Context Navigation

← Previous Change
Next Change →

C-semantics

Timestamp:

Feb 9, 2011, 11:49:17 AM (10 years ago)

Author:

campbell

Message:

Port Clight semantics to the new-new matita syntax.

Location:

Deliverables/D3.1/C-semantics

Files:

: 23 edited

AST.ma (modified) (15 diffs)
Animation.ma (modified) (4 diffs)
Cexec.ma (modified) (24 diffs)
CexecComplete.ma (modified) (4 diffs)
CexecEquiv.ma (modified) (12 diffs)
CexecSound.ma (modified) (2 diffs)
Coqlib.ma (modified) (9 diffs)
CostLabel.ma (modified) (1 diff)
Csem.ma (modified) (60 diffs)
Csyntax.ma (modified) (39 diffs)
Errors.ma (modified) (7 diffs)
Events.ma (modified) (9 diffs)
Floats.ma (modified) (1 diff)
Globalenvs.ma (modified) (46 diffs)
IOMonad.ma (modified) (7 diffs)
Integers.ma (modified) (26 diffs)
Maps.ma (modified) (6 diffs)
Mem.ma (modified) (100 diffs)
Smallstep.ma (modified) (15 diffs)
Values.ma (modified) (40 diffs)
binary/Z.ma (modified) (16 diffs)
binary/positive.ma (modified) (21 diffs)
extralib.ma (modified) (20 diffs)

Legend:

: Unmodified
: Added
: Removed

Deliverables/D3.1/C-semantics/AST.ma

-                      r485
+                      r487
   the abstract syntax trees of many of the intermediate languages. *)
 include "datatypes/sums.ma".
+include "basics/types.ma".
 include "extralib.ma".
 include "Integers.ma".
 …
   etc) are represented by the type [positive] of positive integers. *)
 ndefinition ident ≝ Pos.
 ndefinition ident_eq : ∀x,y:ident. (x=y) + (x≠y).
 #x y; nlapply (pos_compare_to_Prop x y); ncases (pos_compare x y);
 ##[ #H; @2; /2/; ##| #H; @1; //; ##| #H; @2; /2/ ##] nqed.
+definition ident ≝ Pos.
+definition ident_eq : ∀x,y:ident. (x=y) + (x≠y).
+#x #y lapply (pos_compare_to_Prop x y); cases (pos_compare x y);
+[ #H %2 /2/; | #H %1 //; | #H %2 /2/ ] qed.
 (*
 (* XXX: we use nats for now, but if in future we use binary like compcert
         then the maps will be easier to define. *)
 ndefinition ident ≝ nat.
 ndefinition ident_eq : ∀x,y:ident. (x=y) + (x≠y).
 #x; nelim x;
 ##[ #y; ncases y; /3/;
 ##| #x'; #IH; #y; ncases y;
   ##[ @2; @; #H; ndestruct
   ##| #y'; nelim (IH y');
     ##[ #e; ndestruct; /2/
     ##| #ne; @2; /2/;
     ##]
   ##]
 ##] nqed.
+definition ident ≝ nat.
+definition ident_eq : ∀x,y:ident. (x=y) + (x≠y).
+#x elim x;
+[ #y cases y; /3/;
+| #x' #IH #y cases y;
+  [ %{2} % #H destruct
+  | #y' elim (IH y');
+    [ #e destruct; /2/
+    | #ne %{2} /2/;
+    ]
+  ]
+] qed.
 *)
 (* * The intermediate languages are weakly typed, using only two types:
 …
   numbers. *)
 ninductive typ : Type ≝
+inductive typ : Type[0] ≝
   | ASTint : typ
   | ASTfloat : typ.
 ndefinition typesize : typ → Z ≝ λty.
+definition typesize : typ → Z ≝ λty.
   match ty return λ_.Z with  [ ASTint ⇒ 4 | ASTfloat ⇒ 8 ].
 nlemma typesize_pos: ∀ty. typesize ty > 0.
 #ty; ncases ty; //; nqed.
 nlemma typ_eq: ∀t1,t2: typ. (t1=t2) + (t1≠t2).
 #t1;#t2;ncases t1;ncases t2;/2/; @2; napply nmk; #H; ndestruct; nqed.
 nlemma opt_typ_eq: ∀t1,t2: option typ. (t1=t2) + (t1≠t2).
 #t1;#t2;ncases t1;ncases t2;/2/;
 ##[ ##1,2: #ty; @2; napply nmk; #H; ndestruct;
+##| #ty1;#ty2; nelim (typ_eq ty1 ty2); /2/; #neq; @2; napply nmk;
     #H; ndestruct; /2/;
 ##] nqed.
+lemma typesize_pos: ∀ty. typesize ty > 0.
+#ty cases ty; //; qed.
+lemma typ_eq: ∀t1,t2: typ. (t1=t2) + (t1≠t2).
+#t1 #t2 cases t1;cases t2;/2/; %2 @nmk #H destruct; qed.
+lemma opt_typ_eq: ∀t1,t2: option typ. (t1=t2) + (t1≠t2).
+#t1 #t2 cases t1;cases t2;/2/;
+[ 1,2: #ty %2 @nmk #H destruct;
+| #ty1 #ty2 elim (typ_eq ty1 ty2); /2/; #neq %2 @nmk
+    #H destruct; /2/;
+] qed.
 (* * Additionally, function definitions and function calls are annotated
 …
   for the function. *)
 nrecord signature : Type ≝ {
+record signature : Type[0] ≝ {
   sig_args: list typ;
   sig_res: option typ
 }.
 ndefinition proj_sig_res : signature → typ ≝ λs.
+definition proj_sig_res : signature → typ ≝ λs.
   match sig_res s with
   [ None ⇒ ASTint
 …
 (* Memory spaces *)
 ninductive region : Type ≝
+inductive region : Type[0] ≝
   | Any : region
   | Data : region
 …
   | Code : region.
 ndefinition eq_region : region → region → bool ≝
+definition eq_region : region → region → bool ≝
 λr1,r2.
   match r1 with
 …
   ].
 nlemma eq_region_elim : ∀P:bool → Type. ∀r1,r2.
+lemma eq_region_elim : ∀P:bool → Type[0]. ∀r1,r2.
   (r1 = r2 → P true) → (r1 ≠ r2 → P false) →
   P (eq_region r1 r2).
 #P r1 r2; ncases r1; ncases r2; #Ptrue Pfalse;
+ntry ( napply Ptrue // );
 napply Pfalse; @; #E; ndestruct;
 nqed.
 ndefinition eq_region_dec : ∀r1,r2:region. (r1=r2)+(r1≠r2).
 #r1 r2; napply (eq_region_elim ? r1 r2); /2/; nqed.
+#P #r1 #r2 cases r1; cases r2; #Ptrue #Pfalse
+try ( @Ptrue // )
+@Pfalse % #E destruct;
+qed.
+definition eq_region_dec : ∀r1,r2:region. (r1=r2)+(r1≠r2).
+#r1 #r2 @(eq_region_elim ? r1 r2) /2/; qed.
 (* * Memory accesses (load and store instructions) are annotated by
 …
   chunk of memory being accessed. *)
 ninductive memory_chunk : Type[0] ≝
+inductive memory_chunk : Type[0] ≝
   | Mint8signed : memory_chunk     (*r 8-bit signed integer *)
   | Mint8unsigned : memory_chunk   (*r 8-bit unsigned integer *)
 …
 (* * Initialization data for global variables. *)
 ninductive init_data: Type[0] ≝
+inductive init_data: Type[0] ≝
   | Init_int8: int → init_data
   | Init_int16: int → init_data
 …
 programs are common to all languages. *)
 nrecord program (F,V: Type) : Type := {
+record program (F,V: Type[0]) : Type[0] := {
   prog_funct: list (ident × F);
   prog_main: ident;
 …
 }.
 ndefinition prog_funct_names ≝ λF,V: Type. λp: program F V.
+definition prog_funct_names ≝ λF,V: Type[0]. λp: program F V.
   map ?? (fst ident F) (prog_funct ?? p).
 ndefinition prog_var_names ≝ λF,V: Type. λp: program F V.
+definition prog_var_names ≝ λF,V: Type[0]. λp: program F V.
   map ?? (λx: ident × (list init_data) × region × V. fst ?? (fst ?? (fst ?? x))) (prog_vars ?? p).
 (*
 …
 *)
 ndefinition transf_program : ∀A,B. (A → B) → list (ident × A) → list (ident × B) ≝
+definition transf_program : ∀A,B. (A → B) → list (ident × A) → list (ident × B) ≝
 λA,B,transf,l.
   map ?? (λid_fn. 〈fst ?? id_fn, transf (snd ?? id_fn)〉) l.
 ndefinition transform_program : ∀A,B,V. (A → B) → program A V → program B V ≝
+definition transform_program : ∀A,B,V. (A → B) → program A V → program B V ≝
 λA,B,V,transf,p.
   mk_program B V
 …
     (prog_main A V p)
     (prog_vars A V p).
 nlemma transform_program_function:
+(*
+lemma transform_program_function:
   ∀A,B,V,transf,p,i,tf.
   in_list ? 〈i, tf〉 (prog_funct ?? (transform_program A B V transf p)) →
   ∃f. in_list ? 〈i, f〉 (prog_funct ?? p) ∧ transf f = tf.
 nnormalize; #A B V transf p i tf H; nelim (list_in_map_inv ????? H);
 #x; nelim x; #i' tf'; *; #e H; ndestruct; @tf'; /2/;
 nqed.
+normalize; #A #B #V #transf #p #i #tf #H elim (list_in_map_inv ????? H);
+#x elim x; #i' #tf' *; #e #H destruct; %{tf'} /2/;
+qed.
+*)
 (*
 End TRANSF_PROGRAM.
 …
   a type for such functions and some generic transformation functions. *)
 nrecord external_function : Type ≝ {
+record external_function : Type[0] ≝ {
   ef_id: ident;
   ef_sig: signature
 }.
 (*
 ninductive fundef (F: Type): Type ≝
+inductive fundef (F: Type): Type ≝
   | Internal: F → fundef F
   | External: external_function → fundef F.
 …
 Variable transf: A -> B.
 *)
 ndefinition transf_fundef : ∀A,B. (A→B) → fundef A → fundef B ≝
+definition transf_fundef : ∀A,B. (A→B) → fundef A → fundef B ≝
 λA,B,transf,fd.
   match fd with

Deliverables/D3.1/C-semantics/Animation.ma

-                      r478
+                      r487
    we stop at a continuation - it can be too large to work with. *)
 ndefinition get_input : ∀o:io_out. eventval → res (io_in o) ≝
+definition get_input : ∀o:io_out. eventval → res (io_in o) ≝
 λo,ev.
 match io_in_typ o return λt. res (eventval_type t) with
 …
 ].
 nlet rec up_to_nth_step (n:nat) (input:list eventval) (e:execution) (t:trace) : res (trace × state) ≝
+let rec up_to_nth_step (n:nat) (input:list eventval) (e:execution) (t:trace) : res (trace × state) ≝
 match n with
 [ O ⇒ match e with [ e_step tr s _ ⇒ OK ? 〈t⧺tr, s〉
 …
 ].
 ndefinition exec_up_to : clight_program → nat → list eventval → res (trace × state) ≝
+definition exec_up_to : clight_program → nat → list eventval → res (trace × state) ≝
 λp,n,i. up_to_nth_step n i (exec_inf p) E0.
 …
    For example,
    nremark exec: result ? (exec_up_to myprog 20 [EVint (repr 12)]).
    nnormalize;  (* you can examine the result here *)
    @; nqed.
+   example exec: result ? (exec_up_to myprog 20 [EVint (repr 12)]).
+   normalize  (* you can examine the result here *)
+   % qed.
  *)
 ninductive result (A:Type) : A → Type ≝
+inductive result (A:Type[0]) : A → Type[0] ≝
 | witness : ∀a:A. result A a.

Deliverables/D3.1/C-semantics/Cexec.ma

-                      r485
+                      r487
 include "IOMonad.ma".
+(*
 include "Plogic/russell_support.ma".
 ndefinition P_to_P_option_res : ∀A:Type[0].∀P:A → CProp[0].option (res A) → CProp[0] ≝
+*)
+definition P_to_P_option_res : ∀A:Type[0].∀P:A → CProp[0].option (res A) → CProp[0] ≝
   λA,P,a.match a with [ None ⇒ False | Some y ⇒ match y return λ_.CProp[0] with [ Error ⇒ True | OK z ⇒ P z ]].
 ndefinition err_inject : ∀A.∀P:A → Prop.∀a:option (res A).∀p:P_to_P_option_res A P a.res (sigma A P) ≝
+definition err_inject : ∀A.∀P:A → Prop.∀a:option (res A).∀p:P_to_P_option_res A P a.res (Sig A P) ≝
   λA.λP:A → Prop.λa:option (res A).λp:P_to_P_option_res A P a.
   (match a return λa'.a=a' → res (sigma A P) with
+  (match a return λa'.a=a' → res (Sig A P) with
    [ None ⇒ λe1.?
    | Some b ⇒ λe1.(match b return λb'.b=b' → ? with
      [ Error ⇒ λ_. Error ?
      | OK c ⇒ λe2. OK ? (sig_intro A P c ?)
+     | OK c ⇒ λe2. OK ? (dp A P c ?)
      ]) (refl ? b)
    ]) (refl ? a).
 ##[ nrewrite > e1 in p; nnormalize; *;
 ##| nrewrite > e1 in p; nrewrite > e2; nnormalize; //
 ##] nqed.
 ndefinition err_eject : ∀A.∀P: A → Prop. res (sigma A P) → res A ≝
+[ >e1 in p; normalize; *;
+| >e1 in p >e2 normalize; //
+] qed.
+definition err_eject : ∀A.∀P: A → Prop. res (Sig A P) → res A ≝
   λA,P,a.match a with [ Error ⇒ Error ? | OK b ⇒
     match b with [ sig_intro w p ⇒ OK ? w] ].
 ndefinition sig_eject : ∀A.∀P: A → Prop. sigma A P → A ≝
   λA,P,a.match a with [ sig_intro w p ⇒ w].
 ncoercion err_inject :
   ∀A.∀P:A → Prop.∀a.∀p:P_to_P_option_res ? P a.res (sigma A P) ≝ err_inject
   on a:option (res ?) to res (sigma ? ?).
 ncoercion err_eject : ∀A.∀P:A → Prop.∀c:res (sigma A P).res A ≝ err_eject
   on _c:res (sigma ? ?) to res ?.
 ncoercion sig_eject : ∀A.∀P:A → Prop.∀c:sigma A P.A ≝ sig_eject
   on _c:sigma ? ? to ?.
 ndefinition P_res: ∀A.∀P:A → Prop.res A → Prop ≝
+    match b with [ dp w p ⇒ OK ? w] ].
+definition sig_eject : ∀A.∀P: A → Prop. Sig A P → A ≝
+  λA,P,a.match a with [ dp w p ⇒ w].
+coercion err_inject :
+  ∀A.∀P:A → Prop.∀a.∀p:P_to_P_option_res ? P a.res (Sig A P) ≝ err_inject
+  on a:option (res ?) to res (Sig ? ?).
+coercion err_eject : ∀A.∀P:A → Prop.∀c:res (Sig A P).res A ≝ err_eject
+  on _c:res (Sig ? ?) to res ?.
+coercion sig_eject : ∀A.∀P:A → Prop.∀c:Sig A P.A ≝ sig_eject
+  on _c:Sig ? ? to ?.
+definition P_res: ∀A.∀P:A → Prop.res A → Prop ≝
   λA,P,a. match a with [ Error ⇒ True | OK v ⇒ P v ].
 ndefinition exec_bool_of_val : ∀v:val. ∀ty:type. res bool ≝
+definition exec_bool_of_val : ∀v:val. ∀ty:type. res bool ≝
   λv,ty. match v in val with
   [ Vint i ⇒ match ty with
 …
   ].
 nlemma bool_of_val_complete : ∀v,ty,r. bool_of_val v ty r → ∃b. r = of_bool b ∧ exec_bool_of_val v ty = OK ? b.
 #v ty r H; nelim H; #v t H'; nelim H';
   ##[ #i is s ne; @ true; @; //; nwhd in ⊢ (??%?); nrewrite > (eq_false … ne); //;
   ##| #p b i i0 s; @ true; @; //
   ##| #f s ne; @ true; @; //; nwhd in ⊢ (??%?); nrewrite > (Feq_zero_false … ne); //;
   ##| #i s; @ false; @; //;
   ##| #r r' t; @ false; @; //;
   ##| #s; @ false; @; //; nwhd in ⊢ (??%?); nrewrite > (Feq_zero_true …); //;
   ##]
 nqed.
+lemma bool_of_val_complete : ∀v,ty,r. bool_of_val v ty r → ∃b. r = of_bool b ∧ exec_bool_of_val v ty = OK ? b.
+#v #ty #r #H elim H; #v #t #H' elim H';
+  [ #i #is #s #ne %{ true} % //; whd in ⊢ (??%?); >(eq_false … ne) //;
+  | #p #b #i #i0 #s %{ true} % //
+  | #f #s #ne %{ true} % //; whd in ⊢ (??%?); >(Feq_zero_false … ne) //;
+  | #i #s %{ false} % //;
+  | #r #r' #t %{ false} % //;
+  | #s %{ false} % //; whd in ⊢ (??%?); >(Feq_zero_true …) //;
+  ]
+qed.
 (* Prove a few minor results to make proof obligations easy. *)
 nlemma bind_OK: ∀A,B,P,e,f.
+lemma bind_OK: ∀A,B,P,e,f.
   (∀v. e = OK A v → match f v with [ Error ⇒ True | OK v' ⇒ P v' ]) →
   match bind A B e f with [ Error ⇒ True | OK v ⇒ P v ].
 #A B P e f; nelim e; /2/; nqed.
 nlemma sig_bind_OK: ∀A,B. ∀P:A → Prop. ∀P':B → Prop. ∀e:res (sigma A P). ∀f:sigma A P → res B.
   (∀v:A. ∀p:P v. match f (sig_intro A P v p) with [ Error ⇒ True | OK v' ⇒ P' v'] ) →
   match bind (sigma A P) B e f with [ Error ⇒ True | OK v' ⇒ P' v' ].
 #A B P P' e f; nelim e;
+##[ #v0; nelim v0; #v Hv IH; napply IH;
+##| #_; napply I;
 ##] nqed.
 nlemma bind2_OK: ∀A,B,C,P,e,f.
+#A #B #P #e #f elim e; /2/; qed.
+lemma sig_bind_OK: ∀A,B. ∀P:A → Prop. ∀P':B → Prop. ∀e:res (Sig A P). ∀f:Sig A P → res B.
+  (∀v:A. ∀p:P v. match f (dp A P v p) with [ Error ⇒ True | OK v' ⇒ P' v'] ) →
+  match bind (Sig A P) B e f with [ Error ⇒ True | OK v' ⇒ P' v' ].
+#A #B #P #P' #e #f elim e;
+[ #v0 elim v0; #v #Hv #IH @IH
+| #_ @I
+] qed.
+lemma bind2_OK: ∀A,B,C,P,e,f.
   (∀v1,v2. e = OK ? 〈v1,v2〉 → match f v1 v2 with [ Error ⇒ True | OK v' ⇒ P v' ]) →
   match bind2 A B C e f with [ Error ⇒ True | OK v ⇒ P v ].
 #A B C P e f; nelim e; //; #v; ncases v; /2/; nqed.
 nlemma sig_bind2_OK: ∀A,B,C. ∀P:A×B → Prop. ∀P':C → Prop. ∀e:res (sigma (A×B) P). ∀f:A → B → res C.
+#A #B #C #P #e #f elim e; //; #v cases v; /2/; qed.
+lemma sig_bind2_OK: ∀A,B,C. ∀P:A×B → Prop. ∀P':C → Prop. ∀e:res (Sig (A×B) P). ∀f:A → B → res C.
   (∀v1:A.∀v2:B. P 〈v1,v2〉 → match f v1 v2 with [ Error ⇒ True | OK v' ⇒ P' v'] ) →
   match bind2 A B C e f with [ Error ⇒ True | OK v' ⇒ P' v' ].
 #A B C P P' e f; nelim e; //;
 #v0; nelim v0; #v; nelim v; #v1 v2 Hv IH; napply IH; //; nqed.
 nlemma opt_bind_OK: ∀A,B,P,e,f.
+#A #B #C #P #P' #e #f elim e; //;
+#v0 elim v0; #v elim v; #v1 #v2 #Hv #IH @IH //; qed.
+lemma opt_bind_OK: ∀A,B,P,e,f.
   (∀v. e = Some A v → match f v with [ Error ⇒ True | OK v' ⇒ P v' ]) →
   match bind A B (opt_to_res A e) f with [ Error ⇒ True | OK v ⇒ P v ].
 #A B P e f; nelim e; nnormalize; /2/; nqed.
 nlemma extract_subset_pair: ∀A,B,C,P. ∀e:{e:A×B | P e}. ∀Q:A→B→res C. ∀R:C→Prop.
+#A #B #P #e #f elim e; normalize; /2/; qed.
+(*
+lemma extract_subset_pair: ∀A,B,C,P. ∀e:{e:A×B | P e}. ∀Q:A→B→res C. ∀R:C→Prop.
   (∀a,b. eject ?? e = 〈a,b〉 → P 〈a,b〉 → match Q a b with [ OK v ⇒ R v | Error ⇒ True]) →
   match match eject ?? e with [ mk_pair a b ⇒ Q a b ] with [ OK v ⇒ R v | Error ⇒ True ].
 #A B C P e Q R; ncases e; #e'; ncases e'; nnormalize;
+##[ #H; napply (False_ind … H);
 ##| #e''; ncases e''; #a b Pab H; nnormalize; /2/;
 ##] nqed.
+  match match eject ?? e with [ pair a b ⇒ Q a b ] with [ OK v ⇒ R v | Error ⇒ True ].
+#A #B #C #P #e #Q #R cases e; #e' cases e'; normalize;
+[ #H @(False_ind … H)
+| #e'' cases e''; #a #b #Pab #H normalize; /2/;
+] qed.
+*)
 (*
 nremark err_later: ∀A,B. ∀e:res A. match e with [ Error ⇒ Error B | OK v ⇒ Error B ] = Error B.
 #A B e; ncases e; //; nqed.
+#A #B #e cases e; //; qed.
 *)
 ndefinition try_cast_null : ∀m:mem. ∀i:int. ∀ty:type. ∀ty':type. res val  ≝
+definition try_cast_null : ∀m:mem. ∀i:int. ∀ty:type. ∀ty':type. res val  ≝
 λm:mem. λi:int. λty:type. λty':type.
 match eq i zero with
 …
 ].
 ndefinition exec_cast : ∀m:mem. ∀v:val. ∀ty:type. ∀ty':type. res val ≝
+definition exec_cast : ∀m:mem. ∀v:val. ∀ty:type. ∀ty':type. res val ≝
 λm:mem. λv:val. λty:type. λty':type.
 match v with
 …
 | Vptr p b ofs ⇒
     do s ← match ty with [ Tpointer s _ ⇒ OK ? s | Tarray s _ _ ⇒ OK ? s | Tfunction _ _ ⇒ OK ? Code | _ ⇒ Error ? ];
     do u ← match eq_region_dec p s with [ inl _ ⇒ OK ? something | inr _ ⇒ Error ? ];
+    do u ← match eq_region_dec p s with [ inl _ ⇒ OK ? it | inr _ ⇒ Error ? ];
     do s' ← match ty' with
          [ Tpointer s _ ⇒ OK ? s | Tarray s _ _ ⇒ OK ? s | Tfunction _ _ ⇒ OK ? Code
 …
 | Vnull r ⇒
     do s ← match ty with [ Tpointer s _ ⇒ OK ? s | Tarray s _ _ ⇒ OK ? s | Tfunction _ _ ⇒ OK ? Code | _ ⇒ Error ? ];
     do u ← match eq_region_dec r s with [ inl _ ⇒ OK ? something | inr _ ⇒ Error ? ];
+    do u ← match eq_region_dec r s with [ inl _ ⇒ OK ? it | inr _ ⇒ Error ? ];
     do s' ← match ty' with
          [ Tpointer s _ ⇒ OK ? s | Tarray s _ _ ⇒ OK ? s | Tfunction _ _ ⇒ OK ? Code
 …
 ].
 ndefinition load_value_of_type' ≝
 λty,m,l. match l with [ mk_pair pl ofs ⇒ match pl with [ mk_pair psp loc ⇒
+definition load_value_of_type' ≝
+λty,m,l. match l with [ pair pl ofs ⇒ match pl with [ pair psp loc ⇒
   load_value_of_type ty m psp loc ofs ] ].
 …
    and use exec_lvalue'. *)
 nlet rec exec_expr (ge:genv) (en:env) (m:mem) (e:expr) on e : res (val×trace) ≝
+let rec exec_expr (ge:genv) (en:env) (m:mem) (e:expr) on e : res (val×trace) ≝
 match e with
 [ Expr e' ty ⇒
 …
   | Eaddrof a ⇒
       do 〈plo,tr〉 ← exec_lvalue ge en m a;
       OK ? 〈match plo with [ mk_pair pl ofs ⇒ match pl with [ mk_pair pcl loc ⇒ Vptr pcl loc ofs ] ], tr〉
+      OK ? 〈match plo with [ pair pl ofs ⇒ match pl with [ pair pcl loc ⇒ Vptr pcl loc ofs ] ], tr〉
   | Esizeof ty' ⇒ OK ? 〈Vint (repr (sizeof ty')), E0〉
   | Eunop op a ⇒
 …
 match e with [ Expr e' ty ⇒ exec_lvalue' ge en m e' ty ].
 nlemma P_res_to_P: ∀A,P,e,v.  P_res A P e → e = OK A v → P v.
 #A P e v H1 H2; nrewrite > H2 in H1; nwhd in ⊢ (% → ?); //; nqed.
+lemma P_res_to_P: ∀A,P,e,v.  P_res A P e → e = OK A v → P v.
+#A #P #e #v #H1 #H2 >H2 in H1; whd in ⊢ (% → ?); //; qed.
 (* We define a special induction principle tailored to the recursive definition
    above. *)
 ndefinition is_not_lvalue: expr_descr → Prop ≝
+definition is_not_lvalue: expr_descr → Prop ≝
 λe. match e with [ Evar _ ⇒ False | Ederef _ ⇒ False | Efield _ _ ⇒ False | _ ⇒ True ].
 ndefinition Plvalue ≝ λP:(expr → Prop).λe,ty.
+definition Plvalue ≝ λP:(expr → Prop).λe,ty.
 match e return λ_.Prop with [ Evar _ ⇒ P (Expr e ty) | Ederef _ ⇒ P (Expr e ty) | Efield _ _ ⇒ P (Expr e ty) | _ ⇒ True ].
 (* TODO: Can we do this sensibly with a map combinator? *)
 nlet rec exec_exprlist (ge:genv) (e:env) (m:mem) (l:list expr) on l : res (list val×trace) ≝
+let rec exec_exprlist (ge:genv) (e:env) (m:mem) (l:list expr) on l : res (list val×trace) ≝
 match l with
 [ nil ⇒ OK ? 〈nil val, E0〉
 …
 ].
+(* Don't really want to use subset rather than sigma here, but can't be bothered
+   with *another* set of coercions. XXX: why do I have to get the recursive
+   call's property manually? *)
+nlet rec exec_alloc_variables (en:env) (m:mem) (l:list (ident × type)) on l : { r:env × mem | alloc_variables en m l (\fst r) (\snd r) } ≝
+let rec exec_alloc_variables (en:env) (m:mem) (l:list (ident × type)) on l : env × mem ≝
 match l with
 [ nil ⇒ Some ? 〈en, m〉
+[ nil ⇒ 〈en, m〉
 | cons h vars ⇒
+  match h with [ mk_pair id ty ⇒
+    match alloc m 0 (sizeof ty) Any with [ mk_pair m1 b1 ⇒
+      match exec_alloc_variables (set … id b1 en) m1 vars with
+      [ sig_intro r p ⇒ r ]
+]]]. nwhd;
+##[ //;
+##| nelim (exec_alloc_variables (set ident ? ? c3 c7 en) c6 c1);
+    #H; nelim H; //; #H0; nelim H0; nnormalize; #en' m' IH;
+napply (alloc_variables_cons … IH); /2/;
+nqed.
+  match h with [ pair id ty ⇒
+    match alloc m 0 (sizeof ty) Any with [ pair m1 b1 ⇒
+      exec_alloc_variables (set … id b1 en) m1 vars
+]]].
 (* TODO: can we establish that length params = length vs in advance? *)
 nlet rec exec_bind_parameters (e:env) (m:mem) (params:list (ident × type)) (vs:list val) on params : res (Σm2:mem. bind_parameters e m params vs m2) ≝
+let rec exec_bind_parameters (e:env) (m:mem) (params:list (ident × type)) (vs:list val) on params : res mem ≝
   match params with
   [ nil ⇒ match vs with [ nil ⇒ Some ? (OK ? m) | cons _ _ ⇒ Some ? (Error ?) ]
   | cons idty params' ⇒ match idty with [ mk_pair id ty ⇒
+  [ nil ⇒ match vs with [ nil ⇒ OK ? m | cons _ _ ⇒ Error ? ]
+  | cons idty params' ⇒ match idty with [ pair id ty ⇒
       match vs with
       [ nil ⇒ Some ? (Error ?)
       | cons v1 vl ⇒ Some ? (
+      [ nil ⇒ Error ?
+      | cons v1 vl ⇒
           do b ← opt_to_res ? (get … id e);
           do m1 ← opt_to_res ? (store_value_of_type ty m Any b zero v1);
           err_eject ?? (exec_bind_parameters e m1 params' vl)) (* FIXME: don't want to have to eject here *)
+          exec_bind_parameters e m1 params' vl
+      ]
   ] ].
+nwhd; //;
+napply opt_bind_OK; #b eb;
+napply opt_bind_OK; #m1 em1;
+napply sig_bind_OK; #m2 Hm2;
+napply (bind_parameters_cons … eb em1 Hm2);
+nqed.
+alias id "Tint" = "cic:/matita/c-semantics/Csyntax/type.con(0,2,0)".
+alias id "Tfloat" = "cic:/matita/c-semantics/Csyntax/type.con(0,3,0)".
+ndefinition sz_eq_dec : ∀s1,s2:intsize. (s1 = s2) + (s1 ≠ s2).
+#s1; ncases s1; #s2; ncases s2; /2/; @2; @; #H; ndestruct; nqed.
+ndefinition sg_eq_dec : ∀s1,s2:signedness. (s1 = s2) + (s1 ≠ s2).
+#s1; ncases s1; #s2; ncases s2; /2/; @2; @; #H; ndestruct; nqed.
+ndefinition fs_eq_dec : ∀s1,s2:floatsize. (s1 = s2) + (s1 ≠ s2).
+#s1; ncases s1; #s2; ncases s2; /2/; @2; @; #H; ndestruct; nqed.
+nlet rec type_eq_dec (t1,t2:type) : (t1 = t2) + (t1 ≠ t2) ≝
+definition sz_eq_dec : ∀s1,s2:intsize. (s1 = s2) + (s1 ≠ s2).
+#s1 cases s1; #s2 cases s2; /2/; %2 ; % #H destruct; qed.
+definition sg_eq_dec : ∀s1,s2:signedness. (s1 = s2) + (s1 ≠ s2).
+#s1 cases s1; #s2 cases s2; /2/; %2 ; % #H destruct; qed.
+definition fs_eq_dec : ∀s1,s2:floatsize. (s1 = s2) + (s1 ≠ s2).
+#s1 cases s1; #s2 cases s2; /2/; %2 ; % #H destruct; qed.
+let rec type_eq_dec (t1,t2:type) : (t1 = t2) + (t1 ≠ t2) ≝
 match t1 return λt'. (t' = t2) + (t' ≠ t2) with
 [ Tvoid ⇒ match t2 return λt'. (Tvoid = t') + (Tvoid ≠ t') with [ Tvoid ⇒ inl ?? (refl ??) | _ ⇒ inr ?? (nmk ? (λH.?)) ]
 …
         | inr e ⇒ inr ?? (nmk ? (λH.match e with [ nmk e' ⇒ e' ? ])) ]
         | inr e ⇒ inr ?? (nmk ? (λH.match e with [ nmk e' ⇒ e' ? ])) ] ]
 ]. ndestruct; //; nqed.
 ndefinition assert_type_eq : ∀t1,t2:type. res (t1 = t2) ≝
+]. destruct; //; qed.
+definition assert_type_eq : ∀t1,t2:type. res (t1 = t2) ≝
 λt1,t2. match type_eq_dec t1 t2 with [ inl p ⇒ OK ? p | inr _ ⇒ Error ? ].
 nlet rec is_is_call_cont (k:cont) : (is_call_cont k) + (¬is_call_cont k) ≝
+let rec is_is_call_cont (k:cont) : (is_call_cont k) + (¬is_call_cont k) ≝
 match k return λk'.(is_call_cont k') + (¬is_call_cont k') with
 [ Kstop ⇒ ?
 …
 | _ ⇒ ?
 ].
 ##[ ##1,8: @1; //
 ##| ##*: @2; /2/
 ##] nqed.
 ndefinition is_Sskip : ∀s:statement. (s = Sskip) + (s ≠ Sskip) ≝
+[ 1,8: %1 ; //
+| *: %2 ; /2/
+] qed.
+definition is_Sskip : ∀s:statement. (s = Sskip) + (s ≠ Sskip) ≝
 λs.match s return λs'.(s' = Sskip) + (s' ≠ Sskip) with
 [ Sskip ⇒ inl ?? (refl ??)
 | _ ⇒ inr ?? (nmk ? (λH.?))
 ]. ndestruct;
 nqed.
+]. destruct
+qed.
 (* Checking types of values given to / received from an external function call. *)
 ndefinition eventval_type : ∀ty:typ. Type ≝
+definition eventval_type : ∀ty:typ. Type[0] ≝
 λty. match ty with [ ASTint ⇒ int | ASTfloat ⇒ float ].
 ndefinition mk_eventval: ∀ty:typ. eventval_type ty → eventval ≝
+definition mk_eventval: ∀ty:typ. eventval_type ty → eventval ≝
 λty:typ. match ty return λty'.eventval_type ty' → eventval with [ ASTint ⇒ λv.EVint v | ASTfloat ⇒ λv.EVfloat v ].
 ndefinition mk_val: ∀ty:typ. eventval_type ty → val ≝
+definition mk_val: ∀ty:typ. eventval_type ty → val ≝
 λty:typ. match ty return λty'.eventval_type ty' → val with [ ASTint ⇒ λv.Vint v | ASTfloat ⇒ λv.Vfloat v ].
 nlemma mk_val_correct: ∀ty:typ. ∀v:eventval_type ty.
+lemma mk_val_correct: ∀ty:typ. ∀v:eventval_type ty.
   eventval_match (mk_eventval ty v) ty (mk_val ty v).
 #ty; ncases ty; nnormalize; //; nqed.
 ndefinition convert_eventval : ∀ev:eventval. ∀ty:typ. res (Σv:val. eventval_match ev ty v) ≝
+#ty cases ty; normalize; //; qed.
+definition convert_eventval : ∀ev:eventval. ∀ty:typ. res val ≝
 λev,ty.
 match ty with
 [ ASTint ⇒ match ev with [ EVint i ⇒ Some ? (OK ? (Vint i)) | _ ⇒ Some ? (Error ?) ]
 | ASTfloat ⇒ match ev with [ EVfloat f ⇒ Some ? (OK ? (Vfloat f)) | _ ⇒ Some ? (Error ?) ]
 | _ ⇒ Some ? (Error ?)
 ]. nwhd; //; nqed.
 ndefinition check_eventval' : ∀v:val. ∀ty:typ. res (Σev:eventval. eventval_match ev ty v) ≝
+[ ASTint ⇒ match ev with [ EVint i ⇒ OK ? (Vint i) | _ ⇒ Error ? ]
+| ASTfloat ⇒ match ev with [ EVfloat f ⇒ OK ? (Vfloat f) | _ ⇒ Error ? ]
+| _ ⇒ Error ?
+].
+definition check_eventval' : ∀v:val. ∀ty:typ. res eventval ≝
 λv,ty.
 match ty with
 [ ASTint ⇒ match v with [ Vint i ⇒ Some ? (OK ? (EVint i)) | _ ⇒ Some ? (Error ?) ]
 | ASTfloat ⇒ match v with [ Vfloat f ⇒ Some ? (OK ? (EVfloat f)) | _ ⇒ Some ? (Error ?) ]
+[ ASTint ⇒ match v with [ Vint i ⇒ OK ? (EVint i) | _ ⇒ Error ? ]
+| ASTfloat ⇒ match v with [ Vfloat f ⇒ OK ? (EVfloat f) | _ ⇒ Error ? ]
 | _ ⇒ Some ? (Error ?)
 ]. nwhd; //; nqed.
 nlet rec check_eventval_list (vs: list val) (tys: list typ) : res (Σevs:list eventval. eventval_list_match evs tys vs) ≝
+].
+let rec check_eventval_list (vs: list val) (tys: list typ) : res (list eventval) ≝
 match vs with
 [ nil ⇒ match tys with [ nil ⇒ Some ? (OK ? (nil ?)) | _ ⇒ Some ? (Error ?) ]
+[ nil ⇒ match tys with [ nil ⇒ OK ? (nil ?) | _ ⇒ Error ? ]
 | cons v vt ⇒
   match tys with
   [ nil ⇒ Some ? (Error ?)
   | cons ty tyt ⇒ Some ? (
+  [ nil ⇒ Error ?
+  | cons ty tyt ⇒
     do ev ← check_eventval' v ty;
     do evt ← check_eventval_list vt tyt;
+    OK ? ((sig_eject ?? ev)::evt))
+  ]
+]. nwhd; //;
+napply sig_bind_OK; #ev Hev;
+napply sig_bind_OK; #evt Hevt;
+nnormalize; /2/;
+nqed.
+    OK ? (ev::evt)
+  ]
+].
 (* IO monad *)
 …
 (* Interactions are function calls that return a value and do not change
    the rest of the Clight program's state. *)
 nrecord io_out : Type ≝
+record io_out : Type[0] ≝
 { io_function: ident
 ; io_args: list eventval
 …
 }.
 ndefinition io_in ≝ λo. eventval_type (io_in_typ o).
 ndefinition do_io : ident → list eventval → ∀t:typ. IO io_out io_in (eventval_type t) ≝
+definition io_in ≝ λo. eventval_type (io_in_typ o).
+definition do_io : ident → list eventval → ∀t:typ. IO io_out io_in (eventval_type t) ≝
 λfn,args,t. Interact ??? (mk_io_out fn args t) (λres. Value ??? res).
 ndefinition ret: ∀T. T → (IO io_out io_in T) ≝
+definition ret: ∀T. T → (IO io_out io_in T) ≝
 λT,x.(Value ?? T x).
 (* execution *)
 ndefinition store_value_of_type' ≝
+definition store_value_of_type' ≝
 λty,m,l,v.
 match l with [ mk_pair pl ofs ⇒
   match pl with [ mk_pair pcl loc ⇒
+match l with [ pair pl ofs ⇒
+  match pl with [ pair pcl loc ⇒
     store_value_of_type ty m pcl loc ofs v ] ].
 nlet rec exec_step (ge:genv) (st:state) on st : (IO io_out io_in (trace × state)) ≝
+let rec exec_step (ge:genv) (st:state) on st : (IO io_out io_in (trace × state)) ≝
 match st with
 [ State f s k e m ⇒
 …
   | Sgoto lbl ⇒
       match find_label lbl (fn_body f) (call_cont k) with
       [ Some sk' ⇒ match sk' with [ mk_pair s' k' ⇒ ret ? 〈E0, State f s' k' e m〉 ]
+      [ Some sk' ⇒ match sk' with [ pair s' k' ⇒ ret ? 〈E0, State f s' k' e m〉 ]
       | None ⇒ Wrong ???
+      ]
 …
   match f0 with
   [ Internal f ⇒
     match exec_alloc_variables empty_env m ((fn_params f) @ (fn_vars f)) with [ mk_pair e m1 ⇒
       ! m2 ← err_to_io_sig … (exec_bind_parameters e m1 (fn_params f) vargs);
+    match exec_alloc_variables empty_env m ((fn_params f) @ (fn_vars f)) with [ pair e m1 ⇒
+      ! m2 ← exec_bind_parameters e m1 (fn_params f) vargs;
       ret ? 〈E0, State f (fn_body f) k e m2〉
+    ]
   | External f argtys retty ⇒
       ! evargs ← err_to_io_sig … (check_eventval_list vargs (typlist_of_typelist argtys));
+      ! evargs ← check_eventval_list vargs (typlist_of_typelist argtys);
       ! evres ← do_io f evargs (proj_sig_res (signature_of_type argtys retty));
       ret ? 〈Eextcall f evargs (mk_eventval ? evres), Returnstate (mk_val ? evres) k m〉
 …
     [ None ⇒ ret ? 〈E0, (State f Sskip k' e m)〉
     | Some r' ⇒
       match r' with [ mk_pair l ty ⇒
+      match r' with [ pair l ty ⇒
           ! m' ← store_value_of_type' ty m l res;
 …
 ].
 nlet rec make_initial_state (p:clight_program) : res (genv × state) ≝
+let rec make_initial_state (p:clight_program) : res (genv × state) ≝
   do ge ← globalenv Genv ?? p;
   do m0 ← init_mem Genv ?? p;
   do 〈sp,b〉 ← opt_to_res ? (find_symbol ? ? ge (prog_main ?? p));
   do u ← opt_to_res ? (match eq_region_dec sp Code with [ inl _ ⇒ Some ? something | inr _ ⇒ None ? ]);
+  do u ← opt_to_res ? (match eq_region_dec sp Code with [ inl _ ⇒ Some ? it | inr _ ⇒ None ? ]);
   do f ← opt_to_res ? (find_funct_ptr ? ? ge b);
   OK ? 〈ge,Callstate f (nil ?) Kstop m0〉.
 ndefinition is_final_state : ∀st:state. (Σr. final_state st r) + (¬∃r. final_state st r).
 #st; nelim st;
 ##[ #f s k e m; @2; @;*; #r H; ninversion H; #i m e; ndestruct;
 ##| #f l k m; @2; @;*; #r H; ninversion H; #i m e; ndestruct;
 ##| #v k m; ncases k;
   ##[ ncases v;
     ##[ ##2: #i; @1; @ i; //;
     ##| ##1: @2; @; *;   #r H; ninversion H; #i m e; ndestruct;
     ##| #f; @2; @; *;   #r H; ninversion H; #i m e; ndestruct;
     ##| #r; @2; @; *;   #r H; ninversion H; #i m e; ndestruct;
     ##| #r b of; @2; @; *;   #r H; ninversion H; #i m e; ndestruct;
     ##]
   ##| #a b; @2; @; *; #r H; ninversion H; #i m e; ndestruct;
   ##| ##3,4: #a b c; @2; @; *; #r H; ninversion H; #i m e; ndestruct;
   ##| ##5,6,8: #a b c d; @2; @; *; #r H; ninversion H; #i m e; ndestruct;
   ##| #a; @2; @; *; #r H; ninversion H; #i m e; ndestruct;
   ##]
 ##] nqed.
 nlet rec exec_steps (n:nat) (ge:genv) (s:state) :
+definition is_final_state : ∀st:state. (Sig ? (final_state st)) + (¬∃r. final_state st r).
+#st elim st;
+[ #f #s #k #e #m %2 ; % *; #r #H inversion H; #i #m #e destruct;
+| #f #l #k #m %2 ; % *; #r #H inversion H; #i #m #e destruct;
+| #v #k #m cases k;
+  [ cases v;
+    [ 2: #i %1 ; %{ i} //;
+    | 1: %2 ; % *;   #r #H inversion H; #i #m #e destruct;
+    | #f %2 ; % *;   #r #H inversion H; #i #m #e destruct;
+    | #r %2 ; % *;   #r #H inversion H; #i #m #e destruct;
+    | #r #b #of %2 ; % *;   #r #H inversion H; #i #m #e destruct;
+    ]
+  | #a #b %2 ; % *; #r #H inversion H; #i #m #e destruct;
+  | 3,4: #a #b #c %2 ; % *; #r #H inversion H; #i #m #e destruct;
+  | 5,6,8: #a #b #c #d %2 ; % *; #r #H inversion H; #i #m #e destruct;
+  | #a %2 ; % *; #r #H inversion H; #i #m #e destruct;
+  ]
+] qed.
+let rec exec_steps (n:nat) (ge:genv) (s:state) :
  IO io_out io_in (trace×state) ≝
 match is_final_state s with
 …
 (* A (possibly non-terminating) execution.   *)
 ncoinductive execution : Type ≝
+coinductive execution : Type[0] ≝
 | e_stop : trace → int → mem → execution
 | e_step : trace → state → execution → execution
 …
 | e_interact : ∀o:io_out. (io_in o → execution) → execution.
 ndefinition mem_of_state : state → mem ≝
+definition mem_of_state : state → mem ≝
 λs.match s with [ State f s k e m ⇒ m | Callstate f a k m ⇒ m | Returnstate r k m ⇒ m ].
 …
    state. *)
 nlet corec exec_inf_aux (ge:genv) (s:IO io_out io_in (trace×state)) : execution ≝
+let corec exec_inf_aux (ge:genv) (s:IO io_out io_in (trace×state)) : execution ≝
 match s with
 [ Wrong ⇒ e_wrong
 | Value v ⇒ match v with [ mk_pair t s' ⇒
+| Value v ⇒ match v with [ pair t s' ⇒
     match is_final_state s' with
     [ inl r ⇒ e_stop t (sig_eject … r) (mem_of_state s')
 …
 ndefinition exec_inf : clight_program → execution ≝
+definition exec_inf : clight_program → execution ≝
 λp.
   match make_initial_state p with
 …
   ].
 nremark execution_cases: ∀e.
+lemma execution_cases: ∀e.
  e = match e with [ e_stop tr r m ⇒ e_stop tr r m | e_step tr s e ⇒ e_step tr s e
  | e_wrong ⇒ e_wrong | e_interact o k ⇒ e_interact o k ].
 #e; ncases e; //; nqed.
 nlemma exec_inf_aux_unfold: ∀ge,s. exec_inf_aux ge s =
+#e cases e; //; qed.
+lemma exec_inf_aux_unfold: ∀ge,s. exec_inf_aux ge s =
 match s with
 [ Wrong ⇒ e_wrong
 | Value v ⇒ match v with [ mk_pair t s' ⇒
+| Value v ⇒ match v with [ pair t s' ⇒
     match is_final_state s' with
     [ inl r ⇒ e_stop t (sig_eject … r) (mem_of_state s')
 …
 | Interact out k' ⇒ e_interact out (λv. exec_inf_aux ge (k' v))
 ].
 #ge s; nrewrite > (execution_cases (exec_inf_aux …)); ncases s;
 ##[ #o k
 ##| #x; ncases x; #tr s'; ncases s';
   ##[ #fn st k env m
   ##| #fd args k mem
   ##| #v k mem; (* for final state check *) ncases k;
     ##[ ncases v; ##[ ##2,3: #v' ##| ##4: #r ##| ##5: #sp loc off ##]
     ##| #s' k' ##| ##3,4: #e s' k' ##| ##5,6: #e s' s'' k' ##| #k' ##| #a b c d ##]
   ##]
 ##| ##]
 nwhd in ⊢ (??%%); //;
 nqed.
+#ge #s >(execution_cases (exec_inf_aux …)) cases s;
+[ #o #k
+| #x cases x; #tr #s' cases s';
+  [ #fn #st #k #env #m
+  | #fd #args #k #mem
+  | #v #k #mem (* for final state check *) cases k;
+    [ cases v; [ 2,3: #v' | 4: #r | 5: #sp #loc #off ]
+    | #s' #k' | 3,4: #e #s' #k' | 5,6: #e #s' #s'' #k' | #k' | #a #b #c #d ]
+  ]
+| ]
+whd in ⊢ (??%%); //;
+qed.

Deliverables/D3.1/C-semantics/CexecComplete.ma

-                      r485
+                      r487
 include "Cexec.ma".
+include "Plogic/connectives.ma".
+ndefinition yields ≝ λA.λa:res A.λv':A.
+definition yields ≝ λA.λa:res A.λv':A.
 match a with [ OK v ⇒ v' = v | _ ⇒ False ].
 …
    that one particular one exists corresponding to a derivation in the inductive
    semantics.) *)
 nlet rec yieldsIO (A:Type) (a:IO io_out io_in A) (v':A) on a : Prop ≝
+let rec yieldsIO (A:Type[0]) (a:IO io_out io_in A) (v':A) on a : Prop ≝
 match a with [ Value v ⇒ v' = v | Interact _ k ⇒ ∃r.yieldsIO A (k r) v' | _ ⇒ False ].
 ndefinition yields_sig : ∀A,P. res (Σx:A. P x) → A → Prop ≝
 λA,P,e,v. match e with [ OK v' ⇒ match v' with [ sig_intro v'' _ ⇒ v = v'' ] | _ ⇒ False].
 nlet rec yieldsIO_sig (A:Type) (P:A → Prop) (e:IO io_out io_in (Σx:A. P x)) (v:A) on e : Prop ≝
+definition yields_sig : ∀A,P. res (Sig A P) → A → Prop ≝
+λA,P,e,v. match e with [ OK v' ⇒ match v' with [ dp v'' _ ⇒ v = v'' ] | _ ⇒ False].
+let rec yieldsIO_sig (A:Type[0]) (P:A → Prop) (e:IO io_out io_in (Sig A P)) (v:A) on e : Prop ≝
 match e with
 [ Value v' ⇒ match v' with [ sig_intro v'' _ ⇒ v = v'' ]
+[ Value v' ⇒ match v' with [ dp v'' _ ⇒ v = v'' ]
 | Interact _ k ⇒ ∃r.yieldsIO_sig A P (k r) v
 | _ ⇒ False].
 nlemma remove_io_sig: ∀A. ∀P:A → Prop. ∀a,v',p.
+lemma remove_io_sig: ∀A. ∀P:A → Prop. ∀a,v',p.
 yieldsIO A a v' →
 yieldsIO_sig A P (io_inject io_out io_in A (λx.P x) (Some ? a) p) v'.
 #A P a; nelim a;
+##[ #a k IH v' p H; nwhd in H ⊢ %; nelim H; #r H'; @ r; napply IH; napply H';
+##| #v v' p H; napply H;
 ##| #a b; *;
 ##] nqed.
 nlemma yields_eq: ∀A,a,v'. yields A a v' → a = OK ? v'.
 #A a v'; ncases a; //; nwhd in ⊢ (% → ?); *;
 nqed.
 nlemma yields_sig_eq: ∀A,P,e,v. yields_sig A P e v → ∃p. e = OK ? (sig_intro … v p).
 #A P e v; ncases e;
+##[ #vp; ncases vp; #v' p H; nwhd in H; nrewrite > H; @ p; napply refl;
 ##| *;
 ##] nqed.
 nlemma is_pointer_compat_true: ∀m,b,sp.
+yieldsIO_sig A P (io_inject io_out io_in A P (Some ? a) p) v'.
+#A #P #a elim a;
+[ #a #k #IH #v' #p #H whd in H ⊢ %; elim H; #r #H' %{ r} @IH @H'
+| #v #v' #p #H @H
+| #a #b *;
+] qed.
+lemma yields_eq: ∀A,a,v'. yields A a v' → a = OK ? v'.
+#A #a #v' cases a; //; whd in ⊢ (% → ?); *;
+qed.
+lemma yields_sig_eq: ∀A,P,e,v. yields_sig A P e v → ∃p. e = OK ? (dp … v p).
+#A #P #e #v cases e;
+[ #vp cases vp; #v' #p #H whd in H; >H %{ p} @refl
+| *;
+] qed.
+lemma is_pointer_compat_true: ∀m,b,sp.
   pointer_compat (block_space m b) sp →
   is_pointer_compat (block_space m b) sp = true.
 #m b sp H; nwhd in ⊢ (??%?);
 nelim (pointer_compat_dec (block_space m b) sp);
 ##[ //
+##| #H'; napply False_ind; napply (absurd … H H');
 ##] nqed.
 nlemma eq_region_dec_true: ∀s. eq_region_dec s s = inl ???.
+##[ #s; ncases s; napply refl;
 ##| ##skip
 ##] nqed.
 ntheorem is_det: ∀p,s,s'.
+#m #b #sp #H whd in ⊢ (??%?);
+elim (pointer_compat_dec (block_space m b) sp);
+[ //
+| #H' @False_ind @(absurd … H H')
+] qed.
+lemma eq_region_dec_true: ∀s. eq_region_dec s s = inl ???.
+[ #s cases s; @refl
+| skip
+] qed.
+theorem is_det: ∀p,s,s'.
 initial_state p s → initial_state p s' → s = s'.
 #p s s' H1 H2;
+ninversion H1; #b1 f1 ge1 m1 e11 e12 e13 e14 e15;
+ninversion H2; #b2 f2 ge2 m2 e21 e22 e23 e24 e25;
+nrewrite > e11 in e21; #e1; nrewrite > (?:ge1 = ge2) in e13 e14;
 ##[ ##2: ndestruct (e1) skip (e11); napply refl; ##]
 #e13 e14;
 nrewrite > e12 in e22; #e2; ndestruct (e2) skip (e12);
+nrewrite > e13 in e23; #e3; nrewrite > (?:b1 = b2) in e14;
+##[ nrewrite > e24; #e4; nrewrite > (?:f2 = f1);
   ##[ //;
   ##| ndestruct (e4) skip (e24 e25); //;
   ##]
 ##| ndestruct (e3) skip (e13); //
 ##] nqed.
 nlemma remove_res_sig: ∀A. ∀P:A → Prop. ∀a,v',p.
+#p #s #s' #H1 #H2
+inversion H1; #b1 #f1 #ge1 #m1 #e11 #e12 #e13 #e14 #e15
+inversion H2; #b2 #f2 #ge2 #m2 #e21 #e22 #e23 #e24 #e25
+>e11 in e21 #e1 >(?:ge1 = ge2) in e13 e14
+[ 2: destruct (e1) skip (e11); @refl ]
+#e13 #e14
+>e12 in e22 #e2 destruct (e2) skip (e12);
+>e13 in e23 #e3 >(?:b1 = b2) in e14
+[ >e24 #e4 >(?:f2 = f1)
+  [ //;
+  | destruct (e4) skip (e24 e25); //;
+  ]
+| destruct (e3) skip (e13); //
+] qed.
+lemma remove_res_sig: ∀A. ∀P:A → Prop. ∀a,v',p.
 yields A a v' →
 yields_sig A P (err_inject A (λx.P x) (Some ? a) p) v'.
 #A P a; ncases a;
+##[ #v v' p H; napply H;
 ##| #a b; *;
 ##] nqed.
 ntheorem the_initial_state:
+yields_sig A P (err_inject A P (Some ? a) p) v'.
+#A #P #a cases a;
+[ #v #v' #p #H @H
+| #a #b *;
+] qed.
+theorem the_initial_state:
   ∀p,s. initial_state p s → ∃ge. yields ? (make_initial_state p) 〈ge,s〉.
 #p s; ncases p; #fns main globs H;
 ninversion H;
 #b f ge m e1 e2 e3 e4 e5; @ge;
 nwhd in ⊢ (??%?);
+nrewrite > e1;
 nwhd in ⊢ (??%?);
+nrewrite > e2;
 nwhd in ⊢ (??%?);
+nrewrite > e3;
 nwhd in ⊢ (??%?);
+nrewrite > e4;
+nwhd; napply refl;
 nqed.
 nlemma cast_complete: ∀m,v,ty,ty',v'.
+#p #s cases p; #fns #main #globs #H
+inversion H;
+#b #f #ge #m #e1 #e2 #e3 #e4 #e5 %{ge}
+whd in ⊢ (??%?);
+>e1
+whd in ⊢ (??%?);
+>e2
+whd in ⊢ (??%?);
+>e3
+whd in ⊢ (??%?);
+>e4
+whd; @refl
+qed.
+lemma cast_complete: ∀m,v,ty,ty',v'.
   cast m v ty ty' v' → yields ? (exec_cast m v ty ty') v'.
 #m v ty ty' v' H;
 nelim H;
+##[ #m i sz1 sz2 sg1 sg2; napply refl;
+##| #m f sz szi sg; napply refl;
+##| #m i sz sz' sg; napply refl;
+##| #m f sz sz'; napply refl;
+##| #m sp sp' ty ty' b ofs H1 H2 H3;
     nelim H1; ##[ #sp1 ty1 ##| #sp1 ty1 n1 ##| #tys1 ty1; nletin sp1 ≝ Code ##]
     nwhd in ⊢ (??%?);
     ##[ ##1,2: nrewrite > (eq_region_dec_true …); nwhd in ⊢ (??%?); ##]
     nelim H2 in H3 ⊢ %; ##[ ##1,4,7: #sp2 ty2 ##| ##2,5,8: #sp2 ty2 n2 ##| ##3,6,9: #tys2 ty2; nletin sp2 ≝ Code ##]
     #H3; nwhd in ⊢ (??%?);
     nrewrite > (is_pointer_compat_true …); //;
 ##| #m sz si ty'' r H; ncases H; //;
+##| #m t t' r r' H H'; ncases H; ntry #a; ntry #b; ntry #c; ncases H'; ntry #d; ntry #e; ntry #f;
     nwhd in ⊢ (??%?); ntry napply refl; nrewrite > eq_region_dec_true; napply refl;
 ##] nqed.
+#m #v #ty #ty' #v' #H
+elim H;
+[ #m #i #sz1 #sz2 #sg1 #sg2 @refl
+| #m #f #sz #szi #sg @refl
+| #m #i #sz #sz' #sg @refl
+| #m #f #sz #sz' @refl
+| #m #sp #sp' #ty #ty' #b #ofs #H1 #H2 #H3
+    elim H1; [ #sp1 #ty1 | #sp1 #ty1 #n1 | #tys1 #ty1 letin sp1 ≝ Code ]
+    whd in ⊢ (??%?);
+    [ 1,2: >(eq_region_dec_true …) whd in ⊢ (??%?); ]
+    elim H2 in H3 ⊢ %; [ 1,4,7: #sp2 #ty2 | 2,5,8: #sp2 #ty2 #n2 | 3,6,9: #tys2 #ty2 letin sp2 ≝ Code ]
+    #H3 whd in ⊢ (??%?);
+    >(is_pointer_compat_true …) //;
+| #m #sz #si #ty'' #r #H cases H; //;
+| #m #t #t' #r #r' #H #H' cases H; try #a try #b try #c cases H'; try #d try #e try #f
+    whd in ⊢ (??%?); try @refl >eq_region_dec_true @refl
+] qed.
 (* Use to narrow down the choice of expression to just the lvalues. *)
 nlemma lvalue_expr: ∀ge,env,m,e,ty,sp,l,ofs,tr. ∀P:expr_descr → Prop.
+lemma lvalue_expr: ∀ge,env,m,e,ty,sp,l,ofs,tr. ∀P:expr_descr → Prop.
   eval_lvalue ge env m (Expr e ty) sp l ofs tr →
   (∀id. P (Evar id)) → (∀e'. P (Ederef e')) → (∀e',id. P (Efield e' id)) →
   P e.
 #ge env m e ty sp l ofs tr P H; napply (eval_lvalue_inv_ind … H);
 ##[ #id l ty e1 e2 e3 e4 e5 e6; ndestruct; //
 ##| #id sp l ty e1 e2 e3 e4 e5 e6 e7; ndestruct; //
 ##| #e ty sp l ofs tr H e1 e2 e3 e4 e5; ndestruct; //
 ##| #e id ty sp l ofs id' fs d tr H e1 e2;(* bogus? *) #_; #e3 e4 e5 e6 e7; ndestruct; //
 ##| #e id ty sp l ofs id' fs tr H e1;(* bogus? *) #_; #e2 e3 e4 e5 e6; ndestruct; //
 ##] nqed.
 nlemma bool_of_val_3_complete : ∀v,ty,r. bool_of_val v ty r → ∃b. r = of_bool b ∧ yields ? (exec_bool_of_val v ty) b.
 #v ty r H; nelim H; #v t H'; nelim H';
   ##[ #i is s ne; @ true; @; //; nwhd; nrewrite > (eq_false … ne); //;
   ##| #p b i i0 s; @ true; @; //
   ##| #f s ne; @ true; @; //; nwhd; nrewrite > (Feq_zero_false … ne); //;
   ##| #i s; @ false; @; //;
   ##| #r r' t; @ false; @; //;
   ##| #s; @ false; @; //; nwhd; nrewrite > (Feq_zero_true …); //;
   ##]
 nqed.
 nlemma bool_of_true: ∀v,ty. is_true v ty → yields ? (exec_bool_of_val v ty) true.
 #v ty H; nelim H;
   ##[ #i is s ne; nwhd; nrewrite > (eq_false … ne); //;
   ##| #p b i i0 s; //
   ##| #f s ne; nwhd; nrewrite > (Feq_zero_false … ne); //;
   ##]
 nqed.
 nlemma bool_of_false: ∀v,ty. is_false v ty → yields ? (exec_bool_of_val v ty) false.
 #v ty H; nelim H;
   ##[ #i s; //;
   ##| #r r' t; //;
   ##| #s; nwhd; nrewrite > (Feq_zero_true …); //;
   ##]
 nqed.
 nlemma expr_lvalue_complete: ∀ge,env,m.
+#ge #env #m #e #ty #sp #l #ofs #tr #P #H @(eval_lvalue_inv_ind … H)
+[ #id #l #ty #e1 #e2 #e3 #e4 #e5 #e6 destruct; //
+| #id #sp #l #ty #e1 #e2 #e3 #e4 #e5 #e6 #e7 destruct; //
+| #e #ty #sp #l #ofs #tr #H #e1 #e2 #e3 #e4 #e5 destruct; //
+| #e #id #ty #sp #l #ofs #id' #fs #d #tr #H #e1 #e2 (* bogus? *) #_ #e3 #e4 #e5 #e6 #e7 destruct; //
+| #e #id #ty #sp #l #ofs #id' #fs #tr #H #e1 (* bogus? *) #_ #e2 #e3 #e4 #e5 #e6 destruct; //
+] qed.
+lemma bool_of_val_3_complete : ∀v,ty,r. bool_of_val v ty r → ∃b. r = of_bool b ∧ yields ? (exec_bool_of_val v ty) b.
+#v #ty #r #H elim H; #v #t #H' elim H';
+  [ #i #is #s #ne %{ true} % //; whd; >(eq_false … ne) //;
+  | #p #b #i #i0 #s %{ true} % //
+  | #f #s #ne %{ true} % //; whd; >(Feq_zero_false … ne) //;
+  | #i #s %{ false} % //;
+  | #r #r' #t %{ false} % //;
+  | #s %{ false} % //; whd; >(Feq_zero_true …) //;
+  ]
+qed.
+lemma bool_of_true: ∀v,ty. is_true v ty → yields ? (exec_bool_of_val v ty) true.
+#v #ty #H elim H;
+  [ #i #is #s #ne whd; >(eq_false … ne) //;
+  | #p #b #i #i0 #s //
+  | #f #s #ne whd; >(Feq_zero_false … ne) //;
+  ]
+qed.
+lemma bool_of_false: ∀v,ty. is_false v ty → yields ? (exec_bool_of_val v ty) false.
+#v #ty #H elim H;
+  [ #i #s //;
+  | #r #r' #t //;
+  | #s whd; >(Feq_zero_true …) //;
+  ]
+qed.
+lemma expr_lvalue_complete: ∀ge,env,m.
 (∀e,v,tr. eval_expr ge env m e v tr → yields ? (exec_expr ge env m e) (〈v,tr〉)) ∧
 (∀e,sp,l,off,tr. eval_lvalue ge env m e sp l off tr → yields ? (exec_lvalue ge env m e) (〈〈〈sp,l〉,off〉,tr〉)).
 #ge env m;
 napply (combined_expr_lvalue_ind ge env m
+#ge #env #m
+@(combined_expr_lvalue_ind ge env m
   (λe,v,tr,H. yields ? (exec_expr ge env m e) (〈v,tr〉))
   (λe,sp,l,off,tr,H. yields ? (exec_lvalue ge env m e) (〈〈〈sp,l〉,off〉,tr〉)));
+##[ #i ty; napply refl;
+##| #f ty; napply refl;
+##| #e ty sp l off v tr H1 H2; napply (lvalue_expr … H1);
     ##[ #id ##| #e' ##| #e' id ##] #H3;
     nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H3);
     nwhd in ⊢ (??%?); nrewrite > H2; napply refl;
 ##| #e ty sp l off tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H2);
     napply refl;
+##| #ty' ty; napply refl;
 ##| #op e ty v1 v tr H1 H2 H3; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H3);
     nwhd in ⊢ (??%?); nrewrite > H2; napply refl;
 ##| #op e1 e2 ty v1 v2 v tr1 tr2 H1 H2 e3 H4 H5; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H4); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H5); nwhd in ⊢ (??%?);
     nrewrite > e3; napply refl;
 ##| #e1 e2 e3 ty v1 v2 tr1 tr2 H1 H2 H3 H4 H5; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H4); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_true ?? H2));
     nrewrite > (yields_eq ??? H5);
     napply refl;
 ##| #e1 e2 e3 ty v1 v2 tr1 tr2 H1 H2 H3 H4 H5; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H4); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_false ?? H2));
     nrewrite > (yields_eq ??? H5);
     napply refl;
 ##| #e1 e2 ty v1 tr H1 H2 H3; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H3); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_true ?? H2));
     napply refl;
 ##| #e1 e2 ty v1 v2 v tr1 tr2 H1 H2 H3 H4 H5 H6; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H5); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_false ?? H2));
     nrewrite > (yields_eq ??? H6); nwhd in ⊢ (??%?);
     nelim (bool_of_val_3_complete … H4); #b; *; #evb Hb;
     nrewrite > (yields_eq ??? Hb); nwhd in ⊢ (??%?); nrewrite < evb;
     napply refl;
 ##| #e1 e2 ty v1 tr H1 H2 H3; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H3); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_false ?? H2));
     napply refl;
 ##| #e1 e2 ty v1 v2 v tr1 tr2 H1 H2 H3 H4 H5 H6; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H5); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_true ?? H2));
     nrewrite > (yields_eq ??? H6); nwhd in ⊢ (??%?);
     nelim (bool_of_val_3_complete … H4); #b; *; #evb Hb;
     nrewrite > (yields_eq ??? Hb); nwhd in ⊢ (??%?); nrewrite < evb;
     napply refl;
 ##| #e ty ty' v1 v tr H1 H2 H3; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H3); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (cast_complete … H2));
     napply refl;
 ##| #e ty v l tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H2); nwhd in ⊢ (??%?);
     napply refl;
+[ #i #ty @refl
+| #f #ty @refl
+| #e #ty #sp #l #off #v #tr #H1 #H2 @(lvalue_expr … H1)
+    [ #id | #e' | #e' #id ] #H3
+    whd in ⊢ (??%?);
+    >(yields_eq ??? H3)
+    whd in ⊢ (??%?); >H2 @refl
+| #e #ty #sp #l #off #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? H2)
+    @refl
+| #ty' #ty @refl
+| #op #e #ty #v1 #v #tr #H1 #H2 #H3 whd in ⊢ (??%?);
+    >(yields_eq ??? H3)
+    whd in ⊢ (??%?); >H2 @refl
+| #op #e1 #e2 #ty #v1 #v2 #v #tr1 #tr2 #H1 #H2 #e3 #H4 #H5 whd in ⊢ (??%?);
+    >(yields_eq ??? H4) whd in ⊢ (??%?);
+    >(yields_eq ??? H5) whd in ⊢ (??%?);
+    >e3 @refl
+| #e1 #e2 #e3 #ty #v1 #v2 #tr1 #tr2 #H1 #H2 #H3 #H4 #H5 whd in ⊢ (??%?);
+    >(yields_eq ??? H4) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_true ?? H2))
+    >(yields_eq ??? H5)
+    @refl
+| #e1 #e2 #e3 #ty #v1 #v2 #tr1 #tr2 #H1 #H2 #H3 #H4 #H5 whd in ⊢ (??%?);
+    >(yields_eq ??? H4) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_false ?? H2))
+    >(yields_eq ??? H5)
+    @refl
+| #e1 #e2 #ty #v1 #tr #H1 #H2 #H3 whd in ⊢ (??%?);
+    >(yields_eq ??? H3) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_true ?? H2))
+    @refl
+| #e1 #e2 #ty #v1 #v2 #v #tr1 #tr2 #H1 #H2 #H3 #H4 #H5 #H6 whd in ⊢ (??%?);
+    >(yields_eq ??? H5) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_false ?? H2))
+    >(yields_eq ??? H6) whd in ⊢ (??%?);
+    elim (bool_of_val_3_complete … H4); #b *; #evb #Hb
+    >(yields_eq ??? Hb) whd in ⊢ (??%?); <evb
+    @refl
+| #e1 #e2 #ty #v1 #tr #H1 #H2 #H3 whd in ⊢ (??%?);
+    >(yields_eq ??? H3) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_false ?? H2))
+    @refl
+| #e1 #e2 #ty #v1 #v2 #v #tr1 #tr2 #H1 #H2 #H3 #H4 #H5 #H6 whd in ⊢ (??%?);
+    >(yields_eq ??? H5) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_true ?? H2))
+    >(yields_eq ??? H6) whd in ⊢ (??%?);
+    elim (bool_of_val_3_complete … H4); #b *; #evb #Hb
+    >(yields_eq ??? Hb) whd in ⊢ (??%?); <evb
+    @refl
+| #e #ty #ty' #v1 #v #tr #H1 #H2 #H3 whd in ⊢ (??%?);
+    >(yields_eq ??? H3) whd in ⊢ (??%?);
+    >(yields_eq ??? (cast_complete … H2))
+    @refl
+| #e #ty #v #l #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? H2) whd in ⊢ (??%?);
+    @refl
   (* lvalues *)
+##| #id l ty e1; nwhd in ⊢ (??%?); nrewrite > e1; napply refl;
+##| #id sp l ty e1 e2; nwhd in ⊢ (??%?); nrewrite > e1;
     nrewrite > e2; napply refl;
 ##| #e ty sp l ofs tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H2);
     napply refl;
 ##| #e i ty sp l ofs id fList delta tr H1 H2 H3 H4; ncases e in H2 H4 ⊢ %;
     #e' ty' H2; nwhd in H2:(??%?); nrewrite > H2; #H4; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H4); nwhd in ⊢ (??%?);
     nrewrite > H3; napply refl;
+##| #e i ty sp l ofs id fList tr; ncases e; #e' ty' H1 H2;
     nwhd in H2:(??%?); nrewrite > H2; #H3; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H3); napply refl;
 ##] nqed.
 ntheorem expr_complete:  ∀ge,env,m.
+| #id #l #ty #e1 whd in ⊢ (??%?); >e1 @refl
+| #id #sp #l #ty #e1 #e2 whd in ⊢ (??%?); >e1
+    >e2 @refl
+| #e #ty #sp #l #ofs #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? H2)
+    @refl
+| #e #i #ty #sp #l #ofs #id #fList #delta #tr #H1 #H2 #H3 #H4 cases e in H2 H4 ⊢ %;
+    #e' #ty' #H2 whd in H2:(??%?); >H2 #H4 whd in ⊢ (??%?);
+    >(yields_eq ??? H4) whd in ⊢ (??%?);
+    >H3 @refl
+| #e #i #ty #sp #l #ofs #id #fList #tr cases e; #e' #ty' #H1 #H2
+    whd in H2:(??%?); >H2 #H3 whd in ⊢ (??%?);
+    >(yields_eq ??? H3) @refl
+] qed.
+theorem expr_complete:  ∀ge,env,m.
  ∀e,v,tr. eval_expr ge env m e v tr → yields ? (exec_expr ge env m e) (〈v,tr〉).
 #ge env m; nelim (expr_lvalue_complete ge env m); /2/; nqed.
 ntheorem exprlist_complete: ∀ge,env,m,es,vs,tr.
+#ge #env #m elim (expr_lvalue_complete ge env m); /2/; qed.
+theorem exprlist_complete: ∀ge,env,m,es,vs,tr.
   eval_exprlist ge env m es vs tr → yields ? (exec_exprlist ge env m es) (〈vs,tr〉).
 #ge env m es vs tr H; nelim H;
+##[ napply refl;
 ##| #e et v vt tr trt H1 H2 H3; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? H3);
     napply refl;
 ##] nqed.
 ntheorem lvalue_complete: ∀ge,env,m.
+#ge #env #m #es #vs #tr #H elim H;
+[ @refl
+| #e #et #v #vt #tr #trt #H1 #H2 #H3 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? H3)
+    @refl
+] qed.
+theorem lvalue_complete: ∀ge,env,m.
  ∀e,sp,l,off,tr. eval_lvalue ge env m e sp l off tr → yields ? (exec_lvalue ge env m e) (〈〈〈sp,l〉,off〉,tr〉).
 #ge env m; nelim (expr_lvalue_complete ge env m); /2/; nqed.
 nlet rec P_typelist (P:type → Prop) (l:typelist) on l : Prop ≝
+#ge #env #m elim (expr_lvalue_complete ge env m); /2/; qed.
+let rec P_typelist (P:type → Prop) (l:typelist) on l : Prop ≝
 match l with
 [ Tnil ⇒ True
 …
 ].
 nlet rec type_ind2l
+let rec type_ind2l
   (P:type → Prop) (Q:typelist → Prop)
   (vo:P Tvoid)
 …
   ].
 nlemma assert_type_eq_true: ∀t. ∃p.assert_type_eq t t = OK ? p.
 #t; nwhd in ⊢ (??(λ_.??%?)); ncases (type_eq_dec t t); #E;
 ##[ @ E; //
 ##| napply False_ind; napply (absurd ?? E); //
 ##] nqed.
 nlemma alloc_vars_complete: ∀env,m,l,env',m'.
+lemma assert_type_eq_true: ∀t. ∃p.assert_type_eq t t = OK ? p.
+#t whd in ⊢ (??(λ_.??%?)); cases (type_eq_dec t t); #E
+[ %{ E} //
+| @False_ind @(absurd ?? E) //
+] qed.
+lemma alloc_vars_complete: ∀env,m,l,env',m'.
   alloc_variables env m l env' m' →
+  ∃p.exec_alloc_variables env m l = sig_intro ?? (Some ? 〈env', m'〉) p.
+#env m l env' m' H; nelim H;
+##[ #env'' m''; @ ?; nwhd; //;
+##| #env1 m1 id ty l1 m2 loc m3 env2 H1 H2 H3;
+    nwhd in H1:(??%?) ⊢ (??(λ_.??%?));
+    ndestruct (H1);
+    nelim H3; #p3 e3; nrewrite > e3; nwhd in ⊢ (??(λ_.??%?)); @ ?; //;
+##] nqed.
+nlemma bind_params_complete: ∀e,m,params,vs,m2.
+  exec_alloc_variables env m l = 〈env', m'〉.
+#env #m #l #env' #m' #H elim H;
+[ #env'' #m'' %
+| #env1 #m1 #id #ty #l1 #m2 #loc #m3 #env2 #H1 #H2 #H3
+  < H3 whd in H1:(??%?) ⊢ (??%?)
+    destruct (H1) //
+] qed.
+lemma bind_params_complete: ∀e,m,params,vs,m2.
   bind_parameters e m params vs m2 →
+  yields_sig ?? (exec_bind_parameters e m params vs) m2.
+#e m params vs m2 H; nelim H;
+##[ //;
+##| #env1 m1 id ty l v tl loc m2 m3 H1 H2 H3 H4;
+    napply remove_res_sig;
+    nrewrite > H1; nwhd in ⊢ (??%?);
+    nrewrite > H2; nwhd in ⊢ (??%?);
+    nelim (yields_sig_eq ???? H4); #p4 e4; nrewrite > e4;
+    napply refl;
+##] nqed.
+nlemma eventval_match_complete': ∀ev,ty,v.
+  eventval_match ev ty v → yields_sig ?? (check_eventval' v ty) ev.
+#ev ty v H; nelim H; //; nqed.
+nlemma eventval_list_match_complete: ∀vs,tys,evs.
+  eventval_list_match evs tys vs → yields_sig ?? (check_eventval_list vs tys) evs.
+#vs tys evs H; nelim H;
+##[ //
+##| #e etl ty tytl v vtl H1 H2 H3; napply remove_res_sig;
+    nelim (yields_sig_eq ???? (eventval_match_complete' … H1)); #p1 e1; nrewrite > e1; nwhd in ⊢ (??%?);
+    nelim (yields_sig_eq ???? H3); #p3 e3; nrewrite > e3; nwhd in ⊢ (??%?);
+    napply refl;
+##] nqed.
+nlemma dec_true: ∀P:Prop.∀f:P + ¬P.∀p:P.∀Q:(P + ¬P) → Prop. (∀p'.Q (inl ?? p')) → Q f.
+#P f p Q H; ncases f;
+##[ napply H
+##| #np; napply False_ind; napply (absurd ? p np);
+##] nqed.
+nlemma dec_false: ∀P:Prop.∀f:P + ¬P.∀p:¬P.∀Q:(P + ¬P) → Prop. (∀p'.Q (inr ?? p')) → Q f.
+#P f p Q H; ncases f;
+##[ #np; napply False_ind; napply (absurd ? np p);
+##| napply H
+##] nqed.
+ntheorem step_complete: ∀ge,s,tr,s'.
+  yields ? (exec_bind_parameters e m params vs) m2.
+#e #m #params #vs #m2 #H elim H;
+[ //;
+| #env1 #m1 #id #ty #l #v #tl #loc #m2 #m3 #H1 #H2 #H3 #H4
+    whd in ⊢ (??%?)
+    >H1 whd in ⊢ (??%?);
+    >H2 whd in ⊢ (??%?);
+    @H4
+] qed.
+lemma eventval_match_complete': ∀ev,ty,v.
+  eventval_match ev ty v → yields ? (check_eventval' v ty) ev.
+#ev #ty #v #H elim H; //; qed.
+lemma eventval_list_match_complete: ∀vs,tys,evs.
+  eventval_list_match evs tys vs → yields ? (check_eventval_list vs tys) evs.
+#vs #tys #evs #H elim H;
+[ //
+| #e #etl #ty #tytl #v #vtl #H1 #H2 #H3 whd in ⊢ (??%?)
+    >(yields_eq ??? (eventval_match_complete' … H1)) whd in ⊢ (??%?)
+    >(yields_eq ??? H3) whd in ⊢ (??%?) //
+] qed.
+lemma dec_true: ∀P:Prop.∀f:P + ¬P.∀p:P.∀Q:(P + ¬P) → Prop. (∀p'.Q (inl ?? p')) → Q f.
+#P #f #p #Q #H cases f;
+[ @H
+| #np @False_ind @(absurd ? p np)
+] qed.
+lemma dec_false: ∀P:Prop.∀f:P + ¬P.∀p:¬P.∀Q:(P + ¬P) → Prop. (∀p'.Q (inr ?? p')) → Q f.
+#P #f #p #Q #H cases f;
+[ #np @False_ind @(absurd ? np p)
+| @H
+] qed.
+theorem step_complete: ∀ge,s,tr,s'.
   step ge s tr s' → yieldsIO ? (exec_step ge s) 〈tr,s'〉.
 #ge s tr s' H; nelim H;
 ##[ #f e e1 k e2 m sp loc ofs v m' tr1 tr2 H1 H2 H3; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (lvalue_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H2)); nwhd in ⊢ (??%?);
     nrewrite > H3; napply refl;
 ##| #f e eargs k ef m vf vargs f' tr1 tr2 H1 H2 H3 H4; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (exprlist_complete … H2)); nwhd in ⊢ (??%?);
     nrewrite > H3; nwhd in ⊢ (??%?);
     nrewrite > H4; nelim (assert_type_eq_true (fun_typeof e)); #pty ety; nrewrite > ety;
     napply refl;
 ##| #f el ef eargs k env m sp loc ofs vf vargs f' tr1 tr2 tr3 H1 H2 H3 H4 H5; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H2)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (exprlist_complete … H3)); nwhd in ⊢ (??%?);
     nrewrite > H4; nwhd in ⊢ (??%?);
     nrewrite > H5; nelim (assert_type_eq_true (fun_typeof ef)); #pty ety; nrewrite > ety;
     nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (lvalue_complete … H1)); nwhd in ⊢ (??%?);
     napply refl;
 ##| #f s1 s2 k env m; napply refl
 ##| ##5,6,7: #f s k env m; napply refl
 ##| #f e s1 s2 k env m v tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_true ?? H2));
     napply refl
 ##| #f e s1 s2 k env m v tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_false ?? H2));
     napply refl
 ##| #f e s k env m v tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_false ?? H2));
     napply refl
 ##| #f e s k env m v tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_true ?? H2));
     napply refl
+##| #f s1 e s2 k env m H; ncases H; #es1; nrewrite > es1; napply refl;
 ##| ##13,14: #f e s k env m; napply refl
 ##| #f s1 e s2 k env m v tr; *; #es1; nrewrite > es1; #H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_false ?? H2));
     napply refl
 ##| #f s1 e s2 k env m v tr; *; #es1; nrewrite > es1; #H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_true ?? H2));
     napply refl
+##| #f e s k env m; napply refl;
 ##| #f s1 e s2 s3 k env m nskip; nwhd in ⊢ (??%?); ncases (is_Sskip s1);
     ##[ #H; napply False_ind; napply (absurd ? H nskip)
     ##| #H; nwhd in ⊢ (??%?); napply refl ##]
 ##| #f e s1 s2 k env m v tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_false ?? H2));
     napply refl;
 ##| #f e s1 s2 k env m v tr H1 H2; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (bool_of_true ?? H2));
     napply refl;
+##| #f s1 e s2 s3 k env m; *; #es1; nrewrite > es1; napply refl;
+##| ##22,23: #f e s1 s2 k env m; napply refl;
+##| #f k env m H; nwhd in ⊢ (??%?); nrewrite > H; napply refl;
 ##| #f e k env m v tr H1 H2; nwhd in ⊢ (??%?);
     napply (dec_false ? (type_eq_dec (fn_return f) Tvoid) H1); #pf';
     nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H2)); nwhd in ⊢ (??%?);
     napply refl;
 ##| #f k env m; ncases k;
     ##[ #H1 H2; nwhd in ⊢ (??%?); nrewrite > H2; napply refl;
     ##| #s' k'; nwhd in ⊢ (% → ?); *;
     ##| ##3,4: #e' s' k'; nwhd in ⊢ (% → ?); *;
     ##| ##5,6: #e' s1' s2' k'; nwhd in ⊢ (% → ?); *;
     ##| #k'; nwhd in ⊢ (% → ?); *;
     ##| #r f' env' k' H1 H2; nwhd in ⊢ (??%?); nrewrite > H2; napply refl
     ##]
 ##| #f e s k env m i tr H1; nwhd in ⊢ (??%?);
     nrewrite > (yields_eq ??? (expr_complete … H1)); nwhd in ⊢ (??%?);
     napply refl
+##| #f s k env m; *; #es; nrewrite > es; napply refl;
 ##| #f k env m; napply refl
 ##| #f l s k env m; napply refl
+##| #f l k env m s k' H1; nwhd in ⊢ (??%?); nrewrite > H1; napply refl;
 ##| #f args k m1 env m2 m3 H1 H2; nwhd in ⊢ (??%?);
     nelim (alloc_vars_complete … H1); #p1 e1; nrewrite > e1; nwhd in ⊢ (??%?);
     nelim (yields_sig_eq ???? (bind_params_complete … H2)); #p2 e2; nrewrite > e2;
     napply refl;
 ##| #id tys rty args k m rv tr H; nwhd in ⊢ (??%?);
     ninversion H; #f' args' rv' eargs erv H1 H2 e1 e2 e3 e4; nrewrite < e1 in H1 H2;
     #H1 H2;
     nelim (yields_sig_eq ???? (eventval_list_match_complete … H1)); #p1 e1; nrewrite > e1; nwhd in ⊢ (??%?);
     nwhd; ninversion H2; #x e5 e6 e7; @ x; nwhd in ⊢ (??%?);
     napply refl
 ##| #v f env k m; napply refl
 ##| #v f env k m1 m2 sp loc ofs ty H; nwhd in ⊢ (??%?);
     nrewrite > H; napply refl
 ##| #f l s k env m; napply refl
 ##] nqed.
+#ge #s #tr #s' #H elim H;
+[ #f #e #e1 #k #e2 #m #sp #loc #ofs #v #m' #tr1 #tr2 #H1 #H2 #H3 whd in ⊢ (??%?);
+    >(yields_eq ??? (lvalue_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H2)) whd in ⊢ (??%?);
+    >H3 @refl
+| #f #e #eargs #k #ef #m #vf #vargs #f' #tr1 #tr2 #H1 #H2 #H3 #H4 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (exprlist_complete … H2)) whd in ⊢ (??%?);
+    >H3 whd in ⊢ (??%?);
+    >H4 elim (assert_type_eq_true (fun_typeof e)); #pty #ety >ety
+    @refl
+| #f #el #ef #eargs #k #env #m #sp #loc #ofs #vf #vargs #f' #tr1 #tr2 #tr3 #H1 #H2 #H3 #H4 #H5 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H2)) whd in ⊢ (??%?);
+    >(yields_eq ??? (exprlist_complete … H3)) whd in ⊢ (??%?);
+    >H4 whd in ⊢ (??%?);
+    >H5 elim (assert_type_eq_true (fun_typeof ef)); #pty #ety >ety
+    whd in ⊢ (??%?);
+    >(yields_eq ??? (lvalue_complete … H1)) whd in ⊢ (??%?);
+    @refl
+| #f #s1 #s2 #k #env #m @refl
+| 5,6,7: #f #s #k #env #m @refl
+| #f #e #s1 #s2 #k #env #m #v #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_true ?? H2))
+    @refl
+| #f #e #s1 #s2 #k #env #m #v #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_false ?? H2))
+    @refl
+| #f #e #s #k #env #m #v #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_false ?? H2))
+    @refl
+| #f #e #s #k #env #m #v #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_true ?? H2))
+    @refl
+| #f #s1 #e #s2 #k #env #m #H cases H; #es1 >es1 @refl
+| 13,14: #f #e #s #k #env #m @refl
+| #f #s1 #e #s2 #k #env #m #v #tr *; #es1 >es1 #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_false ?? H2))
+    @refl
+| #f #s1 #e #s2 #k #env #m #v #tr *; #es1 >es1 #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_true ?? H2))
+    @refl
+| #f #e #s #k #env #m @refl
+| #f #s1 #e #s2 #s3 #k #env #m #nskip whd in ⊢ (??%?); cases (is_Sskip s1);
+    [ #H @False_ind @(absurd ? H nskip)
+    | #H whd in ⊢ (??%?); @refl ]
+| #f #e #s1 #s2 #k #env #m #v #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_false ?? H2))
+    @refl
+| #f #e #s1 #s2 #k #env #m #v #tr #H1 #H2 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    >(yields_eq ??? (bool_of_true ?? H2))
+    @refl
+| #f #s1 #e #s2 #s3 #k #env #m *; #es1 >es1 @refl
+| 22,23: #f #e #s1 #s2 #k #env #m @refl
+| #f #k #env #m #H whd in ⊢ (??%?); >H @refl
+| #f #e #k #env #m #v #tr #H1 #H2 whd in ⊢ (??%?);
+    @(dec_false ? (type_eq_dec (fn_return f) Tvoid) H1) #pf'
+    whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H2)) whd in ⊢ (??%?);
+    @refl
+| #f #k #env #m cases k;
+    [ #H1 #H2 whd in ⊢ (??%?); >H2 @refl
+    | #s' #k' whd in ⊢ (% → ?); *;
+    | 3,4: #e' #s' #k' whd in ⊢ (% → ?); *;
+    | 5,6: #e' #s1' #s2' #k' whd in ⊢ (% → ?); *;
+    | #k' whd in ⊢ (% → ?); *;
+    | #r #f' #env' #k' #H1 #H2 whd in ⊢ (??%?); >H2 @refl
+    ]
+| #f #e #s #k #env #m #i #tr #H1 whd in ⊢ (??%?);
+    >(yields_eq ??? (expr_complete … H1)) whd in ⊢ (??%?);
+    @refl
+| #f #s #k #env #m *; #es >es @refl
+| #f #k #env #m @refl
+| #f #l #s #k #env #m @refl
+| #f #l #k #env #m #s #k' #H1 whd in ⊢ (??%?); >H1 @refl
+| #f #args #k #m1 #env #m2 #m3 #H1 #H2 whd in ⊢ (??%?);
+    >(alloc_vars_complete … H1) whd in ⊢ (??%?);
+    >(yields_eq ??? (bind_params_complete … H2))
+    //
+| #id #tys #rty #args #k #m #rv #tr #H whd in ⊢ (??%?);
+    inversion H; #f' #args' #rv' #eargs #erv #H1 #H2 #e1 #e2 #e3 #e4 <e1 in H1 H2
+    #H1 #H2
+    >(yields_eq ??? (eventval_list_match_complete … H1)) whd in ⊢ (??%?);
+    whd; inversion H2; #x #e5 #e6 #e7 %{ x} whd in ⊢ (??%?);
+    @refl
+| #v #f #env #k #m @refl
+| #v #f #env #k #m1 #m2 #sp #loc #ofs #ty #H whd in ⊢ (??%?);
+    >H @refl
+| #f #l #s #k #env #m @refl
+] qed.

Deliverables/D3.1/C-semantics/CexecEquiv.ma

-                      r485
+                      r487
 include "extralib.ma".
+include "Plogic/jmeq.ma".
+include "Plogic/connectives.ma".
+include "basics/jmeq.ma".
 (* A "single execution" - where all of the input values are made explicit. *)
 ncoinductive s_execution : Type ≝
+coinductive s_execution : Type[0] ≝
 | se_stop : trace → int → mem → s_execution
 | se_step : trace → state → s_execution → s_execution
 …
 | se_interact : ∀o:io_out. (io_in o → execution) → io_in o → s_execution → s_execution.
 ncoinductive single_exec_of : execution → s_execution → Prop ≝
+coinductive single_exec_of : execution → s_execution → Prop ≝
 | seo_stop : ∀tr,r,m. single_exec_of (e_stop tr r m) (se_stop tr r m)
 | seo_step : ∀tr,s,e,se.
 …
 (* starting after state s, zero or more steps of execution e reach state s'
    after which comes e'. *)
 ninductive execution_isteps : trace → state → s_execution → state → s_execution → Prop ≝
+inductive execution_isteps : trace → state → s_execution → state → s_execution → Prop ≝
 | isteps_none : ∀s,e. execution_isteps E0 s e s e
 | isteps_one : ∀e,e',tr,tr',s,s',s0.
 …
     execution_isteps (tr⧺tr') s0 (se_interact o k i (se_step tr s e)) s' e'.
 nlemma isteps_trans: ∀tr1,tr2,s1,s2,s3,e1,e2,e3.
+lemma isteps_trans: ∀tr1,tr2,s1,s2,s3,e1,e2,e3.
   execution_isteps tr1 s1 e1 s2 e2 →
   execution_isteps tr2 s2 e2 s3 e3 →
   execution_isteps (tr1⧺tr2) s1 e1 s3 e3.
 #tr1 tr2 s1 s2 s3 e1 e2 e3 H1; nelim H1;
 ##[ #s e; //;
+##| #e e' tr tr' s1' s2' s3' H1 H2 H3;
     nrewrite > (Eapp_assoc …);
     napply isteps_one;
     napply H2; napply H3;
+##| #e e' o k i s1' s2' s3' tr tr' H1 H2 H3;
     nrewrite > (Eapp_assoc …);
     napply isteps_interact;
+#tr1 #tr2 #s1 #s2 #s3 #e1 #e2 #e3 #H1 elim H1;
+[ #s #e //;
+| #e #e' #tr #tr' #s1' #s2' #s3' #H1 #H2 #H3
+    >(Eapp_assoc …)
+    @isteps_one
+    @H2 @H3
+| #e #e' #o #k #i #s1' #s2' #s3' #tr #tr' #H1 #H2 #H3
+    >(Eapp_assoc …)
+    @isteps_interact
     /2/
 ##] nqed.
 nlemma exec_e_step: ∀ge,x,tr,s,e.
+] qed.
+lemma exec_e_step: ∀ge,x,tr,s,e.
   exec_inf_aux ge x = e_step tr s e →
   exec_inf_aux ge (exec_step ge s) = e.
 #ge x tr s e;
 nrewrite > (exec_inf_aux_unfold …); ncases x;
 ##[ #o k EXEC; nwhd in EXEC:(??%?); ndestruct
 ##| #y; ncases y; #tr' s'; nwhd in ⊢ (??%? → ?);
     ncases (is_final_state s'); #FINAL EXEC; nwhd in EXEC:(??%?); ndestruct;
     napply refl;
 ##| #EXEC; nwhd in EXEC:(??%?); ndestruct
 ##] nqed.
 nlemma exec_e_step_inv: ∀ge,x,tr,s,e.
+#ge #x #tr #s #e
+>(exec_inf_aux_unfold …) cases x;
+[ #o #k #EXEC whd in EXEC:(??%?); destruct
+| #y cases y; #tr' #s' whd in ⊢ (??%? → ?);
+    cases (is_final_state s'); #FINAL #EXEC whd in EXEC:(??%?); destruct;
+    @refl
+| #EXEC whd in EXEC:(??%?); destruct
+] qed.
+lemma exec_e_step_inv: ∀ge,x,tr,s,e.
   exec_inf_aux ge x = e_step tr s e →
   x = Value ??? 〈tr,s〉.
 #ge x tr s e;
 nrewrite > (exec_inf_aux_unfold …); ncases x;
 ##[ #o k EXEC; nwhd in EXEC:(??%?); ndestruct
 ##| #y; ncases y; #tr' s'; nwhd in ⊢ (??%? → ?);
     ncases (is_final_state s'); #FINAL EXEC; nwhd in EXEC:(??%?); ndestruct;
     napply refl;
 ##| #EXEC; nwhd in EXEC:(??%?); ndestruct
 ##] nqed.
 nlemma exec_e_step_inv2: ∀ge,x,tr,s,e.
+#ge #x #tr #s #e
+>(exec_inf_aux_unfold …) cases x;
+[ #o #k #EXEC whd in EXEC:(??%?); destruct
+| #y cases y; #tr' #s' whd in ⊢ (??%? → ?);
+    cases (is_final_state s'); #FINAL #EXEC whd in EXEC:(??%?); destruct;
+    @refl
+| #EXEC whd in EXEC:(??%?); destruct
+] qed.
+lemma exec_e_step_inv2: ∀ge,x,tr,s,e.
   exec_inf_aux ge x = e_step tr s e →
   ¬∃r.final_state s r.
 #ge x tr s e;
 nrewrite > (exec_inf_aux_unfold …); ncases x;
 ##[ #o k EXEC; nwhd in EXEC:(??%?); ndestruct
 ##| #y; ncases y; #tr' s'; nwhd in ⊢ (??%? → ?);
     ncases (is_final_state s'); #FINAL EXEC; nwhd in EXEC:(??%?); ndestruct;
     napply FINAL;
 ##| #EXEC; nwhd in EXEC:(??%?); ndestruct
 ##] nqed.
 ndefinition exec_from : genv → state → s_execution → Prop ≝
+#ge #x #tr #s #e
+>(exec_inf_aux_unfold …) cases x;
+[ #o #k #EXEC whd in EXEC:(??%?); destruct
+| #y cases y; #tr' #s' whd in ⊢ (??%? → ?);
+    cases (is_final_state s'); #FINAL #EXEC whd in EXEC:(??%?); destruct;
+    @FINAL
+| #EXEC whd in EXEC:(??%?); destruct
+] qed.
+definition exec_from : genv → state → s_execution → Prop ≝
 λge,s,se. single_exec_of (exec_inf_aux ge (exec_step ge s)) se.
 nlemma exec_from_step : ∀ge,s,tr,s',e.
+lemma exec_from_step : ∀ge,s,tr,s',e.
 exec_from ge s (se_step tr s' e) →
 exec_step ge s = Value ??? 〈tr,s'〉 ∧ exec_from ge s' e.
 #ge s0 tr0 s0' e0 H; ninversion H;
 ##[ #tr r m E1 E2; ndestruct
 ##| #tr s e se H1 H2 E; ndestruct (E);
     nrewrite > (exec_e_step_inv … H2);
     nrewrite < (exec_e_step … H2) in H1; #H1; @; //
 ##| #_; #E; ndestruct
 ##| #o k i se H1 H2 E; ndestruct
 ##] nqed.
 nlemma exec_from_interact : ∀ge,s,o,k,i,tr,s',e.
+#ge #s0 #tr0 #s0' #e0 #H inversion H;
+[ #tr #r #m #E1 #E2 destruct
+| #tr #s #e #se #H1 #H2 #E destruct (E);
+    >(exec_e_step_inv … H2)
+    <(exec_e_step … H2) in H1 #H1 % //
+| #_ #E destruct
+| #o #k #i #se #H1 #H2 #E destruct
+] qed.
+lemma exec_from_interact : ∀ge,s,o,k,i,tr,s',e.
 exec_from ge s (se_interact o k i (se_step tr s' e)) →
 step ge s tr s' ∧
 (*exec_step ge s = Value ??? 〈tr,s'〉 ∧*) exec_from ge s' e.
 #ge s0 o0 k0 i0 tr0 s0' e0 H; ninversion H;
 ##[ #tr r m E1 E2; ndestruct
 ##| #tr s e se H1 H2 E; ndestruct (E)
 ##| #_; #E; ndestruct
 ##| #o k i se H1 H2 E; ndestruct (E);
     nlapply (exec_step_sound ge s0);
     ncases (exec_step ge s0) in H2 ⊢ %;
     ##[ #o' k'; nrewrite > (exec_inf_aux_unfold …);
         #E'; nwhd in E':(??%?); ndestruct (E');
         #STEP;
         ninversion H1;
         ##[ #tr r m E1 E2; ndestruct
         ##| #tr' s' e' se' H2 H3 E2; ndestruct (E2);
             nrewrite < (exec_e_step … H3) in H2; #H2; @; //;
             nlapply (STEP i);
             nrewrite > (exec_e_step_inv … H3);
             #S; napply S;
         ##| #_; #E; ndestruct
         ##| #o k i se H1 H2 E; ndestruct
         ##]
     ##| #x; ncases x; #tr' s'; nrewrite > (exec_inf_aux_unfold …);
         nwhd in ⊢ (??%? → ?); ncases (is_final_state s');
         #F E; nwhd in E:(??%?); ndestruct
     ##| nrewrite > (exec_inf_aux_unfold …);
         #E'; nwhd in E':(??%?); ndestruct (E');
     ##]
 ##] nqed.
 nlemma exec_from_interact_stop : ∀ge,s,o,k,i,tr,r,m.
+#ge #s0 #o0 #k0 #i0 #tr0 #s0' #e0 #H inversion H;
+[ #tr #r #m #E1 #E2 destruct
+| #tr #s #e #se #H1 #H2 #E destruct (E)
+| #_ #E destruct
+| #o #k #i #se #H1 #H2 #E destruct (E);
+    lapply (exec_step_sound ge s0);
+    cases (exec_step ge s0) in H2 ⊢ %;
+    [ #o' #k' >(exec_inf_aux_unfold …)
+        #E' whd in E':(??%?); destruct (E');
+        #STEP
+        inversion H1;
+        [ #tr #r #m #E1 #E2 destruct
+        | #tr' #s' #e' #se' #H2 #H3 #E2 destruct (E2);
+            <(exec_e_step … H3) in H2 #H2 % //;
+            lapply (STEP i);
+            >(exec_e_step_inv … H3)
+            #S @S
+        | #_ #E destruct
+        | #o #k #i #se #H1 #H2 #E destruct
+        ]
+    | #x cases x; #tr' #s' >(exec_inf_aux_unfold …)
+        whd in ⊢ (??%? → ?); cases (is_final_state s');
+        #F #E whd in E:(??%?); destruct
+    | >(exec_inf_aux_unfold …)
+        #E' whd in E':(??%?); destruct (E');
+    ]
+] qed.
+lemma exec_from_interact_stop : ∀ge,s,o,k,i,tr,r,m.
 exec_from ge s (se_interact o k i (se_stop tr r m)) →
 step ge s tr (Returnstate (Vint r) Kstop m).
 #ge s0 o0 k0 i0 tr0 s0' e0 H; ninversion H;
 ##[ #tr r m E1 E2; ndestruct
 ##| #tr s e se H1 H2 E; ndestruct (E)
 ##| #_; #E; ndestruct
 ##| #o k i se H1 H2 E; ndestruct (E);
     nlapply (exec_step_sound ge s0);
     nrewrite > (exec_inf_aux_unfold …) in H2;
     ncases (exec_step ge s0);
     ##[ #o' k';
         #E'; nwhd in E':(??%?); ndestruct (E');
         #STEP;
         ninversion H1;
         ##[ #tr r m E1 E2; nlapply (STEP i); ndestruct;
             nrewrite > (exec_inf_aux_unfold …) in E1;
             ncases (k' i);
             ##[ #o2 k2 E; nwhd in E:(??%?); ndestruct (E)
             ##| #x; ncases x; #tr2 s2; nwhd in ⊢ (??%? → ?);
                 ncases (is_final_state s2);
                 ##[ #F; ncases F; #r' FINAL E; nwhd in E:(??%?);
                     ndestruct (E);
                     ninversion FINAL;
                     #r'' m'' E1 E2; ndestruct (E1 E2); //;
                 ##| #NF E; nwhd in E:(??%?); ndestruct (E)
                 ##]
             ##| #E; nwhd in E:(??%?); ndestruct (E)
             ##]
        ##| #tr s e e' H EXEC E; ndestruct (E)
        ##| #EXEC E; ndestruct (E)
        ##| #o2 k2 i2 e2 H EXEC E; ndestruct (E)
        ##]
    ##| #x; ncases x; #tr s; nwhd in ⊢ (??%? → ?);
        ncases (is_final_state s); #F E; nwhd in E:(??%?); ndestruct (E)
    ##| #E; nwhd in E:(??%?); ndestruct (E)
    ##]
 ##] nqed.
+#ge #s0 #o0 #k0 #i0 #tr0 #s0' #e0 #H inversion H;
+[ #tr #r #m #E1 #E2 destruct
+| #tr #s #e #se #H1 #H2 #E destruct (E)
+| #_ #E destruct
+| #o #k #i #se #H1 #H2 #E destruct (E);
+    lapply (exec_step_sound ge s0);
+    >(exec_inf_aux_unfold …) in H2;
+    cases (exec_step ge s0);
+    [ #o' #k'
+        #E' whd in E':(??%?); destruct (E');
+        #STEP
+        inversion H1;
+        [ #tr #r #m #E1 #E2 lapply (STEP i); destruct;
+            >(exec_inf_aux_unfold …) in E1;
+            cases (k' i);
+            [ #o2 #k2 #E whd in E:(??%?); destruct (E)
+            | #x cases x; #tr2 #s2 whd in ⊢ (??%? → ?);
+                cases (is_final_state s2);
+                [ #F cases F; #r' #FINAL #E whd in E:(??%?);
+                    destruct (E);
+                    inversion FINAL;
+                    #r'' #m'' #E1 #E2 destruct (E1 E2); //;
+                | #NF #E whd in E:(??%?); destruct (E)
+                ]
+            | #E whd in E:(??%?); destruct (E)
+            ]
+       | #tr #s #e #e' #H #EXEC #E destruct (E)
+       | #EXEC #E destruct (E)
+       | #o2 #k2 #i2 #e2 #H #EXEC #E destruct (E)
+       ]
+   | #x cases x; #tr #s whd in ⊢ (??%? → ?);
+       cases (is_final_state s); #F #E whd in E:(??%?); destruct (E)
+   | #E whd in E:(??%?); destruct (E)
+   ]
+] qed.
 (* NB: the E0 in the execs are irrelevant. *)
 nlemma several_steps: ∀ge,tr,e,e',s,s'.
+lemma several_steps: ∀ge,tr,e,e',s,s'.
   execution_isteps tr s e s' e' →
   exec_from ge s e →
   star (mk_transrel … step) ge s tr s' ∧
   exec_from ge s' e'.
 #ge tr0 e0 e0' s0 s0' H;
 nelim H;
 ##[ #s e EXEC; @; //;
+##| #e1 e2 tr1 tr2 s1 s2 s3 STEPS IH EXEC;
     nelim (exec_from_step … EXEC); #EXEC3 EXEC1;
     nelim (IH EXEC1);
     #STAR12 EXEC2; @; //;
     nlapply (exec_step_sound ge s3);
     nrewrite > EXEC3; #STEP3;
     napply (star_step (mk_transrel ?? step) … STEP3 STAR12);
     napply refl
+##| #e1 e2 o k i s1 s2 s3 tr1 tr2 STEPS IH EXEC;
     nelim (exec_from_interact … EXEC);
     #STEP3 EXEC1;
     nelim (IH EXEC1); #STAR EXEC2;
     @;
     ##[ napply (star_step (mk_transrel ?? step) … STEP3 STAR);
         napply refl
     ##| //
     ##]
 ##] nqed.
 ninductive execution_terminates : trace → state → s_execution → int → mem → Prop ≝
+#ge #tr0 #e0 #e0' #s0 #s0' #H
+elim H;
+[ #s #e #EXEC % //;
+| #e1 #e2 #tr1 #tr2 #s1 #s2 #s3 #STEPS #IH #EXEC
+    elim (exec_from_step … EXEC); #EXEC3 #EXEC1
+    elim (IH EXEC1);
+    #STAR12 #EXEC2 % //;
+    lapply (exec_step_sound ge s3);
+    >EXEC3 #STEP3
+    @(star_step (mk_transrel ?? step) … STEP3 STAR12)
+    @refl
+| #e1 #e2 #o #k #i #s1 #s2 #s3 #tr1 #tr2 #STEPS #IH #EXEC
+    elim (exec_from_interact … EXEC);
+    #STEP3 #EXEC1
+    elim (IH EXEC1); #STAR #EXEC2
+    %
+    [ @(star_step (mk_transrel ?? step) … STEP3 STAR)
+        @refl
+    | //
+    ]
+] qed.
+inductive execution_terminates : trace → state → s_execution → int → mem → Prop ≝
 | terminates : ∀s,s',tr,tr',r,e,m.
     execution_isteps tr s e s' (se_stop tr' r m) →
 …
     execution_terminates (tr⧺tr') s (se_step E0 s e) r m.
 ncoinductive execution_diverging : s_execution → Prop ≝
+coinductive execution_diverging : s_execution → Prop ≝
 | diverging_step : ∀s,e. execution_diverging e → execution_diverging (se_step E0 s e).
 (* Makes a finite number of interactions (including cost labels) before diverging. *)
 ninductive execution_diverges : trace → state → s_execution → Prop ≝
+inductive execution_diverges : trace → state → s_execution → Prop ≝
 | diverges_diverging: ∀tr,s,s',e,e'.
     execution_isteps tr s e s' e' →
 …
 (* NB: "reacting" includes hitting a cost label. *)
 ncoinductive execution_reacting : traceinf → state → s_execution → Prop ≝
+coinductive execution_reacting : traceinf → state → s_execution → Prop ≝
 | reacting: ∀tr,tr',s,s',e,e'.
     execution_reacting tr' s' e' →
 …
     execution_reacting (tr⧻tr') s e.
 ninductive execution_reacts : traceinf → state → s_execution → Prop ≝
+inductive execution_reacts : traceinf → state → s_execution → Prop ≝
 | reacts: ∀tr,s,e.
     execution_reacting tr s e →
     execution_reacts tr s (se_step E0 s e).
 ninductive execution_goes_wrong: trace → state → s_execution → state → Prop ≝
+inductive execution_goes_wrong: trace → state → s_execution → state → Prop ≝
 | go_wrong: ∀tr,s,s',e.
     execution_isteps tr s e s' se_wrong →
     execution_goes_wrong tr s (se_step E0 s e) s'.
 nlet corec silent_sound ge s e
+let corec silent_sound ge s e
   (H0:execution_diverging e)
   (EXEC:exec_from ge s e)
   : forever_silent (mk_transrel ?? step) … ge s ≝ ?.
 ncut (∃s2.∃e2.And (And (execution_diverging e2) (step ge s E0 s2)) (exec_from ge s2 e2));
+##[ ncases H0 in EXEC ⊢ %; #s1 e1 H1 EXEC;
     nelim (exec_from_step … EXEC);
     #EXEC0 EXEC1;
     @ s1; @ e1; @; //; @; //;
     nlapply (exec_step_sound ge s); nrewrite > EXEC0; nwhd in ⊢ (% → ?); //;
+##| *; #s2; *; #e2; *; *; #H2 STEP2 EXEC2;
     napply (forever_silent_intro (mk_transrel ?? step) … ge s s2 ? (silent_sound ge s2 e2 ??));
+cut (∃s2.∃e2.And (And (execution_diverging e2) (step ge s E0 s2)) (exec_from ge s2 e2));
+[ cases H0 in EXEC ⊢ %; #s1 #e1 #H1 #EXEC
+    elim (exec_from_step … EXEC);
+    #EXEC0 #EXEC1
+    %{ s1} %{ e1} % //; % //;
+    lapply (exec_step_sound ge s); >EXEC0 whd in ⊢ (% → ?); #H @H
+| *; #s2 *; #e2 *; *; #H2 #STEP2 #EXEC2
+    @(forever_silent_intro (mk_transrel ?? step) … ge s s2 ? (silent_sound ge s2 e2 ??))
     //;
 ##] nqed.
 nlemma final_step: ∀ge,tr,r,m,s.
+] qed.
+lemma final_step: ∀ge,tr,r,m,s.
   exec_from ge s (se_stop tr r m) →
   step ge s tr (Returnstate (Vint r) Kstop m).
 #ge tr r m s EXEC;
 nwhd in EXEC;
 ninversion EXEC;
 ##[ #tr' r' m' EXEC' E; ndestruct (E);
     nlapply (exec_step_sound ge s);
     nrewrite > (exec_inf_aux_unfold …) in EXEC';
     ncases (exec_step ge s);
     ##[ #o k EXEC'; nwhd in EXEC':(??%?); ndestruct (EXEC');
     ##| #x; ncases x; #tr'' s'; nwhd in ⊢ (??%? → ?);
         ncases (is_final_state s'); #F; ##[ ##1: ncases F; #r'' FINAL; ##]
         #EXEC'; nwhd in EXEC':(??%?); ndestruct (EXEC');
     ##| #EXEC'; nwhd in EXEC':(??%?); ndestruct (EXEC');
     ##]
     ninversion FINAL; #r''' m' E1 E2 H; ndestruct (E1 E2);
     napply H;
 ##| #tr' s' e' se' H EXEC' E; ndestruct
 ##| #EXEC' E; ndestruct
 ##| #o k i e H EXEC E; ndestruct
 ##] nqed.
 nlemma e_stop_inv: ∀ge,x,tr,r,m.
+#ge #tr #r #m #s #EXEC
+whd in EXEC;
+inversion EXEC;
+[ #tr' #r' #m' #EXEC' #E destruct (E);
+    lapply (exec_step_sound ge s);
+    >(exec_inf_aux_unfold …) in EXEC';
+    cases (exec_step ge s);
+    [ #o #k #EXEC' whd in EXEC':(??%?); destruct (EXEC');
+    | #x cases x; #tr'' #s' whd in ⊢ (??%? → ?);
+        cases (is_final_state s'); #F [ 1: cases F; #r'' #FINAL ]
+        #EXEC' whd in EXEC':(??%?); destruct (EXEC');
+    | #EXEC' whd in EXEC':(??%?); destruct (EXEC');
+    ]
+    inversion FINAL; #r''' #m' #E1 #E2 #H destruct (E1 E2);
+    @H
+| #tr' #s' #e' #se' #H #EXEC' #E destruct
+| #EXEC' #E destruct
+| #o #k #i #e #H #EXEC #E destruct
+] qed.
+lemma e_stop_inv: ∀ge,x,tr,r,m.
   exec_inf_aux ge x = e_stop tr r m →
   x = Value ??? 〈tr,Returnstate (Vint r) Kstop m〉.
 #ge x tr r m;
 nrewrite > (exec_inf_aux_unfold …); ncases x;
 ##[ #o k EXEC; nwhd in EXEC:(??%?); ndestruct;
 ##| #z; ncases z; #tr' s'; nwhd in ⊢ (??%? → ?); ncases (is_final_state s');
   ##[ #F; ncases F; #r' FINAL; ncases FINAL; #r'' m' EXEC; nwhd in EXEC:(??%?);
       ndestruct (EXEC); napply refl;
   ##| #F EXEC; nwhd in EXEC:(??%?); ndestruct (EXEC);
   ##]
 ##| #EXEC; nwhd in EXEC:(??%?); ndestruct (EXEC);
 ##] nqed.
 nlemma terminates_sound: ∀ge,tr,s,r,m,e.
+#ge #x #tr #r #m
+>(exec_inf_aux_unfold …) cases x;
+[ #o #k #EXEC whd in EXEC:(??%?); destruct;
+| #z cases z; #tr' #s' whd in ⊢ (??%? → ?); cases (is_final_state s');
+  [ #F cases F; #r' #FINAL cases FINAL; #r'' #m' #EXEC whd in EXEC:(??%?);
+      destruct (EXEC); @refl
+  | #F #EXEC whd in EXEC:(??%?); destruct (EXEC);
+  ]
+| #EXEC whd in EXEC:(??%?); destruct (EXEC);
+] qed.
+lemma terminates_sound: ∀ge,tr,s,r,m,e.
   execution_terminates tr s (se_step E0 s e) r m →
   exec_from ge s e →
   star (mk_transrel … step) ge s tr (Returnstate (Vint r) Kstop m).
 #ge tr0 s0 r m e0 H; ninversion H;
+##[ #s s' tr tr' r e m ESTEPS E1 E2 E3 E4 E5 EXEC;
     ndestruct (E1 E2 E3 E4 E5);
     ncases (several_steps … ESTEPS EXEC); #STARs' EXECs';
     napply (star_right … STARs');
     ##[ ##2: napply (final_step ge tr' r m s' … EXECs');
     ##| ##skip
     ##| napply refl
     ##]
+##| #s s' tr tr' r e m o k i ESTEPS E1 E2 E3 E4 E5 EXEC;
     ndestruct;
     ncases (several_steps … ESTEPS EXEC); #STARs' EXECs';
     napply (star_right … STARs');
     ##[ napply tr'
     ##| napply (exec_from_interact_stop … EXECs');
     ##| napply refl
     ##]
 ##] nqed.
 nlet corec reacts_sound ge tr s e
+#ge #tr0 #s0 #r #m #e0 #H inversion H;
+[ #s #s' #tr #tr' #r #e #m #ESTEPS #E1 #E2 #E3 #E4 #E5 #EXEC
+    destruct (E1 E2 E3 E4 E5);
+    cases (several_steps … ESTEPS EXEC); #STARs' #EXECs'
+    @(star_right … STARs')
+    [ 2: @(final_step ge tr' r m s' … EXECs')
+    | skip
+    | @refl
+    ]
+| #s #s' #tr #tr' #r #e #m #o #k #i #ESTEPS #E1 #E2 #E3 #E4 #E5 #EXEC
+    destruct;
+    cases (several_steps … ESTEPS EXEC); #STARs' #EXECs'
+    @(star_right … STARs')
+    [ @tr'
+    | @(exec_from_interact_stop … EXECs')
+    | @refl
+    ]
+] qed.
+let corec reacts_sound ge tr s e
   (REACTS:execution_reacting tr s e)
   (EXEC:exec_from ge s e) :
   forever_reactive (mk_transrel … step) ge s tr ≝ ?.
 ncut (∃s'.∃e'.∃tr'.∃tr''.(And (And (And (execution_reacting tr'' s' e') (execution_isteps tr' s e s' e')) (tr' ≠ E0)) (tr = tr'⧻tr'')));
 ##[ ninversion REACTS;
     #tr0 tr' s0 s' e0 e' EREACTS ESTEPS REACTED E1 E2 E3; ndestruct (E2 E3);
     @ s'; @ e'; @ tr0; @ tr'; @; ##[ @; ##[ @; //; ##| napply REACTED ##] ##| napply refl ##]
+##| *; #s'; *; #e'; *; #tr'; *; #tr'';
     *; *; *; #REACTS' ESTEPS REACTED APPTR;
 (*    nrewrite > APPTR;*)
     napply (match sym_eq ??? APPTR return λx.λ_.forever_reactive (mk_transrel genv state step) ge s x with [ refl ⇒ ? ]);
     @;
     ncases (several_steps … ESTEPS EXEC); #STEPS EXEC';
     ##[ ##2: napply STEPS;
     ##| ##skip
     ##| napply REACTED
     ##| napply reacts_sound;
       ##[ ##2: napply REACTS';
       ##| ##skip
       ##| napply EXEC'
       ##]
     ##]
 nqed.
 nlemma exec_from_wrong: ∀ge,s.
+cut (∃s'.∃e'.∃tr'.∃tr''.(And (And (And (execution_reacting tr'' s' e') (execution_isteps tr' s e s' e')) (tr' ≠ E0)) (tr = tr'⧻tr'')));
+[ inversion REACTS;
+    #tr0 #tr' #s0 #s' #e0 #e' #EREACTS #ESTEPS #REACTED #E1 #E2 #E3 destruct (E2 E3);
+    %{ s'} %{ e'} %{ tr0} %{ tr'} % [ % [ % //; | @REACTED ] | @refl ]
+| *; #s' *; #e' *; #tr' *; #tr''
+    *; *; *; #REACTS' #ESTEPS #REACTED #APPTR
+(*    >APPTR *)
+    @(match sym_eq ??? APPTR return λx.λ_.forever_reactive (mk_transrel genv state step) ge s x with [ refl ⇒ ? ])
+    %
+    cases (several_steps … ESTEPS EXEC); #STEPS #EXEC'
+    [ 2: @STEPS
+    | skip
+    | @REACTED
+    | @reacts_sound
+      [ 2: @REACTS'
+      | skip
+      | @EXEC'
+      ]
+    ]
+qed.
+lemma exec_from_wrong: ∀ge,s.
   exec_from ge s se_wrong →
   exec_step ge s = Wrong ???.
 #ge s H; nwhd in H;
 ninversion H;
 ##[ #tr r m EXEC E; ndestruct (E)
 ##| #tr s' e e' H EXEC E; ndestruct (E)
+##| nrewrite > (exec_inf_aux_unfold …);
     ncases (exec_step ge s);
   ##[ #o k EXEC; nwhd in EXEC:(??%?); ndestruct
   ##| #x; ncases x; #tr s'; nwhd in ⊢ (??%? → ?); ncases (is_final_state s');
       #F EXEC; nwhd in EXEC:(??%?); ndestruct
   ##| //
   ##]
 ##| #o k i e H EXEC E; ndestruct
 ##] nqed.
 nlemma exec_from_step_notfinal: ∀ge,s,tr,s',e.
+#ge #s #H whd in H;
+inversion H;
+[ #tr #r #m #EXEC #E destruct (E)
+| #tr #s' #e #e' #H #EXEC #E destruct (E)
+| >(exec_inf_aux_unfold …)
+    cases (exec_step ge s);
+  [ #o #k #EXEC whd in EXEC:(??%?); destruct
+  | #x cases x; #tr #s' whd in ⊢ (??%? → ?); cases (is_final_state s');
+      #F #EXEC whd in EXEC:(??%?); destruct
+  | //
+  ]
+| #o #k #i #e #H #EXEC #E destruct
+] qed.
+lemma exec_from_step_notfinal: ∀ge,s,tr,s',e.
   exec_from ge s (se_step tr s' e) →
   ¬(∃r. final_state s' r).
 #ge s tr s' e H; nwhd in H; ninversion H;
 ##[ #tr' r m EXEC E; ndestruct
 ##| #tr' s'' e' e'' H EXEC E; ndestruct (E);
     nrewrite > (exec_inf_aux_unfold …) in EXEC;
     ncases (exec_step ge s);
     ##[ #o k EXEC; nwhd in EXEC:(??%?); ndestruct
     ##| #x; ncases x; #tr1 s1; nwhd in ⊢ (??%? → ?); ncases (is_final_state s1);
         #F E; nwhd in E:(??%?); ndestruct; napply F;
     ##| #E; nwhd in E:(??%?); ndestruct
     ##]
 ##| #EXEC E; ndestruct
 ##| #o k i e' H EXEC E; ndestruct
 ##] nqed.
 nlemma exec_from_interact_step_notfinal: ∀ge,s,o,k,i,tr,s',e.
+#ge #s #tr #s' #e #H whd in H; inversion H;
+[ #tr' #r #m #EXEC #E destruct
+| #tr' #s'' #e' #e'' #H #EXEC #E destruct (E);
+    >(exec_inf_aux_unfold …) in EXEC;
+    cases (exec_step ge s);
+    [ #o #k #EXEC whd in EXEC:(??%?); destruct
+    | #x cases x; #tr1 #s1 whd in ⊢ (??%? → ?); cases (is_final_state s1);
+        #F #E whd in E:(??%?); destruct; @F
+    | #E whd in E:(??%?); destruct
+    ]
+| #EXEC #E destruct
+| #o #k #i #e' #H #EXEC #E destruct
+] qed.
+lemma exec_from_interact_step_notfinal: ∀ge,s,o,k,i,tr,s',e.
   exec_from ge s (se_interact o k i (se_step tr s' e)) →
   ¬(∃r. final_state s' r).
 #ge s o k i tr s' e H;
+@; *; #r F; ncases F in H; #r' m H;
 ninversion H;
 ##[ #tr' r m EXEC E; ndestruct
 ##| #tr' s'' e' e'' H EXEC E; ndestruct (E);
 ##| #EXEC E; ndestruct
 ##| #o' k' i' e' H EXEC E; ndestruct;
     nrewrite > (exec_inf_aux_unfold …) in EXEC;
     ncases (exec_step ge s);
     ##[ #o1 k1 EXEC1; nwhd in EXEC1:(??%?); ndestruct (EXEC1);
         ninversion H;
         ##[ #tr1 r1 m1 EXECK E; ndestruct (E);
         ##| #tr1 s1 e1 e2 H1 EXECK E; ndestruct (E);
             nrewrite > (exec_inf_aux_unfold …) in EXECK;
             ncases (k1 i');
             ##[ #o2 k2 EXECK; nwhd in EXECK:(??%?); ndestruct
             ##| #x; ncases x; #tr2 s2; nwhd in ⊢ (??%? → ?);
                 ncases (is_final_state s2); #F EXECK;
                 nwhd in EXECK:(??%?); ndestruct;
                 napply (absurd ?? F);
                 @ r'; //;
             ##| #E; nwhd in E:(??%?); ndestruct
             ##]
         ##| #EXECK E;  nwhd in E:(??%?); ndestruct
         ##| #o2 k2 i2 e2 H2 EXECK E; ndestruct
         ##]
     ##| #x; ncases x; #tr1 s1; nwhd in ⊢ (??%? → ?);
         ncases (is_final_state s1); #F E; nwhd in E:(??%?); ndestruct;
     ##| #E; nwhd in E:(??%?); ndestruct
     ##]
 ##] nqed.
 nlemma wrong_sound: ∀ge,tr,s,s',e.
+#ge #s #o #k #i #tr #s' #e #H
+% *; #r #F cases F in H; #r' #m #H
+inversion H;
+[ #tr' #r #m #EXEC #E destruct
+| #tr' #s'' #e' #e'' #H #EXEC #E destruct (E);
+| #EXEC #E destruct
+| #o' #k' #i' #e' #H #EXEC #E destruct;
+    >(exec_inf_aux_unfold …) in EXEC;
+    cases (exec_step ge s);
+    [ #o1 #k1 #EXEC1 whd in EXEC1:(??%?); destruct (EXEC1);
+        inversion H;
+        [ #tr1 #r1 #m1 #EXECK #E destruct (E);
+        | #tr1 #s1 #e1 #e2 #H1 #EXECK #E destruct (E);
+            >(exec_inf_aux_unfold …) in EXECK;
+            cases (k1 i');
+            [ #o2 #k2 #EXECK whd in EXECK:(??%?); destruct
+            | #x cases x; #tr2 #s2 whd in ⊢ (??%? → ?);
+                cases (is_final_state s2); #F #EXECK
+                whd in EXECK:(??%?); destruct;
+                @(absurd ?? F)
+                %{ r'} //;
+            | #E whd in E:(??%?); destruct
+            ]
+        | #EXECK #E  whd in E:(??%?); destruct
+        | #o2 #k2 #i2 #e2 #H2 #EXECK #E destruct
+        ]
+    | #x cases x; #tr1 #s1 whd in ⊢ (??%? → ?);
+        cases (is_final_state s1); #F #E whd in E:(??%?); destruct;
+    | #E whd in E:(??%?); destruct
+    ]
+] qed.
+lemma wrong_sound: ∀ge,tr,s,s',e.
   execution_goes_wrong tr s (se_step E0 s e) s' →
   exec_from ge s e →
 …
   nostep (mk_transrel … step) ge s' ∧
   (¬∃r. final_state s' r).
 #ge tr0 s0 s0' e0 WRONG; ninversion WRONG;
 #tr s s' e ESTEPS E1 E2 E3 E4 EXEC NOTFINAL; ndestruct (E1 E2 E3 E4);
 ncases (several_steps … ESTEPS EXEC);
 #STAR EXEC'; @;
+##[ @; ##[ napply STAR;
        ##| #badtr bads; @; #badSTEP;
            nlapply (step_complete … badSTEP);
            nrewrite > (exec_from_wrong … EXEC');
+#ge #tr0 #s0 #s0' #e0 #WRONG inversion WRONG;
+#tr #s #s' #e #ESTEPS #E1 #E2 #E3 #E4 #EXEC #NOTFINAL destruct (E1 E2 E3 E4);
+cases (several_steps … ESTEPS EXEC);
+#STAR #EXEC' %
+[ % [ @STAR
+       | #badtr #bads % #badSTEP
+           lapply (step_complete … badSTEP);
+           >(exec_from_wrong … EXEC')
            //;
        ##]
+##| @;
     nelim ESTEPS in NOTFINAL EXEC ⊢ %;
     ##[ #s1 e1 NF EX F; napply (absurd ? F NF);
     ##| #e1 e2 tr1 tr2 s1 s2 s3 ESTEPS1 IH NF EXEC;
         ncases (exec_from_step … EXEC); #EXEC3 EXEC1;
         napply (IH … EXEC1);
         napply (exec_from_step_notfinal … EXEC);
     ##| #e1 e2 o k i s1 s2 s3 tr1 tr2 ESTEPS1 IH NF EXEC;
         napply IH;
         ##[ napply (exec_from_interact_step_notfinal … EXEC);
         ##| ncases (exec_from_interact … EXEC); //;
         ##]
     ##]
 ##] nqed.
 ninductive execution_characterisation : state → s_execution → Prop ≝
+       ]
+| %
+    elim ESTEPS in NOTFINAL EXEC ⊢ %;
+    [ #s1 #e1 #NF #EX #F @(absurd ? F NF)
+    | #e1 #e2 #tr1 #tr2 #s1 #s2 #s3 #ESTEPS1 #IH #NF #EXEC
+        cases (exec_from_step … EXEC); #EXEC3 #EXEC1
+        @(IH … EXEC1)
+        @(exec_from_step_notfinal … EXEC)
+    | #e1 #e2 #o #k #i #s1 #s2 #s3 #tr1 #tr2 #ESTEPS1 #IH #NF #EXEC
+        @IH
+        [ @(exec_from_interact_step_notfinal … EXEC)
+        | cases (exec_from_interact … EXEC); //;
+        ]
+    ]
+] qed.
+inductive execution_characterisation : state → s_execution → Prop ≝
 | ec_terminates: ∀s,r,m,e,tr.
     execution_terminates tr s e r m →
 …
 (* bit of a hack to avoid inability to reduce term in match *)
 ndefinition interact_prop : ∀A:Type.(∀o:io_out. (io_in o → IO io_out io_in A) → Prop) → IO io_out io_in A → Prop ≝
+definition interact_prop : ∀A:Type[0].(∀o:io_out. (io_in o → IO io_out io_in A) → Prop) → IO io_out io_in A → Prop ≝
 λA,P,e. match e return λ_.Prop with [ Interact o k ⇒ P o k | _ ⇒ True ].
 nlemma err_does_not_interact: ∀A,B,P,e1,e2.
+lemma err_does_not_interact: ∀A,B,P,e1,e2.
   (∀x:B.interact_prop A P (e2 x)) →
   interact_prop A P (bindIO ?? B A (err_to_io ??? e1) e2).
 #A B P e1 e2 H;
 ncases e1; //; nqed.
 nlemma err2_does_not_interact: ∀A,B,C,P,e1,e2.
+#A #B #P #e1 #e2 #H
+cases e1; //; qed.
+lemma err2_does_not_interact: ∀A,B,C,P,e1,e2.
   (∀x,y.interact_prop A P (e2 x y)) →
   interact_prop A P (bindIO2 ?? B C A (err_to_io ??? e1) e2).
 #A B C P e1 e2 H;
 ncases e1; ##[ #z; ncases z; ##] //; nqed.
 nlemma err_sig_does_not_interact: ∀A,B,P.∀Q:B→Prop.∀e1,e2.
+#A #B #C #P #e1 #e2 #H
+cases e1; [ #z cases z; ] //; qed.
+lemma err_sig_does_not_interact: ∀A,B,P.∀Q:B→Prop.∀e1,e2.
   (∀x.interact_prop A P (e2 x)) →
   interact_prop A P (bindIO ?? (sigma B Q) A (err_to_io_sig ??? Q e1) e2).
 #A B P Q e1 e2 H;
 ncases e1; //; nqed.
 nlemma opt_does_not_interact: ∀A,B,P,e1,e2.
+  interact_prop A P (bindIO ?? (Sig B Q) A (err_to_io_sig ??? Q e1) e2).
+#A #B #P #Q #e1 #e2 #H
+cases e1; //; qed.
+lemma opt_does_not_interact: ∀A,B,P,e1,e2.
   (∀x:B.interact_prop A P (e2 x)) →
   interact_prop A P (bindIO ?? B A (opt_to_io ??? e1) e2).
 #A B P e1 e2 H;
 ncases e1; //; nqed.
 nlemma exec_step_interaction:
+#A #B #P #e1 #e2 #H
+cases e1; //; qed.
+lemma exec_step_interaction:
   ∀ge,s. interact_prop ? (λo,k. ∀i.∃tr.∃s'. k i = Value ??? 〈tr,s'〉 ∧ tr ≠ E0) (exec_step ge s).
+#ge s; ncases s;
+##[ #f st kk e m; ncases st;
+  ##[ ##11,14: #a ##| ##2,4,6,7,12,13,15: #a b ##| ##3,5: #a b c ##| ##8: #a b c d ##]
+  ##[ ##4,6,8,9: napply I ##]
+  nwhd in ⊢ (???%);
+  ##[ ncases a; ##[ ncases (fn_return f); //; ##| #e; nwhd nodelta in ⊢ (???%);
+                    ncases (type_eq_dec (fn_return f) Tvoid); #x; //; napply err2_does_not_interact; // ##]
+  ##| ncases (find_label a (fn_body f) (call_cont kk)); ##[ napply I ##| #z; ncases z; #x y; napply I ##]
+  ##| napply err2_does_not_interact; #x1 x2; napply err2_does_not_interact; #x3 x4; napply opt_does_not_interact; #x5; napply I
+  ##| ##4,7: napply err2_does_not_interact; #x1 x2; napply err_does_not_interact; #x3; napply I
+  ##| napply err2_does_not_interact; #x1 x2; ncases x1; //;
+  ##| napply err2_does_not_interact; #x1 x2; napply err2_does_not_interact; #x3 x4; napply opt_does_not_interact; #x5;  napply err_does_not_interact; #x6; ncases a;
+      ##[ napply I; ##| #x7; napply err2_does_not_interact; #x8 x9; napply I ##]
+  ##| ncases (is_Sskip a); #H; ##[ napply err2_does_not_interact; #x1 x2; napply err_does_not_interact; #x3; napply I
+      ##| napply I ##]
+  ##| ncases kk; ##[ ##1,8: ncases (fn_return f); //; ##| ##2,3,5,6,7: //;
+      ##| #z1 z2 z3; napply err2_does_not_interact; #x1 x2; napply err_does_not_interact; #x3; ncases x3; napply I ##]
+  ##| ncases kk; //;
+  ##| ncases kk; ##[ ##4: #z1 z2 z3;  napply err2_does_not_interact; #x1 x2; napply err_does_not_interact; #x3; ncases x3; napply I
+      ##| ##*: // ##]
+  ##]
+##| #f args kk m; ncases f;
+  ##[ #f'; nwhd in ⊢ (???%); ncases (exec_alloc_variables empty_env m (fn_params f'@fn_vars f'));
+      #x; ncases x; ##[ *; ##| #z; ncases z; #x1 x2 H;
+                        napply err_sig_does_not_interact; //; ##]
+#ge #s cases s;
+[ #f #st #kk #e #m cases st;
+  [ 11,14: #a | 2,4,6,7,12,13,15: #a #b | 3,5: #a #b #c | 8: #a #b #c #d ]
+  [ 4,6,8,9: @I ]
+  whd in ⊢ (???%);
+  [ cases a; [ cases (fn_return f); //; | #e whd nodelta in ⊢ (???%);
+                    cases (type_eq_dec (fn_return f) Tvoid); #x //; @err2_does_not_interact // ]
+  | cases (find_label a (fn_body f) (call_cont kk)); [ @I | #z cases z #x #y @I ]
+  | @err2_does_not_interact #x1 #x2 @err2_does_not_interact #x3 #x4 @opt_does_not_interact #x5 @I
+  | 4,7: @err2_does_not_interact #x1 #x2 @err_does_not_interact #x3 @I
+  | @err2_does_not_interact #x1 #x2 cases x1; //;
+  | @err2_does_not_interact #x1 #x2 @err2_does_not_interact #x3 #x4 @opt_does_not_interact #x5  @err_does_not_interact #x6 cases a;
+      [ @I | #x7 @err2_does_not_interact #x8 #x9 @I ]
+  | cases (is_Sskip a); #H [ @err2_does_not_interact #x1 #x2 @err_does_not_interact #x3 @I
+      | @I ]
+  | cases kk; [ 1,8: cases (fn_return f); //; | 2,3,5,6,7: //;
+      | #z1 #z2 #z3 @err2_does_not_interact #x1 #x2 @err_does_not_interact #x3 cases x3; @I ]
+  | cases kk; //;
+  | cases kk; [ 4: #z1 #z2 #z3  @err2_does_not_interact #x1 #x2 @err_does_not_interact #x3 cases x3; @I
+      | *: // ]
+  ]
+| #f #args #kk #m cases f;
+  [ #f' whd in ⊢ (???%); cases (exec_alloc_variables empty_env m (fn_params f'@fn_vars f'))
+    #x1 #x2 whd in ⊢ (???%) @err_does_not_interact //
   (* This is the only case that actually matters! *)
   ##| #fn argtys rty; nwhd in ⊢ (???%);
       napply  err_sig_does_not_interact; #x1;
       nwhd; #i; @; ##[ ##2: @; ##[ ##2: @; ##[ @; nwhd in ⊢ (??%?); napply refl;
         ##| @; #E; nwhd in E:(??%%); ndestruct (E); ##] ##] ##]
   ##]
 ##| #v kk m; nwhd in ⊢ (???%); ncases kk;
     ##[ ##8: #x1 x2 x3 x4; ncases x1;
       ##[ nwhd in ⊢ (???%); ncases v; // ##| #x5; nwhd in ⊢ (???%); ncases x5;
           #x6 x7; napply opt_does_not_interact; // ##]
     ##| ##*: // ##]
 ##] nqed.
+  | #fn #argtys #rty whd in ⊢ (???%);
+      @err_does_not_interact #x1
+      whd; #i % [ 2: % [ 2: % [ % whd in ⊢ (??%?); @refl
+        | % #E whd in E:(??%%); destruct (E); ] ] ]
+  ]
+| #v #kk #m whd in ⊢ (???%); cases kk;
+    [ 8: #x1 #x2 #x3 #x4 cases x1;
+      [ whd in ⊢ (???%); cases v; // | #x5 whd in ⊢ (???%); cases x5;
+          #x6 #x7 @opt_does_not_interact // ]
+    | *: // ]
+] qed.
 (* Some classical logic (roughly like a fragment of Coq's library) *)
 nlemma classical_doubleneg:
+lemma classical_doubleneg:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀P:Prop. ¬ (¬ P) → P.
 #classic P; *; #H;
 ncases (classic P);
 ##[ // ##| #H'; napply False_ind; /2/; ##]
 nqed.
 nlemma classical_not_all_not_ex:
+#classic #P *; #H
+cases (classic P);
+[ // | #H' @False_ind /2/; ]
+qed.
+lemma classical_not_all_not_ex:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀A:Type.∀P:A → Prop. ¬ (∀x. ¬ P x) → ∃x. P x.
 #classic A P; *; #H;
+napply (classical_doubleneg classic); @; *; #H';
+napply H; #x; @; #H''; napply H'; @x; napply H'';
 nqed.
 nlemma classical_not_all_ex_not:
+  ∀A:Type[0].∀P:A → Prop. ¬ (∀x. ¬ P x) → ∃x. P x.
+#classic #A #P *; #H
+@(classical_doubleneg classic) % *; #H'
+@H #x % #H'' @H' %{x} @H''
+qed.
+lemma classical_not_all_ex_not:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀A:Type.∀P:A → Prop. ¬ (∀x. P x) → ∃x. ¬ P x.
 #classic A P; *; #H;
+napply (classical_not_all_not_ex classic A (λx.¬ P x));
+@; #H'; napply H; #x; napply (classical_doubleneg classic);
+napply H';
 nqed.
 nlemma not_ex_all_not:
   ∀A:Type.∀P:A → Prop. ¬ (∃x. P x) → ∀x. ¬ P x.
 #A P; *; #H x; @; #H';
+napply H; @ x; napply H';
 nqed.
 nlemma not_imply_elim:
+  ∀A:Type[0].∀P:A → Prop. ¬ (∀x. P x) → ∃x. ¬ P x.
+#classic #A #P *; #H
+@(classical_not_all_not_ex classic A (λx.¬ P x))
+% #H' @H #x @(classical_doubleneg classic)
+@H'
+qed.
+lemma not_ex_all_not:
+  ∀A:Type[0].∀P:A → Prop. ¬ (∃x. P x) → ∀x. ¬ P x.
+#A #P *; #H #x % #H'
+@H %{ x} @H'
+qed.
+lemma not_imply_elim:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀P,Q:Prop. ¬ (P → Q) → P.
 #classic P Q; *; #H;
+napply (classical_doubleneg classic); @; *; #H';
+napply H; #H''; napply False_ind; napply H'; napply H'';
 nqed.
 nlemma not_imply_elim2:
+#classic #P #Q *; #H
+@(classical_doubleneg classic) % *; #H'
+@H #H'' @False_ind @H' @H''
+qed.
+lemma not_imply_elim2:
   ∀P,Q:Prop. ¬ (P → Q) → ¬ Q.
 #P Q; *; #H; @; #H';
+napply H; #_; napply H';
 nqed.
 nlemma imply_to_and:
+#P #Q *; #H % #H'
+@H #_ @H'
+qed.
+lemma imply_to_and:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀P,Q:Prop. ¬ (P → Q) → P ∧ ¬Q.
 #classic P Q H; @;
+##[ napply (not_imply_elim classic P Q H);
+##| napply (not_imply_elim2 P Q H);
 ##] nqed.
 nlemma not_and_to_imply:
+#classic #P #Q #H %
+[ @(not_imply_elim classic P Q H)
+| @(not_imply_elim2 P Q H)
+] qed.
+lemma not_and_to_imply:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀P,Q:Prop. ¬ (P ∧ Q) → P → ¬Q.
 #classic P Q; *; #H H';
 @; #H''; napply H; @; //;
 nqed.
 ninductive execution_not_over : s_execution → Prop ≝
+#classic #P #Q *; #H #H'
+% #H'' @H % //;
+qed.
+inductive execution_not_over : s_execution → Prop ≝
 | eno_step: ∀tr,s,e. execution_not_over (se_step tr s e)
 | eno_interact: ∀o,k,tr,s,e,i. execution_not_over (se_interact o k i (se_step tr s e)).
 nlemma eno_stop: ∀tr,r,m. execution_not_over (se_stop tr r m) → False.
 #tr0 r0 m0 H; ninversion H;
 ##[ #tr s e E; ndestruct
 ##| #o k tr s e i E; ndestruct
 ##] nqed.
 nlemma eno_wrong: execution_not_over se_wrong → False.
 #H; ninversion H;
 ##[ #tr s e E; ndestruct
 ##| #o k tr s e i E; ndestruct
 ##] nqed.
 nlet corec show_divergence s e
+lemma eno_stop: ∀tr,r,m. execution_not_over (se_stop tr r m) → False.
+#tr0 #r0 #m0 #H inversion H;
+[ #tr #s #e #E destruct
+| #o #k #tr #s #e #i #E destruct
+] qed.
+lemma eno_wrong: execution_not_over se_wrong → False.
+#H inversion H;
+[ #tr #s #e #E destruct
+| #o #k #tr #s #e #i #E destruct
+] qed.
+let corec show_divergence s e
  (NONTERMINATING:∀tr1,s1,e1. execution_isteps tr1 s e s1 e1 →
                  execution_not_over e1)
  (UNREACTIVE:∀tr2,s2,e2. execution_isteps tr2 s e s2 e2 → tr2 = E0)
  (CONTINUES:∀tr2,s2,o,k,i,e'. execution_isteps tr2 s e s2 (se_interact o k i e') → ∃tr3.∃s3.∃e3. e' = se_step tr3 s3 e3 ∧ tr3 ≠ E0)
+ (CONTINUES:∀tr2,s2,o,k,i,e'. execution_isteps tr2 s e s2 (se_interact o k i e') → ∃tr3.∃s3.∃e3. And (e' = se_step tr3 s3 e3) (tr3 ≠ E0))
  : execution_diverging e ≝ ?.
+nlapply (NONTERMINATING E0 s e ?); //;
+ncases e in UNREACTIVE NONTERMINATING CONTINUES ⊢ %;
+##[ #tr i m; #_; #_; #_; #ENO; nelim (eno_stop … ENO);
+##| #tr s' e' UNREACTIVE; nlapply (UNREACTIVE tr s' e' ?);
+  ##[ nrewrite < (E0_right tr) in ⊢ (?%????);
+      napply isteps_one; napply isteps_none;
+  ##| #TR; napply (match sym_eq ??? TR with [ refl ⇒ ? ]); (* nrewrite > TR in UNREACTIVE ⊢ %;*)
+      #NONTERMINATING CONTINUES; #_; @;
+      napply (show_divergence s');
+      ##[ #tr1 s1 e1 S; napply (NONTERMINATING tr1 s1 e1);
+        nchange in ⊢ (?%????) with (Eapp E0 tr1); napply isteps_one;
+        napply S;
+      ##| #tr2 s2 e2 S; nrewrite > TR in UNREACTIVE; #UNREACTIVE; napply (UNREACTIVE tr2 s2 e2);
+          nchange in ⊢ (?%????) with (Eapp E0 tr2);
+          napply isteps_one; napply S;
+      ##| #tr2 s2 o k i e2 S; napply (CONTINUES tr2 s2 o k i);
+          nchange in ⊢ (?%????) with (Eapp E0 tr2);
+          napply (isteps_one … S);
+      ##]
+  ##]
+##| #_; #_; #_; #ENO; nelim (eno_wrong … ENO);
+##| #o k i e' UNREACTIVE NONTERMINATING CONTINUES; #_;
+    nlapply (CONTINUES E0 s o k i e' (isteps_none …));
+    *; #tr'; *; #s'; *; #e'; *; #EXEC NOTSILENT;
+    napply False_ind; napply (absurd ?? NOTSILENT);
+    napply (UNREACTIVE … s' e');
+    nrewrite < (E0_right tr') in ⊢ (?%????);
+    nrewrite > EXEC;
+    napply isteps_interact; //;
+##] nqed.
+nlemma se_inv: ∀e1,e2.
+lapply (NONTERMINATING E0 s e ?); //;
+cases e in UNREACTIVE NONTERMINATING CONTINUES ⊢ %;
+[ #tr #i #m #_ #_ #_ #ENO elim (eno_stop … ENO);
+| #tr #s' #e' #UNREACTIVE lapply (UNREACTIVE tr s' e' ?);
+  [ <(E0_right tr) in ⊢ (?%????)
+      @isteps_one @isteps_none
+  | #TR @(match sym_eq ??? TR with [ refl ⇒ ? ]) (* >TR in UNREACTIVE ⊢ % *)
+      #NONTERMINATING #CONTINUES #_ %
+      @(show_divergence s')
+      [ #tr1 #s1 #e1 #S @(NONTERMINATING tr1 s1 e1)
+        change in ⊢ (?%????) with (Eapp E0 tr1); @isteps_one
+        @S
+      | #tr2 #s2 #e2 #S >TR in UNREACTIVE #UNREACTIVE @(UNREACTIVE tr2 s2 e2)
+          change in ⊢ (?%????) with (Eapp E0 tr2);
+          @isteps_one @S
+      | #tr2 #s2 #o #k #i #e2 #S @(CONTINUES tr2 s2 o k i)
+          change in ⊢ (?%????) with (Eapp E0 tr2);
+          @(isteps_one … S)
+      ]
+  ]
+| #_ #_ #_ #ENO elim (eno_wrong … ENO);
+| #o #k #i #e' #UNREACTIVE #NONTERMINATING #CONTINUES #_
+    lapply (CONTINUES E0 s o k i e' (isteps_none …));
+    *; #tr' *; #s' *; #e' *; #EXEC #NOTSILENT
+    @False_ind @(absurd ?? NOTSILENT)
+    @(UNREACTIVE … s' e')
+    <(E0_right tr') in ⊢ (?%????)
+    >EXEC
+    @isteps_interact //;
+] qed.
+(* XXX == > jmeq notation and coercion *)
+lemma jmeq_to_eq : ∀A:Type[0].∀a,b:A.jmeq A a A b → a = b.
+#A #a #b #E @gral @jm_to_eq_sigma @E
+qed.
+coercion jmeq_to_eq : ∀A:Type[0].∀a,b:A.∀p:jmeq A a A b.a = b ≝
+  jmeq_to_eq on _p: jmeq ???? to eq ???.
+notation > "hvbox(a break ≃ b)"
+  non associative with precedence 45
+for @{ 'jmeq ? $a ? $b }.
+notation < "hvbox(term 46 a break maction (≃) (≃\sub(t,u)) term 46 b)"
+  non associative with precedence 45
+for @{ 'jmeq $t $a $u $b }.
+interpretation "john major's equality" 'jmeq t x u y = (jmeq t x u y).
+(* XXX < == *)
+lemma se_inv: ∀e1,e2.
   single_exec_of e1 e2 →
   match e1 with
 …
   | e_interact o k ⇒ match e2 with [ se_interact o' k' i e ⇒ o' = o ∧ k' ≃ k ∧ single_exec_of (k' i) e | _ ⇒ False ]
   ].
 #e01 e02 H;
 ncases H;
 ##[ #tr r m; nwhd; @; ##[ @ ##] //
 ##| #tr s e1' e2' H'; nwhd; @; ##[ @ ##] //
 ##| nwhd; //
 ##| #o k i e H'; nwhd; @; ##[ @ ##] //
 ##] nqed.
 nlemma interaction_is_not_silent: ∀ge,o,k,i,tr,s,s',e.
+#e01 #e02 #H
+cases H;
+[ #tr #r #m whd; % [ % ] //
+| #tr #s #e1' #e2' #H' whd; % [ % ] //
+| whd; //
+| #o #k #i #e #H' whd; % [ % ] //
+] qed.
+lemma interaction_is_not_silent: ∀ge,o,k,i,tr,s,s',e.
   exec_from ge s (se_interact o k i (se_step tr s' e)) →
   tr ≠ E0.
 #ge o k i tr s s' e; nwhd in ⊢ (% → ?); nrewrite > (exec_inf_aux_unfold …);
 nlapply (exec_step_interaction ge s);
 ncases (exec_step ge s);
 ##[ #o' k' ; nwhd in ⊢ (% → ?%? → ?); #H K; ncases (se_inv … K);
     *; #E1 E2 H1; ndestruct (E1);
     nlapply (H i); *; #tr'; *; #s''; *; #K' TR;
     nrewrite > E2 in H1; #H1; nwhd in H1:(?%?); nrewrite > K' in H1;
     nrewrite > (exec_inf_aux_unfold …); nwhd in ⊢ (?%? → ?);
     ncases (is_final_state s'');
     ##[ #F; nwhd in ⊢ (?%? → ?); #S;
         napply False_ind; napply (absurd ? S); ncases (se_inv … S)
     ##| #NF S; nwhd in S:(?%?); ncases (se_inv … S);
         *; #E1 E2 S'; nrewrite < E1; napply TR
     ##]
 ##| #x; ncases x; #tr' s'' H; nwhd in ⊢ (?%? → ?);
     ncases (is_final_state s''); #F E; nwhd in E:(?%?);
     ninversion E;
     ##[ ##1,5: #tr1 e1 m1 E1 E2; ndestruct
     ##| ##2,6: #tr s1 e1 e2 H E1 E2; ndestruct
     ##| ##3,7: #E; ndestruct
     ##| ##4,8: #o1 k1 i1 e1 H1 E1 E2; ndestruct
     ##]
 ##| #_; #E; nwhd in E:(?%?);
     ninversion E;
     ##[ ##1,5: #tr1 e1 m1 E1 E2; ndestruct
     ##| ##2,6: #tr s1 e1 e2 H E1 E2; ndestruct
     ##| ##3,7: #E1 E2; ndestruct
     ##| ##4,8: #o1 k1 i1 e1 H1 E1 E2; ndestruct
     ##]
 ##] nqed.
 nlet corec reactive_traceinf' ge s e
+#ge #o #k #i #tr #s #s' #e whd in ⊢ (% → ?); >(exec_inf_aux_unfold …)
+lapply (exec_step_interaction ge s);
+cases (exec_step ge s);
+[ #o' #k' ; whd in ⊢ (% → ?%? → ?); #H #K cases (se_inv … K);
+    *; #E1 #E2 #H1 destruct (E1);
+    lapply (H i); *; #tr' *; #s'' *; #K' #TR
+    >E2 in H1 #H1 whd in H1:(?%?); >K' in H1
+    >(exec_inf_aux_unfold …) whd in ⊢ (?%? → ?);
+    cases (is_final_state s'');
+    [ #F whd in ⊢ (?%? → ?); #S
+        @False_ind @(absurd ? S) cases (se_inv … S)
+    | #NF #S whd in S:(?%?); cases (se_inv … S);
+        *; #E1 #E2 #S' <E1 @TR
+    ]
+| #x cases x; #tr' #s'' #H whd in ⊢ (?%? → ?);
+    cases (is_final_state s''); #F #E whd in E:(?%?);
+    inversion E;
+    [ 1,5: #tr1 #e1 #m1 #E1 #E2 destruct
+    | 2,6: #tr #s1 #e1 #e2 #H #E1 #E2 destruct
+    | 3,7: #E destruct
+    | 4,8: #o1 #k1 #i1 #e1 #H1 #E1 #E2 destruct
+    ]
+| #_ #E whd in E:(?%?);
+    inversion E;
+    [ 1,5: #tr1 #e1 #m1 #E1 #E2 destruct
+    | 2,6: #tr #s1 #e1 #e2 #H #E1 #E2 destruct
+    | 3,7: #E1 #E2 destruct
+    | 4,8: #o1 #k1 #i1 #e1 #H1 #E1 #E2 destruct
+    ]
+] qed.
+let corec reactive_traceinf' ge s e
   (EXEC:exec_from ge s e)
   (REACTIVE: ∀tr,s1,e1.
     execution_isteps tr s e s1 e1 →
     Σx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)
+    (Sig ? (λx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)))
   : traceinf' ≝ ?.
 nlapply (REACTIVE E0 s e (isteps_none …));
 *; #x; ncases x; #tr; #y; ncases y; #s' e'; *; #STEPS H;
+@ tr ? H;
+napply (reactive_traceinf' ge s' e' ?);
+##[ ncases (several_steps … STEPS EXEC); #_; //
+##| #tr1 s1 e1 STEPS1;
     napply REACTIVE;
     ##[ ##2:
         napply (isteps_trans … STEPS STEPS1);
     ##| ##skip
     ##]
 ##]
 nqed.
+lapply (REACTIVE E0 s e (isteps_none …));
+*; #x cases x; #tr #y cases y; #s' #e' *; #STEPS #H
+%{ tr ? H}
+@(reactive_traceinf' ge s' e' ?)
+[ cases (several_steps … STEPS EXEC); #_ #H' @H'
+| #tr1 #s1 #e1 #STEPS1
+    @REACTIVE
+    [ 2:
+        @(isteps_trans … STEPS STEPS1)
+    | skip
+    ]
+]
+qed.
 (* A slightly different version of the above, to work around a problem with the
    next result. *)
 nlet corec reactive_traceinf'' ge s e
+let corec reactive_traceinf'' ge s e
   (EXEC:exec_from ge s e)
   (REACTIVE0: Σx.execution_isteps (\fst x) s e (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)
+  (REACTIVE0: Sig ? (λx.execution_isteps (\fst x) s e (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0))
   (REACTIVE: ∀tr,s1,e1.
     execution_isteps tr s e s1 e1 →
     Σx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)
+    (Sig ? (λx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)))
   : traceinf' ≝ ?.
+ncases REACTIVE0; #x; ncases x; #tr; #y; ncases y; #s' e'; *; #STEPS H;
+@ tr ? H;
+napply (reactive_traceinf'' ge s' e' ?);
+##[ ncases (several_steps … STEPS EXEC); #_; //
+##| napply (REACTIVE … STEPS);
+##| #tr1 s1 e1 STEPS1;
     napply REACTIVE;
     ##[ ##2:
         napply (isteps_trans … STEPS STEPS1);
     ##| ##skip
     ##]
 ##] nqed.
+cases REACTIVE0; #x cases x; #tr #y cases y; #s' #e' *; #STEPS #H
+%{ tr ? H}
+@(reactive_traceinf'' ge s' e' ?)
+[ cases (several_steps … STEPS EXEC); #_ #H' @H'
+| @(REACTIVE … STEPS)
+| #tr1 #s1 #e1 #STEPS1
+    @REACTIVE
+    [ 2:
+        @(isteps_trans … STEPS STEPS1)
+    | skip
+    ]
+] qed.
 (* We want to prove
 nlemma show_reactive : ∀ge,s.
+lemma show_reactive : ∀ge,s.
   ∀REACTIVE:∀tr,s1,e1.
     execution_isteps tr s (exec_inf_aux ge (exec_step ge s)) s1 e1 →
 …
 we can do case analysis on, then get it into the desired form afterwards.
 *)
 nlet corec show_reactive' ge s e
+let corec show_reactive' ge s e
   (EXEC:exec_from ge s e)
   (REACTIVE0: Σx.execution_isteps (\fst x) s e (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)
+  (REACTIVE0: Sig ? (λx.execution_isteps (\fst x) s e (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0))
   (REACTIVE: ∀tr1,s1,e1.
     execution_isteps tr1 s e s1 e1 →
     Σx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)
+    (Sig ? (λx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)))
   : execution_reacting (traceinf_of_traceinf' (reactive_traceinf'' ge s e EXEC REACTIVE0 REACTIVE)) s e ≝ ?.
 (*nrewrite > (unroll_traceinf' (reactive_traceinf'' …));*)
+napply (match sym_eq ??? (unroll_traceinf' (reactive_traceinf'' …)) with [ refl ⇒ ? ]);
 ncases REACTIVE0;
 #x; ncases x; #tr1; #y; ncases y; #s1 e1; #z; ncases z; #STEPS NOTSILENT;
 nwhd in ⊢ (?(?%)??);
 (*nrewrite > (traceinf_traceinfp_app …);*)
+napply (match sym_eq ??? (traceinf_traceinfp_app …) with [ refl ⇒ ? ]);
+napply (reacting … STEPS NOTSILENT);
+napply show_reactive';
 nqed.
 nlemma show_reactive : ∀ge,s,e.
+(*>(unroll_traceinf' (reactive_traceinf'' …)) *)
+@(match sym_eq ??? (unroll_traceinf' (reactive_traceinf'' …)) with [ refl ⇒ ? ])
+cases REACTIVE0;
+#x cases x; #tr1 #y cases y; #s1 #e1 #z cases z; #STEPS #NOTSILENT
+whd in ⊢ (?(?%)??);
+(*>(traceinf_traceinfp_app …) *)
+@(match sym_eq ??? (traceinf_traceinfp_app …) with [ refl ⇒ ? ])
+@(reacting … STEPS NOTSILENT)
+@show_reactive'
+qed.
+lemma show_reactive : ∀ge,s,e.
   ∀EXEC:exec_from ge s e.
   ∀REACTIVE:∀tr,s1,e1.
     execution_isteps tr s e s1 e1 →
     Σx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0.
+    (Sig ? (λx.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0)).
   execution_reacting (traceinf_of_traceinf' (reactive_traceinf'' ge s e EXEC ? REACTIVE)) s e.
+##[ #ge s e EXEC REACTIVE;
     napply show_reactive';
+##| napply (REACTIVE … (isteps_none …));
 ##] nqed.
 nlemma execution_characterisation_complete:
+[ #ge #s #e #EXEC #REACTIVE
+    @show_reactive'
+| @(REACTIVE … (isteps_none …))
+] qed.
+lemma execution_characterisation_complete:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀constructive_indefinite_description:(∀A:Type. ∀P:A→Prop. (∃x. P x) → Σx : A. P x).
+  ∀constructive_indefinite_description:(∀A:Type[0]. ∀P:A→Prop. (∃x. P x) → Sig A P).
    ∀ge,s,e.
    exec_from ge s e →
    execution_characterisation s (se_step E0 s e).
 #classic constructive_indefinite_description ge s e EXEC;
 ncases (classic (∀tr1,s1,e1. execution_isteps tr1 s e s1 e1 →
+#classic #constructive_indefinite_description #ge #s #e #EXEC
+cases (classic (∀tr1,s1,e1. execution_isteps tr1 s e s1 e1 →
                  execution_not_over e1));
+##[ #NONTERMINATING;
     ncases (classic (∃tr,s1,e1. execution_isteps tr s e s1 e1 ∧
+[ #NONTERMINATING
+    cases (classic (∃tr,s1,e1. execution_isteps tr s e s1 e1 ∧
                      ∀tr2,s2,e2. execution_isteps tr2 s1 e1 s2 e2 → tr2 = E0));
   ##[ *; #tr; *; #s1; *; #e1; *; #INITIAL UNREACTIVE;
       napply (ec_diverges … s ? tr);
       napply (diverges_diverging … INITIAL);
       napply (show_divergence s1 e1);
       ##[ #tr2 s2 e2 S; napply (NONTERMINATING (Eapp tr tr2) s2 e2);
           napply (isteps_trans … INITIAL S);
       ##| #tr2 s2 e2 S; napply (UNREACTIVE … S);
       ##| #tr2 s2 o k i e2 STEPS;
           nlapply (NONTERMINATING (Eapp tr tr2) s2 (se_interact o k i e2) ?);
           ##[ napply (isteps_trans … INITIAL STEPS) ##]
           #NOTOVER; ninversion NOTOVER;
           ##[ #tr' s' e' E; ndestruct (E);
           ##| #o' k' tr' s' e' i' E; ndestruct (E);
               @ tr'; @s'; @e'; @;//;
               ncases (several_steps … INITIAL EXEC); #_; #EXEC1;
               ncases (several_steps … STEPS EXEC1); #_; #EXEC2;
               napply (interaction_is_not_silent … EXEC2);
           ##]
       ##]
   ##| *; #NOTUNREACTIVE;
       ncut (∀tr,s1,e1.execution_isteps tr s e s1 e1 →
+  [ *; #tr *; #s1 *; #e1 *; #INITIAL #UNREACTIVE
+      @(ec_diverges … s ? tr)
+      @(diverges_diverging … INITIAL)
+      @(show_divergence s1 e1)
+      [ #tr2 #s2 #e2 #S @(NONTERMINATING (Eapp tr tr2) s2 e2)
+          @(isteps_trans … INITIAL S)
+      | #tr2 #s2 #e2 #S @(UNREACTIVE … S)
+      | #tr2 #s2 #o #k #i #e2 #STEPS
+          lapply (NONTERMINATING (Eapp tr tr2) s2 (se_interact o k i e2) ?);
+          [ @(isteps_trans … INITIAL STEPS) ]
+          #NOTOVER inversion NOTOVER;
+          [ #tr' #s' #e' #E destruct (E);
+          | #o' #k' #tr' #s' #e' #i' #E destruct (E);
+              %{ tr'} %{s'} %{e'} % //;
+              cases (several_steps … INITIAL EXEC); #_ #EXEC1
+              cases (several_steps … STEPS EXEC1); #_ #EXEC2
+              @(interaction_is_not_silent … EXEC2)
+          ]
+      ]
+  | *; #NOTUNREACTIVE
+      cut (∀tr,s1,e1.execution_isteps tr s e s1 e1 →
             ∃x.execution_isteps (\fst x) s1 e1 (\fst (\snd x)) (\snd (\snd x)) ∧ (\fst x) ≠ E0);
       ##[ #tr s1 e1 STEPS;
           napply (classical_doubleneg classic); @; #NOREACTION;
           napply NOTUNREACTIVE;
           @ tr; @s1; @e1; @; //;
           #tr2 s2 e2 STEPS2;
           nlapply (not_ex_all_not … NOREACTION); #NR1;
           nlapply (not_and_to_imply classic … (NR1 〈tr2,〈s2,e2〉〉)); #NR2;
           napply (classical_doubleneg classic);
           napply NR2; //;
       ##| #REACTIVE;
           napply ec_reacts;
           ##[ ##2: napply reacts;
                    napply (show_reactive ge s … EXEC);
                    #tr s1 e1 STEPS;
                    napply constructive_indefinite_description;
                    napply (REACTIVE … tr s1 e1 STEPS);
           ##| ##skip
           ##]
       ##]
   ##]
+      [ #tr #s1 #e1 #STEPS
+          @(classical_doubleneg classic) % #NOREACTION
+          @NOTUNREACTIVE
+          %{ tr} %{s1} %{e1} % //;
+          #tr2 #s2 #e2 #STEPS2
+          lapply (not_ex_all_not … NOREACTION); #NR1
+          lapply (not_and_to_imply classic … (NR1 〈tr2,〈s2,e2〉〉)); #NR2
+          @(classical_doubleneg classic)
+          @NR2 normalize //
+      | #REACTIVE
+          @ec_reacts
+          [ 2: @reacts
+                   @(show_reactive ge s … EXEC)
+                   #tr #s1 #e1 #STEPS
+                   @constructive_indefinite_description
+                   @(REACTIVE … tr s1 e1 STEPS)
+          | skip
+          ]
+      ]
+  ]
 ##| #NOTNONTERMINATING; nlapply (classical_not_all_ex_not classic … NOTNONTERMINATING);
     *; #tr NNT2; nlapply (classical_not_all_ex_not classic … NNT2);
     *; #s' NNT3; nlapply (classical_not_all_ex_not classic … NNT3);
     *; #e NNT4; nelim (imply_to_and classic … NNT4);
     ncases e;
     ##[ #tr' r m; #STEPS NOSTEP;
         napply (ec_terminates s r m ? (Eapp tr tr')); @;
         ##[ napply s'
         ##| napply STEPS
         ##]
     ##| #tr' s'' e' STEPS; *; #NOSTEP; napply False_rect_Type0;
         napply NOSTEP; //
     ##| #STEPS NOSTEP;
         napply (ec_wrong ? s s' tr); @; //;
+| #NOTNONTERMINATING lapply (classical_not_all_ex_not classic … NOTNONTERMINATING);
+    *; #tr #NNT2 lapply (classical_not_all_ex_not classic … NNT2);
+    *; #s' #NNT3 lapply (classical_not_all_ex_not classic … NNT3);
+    *; #e #NNT4 elim (imply_to_and classic … NNT4);
+    cases e;
+    [ #tr' #r #m #STEPS #NOSTEP
+        @(ec_terminates s r m ? (Eapp tr tr')) %
+        [ @s'
+        | @STEPS
+        ]
+    | #tr' #s'' #e' #STEPS *; #NOSTEP @False_rect_Type0
+        @NOSTEP //
+    | #STEPS #NOSTEP
+        @(ec_wrong ? s s' tr) % //;
     (* The following is stupidly complicated when most of the cases are impossible.
        It ought to be simplified. *)
     ##| #o k i e' STEPS NOSTEP;
         ncases e' in STEPS NOSTEP;
         ##[ #tr' r m STEPS NOSTEP;
             napply (ec_terminates s ???);
            ##[ ##4: napply (annoying_corner_case_terminates … STEPS); ##]
         ##| #tr1 s1 e1 STEPS; *; #NOSTEP;
             napply False_ind; napply NOSTEP; //
         ##| #STEPS NOSTEP;
             nlapply (exec_step_interaction ge s');
             ncases (several_steps … STEPS EXEC); #_;
             nwhd in ⊢ (% → ?);
             nrewrite > (exec_inf_aux_unfold …);
             ncases (exec_step ge s');
             ##[ #o1 k1 EXEC' H; nwhd in EXEC':(?%?) H;
                 ncases (se_inv … EXEC'); *; #E1 E2 H2; ndestruct (E1 E2);
                 ncases (H i); #tr1; *; #s1; *; #K E; nrewrite > K in H2;
                 nrewrite > (exec_inf_aux_unfold …);
                 nwhd in ⊢ (?%? → ?); ncases (is_final_state s1);
                 #F S; nwhd in S:(?%?); ncases (se_inv … S);
             ##| #x; ncases x; #tr' s'; nwhd in ⊢ (?%? → ?);
                 ncases (is_final_state s'); #F S; nwhd in S:(?%?);
                 ncases (se_inv … S);
             ##| #S; ncases (se_inv … S);
             ##]
         ##| #o1 k1 i1 e1 STEPS NOSTEP;
             nlapply (exec_step_interaction ge s');
             ncases (several_steps … STEPS EXEC); #_;
             nwhd in ⊢ (% → ?);
             nrewrite > (exec_inf_aux_unfold …);
             ncases (exec_step ge s');
             ##[ #o1 k1 EXEC' H; nwhd in EXEC':(?%?) H;
                 ncases (se_inv … EXEC'); *; #E1 E2 H2; ndestruct (E1 E2);
                 ncases (H i); #tr1; *; #s1; *; #K E; nrewrite > K in H2;
                 nrewrite > (exec_inf_aux_unfold …);
                 nwhd in ⊢ (?%? → ?); ncases (is_final_state s1);
                 #F S; nwhd in S:(?%?); ncases (se_inv … S);
             ##| #x; ncases x; #tr' s'; nwhd in ⊢ (?%? → ?);
                 ncases (is_final_state s'); #F S; nwhd in S:(?%?);
                 ncases (se_inv … S);
             ##| #S; ncases (se_inv … S);
             ##]
         ##]
     ##]
 ##]
 nqed.
 ninductive execution_matches_behavior: s_execution → program_behavior → Prop ≝
+    | #o #k #i #e' #STEPS #NOSTEP
+        cases e' in STEPS NOSTEP;
+        [ #tr' #r #m #STEPS #NOSTEP
+            @(ec_terminates s ???)
+           [ 4: @(annoying_corner_case_terminates … STEPS) ]
+        | #tr1 #s1 #e1 #STEPS *; #NOSTEP
+            @False_ind @NOSTEP //
+        | #STEPS #NOSTEP
+            lapply (exec_step_interaction ge s');
+            cases (several_steps … STEPS EXEC); #_
+            whd in ⊢ (% → ?);
+            >(exec_inf_aux_unfold …)
+            cases (exec_step ge s');
+            [ #o1 #k1 #EXEC' #H whd in EXEC':(?%?) H;
+                cases (se_inv … EXEC'); *; #E1 #E2 #H2 destruct (E1 E2);
+                cases (H i); #tr1 *; #s1 *; #K #E >K in H2
+                >(exec_inf_aux_unfold …)
+                whd in ⊢ (?%? → ?); cases (is_final_state s1);
+                #F #S whd in S:(?%?); cases (se_inv … S);
+            | #x cases x; #tr' #s' whd in ⊢ (?%? → ?);
+                cases (is_final_state s'); #F #S whd in S:(?%?);
+                cases (se_inv … S);
+            | #S cases (se_inv … S);
+            ]
+        | #o1 #k1 #i1 #e1 #STEPS #NOSTEP
+            lapply (exec_step_interaction ge s');
+            cases (several_steps … STEPS EXEC); #_
+            whd in ⊢ (% → ?);
+            >(exec_inf_aux_unfold …)
+            cases (exec_step ge s');
+            [ #o1 #k1 #EXEC' #H whd in EXEC':(?%?) H;
+                cases (se_inv … EXEC'); *; #E1 #E2 #H2 destruct (E1 E2);
+                cases (H i); #tr1 *; #s1 *; #K #E >K in H2
+                >(exec_inf_aux_unfold …)
+                whd in ⊢ (?%? → ?); cases (is_final_state s1);
+                #F #S whd in S:(?%?); cases (se_inv … S);
+            | #x cases x; #tr' #s' whd in ⊢ (?%? → ?);
+                cases (is_final_state s'); #F #S whd in S:(?%?);
+                cases (se_inv … S);
+            | #S cases (se_inv … S);
+            ]
+        ]
+    ]
+]
+qed.
+inductive execution_matches_behavior: s_execution → program_behavior → Prop ≝
 | emb_terminates: ∀s,e,tr,r,m.
     execution_terminates tr s e r m →
 …
     execution_matches_behavior se_wrong (Goes_wrong E0).
 nlemma exec_state_terminates: ∀tr,tr',s,s',e,r,m.
+lemma exec_state_terminates: ∀tr,tr',s,s',e,r,m.
   execution_terminates tr s (se_step tr' s' e) r m → s = s'.
 #tr tr' s s' e r m H; ninversion H;
 ##[ #s1 s2 tr1 tr2 r' e' m' H' E1 E2 E3 E4 E5; ndestruct; napply refl
 ##| #s1 s2 tr1 tr2 r' e' m' o k i H' E1 E2 E3 E4 E5; ndestruct; napply refl
 ##] nqed.
 nlemma exec_state_diverges: ∀tr,tr',s,s',e.
+#tr #tr' #s #s' #e #r #m #H inversion H;
+[ #s1 #s2 #tr1 #tr2 #r' #e' #m' #H' #E1 #E2 #E3 #E4 #E5 destruct; @refl
+| #s1 #s2 #tr1 #tr2 #r' #e' #m' #o #k #i #H' #E1 #E2 #E3 #E4 #E5 destruct; @refl
+] qed.
+lemma exec_state_diverges: ∀tr,tr',s,s',e.
   execution_diverges tr s (se_step tr' s' e) → s = s'.
 #tr tr' s s' e H; ninversion H;
 #tr1 s1 s2 e1 e2 H' E1 E2 E3 E4; ndestruct; napply refl; nqed.
 nlemma exec_state_reacts: ∀tr,tr',s,s',e.
+#tr #tr' #s #s' #e #H inversion H;
+#tr1 #s1 #s2 #e1 #e2 #H' #E1 #E2 #E3 #E4 destruct; @refl qed.
+lemma exec_state_reacts: ∀tr,tr',s,s',e.
   execution_reacts tr s (se_step tr' s' e) → s = s'.
 #tr tr' s s' e H; ninversion H;
 #tr1 s1 e1 H' E1 E2 E3; ndestruct; napply refl; nqed.
 nlemma exec_state_wrong: ∀tr,tr',s,s',s'',e.
+#tr #tr' #s #s' #e #H inversion H;
+#tr1 #s1 #e1 #H' #E1 #E2 #E3 destruct; @refl qed.
+lemma exec_state_wrong: ∀tr,tr',s,s',s'',e.
   execution_goes_wrong tr s (se_step tr' s' e) s'' → s = s'.
 #tr tr' s s' s'' e H; ninversion H;
 #tr1 s1 s2 e1 H' E1 E2 E3 E4; ndestruct; napply refl; nqed.
 nlemma behavior_of_execution: ∀s,e.
+#tr #tr' #s #s' #s'' #e #H inversion H;
+#tr1 #s1 #s2 #e1 #H' #E1 #E2 #E3 #E4 destruct; @refl qed.
+lemma behavior_of_execution: ∀s,e.
   execution_characterisation s e →
   ∃b:program_behavior. execution_matches_behavior e b.
 #s0 e0 exec;
 ncases exec;
+##[ #s r m e tr TERM;
     @ (Terminates tr r);
     napply (emb_terminates … TERM);
+##| #s e tr DIV;
     @ (Diverges tr);
     napply (emb_diverges … DIV);
+##| #s e tr REACTS;
     @ (Reacts tr);
     napply (emb_reacts … REACTS);
+##| #e s s' tr WRONG;
     @ (Goes_wrong tr);
     napply (emb_wrong … WRONG);
 ##] nqed.
 nlemma initial_state_not_final: ∀ge,s.
+#s0 #e0 #exec
+cases exec;
+[ #s #r #m #e #tr #TERM
+    %{ (Terminates tr r)}
+    @(emb_terminates … TERM)
+| #s #e #tr #DIV
+    %{ (Diverges tr)}
+    @(emb_diverges … DIV)
+| #s #e #tr #REACTS
+    %{ (Reacts tr)}
+    @(emb_reacts … REACTS)
+| #e #s #s' #tr #WRONG
+    %{ (Goes_wrong tr)}
+    @(emb_wrong … WRONG)
+] qed.
+lemma initial_state_not_final: ∀ge,s.
   initial_state ge s →
   ¬ ∃r.final_state s r.
 #ge s H; ncases H;
 #b f ge m E1 E2 E3 E4; @; *; #r H2;
 ninversion H2;
 #r' m' E5 E6; ndestruct (E5);
 nqed.
 nlemma initial_step: ∀ge,s,e.
+#ge #s #H cases H;
+#b #f #ge #m #E1 #E2 #E3 #E4 % *; #r #H2
+inversion H2;
+#r' #m' #E5 #E6 destruct (E5);
+qed.
+lemma initial_step: ∀ge,s,e.
   exec_inf_aux ge (Value ??? 〈E0,s〉) = e →
   ¬(∃r.final_state s r) →
   ∃e'.e = e_step E0 s e'.
 #ge s e; nrewrite > (exec_inf_aux_unfold …);
 nwhd in ⊢ (??%? → ?); ncases (is_final_state s);
+##[ #FINAL EXEC NOTFINAL;
     napply False_ind; napply (absurd ?? NOTFINAL);
     ncases FINAL;
     #r F; @r; napply F;
 ##| #F1 EXEC F2; nwhd in EXEC:(??%?); @; ##[ ##2: nrewrite < EXEC; napply refl ##]
 nqed.
 ntheorem exec_inf_equivalence:
+#ge #s #e >(exec_inf_aux_unfold …)
+whd in ⊢ (??%? → ?); cases (is_final_state s);
+[ #FINAL #EXEC #NOTFINAL
+    @False_ind @(absurd ?? NOTFINAL)
+    cases FINAL;
+    #r #F %{r} @F
+| #F1 #EXEC #F2 whd in EXEC:(??%?); % [ 2: <EXEC @refl ]
+qed.
+theorem exec_inf_equivalence:
   ∀classic:(∀P:Prop.P ∨ ¬P).
   ∀constructive_indefinite_description:(∀A:Type. ∀P:A→Prop. (∃x. P x) → Σx : A. P x).
+  ∀constructive_indefinite_description:(∀A:Type[0]. ∀P:A→Prop. (∃x. P x) → Sig A P).
   ∀p,e. single_exec_of (exec_inf p) e →
    ∃b.execution_matches_behavior e b ∧ exec_program p b.
 #classic constructive_indefinite_description p e;
 nwhd in ⊢ (?%? → ??(λ_.?(?%?)%));
 nlapply (make_initial_state_sound p);
 nlapply (the_initial_state p);
 ncases (make_initial_state p);
 ##[ #gs; ncases gs; #ge s INITIAL' INITIAL; nwhd in INITIAL ⊢ (?%? → ?);
     ncases INITIAL; #Ege INITIAL'';
     nrewrite > (exec_inf_aux_unfold …);
     nwhd in ⊢ (?%? → ?);
     ncases (is_final_state s);
     ##[ #F; napply False_ind;
         napply (absurd ?? (initial_state_not_final … INITIAL''));
         ncases F; #r F'; @r; napply F';
     ##| #NOTFINAL; nwhd in ⊢ (?%? → ?); ncases e;
         ##[ #tr r m EXEC0 ##| #tr s' e0 EXEC0 ##| #EXEC0 ##| #o k i e EXEC0 ##]
         ncases (se_inv … EXEC0); *; #E1 E2; nrewrite < E1; nrewrite < E2; #EXEC';
     nlapply (behavior_of_execution ??
+#classic #constructive_indefinite_description #p #e
+whd in ⊢ (?%? → ??(λ_.?(?%?)%));
+lapply (make_initial_state_sound p);
+lapply (the_initial_state p);
+cases (make_initial_state p);
+[ #gs cases gs; #ge #s #INITIAL' #INITIAL whd in INITIAL ⊢ (?%? → ?);
+    cases INITIAL; #Ege #INITIAL''
+    >(exec_inf_aux_unfold …)
+    whd in ⊢ (?%? → ?);
+    cases (is_final_state s);
+    [ #F @False_ind
+        @(absurd ?? (initial_state_not_final … INITIAL''))
+        cases F; #r #F' %{r} @F'
+    | #NOTFINAL whd in ⊢ (?%? → ?); cases e;
+        [ #tr #r #m #EXEC0 | #tr #s' #e0 #EXEC0 | #EXEC0 | #o #k #i #e #EXEC0 ]
+        cases (se_inv … EXEC0); *; #E1 #E2 <E1 <E2 #EXEC'
+    lapply (behavior_of_execution ??
               (execution_characterisation_complete classic constructive_indefinite_description ge s ? EXEC'));
         *; #b MATCHES; @b; @; //;
         #ge'; nrewrite > Ege; #Ege'; nrewrite > (?:ge' = ge); ##[ ##2: ndestruct (Ege') skip (INITIAL Ege EXEC0 EXEC'); // ##]
         ninversion MATCHES;
         ##[ #s0 e1 tr1 r m TERM EXEC BEHAVES; nrewrite < EXEC in TERM;
             #TERM;
             nlapply (exec_state_terminates … TERM); #E1;
             nrewrite > E1 in TERM; #TERM;
             napply (program_terminates (mk_transrel … step) ?? ge s);
             ##[ ##2: napply INITIAL''
             ##| ##3: napply (terminates_sound … TERM EXEC');
             ##| ##skip
             ##| //;
             ##]
         ##| #s0 e tr DIVERGES EXEC E2; nrewrite < EXEC in DIVERGES; #DIVERGES;
             nlapply (exec_state_diverges … DIVERGES);
             #E1; nrewrite > E1 in DIVERGES; #DIVERGES;
             ninversion DIVERGES; #tr' s1 s2 e1 e2 INITSTEPS DIVERGING E4 E5 E6;
             nrewrite < E4 in INITSTEPS ⊢ %; nrewrite < E5 in E6 ⊢ %; #E6 INITSTEPS;
             ncut (e0 = e1); ##[ ndestruct (E6) skip (MATCHES EXEC0 EXEC'); // ##]
             #E7; nrewrite < E7 in INITSTEPS; #INITSTEPS;
             ncases (several_steps … INITSTEPS EXEC'); #INITSTAR EXECDIV;
             napply (program_diverges (mk_transrel … step) ?? ge s … INITIAL'' INITSTAR);
             napply (silent_sound … DIVERGING EXECDIV);
         ##| #s0 e tr REACTS EXEC E2; nrewrite < EXEC in REACTS; #REACTS;
             nlapply (exec_state_reacts … REACTS);
             #E1; nrewrite > E1 in REACTS; #REACTS;
             ninversion REACTS; #tr' s' e'' REACTING E4 E5;
             nrewrite < E4 in REACTING ⊢ %; nrewrite < E5; #REACTING E6;
             ncut (e0 = e''); ##[ ndestruct (E6) skip (MATCHES EXEC0 EXEC'); // ##]
             #E7; nrewrite < E7 in REACTING; #REACTING;
             napply (program_reacts (mk_transrel … step) ?? ge s … INITIAL'');
             napply (reacts_sound … REACTING EXEC');
         ##| #e s1 s2 tr WRONG EXEC E2; nrewrite < EXEC in WRONG; #WRONG;
             nlapply (exec_state_wrong … WRONG);
             #E1; nrewrite > E1 in WRONG; #WRONG;
             ninversion WRONG; #tr' s1' s2' e'' GOESWRONG E4 E5 E6 E7;
             nrewrite < E4 in GOESWRONG ⊢ %; nrewrite < E5; nrewrite < E7; #GOESWRONG;
             ncut (e0 = e''); ##[ ndestruct (E6) skip (INITIAL MATCHES EXEC0 EXEC'); // ##]
             #E8; nrewrite < E8 in GOESWRONG; #GOESWRONG;
             nelim (wrong_sound … WRONG EXEC' NOTFINAL); *; #STAR STOP FINAL;
             napply (program_goes_wrong (mk_transrel … step) ?? ge s … INITIAL'' STAR STOP);
             #r; @; #F; napply (absurd ?? FINAL); @r; napply F;
         ##| #E; ndestruct (E);
         ##]
    ##]
 ##| nwhd in ⊢ ((∀_.? → %) → ?);
     #NOINIT; #_; #EXEC;
     @ (Goes_wrong E0); @;
     ##[ nwhd in EXEC:(?%?);
         ncases e in EXEC;
         ##[ #tr r m EXEC0 ##| #tr s' e0 EXEC0 ##| #EXEC0 ##| #o k i e EXEC0 ##]
         ncases (se_inv … EXEC0);
         napply emb_initially_wrong;
     ##| #ge Ege;
         napply program_goes_initially_wrong;
         #s; @; #INIT; ncases (NOINIT s INIT); #ge' H; napply H;
     ##]
 ##] nqed.
+        *; #b #MATCHES %{b} % //;
+        #ge' >Ege #Ege' >(?:ge' = ge) [ 2: destruct (Ege') skip (INITIAL Ege EXEC0 EXEC'); // ]
+        inversion MATCHES;
+        [ #s0 #e1 #tr1 #r #m #TERM #EXEC #BEHAVES <EXEC in TERM
+            #TERM
+            lapply (exec_state_terminates … TERM); #E1
+            >E1 in TERM #TERM
+            @(program_terminates (mk_transrel … step) ?? ge s)
+            [ 2: @INITIAL''
+            | 3: @(terminates_sound … TERM EXEC')
+            | skip
+            | //;
+            ]
+        | #s0 #e #tr #DIVERGES #EXEC #E2 <EXEC in DIVERGES #DIVERGES
+            lapply (exec_state_diverges … DIVERGES);
+            #E1 >E1 in DIVERGES #DIVERGES
+            inversion DIVERGES; #tr' #s1 #s2 #e1 #e2 #INITSTEPS #DIVERGING #E4 #E5 #E6
+            <E4 in INITSTEPS ⊢ % <E5 in E6 ⊢ % #E6 #INITSTEPS
+            cut (e0 = e1); [ destruct (E6) skip (MATCHES EXEC0 EXEC'); // ]
+            #E7 <E7 in INITSTEPS #INITSTEPS
+            cases (several_steps … INITSTEPS EXEC'); #INITSTAR #EXECDIV
+            @(program_diverges (mk_transrel … step) ?? ge s … INITIAL'' INITSTAR)
+            @(silent_sound … DIVERGING EXECDIV)
+        | #s0 #e #tr #REACTS #EXEC #E2 <EXEC in REACTS #REACTS
+            lapply (exec_state_reacts … REACTS);
+            #E1 >E1 in REACTS #REACTS
+            inversion REACTS; #tr' #s' #e'' #REACTING #E4 #E5
+            <E4 in REACTING ⊢ % <E5 #REACTING #E6
+            cut (e0 = e''); [ destruct (E6) skip (MATCHES EXEC0 EXEC'); // ]
+            #E7 <E7 in REACTING #REACTING
+            @(program_reacts (mk_transrel … step) ?? ge s … INITIAL'')
+            @(reacts_sound … REACTING EXEC')
+        | #e #s1 #s2 #tr #WRONG #EXEC #E2 <EXEC in WRONG #WRONG
+            lapply (exec_state_wrong … WRONG);
+            #E1 >E1 in WRONG #WRONG
+            inversion WRONG; #tr' #s1' #s2' #e'' #GOESWRONG #E4 #E5 #E6 #E7
+            <E4 in GOESWRONG ⊢ % <E5 <E7 #GOESWRONG
+            cut (e0 = e''); [ destruct (E6) skip (INITIAL Ege MATCHES EXEC0 EXEC'); // ]
+            #E8 <E8 in GOESWRONG #GOESWRONG
+            elim (wrong_sound … WRONG EXEC' NOTFINAL); *; #STAR #STOP #FINAL
+            @(program_goes_wrong (mk_transrel … step) ?? ge s … INITIAL'' STAR STOP)
+            #r % #F @(absurd ?? FINAL) %{r} @F
+        | #E destruct (E);
+        ]
+   ]
+| whd in ⊢ ((∀_.? → %) → ?);
+    #NOINIT #_ #EXEC
+    %{ (Goes_wrong E0)} %
+    [ whd in EXEC:(?%?);
+        cases e in EXEC;
+        [ #tr #r #m #EXEC0 | #tr #s' #e0 #EXEC0 | #EXEC0 | #o #k #i #e #EXEC0 ]
+        cases (se_inv … EXEC0);
+        @emb_initially_wrong
+    | #ge #Ege
+        @program_goes_initially_wrong
+        #s % #INIT cases (NOINIT s INIT); #ge' #H @H
+    ]
+] qed.

Deliverables/D3.1/C-semantics/CexecSound.ma

-                      r485
+                      r487
 include "Cexec.ma".
+include "Plogic/connectives.ma".
 nlemma exec_bool_of_val_sound: ∀v,ty,r.
+(*include "Plogic/connectives.ma".*)
+lemma exec_bool_of_val_sound: ∀v,ty,r.
  exec_bool_of_val v ty = OK ? r → bool_of_val v ty (of_bool r).
 #v ty r;
 ncases v; ##[ ##| #i ##| #f ##| #r1 ##| #r b of ##]
 ncases ty; ##[ ##2,11,20,29,38: #sz sg ##| ##3,12,21,30,39: #sz ##| ##4,13,22,31,40: #r ty ##| ##5,14,23,32,41: #r ty n ##| ##6,15,24,33,42: #args rty ##| ##7,8,16,17,25,26,34,35,43,44: #id fs ##| ##9,18,27,36,45: #r id ##]
 #H; nwhd in H:(??%?); ndestruct;
 ##[ nlapply (eq_spec i zero); nelim (eq i zero);
   ##[ #e; nrewrite > e; napply bool_of_val_false; //;
   ##| #ne; napply bool_of_val_true; /2/;
   ##]
 ##| nelim (eq_dec f Fzero);
   ##[ #e; nrewrite > e; nrewrite > (Feq_zero_true …); napply bool_of_val_false; //;
   ##| #ne; nrewrite > (Feq_zero_false …); //; napply bool_of_val_true; /2/;
   ##]
 ##| napply bool_of_val_false; //
 ##| napply bool_of_val_true; //
 ##] nqed.
 nlemma bool_val_distinct: Vtrue ≠ Vfalse.
+@; #H; nwhd in H:(??%%); ndestruct; napply (absurd ? e0 one_not_zero);
 nqed.
 nlemma bool_of: ∀v,ty,b. bool_of_val v ty (of_bool b) →
+#v #ty #r
+cases v; [ | #i | #f | #r1 | #r #b #of ]
+cases ty; [ 2,11,20,29,38: #sz #sg | 3,12,21,30,39: #sz | 4,13,22,31,40: #r #ty | 5,14,23,32,41: #r #ty #n | 6,15,24,33,42: #args #rty | 7,8,16,17,25,26,34,35,43,44: #id #fs | 9,18,27,36,45: #r #id ]
+#H whd in H:(??%?); destruct;
+[ lapply (eq_spec i zero); elim (eq i zero);
+  [ #e >e @bool_of_val_false //;
+  | #ne @bool_of_val_true /2/;
+  ]
+| elim (eq_dec f Fzero);
+  [ #e >e >(Feq_zero_true …) @bool_of_val_false //;
+  | #ne >(Feq_zero_false …) //; @bool_of_val_true /2/;
+  ]
+| @bool_of_val_false //
+| @bool_of_val_true //
+] qed.
+lemma bool_val_distinct: Vtrue ≠ Vfalse.
+% #H whd in H:(??%%); destruct; @(absurd ? e0 one_not_zero)
+qed.
+lemma bool_of: ∀v,ty,b. bool_of_val v ty (of_bool b) →
   if b then is_true v ty else is_false v ty.
 #v ty b; ncases b; #H; ninversion H; #v' ty' H' ev et ev; //;
+napply False_ind; napply (absurd ? ev ?);
+##[ ##2: napply sym_neq ##] napply bool_val_distinct;
 nqed.
 nlemma try_cast_null_sound: ∀m,i,ty,ty',v'. try_cast_null m i ty ty' = OK ? v' → cast m (Vint i) ty ty' v'.
 #m i ty ty' v';
 nwhd in ⊢ (??%? → ?);
 nlapply (eq_spec i zero); ncases (eq i zero);
+##[ #e; nrewrite > e;
     ncases ty; ##[ ##| #sz sg ##| #fs ##| #sp ty ##| #sp ty n ##| #args rty ##| #id fs ##| #id fs ##| #r id ##]
     nwhd in ⊢ (??%? → ?); #H; ndestruct;
     ncases ty' in H ⊢ %; ##[ ##| #sz sg ##| #fs ##| #sp ty ##| #sp ty n ##| #args rty ##| #id fs ##| #id fs ##| #r id ##]
     nwhd in ⊢ (??%? → ?); #H; ndestruct (H); napply cast_ip_z; //;
 ##| #_; nwhd in ⊢ (??%? → ?); #H; ndestruct
 ##]
 nqed.
 ndefinition exec_cast_sound : ∀m:mem. ∀v:val. ∀ty:type. ∀ty':type. ∀v':val. exec_cast m v ty ty' = OK ? v' → cast m v ty ty' v'.
 #m v ty ty' v';
 ncases v;
 ##[ #H; nwhd in H:(??%?); ndestruct;
 ##| #i; ncases ty;
   ##[ #H; nwhd in H:(??%?); ndestruct;
   ##| ##3: #a; #H; nwhd in H:(??%?); ndestruct;
   ##| ##7,8,9: #a b; #H; nwhd in H:(??%?); ndestruct;
   ##| #sz1 si1; ncases ty';
     ##[ #H; nwhd in H:(??%?); ndestruct;
     ##| ##3: #a; #H; nwhd in H:(??%?); ndestruct; //
     ##| ##2,7,8,9: #a b; #H; nwhd in H:(??%?); ndestruct; //
     ##| ##4,5,6: ##[ #sp ty''; nletin t ≝ (Tpointer sp ty'')
                  ##| #sp ty'' n; nletin t ≝ (Tarray sp ty'' n)
                  ##| #args rty; nletin t ≝ (Tfunction args rty) ##]
         nwhd in ⊢ (??%? → ?);
         nlapply (try_cast_null_sound m i (Tint sz1 si1) t v');
         ncases (try_cast_null m i (Tint sz1 si1) t);
         ##[ ##1,3,5: #v''; #H' e; napply H'; napply e;
         ##| ##*: #_; nwhd in ⊢ (??%? → ?); #H; ndestruct (H);
         ##]
     ##]
   ##| ##*: ##[ #sp ty''; nletin t ≝ (Tpointer sp ty'')
            ##| #sp ty'' n; nletin t ≝ (Tarray sp ty'' n)
            ##| #args rty; nletin t ≝ (Tfunction args rty) ##]
         nwhd in ⊢ (??%? → ?);
         nlapply (try_cast_null_sound m i t ty' v');
         ncases (try_cast_null m i t ty');
         ##[ ##1,3,5: #v''; #H' e; napply H'; napply e;
         ##| ##*: #_; nwhd in ⊢ (??%? → ?); #H; ndestruct (H);
         ##]
   ##]
 ##| #f; ncases ty;  ##[ ##3: #x; ##| ##2,4,6,7,8,9: #x y; ##| ##5: #x y z; ##]
                     ##[ ncases ty'; ##[ #e; ##| ##3: #a e; ##| ##2,4,6,7,8,9: #a b e; ##| #a b c e; ##]
                         nwhd in e:(??%?); ndestruct; //;
                     ##| ##*: #e; nwhd in e:(??%?); ndestruct
                     ##]
 ##| #r; ncases ty; ##[ ##3: #x; ##| ##2,4,6,7,8,9: #x y; ##| ##5: #x y z; ##]
     nwhd in ⊢ (??%? → ?); #H; ndestruct; ncases (eq_region_dec r ?) in H;
     nwhd in ⊢ (? → ??%? → ?); #H1 H2; ndestruct;
     ncases ty' in H2; nnormalize; ntry #a; ntry #b; ntry #c; ntry #d; ndestruct;
     napply cast_pp_z; //;
+##| #sp b of; nwhd in ⊢ (??%? → ?); #e;
     nelim (bind_inversion ????? e); #s; *; #es e';
     nelim (bind_inversion ????? e'); #u; *; #eu e'';
     nelim (bind_inversion ????? e''); #s'; *; #es' e''';
     ncut (type_region ty s);
     ##[ ncases ty in es:(??%?) ⊢ %; ##[ #e; ##| ##3: #a e; ##| ##2,4,6,7,8,9: #a b e; ##| #a b c e; ##]
         nwhd in e:(??%?); ndestruct; //;
     ##| #Hty;
         ncut (type_region ty' s');
         ##[ ncases ty' in es' ⊢ %; ##[ #e; ##| ##3: #a e; ##| ##2,4,6,7,8,9: #a b e; ##| #a b c e; ##]
             nwhd in e:(??%?); ndestruct; //;
         ##| #Hty';
             ncut (s = sp). nelim (eq_region_dec sp s) in eu; //; nnormalize; #_; #e; ndestruct.
             #e; nrewrite < e;
             nwhd in match (is_pointer_compat ??) in e''';
             ncases (pointer_compat_dec (block_space m b) s') in e'''; #Hcompat e''';
             nwhd in e''':(??%?); ndestruct (e'''); /2/
         ##]
     ##]
 ##] nqed.
 nlet rec expr_lvalue_ind
+#v #ty #b cases b; #H inversion H; #v' #ty' #H' #ev #et #ev //;
+@False_ind @(absurd ? ev ?)
+[ 2: @sym_neq ] @bool_val_distinct
+qed.
+lemma try_cast_null_sound: ∀m,i,ty,ty',v'. try_cast_null m i ty ty' = OK ? v' → cast m (Vint i) ty ty' v'.
+#m #i #ty #ty' #v'
+whd in ⊢ (??%? → ?);
+lapply (eq_spec i zero); cases (eq i zero);
+[ #e >e
+    cases ty; [ | #sz #sg | #fs | #sp #ty | #sp #ty #n | #args #rty | #id #fs | #id #fs | #r #id ]
+    whd in ⊢ (??%? → ?); #H destruct;
+    cases ty' in H ⊢ %; [ | #sz #sg | #fs | #sp #ty | #sp #ty #n | #args #rty | #id #fs | #id #fs | #r #id ]
+    whd in ⊢ (??%? → ?); #H destruct (H); @cast_ip_z //;
+| #_ whd in ⊢ (??%? → ?); #H destruct
+]
+qed.
+definition exec_cast_sound : ∀m:mem. ∀v:val. ∀ty:type. ∀ty':type. ∀v':val. exec_cast m v ty ty' = OK ? v' → cast m v ty ty' v'.
+#m #v #ty #ty' #v'
+cases v;
+[ #H whd in H:(??%?); destruct;
+| #i cases ty;
+  [ #H whd in H:(??%?); destruct;
+  | 3: #a #H whd in H:(??%?); destruct;
+  | 7,8,9: #a #b #H whd in H:(??%?); destruct;
+  | #sz1 #si1 cases ty';
+    [ #H whd in H:(??%?); destruct;
+    | 3: #a #H whd in H:(??%?); destruct; //
+    | 2,7,8,9: #a #b #H whd in H:(??%?); destruct; //
+    | 4,5,6: [ #sp #ty'' letin t ≝ (Tpointer sp ty'')
+                 | #sp #ty'' #n letin t ≝ (Tarray sp ty'' n)
+                 | #args #rty letin t ≝ (Tfunction args rty) ]
+        whd in ⊢ (??%? → ?);
+        lapply (try_cast_null_sound m i (Tint sz1 si1) t v');
+        cases (try_cast_null m i (Tint sz1 si1) t);
+        [ 1,3,5: #v'' #H' #e @H' @e
+        | *: #_ whd in ⊢ (??%? → ?); #H destruct (H);
+        ]
+    ]
+  | *: [ #sp #ty'' letin t ≝ (Tpointer sp ty'')
+           | #sp #ty'' #n letin t ≝ (Tarray sp ty'' n)
+           | #args #rty letin t ≝ (Tfunction args rty) ]
+        whd in ⊢ (??%? → ?);
+        lapply (try_cast_null_sound m i t ty' v');
+        cases (try_cast_null m i t ty');
+        [ 1,3,5: #v'' #H' #e @H' @e
+        | *: #_ whd in ⊢ (??%? → ?); #H destruct (H);
+        ]
+  ]
+| #f cases ty;  [ 3: #x | 2,4,6,7,8,9: #x #y | 5: #x #y #z ]
+                    [ cases ty'; [ #e | 3: #a #e | 2,4,6,7,8,9: #a #b #e | #a #b #c #e ]
+                        whd in e:(??%?); destruct; //;
+                    | *: #e whd in e:(??%?); destruct
+                    ]
+| #r cases ty; [ 3: #x | 2,4,6,7,8,9: #x #y | 5: #x #y #z ]
+    whd in ⊢ (??%? → ?); #H destruct; cases (eq_region_dec r ?) in H;
+    whd in ⊢ (? → ??%? → ?); #H1 #H2 destruct;
+    cases ty' in H2; normalize; try #a try #b try #c try #d destruct;
+    @cast_pp_z //;
+| #sp #b #of whd in ⊢ (??%? → ?); #e
+    elim (bind_inversion ????? e); #s *; #es #e'
+    elim (bind_inversion ????? e'); #u *; #eu #e''
+    elim (bind_inversion ????? e''); #s' *; #es' #e'''
+    cut (type_region ty s);
+    [ cases ty in es:(??%?) ⊢ %; [ #e | 3: #a #e | 2,4,6,7,8,9: #a #b #e | #a #b #c #e ]
+        whd in e:(??%?); destruct; //;
+    | #Hty
+        cut (type_region ty' s');
+        [ cases ty' in es' ⊢ %; [ #e | 3: #a #e | 2,4,6,7,8,9: #a #b #e | #a #b #c #e ]
+            whd in e:(??%?); destruct; //;
+        | #Hty'
+            cut (s = sp). elim (eq_region_dec sp s) in eu; //; normalize; #_ #e destruct.
+            #e <e
+            whd in match (is_pointer_compat ??) in e''';
+            cases (pointer_compat_dec (block_space m b) s') in e'''; #Hcompat #e'''
+            whd in e''':(??%?); destruct (e'''); /2/
+        ]
+    ]
+] qed.
+let rec expr_lvalue_ind
   (P:expr → Prop)
   (Q:expr_descr → type → Prop)
 …
   | Efield e' i ⇒ match e' return λe1.Q (Efield e1 i) ty with [ Expr e'' ty'' ⇒ fl ty e'' ty'' i (lvalue_expr_ind P Q ci cf lv vr dr ao uo bo ca cd ab ob sz fl co xx e'' ty'') ]
   | _ ⇒ xx ? ty ?
   ]. nwhd; napply I; nqed.
 ntheorem exec_expr_sound: ∀ge:genv. ∀en:env. ∀m:mem. ∀e:expr.
+  ]. whd; @I qed.
+theorem exec_expr_sound: ∀ge:genv. ∀en:env. ∀m:mem. ∀e:expr.
 (P_res ? (λx.eval_expr ge en m e (\fst x) (\snd x)) (exec_expr ge en m e)).
+#ge en m e; napply (expr_lvalue_ind ? (λe',ty.P_res ? (λr.eval_lvalue ge en m (Expr e' ty) (\fst (\fst (\fst r))) (\snd (\fst (\fst r))) (\snd (\fst r)) (\snd r)) (exec_lvalue' ge en m e' ty)) … e);
+##[ ##1,2: #ty c; nwhd; //;
+#ge #en #m #e @(expr_lvalue_ind ? (λe',ty.P_res ? (λr.eval_lvalue ge en m (Expr e' ty) (\fst (\fst (\fst r))) (\snd (\fst (\fst r))) (\snd (\fst r)) (\snd r)) (exec_lvalue' ge en m e' ty)) … e)
+(* XXX // fails [ 1,2: #ty #c whd //  *)
+[ #ty #c whd %
+| #ty #c whd %2
 (* expressions that are lvalues *)
+##| #e' ty; ncases e'; //; ##[ #i He' ##| #e He' ##| #e i He' ##] nwhd in He' ⊢ %;
+    napply bind2_OK; #x; ncases x; #y; ncases y; #sp loc ofs tr H;
+    napply opt_bind_OK;  #vl evl; nwhd in evl:(??%?); napply (eval_Elvalue … evl);
+    nrewrite > H in He'; #He'; napply He';
+##| #v ty;
+    nwhd in ⊢ (???%);
+    nlapply (refl ? (get ident PTree block v en));
+    ncases (get ident PTree block v en) in ⊢ (???% → %);
+    ##[ #eget; napply opt_bind_OK; #sploc; ncases sploc; #sp loc efind;
+        nwhd; napply (eval_Evar_global … eget efind);
+    ##| #loc eget; napply (eval_Evar_local … eget);
+    ##]
+##| #ty e He; nwhd in ⊢ (???%);
+    napply bind2_OK; #v; ncases v; //; #sp l ofs tr Hv; nwhd;
+    napply eval_Ederef; nrewrite > Hv in He; #He; napply He;
+##| #ty e'' ty'' He''; napply bind2_OK; #x; ncases x; #y; ncases y; #sp loc ofs tr H;
+    nwhd; napply eval_Eaddrof; nrewrite > H in He''; #He''; napply He'';
+##| #ty op e1 He1; napply bind2_OK; #v1 tr Hv1;
+    napply opt_bind_OK; #v ev;
+    napply (eval_Eunop … ev);
+    nrewrite > Hv1 in He1; #He1; napply He1;
+##| #ty op e1 e2 He1 He2;
+    napply bind2_OK; #v1 tr1 ev1; nrewrite > ev1 in He1; #He1;
+    napply bind2_OK; #v2 tr2 ev2; nrewrite > ev2 in He2; #He2;
+    napply opt_bind_OK; #v ev; nwhd in He1 He2; nwhd;
+    napply (eval_Ebinop … He1 He2 ev);
+##| #ty ty' e' He';
+    napply bind2_OK; #v tr Hv; nrewrite > Hv in He'; #He';
+    napply bind_OK; #v' ev';
+    napply (eval_Ecast … He' ?);
+    /2/;
+##| #ty e1 e2 e3 He1 He2 He3;
+    napply bind2_OK; #vb tr1 Hvb; nrewrite > Hvb in He1; #He1;
+    napply bind_OK; #b;
+    ncases b; #eb; nlapply (exec_bool_of_val_sound … eb); #Hb;
+    napply bind2_OK; #v tr Hv;
+    ##[ nrewrite > Hv in He2; #He2; nwhd in He2 Hv:(??%?) ⊢%;
+        napply (eval_Econdition_true … He1 ? He2);  napply (bool_of ??? Hb);
+    ##| nrewrite > Hv in He3; #He3; nwhd in He3 Hv:(??%?) ⊢%;
+        napply (eval_Econdition_false … He1 ? He3);  napply (bool_of ??? Hb);
+    ##]
+##| #ty e1 e2 He1 He2;
+    napply bind2_OK; #v1 tr1 Hv1; nrewrite > Hv1 in He1; #He1;
+    napply bind_OK; #b1; ncases b1; #eb1; nlapply (exec_bool_of_val_sound … eb1); #Hb1;
+    ##[ napply bind2_OK; #v2 tr2 Hv2; nrewrite > Hv2 in He2; #He2;
+        napply bind_OK; #b2 eb2;
+        napply (eval_Eandbool_2 … He1 … He2);
+        ##[ napply (bool_of … Hb1); ##| napply (exec_bool_of_val_sound … eb2); ##]
+    ##| napply (eval_Eandbool_1 … He1); napply (bool_of … Hb1);
+    ##]
+##| #ty e1 e2 He1 He2;
+    napply bind2_OK; #v1 tr1 Hv1; nrewrite > Hv1 in He1; #He1;
+    napply bind_OK; #b1; ncases b1; #eb1; nlapply (exec_bool_of_val_sound … eb1); #Hb1;
+    ##[ napply (eval_Eorbool_1 … He1); napply (bool_of … Hb1);
+    ##| napply bind2_OK; #v2 tr2 Hv2; nrewrite > Hv2 in He2; #He2;
+        napply bind_OK; #b2 eb2;
+        napply (eval_Eorbool_2 … He1 … He2);
+        ##[ napply (bool_of … Hb1); ##| napply (exec_bool_of_val_sound … eb2); ##]
+    ##]
+##| #ty ty'; nwhd; //
+##| #ty e' ty' i; ncases ty'; //;
+    ##[ #id fs He'; napply bind2_OK;  #x; ncases x; #sp l ofs H;
+        napply bind_OK; #delta Hdelta; nrewrite > H in He'; #He';
+        napply (eval_Efield_struct …  He' (refl ??) Hdelta);
+    ##| #id fs He'; napply bind2_OK;  #x; ncases x; #sp l ofs H;
+        nrewrite > H in He'; #He';
+        napply (eval_Efield_union … He' (refl ??));
+    ##]
+##| #ty l e' He'; napply bind2_OK; #v tr1 H; nrewrite > H in He'; #He';
+    napply (eval_Ecost … He');
+| #e' #ty cases e'; //; [ #i #He' | #e #He' | #e #i #He' ] whd in He' ⊢ %;
+    @bind2_OK #x cases x; #y cases y; #sp #loc #ofs #tr #H
+    @opt_bind_OK #vl #evl whd in evl:(??%?); @(eval_Elvalue … evl)
+    >H in He' #He' @He'
+| #v #ty
+    whd in ⊢ (???%);
+    lapply (refl ? (get ident PTree block v en));
+    cases (get ident PTree block v en) in ⊢ (???% → %);
+    [ #eget @opt_bind_OK #sploc cases sploc; #sp #loc #efind
+        whd; @(eval_Evar_global … eget efind)
+    | #loc #eget @(eval_Evar_local … eget)
+    ]
+| #ty #e #He whd in ⊢ (???%);
+    @bind2_OK #v cases v; //; #sp #l #ofs #tr #Hv whd;
+    @eval_Ederef >Hv in He #He @He
+| #ty #e'' #ty'' #He'' @bind2_OK #x cases x; #y cases y; #sp #loc #ofs #tr #H
+    whd; @eval_Eaddrof >H in He'' #He'' @He''
+| #ty #op #e1 #He1 @bind2_OK #v1 #tr #Hv1
+    @opt_bind_OK #v #ev
+    @(eval_Eunop … ev)
+    >Hv1 in He1 #He1 @He1
+| #ty #op #e1 #e2 #He1 #He2
+    @bind2_OK #v1 #tr1 #ev1 >ev1 in He1 #He1
+    @bind2_OK #v2 #tr2 #ev2 >ev2 in He2 #He2
+    @opt_bind_OK #v #ev whd in He1 He2; whd;
+    @(eval_Ebinop … He1 He2 ev)
+| #ty #ty' #e' #He'
+    @bind2_OK #v #tr #Hv >Hv in He' #He'
+    @bind_OK #v' #ev'
+    @(eval_Ecast … He' ?)
+    (* XXX /2/; *)
+    @(exec_cast_sound … ev')
+| #ty #e1 #e2 #e3 #He1 #He2 #He3
+    @bind2_OK #vb #tr1 #Hvb >Hvb in He1 #He1
+    @bind_OK #b
+    cases b; #eb lapply (exec_bool_of_val_sound … eb); #Hb
+    @bind2_OK #v #tr #Hv
+    [ >Hv in He2 #He2 whd in He2 Hv:(??%?) ⊢%;
+        @(eval_Econdition_true … He1 ? He2) @(bool_of ??? Hb)
+    | >Hv in He3 #He3 whd in He3 Hv:(??%?) ⊢%;
+        @(eval_Econdition_false … He1 ? He3) @(bool_of ??? Hb)
+    ]
+| #ty #e1 #e2 #He1 #He2
+    @bind2_OK #v1 #tr1 #Hv1 >Hv1 in He1 #He1
+    @bind_OK #b1 cases b1; #eb1 lapply (exec_bool_of_val_sound … eb1); #Hb1
+    [ @bind2_OK #v2 #tr2 #Hv2 >Hv2 in He2 #He2
+        @bind_OK #b2 #eb2
+        @(eval_Eandbool_2 … He1 … He2)
+        [ @(bool_of … Hb1) | @(exec_bool_of_val_sound … eb2) ]
+    | @(eval_Eandbool_1 … He1) @(bool_of … Hb1)
+    ]
+| #ty #e1 #e2 #He1 #He2
+    @bind2_OK #v1 #tr1 #Hv1 >Hv1 in He1 #He1
+    @bind_OK #b1 cases b1; #eb1 lapply (exec_bool_of_val_sound … eb1); #Hb1
+    [ @(eval_Eorbool_1 … He1) @(bool_of … Hb1)
+    | @bind2_OK #v2 #tr2 #Hv2 >Hv2 in He2 #He2
+        @bind_OK #b2 #eb2
+        @(eval_Eorbool_2 … He1 … He2)
+        [ @(bool_of … Hb1) | @(exec_bool_of_val_sound … eb2) ]
+    ]
+| #ty #ty' whd; (* XXX //*) @eval_Esizeof
+| #ty #e' #ty' #i cases ty'; //;
+    [ #id #fs #He' @bind2_OK #x cases x; #sp #l #ofs #H
+        @bind_OK #delta #Hdelta >H in He' #He'
+        @(eval_Efield_struct …  He' (refl ??) Hdelta)
+    | #id #fs #He' @bind2_OK #x cases x; #sp #l #ofs #H
+        >H in He' #He'
+        @(eval_Efield_union … He' (refl ??))
+    ]
+| #ty #l #e' #He' @bind2_OK #v #tr1 #H >H in He' #He'
+    @(eval_Ecost … He')
 (* exec_lvalue fails on non-lvalues. *)
 ##| #e' ty; ncases e';
     ##[ ##1,2,5,12: #a H ##| ##3,4: #a; * ##| ##13,14: #a b; * ##| ##6,8,10,11: #a b H ##| ##7,9: #a b c H ##]
     napply I;
 ##] nqed.
 nlemma addrof_eval_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty.
+| #e' #ty cases e';
+    [ 1,2,5,12: #a #H | 3,4: #a * | 13,14: #a #b * | 6,8,10,11: #a #b #H | 7,9: #a #b #c #H ]
+    @I
+] qed.
+lemma addrof_eval_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty.
 eval_expr ge en m (Expr (Eaddrof e) ty) (Vptr sp loc off) tr →
 eval_lvalue ge en m e sp loc off tr.
 #ge en m e sp loc off tr ty H; ninversion H;
 ##[ ##1,2,5: #a b H; napply False_ind; ndestruct (H);
+##| #a b c d e f g H1 i H2; nrewrite < H2 in H1; #H1; napply False_ind;
     napply (eval_lvalue_inv_ind … H1);
     ##[ #a b c d bad; ndestruct (bad);
     ##| #a b c d e f bad; ndestruct (bad);
     ##| #a b c d e f g bad; ndestruct (bad);
     ##| #a b c d e f g  h i j k l m n bad; napply False_ind; ndestruct (bad);
     ##| #a b c d e f g h i j k l bad; ndestruct (bad);
     ##]
+##| #e' ty' sp' loc' ofs' tr' H e1 e2 e3; ndestruct (e1 e2 e3); napply H;
 ##| #a b c d e f g h i bad; ndestruct (bad);
 ##| #a b c d e f g h i j k l k l bad; ndestruct (bad);
 ##| #a b c d e f g h i j k l m bad; ndestruct (bad);
 ##| #a b c d e f g h i j k l m bad; ndestruct (bad);
 ##| #a b c d e f g h bad; ndestruct (bad);
 ##| #a b c d e f g h i j k l m n bad; ndestruct (bad);
 ##| #a b c d e f g h bad; ndestruct (bad);
 ##| #a b c d e f g h i j k l m n bad;  ndestruct (bad);
 ##| #a b c d e f g h i bad; ndestruct (bad);
 ##| #a b c d e f g bad; ndestruct (bad);
 ##] nqed.
 nlemma addrof_exec_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty.
+#ge #en #m #e #sp #loc #off #tr #ty #H inversion H;
+[ 1,2,5: #a #b #H @False_ind destruct (H);
+| #a #b #c #d #e #f #g #H1 #i #H2 <H2 in H1 #H1 @False_ind
+    @(eval_lvalue_inv_ind … H1)
+    [ #a #b #c #d #bad destruct (bad);
+    | #a #b #c #d #e #f #bad destruct (bad);
+    | #a #b #c #d #e #f #g #bad destruct (bad);
+    | #a #b #c #d #e #f #g #h #i #j #k #l #m #n #bad @False_ind destruct (bad);
+    | #a #b #c #d #e #f #g #h #i #j #k #l #bad destruct (bad);
+    ]
+| #e' #ty' #sp' #loc' #ofs' #tr' #H #e1 #e2 #e3 destruct (e1 e2 e3); @H
+| #a #b #c #d #e #f #g #h #i #bad destruct (bad);
+| #a #b #c #d #e #f #g #h #i #j #k #l #k #l #bad destruct (bad);
+| #a #b #c #d #e #f #g #h #i #j #k #l #m #bad destruct (bad);
+| #a #b #c #d #e #f #g #h #i #j #k #l #m #bad destruct (bad);
+| #a #b #c #d #e #f #g #h #bad destruct (bad);
+| #a #b #c #d #e #f #g #h #i #j #k #l #m #n #bad destruct (bad);
+| #a #b #c #d #e #f #g #h #bad destruct (bad);
+| #a #b #c #d #e #f #g #h #i #j #k #l #m #n #bad  destruct (bad);
+| #a #b #c #d #e #f #g #h #i #bad destruct (bad);
+| #a #b #c #d #e #f #g #bad destruct (bad);
+] qed.
+lemma addrof_exec_lvalue: ∀ge,en,m,e,sp,loc,off,tr,ty.
 exec_lvalue ge en m e = OK ? 〈〈〈sp,loc〉,off〉,tr〉 →
 exec_expr ge en m (Expr (Eaddrof e) ty) = OK ? 〈Vptr sp loc off, tr〉.
 #ge en m e sp loc off tr ty H; nwhd in ⊢ (??%?);
 nrewrite > H; //;
 nqed.
 ntheorem exec_lvalue_sound: ∀ge,en,m,e.
+#ge #en #m #e #sp #loc #off #tr #ty #H whd in ⊢ (??%?);
+>H //;
+qed.
+theorem exec_lvalue_sound: ∀ge,en,m,e.
 P_res ? (λr.eval_lvalue ge en m e (\fst (\fst (\fst r))) (\snd (\fst (\fst r))) (\snd (\fst r)) (\snd r)) (exec_lvalue ge en m e).
 #ge en m e; nlapply (refl ? (exec_lvalue ge en m e));
 ncases (exec_lvalue ge en m e) in ⊢ (???% → %);
 ##[ #x; ncases x; #y; ncases y; #z; ncases z; #sp loc off tr H; nwhd;
     napply (addrof_eval_lvalue … Tvoid);
     nlapply (addrof_exec_lvalue … Tvoid H); #H';
     nlapply (exec_expr_sound ge en m (Expr (Eaddrof e) Tvoid));
     nrewrite > H'; #H''; napply H'';
+##| #_; nwhd; napply I;
 ##] nqed.
+#ge #en #m #e lapply (refl ? (exec_lvalue ge en m e));
+cases (exec_lvalue ge en m e) in ⊢ (???% → %);
+[ #x cases x; #y cases y; #z cases z; #sp #loc #off #tr #H whd;
+    @(addrof_eval_lvalue … Tvoid)
+    lapply (addrof_exec_lvalue … Tvoid H); #H'
+    lapply (exec_expr_sound ge en m (Expr (Eaddrof e) Tvoid));
+    >H' #H'' @H''
+| #_ whd; @I
+] qed.
 (* Plain equality versions of the above *)
 ndefinition exec_expr_sound' ≝ λge,en,m,e,v.
+definition exec_expr_sound' ≝ λge,en,m,e,v.
   λH:exec_expr ge en m e = OK ? v.
   P_res_to_P ???? (exec_expr_sound ge en m e) H.
 ndefinition exec_lvalue_sound' ≝ λge,en,m,e,sp,loc,off,tr.
+definition exec_lvalue_sound' ≝ λge,en,m,e,sp,loc,off,tr.
   λH:exec_lvalue ge en m e = OK ? 〈〈〈sp,loc〉,off〉,tr〉.
   P_res_to_P ???? (exec_lvalue_sound ge en m e) H.
+nlemma exec_exprlist_sound: ∀ge,e,m,l. P_res ? (λvltr:list val×trace. eval_exprlist ge e m l (\fst vltr) (\snd vltr)) (exec_exprlist ge e m l).
+#ge e m l; nelim l;
+ nwhd; //;
+ #e1 es; #IH;
+napply bind2_OK; #v tr1 Hv;
+napply bind2_OK; #vs tr2 Hvs;
+nwhd; napply eval_Econs;
+##[ napply (P_res_to_P … (exec_expr_sound ge e m e1) Hv);
+##| napply (P_res_to_P … IH Hvs);
+##] nqed.
+ntheorem exec_step_sound: ∀ge,st.
+lemma exec_exprlist_sound: ∀ge,e,m,l. P_res ? (λvltr:list val×trace. eval_exprlist ge e m l (\fst vltr) (\snd vltr)) (exec_exprlist ge e m l).
+#ge #e #m #l elim l;
+ whd; (* XXX //; *)
+[ %
+| #e1 #es #IH
+  @bind2_OK #v #tr1 #Hv
+  @bind2_OK #vs #tr2 #Hvs
+  whd; @eval_Econs
+  [ @(P_res_to_P … (exec_expr_sound ge e m e1) Hv)
+  | @(P_res_to_P … IH Hvs)
+  ]
+] qed.
+lemma exec_alloc_variables_sound : ∀l,en,m,en',m'.
+  exec_alloc_variables en m l = 〈en',m'〉 →
+  alloc_variables en m l en' m'.
+#l elim l
+[ #en #m #en' #m' #EXEC whd in EXEC:(??%?); destruct %
+| * #id #ty #t #IH #en #m #en' #m'
+  lapply (refl ? (alloc m O (sizeof ty) Any)) #ALLOC #EXEC
+  whd in EXEC:(??%?) ALLOC:(???%)
+ @(alloc_variables_cons … ALLOC)
+ @IH @EXEC
+qed.
+lemma exec_bind_parameters_sound : ∀ps,vs,en,m.
+  P_res ? (λm'. bind_parameters en m ps vs m') (exec_bind_parameters en m ps vs).
+#ps elim ps
+[ * //
+| * #id #ty #ps' #IH *
+    [ //
+    | #v #vs #en #m
+      @opt_bind_OK #b #GET
+      @opt_bind_OK #m' #STORE
+      lapply (refl ? (exec_bind_parameters en m' ps' vs))
+      cases (exec_bind_parameters en m' ps' vs) in ⊢ (???% → %) [2: #_ %]
+      #m'' #BIND
+      @(bind_parameters_cons … GET STORE)
+      lapply (IH vs en m') whd in ⊢ (% → ?) >BIND //
+    ]
+] qed.
+lemma check_eventval_list_sound : ∀vs,tys.
+  P_res ? (λevs. eventval_list_match evs tys vs) (check_eventval_list vs tys).
+#vs0 elim vs0
+[ * //
+| #v #vs #IH *
+  [ //
+  | #ty #tys whd in ⊢ (???%)
+    cases ty cases v // #v'
+    @bind_OK #evs #CHECK
+    @(evl_match_cons ??????? (P_res_to_P … CHECK)) //
+  ]
+] qed.
+theorem exec_step_sound: ∀ge,st.
   P_io ??? (λr. step ge st (\fst r) (\snd r)) (exec_step ge st).
+#ge st; ncases st;
+##[ #f s k e m; ncases s;
+  ##[ ncases k;
+    ##[ nwhd in ⊢ (?????%);
+        nlapply (refl ? (fn_return f)); ncases (fn_return f) in ⊢ (???% → %);
+        //; #H; nwhd;
+        napply step_skip_call; //;
+    ##| #s' k'; nwhd; //;
+    ##| #ex s' k'; napply step_skip_or_continue_while; @; //;
+    ##| #ex s' k';
+        napply res_bindIO2_OK; #v tr Hv;
+        nletin bexpr ≝ (exec_bool_of_val v (typeof ex));
+        nlapply (refl ? bexpr);
+        ncases bexpr in ⊢ (???% → %);
+        ##[ #b; ncases b; #eb; nlapply (exec_bool_of_val_sound … eb); #Hb;
+            nwhd in ⊢ (?????%);
+            ##[ napply (step_skip_or_continue_dowhile_true … (exec_expr_sound' … Hv));
+              ##[ @; // ##| napply (bool_of … Hb); ##]
+            ##| napply (step_skip_or_continue_dowhile_false … (exec_expr_sound' … Hv));
+              ##[ @; // ##| napply (bool_of … Hb); ##]
+            ##]
+        ##| #_; //;
+        ##]
+    ##| #ex s1 s2 k'; napply step_skip_or_continue_for2; @; //;
+    ##| #ex s1 s2 k'; napply step_skip_for3;
+    ##| #k'; napply step_skip_break_switch; @; //;
+    ##| #r f' e' k'; nwhd in ⊢ (?????%);
+        nlapply (refl ? (fn_return f)); ncases (fn_return f) in ⊢ (???% → %);
+        //; #H; nwhd;
+        napply step_skip_call; //;
+    ##]
+  ##| #ex1 ex2;
+    napply res_bindIO2_OK; #x; ncases x; #y; ncases y; #pcl loc ofs tr1 Hlval;
+    napply res_bindIO2_OK; #v2 tr2 Hv2;
+    napply opt_bindIO_OK; #m' em';
+    nwhd; napply (step_assign … (exec_lvalue_sound' … Hlval) (exec_expr_sound' … Hv2) em');
+  ##| #lex fex args;
+    napply res_bindIO2_OK; #vf tr1 Hvf0; nlapply (exec_expr_sound' … Hvf0); #Hvf;
+    napply res_bindIO2_OK; #vargs tr2 Hvargs0; nlapply (P_res_to_P ???? (exec_exprlist_sound …) Hvargs0); #Hvargs;
+    napply opt_bindIO_OK; #fd efd;
+    napply bindIO_OK; #ety;
+    ncases lex; nwhd;
+    ##[ napply (step_call_none … Hvf Hvargs efd ety);
+    ##| #lhs';
+        napply res_bindIO2_OK; #x; ncases x; #y; ncases y; #pcl loc ofs tr3 Hlocofs;
+        nwhd; napply (step_call_some … (exec_lvalue_sound' … Hlocofs) Hvf Hvargs efd ety);
+    ##]
+  ##| #s1 s2; nwhd; //;
+  ##| #ex s1 s2;
+    napply res_bindIO2_OK; #v tr Hv;
+    nletin bexpr ≝ (exec_bool_of_val v (typeof ex));
+    nlapply (refl ? bexpr); ncases bexpr in ⊢ (???% → %); //;
+    #b; ncases b; #eb; nlapply (exec_bool_of_val_sound … eb); #Hb;
+    ##[ napply (step_ifthenelse_true … (exec_expr_sound' … Hv)); napply (bool_of … Hb);
+    ##| napply (step_ifthenelse_false … (exec_expr_sound' … Hv)); napply (bool_of … Hb)
+    ##]
+  ##| #ex s';
+    napply res_bindIO2_OK; #v tr Hv;
+    nletin bexpr ≝ (exec_bool_of_val v (typeof ex));
+    nlapply (refl ? bexpr); ncases bexpr in ⊢ (???% → %); //;
+    #b; ncases b; #eb; nlapply (exec_bool_of_val_sound … eb); #Hb;
+    ##[ napply (step_while_true … (exec_expr_sound' … Hv)); napply (bool_of … Hb);
+    ##| napply (step_while_false … (exec_expr_sound' … Hv)); napply (bool_of … Hb);
+    ##]
+  ##| #ex s'; nwhd; //;
+  ##| #s1 ex s2 s3; nwhd in ⊢ (?????%); nelim (is_Sskip s1); #Hs1; nwhd in ⊢ (?????%);
+    ##[ nrewrite > Hs1;
+      napply res_bindIO2_OK; #v tr Hv;
+      nletin bexpr ≝ (exec_bool_of_val v (typeof ex));
+      nlapply (refl ? bexpr); ncases bexpr in ⊢ (???% → %); //;
+      #b; ncases b; #eb; nlapply (exec_bool_of_val_sound … eb); #Hb;
+      ##[ napply (step_for_true … (exec_expr_sound' … Hv)); napply (bool_of … Hb);
+      ##| napply (step_for_false … (exec_expr_sound' … Hv)); napply (bool_of … Hb);
+      ##]
+    ##| napply step_for_start; //;
+    ##]
+  ##| nwhd in ⊢ (?????%); ncases k; //;
+    ##[ #s' k'; nwhd; //;
+    ##| #ex s' k'; nwhd; //;
+    ##| #ex s' k'; nwhd; //;
+    ##| #ex s1 s2 k'; nwhd; //;
+    ##| #k'; napply step_skip_break_switch; @2; //;
+    ##]
+  ##| nwhd in ⊢ (?????%); ncases k; //;
+    ##[ #s' k'; nwhd; //;
+    ##| #ex s' k'; nwhd; napply step_skip_or_continue_while; @2; //;
+    ##| #ex s' k'; nwhd;
+      napply res_bindIO2_OK; #v tr Hv;
+      nletin bexpr ≝ (exec_bool_of_val v (typeof ex));
+      nlapply (refl ? bexpr); ncases bexpr in ⊢ (???% → %); //;
+      #b; ncases b; #eb; nlapply (exec_bool_of_val_sound … eb); #Hb;
+      ##[ napply (step_skip_or_continue_dowhile_true … (exec_expr_sound' … Hv));
+        ##[ @2; // ##| napply (bool_of … Hb); ##]
+      ##| napply (step_skip_or_continue_dowhile_false … (exec_expr_sound' … Hv));
+        ##[ @2; // ##| napply (bool_of … Hb); ##]
+      ##]
+    ##| #ex s1 s2 k'; nwhd; napply step_skip_or_continue_for2; @2; //
+    ##| #k'; nwhd; //;
+    ##]
+  ##| #r; nwhd in ⊢ (?????%); ncases r;
+    ##[ nwhd; nlapply (refl ? (fn_return f)); ncases (fn_return f) in ⊢ (???% → %); //; #H;
+        napply step_return_0; napply H;
+    ##| #ex; ncases (type_eq_dec (fn_return f) Tvoid); //; nwhd in ⊢ (% → ?????%); #Hnotvoid;
+        napply res_bindIO2_OK; #v tr Hv;
+        nwhd; napply (step_return_1 … Hnotvoid (exec_expr_sound' … Hv));
+    ##]
+  ##| #ex ls; napply res_bindIO2_OK; #v; ncases v; //; #n tr Hv;
+    napply step_switch; napply (exec_expr_sound' … Hv);
+  ##| #l s'; nwhd; //;
+  ##| #l; nwhd in ⊢ (?????%); nlapply (refl ? (find_label l (fn_body f) (call_cont k)));
+      ncases (find_label l (fn_body f) (call_cont k)) in ⊢ (???% → %); //;
+      #sk; ncases sk; #s' k' H;
+      napply (step_goto … H);
+  ##| #l s'; nwhd; //;
+  ##]
+##| #f0 vargs k m; nwhd in ⊢ (?????%); ncases f0;
+  ##[ #fn;
+    napply extract_subset_pair_io; #e m1 ealloc Halloc;
+    napply sig_bindIO_OK; #m2 Hbind;
+    nwhd; napply (step_internal_function … Halloc Hbind);
+  ##| #id argtys rty; napply sig_bindIO_OK; #evs Hevs;
+    napply bindIO_OK; #eres; nwhd;
+    napply step_external_function; @; ##[ napply Hevs; ##| napply mk_val_correct; ##]
+  ##]
+##| #v k' m'; nwhd in ⊢ (?????%); ncases k'; //;
+    #r f e k; nwhd in ⊢ (?????%); ncases r;
+  ##[ nwhd; //;
+  ##| #x; ncases x; #y; ncases y; #z; ncases z; #pcl b ofs ty;
+    napply opt_bindIO_OK; #m' em'; napply step_returnstate_1; nwhd in em':(??%?); //;
+  ##]
+##]
+nqed.
+nlemma make_initial_state_sound : ∀p. P_res ? (λgs.globalenv Genv ?? p = OK ? (\fst gs) ∧ initial_state p (\snd gs)) (make_initial_state p).
+#p; ncases p; #fns main vars;
+nwhd in ⊢ (???%);
+napply bind_OK; #ge Ege;
+napply bind_OK; #m Em;
+napply opt_bind_OK; #x; ncases x; #sp b esb;
+napply opt_bind_OK; #u ecode;
+napply opt_bind_OK; #f ef;
+ncases sp in esb ecode; #esb ecode; nwhd in ecode:(??%%); ##[ ##1,2,3,4,5: ndestruct (ecode); ##]
+nwhd; @; //; napply (initial_state_intro … Ege Em esb ef);
+nqed.
+ntheorem exec_steps_sound: ∀ge,n,st.
+#ge #st cases st;
+[ #f #s #k #e #m cases s;
+  [ cases k;
+    [ whd in ⊢ (?????%);
+        lapply (refl ? (fn_return f)); cases (fn_return f) in ⊢ (???% → %);
+        //; #H whd;
+        @step_skip_call //;
+    | #s' #k' whd; (* XXX //; *) @step_skip_seq
+    | #ex #s' #k' @step_skip_or_continue_while % //;
+    | #ex #s' #k'
+        @res_bindIO2_OK #v #tr #Hv
+        letin bexpr ≝ (exec_bool_of_val v (typeof ex));
+        lapply (refl ? bexpr);
+        cases bexpr in ⊢ (???% → %);
+        [ #b cases b; #eb lapply (exec_bool_of_val_sound … eb); #Hb
+            whd in ⊢ (?????%);
+            [ @(step_skip_or_continue_dowhile_true … (exec_expr_sound' … Hv))
+              [ % // | @(bool_of … Hb) ]
+            | @(step_skip_or_continue_dowhile_false … (exec_expr_sound' … Hv))
+              [ % // | @(bool_of … Hb) ]
+            ]
+        | #_ //;
+        ]
+    | #ex #s1 #s2 #k' @step_skip_or_continue_for2 % //;
+    | #ex #s1 #s2 #k' @step_skip_for3
+    | #k' @step_skip_break_switch % //;
+    | #r #f' #e' #k' whd in ⊢ (?????%);
+        lapply (refl ? (fn_return f)); cases (fn_return f) in ⊢ (???% → %);
+        //; #H whd;
+        @step_skip_call //;
+    ]
+  | #ex1 #ex2
+    @res_bindIO2_OK #x cases x; #y cases y; #pcl #loc #ofs #tr1 #Hlval
+    @res_bindIO2_OK #v2 #tr2 #Hv2
+    @opt_bindIO_OK #m' #em'
+    whd; @(step_assign … (exec_lvalue_sound' … Hlval) (exec_expr_sound' … Hv2) em')
+  | #lex #fex #args
+    @res_bindIO2_OK #vf #tr1 #Hvf0 lapply (exec_expr_sound' … Hvf0); #Hvf
+    @res_bindIO2_OK #vargs #tr2 #Hvargs0 lapply (P_res_to_P ???? (exec_exprlist_sound …) Hvargs0); #Hvargs
+    @opt_bindIO_OK #fd #efd
+    @bindIO_OK #ety
+    cases lex; whd;
+    [ @(step_call_none … Hvf Hvargs efd ety)
+    | #lhs'
+        @res_bindIO2_OK #x cases x; #y cases y; #pcl #loc #ofs #tr3 #Hlocofs
+        whd; @(step_call_some … (exec_lvalue_sound' … Hlocofs) Hvf Hvargs efd ety)
+    ]
+  | #s1 #s2 whd; (* XXX //; *) @step_seq
+  | #ex #s1 #s2
+    @res_bindIO2_OK #v #tr #Hv
+    letin bexpr ≝ (exec_bool_of_val v (typeof ex));
+    lapply (refl ? bexpr); cases bexpr in ⊢ (???% → %); //;
+    #b cases b; #eb lapply (exec_bool_of_val_sound … eb); #Hb
+    [ @(step_ifthenelse_true … (exec_expr_sound' … Hv)) @(bool_of … Hb)
+    | @(step_ifthenelse_false … (exec_expr_sound' … Hv)) @(bool_of … Hb)
+    ]
+  | #ex #s'
+    @res_bindIO2_OK #v #tr #Hv
+    letin bexpr ≝ (exec_bool_of_val v (typeof ex));
+    lapply (refl ? bexpr); cases bexpr in ⊢ (???% → %); //;
+    #b cases b; #eb lapply (exec_bool_of_val_sound … eb); #Hb
+    [ @(step_while_true … (exec_expr_sound' … Hv)) @(bool_of … Hb)
+    | @(step_while_false … (exec_expr_sound' … Hv)) @(bool_of … Hb)
+    ]
+  | #ex #s' whd; (* XXX //; *) @step_dowhile
+  | #s1 #ex #s2 #s3 whd in ⊢ (?????%); elim (is_Sskip s1); #Hs1 whd in ⊢ (?????%);
+    [ >Hs1
+      @res_bindIO2_OK #v #tr #Hv
+      letin bexpr ≝ (exec_bool_of_val v (typeof ex));
+      lapply (refl ? bexpr); cases bexpr in ⊢ (???% → %); //;
+      #b cases b; #eb lapply (exec_bool_of_val_sound … eb); #Hb
+      [ @(step_for_true … (exec_expr_sound' … Hv)) @(bool_of … Hb)
+      | @(step_for_false … (exec_expr_sound' … Hv)) @(bool_of … Hb)
+      ]
+    | @step_for_start //;
+    ]
+  | whd in ⊢ (?????%); cases k; //;
+    [ #s' #k' whd (* XXX // *) @step_break_seq
+    | #ex #s' #k' whd (* //; *) @step_break_while
+    | #ex #s' #k' whd (* //; *) @step_break_dowhile
+    | #ex #s1 #s2 #k' whd (* //; *) @step_break_for2
+    | #k' @step_skip_break_switch %2  //
+    ]
+  | whd in ⊢ (?????%); cases k; //;
+    [ #s' #k' whd; (* XXX //;*) @step_continue_seq
+    | #ex #s' #k' whd; @step_skip_or_continue_while %2 ; //;
+    | #ex #s' #k' whd;
+      @res_bindIO2_OK #v #tr #Hv
+      letin bexpr ≝ (exec_bool_of_val v (typeof ex));
+      lapply (refl ? bexpr); cases bexpr in ⊢ (???% → %); //;
+      #b cases b; #eb lapply (exec_bool_of_val_sound … eb); #Hb
+      [ @(step_skip_or_continue_dowhile_true … (exec_expr_sound' … Hv))
+        [ %2 ; // | @(bool_of … Hb) ]
+      | @(step_skip_or_continue_dowhile_false … (exec_expr_sound' … Hv))
+        [ %2 ; // | @(bool_of … Hb) ]
+      ]
+    | #ex #s1 #s2 #k' whd; @step_skip_or_continue_for2 %2 ; //
+    | #k' whd; (* XXX //;*) @step_continue_switch
+    ]
+  | #r whd in ⊢ (?????%); cases r;
+    [ whd; lapply (refl ? (fn_return f)); cases (fn_return f) in ⊢ (???% → %); //; #H
+        @step_return_0 @H
+    | #ex cases (type_eq_dec (fn_return f) Tvoid); //; whd in ⊢ (% → ?????%); #Hnotvoid
+        @res_bindIO2_OK #v #tr #Hv
+        whd; @(step_return_1 … Hnotvoid (exec_expr_sound' … Hv))
+    ]
+  | #ex #ls @res_bindIO2_OK #v cases v; //; #n #tr #Hv
+    @step_switch @(exec_expr_sound' … Hv)
+  | #l #s' whd; @step_label (* XXX //; *)
+  | #l whd in ⊢ (?????%); lapply (refl ? (find_label l (fn_body f) (call_cont k)));
+      cases (find_label l (fn_body f) (call_cont k)) in ⊢ (???% → %); //;
+      #sk cases sk; #s' #k' #H
+      @(step_goto … H)
+  | #l #s' whd; (* XXX //; *) @step_cost
+  ]
+| #f0 #vargs #k #m whd in ⊢ (?????%); cases f0;
+  [ #fn whd in ⊢ (?????%)
+    lapply (refl ? (exec_alloc_variables empty_env m (fn_params fn@fn_vars fn)))
+    cases (exec_alloc_variables empty_env m (fn_params fn@fn_vars fn)) in ⊢ (???% → %)
+    #en' #m' #ALLOC whd in ⊢ (?????%)
+    @res_bindIO_OK #m2 #BIND
+    whd; @(step_internal_function … (exec_alloc_variables_sound … ALLOC))
+    @(P_res_to_P … (exec_bind_parameters_sound …) BIND)
+  | #id #argtys #rty @res_bindIO_OK #evs #Hevs
+    @bindIO_OK #eres whd;
+    @step_external_function % [ @(P_res_to_P … (check_eventval_list_sound …) Hevs)
+                              | @mk_val_correct ]
+  ]
+| #v #k' #m' whd in ⊢ (?????%); cases k'; //;
+    #r #f #e #k whd in ⊢ (?????%); cases r;
+  [ whd; @step_returnstate_0
+  | #x cases x; #y cases y; #z cases z; #pcl #b #ofs #ty
+    @opt_bindIO_OK #m' #em' @step_returnstate_1 whd in em':(??%?); //;
+  ]
+]
+qed.
+lemma make_initial_state_sound : ∀p. P_res ? (λgs.globalenv Genv ?? p = OK ? (\fst gs) ∧ initial_state p (\snd gs)) (make_initial_state p).
+#p cases p; #fns #main #vars
+whd in ⊢ (???%);
+@bind_OK #ge #Ege
+@bind_OK #m #Em
+@opt_bind_OK #x cases x; #sp #b #esb
+@opt_bind_OK #u #ecode
+@opt_bind_OK #f #ef
+cases sp in esb ecode; #esb #ecode whd in ecode:(??%%); [ 1,2,3,4,5: destruct (ecode); ]
+whd; % [ whd in ⊢ (???(??%)) // | @(initial_state_intro … Ege Em esb ef) ]
+qed.
+theorem exec_steps_sound: ∀ge,n,st.
  P_io ??? (λts:trace×state. star (mk_transrel ?? step) ge st (\fst ts) (\snd ts))
  (exec_steps n ge st).
 #ge n; nelim n;
+##[ #st; nwhd in ⊢ (?????%); nelim (is_final_state st); #H; nwhd; //;
+##| #n' IH st; nwhd in ⊢ (?????%); nelim (is_final_state st); #H;
   ##[ nwhd; //;
   ##| napply (P_bindIO2_OK ????????? (exec_step_sound …)); #t s'; ncases s';
       ##[ #f s k e m; ##| #fd args k m; ##| #r k m; ##]
       nwhd in ⊢ (? → ?????(??????%?));
       ncases m; #mc mn mp; #Hstep;
       nwhd in ⊢ (?????(??????%?));
       napply (P_bindIO2_OK ????????? (IH …)); #t' s'' Hsteps;
       nwhd; napply (star_step ????????? Hsteps); ##[ ##2,5,8: napply Hstep; ##| ##3,6,9: // ##]
   ##]
 nqed.
+#ge #n elim n;
+[ #st whd in ⊢ (?????%); elim (is_final_state st); #H whd; %
+| #n' #IH #st whd in ⊢ (?????%); elim (is_final_state st); #H
+  [ whd; %
+  | @(P_bindIO2_OK ????????? (exec_step_sound …)) #t #s' cases s';
+      [ #f #s #k #e #m | #fd #args #k #m | #r #k #m ]
+      whd in ⊢ (? → ?????(??????%?));
+      cases m; #mc #mn #mp #Hstep
+      whd in ⊢ (?????(??????%?));
+      @(P_bindIO2_OK ????????? (IH …)) #t' #s'' #Hsteps
+      whd; @(star_step ????????? Hsteps) [ 2,5,8: @Hstep | 3,6,9: // ]
+  ]
+qed.

Deliverables/D3.1/C-semantics/Coqlib.ma

-                      r473
+                      r487
 include "binary/Z.ma".
 include "datatypes/sums.ma".
 include "datatypes/list.ma".
+include "basics/types.ma".
+include "basics/list.ma".
 include "extralib.ma".
 …
 (* * Properties of powers of two. *)
 nlemma two_power_nat_O : two_power_nat O = one.
 //; nqed.
 nlemma two_power_nat_pos : ∀n:nat. Z_two_power_nat n > 0.
 //; nqed.
 nlemma two_power_nat_two_p:
+lemma two_power_nat_O : two_power_nat O = one.
+// qed.
+lemma two_power_nat_pos : ∀n:nat. Z_two_power_nat n > 0.
+// qed.
+lemma two_power_nat_two_p:
   ∀x. Z_two_power_nat x = two_p (Z_of_nat x).
 #x; ncases x;
+##[ //;
+##| nnormalize; #p; nelim p; //; #p' H; nrewrite > (nat_succ_pos …); //;
 ##] nqed.
+#x cases x
+[ //
+| normalize #p elim p // #p' #H >(nat_succ_pos …) //
+] qed.
 (*
 Lemma two_p_monotone:
 …
 (*naxiom align : Z → Z → Z.*)
 ndefinition align ≝ λn: Z. λamount: Z.
+definition align ≝ λn: Z. λamount: Z.
   ((n + amount - 1) / amount) * amount.
 (*
 …
 (* * Mapping a function over an option type. *)
 ndefinition option_map ≝ λA,B.λf:A→B.λv:option A.
+definition option_map ≝ λA,B.λf:A→B.λv:option A.
   match v with [ Some v' ⇒ Some ? (f v') | None ⇒ None ? ].
 …
   induction l; simpl; congruence.
 Qed.
 *)
 nlemma list_in_map_inv:
   ∀A,B: Type. ∀f: A -> B. ∀l: list A. ∀y: B.
+*) (*
+lemma list_in_map_inv:
+  ∀A,B: Type[0]. ∀f: A -> B. ∀l: list A. ∀y: B.
   in_list ? y (map ?? f l) → ∃x:A. y = f x ∧ in_list ? x l.
 #A B f l; nelim l;
 …
       nelim (IH h H1); #x'; *; #IH1 IH2; @x'; @; /2/;
   ##]
 ##] nqed.
+##] nqed.*)
 (*
 Lemma list_append_map:
 …
 (* * [list_disjoint l1 l2] holds iff [l1] and [l2] have no elements
   in common. *)
 ndefinition list_disjoint : ∀A:Type. list A → list A → Prop ≝
+(*
+definition list_disjoint : ∀A:Type[0]. list A → list A → Prop ≝
   λA,l1,l2.
   ∀x,y: A. in_list A x l1 → in_list A y l2 → x ≠ y.
 nlemma list_disjoint_cons_left:
   ∀A: Type. ∀a: A. ∀l1,l2: list A.
+lemma list_disjoint_cons_left:
+  ∀A: Type[0]. ∀a: A. ∀l1,l2: list A.
   list_disjoint A (a :: l1) l2 → list_disjoint A l1 l2.
 #A;#a;#l1;#l2;nwhd in ⊢ (% → %); #H;
 …
 nwhd in ⊢ (% → %);
 #H;#x;#y;#H1;#H2; napply sym_neq; /2/;
+nqed.
+nqed.*)
 (*
 Lemma list_disjoint_dec:
 …
 (* * [list_norepet l] holds iff the list [l] contains no repetitions,
   i.e. no element occurs twice. *)
 ninductive list_norepet (A: Type) : list A → Prop ≝
+(*
+inductive list_norepet (A: Type[0]) : list A → Prop ≝
   | list_norepet_nil:
       list_norepet A (nil A)
   | list_norepet_cons:
       ∀hd,tl.
       ¬(in_list A hd tl) → list_norepet A tl → list_norepet A (hd :: tl).
+      ¬(in_list A hd tl) → list_norepet A tl → list_norepet A (hd :: tl).*)
 (*
 Lemma list_norepet_dec:

Deliverables/D3.1/C-semantics/CostLabel.ma

r177	r487
1	1	include "AST.ma".
2	2
3		ndefinition costlabel ≝ ident.
	3	definition costlabel ≝ ident.

Deliverables/D3.1/C-semantics/Csem.ma

-                      r485
+                      r487
   the null pointer) and the float 0.0 are false. *)
 ninductive is_false: val → type → Prop ≝
+inductive is_false: val → type → Prop ≝
   | is_false_int: ∀sz,sg.
       is_false (Vint zero) (Tint sz sg)
 …
       is_false (Vfloat Fzero) (Tfloat sz).
 ninductive is_true: val → type → Prop ≝
+inductive is_true: val → type → Prop ≝
   | is_true_int_int: ∀n,sz,sg.
       n ≠ zero →
 …
       is_true (Vfloat f) (Tfloat sz).
 ninductive bool_of_val : val → type → val → Prop ≝
+inductive bool_of_val : val → type → val → Prop ≝
   | bool_of_val_true: ∀v,ty.
          is_true v ty →
 …
   promoted [e2] to a float. *)
 nlet rec sem_neg (v: val) (ty: type) : option val ≝
+let rec sem_neg (v: val) (ty: type) : option val ≝
   match ty with
   [ Tint _ _ ⇒
 …
   ].
 nlet rec sem_notint (v: val) : option val ≝
+let rec sem_notint (v: val) : option val ≝
   match v with
   [ Vint n ⇒ Some ? (Vint (xor n mone))
 …
   ].
 nlet rec sem_notbool (v: val) (ty: type) : option val ≝
+let rec sem_notbool (v: val) (ty: type) : option val ≝
   match ty with
   [ Tint _ _ ⇒
 …
   ].
 nlet rec sem_add (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
+let rec sem_add (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
   match classify_add t1 t2 with
   [ add_case_ii ⇒                       (**r integer addition *)
 …
 ].
 nlet rec sem_sub (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
+let rec sem_sub (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
   match classify_sub t1 t2 with
   [ sub_case_ii ⇒                (**r integer subtraction *)
 …
   ].
 nlet rec sem_mul (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
+let rec sem_mul (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
  match classify_mul t1 t2 with
   [ mul_case_ii ⇒
 …
 ].
 nlet rec sem_div (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
+let rec sem_div (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
   match classify_div t1 t2 with
   [ div_case_I32unsi ⇒
 …
   ].
 nlet rec sem_mod (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
+let rec sem_mod (v1:val) (t1:type) (v2: val) (t2:type) : option val ≝
   match classify_mod t1 t2 with
   [ mod_case_I32unsi ⇒
 …
   ].
 nlet rec sem_and (v1,v2: val) : option val ≝
+let rec sem_and (v1,v2: val) : option val ≝
   match v1 with
   [ Vint n1 ⇒ match v2 with
 …
   ].
 nlet rec sem_or (v1,v2: val) : option val ≝
+let rec sem_or (v1,v2: val) : option val ≝
   match v1 with
   [ Vint n1 ⇒ match v2 with
 …
   ].
 nlet rec sem_xor (v1,v2: val) : option val ≝
+let rec sem_xor (v1,v2: val) : option val ≝
   match v1 with
   [ Vint n1 ⇒ match v2 with
 …
   ].
 nlet rec sem_shl (v1,v2: val): option val ≝
+let rec sem_shl (v1,v2: val): option val ≝
   match v1 with
   [ Vint n1 ⇒ match v2 with
 …
   | _ ⇒ None ? ].
 nlet rec sem_shr (v1: val) (t1: type) (v2: val) (t2: type): option val ≝
+let rec sem_shr (v1: val) (t1: type) (v2: val) (t2: type): option val ≝
   match classify_shr t1 t2 with
   [ shr_case_I32unsi ⇒
 …
    ].
 nlet rec sem_cmp_mismatch (c: comparison): option val ≝
+let rec sem_cmp_mismatch (c: comparison): option val ≝
   match c with
   [ Ceq =>  Some ? Vfalse
 …
   ].
 nlet rec sem_cmp_match (c: comparison): option val ≝
+let rec sem_cmp_match (c: comparison): option val ≝
   match c with
   [ Ceq =>  Some ? Vtrue
 …
   ].
 nlet rec sem_cmp (c:comparison)
+let rec sem_cmp (c:comparison)
                   (v1: val) (t1: type) (v2: val) (t2: type)
                   (m: mem): option val ≝
 …
   ].
 ndefinition sem_unary_operation
+definition sem_unary_operation
             : unary_operation → val → type → option val ≝
   λop,v,ty.
 …
   ].
 nlet rec sem_binary_operation
+let rec sem_binary_operation
     (op: binary_operation)
     (v1: val) (t1: type) (v2: val) (t2:type)
 …
   resulting in value [v2].  *)
 nlet rec cast_int_int (sz: intsize) (sg: signedness) (i: int) : int ≝
+let rec cast_int_int (sz: intsize) (sg: signedness) (i: int) : int ≝
   match sz with
   [ I8 ⇒ match sg with [ Signed ⇒ sign_ext 8 i | Unsigned ⇒ zero_ext 8 i ]
 …
   ].
 nlet rec cast_int_float (si : signedness) (i: int) : float ≝
+let rec cast_int_float (si : signedness) (i: int) : float ≝
   match si with
   [ Signed ⇒ floatofint i
 …
   ].
 nlet rec cast_float_int (si : signedness) (f: float) : int ≝
+let rec cast_float_int (si : signedness) (f: float) : int ≝
   match si with
   [ Signed ⇒ intoffloat f
 …
   ].
 nlet rec cast_float_float (sz: floatsize) (f: float) : float ≝
+let rec cast_float_float (sz: floatsize) (f: float) : float ≝
   match sz with
   [ F32 ⇒ singleoffloat f
 …
   ].
 ninductive type_region : type → region → Prop ≝
+inductive type_region : type → region → Prop ≝
 | type_rgn_pointer : ∀s,t. type_region (Tpointer s t) s
 | type_rgn_array : ∀s,t,n. type_region (Tarray s t n) s
 …
 | type_rgn_code : ∀tys,ty. type_region (Tfunction tys ty) Code.
 ninductive cast : mem → val → type → type → val → Prop ≝
+inductive cast : mem → val → type → type → val → Prop ≝
   | cast_ii:   ∀m,i,sz2,sz1,si1,si2.            (**r int to int  *)
       cast m (Vint i) (Tint sz1 si1) (Tint sz2 si2)
 …
   and function pointers to their definitions.  (See module [Globalenvs].) *)
 ndefinition genv ≝ (genv_t Genv) fundef.
+definition genv ≝ (genv_t Genv) fundef.
 (* * The local environment maps local variables to block references.
 …
   block. *)
 ndefinition env ≝ (tree_t ? PTree) block. (* map variable -> location *)
 ndefinition empty_env: env ≝ (empty …).
+definition env ≝ (tree_t ? PTree) block. (* map variable -> location *)
+definition empty_env: env ≝ (empty …).
 (* * [load_value_of_type ty m b ofs] computes the value of a datum
 …
   reference, the pointer [Vptr b ofs] is returned. *)
 nlet rec load_value_of_type (ty: type) (m: mem) (psp:region) (b: block) (ofs: int) : option val ≝
+let rec load_value_of_type (ty: type) (m: mem) (psp:region) (b: block) (ofs: int) : option val ≝
   match access_mode ty with
   [ By_value chunk ⇒ loadv chunk m (Vptr psp b ofs)
 …
   This is allowed only if [ty] indicates an access by value. *)
 nlet rec store_value_of_type (ty_dest: type) (m: mem) (psp:region) (loc: block) (ofs: int) (v: val) : option mem ≝
+let rec store_value_of_type (ty_dest: type) (m: mem) (psp:region) (loc: block) (ofs: int) (v: val) : option mem ≝
   match access_mode ty_dest with
   [ By_value chunk ⇒ storev chunk m (Vptr psp loc ofs) v
 …
   and memory state. *)
 ninductive alloc_variables: env → mem →
+inductive alloc_variables: env → mem →
                             list (ident × type) →
                             env → mem → Prop ≝
 …
   [m1] is the initial memory state and [m2] the final memory state. *)
 ninductive bind_parameters: env →
+inductive bind_parameters: env →
                            mem → list (ident × type) → list val →
                            mem → Prop ≝
 …
 (* * Return the list of blocks in the codomain of [e]. *)
 ndefinition blocks_of_env : env → list block ≝ λe.
+definition blocks_of_env : env → list block ≝ λe.
   map ?? (λx. snd ?? x) (elements ??? e).
 …
   of the selector expression. *)
 nlet rec select_switch (n: int) (sl: labeled_statements)
+let rec select_switch (n: int) (sl: labeled_statements)
                        on sl : labeled_statements ≝
   match sl with
 …
 (* * Turn a labeled statement into a sequence *)
 nlet rec seq_of_labeled_statement (sl: labeled_statements) : statement ≝
+let rec seq_of_labeled_statement (sl: labeled_statements) : statement ≝
   match sl with
   [ LSdefault s ⇒ s
 …
   [e] is the current environment and [m] is the current memory state. *)
 ninductive eval_expr (ge:genv) (e:env) (m:mem) : expr → val → trace → Prop ≝
+inductive eval_expr (ge:genv) (e:env) (m:mem) : expr → val → trace → Prop ≝
   | eval_Econst_int:   ∀i,ty.
       eval_expr ge e m (Expr (Econst_int i) ty) (Vint i) E0
 …
       eval_lvalue ge e m (Expr (Efield a i) ty) psp l ofs tr.
 nlet rec eval_expr_ind (ge:genv) (e:env) (m:mem)
+let rec eval_expr_ind (ge:genv) (e:env) (m:mem)
   (P:∀a,v,tr. eval_expr ge e m a v tr → Prop)
   (eci:∀i,ty. P ??? (eval_Econst_int ge e m i ty))
 …
   ].
 ninverter eval_expr_inv_ind for eval_expr : Prop.
 nlet rec eval_lvalue_ind (ge:genv) (e:env) (m:mem)
+inverter eval_expr_inv_ind for eval_expr : Prop.
+let rec eval_lvalue_ind (ge:genv) (e:env) (m:mem)
   (P:∀a,psp,loc,ofs,tr. eval_lvalue ge e m a psp loc ofs tr → Prop)
   (lvl:∀id,l,ty,H. P ????? (eval_Evar_local ge e m id l ty H))
 …
 *)
 ndefinition eval_lvalue_inv_ind :
+definition eval_lvalue_inv_ind :
   ∀x1: genv.
    ∀x2: env.
 …
                                      (refl int x7) (refl trace x8)))
                                   ?)))))))))))))))).
+##[ napply (eval_lvalue_ind x1 x2 x3 (λa,psp,loc,ofs,tr,e. ∀e1:eq ? x4 a. ∀e2:eq ? x5 psp. ∀e3:eq ? x6 loc. ∀e4:eq ? x7 ofs. ∀e5:eq ? x8 tr. P a psp loc ofs tr) … Hterm);
   ##[ napply H1 ##| napply H2 ##| napply H3 ##| napply H4 ##| napply H5 ##]
 ##| ##*: ##skip
 ##] nqed.
 nlet rec eval_expr_ind2 (ge:genv) (e:env) (m:mem)
+[ @(eval_lvalue_ind x1 x2 x3 (λa,psp,loc,ofs,tr,e. ∀e1:eq ? x4 a. ∀e2:eq ? x5 psp. ∀e3:eq ? x6 loc. ∀e4:eq ? x7 ofs. ∀e5:eq ? x8 tr. P a psp loc ofs tr) … Hterm)
+  [ @H1 | @H2 | @H3 | @H4 | @H5 ]
+| *: skip
+] qed.
+let rec eval_expr_ind2 (ge:genv) (e:env) (m:mem)
   (P:∀a,v,tr. eval_expr ge e m a v tr → Prop)
   (Q:∀a,psp,loc,ofs,tr. eval_lvalue ge e m a psp loc ofs tr → Prop)
 …
   ].
 ndefinition combined_expr_lvalue_ind ≝
+definition combined_expr_lvalue_ind ≝
 λge,e,m,P,Q,eci,ecF,elv,ead,esz,eun,ebi,ect,ecf,eo1,eo2,ea1,ea2,ecs,eco,lvl,lvg,lde,lfs,lfu.
 conj ??
 …
   expressions [al] to their values [vl]. *)
 ninductive eval_exprlist (ge:genv) (e:env) (m:mem) : list expr → list val → trace → Prop ≝
+inductive eval_exprlist (ge:genv) (e:env) (m:mem) : list expr → list val → trace → Prop ≝
   | eval_Enil:
       eval_exprlist ge e m (nil ?) (nil ?) E0
 …
 (* * Continuations *)
 ninductive cont: Type :=
+inductive cont: Type[0] :=
   | Kstop: cont
   | Kseq: statement -> cont -> cont
 …
 (* * Pop continuation until a call or stop *)
 nlet rec call_cont (k: cont) : cont :=
+let rec call_cont (k: cont) : cont :=
   match k with
   [ Kseq s k => call_cont k
 …
   ].
 ndefinition is_call_cont : cont → Prop ≝ λk.
+definition is_call_cont : cont → Prop ≝ λk.
   match k with
   [ Kstop => True
 …
 (* * States *)
 ninductive state: Type :=
+inductive state: Type[0] :=
   | State:
       ∀f: function.
 …
   corresponding to a label *)
 nlet rec find_label (lbl: label) (s: statement) (k: cont)
+let rec find_label (lbl: label) (s: statement) (k: cont)
                     on s: option (statement × cont) :=
   match s with
 …
 (* Strip off outer pointer for use when comparing function types. *)
 ndefinition fun_typeof ≝
+definition fun_typeof ≝
 λe. match typeof e with
 [ Tvoid ⇒ Tvoid
 …
 (* XXX: note that cost labels in exprs expose a particular eval order. *)
 ninductive step (ge:genv) : state → trace → state → Prop ≝
+inductive step (ge:genv) : state → trace → state → Prop ≝
   | step_assign:   ∀f,a1,a2,k,e,m,psp,loc,ofs,v2,m',tr1,tr2.
 …
   through the execution of a [break], [continue] or [return] statement. *)
 ninductive outcome: Type :=
+inductive outcome: Type[0] :=
    | Out_break: outcome                 (**r terminated by [break] *)
    | Out_continue: outcome              (**r terminated by [continue] *)
 …
    | Out_return: option val -> outcome. (**r terminated by [return] *)
 ninductive out_normal_or_continue : outcome -> Prop :=
+inductive out_normal_or_continue : outcome -> Prop :=
   | Out_normal_or_continue_N: out_normal_or_continue Out_normal
   | Out_normal_or_continue_C: out_normal_or_continue Out_continue.
 ninductive out_break_or_return : outcome -> outcome -> Prop :=
+inductive out_break_or_return : outcome -> outcome -> Prop :=
   | Out_break_or_return_B: out_break_or_return Out_break Out_normal
   | Out_break_or_return_R: ∀ov.
 …
   evaluation. *)
 ninductive exec_stmt: env -> mem -> statement -> trace -> mem -> outcome -> Prop :=
+inductive exec_stmt: env -> mem -> statement -> trace -> mem -> outcome -> Prop :=
   | exec_Sskip:   ∀e,m.
       exec_stmt e m Sskip
 …
   trace of observable events performed during the execution. *)
 Coninductive execinf_stmt: env -> mem -> statement -> traceinf -> Prop :=
+Coinductive execinf_stmt: env -> mem -> statement -> traceinf -> Prop :=
   | execinf_Scall_none:   ∀e,m,a,al,vf,vargs,f,t.
       eval_expr e m a vf ->
 …
   without arguments and with an empty continuation. *)
 ninductive initial_state (p: clight_program): state -> Prop :=
+inductive initial_state (p: clight_program): state -> Prop :=
   | initial_state_intro: ∀b,f,ge,m0.
       globalenv Genv ?? p = OK ? ge →
 …
 (* * A final state is a [Returnstate] with an empty continuation. *)
 ninductive final_state: state -> int -> Prop :=
+inductive final_state: state -> int -> Prop :=
   | final_state_intro: ∀r,m.
       final_state (Returnstate (Vint r) Kstop m) r.
 …
   behavior. *)
 ndefinition exec_program : clight_program → program_behavior → Prop ≝ λp,beh.
+definition exec_program : clight_program → program_behavior → Prop ≝ λp,beh.
   ∀ge. globalenv ??? p = OK ? ge →
   program_behaves (mk_transrel ?? step) (initial_state p) final_state ge beh.
 …
 (** Big-step execution of a whole program.  *)
 ninductive bigstep_program_terminates (p: program): trace -> int -> Prop :=
+inductive bigstep_program_terminates (p: program): trace -> int -> Prop :=
   | bigstep_program_terminates_intro: ∀b,f,m1,t,r.
       let ge := Genv.globalenv p in
 …
       bigstep_program_terminates p t r.
 ninductive bigstep_program_diverges (p: program): traceinf -> Prop :=
+inductive bigstep_program_diverges (p: program): traceinf -> Prop :=
   | bigstep_program_diverges_intro: ∀b,f,t.
       let ge := Genv.globalenv p in
 …
        (eval_funcall_ind2 ge PS PF a b c d e f g h i j k l m n o p q r s t u v w x y).
 ninductive outcome_state_match
+inductive outcome_state_match
        (e: env) (m: mem) (f: function) (k: cont): outcome -> state -> Prop :=
   | osm_normal:

Deliverables/D3.1/C-semantics/Csyntax.ma

-                      r483
+                      r487
   flag and a bit size: 8, 16 or 32 bits. *)
 ninductive signedness : Type ≝
+inductive signedness : Type[0] ≝
   | Signed: signedness
   | Unsigned: signedness.
 ninductive intsize : Type ≝
+inductive intsize : Type[0] ≝
   | I8: intsize
   | I16: intsize
 …
   and 64-bit (double precision). *)
 ninductive floatsize : Type ≝
+inductive floatsize : Type[0] ≝
   | F32: floatsize
   | F64: floatsize.
 …
 *)
 ninductive type : Type ≝
+inductive type : Type[0] ≝
   | Tvoid: type                         (**r the [void] type *)
   | Tint: intsize → signedness → type   (**r integer types *)
 …
   | Tcomp_ptr: region → ident → type    (**r pointer to named struct or union *)
 with typelist : Type ≝
+with typelist : Type[0] ≝
   | Tnil: typelist
   | Tcons: type → typelist → typelist
 with fieldlist : Type ≝
+with fieldlist : Type[0] ≝
   | Fnil: fieldlist
   | Fcons: ident → type → fieldlist → fieldlist.
 (* XXX: no induction scheme! *)
 nlet rec type_ind
+let rec type_ind
   (P:type → Prop)
   (vo:P Tvoid)
 …
   ].
 nlet rec fieldlist_ind
+let rec fieldlist_ind
   (P:fieldlist → Prop)
   (nl:P Fnil)
 …
 (* * Arithmetic and logical operators. *)
 ninductive unary_operation : Type ≝
+inductive unary_operation : Type[0] ≝
   | Onotbool : unary_operation          (**r boolean negation ([!] in C) *)
   | Onotint : unary_operation           (**r integer complement ([~] in C) *)
   | Oneg : unary_operation.             (**r opposite (unary [-]) *)
 ninductive binary_operation : Type ≝
+inductive binary_operation : Type[0] ≝
   | Oadd : binary_operation             (**r addition (binary [+]) *)
   | Osub : binary_operation             (**r subtraction (binary [-]) *)
 …
 *)
 ninductive expr : Type ≝
+inductive expr : Type[0] ≝
   | Expr: expr_descr → type → expr
 with expr_descr : Type ≝
+with expr_descr : Type[0] ≝
   | Econst_int: int → expr_descr       (**r integer literal *)
   | Econst_float: float → expr_descr   (**r float literal *)
 …
 (* * Extract the type part of a type-annotated Clight expression. *)
 ndefinition typeof : expr → type ≝ λe.
+definition typeof : expr → type ≝ λe.
   match e with [ Expr de te ⇒ te ].
 …
   are not supported. *)
 ndefinition label ≝ ident.
 ninductive statement : Type ≝
+definition label ≝ ident.
+inductive statement : Type[0] ≝
   | Sskip : statement                   (**r do nothing *)
   | Sassign : expr → expr → statement   (**r assignment [lvalue = rvalue] *)
 …
   | Scost : costlabel → statement → statement
 with labeled_statements : Type ≝            (**r cases of a [switch] *)
+with labeled_statements : Type[0] ≝            (**r cases of a [switch] *)
   | LSdefault: statement → labeled_statements
   | LScase: int → statement → labeled_statements → labeled_statements.
 nlet rec statement_ind2
+let rec statement_ind2
   (P:statement → Prop) (Q:labeled_statements → Prop)
   (Ssk:P Sskip)
 …
 ].
 ndefinition statement_ind ≝ λP,Ssk,Sas,Sca,Ssq,Sif,Swh,Sdo,Sfo,Sbr,Sco,Sre,Ssw,Sla,Sgo,Scs.
+definition statement_ind ≝ λP,Ssk,Sas,Sca,Ssq,Sif,Swh,Sdo,Sfo,Sbr,Sco,Sre,Ssw,Sla,Sgo,Scs.
   statement_ind2 P (λ_.True) Ssk Sas Sca Ssq Sif Swh Sdo Sfo Sbr Sco Sre Ssw Sla Sgo Scs
   (λ_,_. I) (λ_,_,_,_,_.I).
 …
   function (a statement, [fn_body]). *)
 nrecord function : Type ≝ {
+record function : Type[0] ≝ {
   fn_return: type;
   fn_params: list (ident × type);
 …
   external functions ([External]). *)
 ninductive fundef : Type ≝
+inductive fundef : Type[0] ≝
   | Internal: function → fundef
   | External: ident → typelist → type → fundef.
 …
   data.  See module [AST] for more details. *)
 ndefinition clight_program : Type ≝ program fundef type.
+definition clight_program : Type[0] ≝ program fundef type.
 (* * * Operations over types *)
 …
 (* * The type of a function definition. *)
 nlet rec type_of_params (params: list (ident × type)) : typelist ≝
+let rec type_of_params (params: list (ident × type)) : typelist ≝
   match params with
   [ nil ⇒ Tnil
   | cons h rem ⇒ match h with [ mk_pair id ty ⇒ Tcons ty (type_of_params rem) ]
   ].
 ndefinition type_of_function : function → type ≝ λf.
+  | cons h rem ⇒ match h with [ pair id ty ⇒ Tcons ty (type_of_params rem) ]
+  ].
+definition type_of_function : function → type ≝ λf.
   Tfunction (type_of_params (fn_params f)) (fn_return f).
 ndefinition type_of_fundef : fundef → type ≝ λf.
+definition type_of_fundef : fundef → type ≝ λf.
   match f with
   [ Internal fd ⇒ type_of_function fd
 …
 (* * Natural alignment of a type, in bytes. *)
 (* FIXME: these are old values for 32 bit machines *)
 nlet rec alignof (t: type) : Z ≝
+let rec alignof (t: type) : Z ≝
   match t return λ_.Z (* XXX appears to infer nat otherwise *) with
   [ Tvoid ⇒ 1
 …
 (* XXX: automatic generation? *)
 nlet rec type_ind2
+let rec type_ind2
   (P:type → Prop) (Q:fieldlist → Prop)
   (vo:P Tvoid)
 …
   ].
 nlemma alignof_fields_pos:
+lemma alignof_fields_pos:
   ∀f. alignof_fields f > 0.
 napply fieldlist_ind; //;
 #i;#t;#fs';#IH; nlapply (Zmax_r (alignof t) (alignof_fields fs'));
 napply Zlt_to_Zle_to_Zlt; //; nqed.
 nlemma alignof_pos:
+@fieldlist_ind //;
+#i #t #fs' #IH lapply (Zmax_r (alignof t) (alignof_fields fs'));
+@Zlt_to_Zle_to_Zlt //; qed.
+lemma alignof_pos:
   ∀t. alignof t > 0.
 #t;nelim t; nnormalize; //;
 ##[ ##1,2: #z; ncases z; //;
 ##| ##3,4: #i;napply alignof_fields_pos
 ##] nqed.
+#t elim t; normalize; //;
+[ 1,2: #z cases z; //;
+| 3,4: #i @alignof_fields_pos
+] qed.
 (* * Size of a type, in bytes. *)
 ndefinition sizeof_pointer : region → Z ≝
 λsp. match sp with [ Data ⇒ 1 | IData ⇒ 1 | PData ⇒ 1 | XData ⇒ 2 | Code ⇒ 2 | Any ⇒ 3 ].
 nlet rec sizeof (t: type) : Z ≝
+definition sizeof_pointer : region → Z ≝
+λsp. match sp return λ_.Z with [ Data ⇒ 1 | IData ⇒ 1 | PData ⇒ 1 | XData ⇒ 2 | Code ⇒ 2 | Any ⇒ 3 ].
+let rec sizeof (t: type) : Z ≝
   match t return λ_.Z with
   [ Tvoid ⇒ 1
 …
   ].
 (* TODO: needs some Z_times results
 nlemma sizeof_pos:
+lemma sizeof_pos:
   ∀t. sizeof t > 0.
 #t0;
+#t0
 napply (type_ind2 (λt. sizeof t > 0)
                   (λf. sizeof_union f ≥ 0 ∧ ∀pos:Z. pos ≥ 0 → sizeof_struct f pos ≥ 0));
 ##[ ##1,4,6,9: //;
 ##| #i;ncases i;#s;//;
 ##| #f;ncases f;//
 ##| #t;#n;#H; nwhd in ⊢ (?%?);
+[ 1,4,6,9: //;
+| #i cases i;#s //;
+| #f cases f;//
+| #t #n #H whd in ⊢ (?%?);
 Proof.
   intro t0.
 …
 Open Local Scope string_scope.
 *)
 nlet rec field_offset_rec (id: ident) (fld: fieldlist) (pos: Z)
+let rec field_offset_rec (id: ident) (fld: fieldlist) (pos: Z)
                               on fld : res Z ≝
   match fld with
 …
   ].
 ndefinition field_offset ≝ λid: ident. λfld: fieldlist.
+definition field_offset ≝ λid: ident. λfld: fieldlist.
   field_offset_rec id fld 0.
 nlet rec field_type (id: ident) (fld: fieldlist) on fld : res type :=
+let rec field_type (id: ident) (fld: fieldlist) on fld : res type :=
   match fld with
   [ Fnil ⇒ Error ? (*MSG "Unknown field " :: CTX id :: nil*)
 …
 *)
 ninductive mode: Type ≝
+inductive mode: Type[0] ≝
   | By_value: memory_chunk → mode
   | By_reference: mode
   | By_nothing: mode.
 ndefinition access_mode : type → mode ≝ λty.
+definition access_mode : type → mode ≝ λty.
   match ty with
   [ Tint i s ⇒
 …
 *)
 ninductive classify_add_cases : Type ≝
+inductive classify_add_cases : Type[0] ≝
   | add_case_ii: classify_add_cases         (**r int , int *)
   | add_case_ff: classify_add_cases         (**r float , float *)
 …
   | add_default: classify_add_cases.        (**r other *)
 ndefinition classify_add ≝ λty1: type. λty2: type.
+definition classify_add ≝ λty1: type. λty2: type.
 (*
   match ty1, ty2 with
 …
   ].
 ninductive classify_sub_cases : Type ≝
+inductive classify_sub_cases : Type[0] ≝
   | sub_case_ii: classify_sub_cases          (**r int , int *)
   | sub_case_ff: classify_sub_cases          (**r float , float *)
 …
   | sub_default: classify_sub_cases .        (**r other *)
 ndefinition classify_sub ≝ λty1: type. λty2: type.
+definition classify_sub ≝ λty1: type. λty2: type.
 (*  match ty1, ty2 with
   | Tint _ _ , Tint _ _ ⇒ sub_case_ii
 …
   ].
 ninductive classify_mul_cases : Type ≝
+inductive classify_mul_cases : Type[0] ≝
   | mul_case_ii: classify_mul_cases (**r int , int *)
   | mul_case_ff: classify_mul_cases (**r float , float *)
   | mul_default: classify_mul_cases . (**r other *)
 ndefinition classify_mul ≝ λty1: type. λty2: type.
+definition classify_mul ≝ λty1: type. λty2: type.
   match ty1 with
   [ Tint _ _ ⇒ match ty2 with [ Tint _ _ ⇒ mul_case_ii | _ ⇒ mul_default ]
 …
 end.
 *)
 ninductive classify_div_cases : Type ≝
+inductive classify_div_cases : Type[0] ≝
   | div_case_I32unsi: classify_div_cases (**r unsigned int32 , int *)
   | div_case_ii: classify_div_cases    (**r int , int *)
 …
   | div_default: classify_div_cases. (**r other *)
 ndefinition classify_32un_aux ≝ λT:Type.λi.λs.λr1:T.λr2:T.
+definition classify_32un_aux ≝ λT:Type[0].λi.λs.λr1:T.λr2:T.
   match i with [ I32 ⇒
     match s with [ Unsigned ⇒ r1 | _ ⇒ r2 ]
   | _ ⇒ r2 ].
 ndefinition classify_div ≝ λty1: type. λty2: type.
+definition classify_div ≝ λty1: type. λty2: type.
   match ty1 with
   [ Tint i1 s1 ⇒
 …
   ].
 (*
 ndefinition classify_div ≝ λty1: type. λty2: type.
+definition classify_div ≝ λty1: type. λty2: type.
   match ty1,ty2 with
   | Tint I32 Unsigned, Tint _ _ ⇒ div_case_I32unsi
 …
 end.
 *)
 ninductive classify_mod_cases : Type ≝
+inductive classify_mod_cases : Type[0] ≝
   | mod_case_I32unsi: classify_mod_cases  (**r unsigned I32 , int *)
   | mod_case_ii: classify_mod_cases  (**r int , int *)
   | mod_default: classify_mod_cases . (**r other *)
 ndefinition classify_mod ≝ λty1:type. λty2:type.
+definition classify_mod ≝ λty1:type. λty2:type.
   match ty1 with
   [ Tint i1 s1 ⇒
 …
 end .
 *)
 ninductive classify_shr_cases :Type ≝
+inductive classify_shr_cases :Type[0] ≝
   | shr_case_I32unsi:  classify_shr_cases (**r unsigned I32 , int *)
   | shr_case_ii :classify_shr_cases (**r int , int *)
   | shr_default : classify_shr_cases . (**r other *)
 ndefinition classify_shr ≝ λty1: type. λty2: type.
+definition classify_shr ≝ λty1: type. λty2: type.
   match ty1 with
   [ Tint i1 s1 ⇒
 …
   end.
 *)
 ninductive classify_cmp_cases : Type ≝
+inductive classify_cmp_cases : Type[0] ≝
   | cmp_case_I32unsi: classify_cmp_cases (**r unsigned I32 , int *)
   | cmp_case_ipip: classify_cmp_cases  (**r int|ptr|array , int|ptr|array*)
 …
   | cmp_default: classify_cmp_cases . (**r other *)
 ndefinition classify_cmp ≝ λty1:type. λty2:type.
+definition classify_cmp ≝ λty1:type. λty2:type.
   match ty1 with
   [ Tint i1 s1 ⇒
 …
   end.
 *)
 ninductive classify_fun_cases : Type ≝
+inductive classify_fun_cases : Type[0] ≝
   | fun_case_f: typelist → type → classify_fun_cases   (**r (pointer to) function *)
   | fun_default: classify_fun_cases . (**r other *)
 ndefinition classify_fun ≝ λty: type.
+definition classify_fun ≝ λty: type.
   match ty with
   [ Tfunction args res ⇒ fun_case_f args res
 …
   and external functions. *)
 ndefinition typ_of_type : type → typ ≝ λt.
+definition typ_of_type : type → typ ≝ λt.
   match t with
   [ Tfloat _ ⇒ ASTfloat
 …
   ].
 ndefinition opttyp_of_type : type → option typ ≝ λt.
+definition opttyp_of_type : type → option typ ≝ λt.
   match t with
   [ Tvoid ⇒ None ?
 …
   ].
 nlet rec typlist_of_typelist (tl: typelist) : list typ ≝
+let rec typlist_of_typelist (tl: typelist) : list typ ≝
   match tl with
   [ Tnil ⇒ nil ?
 …
   ].
 ndefinition signature_of_type : typelist → type → signature ≝ λargs. λres.
+definition signature_of_type : typelist → type → signature ≝ λargs. λres.
   mk_signature (typlist_of_typelist args) (opttyp_of_type res).
 ndefinition external_function
+definition external_function
     : ident → typelist → type → external_function ≝ λid. λtargs. λtres.
   mk_external_function id (signature_of_type targs tres).

Deliverables/D3.1/C-semantics/Errors.ma

-                      r485
+                      r487
 (* *********************************************************************)
+include "datatypes/pairs.ma".
+include "Plogic/equality.ma".
+include "Plogic/connectives.ma".
+include "datatypes/sums.ma".
+include "basics/types.ma".
+include "basics/logic.ma".
 (* * Error reporting and the error monad. *)
 …
   or [Error msg] to indicate failure. *)
 ninductive res (A: Type) : Type ≝
+inductive res (A: Type[0]) : Type[0] ≝
 | OK: A → res A
 | Error: (* FIXME errmsg →*) res A.
 …
   with the following [bind] operation. *)
 ndefinition bind ≝ λA,B:Type. λf: res A. λg: A → res B.
+definition bind ≝ λA,B:Type[0]. λf: res A. λg: A → res B.
   match f with
   [ OK x ⇒ g x
 …
   ].
 ndefinition bind2 ≝ λA,B,C: Type. λf: res (A × B). λg: A → B → res C.
+definition bind2 ≝ λA,B,C: Type[0]. λf: res (A × B). λg: A → B → res C.
   match f with
   [ OK v ⇒ match v with [ mk_pair x y ⇒ g x y ]
+  [ OK v ⇒ match v with [ pair x y ⇒ g x y ]
   | Error (*msg*) => Error ? (*msg*)
   ].
 …
 notation < "vbox('do' \nbsp 〈ident v1, ident v2〉 ← e; break e')" with precedence 40 for @{'bind2 ${e} (λ${ident v1}.λ${ident v2}.${e'})}.
 notation < "vbox('do' \nbsp 〈ident v1 : ty1, ident v2 : ty2〉 ← e; break e')" with precedence 40 for @{'bind2 ${e} (λ${ident v1} : ${ty1}.λ${ident v2} : ${ty2}.${e'})}.
 interpretation "error monad pair bind" 'bind2 e f = (bind2 ??? e f).
+interpretation "error monad Prod bind" 'bind2 e f = (bind2 ??? e f).
 (*interpretation "error monad ret" 'ret e = (ret ? e).
 notation "'ret' e" non associative with precedence 45 for @{'ret ${e}}.*)
 …
  : error_monad_scope.
 *)
 nremark bind_inversion:
   ∀A,B: Type. ∀f: res A. ∀g: A → res B. ∀y: B.
+lemma bind_inversion:
+  ∀A,B: Type[0]. ∀f: res A. ∀g: A → res B. ∀y: B.
   bind ?? f g = OK ? y →
   ∃x. f = OK ? x ∧ g x = OK ? y.
 #A B f g y; ncases f;
 ##[ #a e; @a; nwhd in e:(??%?); /2/;
 ##| #H; nwhd in H:(??%?); ndestruct (H);
 ##] nqed.
 nremark bind2_inversion:
   ∀A,B,C: Type. ∀f: res (A×B). ∀g: A → B → res C. ∀z: C.
+#A #B #f #g #y cases f;
+[ #a #e %{a} whd in e:(??%?); /2/;
+| #H whd in H:(??%?); destruct (H);
+] qed.
+lemma bind2_inversion:
+  ∀A,B,C: Type[0]. ∀f: res (A×B). ∀g: A → B → res C. ∀z: C.
   bind2 ??? f g = OK ? z →
   ∃x. ∃y. f = OK ? 〈x, y〉 ∧ g x y = OK ? z.
 #A B C f g z; ncases f;
 ##[ #ab; ncases ab; #a b e; @a; @b; nwhd in e:(??%?); /2/;
 ##| #H; nwhd in H:(??%?); ndestruct
 ##] nqed.
+#A #B #C #f #g #z cases f;
+[ #ab cases ab; #a #b #e %{a} %{b} whd in e:(??%?); /2/;
+| #H whd in H:(??%?); destruct
+] qed.
 (*
 …
 ndefinition opt_to_res ≝ λA.λv:option A. match v with [ None ⇒ Error A | Some v ⇒ OK A v ].
 nlemma opt_OK: ∀A,P,e.
+definition opt_to_res ≝ λA.λv:option A. match v with [ None ⇒ Error A | Some v ⇒ OK A v ].
+lemma opt_OK: ∀A,P,e.
   (∀v. e = Some ? v → P v) →
   match opt_to_res A e with [ Error ⇒ True | OK v ⇒ P v ].
 #A P e; nelim e; /2/;
 nqed.
+#A #P #e elim e; /2/;
+qed.

Deliverables/D3.1/C-semantics/Events.ma

-                      r478
+                      r487
 (*include "Floats.ma".*)
 include "Values.ma".
 include "datatypes/list.ma".
+include "basics/list.ma".
 include "extralib.ma".
 include "CostLabel.ma".
 …
   world. *)
 ninductive eventval: Type :=
+inductive eventval: Type[0] :=
   | EVint: int -> eventval
   | EVfloat: float -> eventval.
 ninductive event : Type ≝
+inductive event : Type[0] ≝
   | EVcost: costlabel → event
   | EVextcall: ∀ev_name: ident. ∀ev_args: list eventval. ∀ev_res: eventval. event.
 …
   Traces are of two kinds: finite (type [trace]) or infinite (type [traceinf]). *)
 ndefinition trace := list event.
 ndefinition E0 : trace := nil ?.
 ndefinition Echarge : costlabel → trace ≝
+definition trace := list event.
+definition E0 : trace := nil ?.
+definition Echarge : costlabel → trace ≝
 λlabel. EVcost label :: (nil ?).
 ndefinition Eextcall : ident → list eventval → eventval → trace ≝
+definition Eextcall : ident → list eventval → eventval → trace ≝
              λname: ident. λargs: list eventval. λres: eventval.
   EVextcall name args res :: (nil ?).
 ndefinition Eapp : trace → trace → trace ≝ λt1,t2. t1 @ t2.
 ncoinductive traceinf : Type :=
+definition Eapp : trace → trace → trace ≝ λt1,t2. t1 @ t2.
+coinductive traceinf : Type[0] :=
   | Econsinf: event -> traceinf -> traceinf.
 nlet rec Eappinf (t: trace) (T: traceinf) on t : traceinf :=
+let rec Eappinf (t: trace) (T: traceinf) on t : traceinf :=
   match t with
   [ nil => T
 …
 Infix "***" := Eappinf (at level 60, right associativity).
 *)
 nlemma E0_left: ∀t. E0 ⧺ t = t.
 //; nqed.
 nlemma E0_right: ∀t. t ⧺ E0 = t.
 napply append_nil; nqed.
 nlemma Eapp_assoc: ∀t1,t2,t3. (t1 ⧺ t2) ⧺ t3 = t1 ⧺ (t2 ⧺ t3).
 napply associative_append; nqed.
 nlemma Eapp_E0_inv: ∀t1,t2. t1 ⧺ t2 = E0 → t1 = E0 ∧ t2 = E0.
 napply nil_append_nil_both; nqed.
+lemma E0_left: ∀t. E0 ⧺ t = t.
+//; qed.
+lemma E0_right: ∀t. t ⧺ E0 = t.
+@append_nil qed.
+lemma Eapp_assoc: ∀t1,t2,t3. (t1 ⧺ t2) ⧺ t3 = t1 ⧺ (t2 ⧺ t3).
+@associative_append qed.
+lemma Eapp_E0_inv: ∀t1,t2. t1 ⧺ t2 = E0 → t1 = E0 ∧ t2 = E0.
+@nil_append_nil_both qed.
 nlemma E0_left_inf: ∀T. E0 ⧻ T = T.
 //; nqed.
 nlemma Eappinf_assoc: ∀t1,t2,T. (t1 ⧺ t2) ⧻ T = t1 ⧻ (t2 ⧻ T).
 #t1; nelim t1; #t2 T; nnormalize; //; nqed.
+lemma E0_left_inf: ∀T. E0 ⧻ T = T.
+//; qed.
+lemma Eappinf_assoc: ∀t1,t2,T. (t1 ⧺ t2) ⧻ T = t1 ⧻ (t2 ⧻ T).
+#t1 elim t1; #t2 #T normalize; //; qed.
 (*
 …
   infinite concatenations of nonempty finite traces. *)
 ncoinductive traceinf': Type ≝
+coinductive traceinf': Type[0] ≝
   | Econsinf': ∀t: trace. ∀T: traceinf'. t ≠ E0 → traceinf'.
 ndefinition split_traceinf' : ∀t:trace. traceinf' → t ≠ E0 → event × traceinf' ≝
+definition split_traceinf' : ∀t:trace. traceinf' → t ≠ E0 → event × traceinf' ≝
 λt,T.
   match t return λt0.t0 ≠ E0 → ? with
 …
      ]) (refl ? t')
   ].
+##[ *; #NE; napply False_rect_Type0; napply NE; napply refl;
 ##| @; #E'; nrewrite > E' in E; #E; nwhd in E:(??%%); ndestruct (E);
 ##] nqed.
 nlet corec traceinf_of_traceinf' (T': traceinf') : traceinf ≝
+[ *; #NE @False_rect_Type0 @NE @refl
+| % #E' >E' in E #E whd in E:(??%%); destruct (E);
+] qed.
+let corec traceinf_of_traceinf' (T': traceinf') : traceinf ≝
   match T' with
   [ Econsinf' t T'' NOTEMPTY ⇒
       match split_traceinf' t T'' NOTEMPTY with [ mk_pair e tl ⇒
+      match split_traceinf' t T'' NOTEMPTY with [ pair e tl ⇒
       Econsinf e (traceinf_of_traceinf' tl) ]
   ].
 nremark unroll_traceinf':
+lemma unroll_traceinf':
   ∀T. T = match T with [ Econsinf' t T' NE ⇒ Econsinf' t T' NE ].
 #T; ncases T; //; nqed.
 nremark unroll_traceinf:
+#T cases T; //; qed.
+lemma unroll_traceinf:
   ∀T. T = match T with [ Econsinf t T' ⇒ Econsinf t T' ].
 #T; ncases T; //;
 nqed.
 nlemma traceinf_traceinfp_app:
+#T cases T #ev #tr @refl (* XXX //; *)
+qed.
+lemma traceinf_traceinfp_app:
   ∀t,T,NE.
   traceinf_of_traceinf' (Econsinf' t T NE) = t ⧻ traceinf_of_traceinf' T.
 #t; nelim t;
+##[ #T NE; ncases NE; #NE'; napply False_ind; napply NE'; napply refl;
+##| #h t'; ncases t'; ##[ ##2: #h' t''; ##] #IH T NE;
     nrewrite > (unroll_traceinf (traceinf_of_traceinf' ?));
     nwhd in ⊢ (??%?); //; nrewrite > (IH …); napply refl;
 ##] nqed.
+#t elim t;
+[ #T #NE cases NE; #NE' @False_ind @NE' @refl
+| #h #t' cases t'; [ 2: #h' #t'' ] #IH #T #NE
+    >(unroll_traceinf (traceinf_of_traceinf' ?))
+    whd in ⊢ (??%?); //; >(IH …) @refl
+] qed.
 (* <<< *)
 …
   from the operating system. *)
 ninductive eventval_match: eventval -> typ -> val -> Prop :=
+inductive eventval_match: eventval -> typ -> val -> Prop :=
   | ev_match_int:
       ∀i. eventval_match (EVint i) ASTint (Vint i)
 …
       ∀f. eventval_match (EVfloat f) ASTfloat (Vfloat f).
 ninductive eventval_list_match: list eventval -> list typ -> list val -> Prop :=
+inductive eventval_list_match: list eventval -> list typ -> list val -> Prop :=
   | evl_match_nil:
       eventval_list_match (nil ?) (nil ?) (nil ?)
 …