Changeset 2594 for src/Clight/memoryInjections.ma

Timestamp:

Jan 29, 2013, 8:28:44 PM (8 years ago)

Author:

garnier

Message:

Some fixes in memory injections, and some holes filled.

File:

• src/Clight/memoryInjections.ma (modified) (26 diffs)

src/Clight/memoryInjections.ma

@@ -98 +98 @@
 (* Lemmas related to freeing memory and pointer validity. *)
 (* --------------------------------------------------------------------------- *)   
-(*
-lemma nextblock_free_ok : ∀m,b. nextblock m = nextblock (free m b).
-* #contents #next #posnext * #rg #id
-normalize @refl
-qed.
-
-lemma low_bound_free_ok : ∀m,b,ptr.
-   b ≠ (pblock ptr) →
-   Zleb (low_bound (free m b) (pblock ptr)) (Z_of_unsigned_bitvector offset_size (offv (poff ptr))) =
-   Zleb (low_bound m (pblock ptr)) (Z_of_unsigned_bitvector offset_size (offv (poff ptr))).
-* #contents #next #nextpos * #brg #bid * * #prg #pid #poff normalize
-cases prg cases brg normalize nodelta try //
-@(eqZb_elim pid bid)
-[ 1,3: #Heq >Heq * #Habsurd @(False_ind … (Habsurd (refl ??)))
-| 2,4: #_ #_ @refl
-] qed.
-
-lemma high_bound_free_ok : ∀m,b,ptr.
-   b ≠ (pblock ptr) →
-   Zleb (Z_of_unsigned_bitvector offset_size (offv (poff ptr))) (high_bound (free m b) (pblock ptr)) =
-   Zleb (Z_of_unsigned_bitvector offset_size (offv (poff ptr))) (high_bound m (pblock ptr)).
-* #contents #next #nextpos * #brg #bid * * #prg #pid #poff normalize
-cases prg cases brg normalize nodelta try //
-@(eqZb_elim pid bid)
-[ 1,3: #Heq >Heq * #Habsurd @(False_ind … (Habsurd (refl ??)))
-| 2,4: #_ #_ @refl
-] qed.
-
-lemma valid_pointer_free_ok : ∀b : block. ∀m,ptr.
-   valid_pointer m ptr = true →
-   pblock ptr ≠ b →
-   valid_pointer (free m b) ptr = true.
-* #br #bid * #contents #next #posnext * * #pbr #pbid #poff
-normalize
-@(eqZb_elim pbid bid)
-[ 1: #Heqid >Heqid cases pbr cases br normalize
-     [ 1,4: #_ * #Habsurd @(False_ind … (Habsurd (refl ??))) ]
-     cases (Zltb bid next) normalize nodelta
-     [ 2,4: #Habsurd destruct (Habsurd) ]
-     //
-| 2: #Hneqid cases pbr cases br normalize try // ]
-qed.
-
-lemma valid_pointer_free_list_ok : ∀blocks : list block. ∀m,ptr.
-   valid_pointer m ptr = true →
-   ¬ mem ? (pblock ptr) blocks →
-   valid_pointer (free_list m blocks) ptr = true.
-#blocks
-elim blocks
-[ 1: #m #ptr normalize #H #_ @H
-| 2: #b #tl #Hind #m #ptr #Hvalid
-     whd in match (mem block (pblock ptr) ?);
-     >free_list_cons * #Hguard
-     @valid_pointer_free_ok 
-     [ 2: % #Heq @Hguard %1 @Heq ]
-     @Hind
-     [ 1: @Hvalid
-     | 2: % #Hmem @Hguard %2 @Hmem ]
-] qed. *)
-
 
 lemma valid_pointer_ok_free : ∀b : block. ∀m,ptr.
@@ -367 +307 @@
     (high_bound m b) + (Zoo delta) < Z_two_power_nat 16
   ].
-    
+
 
 (* Adapted from Compcert's Memory *)
@@ -381 +321 @@
 (*    block_is_empty m b1' ∨ *)
     high_bound m b1 + (Zoo delta1) ≤ low_bound m b2 + (Zoo delta2) ∨
-    high_bound m b2 + (Zoo delta2) ≤ low_bound m b1 + (Zoo delta1)
+    high_bound m b2 + (Zoo delta2) ≤ low_bound m b1 + (Zoo delta1) ∨
+    block_is_empty m b1 ∨
+    block_is_empty m b2
   | inr Hneq ⇒ True
   ].
@@ -393 +335 @@
   mi_inj : load_sim_ptr E m1 m2;
   (* Invalid blocks are not mapped *)
-  (* mi_freeblock : ∀b. ¬ (valid_block m1 b) → E b = None ?; *)
+  mi_freeblock : ∀b. ¬ (valid_block m1 b) → E b = None ?;
   (* Valid pointers are mapped to valid pointers *)
   mi_valid_pointers : ∀p,p'. 
@@ -427 +369 @@
 definition empty_injection : memory_inj (λx. None ?) empty empty.
 %
-[ 1: whd #b1 #off1 #b2 #off2 #ty #v1 #Hvalid #Hptr_trans #Hload
-     normalize in Hptr_trans; destruct
-| 2: * #b #o #p' #_ normalize #Habsurd destruct
-| 3: #b #b' #off #Habsurd destruct
-| 4: #b #b' #o' #Habsurd destruct
-| 5: whd #H1 #H2 #H3 #H4 #H5 #H6 #H7 #H8 #H9 destruct
-| 6: #b whd @I
+[ whd #b1 #off1 #b2 #off2 #ty #v1 #Hvalid #Hptr_trans #Hload
+  normalize in Hptr_trans; destruct
+| #b #H @refl
+| * #b #o #p' #_ normalize #Habsurd destruct
+| #b #b' #off #Habsurd destruct
+| #b #b' #o' #Habsurd destruct
+| whd #H1 #H2 #H3 #H4 #H5 #H6 #H7 #H8 #H9 destruct
+| #b whd @I
 ] qed.
 
@@ -709 +652 @@
      @Hload
   | 4,5: whd in match (load_value_of_type ????) in Hload ⊢ %; @Hload ]
+| @(mi_freeblock … Hmemory_inj)
 | #p #p' #Hvalid #Hptr_trans lapply (mi_valid_pointers … Hmemory_inj p p' Hvalid Hptr_trans)
      elim m2 in Halloc; #contentmap #nextblock #Hnextblock
@@ -744 +688 @@
        try assumption ]
 ] qed.
-(*       
-   | @(eq_block_elim … new_block B)
-     [ 2: #H cases m2 in Halloc Hinbounds; #contents #nextblock #notnull
-       whd in ⊢ ((??%?) → ?); #Heq destruct (Heq)
-       >unfold_high_bound in Himpl ⊢ %;
-       whd in ⊢ (% → % → %);
-       >unfold_low_bound >unfold_high_bound
-       whd in match (update_block ?????); >eq_block_b_b
-       normalize nodelta * #HA #HB
-       >unfold_high_bound       
-       whd in match (update_block ?????) in ⊢ (% → %);
-       >(not_eq_block … (sym_neq ??? H)) normalize nodelta
-       try //
-     | (* absurd case *) #Heq destruct (Heq)
-       lapply (Hguard ?? (refl ??)) #Hvalid
-       (* hence new_block ≠ B *)
-       cases m2 in Halloc Hvalid; #contents #nextblock #notnull
-       whd in ⊢ ((??%?) → ?); #Heq destruct (Heq)
-       whd in ⊢ (% → ?); #Habsurd
-       lapply (irreflexive_Zlt nextblock) *
-       #H @False_ind @H @Habsurd
-     ]
-   ]
-]
-qed. *)
 
 
@@ -786 +705 @@
   memory_inj E m1' m2.
 
-(* Embed a fresh block inside an unmapped portion of the target
-   block. *)
+(* Embed a fresh block inside an unmapped portion of the target block.
+ * This is the equivalent of lemma 45 for Leroy&Blazy. *)
 axiom alloc_memory_inj_m1_to_m2 :
   ∀E:embedding.
@@ -829 +748 @@
 
 (* lemma 47 of L&B *)
+
+lemma free_loadn_sim_ptr_m2 :
+  ∀sz,m,b,b',o,res. 
+   b ≠ b' →
+   loadn m (mk_pointer b' o) sz = Some ? res →
+   loadn (free m b) (mk_pointer b' o) sz = Some ? res.
+#sz
+elim sz
+[ normalize //
+| #sz' #Hind #m #b #b' #o #res #Hneq whd in ⊢ ((??%?) → (??%?));
+  #H cases (some_inversion ????? H) -H #beres *
+  #Hbeloadv #Hloadn
+  lapply (beloadv_free_beloadv2 m b ??? Hbeloadv)
+  [ @sym_neq @Hneq ]
+  #Hbeloadv' >Hbeloadv' normalize nodelta
+  cases (some_inversion ????? Hloadn) -Hloadn #bevals * #Hloadn
+  #Heq destruct (Heq)
+  >(Hind … Hneq Hloadn) normalize nodelta @refl
+] qed.  
+
 lemma free_load_sim_ptr_m2 :
   ∀E:embedding.
@@ -844 +783 @@
              normalize %{(Vptr (mk_pointer b2 off2))} @conj try @refl
              %4 @Htrans ]
-#Hload <Hfree
-(* routine *)
-@cthulhu
-qed.
+lapply Htrans -Htrans lapply Hsim -Hsim lapply Hfree -Hfree
+cases m2 #contents2 #next2 #Hnext2
+whd in ⊢ ((??%?) → ?); #Hm2' destruct
+#Hsim #Htrans
+cases (some_inversion ????? Htrans) * #b2' #off2' * #Hembed normalize nodelta
+#Heq destruct (Heq) #Hload
+lapply (Hsim … Hvalid … Htrans … Hload)
+* #v2' * #Hload_before_free #Hvalue_eq
+@(eq_block_elim … b2 b)
+[ 1,3,5: #Heq destruct
+         lapply (Hunmapped b1 off2' Hembed) *
+         [ 1,3,5: #Hnot_valid lapply (valid_pointer_to_Prop … Hvalid)
+                  -Hvalid whd in match (valid_block ??) in Hnot_valid;
+                  * * #Hvalid #_ #_ @False_ind
+                  cases Hnot_valid #H @H @Hvalid
+         | *: whd in ⊢ (% → ?); #Hempty
+              lapply (valid_pointer_to_Prop … Hvalid)
+              -Hvalid * * #_ #Hlow #Hhigh
+              cut ((low_bound m1 b1 < high_bound m1 b1))
+              [ 1,3,5: /2 by Zle_to_Zlt_to_Zlt, Zlt_to_Zle_to_Zlt/ ]
+              #Hnonempty @False_ind -Hlow -Hhigh
+              lapply (Zlt_to_Zle_to_Zlt … Hnonempty Hempty)
+              #H cases (irreflexive_Zlt (low_bound m1 b1)) #H' @H' @H ]
+| *: #Hneq %{v2'} @conj try assumption
+     whd in match (load_value_of_type ????) in Hload_before_free:(??%?) ⊢ (??%?);
+     cases (some_inversion ????? Hload_before_free) -Hload_before_free
+     #bevals * #Hloadn #Heq
+     >(free_loadn_sim_ptr_m2 … Hloadn) normalize nodelta
+     try assumption @sym_neq @Hneq
+] qed.     
 
 lemma free_block_is_empty :
@@ -864 +829 @@
 qed.
 
+lemma high_bound_freed_block :
+  ∀m,b. high_bound (free m b) b = OZ.
+#m #b normalize
+cases (block_region b) normalize
+>eqZb_z_z normalize @refl
+qed.
+
+lemma low_bound_freed_block :
+  ∀m,b. low_bound (free m b) b = (pos one).
+#m #b normalize
+cases (block_region b) normalize
+>eqZb_z_z normalize @refl
+qed.
+
 (* Lemma 49 in Leroy&Blazy *)
-axiom free_non_aliasing_m1 :
+lemma free_non_aliasing_m1 :
   ∀E:embedding.
   ∀m1,m2,m1'.
@@ -873 +852 @@
 (* The proof proceeds by a first case analysis to see wether b lives in the
    same world as the non-aliasing blocks (if not : trivial), in this case
-   we proceed by a case analysis on the non-aliasing hypothesis in memory_inj. *)
-
+   we proceed to a second case analysis on the non-aliasing hypothesis in 
+   memory_inj. *)
+#E #m1 #m2 #m1' #Hinj #b #Hfree
+whd
+#b1 #b2 #b1' #b2' #delta1 #delta2 #Hneq
+#Hembed1 #Hembed2
+cases (block_decidable_eq ??) normalize nodelta
+[ 2: try // ]
+#Hblocks_eq destruct (Hblocks_eq)
+lapply Hembed1 -Hembed1
+lapply Hembed2 -Hembed2
+generalize in match b2';
+#target #Hembed2 #Hembed1
+lapply (mi_nonalias … Hinj … Hneq Hembed1 Hembed2)
+cases (block_decidable_eq ??)
+[ 2: * #Habsurd @False_ind @Habsurd @refl ] #Hrefl
+normalize nodelta <Hfree
+@(eq_block_elim … b1 b)
+[ #Heq destruct (Heq) #Hcase
+  %1 %2 whd
+  >high_bound_freed_block >low_bound_freed_block
+  //
+| #Hneq1 @(eq_block_elim … b2 b)
+  [ #Heq destruct (Heq) #Hcase
+    %2 whd
+    >high_bound_freed_block >low_bound_freed_block
+    // ] ]
+#Hneq2
+>unfold_high_bound >unfold_high_bound >unfold_high_bound >unfold_high_bound
+>unfold_low_bound >unfold_low_bound >unfold_low_bound >unfold_low_bound
+<(high_free_eq … Hneq1) <(high_free_eq … Hneq2)
+<(low_free_eq … Hneq1) <(low_free_eq … Hneq2)
+*
+[ 2: #H %2 whd >unfold_high_bound >unfold_low_bound
+     <(low_free_eq … Hneq2) <(high_free_eq … Hneq2) @H ]
+*
+[ 2: #H %1%2 whd >unfold_high_bound >unfold_low_bound
+     <(low_free_eq … Hneq1) <(high_free_eq … Hneq1) @H ]
+* #H
+[ %1 %1 %1 @H
+| %1 %1 %2 @H ]
+qed.
 
 (* Extending lemma 46 and 49 to memory injections *)
@@ -885 +904 @@
 #E #m1 #m2 #m1' #Hinj #b #Hfree
 cases Hinj
-#Hload_sim #Hvalid #Hnodangling #Hregion #Hnonalias #Himplementable
+#Hload_sim #Hfreeblock #Hvalid #Hnodangling #Hregion #Hnonalias #Himplementable
 % try assumption
 [ @(free_load_sim_ptr_m1 … Hload_sim … Hfree)
+| #bb #Hnot_valid lapply (Hfreeblock bb) #HA @HA % #HB
+  cases Hnot_valid #HC @HC <Hfree @HB
 | #p #p' #Hvalid_m1' #Hptr_translation @(Hvalid p p' ? Hptr_translation)
   <Hfree in Hvalid_m1'; @valid_free_to_valid
@@ -908 +929 @@
       normalize nodelta try @conj try // % try //
   ]
-] qed.    
-
-(*
-  #b0 #b' #o' #Hembed lapply (Himplementable b0 b' o' Hembed) *
-  #HA #HB @conj try //
-  cases m1 in Hfree HA; #contents1 #nextblock1 #Hpos1
-  whd in ⊢ ((??%%) → ? → ?); #Heq destruct (Heq)
-  whd in ⊢ (% → %); *
-  whd in match (low_bound ??) in ⊢ (% → % → %);
-  whd in match (high_bound ??) in ⊢ (% → % → %); #HA #HB
-  @(eq_block_elim … b0 b)
-  [ #H whd in match (update_block ?????); >H >eq_block_b_b @conj
-    normalize nodelta
-    normalize @conj try //
-  | #H whd in match (update_block ?????); >(not_eq_block … H) @conj
-    try // ] ]
-qed.*)
-
-(* Lifting lemma 47 to memory injs *)
+] qed.
+
+(* Lifting lemma 47 to memory injs - note that we require a much stronger condition
+ * on the freed block : no block of m1 can map to it. Not even an invalid block or
+ * an empty one.
+ * XXX this lemma is not given in Leroy&Blazy, and unless future developments requires
+ * it I will comment it out. XXX *) 
 lemma free_memory_inj_m2 :
   ∀E:embedding.
@@ -932 +941 @@
   memory_inj E m1 m2 →
   ∀b. free m2 b = m2' →
-      (∀b1,delta. E b1 = Some ? 〈b, delta〉 → ¬ (valid_block m1 b1) ∨ block_is_empty m1 b1) →
+      (∀b1,delta. E b1 = Some ? 〈b, delta〉 →
+      (¬ (valid_block m1 b1)) ∨ block_is_empty m1 b1) →  
       memory_inj E m1 m2'.
-#E #m1 #m2 #m2' #Hinj #b #Hfree #b1_not_mapped
+#E #m1 #m2 #m2' #Hinj #b #Hfree #b_not_mapped
 % cases Hinj try //
-#Hload_sim #Hvalid #Hnodangling #Hregion #Hnonalias #Himpl
-[ (* We succed performing a load from m1. Case analysis: if by-value, cannot map to freed block [b]
-     (otherwise contradiction), hence simulation proceeds through Hinj.
-     If not by-value, then simulation proceeds without examining the contents of the memory *)
-   @cthulhu
-| #p #p' #Hvalid #Hptr_trans
-  (* We now through Hinj that valid_pointer m2 p'=true,
-     if (pblock p') = b then  using b1_not_mapped and Hptr_trans we
-     know that the original pointer must be either invalid or empty,
-     hence contradiction with Hvalid
-     if (pblock p') ≠ b then straightforward simulation *)
-  @cthulhu
-| #bb #b' #o' #Hembed
-  lapply (Hnodangling bb b' o' Hembed) #Hvalid_before_free
-  (* cf case above *)
-  @cthulhu
+#Hload_sim #Hfreeblock #Hvalid #Hnodangling #Hregion #Hnonalias #Himpl
+[ @(free_load_sim_ptr_m2 … Hload_sim … Hfree) #b1 #delta #Hembed
+  @(b_not_mapped … b1 delta Hembed)
+| @Hfreeblock   
+| * #bp #op #p' #Hp_valid #Hptr_trans
+  @(eq_block_elim … (pblock p') b)
+  [ #Heq lapply (Hvalid … Hp_valid Hptr_trans) #Hp_valid' destruct (Heq)
+    cases (some_inversion ????? Hptr_trans)
+    * #bp' #op' * #Hembed normalize nodelta #Heq destruct (Heq)
+    cases (b_not_mapped … Hembed)
+    [ #Hnot_valid lapply (Hfreeblock … Hnot_valid) >Hembed #Habsurd destruct (Habsurd)
+    | #Hempty @False_ind lapply (valid_pointer_to_Prop … Hp_valid) * * #_
+      whd in Hempty; #Hle #Hlt
+      lapply (Zlt_to_Zle_to_Zlt … Hlt Hempty) #Hlt2
+      lapply (Zlt_to_Zle_to_Zlt … Hlt2 Hle) #Hlt3
+      @(absurd … Hlt3 (irreflexive_Zlt ?)) ]
+  | #Hneq lapply (Hvalid … Hp_valid Hptr_trans) <Hfree #HA
+    @valid_pointer_of_Prop lapply (valid_pointer_to_Prop … HA) -HA * *
+    #HA #HB #HC @conj try @conj try assumption
+    [ >unfold_low_bound <(low_free_eq m2 ?? Hneq) @HB
+    | >unfold_high_bound <(high_free_eq m2 ?? Hneq) @HC ]
+  ]
+| #bb #b' #o' #Hembed 
+  lapply (Hnodangling … Hembed) <Hfree //
 | @Hregion
 | #bb lapply (Himpl bb)
@@ -964 +982 @@
   #H [ 1,3,5: destruct (H) normalize nodelta try //
                @conj try //
-     | *: normalize nodelta cases HBLO try // ]     
+     | *: normalize nodelta cases HBLO try // ]
 ] qed.
 
@@ -978 +996 @@
   free_list m1 blocklist = m1' →
   memory_inj E m1' m2'.
-(* nothing particular here, application of various lemmas and induction over blocklist. *)  
-@cthulhu
-qed.
+#E #m1 #m2 #m1' #m2' #Hinj #blocklist #b2 #Hnot_mapped #Hfree2 #Hfree_list
+cut (memory_inj E m1' m2)
+[ <Hfree_list -Hfree_list
+  -Hnot_mapped
+  lapply Hinj -Hinj
+  lapply m1 -m1
+  elim blocklist
+  [ #m1 #Hinj @Hinj
+  | #hd #tl #Hind #m1 #Hinj
+    @(free_memory_inj_m1 ? (free_list m1 tl) ? (free (free_list m1 tl) hd) ? hd)
+    try @refl @(Hind … Hinj)
+  ]
+]
+#Hinj'
+@(free_memory_inj_m2 … Hinj' … Hfree2)
+#b1 #delta #Hembed %2
+lapply (Hnot_mapped … Hembed)
+lapply Hfree_list -Hfree_list
+generalize in match m1';
+generalize in match m1;
+elim blocklist
+[ #m1 #m1' whd in ⊢ ((??%%) → ?); #Heq destruct (Heq) @False_ind
+| #hd #tl #Hind #m1 #m1' #Hfree_list *
+  [ #Heq destruct whd
+    whd in match (free_list ??);
+    >unfold_high_bound >unfold_low_bound
+    whd in match (update_block ?????); >eq_block_b_b
+    normalize nodelta @I
+  | >free_list_cons in Hfree_list; #Hfree_list #H
+    <Hfree_list whd cases m1 #contents2 #n2 #Hn2
+    >unfold_high_bound >unfold_low_bound
+    whd in match (update_block ?????);
+    @(eq_block_elim … b1 hd)
+    [ #Heq normalize nodelta @I
+    | #Hneq normalize nodelta @(Hind … (mk_mem contents2 n2 Hn2) … (refl ??) … H)
+    ]
+  ]
+] qed.  
 
 (* ---------------------------------------------------------- *)
@@ -1232 +1285 @@
 #E #mA #mB #mC #Hinj #block2 #i #ty #Hout #v #Hstore %
 lapply (bestorev_memory_inj_to_load_sim … Hinj … Hout … Hstore) #Hsim try //
-cases Hinj #Hsim' #Hvalid #Hnodangling #Hregion #Hnonalias #Himpl try assumption
+cases Hinj #Hsim' #Hfreeblock #Hvalid #Hnodangling #Hregion #Hnonalias #Himpl try assumption
 [
   #p #p' #Hptr #Hptr_trans lapply (Hvalid p p' Hptr Hptr_trans) #Hvalid
@@ -1418 +1471 @@
 (* This lemma is not provable as in CompCert. In the following chunk of text, I'll try to
  * explain why, and how we might still be able to prove it given enough time.
-   I'll be refering to paper by Leroy & Blazy in the J.A.R.
+   I'll be refering to a paper by Leroy & Blazy in the J.A.R.
    In CompCert, when storing some data of size S in some location 〈block, offset〉, 
    what happens is that
@@ -1428 +1481 @@
    value fv, the story is the following :
    1) the value fv is marshalled into a list of back-end values (byte-sized) which correspond
-      to the actual size of the data in-memory. This list is then stored as-is at the
+      to the actual size of the data in-memory. 2) This list is then stored as-is at the
       location 〈block, offset〉.
       
@@ -1522 +1575 @@
   load_sim_ptr E m1' m2.
 #E #m1 #m2 #m1' #Hinj #ty #b #i #v #Hembed #Hstore
-cases Hinj #Hsim #Hvalid #Hnodangling #Hregion_eq #Hnonalias #Himpl
+cases Hinj #Hsim #Hfreeblock #Hvalid #Hnodangling #Hregion_eq #Hnonalias #Himpl
 cases ty in Hstore;
 [ | #sz #sg | #ptr_ty | #array_ty #array_sz | #domain #codomain
@@ -1562 +1615 @@
   #Hload @(Hsim … Hembed' … Hload) 
   @(load_by_value_success_valid_pointer … Hload) //
-] qed. 
+] qed.
 
 lemma store_value_of_type_memory_inj :
@@ -1574 +1627 @@
 %
 [ 1: @(store_value_of_type_load_sim … Hinj … Hnot_mapped … Hstore)
-| *: (* writing doesn't alter the bound, straightforward *) @cthulhu  ]
-qed. (* TODO *)
+| *: lapply (mem_bounds_after_store_value_of_type … Hstore)
+     * #H1 #H2
+    [ #b * #Hnot_valid @(mi_freeblock ??? Hinj)
+      % #H @Hnot_valid whd in H:% ⊢ %; >H1 @H
+    | #p #p' #Hvalid @(mi_valid_pointers ??? Hinj)
+      @valid_pointer_of_Prop lapply (valid_pointer_to_Prop … Hvalid)
+      >H1 cases (H2 (pblock p)) #HA #HB
+      >unfold_high_bound >unfold_low_bound
+      >unfold_high_bound >unfold_low_bound
+      >HA >HB //
+    | @(mi_nodangling … Hinj)
+    | @(mi_region … Hinj)
+    | whd #b1 #b2 #b1' #b2' #delta1 #delta2 #Hneq #Hembed1 #Hembed2
+      whd in match (block_is_empty ??);
+      whd in match (block_is_empty m1' b2);
+      >unfold_high_bound >unfold_low_bound
+      >unfold_high_bound >unfold_low_bound
+      cases (H2 b1) #HA #HB
+      cases (H2 b2) #HC #HD
+      >HA >HB >HC >HD
+      @(mi_nonalias ??? Hinj) assumption
+    | #bb whd
+      lapply (mi_nowrap ??? Hinj bb) whd in ⊢ (% → ?);
+      cases (E bb) normalize nodelta try // * #bb' #off
+      normalize nodelta
+      whd in match (block_implementable_bv ??);      
+      whd in match (block_implementable_bv m2 bb');
+      whd in match (block_implementable_bv m1' bb);
+      >unfold_high_bound >unfold_low_bound
+      >unfold_high_bound >unfold_low_bound
+      >unfold_high_bound
+      cases (H2 bb) #HA #HB
+      >HA >HB //
+    ]
+] qed.    
 
 (* ------------------------------------------------------------------------- *)
@@ -2251 +2337 @@
           cases (E bq1) [ 1: #_ #_ #_ normalize nodelta #Habsurd destruct (Habsurd) ]
           * #BLOq #DELTAq normalize nodelta
-          cases (E bp1) [ 1: #_ #_ #_ normalize nodelta #_ #Habsurd destruct (Habsurd) ]
+          cases (E bp1) [ 1: normalize nodelta #_ #_ #_ #_ #Habsurd destruct (Habsurd) ]
           * #BLOp #DELTAp normalize nodelta #Hnowrap1 #Hnowrap2 #H #Heq1 #Heq2 destruct
           cases op
@@ -2260 +2346 @@
           #H
           [ 2: #_ >(not_eq_block … H) normalize nodelta %{Vfalse} @conj try @refl %2
-          | 4: #_ >(not_eq_block … H) normalize nodelta >(not_eq_block … H) normalize nodelta %{Vtrue} @conj try @refl %2 ]          
+          | 4: #_ >(not_eq_block … H) normalize nodelta >(not_eq_block … H) normalize nodelta %{Vtrue} @conj try @refl %2 ]
           destruct (H) generalize in match BLOq in Hnowrap1 Hnowrap2 Hvalid2 Hvalid2' ⊢ %;
           #target_block * * #Himplq1 #Himpltarget #Hnowrap_q1
@@ -2268 +2354 @@
           * * #_ #Hlowq #Hhighq * * #_ #Hlowp #Hhighp
           >eq_block_b_b normalize nodelta
+          * 
+          [ 2,4: whd in ⊢ (% → ?); #Habsurd @False_ind
+                 cases (valid_pointer_to_Prop … Hvalid') * #_ #Hle #Hlt
+                 lapply (Zlt_to_Zle_to_Zlt … Hlt Habsurd) #Hlt'
+                 lapply (Zlt_to_Zle_to_Zlt … Hlt' Hle) #Hlt_refl
+                 @(absurd … Hlt_refl (irreflexive_Zlt ?)) ]
+          *
+          [ 2,4: whd in ⊢ (% → ?); #Habsurd @False_ind
+                 cases (valid_pointer_to_Prop … Hvalid) * #_ #Hle #Hlt
+                 lapply (Zlt_to_Zle_to_Zlt … Hlt Habsurd) #Hlt'
+                 lapply (Zlt_to_Zle_to_Zlt … Hlt' Hle) #Hlt_refl
+                 @(absurd … Hlt_refl (irreflexive_Zlt ?)) ]
           *
           #Hdisjoint