Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3388

Timestamp:

Aug 27, 2013, 6:11:57 PM (6 years ago)

Author:

piccolo

Message:

partial commit

Files:

: 3 edited

LTS/Simulation.ma (modified) (5 diffs)
LTS/Traces.ma (modified) (3 diffs)
src/ERTL/ERTLToLTLProof.ma (modified) (15 diffs)

Legend:

: Unmodified
: Added
: Removed

LTS/Simulation.ma

-                      r3387
+                      r3388
  ∀s1,s1'. as_syntactical_succ S s1 s → Crel … rel s1 s1' → as_syntactical_succ S s1' s'.
 record simulation_conditions (S : abstract_status) (rel : relations S) : Type[0] ≝
+record simulation_conditions (S : abstract_status) (rel : relations S) : Prop ≝
  { simulate_tau:
      ∀s1,s2,s1' : S.
 …
       Srel … rel s1 s2 →
       ∃s2'. ∃t: raw_trace S s2 s2'.
         Srel … rel s2 s2' ∧ silent_trace … t
+        Srel … rel s1' s2' ∧ silent_trace … t
  ; simulate_label:
      ∀s1,s2,l,s1'.
       as_execute S (cost_act (Some ? l)) s1 s1' →
+      as_classify … s1' ≠ cl_io →
       Srel … rel s1 s2 →
       ∃s2',s2'',s2'''.
        ∃t1: raw_trace S s2 s2'.
        as_execute … (cost_act (Some ? l)) s2' s2'' ∧
+       as_execute … (cost_act (Some ? l)) s2' s2'' ∧ as_classify … s2'' ≠ cl_io ∧
        ∃t3: raw_trace S s2'' s2'''.
         Srel … rel  s1' s2''' ∧ silent_trace … t1 ∧ silent_trace … t3
 …
       is_call_post_label … s1 →
       as_execute … (call_act f l) s1 s1' →
+      as_classify … s1' ≠ cl_io →
       Srel … rel s1 s2 →
       ∃s2',s2'',s2'''.
        ∃t1: raw_trace S s2 s2'.
+       as_classify … s2' ≠ cl_jump ∧
        as_execute … (call_act f l) s2' s2'' ∧
+       bool_to_Prop(is_call_post_label … s2') ∧
+       as_classify … s2'' ≠ cl_io ∧
        ∃t3: raw_trace S s2'' s2'''.
         Srel … rel s1' s2''' ∧ silent_trace … t1 ∧ silent_trace … t3
 …
      ∀s1,s2,s1' : S.∀l.
       as_execute S (ret_act (Some ? l)) s1 s1' →
+      as_classify … s1' ≠ cl_io →
       Srel  … rel s1 s2 →
       ∃s2',s2'',s2'''.
        ∃t1: raw_trace S s2 s2'.
+       as_classify … s2' ≠ cl_jump ∧
        as_execute … (ret_act (Some ? l)) s2' s2'' ∧
+       as_classify … s2'' ≠ cl_io ∧
        ∃t3: raw_trace S s2'' s2'''.
         Srel … rel s2 s2''' ∧ silent_trace … t1 ∧ silent_trace … t3
+        Srel … rel s1' s2''' ∧ silent_trace … t1 ∧ silent_trace … t3
  ; simulate_call_n:
      ∀s1,s2,s1' : S.∀f,l.
 …
+lemma append_premeasurable_silent : ∀S : abstract_status.
+∀st1',st1,st2 : S.∀t : raw_trace S st1 st2.∀t' : raw_trace S st1' st1.
+pre_measurable_trace … t → pre_silent_trace … t' → as_classify … st1' ≠ cl_io →
+pre_measurable_trace … (t' @ t).
+#S #st1' #st1 #st2 #t #t' lapply t -t elim t'
+[ #st #t #Hpre #_ #_ whd in ⊢ (????%); assumption]
+#s1 #s2 #s3 #l #prf #tl #IH #t #Hpre #H inversion H in ⊢ ?;
+[ #s #EQ1 #EQ2 destruct #EQ destruct]
+#s1' #s2' #s3' #prf' #tl' #Hclass #silent_tl' #_ #EQ1 #EQ2 #EQ3
+destruct #_ #Hs1' whd in ⊢ (????%); %2
+[ assumption
+| %{(None ?)} %
+| @IH try assumption >Hclass % #EQ destruct
+]
+qed.
+definition is_trace_non_empty : ∀S : abstract_status.∀st1,st2.
+raw_trace S st1 st2 → bool ≝
+λS,st1,st2,t.match t with [ t_base _ ⇒ false | _ ⇒ true ].
+lemma append_well_formed_silent : ∀S : abstract_status.
+∀st1',st1,st2 : S.∀t : raw_trace S st1 st2.∀t' : raw_trace S st1' st1.
+well_formed_trace … t → pre_silent_trace … t' →
+(is_trace_non_empty … t' → as_classify … st1' = cl_other) →
+well_formed_trace … (t' @ t).
+#S #st1' #st1 #st2 #t #t' lapply t -t elim t'
+[ #st #t #H #_ #_ assumption ]
+#s1' #s2' #s3' #l #prf #tl #IH #t #well_formed_t #H
+inversion H in ⊢ ?;
+[ #st #EQ1 #EQ2 #EQ3 destruct]
+#st1'' #st2' #st3' #prf' #tl' #Hclass #silent_tl #_
+#EQ1 destruct #EQ #EQ1 destruct #_ #Hclass1 %2
+[2: >(Hclass1 I) % #EQ destruct]
+@IH try assumption #_ assumption
+qed.
+lemma get_cost_label_invariant_for_append_silent_trace_l :∀S : abstract_status.
+∀st1,st2,st3 : S.∀t1 : raw_trace S st1 st2.∀t2 : raw_trace S st2 st3.
+pre_silent_trace … t1 →
+get_costlabels_of_trace … (t1 @ t2) = get_costlabels_of_trace … t2.
+#S #st1 #st2 #st3 #t1 elim t1
+[#st #t2 #_ %] #st1' #st2' #st3' #l' #prf #tl #IH #t2 #H
+inversion H in ⊢ ?; [ #st #EQ1 #EQ2 #EQ3 destruct]
+#st1'' #st2'' #st3'' #prf'' #tl'' #Hclass #Htl'' #_ #EQ1 #EQ2 #EQ3 destruct
+#_ whd in ⊢ (??%?); >IH [%] assumption
+qed.
+(*
+lemma raw_trace_ind_r : ∀S : abstract_status.
+∀P : (∀st1,st2.raw_trace S st1 st2 → Prop).
+(∀st : S.P … (t_base … st)) →
+(∀st1,st2,st3,l.
+ ∀prf : as_execute S l st2 st3.
+ ∀tl : raw_trace S st1 st2. P … tl → P … (tl @ (t_ind … prf … (t_base … st3)))) →
+∀st1,st2 : S.∀t : raw_trace S st1 st2.P … t.
+#S #P #base #ind #st1 #st2 #t elim t [ assumption]
+#st1 #st2 #st3 #l #prf #raw #IH
+*)
 theorem simulates_pre_mesurable:
  ∀S : abstract_status.∀rel : relations S.
  ∀s1,s1' : S. ∀t1: raw_trace S s1 s1'.
+  simulation_conditions S rel →
   pre_measurable_trace … t1 →
+  well_formed_trace … t1 → ∀s2.Srel … rel s1 s2 →
+  ∃s2'. ∃t2: raw_trace … s1' s2'.
+  well_formed_trace … t1 → ∀s2 : S.
+  as_classify … s2 ≠ cl_io → Srel … rel s1 s2 →
+  ∃s2'. ∃t2: raw_trace … s2 s2'.
     pre_measurable_trace … t2 ∧
     well_formed_trace … t2 ∧
     get_costlabels_of_trace … t1 = get_costlabels_of_trace … t2 ∧
+    Srel … rel s2 s2'.
+cases daemon (*TODO*)
+qed.
+    Srel … rel s1' s2'.
+#S #rel #s1 #s1' #t1 #good #pre_measurable elim pre_measurable
+[ #st #H1 #well_formed #s2 #H2 #REL %{s2} %{(t_base …)}
+  /8 by refl, pm_empty, wf_empty, conj/
+| #st1 #st2 #st3 #l #execute #tl #ClASS ** [|#c] #EQ destruct
+  #pre_measurable_tl #IH #well_formed #s2 #classify_s2 #REL
+  [ cases(simulate_tau … good … execute … REL) #s2'' * #t_s2'' * #RELst2s2''
+    * #silent_ts2'' #Hclass_s2 cases(IH … RELst2s2'')
+    [2: cases(well_formed_trace_inv … well_formed)
+         [2: * #st2''' * #l''' * #prf''' * #tl''' ** #H #_
+             #EQ destruct(EQ) assumption
+         | *
+            [2: * #st2''' * #l''' * #prf''' * #tl''' ** #H #_ #EQ destruct
+                assumption
+            | * #EQ1 #EQ2 destruct
+            ]
+         ]
+    |3: @(silent_io … silent_ts2'')  assumption
+    ]
+    #s3 * #ts3 *** #pre_meas_ts3 #well_formed_ts3 #EQcost #RELst3s3
+    %{s3} %{(t_s2'' @ ts3)} % [2: assumption] %
+    [ %
+      [ @append_premeasurable_silent assumption
+      | @append_well_formed_silent assumption
+      ]
+    | whd in ⊢ (??%?); >EQcost >get_cost_label_invariant_for_append_silent_trace_l
+      [% | assumption]
+    ]
+  | cases(simulate_label … good … execute … REL)
+    [2: cases pre_measurable_tl
+        [ #st #H @H
+        | #st1 #st2 #st3 #l #prf #tl #H #_ #_ @H
+        | #st1 #st2 #st3 #l #H #_ #tl #_ #_ @H
+        | #st1 #st2 #st3 #l #_ #tl #H #_ #_ #_ @H
+        | #st1 #st2 #st3 #st4 #st5 #l1 #l2 #_ #t1 #t2 #_ #H #_ #_ #_ #_ #_ #_ #_ @H
+        ]
+    ]
+    #s2'' * #s2''' * #s2'''' * #t_s2'' ** #exe_s2''' #CLASS' * #t_s2'''' ** #RELst2_s2''''
+    * #sil_ts2'' #Hclass_s2 * #sil_t_s2'''' #Hclass_s2''' cases(IH … RELst2_s2'''')
+    [2: cases(well_formed_trace_inv … well_formed)
+         [2: * #st2''' * #l''' * #prf''' * #tl''' ** #H #_
+             #EQ destruct(EQ) assumption
+         | *
+            [2: * #st2''' * #l''' * #prf''' * #tl''' ** #H #_ #EQ destruct
+                assumption
+            | * #EQ1 #EQ2 destruct
+            ]
+         ]
+    |3: @(silent_io … sil_t_s2'''') assumption
+    ]
+    #s3 * #t_s3 *** #pre_s3 #well_s3 #EQcost #RElst3s3 %{s3}
+    %{(t_s2'' @ (t_ind … exe_s2''' …))}  [ @(t_s2'''' @ t_s3) ] % [2: assumption]
+    %
+    [ %
+      [ @append_premeasurable_silent try assumption %2
+        [ @(silent_io … t_s2'') assumption
+        | %{(Some ? c)} %
+        ]
+        @append_premeasurable_silent assumption
+      | @append_well_formed_silent try assumption inversion(as_classify … s2'')
+        #Hclass
+        [ %3 [2: %{c} %]
+        |*: %2 [2,4: >Hclass % #EQ destruct]
+        ]
+        @append_well_formed_silent assumption
+      ]
+    | whd in ⊢ (??%?); >EQcost >get_cost_label_invariant_for_append_silent_trace_l
+      [2: assumption] whd in ⊢ (???%);
+      >get_cost_label_invariant_for_append_silent_trace_l
+      [ % | assumption]
+    ]
+  ]
+| #s2 #s2' #s2'' #l #class_s2 #exe_s2_s2' #tl whd in ⊢ (% → ?); * #ret_lab #EQ destruct(EQ)
+  #pre_meas_tl #IH #H inversion H
+  [ #s3 #EQ1 #EQ2 destruct #ABS destruct(ABS) ]
+  #st1 #st2 #st3 #l #exe_st1_st2 #tl' #wf_tl'
+  [ #class_no_jump | whd in ⊢ (% → ?); * #nf #EQ destruct(EQ) ]
+  #_ #EQ1 #EQ2 #EQ3 destruct #_ -H #s2 #class_s2 #RELst1s2
+  cases(simulate_ret_l … good … exe_st1_st2 … RELst1s2)
+  [2: inversion pre_meas_tl
+      try #x1 try #x2 try #x3 try #x4 try #x5 try #x6
+      try #x11 try #x12 try #x13 try #x14 try #x15 try #x16
+      try #x17 try #x18 try #x19 try #x20 try #x21 try #x22
+      try #x37 try #x38 try #x39 try #x30 try #x31 try #x32 try #x33
+      destruct assumption ]
+  #s2' * #s2'' * #s2''' * #t1 *** #j_s2' #exe_s2'' #class_s2'' * #t2 ** #rel_s2_s2'''
+  #sil_t1 #sil_t2
+  cases(IH … wf_tl' … rel_s2_s2''')
+  [2: @(silent_io … (proj1 … sil_t2)) assumption]
+  #s2_fin * #t_fin *** #pre_t_fin #wf_t_fin #EQcost #REL
+  %{s2_fin} %{(t1 @ (t_ind … exe_s2'' … t2) @ t_fin)} % [2: assumption]
+  % [2: whd in ⊢ (??%?);
+        >(get_cost_label_invariant_for_append_silent_trace_l … (proj1 … sil_t1))
+        whd in ⊢ (???%);
+        >(get_cost_label_invariant_for_append_silent_trace_l … (proj1 … sil_t2))
+        @eq_f assumption ]
+  %
+  [ @append_premeasurable_silent try assumption [2: @(proj1 … sil_t1)]
+    %3
+    [ @(silent_io … (proj1 … sil_t1)) assumption
+    | whd %{ret_lab} %
+    | @append_premeasurable_silent try assumption @(proj1 … sil_t2)
+    ]
+  | @append_well_formed_silent
+    [ %2 try assumption @append_well_formed_silent try assumption
+      [ @(proj1 … sil_t2)
+      | @(proj2 … sil_t2)
+      ]
+    | @(proj1 … sil_t1)
+    | @(proj2 … sil_t1)
+    ]
+  ]
+| #s2 #s2' #s2'' #l #exe_s2_s2' #tl #class_s2 whd in ⊢ (% → ?); * #f * #lab #EQ destruct
+  #post #pre_tl #IH #H inversion H [ #s3 #EQ1 #EQ2 destruct #ABS destruct(ABS) ]
+  #st1 #st2 #st3 #l #exe_st1_st2 #tl' #wf_tl'
+  [#class_no_jump | whd in ⊢ (% → ?); * #nf #EQ destruct(EQ) ]
+   #_ #EQ1 #EQ2 #EQ3 destruct #_ -H #s2 #io_s2 #REL_st1_s2
+   cases(simulate_call_pl … good … post … exe_st1_st2 … REL_st1_s2)
+   [2: inversion pre_tl
+      try #x1 try #x2 try #x3 try #x4 try #x5 try #x6
+      try #x11 try #x12 try #x13 try #x14 try #x15 try #x16
+      try #x17 try #x18 try #x19 try #x20 try #x21 try #x22
+      try #x37 try #x38 try #x39 try #x30 try #x31 try #x32 try #x33
+      destruct assumption ]
+   #s2' * #s2'' * #s2''' * #t1 **** #j_s2' #exe_s2'' #post' #io_s2'' * #t2 ** #REL #sil_t1 #sil_t2
+   cases(IH … wf_tl' … REL)
+   [2: @(silent_io … (proj1 … sil_t2)) assumption ]
+   #s2_fin * #t_fin *** #pre_t_fin #wf_t_fin #EQcost #REL1 %{s2_fin}
+   %{(t1 @ (t_ind … exe_s2'' … t2) @ t_fin)} % [2: assumption] %
+   [2: whd in ⊢ (??%?);
+        >(get_cost_label_invariant_for_append_silent_trace_l … (proj1 … sil_t1))
+        whd in ⊢ (???%);
+        >(get_cost_label_invariant_for_append_silent_trace_l … (proj1 … sil_t2))
+        @eq_f assumption ]
+   %
+   [ @append_premeasurable_silent try assumption [2: @(proj1 … sil_t1)]
+     %4 try assumption
+     [ @(silent_io … (proj1 … sil_t1)) assumption
+     | whd %{f} %{lab} %
+     | @append_premeasurable_silent try assumption @(proj1 … sil_t2)
+     ]
+   | @append_well_formed_silent
+     [ %2 try assumption @append_well_formed_silent try assumption
+        [ @(proj1 … sil_t2)
+        | @(proj2 … sil_t2)
+        ]
+     | @(proj1 …  sil_t1)
+     | @(proj2 … sil_t1)
+     ]
+   ]
+| cases daemon (*TODO*)
+]
+qed.
+   #st3 #l #class_st1 #exe #tl * #x #EQ destruct(EQ) #pre_tl #IH
+  #well_formed #s2 #class_s2 #REL cases(simulate_ret_l … good … exe … REL)
+  #s2'' * #s2''' * #s2'''' * #t1 * #exe' * #t2 ** #Rs2s2'''' #t1_sil #t2_sil
+  xxxxxxxxx
+ #st4 #st5 #l1 #l2 * #x #EQ whd in ⊢ (% → ?);
+      @append_premeasurable_silent
+    xxxxxxxxxxxxxx
+  ]
+|*: cases daemon (*TODO*)
+]
+qed.*)
 (* IDEA: aggiungere stati di I/O e cambiare la semantica del linguaggio

LTS/Traces.ma

-                      r3387
+                      r3388
                   well_formed_trace … tl → is_non_silent_cost_act l →
                   well_formed_trace … (t_ind … prf … tl).
+(*  | wf_cons_io : ∀st1,st2,st3 : S.∀l : ActionLabel.
+                 ∀prf : as_execute S l st1 st2.∀tl : raw_trace S st2 st3.
+                 well_formed_trace … tl → as_classify … st1 = cl_io →
+                 is_non_silent_cost_act l → well_formed_trace … (t_ind … prf … tl).*)
+lemma well_formed_trace_inv :
+∀S : abstract_status.∀st1,st2 : S.∀t : raw_trace S st1 st2.
+well_formed_trace … t →
+(st1 = st2 ∧ t ≃ t_base S st1) ∨
+(∃st1'.∃l.∃prf : as_execute S l st1 st1'.∃tl : raw_trace S st1' st2.
+well_formed_trace … tl ∧ as_classify … st1 ≠ cl_jump ∧
+t ≃ t_ind … prf … tl) ∨
+(∃st1'.∃l.∃ prf : as_execute S l st1 st1'.∃ tl : raw_trace S st1' st2.
+ well_formed_trace … tl ∧ is_non_silent_cost_act l ∧ t ≃ t_ind … prf … tl). (* ∨
+(∃st1'.∃l.∃prf : as_execute S l st1 st1'.∃tl : raw_trace S st1' st2.
+ well_formed_trace … tl ∧ as_classify … st1 = cl_io ∧
+ is_non_silent_cost_act l ∧ t ≃ t_ind … prf … tl).*)
+#S #st1 #st2 #t #H inversion H
+[ #st #EQ1 #EQ2 destruct(EQ1 EQ2) #EQ destruct(EQ) #_ /5 by refl_jmeq, or_introl, conj/
+| #st1' #st2' #st3' #l #prf' #tl' #Htl #Hclass #_ #EQ2 #EQ3 #EQ4 destruct #_
+  %  %2 %{st2'} %{l} %{prf'} %{tl'} /4 by conj/
+| #st1' #st2' #st3' #l #prf #tl #Htl #Hl #_ #EQ2 #EQ3 #EQ4 destruct #_ %2 %{st2'}
+  %{l} %{prf} %{tl} % // % //
+(*| #st1' #st2' #st3' #l #prf #tl #Htl #Hclass #is_non_silent #_ #EQ1 #EQ2 #EQ3
+  destruct #_ %2 %{st2'} %{l} %{prf} %{tl} /5 by conj/ *)
+]
+qed.
 let rec append_on_trace (S : abstract_status) (st1 : S) (st2 : S) (st3 : S)
 …
 λS,st1,st2,st3,t1,t2.∃t3 : raw_trace … st1 st2.t2 = t3 @ t1.
 inductive silent_trace (S : abstract_status) :
+inductive pre_silent_trace (S : abstract_status) :
 ∀st1,st2 : S.raw_trace S st1 st2 → Prop ≝
 | silent_empty : ∀st : S.silent_trace … (t_base S st)
+| silent_empty : ∀st : S.pre_silent_trace … (t_base S st)
 | silent_cons : ∀st1,st2,st3 : S.∀prf : as_execute S (cost_act (None ?)) st1 st2.
+                ∀tl : raw_trace S st2 st3. silent_trace … tl →
+                silent_trace … (t_ind … prf … tl).
+                ∀tl : raw_trace S st2 st3. as_classify … st2 = cl_other → pre_silent_trace … tl →
+                pre_silent_trace … (t_ind … prf … tl).
+lemma silent_io : ∀S : abstract_status.
+∀s1,s2 : S. ∀t : raw_trace … s1 s2. pre_silent_trace … t → as_classify … s1 ≠ cl_io →
+as_classify … s2 ≠ cl_io.
+#S #s1 #s2 #t elim t [ #st #_ #Hclass @Hclass]
+#st1 #st2 #st3 #l #prf #tl #IH #H inversion H
+[ #st' #EQ1 #EQ2 destruct #EQ destruct]
+#st1' #st2' #st3' #prf' #tl' #Hclass #silent_tl' #_ #EQ1 #EQ2 destruct
+#EQ destruct #_ #Hclass' @IH [ assumption ] >Hclass % #EQ destruct
+qed.
+definition is_trace_non_empty : ∀S : abstract_status.∀st1,st2.
+raw_trace S st1 st2 → bool ≝
+λS,st1,st2,t.match t with [ t_base _ ⇒ false | _ ⇒ true ].
+definition silent_trace : ∀S : abstract_status.∀st1,st2 : S.
+raw_trace S st1 st2 → Prop ≝ λS,st1,st2,t.pre_silent_trace … t ∧
+(is_trace_non_empty … t → as_classify … st1 = cl_other).
+lemma silent_is_well_formed : ∀S : abstract_status.∀st1,st2 : S.
+∀t : raw_trace S st1 st2. silent_trace … t → well_formed_trace … t.
+#S #st1 #st2 #t elim t -t
+[ #st #_ %]
+#st1' #st2' #st3' #l #prf #tl #IH * #H #cl %2
+[2: >cl % #EQ destruct]
+@IH inversion H in ⊢ ?; [ #st #EQ1 #EQ2 #EQ3 destruct]
+#st1'' #st2'' #st3'' #prf' #tl' #H1 #Htl' #_ #EQ1 #EQ2 #EQ3 destruct #_
+% [ assumption | #_ assumption]
+qed.
 inductive pre_measurable_trace (S : abstract_status) :
 …
                       is_unlabelled_ret_act l2 →
                       pre_measurable_trace … (t_ind … prf … (t1 @ (t_ind … prf' … t2))).
+lemma pre_measurable_trace_inv : ∀S : abstract_status.
+∀st1,st2 : S.∀t : raw_trace … st1 st2. pre_measurable_trace … t →
+(st1 = st2 ∧ as_classify … st1 ≠ cl_io ∧ t ≃ t_base … st1) ∨
+(∃st1' : S.∃l.∃prf : as_execute S l st1 st1'.∃tl.
+ t = t_ind … prf … tl ∧ as_classify … st1 ≠ cl_io ∧ is_cost_act l ∧
+ pre_measurable_trace … tl) ∨
+(∃st1' : S.∃l.∃prf : as_execute S l st1 st1'.∃tl.
+ t = t_ind … prf … tl ∧
+ as_classify … st1 ≠ cl_io ∧ is_labelled_ret_act l ∧ pre_measurable_trace … tl) ∨
+(∃st1' : S .∃l.∃prf : as_execute S l st1 st1'.∃tl.
+ t = t_ind … prf … tl ∧ as_classify … st1 ≠ cl_io ∧ is_call_act l ∧
+ (bool_to_Prop (is_call_post_label … st1)) ∧ pre_measurable_trace … tl) ∨
+(∃st1',st1'',st1''' : S.∃l1,l2.∃prf : as_execute S l1 st1 st1'.
+ ∃t1 : raw_trace S st1' st1''.∃t2 : raw_trace S st1''' st2.
+ ∃prf' : as_execute S l2 st1'' st1'''.
+ t = t_ind … prf … (t1 @ (t_ind … prf' … t2)) ∧ as_classify … st1 ≠cl_io ∧
+ as_classify … st1'' ≠ cl_io ∧ is_call_act l1 ∧
+ bool_to_Prop (¬ is_call_post_label … st1) ∧
+ pre_measurable_trace … t1 ∧ pre_measurable_trace … t2 ∧
+ as_syntactical_succ S st1 st1''' ∧ is_unlabelled_ret_act l2).
+#S #st1 #st2 #t #H inversion H
+[ #st #Hclass #EQ1 #EQ2 destruct #EQ destruct #_ %%%%% // % //
+| #st1' #st2' #st3' #l #prf #tl #Hst1' #Hl #Htl #_ #EQ1 #EQ2 #EQ3 destruct #_
+  %%%%2 %{st2'} %{l} %{prf} %{tl} % // % // % //
+| #st1' #st2' #st3' #l #Hst1 #prf #tl #Hl #Htl #_ #EQ1 #EQ2 #EQ3 destruct #_
+  %%%2 %{st2'} %{l} %{prf} %{tl} % // % // % //
+| #st1' #st2' #st3' #l #prf #tl #Hst1 #Hl #H1st1 #Htl #_ #EQ1 #EQ2 #EQ3 destruct #_
+  % %2 %{st2'} %{l} %{prf} %{tl} % // % // % // % //
+| #st1' #st2' #st3' #st4' #st5' #l1 #l2 #prf #t1 #t2 #prf' #Hst1' #Hst3' #Hl1
+  #H1st1'  #Ht1 #Ht2 #succ #Hl2 #_ #_ #EQ1 #EQ2 #EQ3 destruct #_ %2
+  %{st2'} %{st3'} %{st4'} %{l1} %{(ret_act (None ?))} %{prf} %{t1} %{t2}
+  %{prf'} /12 by conj/
+]
+qed.

src/ERTL/ERTLToLTLProof.ma

-                      r3372
+                      r3388
 λlocalss,live_fun,color_fun,R,hw1,hw2,mem.
 hwreg_retrieve_sp hw1 = hwreg_retrieve_sp hw2 ∧
 ∀r : Register.live_fun (inr ?? r) → hwreg_retrieve hw1 r ≠ BVundef →
+∀r : Register.r ≠ RegisterCarry → live_fun (inr ?? r) → hwreg_retrieve hw1 r ≠ BVundef →
 match color_fun (inr ?? r) with
 [ decision_colour r' ⇒ R (hwreg_retrieve hw1 r) (hwreg_retrieve hw2 r')
 …
 ].
+xxxxxxxxxxxxx
+(*
 let rec frames_relation_aux (prog : ertl_program) (stacksize : ident → option ℕ)
 (color_f : (Σb:block.block_region b=Code) →  option (list register → vertex → decision))
 …
       (λd.acc (callee_saved_remap (pc_block (funct_pc hd)) init_regs color_f d))
       init_regs
+].
+(*
+].*)
 let rec frames_relation_aux (fix_comp : fixpoint_computer)
 (build : coloured_graph_computer) (prog : ertl_program) (R : beval → beval → Prop)
 …
       (λd.acc (callee_saved_remap fix_comp build prog (pc_block (funct_pc hd)) init_regs d))
       init_regs
 ].*)
+].
 definition frames_relation :
+(*
 ∀prog : ertl_program.(ident → option ℕ) → (beval → beval → Prop) →
 ((Σb:block.block_region b=Code) →  option(list register → vertex → decision)) →
 …
 λprog,stacksize,R,color_fun,live_fun,frames,regs,m,init_regs.
 frames_relation_aux prog stacksize color_fun live_fun R frames regs m (λx.x) init_regs.
+(*
+*)
 fixpoint_computer → coloured_graph_computer →
 ertl_program → (beval → beval → Prop) → list ERTL_frame →
 …
  frames_relation_aux fix_comp build prog R frames regs m (λx.x) init_regs.
+(*
 definition register_of_bitvector :  BitVector 6 → option Register≝
 λvect.
 …
 definition gen_state_rel :
+∀prog : ertl_program.(ident → option ℕ) → ? →
+((Σb:block.block_region b=Code) → option (list register → vertex → decision)) →
+((Σb:block.block_region b=Code)→ option (list register → live_type)) →
+? → ? →
+(block → list register) →
+lbl_funct_type → regs_funct_type →
+joint_state_relation ERTL_semantics LTL_semantics ≝
+λprog,stacksizes,init,color_f,live_f,color_fun,live_fun,init_regs,f_lbls,f_regs,pc,st1,st2.
+fixpoint_computer → coloured_graph_computer →
+ertl_program →  (block → list register) → lbl_funct_type → regs_funct_type →
+local_live_type →  (vertex → decision) →
+joint_state_relation ERTL_semantics LTL_semantics ≝
+λfix_comp,colour,prog,init_regs,f_lbls,f_regs,live_fun,color_fun,pc,st1,st2.
+let m1 ≝ (\snd (\fst (ertl_to_ltl fix_comp colour prog))) in
+let stacksizes ≝ lookup_stack_cost … m1 in
 let ge ≝ joint_globalenv ERTL_semantics prog stacksizes in
+let init ≝ translate_data fix_comp colour in
 ∃f,fn,ssize.
 fetch_internal_function … ge (pc_block pc) = return 〈f,fn〉 ∧
 …
 | Some frames ⇒
    mem_relation prog stacksizes R f st1 (m … st1) (m … st2) ∧
    frames_relation prog stacksizes R color_f live_f frames (regs … st2) (m … st2) init_regs ∧
    hw_relation (joint_if_local_stacksize … fn) (live_fun fn (point_of_pc ERTL_semantics pc))
     (color_fun fn) R (\snd (regs … st1)) (regs … st2) (m … st2) ∧
+   frames_relation fix_comp colour prog R frames (regs … st2) (m … st2) init_regs ∧
+   hw_relation (joint_if_local_stacksize … fn) live_fun
+    color_fun R (\snd (regs … st1)) (regs … st2) (m … st2) ∧
    make_is_relation_from_beval R (istack … st1) (istack … st2) ∧
+   (live_fun fn (point_of_pc ERTL_semantics pc)
+    (inr ?? RegisterCarry) → carry … st1 = carry … st2) ∧
+   ((live_fun (inr ?? RegisterCarry)) → carry … st1 ≠ BBundef → carry … st1 = carry … st2) ∧
    stack_usage … st1 = stack_usage … st2 ∧
    ∃ptr.sp … st2 = return ptr ∧
     le ((nat_of_bitvector … (offv (poff … ptr))) + ssize) (2^16 -1) ∧
     plus (nat_of_bitvector … (offv (poff … ptr))) (stack_usage … st2) = 2^16 ∧
+    ps_relation (joint_if_local_stacksize … fn)
+     (live_fun fn (point_of_pc ERTL_semantics pc))
+     (color_fun fn)
+     R ptr (\fst (regs … st1)) 〈regs … st2,m … st2〉
+    ps_relation (joint_if_local_stacksize … fn) live_fun
+     color_fun R ptr (\fst (regs … st1)) 〈regs … st2,m … st2〉
 ].
 …
 ertl_program →  (block → list register) → lbl_funct_type → regs_funct_type →
 joint_state_relation ERTL_semantics LTL_semantics ≝
+λfix_comp,build,prog,init_regs,f_lbls,f_regs,pc.
+let after ≝ λfn,callee.analyse_liveness fix_comp (prog_names … prog) fn callee in
+let before ≝ λfn,callee.livebefore … fn callee (after fn callee) in
+let coloured_graph ≝ λfn,callee.build … fn (after fn callee) callee in
+λfix_comp,build,prog,init_regs,f_lbls,f_regs,pc,st1,st2.
 let m1 ≝ (\snd (\fst (ertl_to_ltl fix_comp build prog))) in
 let stacksizes ≝ lookup_stack_cost … m1 in
+let init ≝ translate_data fix_comp build in
+gen_state_rel prog stacksizes init
+ (λbl.
+   match fetch_internal_function …
+          (joint_globalenv ERTL_semantics prog stacksizes) bl with
+   [ OK x ⇒ Some ? (λcallee.colouring … (coloured_graph (\snd x) callee))
+   | Error e ⇒ None ?
+   ])
+ (λbl.
+   match fetch_internal_function …
+          (joint_globalenv ERTL_semantics prog stacksizes) bl with
+   [ OK x ⇒ Some ? (λcallee,l,v.
+                     in_lattice v ((before (\snd x) callee) l) ∧
+                     match v with
+                     [ inl r ⇒ true
+                     | inr R ⇒ all … (λR'.¬ eq_Register R' R) RegisterAlwaysDead
+                     ])
+   | Error e ⇒ None ?
+   ]) (λfn.colouring … (coloured_graph fn (init_regs (pc_block pc))))
+   (λfn,l,v. in_lattice v (before fn (init_regs (pc_block pc)) l) ∧
+             match v with
+let ge ≝ joint_globalenv ERTL_semantics prog stacksizes in
+∃f,fn.
+fetch_internal_function … ge (pc_block pc) = return 〈f,fn〉 ∧
+let after ≝ analyse_liveness fix_comp (prog_names … prog) fn (init_regs (pc_block pc)) in
+let before ≝ livebefore … fn (init_regs (pc_block pc)) after in
+let coloured_graph ≝ build … fn after (init_regs (pc_block pc)) in
+gen_state_rel fix_comp build prog init_regs f_lbls f_regs
+(λv.in_lattice v (before (point_of_pc ERTL_semantics pc)) ∧
+       match v with
              [ inl r ⇒ true
              | inr R ⇒ all … (λR'.¬ eq_Register R' R) RegisterAlwaysDead
              ])
+    init_regs f_lbls f_regs pc.
+(colouring … coloured_graph) pc st1 st2.
 (*
 definition state_rel : fixpoint_computer → coloured_graph_computer →
 …
 lemma ps_reg_retrieve_hw_reg_retrieve_commute :
 ∀prog,stacksize,init,color_f,live_f,color_fun,live_fun.
+∀fix_comp,colour,prog,color_fun,live_fun.
 ∀init_regs : (block → list register).∀f_lbls,f_regs.∀f : ident.
 ∀fn : joint_closed_internal_function ERTL (prog_names … prog).
 ∀pc.
+let m1 ≝ (\snd (\fst (ertl_to_ltl fix_comp colour prog))) in
+let stacksize ≝ lookup_stack_cost … m1 in
 fetch_internal_function … (joint_globalenv ERTL_semantics prog stacksize)
  (pc_block pc) = return 〈f,fn〉→
+ let init ≝ translate_data fix_comp colour in
 gen_preserving2 ?? gen_res_preserve ??????
      (gen_state_rel prog stacksize init color_f live_f color_fun live_fun init_regs f_lbls f_regs pc)
+     (gen_state_rel fix_comp colour prog init_regs f_lbls f_regs live_fun color_fun pc)
      (λr,d.
+      bool_to_Prop
+        (live_fun fn (point_of_pc ERTL_semantics pc)
+          (inl ?? r)) ∧
+      d =
+      (color_fun fn (inl register Register r)))
+      bool_to_Prop (live_fun (inl ?? r)) ∧
+      d = (color_fun (inl register Register r)))
      (λbv,bv'.bv = sigma_beval prog stacksize init init_regs f_lbls f_regs bv') …
      (λst1.ps_reg_retrieve (regs … st1))
      (λst,d.m_map Res ?? (\fst …)
       (read_arg_decision (joint_if_local_stacksize ?? fn) st d)).
 #prog #stacksize #init #color_f #live_f #color_fun #live_fun #init_regs #f_lbls
+#fix_comp #colour #prog #color_fun #live_fun #init_regs #f_lbls
 #f_regs #f #fn #pc #EQfn #st1 #st2 #r #d
 whd in match gen_state_rel; normalize nodelta * #f1 * #fn1 * #ssize
 …
 qed.
-lemma vertex_retrieve_read_arg_decision_commute :
-∀prog,stacksize,init,color_f,live_f,color_fun,live_fun.
-∀init_regs : (block → list register).∀f_lbls,f_regs.∀f : ident.
-∀fn : joint_closed_internal_function ERTL (prog_names … prog).
-∀pc.
-fetch_internal_function … (joint_globalenv ERTL_semantics prog stacksize)
- (pc_block pc) = return 〈f,fn〉→
-gen_preserving2 ?? gen_res_preserve ??????
-     (gen_state_rel prog stacksize init color_f live_f color_fun live_fun init_regs f_lbls f_regs pc)
-     (λv,d.
-      bool_to_Prop
-        (live_fun fn (point_of_pc ERTL_semantics pc) v) ∧
-      d =
-      (color_fun fn v))
-     (λx,y.\fst x = sigma_beval prog stacksize init init_regs f_lbls f_regs (\fst y) ∧
-            gen_state_rel prog stacksize init color_f live_f color_fun
-            live_fun init_regs f_lbls f_regs pc (\snd x) (\snd y)) …
-     (λst1,v.! bv ← ertl_vertex_retrieve (regs … st1) v;
-              return〈bv,st1〉)
-     (λst,d.(read_arg_decision (joint_if_local_stacksize ?? fn) st d)).
-#prog #stacksize #init #color_f #live_f #color_fun #live_fun #init_regs #f_lbls #f_regs
-#f #fn #pc #EQfn #st1 #st2 *
-[ @ps_reg_retrieve_hw_reg_retrieve_commute assumption] #R #d * #f1 * #fn1 * #ssize
-** >EQfn whd in ⊢ (??%% → ?); #EQ1 destruct(EQ1) #_ cases(st_frms ??) [*] #frames
-normalize nodelta ***** #_ #H1 #_ #_ #_ #_ * #live_R #EQ destruct(EQ) #bv #EQbv
-lapply((proj2 ?? H1 …) R live_R ?)
-[ % #ABS whd in match ertl_vertex_retrieve in EQbv; normalize nodelta in EQbv;
-  >ABS in EQbv; normalize nodelta whd in ⊢ (???% → ?); #EQ destruct(EQ) ]
- cases(color_fun ??) normalize nodelta [#n1 | #R1 ] lapply(ertl_vertex_retrieve_ok_on_hw_regs … EQbv)
- #EQ destruct(EQ)
-[ inversion (hwreg_retrieve_sp ?) normalize nodelta [2: #e #_ *] #sp #EQsp
-  inversion(beloadv ??) normalize nodelta [ #_ *] #bv1 #EQbv1 #Hbv1 %{bv1}
-  % [2: assumption] whd in match m_map; whd in match read_arg_decision; normalize nodelta
-  @pair_elim #off_h #off_l #EQoff >m_return_bind >m_return_bind @('bind_inversion EQsp)
-  #ptr1 #EQptr1 @match_reg_elim
-   [2: #_ whd in ⊢ (??%% → ?); #EQ destruct] #prf whd in ⊢ (??%% → ?); #EQ destruct
-   cases(shift_pointer_commute
-         (bitvector_of_nat 16 (joint_if_local_stacksize … fn1 +n1)) (carry … st2) …
-         〈hwreg_retrieve (regs LTL_semantics st2) RegisterSPL,
-          hwreg_retrieve (regs LTL_semantics st2) RegisterSPH〉 …)
-   [3: %
-   |5: >EQptr1 in ⊢ (??%?); >m_return_bind whd in match xpointer_of_pointer; normalize nodelta
-       @match_reg_elim [2: >prf in ⊢ (% → ?); #EQ destruct] #prf1 >m_return_bind %
-   |*:
+   ]
-   #x * >EQoff normalize nodelta #H @('bind_inversion H) -H #val1 #EQval1
-   #H @('bind_inversion H) -H #val2 #EQval2 #EQx #EQ destruct(EQ)
-   >EQval1 >m_return_bind >EQval2 >m_return_bind >EQx >m_return_bind >EQbv1 >m_return_bind %
-| #EQ %{(hwreg_retrieve (regs … st2) R1)} %{(refl …)} assumption
+]
-qed.
 lemma hwreg_retrieve_sp_insensitive_to_set_other : ∀b,rgs.
 hwreg_retrieve_sp (hwreg_set_other b rgs) = hwreg_retrieve_sp rgs.
 …
 qed.
+lemma shift_pointer_inj : ∀n,ptr.∀b1,b2 : BitVector n.
+nat_of_bitvector … (offv (poff … ptr)) + nat_of_bitvector … b1 ≤ 2^16 - 1 →
+nat_of_bitvector … (offv (poff … ptr)) + nat_of_bitvector … b2 ≤ 2^16 - 1 →
+shift_pointer n ptr b1 = shift_pointer n ptr b2 →
+b1 = b2.
+lemma vertex_retrieve_read_arg_decision_commute :
+∀fix_comp,colour,prog,color_fun,live_fun.
+∀init_regs : (block → list register).∀f_lbls,f_regs.∀f : ident.
+∀fn : joint_closed_internal_function ERTL (prog_names … prog).
+∀pc.
+let m1 ≝ (\snd (\fst (ertl_to_ltl fix_comp colour prog))) in
+let stacksize ≝ lookup_stack_cost … m1 in
+fetch_internal_function … (joint_globalenv ERTL_semantics prog stacksize)
+ (pc_block pc) = return 〈f,fn〉→
+ let init ≝ translate_data fix_comp colour in
+(∀v.∀R. color_fun v = decision_colour R → R = RegisterDPL ∨ R = RegisterDPH → ¬ live_fun v) →
+bool_to_Prop (¬ live_fun (inr ?? RegisterDPL)) →
+bool_to_Prop (¬ live_fun (inr ?? RegisterDPH)) →
+gen_preserving2 ?? gen_res_preserve ??????
+     (gen_state_rel fix_comp colour prog init_regs f_lbls f_regs live_fun color_fun pc)
+     (λv,d.v ≠ (inr ?? RegisterCarry) ∧ bool_to_Prop(live_fun v) ∧ d = (color_fun v))
+     (λx,y.\fst x = sigma_beval prog stacksize init init_regs f_lbls f_regs (\fst y) ∧
+          gen_state_rel fix_comp colour prog init_regs f_lbls f_regs
+           (update_fun … eq_vertex live_fun (inr ?? RegisterCarry) false)
+           color_fun pc (\snd x) (\snd y)) …
+     (λst1,v.! bv ← ertl_vertex_retrieve (regs … st1) v;
+              return〈bv,st1〉)
+     (λst,d.(read_arg_decision (joint_if_local_stacksize ?? fn) st d)).
+#fix_comp #colour #prog #color_fun #live_fun #init_regs #f_lbls #f_regs
+#f #fn #pc #EQfn #Hvert #Hdpl #Hdph #st1 #st2 *
+[ #r #d #Rst1st2 ** #_ #live_r #colour_d * #bv #st #H @('bind_inversion H) -H
+  #bv1 whd in match ertl_vertex_retrieve; normalize nodelta #EQbv1
+  whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+  cases (ps_reg_retrieve_hw_reg_retrieve_commute … EQfn … Rst1st2 … EQbv1)
+  [3: % assumption |2:] #fbv * whd in match m_map; normalize nodelta
+  #H @('bind_inversion H) -H * #fbv1 #st2' #EQfbv1 whd in ⊢ (??%% → ?);
+  #EQ destruct(EQ) #EQ destruct(EQ) %{〈fbv,st2'〉} %{EQfbv1} % [%]
+  whd in match read_arg_decision in EQfbv1; normalize nodelta in EQfbv1;
+  destruct cases (color_fun ?) in EQfbv1; [#n | #R] normalize nodelta
+  [2: whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+  | @pair_elim #high #low #EQhl >m_return_bind >m_return_bind #H @('bind_inversion H) -H
+    #val1 #EQval1 #H @('bind_inversion H) -H #val2 #EQval2 #H @('bind_inversion H)
+    -H #ptr #EQptr #H @('bind_inversion H) -H #fbv1 #H lapply(opt_eq_from_res ???? H)
+    -H #EQfbv1 whd in ⊢ (??%% → ?); #EQ destruct(EQ) whd in match set_carry;
+    normalize nodelta
+  ]
+  cases Rst1st2 #f1 * #fn1 * #ssize ** >EQfn whd in ⊢ (??%% → ?);
+  #EQ destruct(EQ) #EQssize inversion(st_frms ??) [1,3: #_ *] #frames #EQframes
+  normalize nodelta ****** #Hmem #Hframes #Hhw #His #Hcarry #Hstack #Hpsregs
+  %{f1} %{fn1} %{ssize} % [1,3: % assumption] >EQframes normalize nodelta %
+  [2,4: cases Hpsregs -Hpsregs #ptr *** #EQptr #H1 #H2 #H3 %{ptr} %
+    [1,3: % [2,4: assumption] % [1,2,4: assumption]
+         change with (hwreg_retrieve_sp ?) in ⊢ (??%?);
+         >hwreg_retrieve_sp_insensitive_to_regstore
+         [ >hwreg_retrieve_sp_insensitive_to_regstore [ assumption]]
+         normalize % #EQ destruct
+    |*: #r1 #d1 * whd in match update_fun; normalize nodelta #r1_live #EQ destruct(EQ)
+        #bv1 #EQbv1 [ @(H3 … EQbv1) % //] cases(H3 … EQbv1) [3: % [ assumption | % ] |2:]
+        #bv1' inversion(color_fun ?) [ #n | #R ] #EQcol normalize nodelta *
+        [ #H lapply(opt_eq_from_res ???? H) -H #EQbv1'
+        | whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+        ]
+        #EQ destruct(EQ) [ %{bv1'} % [ >EQbv1' % | %]]
+        %{(hwreg_retrieve (regs … st2) R)} % [2: %] >hwreg_retrieve_hwregstore_miss
+        [ >hwreg_retrieve_hwregstore_miss [%]] % #H lapply(Hvert … EQcol ?)
+        [1,3: [%2|%] assumption] >r1_live *
+    ]
+  |*: % [2,4: assumption] % [2,4: *] % [2,4: assumption] %
+      [2,4: [2: whd >hwreg_retrieve_sp_insensitive_to_regstore
+               [ >hwreg_retrieve_sp_insensitive_to_regstore ] ]
+            [2,3,4,5: normalize % #EQ destruct(EQ) |*: %{(proj1 ?? Hhw)} ]
+            #r1 * #r1_no_c whd in match update_fun; normalize nodelta
+            @eq_vertex_elim [1,3: #EQ destruct(EQ) @⊥ @r1_no_c % ] #_
+            normalize nodelta #r1_live #r1_no_undef [2: @(proj2 … Hhw) [%] assumption]
+            lapply(proj2 ?? Hhw … r1_live r1_no_undef) [% assumption]
+            inversion(color_fun ?) normalize nodelta [ #n #_ #H @H]
+            #R1 #HR1 #H >hwreg_retrieve_hwregstore_miss
+            [ >hwreg_retrieve_hwregstore_miss [ @H ] ] % #H1
+            lapply(Hvert … HR1 ?) [1,3: [%2|%] assumption] >r1_live *
+            #H1 #H2 assumption
+      |*: % [1,2,3: assumption ] cases daemon (*TODO in a separate lemma *)
+      ]
+  ]
+]
+#Reg #dec #Rst1st2 *** #Reg_nocarry #Reg_live #EQ destruct(EQ) * #bv #st1'
+#H @('bind_inversion H) -H #bv1 #EQbv1 whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+cases Rst1st2 #f1 * #fn1 * #ssize ** >EQfn whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+#EQsszie inversion(st_frms ??) [ #_ *] #frames #EQframes normalize nodelta ******
+#Hmem #Hframes #Hhw #His #Hcarry #Hstack #Hps cut(? : Prop)
+[3: #H_nocarry lapply(proj2 ?? Hhw … Reg_live H_nocarry)
+    [% #EQ destruct(EQ) @Reg_nocarry %] cases(color_fun ?) normalize nodelta
+    [ #n inversion(hwreg_retrieve_sp ?) normalize nodelta [2: #e #_ *]
+      #ptr #EQptr inversion(beloadv ??) [#_ *] #bv2 #EQbv2 normalize nodelta
+      #Hbv2 @('bind_inversion EQptr) #ptr1 #EQptr1 @match_reg_elim
+      [2: #_ whd in ⊢ (??%% → ?); #EQ destruct(EQ)] #prf whd in ⊢ (??%% → ?);
+      #EQ destruct(EQ)
+      cases(shift_pointer_commute (bitvector_of_nat 16 (joint_if_local_stacksize … fn1 +n))
+                (carry … st2) …
+                〈hwreg_retrieve (regs LTL_semantics st2) RegisterSPL,
+                 hwreg_retrieve (regs LTL_semantics st2) RegisterSPH〉 …)
+     [5: >EQptr1 in ⊢ (??(????%?)?); >m_return_bind whd in match xpointer_of_pointer;
+         normalize nodelta @match_reg_elim [2: >prf in ⊢ (% → ?); #EQ destruct(EQ)]
+         #prf1 >m_return_bind %
+      |3: %
+      |*:
+      ]
+      @pair_elim #ptr_h #ptr_l #EQvsplit #ptr2 * #H @('bind_inversion H) -H #val1
+      #EQval1 #H @('bind_inversion H) -H #val2 #EQval2 #EQptr2 #EQ destruct(EQ)
+      %
+      [ % [ @bv2]
+      | %
+        [ whd in match read_arg_decision; normalize nodelta >EQvsplit in ⊢ (??%?);
+          normalize nodelta >m_return_bind >m_return_bind >EQval1 in ⊢ (??%?);
+          >m_return_bind >EQval2 in ⊢ (??%?); >m_return_bind >EQptr2 in ⊢ (??%?);
+          >m_return_bind >EQbv2 in ⊢ (??%?); %
+        | % [ <Hbv2 whd in match ertl_vertex_retrieve in EQbv1; normalize nodelta in EQbv1;
+              cases(hwreg_retrieve ??) in EQbv1; normalize nodelta
+              try (whd in ⊢ (??%% → ?); #EQ destruct(EQ) %)
+              try (#x1 whd in ⊢ (??%% → ?); #EQ destruct(EQ) %)
+              try (#x1 #x2 whd in ⊢ (??%% → ?); #EQ destruct(EQ) %)
+              #x1 #x2 #x3 whd in ⊢ (??%% → ?); #EQ destruct(EQ) % ]
+          %{f1} %{fn1} %{ssize} % [ %{EQfn} assumption ] >EQframes normalize nodelta
+          %
+          [2: cases Hps #ptr3 *** change with (hwreg_retrieve_sp ?) in ⊢ (??%? → ?);
+           >EQptr in ⊢ (% → ?); whd in ⊢ (??%% → ?); #EQ destruct(EQ) #H1 #H2 #H3
+           %{(«ptr1,prf»)} whd in match set_regs; normalize nodelta
+           %
+           [ %
+             [ % [2: assumption] change with (hwreg_retrieve_sp ?) in ⊢ (??%?);
+               >hwreg_retrieve_sp_insensitive_to_regstore
+               [ >hwreg_retrieve_sp_insensitive_to_regstore [ assumption] ]
+               % normalize #EQ destruct
+             | assumption
+             ]
+           ]
+           #r1 #d1 * whd in match update_fun; normalize nodelta #live_r1 #EQ destruct(EQ)
+           #bev #EQbev cases(H3 … (color_fun (inl ?? r1)) … EQbev) [2: %{live_r1} %]
+           #bev1 inversion(color_fun ?) normalize nodelta [#n #_ #H1 %{bev1} assumption]
+           #R1 #EQR1 * whd in ⊢ (??%% → ?); #EQ1 #EQ2 destruct %{(hwreg_retrieve (regs … st2) R1)}
+           % [2: %] >hwreg_retrieve_hwregstore_miss [ >hwreg_retrieve_hwregstore_miss [%]]
+           % #H lapply(Hvert … EQR1 ?) [1,3: [%2|%] assumption ] >live_r1 *
+          | % [2: assumption] % [2: *] % [2: assumption ] % cases daemon (*TODO*)
+          ]
+        ]
+      ]
+    | cases daemon (*TODO*)
+    ]
+|
+| whd in match ertl_vertex_retrieve in EQbv1; normalize nodelta in EQbv1;
+  cases(hwreg_retrieve ??) in EQbv1; normalize nodelta
+  [ whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+  |*: try( #H1 #H2 #H3 #H4) try( #H1 #H2 #H3) try( #H1 #H2) try( #H1) % #EQ destruct
+  ]
+]
+qed.
+definition ertl_vertex_store : vertex → beval → state ERTL_state → state ERTL_state ≝
+λv,bv,st.match v with
+[ inl r ⇒ set_regs ERTL_state 〈reg_store r bv (\fst (regs … st)),\snd (regs … st)〉 st
+| inr r ⇒ set_regs ERTL_state 〈\fst (regs … st),hwreg_store r bv (\snd (regs … st))〉 st
+].
+lemma state_rel_insensitive_to_dead_write_decision :
+∀fix_comp,colour,prog,color_fun,live_fun.
+∀init_regs : (block → list register).∀f_lbls,f_regs.∀f : ident.
+∀fn : joint_closed_internal_function ERTL (prog_names … prog).
+∀pc.
+let m1 ≝ (\snd (\fst (ertl_to_ltl fix_comp colour prog))) in
+let stacksize ≝ lookup_stack_cost … m1 in
+fetch_internal_function … (joint_globalenv ERTL_semantics prog stacksize)
+ (pc_block pc) = return 〈f,fn〉→
+∀r : Register.
+In … RegisterAlwaysDead r →
+∀bv.(∀v.color_fun v = (decision_colour r) → ¬ live_fun v) →
+gen_preserving ?? gen_res_preserve ????
+   (gen_state_rel fix_comp colour prog init_regs f_lbls f_regs live_fun color_fun pc)
+   (gen_state_rel fix_comp colour prog init_regs f_lbls f_regs live_fun color_fun pc)
+   (m_return …)
+   (λst.write_decision (joint_if_local_stacksize ?? fn) (decision_colour r) bv st).
+#fix_comp #colour #prog #color_fun #live_fun #init_regs #f_lbls #f_regs #f #fn #pc
+#EQfn #r #r_forb #bv #Hr #st1 #st2 #Rst1st2 #st1' whd in ⊢ (??%% → ?);
+#EQ destruct(EQ) %
+[2: % [ whd in match write_decision; normalize nodelta >m_return_bind %] |]
+cases Rst1st2 #f1 * #fn1 * #ssize ** >EQfn whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+#EQssize inversion(st_frms ??); [ #_ * ] #frames #EQframes normalize nodelta
+****** #Hmem #Hframes #Hhw #His #Hcarry #Hstack * #sp *** #EQsp #H1 #H2 #Hps
+%{f1} %{fn1} %{ssize} % [ %{EQfn} assumption ] >EQframes normalize nodelta
+%
+[2: %{sp} %
+   [ % [2: assumption ] % [2: assumption ]
+     change with (hwreg_retrieve_sp ?) in ⊢ (??%?); whd in match set_regs;
+     normalize nodelta >hwreg_retrieve_sp_insensitive_to_regstore
+     [ assumption ] % #EQ destruct(EQ) cases r_forb
+     [1,3: normalize #EQ destruct(EQ) ] *
+     [1,3: normalize #EQ destruct(EQ) ] *
+     [1,3: normalize #EQ destruct(EQ) ] *
+     [1,3: normalize #EQ destruct(EQ) ] *
+     [1,3: normalize #EQ destruct(EQ) ] *
+   | whd #r1 #d1 * #live_r1 #EQ destruct(EQ) #bv1 #EQbv1
+     cases(Hps … (color_fun (inl ?? r1)) …  EQbv1) [2: % // ]
+     #bv2 inversion(color_fun ?) normalize nodelta
+     [#n #_ * #EQ1 #EQ2 destruct %{bv2} %{EQ1} % ]
+     #R #EQR * whd in ⊢ (??%% → ?); #EQ1 #EQ2 destruct
+     %{(hwreg_retrieve (regs … st2) R)} % [2: %]
+     whd in match set_regs; normalize nodelta
+     >hwreg_retrieve_hwregstore_miss [%] % #EQ destruct
+     lapply(Hr … EQR) >live_r1 *
+   ]
+]
+% [2: assumption] % [2: assumption ] % [2: assumption] cases daemon (*TODO*)
+qed.
+lemma beloadv_ok_bestorev_ok :
+∀m,ptr,bv,bv'.beloadv m ptr = return bv →
+∃m'.bestorev m ptr bv' = return m'.
 cases daemon (*TODO*)
 qed.
+include alias "arithmetics/nat.ma".
+lemma vertex_retrieve_write_decision_commute :
+∀fix_comp,colour,prog,color_fun,live_fun.
+∀init_regs : (block → list register).∀f_lbls,f_regs.∀f : ident.
+∀fn : joint_closed_internal_function ERTL (prog_names … prog).
+∀pc.
+let m1 ≝ (\snd (\fst (ertl_to_ltl fix_comp colour prog))) in
+let stacksize ≝ lookup_stack_cost … m1 in
+fetch_internal_function … (joint_globalenv ERTL_semantics prog stacksize)
+ (pc_block pc) = return 〈f,fn〉→
+ let init ≝ translate_data fix_comp colour in
+(∀v.∀R. color_fun v = decision_colour R → R = RegisterDPL ∨ R = RegisterDPH → ¬ live_fun v) →
+bool_to_Prop (¬ live_fun (inr ?? RegisterDPL)) →
+bool_to_Prop (¬ live_fun (inr ?? RegisterDPH)) →
+(∀v.∀n : ℕ.color_fun v = decision_spill n → le n (joint_if_stacksize … fn)) →
+gen_preserving ?? gen_res_preserve ????
+     (λx,y.gen_state_rel fix_comp colour prog init_regs f_lbls f_regs live_fun
+             color_fun pc (\snd (\fst x)) (\snd (\fst y)) ∧
+           (\fst (\fst x)) = sigma_beval prog stacksize init init_regs f_lbls f_regs (\fst (\fst y)) ∧
+           (\snd x) ≠ (inr ?? RegisterCarry) ∧ bool_to_Prop(live_fun (\snd x)) ∧
+           (\snd y) = (color_fun (\snd x)) ∧
+           (∃bv'.ertl_vertex_retrieve (regs … (\snd (\fst x))) (\snd x) = return bv') ∧
+           (∀v'.v' ≠ (\snd x) → bool_to_Prop (live_fun v') → color_fun v' = (\snd y) →
+                False))
+     (gen_state_rel fix_comp colour prog init_regs f_lbls f_regs
+         (update_fun … eq_vertex live_fun (inr ?? RegisterCarry) false)
+         color_fun pc) …
+     (λx.return ertl_vertex_store (\snd x) (\fst (\fst x)) (\snd (\fst x)))
+     (λx.write_decision (joint_if_local_stacksize ?? fn) (\snd x) (\fst (\fst x)) (\snd (\fst x))).
+#fix_comp #colour #prog #color_fun #live_fun #init_regs #f_lbls #f_regs #f #fn #pc
+#EQfn #Hdpl_dph #dpl_dead #dph_dead #Hspill ** #bv1 #st1 * #r ** #bv2 #st2 #d ******* #f1 * #fn1 * #sszie **
+>EQfn whd in ⊢ (??%% → ?); #EQ destruct(EQ) #EQsszie inversion(st_frms …) [1,3: #_ *]
+#frames #EQframes normalize nodelta ****** #Hmem #Hframes #Hhw #His #Hcarry #Hstack
+* #sp *** change with (hwreg_retrieve_sp ?) in ⊢ (??%? → ?); #EQsp #H1 #H2 #Hps #EQ destruct(EQ)
+[ #_ | * #r_nocarry ] #live_r #EQ destruct(EQ) * #bv' #EQbv' #Hinterf #st1' whd in ⊢ (??%% → ?);
+whd in match ertl_vertex_store; normalize nodelta #EQ destruct(EQ)
+[ cases(Hps … EQbv') [3: % [ assumption | %] |*:] #bv'' inversion(color_fun …)
+  [ #n | #R ] #EQcol normalize nodelta *
+  [ #H lapply(opt_eq_from_res ???? H) -H #EQbv''
+  | whd in ⊢ (??%% → ?); #EQ1
+  ]
+  #EQ2 destruct
+  [ @('bind_inversion EQsp) #ptr #EQptr @match_reg_elim #prf whd in ⊢ (??%% → ?); #EQ destruct
+    cases(shift_pointer_commute (bitvector_of_nat 16 (joint_if_local_stacksize … fn1 +n))
+                (carry … st2) …
+                〈hwreg_retrieve (regs LTL_semantics st2) RegisterSPL,
+                 hwreg_retrieve (regs LTL_semantics st2) RegisterSPH〉 …)
+    [3: %
+    |5: >EQptr in ⊢ (??%?); >m_return_bind whd in match xpointer_of_pointer; normalize nodelta
+        @match_reg_elim [2: >prf in ⊢ (% → ?); #EQ destruct] #prf' >m_return_bind %
+    |*:
+    ]
+    #ptr1 @pair_elim #x1 #x2 #EQx1x2 * #H @('bind_inversion H) -H #x1' #EQx1'
+    #H @('bind_inversion H) -H #x2' #EQx2' #EQptr1 #EQ destruct(EQ)
+    cases(beloadv_ok_bestorev_ok … bv2 … EQbv'') #m' #EQm'
+    % [2: %
+          [ whd in match write_decision; normalize nodelta
+            >EQx1x2 in ⊢ (??%?); normalize nodelta >m_return_bind
+            >m_return_bind >EQx1' in ⊢ (??%?); >m_return_bind
+            >EQx2' in ⊢ (??%?); >m_return_bind >EQptr1 in ⊢ (??%?);
+            >m_return_bind >EQm' in ⊢ (??%?); >m_return_bind %
+          | whd %{f1} %{fn1} %{sszie} % [ % assumption ] >EQframes normalize nodelta
+            %
+            [2: %{(«ptr,prf»)} %
+                [ % [2: assumption] % [2: assumption]
+                change with (hwreg_retrieve_sp ?) in ⊢ (??%?); whd in match set_m;
+                whd in match set_regs; normalize nodelta
+                >hwreg_retrieve_sp_insensitive_to_regstore
+                [ >hwreg_retrieve_sp_insensitive_to_regstore [assumption]]
+                % normalize #EQ destruct ] #r1 #d1 * whd in match update_fun;
+                normalize nodelta #liv_r1 #EQ destruct(EQ) #val1
+                cut(eq_identifier … r r1 ∨ ¬ eq_identifier … r r1)
+                [ @eq_identifier_elim #_ // ] @eq_identifier_elim
+                [ #EQ destruct(EQ) #_ whd in match reg_retrieve; whd in match reg_store;
+                  normalize nodelta >lookup_add_hit whd in ⊢ (??%% → ?); #EQ destruct
+                  %{bv2} >EQcol normalize nodelta % [2: %] whd in match set_m; whd in match set_regs;
+                  normalize nodelta >beloadv_bestorev_hit [% | @EQm' |*:]
+                | #r_neq_r1 #_ whd in match reg_retrieve; whd in match reg_store;
+                  normalize nodelta >lookup_add_miss
+                  [2: % #EQ destruct cases r_neq_r1 #H @H %]
+                  change with (ps_reg_retrieve ??) in ⊢ (??%? → ?);
+                  #EQval1 cases(Hps … EQval1) [3: % [ assumption | %] |*:]
+                  #val2 inversion(color_fun ?) [ #n1 | #R1 ] #col_r1 normalize nodelta *
+                  [ #H lapply(opt_eq_from_res ???? H) -H #EQval2 | whd in ⊢ (??%% → ?); #EQ1 ]
+                  #EQ2 %{val2} destruct %
+                  [2,4: % |3: >hwreg_retrieve_hwregstore_miss [ >hwreg_retrieve_hwregstore_miss [%]]
+                  % #EQ destruct(EQ) lapply(Hdpl_dph … col_r1 ?) [1,3: [ %2 | %] %]
+                  >liv_r1 * ]
+                  whd in match set_m; whd in match set_regs; normalize nodelta
+                  cut(eqb … n n1 ∨ ¬ eqb … n n1) [ @eqb_elim #_ //]
+                  @eqb_elim
+                  [ #EQ destruct(EQ) #_ >(beloadv_bestorev_hit …  EQm')
+                    whd in ⊢ (??%%); @eq_f
+                    cases(Hinterf (inl ?? r1) ? liv_r1 ?)
+                    [ % #EQ destruct cases r_neq_r1 #H @H %
+                    | >EQcol >col_r1 %
+                    ]
+                  | * #n_no_n1 #_ >(beloadv_bestorev_miss … EQm')
+                    [ >EQval2 % ]
+                    % #ABS @n_no_n1
+                    @(injective_plus_r (joint_if_local_stacksize … fn1))
+                    @(eq_bitvector_of_nat_to_eq … (shift_pointer_injective … ABS))
+                    whd change with (plus 1 ?) in ⊢ (?%?);
+                    @monotonic_le_plus_r @(transitive_le … H1)
+                    [ cut (joint_if_local_stacksize … fn1 + n ≤ sszie)
+                      [ cases daemon (*TODO an invariant to be added*) ]
+                      | cut (joint_if_local_stacksize … fn1 + n1 ≤ sszie)
+                      [ cases daemon (*TODO an invariant to be added*) ]
+                    ]
+                    #H2 @(transitive_le … H2) @le_plus_n
+                  ]
+                ]
+            | % [2: assumption ] % [2: *] % [2: assumption] %
+              [2: % [ >(proj1 … Hhw) >hwreg_retrieve_sp_insensitive_to_regstore
+                      [ >hwreg_retrieve_sp_insensitive_to_regstore [%]] normalize % #EQ destruct]
+                    #r1 * #r1_nocarry whd in match update_fun; normalize nodelta @eq_vertex_elim
+                    [ #EQ @⊥ destruct(EQ) @r1_nocarry %] #_ normalize nodelta
+                    #live_r1 #r1_noundef inversion(color_fun ?)
+                    [ #n1 | #r1'] #col_r1 normalize nodelta
+                    [ >hwreg_retrieve_sp_insensitive_to_regstore
+                      [ >hwreg_retrieve_sp_insensitive_to_regstore ]
+                      [2,3,4,5: normalize % #EQ destruct]
+                      >EQsp normalize nodelta whd in match set_m; normalize nodelta
+                      cases daemon (*TODO*)
+                    | >hwreg_retrieve_hwregstore_miss
+                      [ >hwreg_retrieve_hwregstore_miss ] [2,3: % #EQ destruct(EQ)
+                      lapply(Hdpl_dph … col_r1 ?) [1,3: [ %2 | % ] %] >live_r1 * ]
+                      lapply(proj2 … Hhw r1 … live_r1 r1_noundef) [% assumption]
+                      >col_r1 normalize nodelta #H @H
+                    ]
+              | cases daemon (*TODO*)
+              ]
+            ]
+       ]
+    |
+    ]
+  |  cases daemon (*TODO*)
+  ]
+| cases daemon (*TODO*)
+]
+qed.
+xxxxxxx
+                         @transitive_le\
+                         check plus lapply injective_S whd in match injective;
+                        normalize nodelta change with(plus ? 1 ≤ 2 ^16); check injective_plus_l
+   %
+  [2,4: %
+        [1,3: whd in match write_decision; normalize nodelta [2: %] @pair_elim
+              #h_l #h_h #EQh >m_return_bind >m_return_bind
+              @('bind_inversion EQsp) #ptr #EQptr @match_reg_elim #prf whd in ⊢ (??%% → ?);
+              #EQ destruct(EQ)
+              cases(shift_pointer_commute (bitvector_of_nat 16 (joint_if_local_stacksize … fn1 +n))
+                (carry … st2) …
+                〈hwreg_retrieve (regs LTL_semantics st2) RegisterSPL,
+                 hwreg_retrieve (regs LTL_semantics st2) RegisterSPH〉 …)
+              [
+ inversion(color_fun …) [1,3: #n |*: #R ] #EQcol %
+[2: %
+    [ whd in match write_decision; normalize nodelta
+[ cases(Hps … EQbv')
+#Rst1st2 ****
+#EQ destruct(EQ) [ #_ | * #r_nocarry] #live_r #EQ destruct(EQ) #Hinterf #st1'
+whd in ⊢ (??%% → ?); #EQ destruct(EQ) cases Rst1st2
+[ cases(Hps … r)
 (*
 …
 cases daemon qed.  *)
+lemma move_preserve :
+∀fix_comp,colour,prog,init.
+∀color_f : ((Σb:block.block_region b=Code) → option (list register → vertex → decision)).
+∀live_f : ((Σb:block.block_region b=Code)→ option (list register → live_type)).
+∀color_fun : (joint_closed_internal_function ERTL (prog_names … prog) → vertex → decision).
+∀live_fun : (joint_closed_internal_function ERTL (prog_names … prog) → label → vertex → bool).
+let p_out ≝ (\fst (\fst (ertl_to_ltl fix_comp colour prog))) in
+let m1 ≝ (\snd (\fst (ertl_to_ltl fix_comp colour prog))) in
+let stacksizes ≝ lookup_stack_cost … m1 in
+ ∀init_regs : block → list register.∀f_lbls,f_regs. ∀pc,carry_lives_after.
+ ∀src,dest : decision.
+ ∀f.∀fn : joint_closed_internal_function ? (prog_names … prog).
+ fetch_internal_function … (joint_globalenv ERTL_semantics prog stacksizes)
+ (pc_block pc) = return 〈f,fn〉 →
+∀v1,v2. color_fun fn v1 = src →
+color_fun fn v2 = dest →
+v2 ≠ (inr ?? RegisterCarry) →
+live_fun fn (point_of_pc ERTL_semantics pc) v1 →
+invariant_for_move src →
+(∀v. live_fun fn (point_of_pc ERTL_semantics pc) v →
+     color_fun fn v ≠ decision_colour RegisterDPL ∧
+     color_fun fn v ≠ decision_colour RegisterDPH ∧
+     color_fun fn v ≠ decision_colour RegisterST1) →
+live_fun fn (point_of_pc ERTL_semantics pc)
+ (inr ?? RegisterCarry) = carry_lives_after →
+gen_preserving ?? gen_res_preserve ????
+(λst1,st2.
+ gen_state_rel prog stacksizes init color_f live_f color_fun live_fun init_regs
+  f_lbls f_regs pc st1 st2 ∧
+ ∃bv.ertl_vertex_retrieve (regs … st1) v1 = return bv ∧
+ (∀v.live_fun fn (point_of_pc ERTL_semantics pc) v → v ≠ v1 → v ≠ v2 →
+     color_fun fn v = dest →
+     ertl_vertex_retrieve (regs … st1) v = return bv) ∧
+ (∀ptr.
+  sp … st2 = return ptr →
+  match dest with
+  [ decision_spill n ⇒
+        ∀bv.bestorev (m … st2)
+         (shift_pointer ? ptr (bitvector_of_nat 16 ((joint_if_local_stacksize … fn) + n)))
+         bv ≠ None ?
+ | _ ⇒ True
+ ]))
+(gen_state_rel prog stacksizes init color_f live_f
+ (λfn.update_fun ?? eq_vertex (color_fun fn) v1 dest)
+ (λfn.update_fun ?? (eq_identifier …) (live_fun fn) (point_of_pc ERTL_semantics pc)
+   (update_fun ?? eq_vertex (live_fun fn (point_of_pc ERTL_semantics pc)) v2
+    (eq_decision src dest)))
+ init_regs f_lbls f_regs pc)
+(m_return ??)
+(repeat_eval_seq_no_pc LTL_semantics (mk_prog_params LTL_semantics p_out stacksizes) f
+   (move (prog_names … prog) (joint_if_local_stacksize … fn) carry_lives_after dest src)).
+#fix_comp #colour #prog #init #color_f #live_f #color_fun #live_fun #init_regs #f_lbls
+#f_regs #pc #carry_live #src #dst #f #fn #EQfn #v1 #v2 #EQsrc
+#EQdst * #v2_noCarry #v1_live #Hsrc #dst_spec #EQcarry_live #st1 #st2 * #Rst1st2 * #bv ** #EQbv
+#Hv1v2 #Hdst >move_spec [2: assumption]
+cases(vertex_retrieve_read_arg_decision_commute … init … EQfn … Rst1st2 … EQbv)
+[3: %{v1_live} % |2: ] #bv1 * whd in match m_map; normalize nodelta
+#H @('bind_inversion H) -H * #bv2 #st2' #EQread_arg whd in ⊢ (??%% → ?); #EQ1 #EQ2
+destruct(EQ1 EQ2) cases src in EQsrc Hsrc; normalize nodelta -src
+[ #n1 | #R1 ] #EQcol_src * [2: #R1_noDPL #R1_noDPH ] cases dst in EQdst Hdst Hv1v2 dst_spec;
+[1,3: #n2 |*: #R2 ] #EQcol_dst normalize nodelta [1,2: #Hn2 |*: #_] #Hv1v2 #dst_spec
+>EQcol_src in EQread_arg; #EQread_arg >EQread_arg whd in EQread_arg : (??%%);
+[2,4: lapply EQread_arg -EQread_arg @pair_elim #off_h_src #off_l_src #EQoff_src
+      >m_return_bind >m_return_bind #H @('bind_inversion H) -H #val1_src #EQval1_src
+      #H @('bind_inversion H) -H #val2_src #EQval2_src #H @('bind_inversion H) -H
+      #ptr_shift_src #EQptr_shift_src #H @('bind_inversion H) -H #bv_src #H
+      lapply(opt_eq_from_res ???? H) -H #EQbv_src whd in ⊢ (??%% → ?); #EQread_arg ]
+destruct(EQread_arg) >m_return_bind #st1' whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+cases Rst1st2 #f1 * #fn1 * #ssize ** >EQfn whd in ⊢ (??%% → ?); #EQ1 destruct(EQ1)
+#EQssize inversion(st_frms ??) normalize nodelta [1,3,5,7: #_ *] #frames #EQframes ******
+#Hmem #Hframes #Hhw_reg #His #Hcarry #Hsu * #sp ***
+change with (hwreg_retrieve_sp ?) in ⊢ (??%? → ?); #EQsp #Hssize #Hstack_usage #Hps_reg
+[ @eqb_elim normalize nodelta [ #EQ destruct(EQ) %{st2} %{(refl …)} | * #src_dest_spec ]
+| @eq_Register_elim normalize nodelta [ #EQ destruct(EQ) | * #R2_noA ]
+| @eq_Register_elim normalize nodelta [ #EQ destruct(EQ) | * #R1_noA ]
+| @eq_Register_elim normalize nodelta
+   [ #EQ destruct(EQ) %{st2'} %{(refl …)}
+   | * #src_dest_spec @eq_Register_elim normalize nodelta [#EQ destruct(EQ) | * #R2_noA >m_return_bind ]
+   ]
+]
+[1,7: @(update_color_lemma … EQfn)
+  [1,3: @(update_live_fun_lemma … EQfn) [1,3: assumption] @eq_decision_elim
+    [2,4: * #H @⊥ @H %] #_ normalize nodelta inversion(live_fun ??)
+    [1,3: #_ @I] normalize nodelta >EQcol_dst normalize nodelta cases v2 in EQcol_dst; [1,3: #r |*: #R ] #EQcol_dst #v2_dead
+    normalize nodelta #bv1 whd in match ertl_vertex_retrieve; normalize nodelta #EQbv1
+    >EQcol_dst normalize nodelta
+    [1,3: %{sp} %{EQsp} cases v1 in EQcol_src v1_live EQbv; [1,3: #r1 |*: #R1] #EQcol_src
+          #v1_live whd in match ertl_vertex_retrieve; normalize nodelta
+          [1,2: #EQbv cases(Hps_reg r1 (decision_spill n2) … EQbv) [2,4: % assumption] #bv2
+          normalize nodelta
+   @(update_color_lemma … EQfn)
+    cases daemon (*TODO: it follows by extensionality:
+                          maybe to be merged with other proof obbligations *)
+  ]
+  * #src_dest_spec
+[2,4:
+[1,3: whd in EQread_arg : (??%%); destruct(EQread_arg) @eq_Register_elim normalize nodelta
+ [ #EQ destruct(EQ) @('bind_inversion EQsp) #ptr #EQptr @match_reg_elim
+   [2: #_ whd in ⊢ (??%% → ?); #EQ destruct] #prf whd in ⊢ (??%% → ?);
+   #EQ destruct(EQ)
+   cases(shift_pointer_commute
+         (bitvector_of_nat 16 (joint_if_local_stacksize … fn1 +n2)) (carry … st2') …
+         〈hwreg_retrieve (regs LTL_semantics st2') RegisterSPL,
+          hwreg_retrieve (regs LTL_semantics st2') RegisterSPH〉 …)
+   [3: %
+   |5: >EQptr in ⊢ (??%?); >m_return_bind whd in match xpointer_of_pointer; normalize nodelta
+       @match_reg_elim [2: >prf in ⊢ (% → ?); #EQ destruct] #prf1 >m_return_bind %
+   |*:
+   ]
+   #x * @pair_elim #offh #offl #EQoff #H @('bind_inversion H) -H #val1 #EQval1
+   #H @('bind_inversion H) -H #val2 #EQval2 #EQx #EQ destruct(EQ) %
+   [2: %
+       [ whd in match write_decision; whd in match set_regs; whd in match set_carry;
+         normalize nodelta > EQoff in ⊢ (??%?); normalize nodelta
+         >m_return_bind >m_return_bind >hwreg_retrieve_hwregstore_miss
+         [ >EQval1 in ⊢ (??%?); >m_return_bind >hwreg_retrieve_hwregstore_miss
+           [ >EQval2 in ⊢ (??%?); >m_return_bind >EQx in ⊢ (??%?); >m_return_bind
+             >(opt_to_opt_safe … (Hn2 … EQsp …)) >m_return_bind <commute_if
+             whd in match set_m; normalize nodelta %
+           ]
+         ]
+         normalize % #EQ destruct
+       | %{f1} %{fn1} %{ssize} % [ %{EQfn EQssize} ]
+         >EQframes normalize nodelta %
+         [ % [2: cases carry_live normalize nodelta assumption ]
+           % [2: whd in match update_fun; normalize nodelta @eq_identifier_elim
+                 [2: * #H @⊥ @H %] #_ normalize nodelta
+                 @eq_vertex_elim [ #EQ destruct @⊥ @v2_noCarry %] #_
+                 @eq_decision_elim [ #EQ destruct] #_ normalize nodelta
+                 destruct #H >H normalize nodelta @Hcarry assumption ]
+           % [2: @if_elim #_ assumption ] %
+           [2: whd in match update_fun; normalize nodelta @eq_identifier_elim
+               [2: * #H @⊥ @H %] #_ normalize nodelta %
+               [ cases carry_live normalize nodelta
+                 [ >hwreg_retrieve_sp_insensitive_to_set_other]
+                 >hwreg_retrieve_sp_insensitive_to_regstore
+                 [1,4: >hwreg_retrieve_sp_insensitive_to_regstore
+                   [1,4: >hwreg_retrieve_sp_insensitive_to_regstore
+                      [1,4:  @(proj1 … Hhw_reg) ] ] ]
+                 % normalize #EQ destruct
+               | #R' @eq_vertex_elim normalize nodelta [ #_ @eq_decision_elim [#EQ destruct] #_ *]
+                 #v2_noR' #live_R' @eq_vertex_elim
+                 [ #EQ destruct(EQ) normalize nodelta cases carry_live in EQcarry_live;
+                   #EQcarry_live normalize nodelta
+                   [ >hwreg_retrieve_sp_insensitive_to_set_other]
+                   >hwreg_retrieve_sp_insensitive_to_regstore
+                   [1,4: >hwreg_retrieve_sp_insensitive_to_regstore
+                     [1,4: >hwreg_retrieve_sp_insensitive_to_regstore ]]
+                   [1,4: |*: % normalize #EQ destruct]
+                   try >EQsp in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ?]); normalize nodelta
+                   @opt_safe_elim #m' #EQm' >(beloadv_bestorev_hit … EQm')
+                   normalize nodelta whd in EQbv : (??%%);
+                   cut(∀A,a1,a2. OK A a1 = OK A a2 → a1 = a2)
+                   [1,3: #H1 #H2 #H3 #H4 destruct %] #AUX
+                   @(AUX … EQbv)
+                 | #v1_noR' normalize nodelta
+                   cut(bool_to_Prop(eq_decision (decision_spill n2) (color_fun fn1 (inr ?? R'))) ∨
+                       bool_to_Prop(¬ eq_decision (decision_spill n2) (color_fun fn1 (inr ?? R'))))
+                   [ @eq_decision_elim #_ [%%|%2%]] *
+                   [ @eq_decision_elim [2: #_ *] #EQ lapply(sym_eq ??? EQ) -EQ #EQcolR'
+                     #_ >EQcolR' normalize nodelta cases carry_live
+                     [ >hwreg_retrieve_sp_insensitive_to_set_other]
+                     >hwreg_retrieve_sp_insensitive_to_regstore
+                     [1,4: >hwreg_retrieve_sp_insensitive_to_regstore
+                     [1,4: >hwreg_retrieve_sp_insensitive_to_regstore ]]
+                     [1,4: |*: % normalize #EQ destruct]
+                     try >EQsp in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]); normalize nodelta
+                     @opt_safe_elim #m' #EQm' >(beloadv_bestorev_hit … EQm') normalize nodelta
+                     lapply(Hv1v2 (inr ?? R') live_R' v1_noR' v2_noR' EQcolR')
+                     whd in match ertl_vertex_retrieve;  normalize nodelta
+                     whd in ⊢ (??%% → ?); cut(∀A,a1,a2. OK A a1 = OK A a2 → a1 = a2)
+                     [1,3: #H1 #H2 #H3 #H4 destruct %] #AUX #EQ
+                     >(AUX ??? EQ) %
+                   | @eq_decision_elim [ #_ *] #Hnodet_R' #_ inversion(color_fun ??)
+                     [ #n3 #EQn3 normalize nodelta cases carry_live
+                       [ >hwreg_retrieve_sp_insensitive_to_set_other]
+                       >hwreg_retrieve_sp_insensitive_to_regstore
+                       [1,4: >hwreg_retrieve_sp_insensitive_to_regstore
+                       [1,4: >hwreg_retrieve_sp_insensitive_to_regstore ]]
+                       [1,4: |*: % normalize #EQ destruct]
+                       try >EQsp in ⊢ (match % with [ _ ⇒ ? | _ ⇒ ? ]); normalize nodelta
+                       @opt_safe_elim #m' #EQm' >(beloadv_bestorev_miss … EQm')
+                       [1,3: lapply(proj2 ?? Hhw_reg R' live_R') >EQn3 normalize nodelta
+                             >EQsp normalize nodelta #H @H ]
+                       % #ABS >EQn3 in Hnodet_R'; * #H @H @eq_f -H
+                       @(injective_plus_r … (joint_if_local_stacksize … fn1))
+                       cut(? : Prop)
+                       [3,6: cut(? : Prop)
+                         [3,6: #H1 #H2 @(eq_bitvector_of_nat_to_eq 16)
+                               [1,4: @H1 |2,5: @H2 ]
+                               @(shift_pointer_inj … ABS) >nat_of_bitvector_bitvector_of_nat_inverse
+                               try assumption @(transitive_le … Hssize)
+                               @monotonic_le_plus_r cases daemon (*TODO*)
+                         |1,4:
+                         |*: cases daemon (*TODO*)
+                         ]
+                       |1,4:
+                       |*: cases daemon (*TODO*)
+                       ]
+                     | #R'' #EQR'' normalize nodelta cases carry_live normalize nodelta
+                       [ >hwreg_retrieve_insensitive_to_set_other ]
+                       >hwreg_retrieve_hwregstore_miss
+                       [1,3: >hwreg_retrieve_hwregstore_miss
+                             [1,3: >hwreg_retrieve_hwregstore_miss
+                                 [1,3: lapply(proj2 ?? Hhw_reg R' live_R') > EQR''
+                                       normalize nodelta #H @H ] ] ]
+                        cases(dst_spec … live_R') * >EQR'' * #H1 * #H2 * #H3 % #EQ destruct(EQ)
+                        try(@H1 %) try(@H2 %) try(@H3 %)
+                         [@H3 try @H1 try @H2 try assumption
+                       cases daemon (*hypothesis on colouring function to be added TODO *)
+                     ]
+                              lapply EQssize whd in ⊢ (??%% → ?);
+                             whd in match ertl_to_ltl; normalize nodelta whd in match (stack_cost ??);
+                             whd in ⊢ (??%% → ?);
+                 xxxxxxxx
+                    <EQbv destruct(EQbv)
+                    whd in match hwreg_retrieve_sp;
+                   normalize nodelta
+          @eq_vertex_elim
+                | normalize nodelta
+       %{live_fun1} %{color_fun1} %
+         [%
+           [ %{EQfn}
+cases src in EQsrc Hsrc; -src normalize nodelta
+[ #n1 | #R1 ] #EQcol_src * [2: #R1_noDPL #R1_noDPH] cases dst in EQdst Hdst;
+[1,3: #n2 |*: #R2 ] #EQcol_dst normalize nodelta [1,2: #Hn2 |*: #_]
+#st1' whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+cases daemon (*TODO*)
+qed.
+(*
 lemma state_rel_insensitive_to_forbidden_Reg :
  ∀fix_comp,colour,prog,init_regs,f_lbls,f_regs,pc.
 …
+]
 qed.
+*)
 …
 whd in match acca_retrieve; normalize nodelta
 change with (ps_reg_retrieve ??) in ⊢ (??%? → ?);
+#EQbv #EQb whd in match state_pc_rel; normalize nodelta ** #Rst1st2 #_ #_
+#t_fn #_ #z1 #z2 #z3 #z4 #z5 #z6 #z7 #z8 whd #EQinit_regs
+#EQbv #EQb whd in match state_pc_rel; normalize nodelta **
+whd in match state_rel; normalize nodelta * #f1 * #fn1 *
+>(proj1 … (fetch_statement_inv … EQfetch)) whd in ⊢ (???% → ?); #EQ destruct(EQ)
+#Rst1st2 #_ #_ #t_fn #_ #z1 #z2 #z3 #z4 #z5 #z6 #z7 #z8 whd #EQinit_regs
 whd normalize nodelta %{(refl …)} #mid #_ <EQinit_regs
+>map_eval_add_dummy_variance_id >move_spec normalize nodelta
+[2: whd inversion(colouring …) normalize nodelta [#n #_ @I] #R
+    #EQR
+    cases(colouring_is_never_forbidden … (proj1 … (fetch_statement_inv … EQfetch)) … EQR)
+    #_ * #_ * #H1 * #H2 #_ %{H1 H2} ]
+cases(vertex_retrieve_read_arg_decision_commute … (proj1 … (fetch_statement_inv … EQfetch)) … (inl ?? r) … Rst1st2 …)
+[2: *
+   [ #r1 #R #EQR * #EQ destruct
+     cases(colouring_is_never_forbidden … (proj1 … (fetch_statement_inv … EQfetch)) … EQR)
+     #_ * #_ * * #H1 * * #H2 #_ @⊥ try( @H1 %) @H2 %
+   | #R1 #R2 >hdw_same_colouring #EQ destruct * #EQ destruct cases(in_lattice …) %
+   ]
+|3,4: cases(in_lattice …) %
+|6: % [2: %] % [ % #EQ destruct]
+    >(all_used_are_live_before fix_comp … (proj2 … (fetch_statement_inv … EQfetch)))
+    [% | % | @set_member_singl]
+|8: whd in match ertl_vertex_retrieve; normalize nodelta >EQbv in ⊢ (??%?); %
+|*:
+]
+* #bv' #st2' * #EQst2' * #EQ destruct(EQ) #Rst1st2' >EQst2' >m_return_bind >m_return_bind
+>m_return_bind >m_return_bind
+cases(state_rel_insensitive_to_dead_write_decision … (proj1 … (fetch_statement_inv … EQfetch)) … RegisterA … bv' … Rst1st2' … (refl …))
+[2: %%
+|3: * [#r #EQr cases(colouring_is_never_forbidden … (proj1 … (fetch_statement_inv … EQfetch)) … EQr) * #H @⊥ @H %
+      | #R >hdw_same_colouring #EQ destruct(EQ) whd in match update_fun; normalize nodelta
+        cases(in_lattice …) %
+      ]
+]
+#st2'' * #EQst2'' #Rst1st2'' >EQst2'' inversion(colouring …) normalize nodelta
+[ #n | #R] #EQcol <commute_if % [2,4: %{(refl …)} |*:] %
+[1,3: %{f1} %{fn1} % [1,3: @if_elim #_ @(proj1 ?? (fetch_statement_inv … EQfetch)) ]
+  cases Rst1st2'' #f2 * #fn2 * #ssize ** >(proj1 ?? (fetch_statement_inv … EQfetch))
+  whd in ⊢ (??%% → ?); #EQ destruct #EQssize inversion(st_frms …) [1,3: #_ *]
+  #frames #EQframes ****** #Hmem #Hframes #Hhw #His #_ #Hstack * #sp *** #EQsp
+  #H1 #H2 #Hps %{f2} %{fn2} %{ssize} %
+  [1,3: @if_elim #_ %{(proj1 … (fetch_statement_inv … EQfetch))} assumption]
+  >EQframes normalize nodelta %
+  [2,4: %{sp}
+      [| @eq_Register_elim
+         [ #EQ destruct(EQ)
+           cases(colouring_is_never_forbidden …
+                         (proj1 … (fetch_statement_inv … EQfetch)) … EQcol)
+           * #ABS #_ @⊥ @ABS % ]
+         #RnoA normalize nodelta ] %
+      [2,4: #r1 #d1 * @andb_elim @if_elim <commute_if in ⊢ (% → ?);
+            whd in match (pc_block ?); >point_of_pc_of_point #r1_live *
+            [ <commute_if in ⊢ (% → ?); ] whd in match (pc_block ?); #EQ
+            destruct(EQ) #v1 #EQv1 cases(Hps … EQv1)
+            [3,6: % [2,4: %] whd in match update_fun; normalize nodelta
+                  whd in match (livebefore ?????);
+                  change with (stmt_at ??? (point_of_pc ERTL_semantics ?)) in
+                           ⊢ (?(?(??match % with [_ ⇒ ? | _ ⇒ ? ])?));
+                  >(proj2 … (fetch_statement_inv … EQfetch)) normalize nodelta
+                  whd in match statement_semantics; normalize nodelta
+                  @andb_Prop [2,4: @I]
+                  @set_member_union1 @set_member_diff [2,4: @set_member_empty]
+                  @(set_member_subset_if … r1_live)
+                  lapply(included_livebefore_livebeafter_stmt_labels
+                                 fix_comp … (init_regs (pc_block (pc … st1))) …
+                                 (proj2 ?? (fetch_statement_inv … EQfetch))
+                                 (if b then ltrue else lfalse) ?)
+                   [1,3: cases b normalize nodelta
+                          whd in match stmt_labels; whd in match stmt_explicit_labels;
+                          whd in match step_labels; normalize nodelta
+                          [1,3: >memb_cons [1,3: @I |*: @memb_hd] |*: >memb_hd @I ] ]
+                   whd in match (l_included ???); cases(set_subset (identifier ?) ??)
+                   [1,3: #_ @I] @if_elim **
+            |*:
+            ]
+            #v1' inversion(colouring …) normalize nodelta
+            [1,3: #n #EQn * #H1 #EQ destruct(EQ) %{v1'} % [2,4: %]
+                  [ >(commute_if ????? (λx.m LTL_semantics x))
+                    whd in match (m ??); @if_elim #_ ]
+                  whd in match write_decision in EQst2''; normalize nodelta in EQst2'';
+                  >m_return_bind in EQst2''; whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+                  assumption
+            |*: #R #EQR * whd in ⊢ (??%% → ?); #EQ1 #EQ2 destruct(EQ1 EQ2)
+                %{(hwreg_retrieve (regs … st2'') R)} % [2,3,4: % ]
+                @if_elim #_ whd in match set_regs; normalize nodelta
+                [ >hwreg_retrieve_insensitive_to_set_other ]
+                >hwreg_retrieve_hwregstore_miss
+                [1,3: whd in match write_decision in EQst2''; normalize nodelta in EQst2'';
+                      >m_return_bind in EQst2''; whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+                      >hwreg_retrieve_hwregstore_miss [1,3: %] ]
+                % #EQ destruct(EQ)
+                cases(colouring_is_never_forbidden …
+                         (proj1 … (fetch_statement_inv … EQfetch)) … EQR)
+                * #ABS #_ @ABS %
+            ]
+      |*: % try % try assumption
+          [1,3: change with (hwreg_retrieve_sp ?) in ⊢ (??%?);
+                [ @if_elim #_ whd in match set_regs; normalize nodelta
+                  [ >hwreg_retrieve_sp_insensitive_to_set_other ]
+                  >hwreg_retrieve_sp_insensitive_to_regstore
+                  [1,4: whd in match write_decision in EQst2'';
+                        normalize nodelta in EQst2''; >m_return_bind in EQst2'';
+                        whd in ⊢ (??%% → ?); #EQ destruct(EQ)
+                        change with (hwreg_retrieve_sp ?) in EQsp : (??%?);
+                        >hwreg_retrieve_sp_insensitive_to_regstore in EQsp;
+                        [1,4: //]
+                  ]
+                  % normalize #EQ destruct
+               | @eq_Register_elim [2: #_ assumption ] #EQ destruct(EQ)
+                 cases(colouring_is_never_forbidden …
+                         (proj1 … (fetch_statement_inv … EQfetch)) … EQcol)
+                 * #ABS #_ @⊥ @ABS %
+               ]
+          |*:
 cases(ps_reg_retrieve_hw_reg_retrieve_commute prog ???? init_regs f_lbls
 f_regs f fn (pc … st1) ?????????)

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 3388

Legend:

LTS/Simulation.ma

LTS/Traces.ma

src/ERTL/ERTLToLTLProof.ma

Download in other formats: