit … prog_out) i) [1,3: (* TODO lemma *) cases daemon ]
-    #f_propagate
-    letin sigma_function ≝ (λA,B,prog,trans.
-      λf : Σi.is_function ? (globalenv_noinit ? prog) i.
-      «pi1 ?? f, f_propagate A B prog trans ? (pi2 ?? f)») in ⊢ ?; (* TODO def *)
-    cut (∀p,p',graph_prog.
-      let lin_prog ≝ linearise ? graph_prog in
-      ∀sigma.∀gss : good_state_sigma … graph_prog sigma.
-      ∀f,st,fn.
-      ∀prf : well_formed_state … gss st.
-      function_of_call (make_sem_graph_params p p') … (globalenv_noinit … graph_prog)
-        st f = return fn →
-      function_of_call (make_sem_lin_params p p') … (globalenv_noinit … lin_prog)
-        (sigma_state … gss st prf) f = return sigma_function … fn)
-        [1,3: (* TODO lemma *) cases daemon ]
-    #function_of_call_sigma_commute
-    whd in match joint_classify_step; whd in match joint_classify_seq;
-    normalize nodelta #next_spec
-    >(function_of_call_sigma_commute … EQcalled) in ⊢ (%→?);
-    >m_return_bind in ⊢ (%→?);
-    @match_int_fun
-    [2,3: #EQdescr' lapply EQdescr'
-      >description_of_function_transf in EQdescr';
-      
-    
-    whd in match sigma_beval; normalize nodelta
-    cases bv
-    [|| #ptr1 #ptr2 #p | #by | #p | #ptr #p | #bv_pc #p ]
-    whd in match (sigma_beval_opt ?????) in ⊢ (%→%→?);
-    [7: #ignore #_ 
-    #ignore whd in match (opt_safe ???) in ⊢ (%→?); #EQretrieve
-    whd in match (bool_of_beval ?) in ⊢ (% → ?);
-    3: >no_call_advance [2: @no_call]
-  
-
-
-generalize in match wf_pc in ⊢ ?;
-whd in ⊢ (%→?);
-inversion (sigma_pc_opt ?????) in ⊢ (%→?); [ #_ * #ABS elim (ABS ?) % ]
-#lin_pc 
-whd in match (sigma_pc_opt) in ⊢ (%→?); normalize nodelta
->EQfunc_of_block in ⊢ (%→?); >m_return_bind in ⊢ (%→?);
-#H elim (bind_opt_inversion ????? H) in ⊢ ?; -H #lin_pt *
-#EQsigma whd in ⊢ (??%?→?); #EQ destruct(EQ) #_
-elim (good_local … EQsigma) -good_local
-#stmt' *
-change with (stmt_at ?? (joint_if_code ?? graph_fun) ? = ? → ?)
->EQstmt_at #EQ lapply (sym_eq ??? EQ) -EQ #EQ destruct(EQ)
-#H elim (opt_Exists_elim … H) -H * #lbl_opt #lin_stmt normalize nodelta
->(prog_if_of_function_transform … fn) in ⊢ (%→?); [2: % ]
-change with graph_fun in match (if_of_function ?? fn) in ⊢ (%→?);
-letin lin_fun ≝ (\fst  (linearise_int_fun p globals graph_fun))
-change with globals in match (prog_var_names ?? graph_prog) in ⊢ (%→?);
-*
-#EQnth_opt ** #opt_lbl_spec #EQ destruct(EQ) #next_spec
-destruct(EQst2)
-whd in match eval_state in ⊢ (???%→?); normalize nodelta
-(* resolve classifier *)
-[ *
-  [ #stmt #nxt
-    whd in match eval_statement in ⊢ (?→%→?); normalize nodelta
-    #EQfetch #EQeval #EQstmt_at #EQnth_opt #next_spec
-    whd in match (graph_to_lin_statement ???) in ⊢ (%→?);
-    whd in match eval_statement in ⊢ (%→?); normalize nodelta
-    elim (IO_bind_inversion ??????? EQeval) #st1_no_pc *
-    #EQeval_no_pc #EQeval_pc
-    >(eval_seq_no_pc_sigma_commute … EQeval_no_pc)
-    [2: (*TODO lemma eval_seq_no_pc_wf *) @hide_prf cases daemon ]
-        >m_return_bind
-    cases stmt in EQfetch EQeval_no_pc EQeval_pc EQstmt_at EQnth_opt next_spec;
-    [14: #f #args #dest
-    | #c
-    | #lbl
-    | #move_sig
-    | #a
-    | #a
-    | #sy #sy_prf #dpl #dph
-    | #op #a #b #arg1 #arg2
-    | #op #a #arg
-    | #op #a #arg1 #arg2 
-    ||
-    | #a #dpl #dph
-    | #dpl #dph #a
-    | #s_ext
-    ]
-    [ (* CALL *)
-    |(*:*)
-      normalize nodelta
-      #EQfetch #EQeval_no_pc #EQeval_pc #EQstmt_at #EQnth_opt #next_spec
-      whd in match eval_seq_pc; normalize nodelta
-      #ex1
-      cases next_spec
-      [ #EQnext_sigma
-        %[2: %{(taaf_step … (taa_base …) ex1 ?)}
-         [ cases daemon (* TODO lemma joint_classify_sigma_commute *) ]|]
-        normalize nodelta
-        cut (? : Prop) [3: #R' % [ %{I R'} ] |*:]
-        [ cases daemon (* TODO lemma joint_label_sigma_commute *)
-        | %
-          [ (* TODO lemma well_formed_state_pc_preserve? *) @hide_prf cases daemon
-          | whd in match eval_seq_pc in EQeval_pc;
-            whd in EQeval_pc : (??%%); whd in EQeval_pc : (??(????%)?);
-            destruct (EQeval_pc)
-            whd in ⊢ (??%%);
-            change with (sigma_pc ??????) in match
-              (pc ? (sigma_state_pc ???????));
-            whd in match (succ_pc ????) in ⊢ (??%%);
-            whd in match (point_of_succ ???) in ⊢ (??%%);
-            >(point_of_pc_sigma_commute … EQfunc_of_block EQsigma)
-            whd in match sigma_pc in ⊢ (???%);
-            whd in match sigma_pc_opt in ⊢ (???%); normalize nodelta
-            @opt_safe_elim #pc'
-            >EQfunc_of_block >m_return_bind
-            whd in match point_of_pc; normalize nodelta
-            >point_of_offset_of_point
-            >EQnext_sigma whd in ⊢ (??%?→?);
-            whd in match pc_of_point; normalize nodelta
-            #EQ destruct(EQ)
-            >sigma_pblock_eq_lemma %
-          ]
-        ]
-      | -next_spec #next_spec
-        %
-      
-      
-        whd in ⊢ (?→???%→?);
-        generalize in ⊢ (??%? → ???(????%) → ?); |*: skip]  | #a #lbltrue #next
-  ] #next change with label in next;
-| *
-  [ #lbl
-  | 
-  | #fl #f #args
+    cases (eval_goto_ok … good … prf EQfetch EQeval)
+    #prf' * #taf #taf_ne
+    destruct(EQst2)
+    % [2: %{taf} |*:]
+    >taf_ne normalize nodelta % [ %{I} ]
+    [ %{prf'} % | whd >(as_label_sigma_commute … good) % ]
+  | (* RETURN *) #EQfetch
+    whd in match joint_classify; normalize nodelta;
+    >EQfetch in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]);
+    normalize nodelta
+    cases (eval_return_ok … good … prf EQfetch EQeval)
+    #is_ret' *
+    #prf' * #after_ret * #taf ** #taf_prf #EQeval' #ret_prf
+    destruct(EQst2)
+    % [2: % [2: % [2: %{(taa_base …)} %{taf} ]] |*:]
+    % [2: whd >(as_label_sigma_commute … good) % ]
+    %{ret_prf}
+    % [2: %{prf'} % ]
+    %{EQeval'}
+    %{taf_prf is_ret'}
+  | (* TAILCALL *) #fl #called #args #EQfetch
+    cases (eval_tailcall_ok … good … prf EQfetch EQeval)
+    #is_tailcall * #is_tailcall' *
+    #prf' * #eq_call #EQeval'
+    destruct(EQst2)
+    >is_tailcall in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]); normalize nodelta
+    #ignore %{«?, is_tailcall'»}
+    %{eq_call}
+    % [2: % [2: %{(taa_base …)} %{(taa_base …)} % [ %{EQeval'} %{prf'} % ]] |*:]
+    whd >(as_label_sigma_commute … good) %
   ]
 ]
-whd in match eval_statement in ⊢ (?→%→?); normalize nodelta
-#EQfetch #EQeval #EQstmt_at #EQnth_opt #next_spec
-normalize nodelta
-whd in match (graph_to_lin_statement ???) in ⊢ (%→?);
-whd in match eval_statement in ⊢ (%→?); normalize nodelta
-[ >m_return_bind in ⊢ (%→?);
-  >m_return_bind in EQeval;
-
-
-
-  (* common for all non-call seq *)
-  >m_return_bind in ⊢ (%→?);
-  whd in ⊢ (??%%→?); #EQ destruct(EQ)
-  >m_return_bind in ⊢ (%→?);
-
-  
-  #ex1
-lapply (refl … (eval_state ? globals (ev_genv (lin_prog_params p p' lin_prog lin_stack_sizes)) st2))
-
-whd in match (point_of_pc ???);
-whd in match (point_of_succ ???);
-whd in match sigma_pc in ⊢ (???%); normalize nodelta @opt_safe_elim
-#pc' #H
-elim (bind_opt_inversion ????? H) #fn * #EQbl
--H #H  
-elim (bind_opt_inversion ????? H) -H #n * #EQsigma whd in ⊢ (??%?→?);
-#EQ destruct(EQ)
-whd in match (succ_pc ????);
-whd in match (point_of_succ ???);
-change with (point_of_offset ???) in match (point_of_pc ???);
->point_of_offset_of_point
-whd in match sigma_pc; normalize nodelta @opt_safe_elim
-#pc' whd in match sigma_pc_opt; normalize nodelta
-
-  
-  
-        whd in match (succ_pc ????);
-                
-        change with next in match (offset_of_point ???) in ⊢ (???%);
-whd in fetch_statement_spec : (??()%);
-cases cl in classified_st1_cl; -cl #classified_st1_cl whd
-[4:
- >rel_st1_st2 -st2 letin lin_prog ≝ (linearise ? graph_prog)
- cases (good (pi1 ?? fn)) [2: cases daemon (* TODO *) ]
- #sigma_entry_is_zero #sigma_spec
- lapply (sigma_spec (point_of_pc … (make_sem_graph_params … p') (pc … st1)))
- -sigma_spec #sigma_spec cases (sigma_spec ??) [3: @opt_to_opt_safe cases daemon (* TO REDO *) |2: skip ]
- -sigma_spec #graph_stmt * #graph_lookup_ok #sigma_spec
- cases (opt_Exists_elim … sigma_spec) in ⊢ ?;
- * #optlabel #lin_stm * #lin_lookup_ok whd in ⊢ (% → ?); ** #labels_preserved
- #related_lin_stm_graph_stm
- 
- inversion (stmt_implicit_label ???)
- [ whd in match (opt_All ???); #stmt_implicit_spec #_
-   letin st2_opt' ≝ (eval_state …
-               (ev_genv (lin_prog_params … lin_prog lin_stack_sizes))
-               (sigma_state_pc … wf_st1))
-   cut (∃st2': lin_abstract_status p p' lin_prog lin_stack_sizes. st2_opt' = return st2')
-   [cases daemon (* TODO, needs lemma? *)] * #st2' #st2_spec'
-   normalize nodelta in st2_spec'; -st2_opt'
-   %{st2'} %{(taaf_step … (taa_base …) …)}
-   [ cases daemon (* TODO, together with the previous one? *)
-   | @st2_spec' ]
-   %[%] [%]
-   [ whd whd in match eval_state in st2_spec'; normalize nodelta in st2_spec';
-     >(fetch_statement_sigma_commute … good … fetch_statement_spec) in st2_spec';
-     >m_return_bind
-     (* Case analysis over the possible statements *)
-     inversion graph_stmt in stmt_implicit_spec; normalize nodelta
-     [ #stmt #lbl #_ #abs @⊥ normalize in abs; destruct(abs) ]
-     XXXXXXXXXX siamo qua, caso GOTO e RETURN
-   | cases daemon (* TODO, after the definition of label_rel, trivial *) ]
-   ]
- | ....
-qed.
-
-
-
-
-
-[ *
-  [ *
-    [ letin C_COMMENT ≝ 0 in ⊢ ?; #c
-    | letin C_COST_LABEL ≝ 0 in ⊢ ?; #lbl
-    | letin C_MOVE       ≝ 0 in ⊢ ?; #move_sig
-    | letin C_POP        ≝ 0 in ⊢ ?; #a
-    | letin C_PUSH       ≝ 0 in ⊢ ?; #a
-    | letin C_ADDRESS    ≝ 0 in ⊢ ?; #sy #sy_prf #dpl #dph
-    | letin C_OPACCS     ≝ 0 in ⊢ ?; #op #a #b #arg1 #arg2
-    | letin C_OP1        ≝ 0 in ⊢ ?; #op #a #arg
-    | letin C_OP2        ≝ 0 in ⊢ ?; #op #a #arg1 #arg2 
-    | letin C_CLEAR_CARRY ≝ 0 in ⊢ ?;
-    | letin C_SET_CARRY  ≝ 0 in ⊢ ?;
-    | letin C_LOAD       ≝ 0 in ⊢ ?; #a #dpl #dph
-    | letin C_STORE      ≝ 0 in ⊢ ?; #dpl #dph #a
-    | letin C_CALL       ≝ 0 in ⊢ ?; #f #args #dest
-    | letin C_EXT        ≝ 0 in ⊢ ?; #s_ext
-    ]
-  | letin C_COND ≝ 0 in ⊢ ?; #a #lbltrue
-  ] #next change with label in next;
-| *
-  [ letin C_GOTO ≝ 0 in ⊢ ?; #lbl
-  | letin C_RETURN ≝ 0 in ⊢ ?; 
-  | letin C_TAILCALL ≝ 0 in ⊢ ?; #fl #f #args
-  ]
-]
+qed.

src/joint/semantics.ma

@@ -68 +68 @@
   { st_no_pc :> state semp
   ; pc : program_counter
+  (* for correctness reasons: pc of last popped calling address (exit_pc at the start) *)
+  ; last_pop : program_counter
   }.
+
+(* special program counter that is guaranteed to not correspond to anything *)
+definition exit_pc : program_counter ≝
+  mk_program_counter «mk_block Code (-1), refl …» one.
 
 definition set_m: ∀p. bemem → state p → state p ≝
@@ -87 +93 @@
 
 definition set_pc: ∀p. ? → state_pc p → state_pc p ≝
- λp,pc,st. mk_state_pc … (st_no_pc … st) pc.
+ λp,pc,st. mk_state_pc … (st_no_pc … st) pc (last_pop … st).
 
 definition set_no_pc: ∀p. ? → state_pc p → state_pc p ≝
- λp,s,st. mk_state_pc … s (pc … st).
+ λp,s,st. mk_state_pc … s (pc … st) (last_pop … st).
+
+definition set_last_pop: ∀p. ? → state_pc p → state_pc p ≝
+ λp,s,st. mk_state_pc … (st_no_pc … st) (pc … st) s.
 
 definition set_frms: ∀p:sem_state_params. framesT p → state p → state p ≝
@@ -356 +365 @@
  λp,globals,ge,l,st.
   ! newpc ← pc_of_label … ge (pc_block (pc … st)) l ;
-  return mk_state_pc … st newpc.
+  return set_pc … newpc st.
 
 (*
@@ -366 +375 @@
  λp,l,st.
  let newpc ≝ succ_pc … (pc … st) l in
- mk_state_pc … st newpc.
+ set_pc … newpc st.
 
 axiom NoSuccessor : String.
@@ -374 +383 @@
   ! 〈id_fn, stmt〉 ← fetch_statement … ge pc ;
   match stmt with
-  [ sequential _ nxt ⇒ return nxt
+  [ sequential s nxt ⇒
+    match s with
+    [ step_seq _ => return nxt
+    | COND _ _ => Error … [MSG NoSuccessor]
+    ]
   | _ ⇒ Error … [MSG NoSuccessor]
   ].
@@ -493 +506 @@
 ! stack_size ← opt_to_res … [MSG MissingStackSize; CTX … i] (stack_sizes … ge i) ;
 ! st' ← setup_call … stack_size (joint_if_params … globals fn) args st ;
-return allocate_locals … p (joint_if_locals … fn) st.
+return allocate_locals … p (joint_if_locals … fn) st'.
 
 definition is_inl : ∀A,B.A+B → bool ≝ λA,B,x.match x with [ inl _ ⇒ true | _ ⇒ false ].
@@ -507 +520 @@
   ! st'' ← eval_internal_call p globals ge i ifd args st' ;
   let pc ≝ pc_of_point p bl (joint_if_entry … ifd) in
-  return mk_state_pc … st'' pc
+  return mk_state_pc … st'' pc (last_pop … st)
 | External efd ⇒
   ! st' ← eval_external_call … efd args dest st ;
-  return mk_state_pc … st' (succ_pc p (pc … st) nxt)
+  return mk_state_pc … st' (succ_pc p (pc … st) nxt) (last_pop … st)
 ].
 
@@ -544 +557 @@
 ! st' ← pop_frame … ge curr_id curr_fn st ;
 ! nxt ← next_of_pc … ge (pc … st') ;
-return next … nxt st' (* now address pushed on stack are calling ones! *).
+return
+  set_last_pop … (pc … st') (next … nxt st') (* now address pushed on stack are calling ones! *).
 
 definition eval_tailcall ≝
@@ -556 +570 @@
   ! st' ← eval_internal_call p globals ge i ifd args st ;
   let pc ≝ pc_of_point p bl (joint_if_entry … ifd) in
-  return mk_state_pc … st' pc
+  return mk_state_pc … st' pc (last_pop … st)
 | External efd ⇒
   let curr_dest ≝ joint_if_result ?? curr_fn in
@@ -604 +618 @@
   ! 〈id,fn,s〉 ← fetch_statement … ge (pc … st) : IO ???;
   ! st' ← eval_statement_no_pc … ge id fn s st : IO ???;
-  let st'' ≝ mk_state_pc … st' (pc … st) in
+  let st'' ≝ set_no_pc … st' st in
   eval_statement_advance … ge id fn s st''.