Extensibella: Extensibella Example: exactEval:host

Language Specification

File: syntax.sos

Module exactEval:host

/*Expressions*/
expr ::= num(int)
       | plus(expr, expr)
       | minus(expr, expr)
       | mult(expr, expr)
       | div(expr, expr)
       | true
       | false
       | and(expr, expr)
       | or(expr, expr)
       | not(expr)
       | greater(expr, expr)
       | eq(expr, expr)
       | stringLit(string)
       | appString(expr, expr)
       | name(string)
       | call(string, args)
       | stmtExpr(stmt, expr)
       | recBuild(recFieldExprs)
       | recFieldAccess(expr, string)
       | errorExpr(expr, typ)
        /*errorExpr represents a failure case
          expr:  string-typed error message expression
          typ:  for proving typing properties*/
/*[string] is list of names used in the program thus far;
  lets us generate fresh names for extension constructs*/
Projection expr : [string]

recFieldExprs ::= nilRecFieldExprs
                | consRecFieldExprs(string, expr, recFieldExprs)
Projection recFieldExprs :

args ::= nilArgs
       | consArgs(expr, args)
Projection args :


/*Statements*/
stmt ::= noop
       | seq(stmt, stmt)
       | declare(typ, string, expr)
       | assign(string, expr)
       | recUpdate(string, [string], expr)
       | ifThenElse(expr, stmt, stmt)
       | while(expr, stmt)
       | scopeStmt(stmt)
       | printVal(expr)
/*[string] is list of names used in the program thus far;
  lets us generate fresh names for extension constructs*/
Projection stmt : [string]


/*Functions*/
fun ::= fun(string, typ, string, value, [param], stmt)
     /*name, ret ty, ret var, init ret var val, params, body*/
Projection fun :

param ::= param(string, typ)
Projection param :


/*Full Program*/
program ::= program([fun], fun)
              /*list of auxiliary functions, main function*/
Projection program :


/*Types (cannot name it "type" because of Extensibella keyword*/
typ ::= intTy
      | boolTy
      | stringTy
      | recTy(recFieldTys)
recFieldTys ::= nilRecFieldTys
              | consRecFieldTys(string, typ, recFieldTys)
Projection typ :
Projection recFieldTys :


/*Values*/
value ::= intVal(int)
        | trueVal
        | falseVal
        | stringVal(string)
        | recVal([(string, value)])
Projection value :

File: vars.sos

[Reduce File] [Raw File]

Module exactEval:host

Judgment vars : expr* [string]
Fixed Judgment varsArgs : args [string]
Fixed Judgment varsRecFields : recFieldExprs [string]


/********************************************************************
 Expression Variables
 ********************************************************************/

-------------- [V-Num]
vars num(I) []


vars E1 V1
vars E2 V2
V1 ++ V2 = V
------------------- [V-Plus]
vars plus(E1, E2) V


vars E1 V1
vars E2 V2
V1 ++ V2 = V
-------------------- [V-Minus]
vars minus(E1, E2) V


vars E1 V1
vars E2 V2
V1 ++ V2 = V
------------------- [V-Mult]
vars mult(E1, E2) V


vars E1 V1
vars E2 V2
V1 ++ V2 = V
------------------ [V-Div]
vars div(E1, E2) V


------------ [V-True]
vars true []


------------- [V-False]
vars false []


vars E1 V1
vars E2 V2
V1 ++ V2 = V
------------------ [V-And]
vars and(E1, E2) V


vars E1 V1
vars E2 V2
V1 ++ V2 = V
----------------- [V-Or]
vars or(E1, E2) V


vars E V
------------- [V-Not]
vars not(E) V


vars E1 V1
vars E2 V2
V1 ++ V2 = V
---------------------- [V-Greater]
vars greater(E1, E2) V


vars E1 V1
vars E2 V2
V1 ++ V2 = V
----------------- [V-Eq]
vars eq(E1, E2) V


-------------------- [V-String]
vars stringLit(S) []


vars E1 V1
vars E2 V2
V1 ++ V2 = V
------------------------ [V-AppString]
vars appString(E1, E2) V


---------------- [V-Name]
vars name(X) [X]


varsArgs Args V
---------------------- [V-Call]
vars call(Fun, Args) V


vars E V
--------------------- [V-StmtExpr]
vars stmtExpr(S, E) V


varsRecFields RF V
------------------- [V-RecBuild]
vars recBuild(RF) V


vars Rec V
--------------------------------- [V-RecAccess]
vars recFieldAccess(Rec, Field) V


vars Msg V
------------------------- [V-Error]
vars errorExpr(Msg, Ty) V



/*Arguments*/

=================== [VA-Nil]
varsArgs nilArgs []


vars E VE
varsArgs Rest VRest
VE ++ VRest = V
============================ [VA-Cons]
varsArgs consArgs(E, Rest) V



/*Record Fields*/

================================= [VRF-Nil]
varsRecFields nilRecFieldExprs []


vars E VE
varsRecFields Rest VRest
VE ++ VRest = V
============================================= [VRF-Cons]
varsRecFields consRecFieldExprs(F, E, Rest) V





/********************************************************************
 Statement Names
 ********************************************************************/
         /*names to ignore, stmt, other names referenced, new ignore*/
Judgment stmtNames : [[string]] stmt* [string] [[string]]
/*
  Find the set of non-local names referenced in a statement, meaning
  the names declared outside it but used in it.  The first argument is
  the scopes for names we want to ignore.  This is used to ignore
  declarations within the statement.
  This basically finds the free variables in a statement.
*/
Judgment exprNames : [[string]] expr* [string]
Fixed Judgment argsNames : [[string]] args [string]
Fixed Judgment recFieldNames : [[string]] recFieldExprs [string]

Fixed Judgment mems : A [[A]]
Fixed Judgment not_mems : A [[A]]

------------------------- [SN-Noop]
stmtNames Ctx noop [] Ctx


stmtNames Ctx S1 N1 Ctx1
stmtNames Ctx1 S2 N2 Ctx2
N1 ++ N2 = N
-------------------------------- [SN-Seq]
stmtNames Ctx seq(S1, S2) N Ctx2


exprNames (Scope::Ctx) E N
------------------------------------------- [SN-Declare]
{stmtNames (Scope::Ctx) declare(Ty, X, E) N
           ((X::Scope)::Ctx)}


mems X Ctx
exprNames Ctx E N
-------------------------------- [SN-Assign-Ignore]
stmtNames Ctx assign(X, E) N Ctx


not_mems X Ctx
exprNames Ctx E N
----------------------------------- [SN-Assign-Take]
stmtNames Ctx assign(X, E) X::N Ctx /*assigning is use-ish*/


mems R Ctx
exprNames Ctx E N
------------------------------------------- [SN-RecUpdate-Ignore]
stmtNames Ctx recUpdate(R, Fields, E) N Ctx


not_mems R Ctx
exprNames Ctx E N
---------------------------------------------- [SN-RecUpdate-Take]
stmtNames Ctx recUpdate(R, Fields, E) R::N Ctx


exprNames Ctx C CN
stmtNames []::Ctx T TN CtxT
stmtNames []::Ctx F FN CtxF
CN ++ TN = N1
N1 ++ FN = N
--------------------------------------- [SN-IfThenElse]
stmtNames Ctx ifThenElse(C, T, F) N Ctx


exprNames Ctx Cond CN
stmtNames []::Ctx Body BN CtxB
CN ++ BN = N
------------------------------------- [SN-While]
stmtNames Ctx while(Cond, Body) N Ctx


stmtNames []::Ctx S N Ctx1
-------------------------------- [SN-ScopeStmt]
stmtNames Ctx scopeStmt(S) N Ctx


exprNames Ctx E N
------------------------------- [SN-PrintVal]
stmtNames Ctx printVal(E) N Ctx




----------------------- [EN-Num]
exprNames Ctx num(I) []


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
---------------------------- [EN-Plus]
exprNames Ctx plus(E1, E2) N


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
----------------------------- [EN-Minus]
exprNames Ctx minus(E1, E2) N


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
---------------------------- [EN-Mult]
exprNames Ctx mult(E1, E2) N


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
--------------------------- [EN-Div]
exprNames Ctx div(E1, E2) N


--------------------- [EN-True]
exprNames Ctx true []


---------------------- [EN-False]
exprNames Ctx false []


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
--------------------------- [EN-And]
exprNames Ctx and(E1, E2) N


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
-------------------------- [EN-Or]
exprNames Ctx or(E1, E2) N


exprNames Ctx E N
---------------------- [EN-Not]
exprNames Ctx not(E) N


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
------------------------------- [EN-Greater]
exprNames Ctx greater(E1, E2) N


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
-------------------------- [EN-Eq]
exprNames Ctx eq(E1, E2) N


----------------------------- [EN-String]
exprNames Ctx stringLit(S) []


exprNames Ctx E1 N1
exprNames Ctx E2 N2
N1 ++ N2 = N
--------------------------------- [EN-AppString]
exprNames Ctx appString(E1, E2) N


mems X Ctx /*in Ctx, so declared in relevant stmt*/
------------------------ [EN-Name-Ignore]
exprNames Ctx name(X) []


not_mems X Ctx /*not in Ctx, so declared outside*/
------------------------- [EN-Name-Take]
exprNames Ctx name(X) [X]


argsNames Ctx Args N
----------------------------- [EN-Call]
exprNames Ctx call(F, Args) N


stmtNames []::Ctx S NS CtxS
exprNames CtxS E NE
NS ++ NE = N
------------------------------ [EN-StmtExpr]
exprNames Ctx stmtExpr(S, E) N


recFieldNames Ctx RF N
---------------------------- [EN-RecBuild]
exprNames Ctx recBuild(RF) N


exprNames Ctx E N
------------------------------------ [EN-RecFieldAccess]
exprNames Ctx recFieldAccess(E, F) N


exprNames Ctx E N
-------------------------------- [EN-ErrorExpr]
exprNames Ctx errorExpr(E, Ty) N




======================== [AN-Nil]
argsNames Ctx nilArgs []


exprNames Ctx E EN
argsNames Ctx A AN
EN ++ AN = N
============================== [AN-Cons]
argsNames Ctx consArgs(E, A) N




===================================== [RFN-Nil]
recFieldNames Ctx nilRecFieldExprs []


exprNames Ctx E EN
recFieldNames Ctx RF RN
EN ++ RN = N
=============================================== [RFN-Cons]
recFieldNames Ctx consRecFieldExprs(F, E, RF) N




============= [NMems-Nil]
not_mems X []


not_mem X S
not_mems X Rest
================== [NMems-Cons]
not_mems X S::Rest




mem X S
============== [Mems-Here]
mems X S::Rest


mems X Rest
============== [Mems-Later]
mems X S::Rest

File: scopes.sos

[Reduce File] [Raw File]

Module exactEval:host

/*Find a name in the closest scope*/
Fixed Judgment lookupScopes : Key [[(Key, Item)]] Item

lookup L Key Item
============================= [LS-FirstScope]
lookupScopes Key L::Rest Item


no_lookup L Key
lookupScopes Key Rest Item
============================= [LS-Later]
lookupScopes Key L::Rest Item




/*Find a name in the closest scope and replace its associated item
  Fails if name does not exist*/
Fixed Judgment replaceScopes : Key Item [[(Key, Item)]] [[(Key, Item)]]

/*We use remove_all here rather than something like select because we
  want to make evaluation uniqueness not be dependent on typing.  If
  we use select instead, we need to assume there is only one binding
  so the selection of an element to remove is unique.  However, for a
  declaration, we are only ensuring there is a single binding if it is
  well-typed.  Thus evaluation uniqueness would depend on it being
  well-typed.  This is simpler.*/
mem (Key, I) L
remove_all L Key LRemain
============================================ [RS-FirstScope]
{replaceScopes Key Item L::Rest
               ((Key, Item)::LRemain)::Rest}


no_lookup L Key
replaceScopes Key Item Rest New
===================================== [RS-Later]
replaceScopes Key Item L::Rest L::New




Fixed Judgment remove_all : [(Key, Item)] Key [(Key, Item)]

==================== [RA-Nil]
remove_all [] Key []


remove_all Rest Key R
================================== [RA-Remove]
remove_all (Key, Item)::Rest Key R


K != Key
remove_all Rest Key R
=========================================== [RA-Keep]
remove_all (K, Item)::Rest Key (K, Item)::R




/*get the names that occur in all scopes*/
Fixed Judgment names : [[(Key, Item)]] [Key]

=========== [Names-Nil]
names [] []


domain Scope NScope
names Rest NRest
NScope ++ NRest = Names
======================= [Names-Cons]
names Scope::Rest Names




/*Create a name not in the list with the given base
  fresh_name base existingNames freshName

  We don't use fresh_name in the host at all; however, it will be
  useful for extensions introducing new statement forms requiring new
  variables.*/
Fixed Judgment fresh_name : string [string] string

not_mem Base Names
========================== [FN-Final]
fresh_name Base Names Base


mem Base Names
Base ++ "_" = NewBase
fresh_name NewBase Names Fresh
============================== [FN-Step]
fresh_name Base Names Fresh

File: typing.sos

[Reduce File] [Raw File]

Module exactEval:host

/*
  The type [[(string, typ)]] is a set of scopes for typing.  The
  most recent scope is the first one in the list

  The type [(string, (typ, [typ]))] is the function context, listing
  the known functions with their return types and argument types
*/

                   /*funCtx,  tyCtx,  expression,  type*/
Judgment typeOf : {[(string, (typ, [typ]))] [[(string, typ)]]
                   expr* typ}
               /*funCtx, tyCtx, args, types*/
Fixed Judgment typeOfArgs : {
               [(string, (typ, [typ]))] [[(string, typ)]]
               args [typ]}
               /*funCtx, tyCtx, fields, types*/
Fixed Judgment typeOfRecFields : {
               [(string, (typ, [typ]))] [[(string, typ)]]
               recFieldExprs recFieldTys}
                             /*record fields, field, type*/
Fixed Judgment lookupRecFieldTy : recFieldTys string typ


                   /*funCtx, starting tyCtx, statement, ending tyCtx*/
Judgment stmtOK : {[(string, (typ, [typ]))] [[(string, typ)]]
                   stmt* [[(string, typ)]]}
                             /*fields, field types, final type found*/
Fixed Judgment nestedFieldTy : [string] recFieldTys typ


Judgment funOK : [(string, (typ, [typ]))] fun*
Fixed Judgment paramTys : [param] [(string, typ)]
Judgment paramTy : param* string typ /*param name and type*/
Fixed Judgment funsOK : [(string, (typ, [typ]))] [fun]


                /*function, name, ret ty, arg tys*/
Judgment getFunInfo : fun* string typ [typ]
Fixed Judgment gatherFunInfo : [fun] [(string, (typ, [typ]))]


/*Check a full program is well-typed*/
Judgment programOK : program*


/********************************************************************
 Expression Typing
 ********************************************************************/

------------------------- [T-Num]
typeOf FC TC num(I) intTy



typeOf FC TC E1 intTy
typeOf FC TC E2 intTy
------------------------------- [T-Plus]
typeOf FC TC plus(E1, E2) intTy



typeOf FC TC E1 intTy
typeOf FC TC E2 intTy
-------------------------------- [T-Minus]
typeOf FC TC minus(E1, E2) intTy



typeOf FC TC E1 intTy
typeOf FC TC E2 intTy
------------------------------- [T-Mult]
typeOf FC TC mult(E1, E2) intTy



typeOf FC TC E1 intTy
typeOf FC TC E2 intTy
------------------------------ [T-Div]
typeOf FC TC div(E1, E2) intTy


------------------------ [T-True]
typeOf FC TC true boolTy


------------------------- [T-False]
typeOf FC TC false boolTy


typeOf FC TC E1 boolTy
typeOf FC TC E2 boolTy
------------------------------- [T-And]
typeOf FC TC and(E1, E2) boolTy


typeOf FC TC E1 boolTy
typeOf FC TC E2 boolTy
------------------------------ [T-Or]
typeOf FC TC or(E1, E2) boolTy


typeOf FC TC E boolTy
-------------------------- [T-Not]
typeOf FC TC not(E) boolTy


typeOf FC TC E1 intTy
typeOf FC TC E2 intTy
----------------------------------- [T-Greater]
typeOf FC TC greater(E1, E2) boolTy


typeOf FC TC E1 intTy
typeOf FC TC E2 intTy
------------------------------ [T-Eq-Int]
typeOf FC TC eq(E1, E2) boolTy


typeOf FC TC E1 boolTy
typeOf FC TC E2 boolTy
------------------------------ [T-Eq-Bool]
typeOf FC TC eq(E1, E2) boolTy


typeOf FC TC E1 stringTy
typeOf FC TC E2 stringTy
------------------------------ [T-Eq-String]
typeOf FC TC eq(E1, E2) boolTy


---------------------------------- [T-String]
typeOf FC TC stringLit(S) stringTy


typeOf FC TC E1 stringTy
typeOf FC TC E2 stringTy
--------------------------------------- [T-AppString]
typeOf FC TC appString(E1, E2) stringTy


lookupScopes X TC Ty
----------------------- [T-Name]
typeOf FC TC name(X) Ty


lookup FC Fun (RetTy, ArgTys)
typeOfArgs FC TC Args ArgTys
---------------------------------- [T-Call]
typeOf FC TC call(Fun, Args) RetTy


stmtOK FC []::TC S TC1 /*stmt is a new scope, containing E*/
typeOf FC TC1 E Ty
------------------------------ [T-StmtExpr]
typeOf FC TC stmtExpr(S, E) Ty


typeOfRecFields FC TC Fields FieldTys
--------------------------------------------- [T-RecBuild]
typeOf FC TC recBuild(Fields) recTy(FieldTys)


typeOf FC TC E recTy(FieldTys)
lookupRecFieldTy FieldTys Field Ty
---------------------------------------- [T-RecAccess]
typeOf FC TC recFieldAccess(E, Field) Ty


/*any type*/
---------------------------------- [T-Error]
typeOf GC TC errorExpr(Msg, Ty) Ty



/*Arguments*/

=========================== [TA-Nil]
typeOfArgs FC TC nilArgs []


typeOf FC TC E ETy
typeOfArgs FC TC Rest ETys
============================================ [TA-Cons]
typeOfArgs FC TC consArgs(E, Rest) ETy::ETys



/*Record Fields*/

===================================================== [TRF-Nil]
typeOfRecFields FC TC nilRecFieldExprs nilRecFieldTys


typeOf FC TC E ETy
typeOfRecFields FC TC Rest RestTys
======================================================= [TRF-Cons]
{typeOfRecFields FC TC consRecFieldExprs(Name, E, Rest)
                 consRecFieldTys(Name, ETy, RestTys)}



/*Record Field Types for Specific Fields*/

================================================== [LRF-Here]
lookupRecFieldTy consRecFieldTys(F, Ty, Rest) F Ty


X != F
lookupRecFieldTy Rest F Ty
=================================================== [LRF-Later]
lookupRecFieldTy consRecFieldTys(X, XTy, Rest) F Ty





/********************************************************************
 Statement Typing
 ********************************************************************/

-------------------- [T-Noop]
stmtOK FC TC noop TC


stmtOK FC TC S1 TC1
stmtOK FC TC1 S2 TC2
---------------------------- [T-Seq]
stmtOK FC TC seq(S1, S2) TC2


no_lookup Scope X /*can't redeclare in scope*/
typeOf FC Scope::RestTC E Ty
------------------------------------------ [T-Declare]
{stmtOK FC Scope::RestTC declare(Ty, X, E)
        ((X, Ty)::Scope)::RestTC}


/*Implicit simplifying assumption:  Record fields are always in the
  same order in types, so we don't have to do more than check strict
  equality here.  If we didn't want to require the same order, we
  could have a type equality check relation.*/
lookupScopes X TC Ty
typeOf FC TC E Ty
---------------------------- [T-Assign]
stmtOK FC TC assign(X, E) TC


lookupScopes Rec TC recTy(FieldTys)
typeOf FC TC E Ty
nestedFieldTy Fields FieldTys Ty
----------------------------------------- [T-RecUpdate]
stmtOK FC TC recUpdate(Rec, Fields, E) TC


typeOf FC TC Cond boolTy
stmtOK FC []::TC Th TCTh /*branches are new scopes*/
stmtOK FC []::TC El TCEl
---------------------------------------- [T-IfThenElse]
stmtOK FC TC ifThenElse(Cond, Th, El) TC


typeOf FC TC Cond boolTy
stmtOK FC []::TC Body TC2 /*body is new scope*/
--------------------------------- [T-While]
stmtOK FC TC while(Cond, Body) TC


stmtOK FC []::TC S TC2
---------------------------- [T-ScopeStmt]
stmtOK FC TC scopeStmt(S) TC


typeOf FC TC E intTy
--------------------------- [T-Print-Int]
stmtOK FC TC printVal(E) TC


typeOf FC TC E boolTy
--------------------------- [T-Print-Bool]
stmtOK FC TC printVal(E) TC


typeOf FC TC E stringTy
--------------------------- [T-Print-String]
stmtOK FC TC printVal(E) TC



/*Nested Field Type*/

lookupRecFieldTy FTys F Ty
========================== [NFT-LastField]
nestedFieldTy [F] FTys Ty


lookupRecFieldTy FTys F recTy(NextFields)
nestedFieldTy Rest NextFields Ty
========================================= [NFT-StepField]
nestedFieldTy F::Rest FTys Ty





/********************************************************************
 Function Typing
 ********************************************************************/

/*check the function is well-typed with given types*/
paramTys Params ParamTys
stmtOK FC [(RetVar, RetTy)::ParamTys] Body FinalTC
/*check the function ctx contains the given types for this function*/
lookup FC FunName (RetTy, PTys)
values ParamTys PTys
/*no param with same name as return variable*/
no_lookup ParamTys RetVar
valueType RVVal RetTy
--------------------------------------------------------- [T-Fun]
funOK FC fun(FunName, RetTy, RetVar, RVVal, Params, Body)



/*Types in Lists of Parameters*/

============== [PT-Nil]
paramTys [] []


paramTy P PName PTy
paramTys Rest RestTys
====================================== [PT-Cons]
paramTys P::Rest (PName, PTy)::RestTys



/*Types of Parameters*/

------------------------------- [PT-Param]
paramTy param(Name, Ty) Name Ty



/*Types for a List of Functions*/

============ [FOK-Nil]
funsOK FC []


funOK FC F
funsOK FC Rest
================= [FOK-Cons]
funsOK FC F::Rest





/********************************************************************
 Gather Functions
 ********************************************************************/

paramTys Params NameTys
values NameTys PTys
------------------------------------------------------------ [GFI-Fun]
{getFunInfo fun(FunName, RetTy, RetVar, RVVal, Params, Body)
            FunName RetTy PTys}



=================== [GFI-Nil]
gatherFunInfo [] []


getFunInfo F Name RetTy PTys
gatherFunInfo Rest RestTys
==================================================== [GFI-Cons]
gatherFunInfo F::Rest (Name, (RetTy, PTys))::RestTys





/********************************************************************
 Program Typing
 ********************************************************************/

gatherFunInfo Funs FC
funsOK FC Funs
funOK FC Main
/*Main must be named "main" and return int*/
getFunInfo Main "main" intTy ArgTys
----------------------------------- [T-Program]
programOK program(Funs, Main)





/********************************************************************
 Value Typing
 ********************************************************************/

/*
  At first glance, this primary component seems backward.  It appears
  we should have it be that *value* forms cannot have their types
  redefined.  However, in our language we are essentially disallowing
  extending value forms, as an expression and its projection need to
  evaluate to the same value.  In order to have type preservation, we
  then need the old values forms produced by new constructs that may
  have new types also to have those new types.  Having the type be the
  primary component here allows us to do that.
 */
Judgment valueType : value typ*
Fixed Judgment valFieldTys : [(string, value)] recFieldTys

------------------------- [VT-Int]
valueType intVal(I) intTy


------------------------ [VT-True]
valueType trueVal boolTy


------------------------- [VT-False]
valueType falseVal boolTy


------------------------------- [VT-String]
valueType stringVal(S) stringTy


valFieldTys Fields FieldTys
---------------------------------------- [VT-Rec]
valueType recVal(Fields) recTy(FieldTys)



============================= [VFT-Nil]
valFieldTys [] nilRecFieldTys


valueType V Ty
valFieldTys Rest RestTys
======================================================== [VFT-Cons]
valFieldTys (F, V)::Rest consRecFieldTys(F, Ty, RestTys)

File: eval.sos

[Reduce File] [Raw File]

Module exactEval:host

/*
  The type [(string, (string, value, [string], stmt))] is the function
  environment, listing the known functions with their return vars,
  initial return var values, parameter names, and body

  The type [[(string, value)]] is a set of scopes for evaluation.  The
  most recent scope is the first one in the list.
*/

   /*fun env,  val env in,  expr,  value,  val env out,  printed output*/
Judgment evalExpr : {[(string, (string, value, [string], stmt))] [[(string, value)]]
                      expr* value [[(string, value)]] [value]}
Judgment evalArgs : {[(string, (string, value, [string], stmt))] [[(string, value)]]
                     args* [value] [[(string, value)]] [value]}
Judgment evalRecFields : {
            [(string, (string, value, [string], stmt))] [[(string, value)]]
            recFieldExprs* [(string, value)] [[(string, value)]] [value]}


Judgment evalStmt : {[(string, (string, value, [string], stmt))] [[(string, value)]]
                     stmt* [[(string, value)]] [value]}
       /*fields,  new val,  original field vals,  updated field vals*/
Fixed Judgment updateRecFields : {
                  [string] value [(string, value)] [(string, value)]}
                /*field to replace, new value, original list, output list*/
Fixed Judgment replaceRecVal : string value [(string, value)] [(string, value)]


Fixed Judgment paramNames : [param] [string]
Judgment paramName : param* string
Fixed Judgment getFunEvalCtx : [fun] [(string, (string, value, [string], stmt))]
            /*fun, fun name, ret var, ret var init val, param names, body*/
Judgment getFunEvalInfo : fun* string string value [string] stmt

/*Given arguments to main, run program*/
Judgment evalProgram : [value] program* [value]


/********************************************************************
 Expression Evaluation
 ********************************************************************/

------------------------------------- [E-Num]
evalExpr FE EE num(I) intVal(I) EE []


evalExpr FE EE E1 intVal(I1) EE1 O1
evalExpr FE EE1 E2 intVal(I2) EE2 O2
I1 + I2 = I
O1 ++ O2 = O
------------------------------------------- [E-Plus]
evalExpr FE EE plus(E1, E2) intVal(I) EE2 O


evalExpr FE EE E1 intVal(I1) EE1 O1
evalExpr FE EE1 E2 intVal(I2) EE2 O2
I1 - I2 = I
O1 ++ O2 = O
-------------------------------------------- [E-Minus]
evalExpr FE EE minus(E1, E2) intVal(I) EE2 O


evalExpr FE EE E1 intVal(I1) EE1 O1
evalExpr FE EE1 E2 intVal(I2) EE2 O2
I1 * I2 = I
O1 ++ O2 = O
------------------------------------------- [E-Mult]
evalExpr FE EE mult(E1, E2) intVal(I) EE2 O


evalExpr FE EE E1 intVal(I1) EE1 O1
evalExpr FE EE1 E2 intVal(I2) EE2 O2
I1 / I2 = I
O1 ++ O2 = O
------------------------------------------ [E-Div]
evalExpr FE EE div(E1, E2) intVal(I) EE2 O


--------------------------------- [E-True]
evalExpr FE EE true trueVal EE []


----------------------------------- [E-False]
evalExpr FE EE false falseVal EE []


evalExpr FE EE E1 trueVal EE1 O1
evalExpr FE EE1 E2 trueVal EE2 O2
O1 ++ O2 = O
---------------------------------------- [E-And-True]
evalExpr FE EE and(E1, E2) trueVal EE2 O


evalExpr FE EE E1 falseVal EE1 O
----------------------------------------- [E-And-False1]
evalExpr FE EE and(E1, E2) falseVal EE1 O


evalExpr FE EE E1 trueVal EE1 O1
evalExpr FE EE1 E2 falseVal EE2 O2
O1 ++ O2 = O
----------------------------------------- [E-And-False2]
evalExpr FE EE and(E1, E2) falseVal EE2 O


evalExpr FE EE E1 trueVal EE1 O
--------------------------------------- [E-Or-True1]
evalExpr FE EE or(E1, E2) trueVal EE1 O


evalExpr FE EE E1 falseVal EE1 O1
evalExpr FE EE1 E2 trueVal EE2 O2
O1 ++ O2 = O
--------------------------------------- [E-Or-True2]
evalExpr FE EE or(E1, E2) trueVal EE2 O


evalExpr FE EE E1 falseVal EE1 O1
evalExpr FE EE1 E2 falseVal EE2 O2
O1 ++ O2 = O
---------------------------------------- [E-Or-False]
evalExpr FE EE or(E1, E2) falseVal EE2 O


evalExpr FE EE E falseVal EE1 O
----------------------------------- [E-Not-True]
evalExpr FE EE not(E) trueVal EE1 O


evalExpr FE EE E trueVal EE1 O
------------------------------------ [E-Not-False]
evalExpr FE EE not(E) falseVal EE1 O


evalExpr FE EE E1 intVal(I1) EE1 O1
evalExpr FE EE1 E2 intVal(I2) EE2 O2
I1 > I2
O1 ++ O2 = O
-------------------------------------------- [E-Greater-True]
evalExpr FE EE greater(E1, E2) trueVal EE2 O


evalExpr FE EE E1 intVal(I1) EE1 O1
evalExpr FE EE1 E2 intVal(I2) EE2 O2
I1 <= I2
O1 ++ O2 = O
--------------------------------------------- [E-Greater-False]
evalExpr FE EE greater(E1, E2) falseVal EE2 O


evalExpr FE EE E1 V EE1 O1
evalExpr FE EE1 E2 V EE2 O2
O1 ++ O2 = O
--------------------------------------- [E-Eq-True]
evalExpr FE EE eq(E1, E2) trueVal EE2 O


evalExpr FE EE E1 V1 EE1 O1
evalExpr FE EE1 E2 V2 EE2 O2
V1 != V2
O1 ++ O2 = O
---------------------------------------- [E-Eq-False]
evalExpr FE EE eq(E1, E2) falseVal EE2 O


---------------------------------------------- [E-String]
evalExpr FE EE stringLit(S) stringVal(S) EE []


evalExpr FE EE E1 stringVal(S1) EE1 O1
evalExpr FE EE1 E2 stringVal(S2) EE2 O2
S1 ++ S2 = S
O1 ++ O2 = O
--------------------------------------------------- [E-AppString]
evalExpr FE EE appString(E1, E2) stringVal(S) EE2 O


lookupScopes X EE V
------------------------------ [E-Name]
evalExpr FE EE name(X) V EE []


lookup FE Fun (RetVar, RVVal, ArgNames, Body)
evalArgs FE EE Args ArgVals EE1 O1
zip ArgNames ArgVals InitEnv
evalStmt FE [(RetVar, RVVal)::InitEnv] Body EE2 O2
O1 ++ O2 = O
lookupScopes RetVar EE2 V
-------------------------------------------------- [E-Call]
evalExpr FE EE call(Fun, Args) V EE1 O


evalStmt FE []::EE S EE1 O1
evalExpr FE EE1 E V Scope::EE2 O2 /*drop added scope*/
O1 ++ O2 = O
------------------------------------- [E-StmtExpr]
evalExpr FE EE stmtExpr(S, E) V EE2 O


evalRecFields FE EE RF VF EE1 O
-------------------------------------------- [E-RecBuild]
evalExpr FE EE recBuild(RF) recVal(VF) EE1 O


evalExpr FE EE Rec recVal(Fields) EE1 O
lookup Fields F V
--------------------------------------------- [E-RecAccess]
evalExpr FE EE recFieldAccess(Rec, F) V EE1 O


Extensibella_Stand_In {
  names EE Names
  Names |{expr}- E ~~> E_P
  evalExpr FE EE E_P V_P EE_P O_P
  ------------------------------- [E-Expr-Q]
  evalExpr FE EE E V EE1 O
}



/*Arguments*/

------------------------------- [EA-Nil]
evalArgs FE EE nilArgs [] EE []


evalExpr FE EE E V EE1 O1
evalArgs FE EE1 Rest VRest EE2 O2
O1 ++ O2 = O
----------------------------------------------- [EA-Cons]
evalArgs FE EE consArgs(E, Rest) V::VRest EE2 O


/*No Extensibella stand-in rule because the args type isn't intended
  to be extended*/



/*Record Fields*/

--------------------------------------------- [ERF-Nil]
evalRecFields FE EE nilRecFieldExprs [] EE []


evalExpr FE EE E V EE1 O1
evalRecFields FE EE1 Rest VRest EE2 O2
O1 ++ O2 = O
-------------------------------------------------- [ERF-Cons]
{evalRecFields FE EE consRecFieldExprs(F, E, Rest)
                     (F, V)::VRest EE2 O}

/*recFields isn't intended to be extended either*/





/********************************************************************
 Statement Evaluation
 ********************************************************************/

------------------------- [E-Noop]
evalStmt FE EE noop EE []


evalStmt FE EE S1 EE1 O1
evalStmt FE EE1 S2 EE2 O2
O1 ++ O2 = O
--------------------------------- [E-Seq]
evalStmt FE EE seq(S1, S2) EE2 O


evalExpr FE EE E V Scope::EE1 O
------------------------------------------------------- [E-Declare]
evalStmt FE EE declare(Ty, X, E) ((X, V)::Scope)::EE1 O


evalExpr FE EE E V EE1 O
replaceScopes X V EE1 EE2 /*find and replace value*/
--------------------------------- [E-Assign]
evalStmt FE EE assign(X, E) EE2 O


evalExpr FE EE E V EE1 O
lookupScopes Rec EE recVal(FieldVals)
updateRecFields Fields V FieldVals NewVals
replaceScopes Rec recVal(NewVals) EE1 EE2 /*find and replace value*/
---------------------------------------------- [E-RecUpdate]
evalStmt FE EE recUpdate(Rec, Fields, E) EE2 O


evalExpr FE EE Cond trueVal EE1 O1
evalStmt FE []::EE1 Th Scope::EE2 O2
O1 ++ O2 = O
--------------------------------------------- [E-If-True]
evalStmt FE EE ifThenElse(Cond, Th, El) EE2 O


evalExpr FE EE Cond falseVal EE1 O1
evalStmt FE []::EE1 El Scope::EE2 O2
O1 ++ O2 = O
--------------------------------------------- [E-If-False]
evalStmt FE EE ifThenElse(Cond, Th, El) EE2 O


evalExpr FE EE Cond trueVal EE1 O1
evalStmt FE []::EE1 Body Scope::EE2 O2
evalStmt FE EE2 while(Cond, Body) EE3 O3
O1 ++ O2 = O12
O12 ++ O3 = O
---------------------------------------- [E-While-True]
evalStmt FE EE while(Cond, Body) EE3 O


evalExpr FE EE Cond falseVal EE1 O
-------------------------------------- [E-While-False]
evalStmt FE EE while(Cond, Body) EE1 O


evalStmt FE []::EE S Scope::EE1 O
--------------------------------- [E-ScopeStmt]
evalStmt FE EE scopeStmt(S) EE1 O


evalExpr FE EE E intVal(I) EE1 O1
O1 ++ [intVal(I)] = O
--------------------------------- [E-Print-Int]
evalStmt FE EE printVal(E) EE1 O


evalExpr FE EE E trueVal EE1 O1
O1 ++ [trueVal] = O
-------------------------------- [E-Print-True]
evalStmt FE EE printVal(E) EE1 O


evalExpr FE EE E falseVal EE1 O1
O1 ++ [falseVal] = O
-------------------------------- [E-Print-False]
evalStmt FE EE printVal(E) EE1 O


evalExpr FE EE E stringVal(S) EE1 O1
O1 ++ [stringVal(S)] = O
------------------------------------ [E-Print-String]
evalStmt FE EE printVal(E) EE1 O


Extensibella_Stand_In {
  names EE Names
  Names |{stmt}- S ~~> S_P
  evalStmt FE EE S_P EE_P O_P
  --------------------------- [E-Stmt-Q]
  evalStmt FE EE S EE1 O
}



/*Update Record Fields*/

replaceRecVal F V L Replaced
================================ [URF-One]
updateRecFields [F] V L Replaced


lookup L F recVal(Fields)              /*find record*/
updateRecFields FRest V Fields Updated /*update that record*/
replaceRecVal F recVal(Updated) L Rest /*put that one back in*/
====================================== [URF-Step]
updateRecFields F::FRest V L Rest



==================================================== [RRV-Here]
replaceRecVal F VNew (F, VOld)::Rest (F, VNew)::Rest


F != O
replaceRecVal F VNew Rest RRest
================================================= [RRV-Later]
replaceRecVal F VNew (O, VO)::Rest (O, VO)::RRest





/********************************************************************
 Build Function Evaluation Context
 ********************************************************************/

/*Evaluation-relevant information for a single function*/
paramNames Params PNames
---------------------------------------------------- [GFEI-Fun]
{getFunEvalInfo
    fun(FunName, RetTy, RetVar, RVVal, Params, Body)
    FunName RetVar RVVal PNames Body}



/*Evaluation-relevant information for a list of functions*/

=================== [GFEC-Empty]
getFunEvalCtx [] []


getFunEvalInfo F FName RetVar RVVal PNames Body
getFunEvalCtx FRest CRest
================================================== [GFEC-Cons]
{getFunEvalCtx F::FRest
    (FName, (RetVar, RVVal, PNames, Body))::CRest}



/*Name for a single parameter*/

------------------------------ [PN-Param]
paramName param(Name, Ty) Name



/*Gather names*/

================ [PNs-Empty]
paramNames [] []


paramName P N
paramNames PRest NRest
============================ [PNs-Cons]
paramNames P::PRest N::NRest





/********************************************************************
 Program Evaluation
 ********************************************************************/

/*Build fun ctx*/
getFunEvalCtx Funs FCtx
getFunEvalInfo Main MainName RetVar RetVal PNames Body
/*Run main*/
zip PNames Args InitEnv
{evalStmt (MainName, (RetVar, RetVal, PNames, Body))::FCtx
     [(RetVar, RetVal)::InitEnv] Body EE O}
---------------------------------------------------------- [E-Program]
evalProgram Args program(Funs, Main) O

Reasoning

[Show All Proofs] [Hide All Proofs] [Raw File]

Click on a command or tactic to see a detailed view of its use.

Module exactEval:host.

%can use fresh_name to generate new names for stmt projection
Theorem fresh_name_unique : forall Base Names FA FB,
  fresh_name Base Names FA -> fresh_name Base Names FB -> FA = FB. [Show Proof]

induction on 1. intros FA FB. FA: case FA.
  %FN-Final
   FB: case FB.
     %FN-Final
      search.
     %FN-Step
      apply not_mem to FA FB.
  %FN-Step
   FB: case FB.
     %FN-Final
      apply not_mem to FB FA.
     %FN-Step
      apply append_unique to FA1 FB1. apply IH to FA2 FB2. search.


Theorem fresh_name_unique_mems : forall Base NamesA NamesB FA FB,
  fresh_name Base NamesA FA -> fresh_name Base NamesB FB ->
  (forall X, mem X NamesA -> mem X NamesB) ->
  (forall X, mem X NamesB -> mem X NamesA) ->
  FA = FB. [Show Proof]

induction on 1. intros FA FB MAB MBA. FA: case FA.
  %FN-Final
   FB: case FB.
     %FN-Final
      search.
     %FN-Step
      MA: apply MBA to FB. apply not_mem to FA MA.
  %FN-Step
   FB: case FB.
     %FN-Final
      MB: apply MAB to FA. apply not_mem to FB MB.
     %FN-Step
      apply append_unique to FA1 FB1. apply IH to FA2 FB2 _ _. search.


Theorem fresh_name_is : forall Base Names F,
  is_string Base -> fresh_name Base Names F -> is_string F. [Show Proof]

induction on 2. intros Is FN. FN: case FN.
  %FN-Final
   search.
  %FN-Step
   apply append_string_is to _ _ FN1. apply IH to _ FN2. search.


/*
  The rest of this is proving fresh_name_exists:
*/
Theorem mem_string_list_or_not : forall S L,
  is_string S -> is_list is_string L -> mem S L \/ (mem S L -> false). [Show Proof]

induction on 2. intros IsS IsL. IsL: case IsL.
  %nil
   right. intros M. case M.
  %cons
   Or: apply is_string_eq_or_not to IsS IsL. E: case Or.
     %S = H
      search.
     %S != H
      Or: apply IH to IsS IsL1. M: case Or.
        %mem S T
         search.
        %mem S T -> false
         right. intros X. case X.
           %S = H
            backchain E.
           %mem S T
            backchain M.


Theorem mem_is_string : forall L X,
  is_list is_string L -> mem X L -> is_string X. [Show Proof]

induction on 2. intros Is M. M: case M.
  %Mem-Here
   case Is. search.
  %Mem-Later
   case Is. apply IH to _ M. search.


Theorem select_string_list_is : forall S L L',
  is_list is_string L -> select S L' L -> is_list is_string L'. [Show Proof]

induction on 2. intros Is S. S: case S.
  %Slct-First
   case Is. search.
  %Slct-Later
   case Is. apply IH to _ S. search.


Theorem select_length[A] : forall (X : A) L L' N N',
  select X L' L -> length L N -> 1 + N' = N -> length L' N'. [Show Proof]

induction on 1. intros S L P. S: case S.
  %Slct-First
   L: case L (keep). IsN: apply length_is to L.
   Is: apply plus_integer_is_integer_result to IsN P. clear Is.
   Is: apply plus_integer_is_integer_result to IsN L2. clear Is.
   apply plus_integer_unique_addend to _ _ _ P L2. search.
  %Slct-Later
   L: case L (keep). IsN: apply length_is to L.
   Is: apply plus_integer_is_integer_result to IsN P. clear Is.
   Is: apply plus_integer_is_integer_result to IsN L2. clear Is.
   apply plus_integer_unique_addend to _ _ _ P L2. clear Is2.
   M: apply minus_integer_total to Is1 _ with N2 = 1.
   P': apply minus_plus_same_integer to _ _ M.
   apply minus_integer_is_integer to _ _ M.
   P'': apply plus_integer_comm to _ _ P'.
   apply IH to S L1 P''. search.


Theorem length_exists_string : forall L,
  is_list is_string L -> exists N, length L N. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   Len: apply IH to Is1. IsN: apply length_is to Len.
   apply plus_integer_total to _ IsN with N1 = 1. search.


Theorem not_mem_not_mem : forall X L,
  is_list is_string L -> (mem X L -> false) -> not_mem X L. [Show Proof]

induction on 1. intros IsL NM. Is: case IsL.
  %nil
   search.
  %cons
   unfold.
     %H = X -> false
      intros E. case E. backchain NM.
     %not_mem X T
      apply IH to Is1 _ with X = X. intros M. backchain NM. search.


Define adds_ : string -> string -> prop by
adds_ S S;
adds_ S U := exists S', S ++ "_" = S' /\ adds_ S' U.


Theorem fresh_name_remove : forall Base Names F S Names',
  fresh_name Base Names F -> (adds_ Base S -> false) ->
  select S Names' Names -> fresh_name Base Names' F. [Show Proof]

induction on 1. intros F NA S. F: case F.
  %FN-Final
   apply not_mem_before_select_after to S F. search.
  %FN-Step
   apply IH to F2 _ S. intros A. backchain NA.
   apply mem_before_select_after to S F _.
     intros E. case E. backchain NA.
   search.


Theorem fresh_name_add : forall Base Names F S Names',
  fresh_name Base Names F -> (adds_ Base S -> false) ->
  select S Names Names' -> fresh_name Base Names' F. [Show Proof]

induction on 1. intros F NA S. F: case F.
  %FN-Final
   apply not_mem_after_select_before to S F _.
     intros E. case E. backchain NA.
   search.
  %FN-Step
   apply IH to F2 _ S. intros A. backchain NA.
   apply mem_after_select_before to S F. search.

Theorem length_adds_ : forall A B NA NB,
  adds_ A B -> length A NA -> length B NB -> NA <= NB. [Show Proof]

induction on 1. intros Add LA LB. Add: case Add.
  %same
   apply length_unique to LA LB. IsN: apply length_is to LA.
   apply is_integer_lesseq to IsN. search.
  %step
   IsNA: apply length_is to LA.
   P: apply plus_integer_total to IsNA _ with N2 = 1.
   LenS': apply append_length to Add LA _ P.
   LEq: apply IH to Add1 LenS' LB. P': apply plus_integer_comm to _ _ P.
   L: apply lt_plus_one to P' _. LEq': apply less_integer_lesseq to L.
   apply lesseq_integer_transitive to LEq' LEq. search.


Theorem not_adds_ : forall Base S,
  is_string Base -> adds_ S Base -> Base ++ "_" = S -> false. [Show Proof]

intros IsBase Add App. LenBase: apply string_length_total to IsBase.
IsN: apply length_is to LenBase.
P: apply plus_integer_total to IsN _ with N2 = 1.
LenS: apply append_length to App LenBase _ P.
P': apply plus_integer_comm to _ _ P. L: apply lt_plus_one to P' _.
LEq: apply length_adds_ to Add LenS LenBase.
apply less_lesseq_flip_false to L LEq.


Theorem fresh_name_exists_acc : forall Base Names Len,
  is_string Base -> is_list is_string Names -> length Names Len ->
  acc Len -> exists F, fresh_name Base Names F. [Show Proof]

induction on 4. intros IsBase IsNames Len Acc.
Or: apply mem_string_list_or_not to IsBase IsNames. M: case Or.
  %mem Base Names
   S: apply mem_select to M. IsLen: apply length_is to Len.
   Minus: apply minus_integer_total to IsLen _ with N2 = 1.
   P: apply minus_plus_same_integer to _ _ Minus.
   IsN3: apply minus_integer_is_integer to _ _ Minus.
   P': apply plus_integer_comm to _ _ P.
   Len': apply select_length to S Len P'.
   L: apply lt_plus_one to P' _. Acc: case Acc.
   G: apply length_geq_0 to Len'. Pos: case G. A: apply Acc to _ L.
   IsL': apply select_string_list_is to _ S.
   App: apply append_string_total to IsBase _ with S2 = "_".
   IsS: apply append_string_is to _ _ App.
   F: apply IH to IsS IsL' Len' A. exists F.
   apply fresh_name_add to F _ S.
     intros Add. apply not_adds_ to _ Add App.
   search.
  %mem Base Names -> false
   apply not_mem_not_mem to _ M. search.


Theorem fresh_name_exists : forall Base Names,
  is_string Base -> is_list is_string Names ->
  exists F, fresh_name Base Names F. [Show Proof]

intros IsBase IsNames. Len: apply length_exists_string to IsNames.
IsN: apply length_is to Len. Pos: apply length_geq_0 to Len.
L: case Pos. Acc: apply all_acc to IsN L.
apply fresh_name_exists_acc to IsBase IsNames Len Acc. search.


Theorem fresh_name_not_mem : forall Base Names F,
  fresh_name Base Names F -> mem F Names -> false. [Show Proof]

induction on 1. intros F M. F: case F.
  %FN-Final
   apply not_mem to F M.
  %FN-Step
   apply IH to F2 M.


Theorem fresh_name_start : forall Base Names F,
  is_string Base -> fresh_name Base Names F ->
  exists S, Base ++ S = F. [Show Proof]

induction on 2. intros IsBase F. F: case F.
  %FN-Final
   exists "". A: apply append_string_total to IsBase _ with S2 = "".
   apply append_nil_right to A. search.
  %FN-Step
   apply append_string_is to _ _ F1. A: apply IH to _ F2.
   apply append_associative to F1 A. search.





/********************************************************************
  ____            _      
 | __ )  __ _ ___(_) ___ 
 |  _ \ / _` / __| |/ __|
 | |_) | (_| \__ \ | (__ 
 |____/ \__,_|___/_|\___|
  ____            _           _   _
 |  _ \ _ __ ___ (_) ___  ___| |_(_) ___  _ __
 | |_) | '__/ _ \| |/ _ \/ __| __| |/ _ \| '_ \
 |  __/| | | (_) | |  __/ (__| |_| | (_) | | | |
 |_|   |_|  \___// |\___|\___|\__|_|\___/|_| |_|
   ____         |_/    _             _       _
  / ___|___  _ __  ___| |_ _ __ __ _(_)_ __ | |_ ___
 | |   / _ \| '_ \/ __| __| '__/ _` | | '_ \| __/ __|
 | |__| (_) | | | \__ \ |_| | | (_| | | | | | |_\__ \
 \____\___/|_| |_|___/\__|_|  \__,_|_|_| |_|\__|___/

 Basic Projection Constraints
 ********************************************************************/
Projection_Constraint proj_expr_unique : forall L1 L2 E E1 E2,
  PrA : L1 |{expr}- E ~~> E1 ->
  PrB : L2 |{expr}- E ~~> E2 ->
  IsE : is_expr E ->
  IsL1 : is_list is_string L1 ->
  IsL2 : is_list is_string L2 ->
  Rel12 : (forall X, mem X L1 -> mem X L2) ->
  Rel21 : (forall X, mem X L2 -> mem X L1) ->
  E1 = E2.
Projection_Constraint proj_expr_is : forall L E E',
  Pr : L |{expr}- E ~~> E' ->
  IsE : is_expr E ->
  IsL : is_list is_string L ->
  is_expr E'.
Projection_Constraint proj_expr_other : forall L E E' L',
  Pr : L |{expr}- E ~~> E' ->
  IsE : is_expr E ->
  IsL : is_list is_string L ->
  IsL' : is_list is_string L' ->
  exists E'', L' |{expr}- E ~~> E''.

Projection_Constraint proj_stmt_unique : forall L1 L2 S S1 S2,
  PrA : L1 |{stmt}- S ~~> S1 ->
  PrB : L2 |{stmt}- S ~~> S2 ->
  IsS : is_stmt S ->
  IsL1 : is_list is_string L1 ->
  IsL2 : is_list is_string L2 ->
  Rel12 : (forall X, mem X L1 -> mem X L2) ->
  Rel21 : (forall X, mem X L2 -> mem X L1) ->
  S1 = S2.
Projection_Constraint proj_stmt_is : forall L S S',
  Pr : L |{stmt}- S ~~> S' ->
  IsS : is_stmt S ->
  IsL : is_list is_string L ->
  is_stmt S'.
Projection_Constraint proj_stmt_other : forall L S S' L',
  Pr : L |{stmt}- S ~~> S' ->
  IsS : is_stmt S ->
  IsL : is_list is_string L ->
  IsL' : is_list is_string L' ->
  exists S'', L' |{stmt}- S ~~> S''.

Projection_Constraint proj_fun_unique : forall F F1 F2,
  PrA : |{fun}- F ~~> F1 ->
  PrB : |{fun}- F ~~> F2 ->
  IsF : is_fun F ->
  F1 = F2.
Projection_Constraint proj_fun_is : forall F F',
  Pr : |{fun}- F ~~> F' ->
  IsF : is_fun F ->
  is_fun F'.

Projection_Constraint proj_param_unique : forall P P1 P2,
  PrA : |{param}- P ~~> P1 ->
  PrB : |{param}- P ~~> P2 ->
  IsP : is_param P ->
  P1 = P2.
Projection_Constraint proj_param_is : forall P P',
  Pr : |{param}- P ~~> P' ->
  IsP : is_param P ->
  is_param P'.

Projection_Constraint proj_program_unique : forall P P1 P2,
  PrA : |{program}- P ~~> P1 ->
  PrB : |{program}- P ~~> P2 ->
  IsP : is_program P ->
  P1 = P2.
Projection_Constraint proj_program_is : forall P P',
  Pr : |{program}- P ~~> P' ->
  IsP : is_program P ->
  is_program P'.

Projection_Constraint proj_typ_unique : forall T T1 T2,
  PrA : |{typ}- T ~~> T1 ->
  PrB : |{typ}- T ~~> T2 ->
  IsT : is_typ T ->
  T1 = T2.
Projection_Constraint proj_typ_is : forall T T',
  Pr : |{typ}- T ~~> T' ->
  IsT : is_typ T ->
  is_typ T'.





/********************************************************************
  ____            _     _       _     _
 |  _ \  ___  ___(_) __| | __ _| |__ | | ___
 | | | |/ _ \/ __| |/ _` |/ _` | '_ \| |/ _ \
 | |_| |  __/ (__| | (_| | (_| | |_) | |  __/
 |____/ \___|\___|_|\__,_|\__,_|_.__/|_|\___|
  _____                  _ _ _
 | ____|__ _ _   _  __ _| (_) |_ _   _
 |  _| / _` | | | |/ _` | | | __| | | |
 | |__| (_| | |_| | (_| | | | |_| |_| |
 |_____\__, |\__,_|\__,_|_|_|\__|\__, |
          |_|                    |___/
 Decidable Equality
 ********************************************************************/
Theorem is_list_is_string_eq_or_not : forall L1 L2,
  is_list is_string L1 -> is_list is_string L2 ->
  L1 = L2 \/ (L1 = L2 -> false). [Show Proof]

induction on 1. intros IsLA IsLB. IsLA: case IsLA.
  %nil
   case IsLB.
     %nil
      search.
     %cons
      search.
  %cons
   IsLB: case IsLB.
     %nil
      search.
     %cons
      Or1: apply is_string_eq_or_not to IsLA IsLB.
      Or2: apply IH to IsLA1 IsLB1. N: case Or1.
        %H = H1
         N: case Or2.
           %T = T1
            search.
           %T != T1
            right. intros E. case E. backchain N.
        %H != H1
         right. intros E. case E. backchain N.


Proj_Rel is_expr E, is_args A, is_recFieldExprs RF, is_stmt S.

Ext_Ind forall E, is_expr E; forall A, is_args A;
        forall RF, is_recFieldExprs RF; forall S, is_stmt S. [Show Proof]

%is_expr
 %num
  search.
 %plus
  apply IH to R1. apply IH to R2. search.
 %minus
  apply IH to R1. apply IH to R2. search.
 %mult
  apply IH to R1. apply IH to R2. search.
 %div
  apply IH to R1. apply IH to R2. search.
 %true
  search.
 %false
  search.
 %and
  apply IH to R1. apply IH to R2. search.
 %or
  apply IH to R1. apply IH to R2. search.
 %not
  apply IH to R1. search.
 %greater
  apply IH to R1. apply IH to R2. search.
 %eq
  apply IH to R1. apply IH to R2. search.
 %stringLit
  search.
 %appString
  apply IH to R1. apply IH to R2. search.
 %name
  search.
 %call
  apply IH1 to R2. search.
 %stmtExpr
  apply IH3 to R1. apply IH to R2. search.
 %recBuild
  apply IH2 to R1. search.
 %recFieldAccess
  apply IH to R1. search.
 %errorExpr
  apply IH to R1. search.
%is_args
 %nilArgs
  search.
 %consArgs
  apply IH to R1. apply IH1 to R2. search.
%is_recFieldExprs
 %nilRecFieldExprs
  search.
 %consRecFieldExprs
  apply IH to R2. apply IH2 to R3. search.
%is_stmt
 %noop
  search.
 %seq
  apply IH3 to R1. apply IH3 to R2. search.
 %declare
  apply IH to R3. search.
 %assign
  apply IH to R2. search.
 %recUpdate
  apply IH to R3. search.
 %ifThenElse
  apply IH to R1. apply IH3 to R2. apply IH3 to R3. search.
 %while
  apply IH to R1. apply IH3 to R2. search.
 %scopeStmt
  apply IH3 to R1. search.
 %printVal
  apply IH to R1. search.


/*
  With these properties, we make the args and recFieldExprs types
  nonextensible.
*/
Extensible_Theorem
  is_args_nilArgs_or_consArgs : forall A,
    Is : is_args A ->
    A = nilArgs \/ (exists E A', A = consArgs E A')
  on Is. [Show Proof]

%nilArgs
 search.
%consArgs
 search.
Extensible_Theorem
  is_recFieldExprs_nilRecFieldExprs_or_consRecFieldExprs : forall RF,
    Is : is_recFieldExprs RF ->
    RF = nilRecFieldExprs \/
    (exists F E RF', RF = consRecFieldExprs F E RF')
  on Is. [Show Proof]

%nilRecFieldExprs
 search.
%consRecFieldExprs
 search.

/*
  We do not have decidable equality for expressions, arguments, record
  fields, or statements because they are all dependent on types.  The
  problem there is that extensions need to have properties that, e.g.,
  an expression has the form of a new constructor or not, and these
  properties need to use the is relation as the key relation.  Thus we
  need Ext_Ind for all the is relations.  This is a problem for the
  typing one as extensions may find it useful to introduce new types
  that project to recursive record types (e.g. our list extension's
  list type projects to a record type containing the list type) and
  thus we cannot prove Ext_Ind for it, as we need a derivation of
  <is_typ {P}> for listTy(T) in order to build a derivation of
  <is_typ {P}> for listTy(T).  Then we cannot prove decidable
  equality for most things as we cannot prove the auxiliary things we
  need to do so.
*/





/********************************************************************
  ____                            
 / ___|  ___ ___  _ __   ___  ___ 
 \___ \ / __/ _ \| '_ \ / _ \/ __|
  ___) | (_| (_) | |_) |  __/\__ \
 |____/ \___\___/| .__/ \___||___/
                 |_|
 Scopes
 ********************************************************************/
Theorem lookupScopes_unique[Key, Item] :
  forall L (K : Key) (I1 I2 : Item),
    lookupScopes K L I1 -> lookupScopes K L I2 -> I1 = I2. [Show Proof]

induction on 1. intros LkpA LkpB. LkpA: case LkpA.
  %1:  LS-FirstScope
   LkpB: case LkpB.
     %1.1:  LS-FirstScope
      apply lookup_unique to LkpA LkpB. search.
     %1.2:  LS-Later
      apply no_lookup to LkpB LkpA.
  %2:  LS-Later
   LkpB: case LkpB.
     %2.1:  LS-FirstScope
      apply no_lookup to LkpA LkpB.
     %2.2:  LS-Later
      apply IH to LkpA1 LkpB1. search.


Theorem lookupScopes_names [K, V] : forall Ctx (X : K) (V : V) Names,
  lookupScopes X Ctx V -> names Ctx Names -> mem X Names. [Show Proof]

induction on 1. intros L N. L: case L.
  %LS-FirstScope
   N: case N. M: apply lookup_mem to L. M': apply domain_mem to M N.
   apply mem_append_left to M' N2. search.
  %LS-Later
   N: case N. M: apply IH to L1 N1. apply mem_append_right to M N2.
   search.


Theorem lookup_after_dual_select[Key, Item] :
  forall (K X : Key) (V1 V2 I1 I2 : Item) L R1 R2,
    select (K, V1) R1 L ->  select (K, V2) R2 L -> (K = X -> false) ->
    lookup R1 X I1 -> lookup R2 X I2 -> I1 = I2. [Show Proof]

intros SlctA SlctB NEq LkpA LkpB.
assert X = K -> false. intros E. case E. backchain NEq.
LkpLA: apply lookup_after_select_before to LkpA SlctA _.
LkpLB: apply lookup_after_select_before to LkpB SlctB _.
apply lookup_unique to LkpLA LkpLB. search.


Theorem remove_all_unique[Key, Item] :
  forall (L : list (pair Key Item)) X A B,
    remove_all L X A -> remove_all L X B -> A = B. [Show Proof]

induction on 1. intros RA RB. RA: case RA.
  %RA-Nil
   case RB. search.
  %RA-Remove
   RB: case RB.
     %RA-Remove
      apply IH to RA RB. search.
     %RA-keep
      apply RB to _.
  %RA-Keep
   RB: case RB.
     %RA-Remove
      apply RA to _.
     %RA-keep
      apply IH to RA1 RB1. search.


Theorem replaceScopes_unique[Key, Item] :
  forall X V (L : list (list (pair Key Item))) RA RB,
    replaceScopes X V L RA -> replaceScopes X V L RB -> RA = RB. [Show Proof]

induction on 1. intros RA RB. RA: case RA.
  %RS-FirstScope
   RB: case RB.
     %RS-FirstScope
      apply remove_all_unique to RA1 RB1. search.
     %RS-Later
      apply no_lookup_mem to RB RA.
  %RS-Later
   RB: case RB.
     %RS-FirstScope
      apply no_lookup_mem to RA RB.
     %RS-Later
      apply IH to RA1 RB1. search.


Theorem replaceScopes_names [K, V] :
  forall Ctx (X : K) (V : V) Names R,
    replaceScopes X V Ctx R -> names Ctx Names -> mem X Names. [Show Proof]

induction on 1. intros R N. R: case R.
  %RS-FirstScope
   N: case N. M: apply domain_mem to R N.
   apply mem_append_left to M N2. search.
  %LS-Later
   N: case N. M: apply IH to R1 N1. apply mem_append_right to M N2.
   search.


Theorem remove_all_names [K, V] :
  forall (X : K) (L R : list (pair K V)) NL NR Z,
    remove_all L X R -> domain L NL -> domain R NR -> mem Z NL ->
    (X = Z -> false) -> mem Z NR. [Show Proof]

induction on 1. intros RA LD RD M NEq. RA: case RA.
  %RA-Nil
   case LD. case M.
  %RA-Remove
   LD: case LD. M: case M.
     %Mem-Here
      apply NEq to _.
     %Mem-Later
      apply IH to RA LD RD _ NEq. search.
  %RA-Keep
   LD: case LD. RD: case RD. M: case M.
     %Mem-Here
      search.
     %Mem-Later
      apply IH to RA1 LD RD M NEq. search.


Theorem mem_after_remove_all_before [K, V] :
  forall L R X (Z : pair K V),
    remove_all L X R -> mem Z R -> mem Z L. [Show Proof]

induction on 1. intros R M. R: case R.
  %RA-Nil
   case M.
  %RA-Remove
   apply IH to R M. search.
  %RA-Keep
   M: case M.
     %Mem-Here
      search.
     %Mem-Later
      apply IH to R1 M. search.


Theorem mem_before_remove_all_after [K, V] :
  forall L R X (K : K) (V : V),
    remove_all L X R -> mem (K, V) L -> (K = X -> false) ->
    mem (K, V) R. [Show Proof]

induction on 1. intros R M NEq. R: case R.
  %RA-Nil
   case M.
  %RA-Remove
   M: case M.
     %Mem-Here:  K = X
      apply NEq to _.
     %Mem-Later
      apply IH to R M NEq. search.
  %RA-Keep
   M: case M.
     %Mem-Here:  K = K1
      search.
     %Mem-Later
      apply IH to R1 M _. search.


Theorem names_unique [K, V] :
  forall (L : list (list (pair K V))) NA NB,
    names L NA -> names L NB -> NA = NB. [Show Proof]

induction on 1. intros NA NB. NA: case NA.
  %Names-Nil
   case NB. search.
  %Names-Cons
   NB: case NB. apply IH to NA1 NB1. apply domain_unique to NA NB.
   apply append_unique to NA2 NB2. search.


%two sets of scopes where the names in the first are associated with
%the same items in the second one
Define lookup_all_scopes :
list (list (pair string Item)) ->
list (list (pair string Item)) -> prop by
  lookup_all_scopes [] [];
  lookup_all_scopes (A::ARest) (B::BRest) :=
    (forall X V, lookup A X V -> lookup B X V) /\
    %We will need is_string for proving things with remove_all later
    (forall X, is_string X -> no_lookup A X -> no_lookup B X) /\
    lookup_all_scopes ARest BRest.


Theorem lookup_all_scopes_lookupScopes[Item] :
  forall A B X (V : Item),
    is_string X -> lookup_all_scopes A B -> lookupScopes X A V ->
    lookupScopes X B V. [Show Proof]

induction on 2. intros IsX LAS LS. LAS: case LAS.
  %nil
   case LS.
  %cons
   LS: case LS.
     %LS-FirstScope
      apply LAS to LS. search.
     %LS-Later
      apply IH to _ LAS2 LS1. apply LAS1 to _ LS. search.


Theorem lookup_all_scopes_add[Item] :
  forall A B AS BS X (V : Item),
    lookup_all_scopes (AS::A) (BS::B) ->
    lookup_all_scopes (((X, V)::AS)::A) (((X, V)::BS)::B). [Show Proof]

intros LAS. L: case LAS. unfold.
  %lookup
   intros Lkp. Lkp: case Lkp.
     %Lkp-Here
      search.
     %Lkp-Later
      apply L to Lkp1. search.
  %no_lookup
   intros X N. N: case N. apply L1 to _ N1. search.
  %rest
   search.


%all scopes contain the same values for the same names
%order within scope does not matter
Define scopes_same : list (list (pair string value)) ->
                     list (list (pair string value)) -> prop by
scopes_same [] [];
scopes_same (A::ARest) (B::BRest) :=
  (forall X V, lookup A X V -> lookup B X V) /\
  (forall X V, lookup B X V -> lookup A X V) /\
  scopes_same ARest BRest.


Theorem scopes_same_reflexive : forall L,
  is_list (is_list (is_pair is_string is_value)) L -> scopes_same L L. [Show Proof]

induction on 1. intros IsL. IsL: case IsL.
  %nil
   search.
  %cons
   unfold.
     %lookup ->
      intros L. search.
     %lookup <-
      intros L. search.
     %rest
      apply IH to IsL1. search.


Theorem scopes_same_trans : forall A B C,
  scopes_same A B -> scopes_same B C -> scopes_same A C. [Show Proof]

induction on 1. intros AB BC. AB: case AB.
  %last
   case BC. search.
  %end
   BC: case BC. unfold.
     %lookup A -> lookp C
      intros L. LB: apply AB to L. apply BC to LB. search.
     %lookup C -> lookup A
      intros L. LB: apply BC1 to L. apply AB1 to LB. search.
     %rest
      apply IH to AB2 BC2. search.


Theorem scopes_same_symm : forall A B,
  scopes_same A B -> scopes_same B A. [Show Proof]

induction on 1. intros SS. SS: case SS.
  %last
   search.
  %step
   apply IH to SS2. unfold. search. search. search.





/********************************************************************
 __     __         _       _     _           
 \ \   / /_ _ _ __(_) __ _| |__ | | ___  ___ 
  \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __|
   \ V / (_| | |  | | (_| | |_) | |  __/\__ \
    \_/ \__,_|_|  |_|\__,_|_.__/|_|\___||___/

 Variables
 ********************************************************************/

/********************************************************************
 Variables are unique
 ********************************************************************/
Extensible_Theorem
  vars_unique : forall E V1 V2,
    IsE : is_expr E ->
    VarsA : vars E V1 ->
    VarsB : vars E V2 ->
    V1 = V2
  on VarsA
also
  varsArgs_unique : forall A V1 V2,
    IsA : is_args A ->
    VarsA : varsArgs A V1 ->
    VarsB : varsArgs A V2 ->
    V1 = V2
  on VarsA,
  varsRecFields_unique : forall RF V1 V2,
    IsRF : is_recFieldExprs RF ->
    VarsA : varsRecFields RF V1 ->
    VarsB : varsRecFields RF V2 ->
    V1 = V2
  on VarsA. [Show Proof]

%vars_unique
  %V-Num
   case VarsB. search.
  %V-Plus
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-Minus
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-Mult
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-Div
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-True
   case VarsB. search.
  %V-False
   case VarsB. search.
  %V-And
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-Or
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-Not
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   search.
  %V-Greater
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-Eq
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-String
   case VarsB. search.
  %V-AppString
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   apply IH to _ VarsA2 VarsB2. apply append_unique to VarsA3 VarsB3.
   search.
  %V-Name
   case VarsB. search.
  %V-Call
   case IsE. VarsB: case VarsB (keep). apply IH1 to _ VarsA1 VarsB1.
   apply IH1 to _ VarsA1 VarsB1. search.
  %V-StmtExpr
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   search.
  %V-RecBuild
   case IsE. VarsB: case VarsB (keep). apply IH2 to _ VarsA1 VarsB1.
   search.
  %V-RecAccess
   case IsE. VarsB: case VarsB (keep). apply IH to _ VarsA1 VarsB1.
   search.
  %V-Error
   case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.
%varsArgs_unique
 VarsA: case VarsA.
   %VA-Nil
    case VarsB. search.
   %VA-Cons
    case IsA. VarsB: case VarsB. apply IH to _ VarsA VarsB.
    apply IH1 to _ VarsA1 VarsB1.
    apply append_unique to VarsA2 VarsB2. search.
%varsRecFields_unique
 VarsA: case VarsA.
   %VRF-Nil
    case VarsB. search.
   %VRF-Cons
    case IsRF. VarsB: case VarsB. apply IH to _ VarsA VarsB.
    apply IH2 to _ VarsA1 VarsB1.
    apply append_unique to VarsA2 VarsB2. search.




/********************************************************************
 Variables is_list is_string
 ********************************************************************/
Theorem append_list_string_is : forall L1 L2 L3,
  is_list is_string L1 -> is_list is_string L2 -> L1 ++ L2 = L3 ->
  is_list is_string L3. [Show Proof]

induction on 3. intros IsA IsB App. App: case App.
  %nil
   search.
  %cons
   case IsA. apply IH to _ _ App. search.


Extensible_Theorem
  vars_is : forall E V,
    IsE : is_expr E ->
    V : vars E V ->
    is_list is_string V
  on V
also
  varsArgs_is : forall A V,
    IsA : is_args A ->
    V : varsArgs A V ->
    is_list is_string V
  on V,
  varsRecFields_is : forall RF V,
    IsRF : is_recFieldExprs RF ->
    V : varsRecFields RF V ->
    is_list is_string V
  on V. [Show Proof]

%vars_is
 %V-Num
  search.
 %V-Plus
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-Minus
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-Mult
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-Div
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-True
  search.
 %V-False
  search.
 %V-And
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-Or
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-Not
  case IsE. Is: apply IH to _ V1. search.
 %V-Greater
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-Eq
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-String
  search.
 %V-AppString
  case IsE. IsV2: apply IH to _ V1. IsV3: apply IH to _ V2.
  apply append_list_string_is to _ _ V3. search.
 %V-Name
  case IsE. search.
 %V-Call
  case IsE. apply IH1 to _ V1. search.
 %V-StmtExpr
  case IsE. apply IH to _ V1. search.
 %V-RecBuild
  case IsE. apply IH2 to _ V1. search.
 %V-RecAccess
  case IsE. apply IH to _ V1. search.
 %V-Error
  case IsE. apply IH to _ V1. search.
%varsArgs_is
 V: case V.
   %VA-Nil
    search.
   %VA-Cons
    case IsA. Is1: apply IH to _ V. Is2: apply IH1 to _ V1.
    apply append_list_string_is to _ _ V2. search.
%varsRecfields_is
 V: case V.
   %VRF-Nil
    search.
   %VRF-Cons
    Is: case IsRF. IsA: apply IH to _ V. IsB: apply IH2 to _ V1.
    apply append_list_string_is to _ _ V2. search.




/********************************************************************
 Variables exist for anything
 ********************************************************************/
Theorem append_list_string_total : forall L1 L2,
  is_list is_string L1 -> is_list is_string L2 ->
  exists L3, L1 ++ L2 = L3. [Show Proof]

induction on 1. intros IsA IsB. IsA: case IsA.
  %nil
   search.
  %cons
   apply IH to IsA1 IsB. search.


Extensible_Theorem
  vars_exist : forall E,
    IsE : is_expr E ->
    exists V, vars E V
  on IsE,
  varsArgs_exist : forall A,
    IsA : is_args A ->
    exists V, varsArgs A V
  on IsA,
  varsRecFields_exist : forall RF,
    IsRF : is_recFieldExprs RF ->
    exists V, varsRecFields RF V
  on IsRF. [Show Proof]

%vars_exist
 %V-Num
  search.
 %V-Plus
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-Minus
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-Mult
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-Div
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-True
  search.
 %V-False
  search.
 %V-And
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-Or
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-Not
  apply IH to IsE1. search.
 %V-Greater
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-Eq
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-String
  search.
 %V-AppString
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
  apply append_list_string_total to Is1 Is2. search.
 %V-Name
  search.
 %V-Call
  apply IH1 to IsE2. search.
 %V-StmtExpr
  apply IH to IsE2. search.
 %V-RecBuild
  apply IH2 to IsE1. search.
 %V-RecAccess
  apply IH to IsE1. search.
 %V-Error
  apply IH to IsE1. search.
%varsArgs_exist
 %VA-Nil
  search.
 %VA-Cons
  VE: apply IH to IsA1. VA: apply IH1 to IsA2.
  IsVE: apply vars_is to _ VE. IsVA: apply varsArgs_is to _ VA.
  apply append_list_string_total to IsVE IsVA. search.
%varsRecfields_exist
 %VRF-Nil
  search.
 %VRF-Cons
  VE: apply IH to IsRF2. VRF: apply IH2 to IsRF3.
  IsVE: apply vars_is to _ VE. IsVRF: apply varsRecFields_is to _ VRF.
  apply append_list_string_total to IsVE IsVRF. search.





/********************************************************************
   _____ _        _                            _
  / ____| |      | |                          | |
 | (___ | |_ __ _| |_ ___ _ __ ___   ___ _ __ | |_
  \___ \| __/ _` | __/ _ \ '_ ` _ \ / _ \ '_ \| __|
  ____) | || (_| | ||  __/ | | | | |  __/ | | | |_
 |_____/ \__\__,_|\__\___|_| |_| |_|\___|_| |_|\__|
 | \ | |
 |  \| | __ _ _ __ ___   ___  ___
 | . ` |/ _` | '_ ` _ \ / _ \/ __|
 | |\  | (_| | | | | | |  __/\__ \
 |_| \_|\__,_|_| |_| |_|\___||___/

 Statement Names
 ********************************************************************/

/********************************************************************
 Statement names is
 ********************************************************************/
Extensible_Theorem
  stmtNames_is : forall Ctx S N Ctx',
    IsS : is_stmt S ->
    IsCtx : is_list (is_list is_string) Ctx ->
    SN : stmtNames Ctx S N Ctx' ->
    is_list is_string N
  on SN as IH_S,
  stmtNames_isCtx : forall Ctx S N Ctx',
    IsS : is_stmt S ->
    IsCtx : is_list (is_list is_string) Ctx ->
    SN : stmtNames Ctx S N Ctx' ->
    is_list (is_list is_string) Ctx'
  on SN as IH_S_C,
  exprNames_is : forall Ctx E N,
    IsE : is_expr E ->
    IsCtx : is_list (is_list is_string) Ctx ->
    EN : exprNames Ctx E N ->
    is_list is_string N
  on EN as IH_E
also
  argsNames_is : forall Ctx A N,
    IsA : is_args A ->
    IsCtx : is_list (is_list is_string) Ctx ->
    AN : argsNames Ctx A N ->
    is_list is_string N
  on AN as IH_A,
  recFieldNames_is : forall Ctx RF N,
    IsRF : is_recFieldExprs RF ->
    IsCtx : is_list (is_list is_string) Ctx ->
    RFN : recFieldNames Ctx RF N ->
    is_list is_string N
  on RFN as IH_RF. [Show Proof]

%stmtNames_is
 %SN-Noop
  search.
 %SN-Seq
  case IsS. apply IH_S to _ _ SN1. apply IH_S_C to _ _ SN1.
  apply IH_S to _ _ SN2. apply append_list_string_is to _ _ SN3.
  search.
 %SN-Declare
  case IsS. apply IH_E to _ _ SN1. search.
 %SN-Assign-Ignore
  case IsS. apply IH_E to _ _ SN2. search.
 %SN-Assign-Take
  case IsS. apply IH_E to _ _ SN2. search.
 %SN-RecUpdate-Ignore
  case IsS. apply IH_E to _ _ SN2. search.
 %SN-RecUpdate-Take
  case IsS. apply IH_E to _ _ SN2. search.
 %SN-IfThenElse
  case IsS. apply IH_E to _ _ SN1. apply IH_S to _ _ SN2.
  apply IH_S to _ _ SN3. apply append_list_string_is to _ _ SN4.
  apply append_list_string_is to _ _ SN5. search.
 %SN-While
  case IsS. apply IH_E to _ _ SN1. apply IH_S to _ _ SN2.
  apply append_list_string_is to _ _ SN3. search.
 %SN-ScopeStmt
  case IsS. apply IH_S to _ _ SN1. search.
 %SN-PrintVal
  case IsS. apply IH_E to _ _ SN1. search.
%stmtNames_isCtx
 %SN-Noop
  search.
 %SN-Seq
  case IsS. apply IH_S_C to _ _ SN1. apply IH_S_C to _ _ SN2. search.
 %SN-Declare
  case IsS. case IsCtx. search.
 %SN-Assign-Ignore
  search.
 %SN-Assign-Take
  search.
 %SN-RecUpdate-Ignore
  search.
 %SN-RecUpdate-Take
  search.
 %SN-IfThenElse
  search.
 %SN-While
  search.
 %SN-ScopeStmt
  search.
 %SN-PrintVal
  search.
%exprNames_is
 %EN-Num
  search.
 %EN-Plus
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-Minus
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-Mult
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-Div
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-True
  search.
 %EN-False
  search.
 %EN-And
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-Or
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-Not
  case IsE. apply IH_E to _ _ EN1. search.
 %EN-Greater
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-Eq
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-String
  search.
 %EN-AppString
  case IsE. apply IH_E to _ _ EN1. apply IH_E to _ _ EN2.
  apply append_list_string_is to _ _ EN3. search.
 %EN-Name-Ignore
  search.
 %EN-Name-Take
  case IsE. search.
 %EN-Call
  case IsE. apply IH_A to _ _ EN1. search.
 %EN-StmtExpr
  case IsE. apply IH_S to _ _ EN1. apply IH_S_C to _ _ EN1.
  apply IH_E to _ _ EN2. apply append_list_string_is to _ _ EN3.
  search.
 %EN-RecBuild
  case IsE. apply IH_RF to _ _ EN1. search.
 %EN-RecFieldAccess
  case IsE. apply IH_E to _ _ EN1. search.
 %EN-ErrorExpr
  case IsE. apply IH_E to _ _ EN1. search.
%argsNames_is
 AN: case AN (keep).
   %AN-Nil
    search.
   %AN-Cons
    case IsA. apply IH_E to _ _ AN1. apply IH_A to _ _ AN2.
    apply append_list_string_is to _ _ AN3. search.
%recFieldNames_is
 RFN: case RFN (keep).
   %RFN-Nil
    search.
   %RFN-Cons
    case IsRF. apply IH_E to _ _ RFN1. apply IH_RF to _ _ RFN2.
    apply append_list_string_is to _ _ RFN3. search.




/********************************************************************
 Statement names unique
 ********************************************************************/
Theorem not_mems[A] : forall LS (A : A),
  not_mems A LS -> mems A LS -> false. [Show Proof]

induction on 1. intros NM M. NM: case NM.
  %NMems-Nil
   case M.
  %NMems-Cons
   M: case M.
     %Mems-Here
      apply not_mem to NM M.
     %Mems-Later
      apply IH to NM1 M.


Extensible_Theorem
  stmtNames_unique : forall Ctx S NA CtxA NB CtxB,
    IsS : is_stmt S ->
    IsCtx : is_list (is_list is_string) Ctx ->
    SNA : stmtNames Ctx S NA CtxA ->
    SNB : stmtNames Ctx S NB CtxB ->
    NA = NB /\ CtxA = CtxB
  on SNA as IH_S,
  exprNames_unique : forall Ctx E NA NB,
    IsE : is_expr E ->
    IsCtx : is_list (is_list is_string) Ctx ->
    ENA : exprNames Ctx E NA ->
    ENB : exprNames Ctx E NB ->
    NA = NB
  on ENA as IH_E
also
  argsNames_unique : forall Ctx A NA NB,
    IsA : is_args A ->
    IsCtx : is_list (is_list is_string) Ctx ->
    ANA : argsNames Ctx A NA ->
    ANB : argsNames Ctx A NB ->
    NA = NB
  on ANA as IH_A,
  recFieldNames_unique : forall Ctx RF NA NB,
    IsRF : is_recFieldExprs RF ->
    IsCtx : is_list (is_list is_string) Ctx ->
    RFNA : recFieldNames Ctx RF NA ->
    RFNB : recFieldNames Ctx RF NB ->
    NA = NB
  on RFNA as IH_RF. [Show Proof]

%stmtNames_unique
 %SN-Noop
  case SNB. search.
 %SN-Seq
  SNB: case SNB. case IsS. apply IH_S to _ _ SNA1 SNB.
  apply stmtNames_isCtx to _ _ SNA1. apply stmtNames_isCtx to _ _ SNB.
  apply IH_S to _ _ SNA2 SNB1. apply append_unique to SNA3 SNB2.
  search.
 %SN-Declare
  case IsS. SNB: case SNB. apply IH_E to _ _ SNA1 SNB. search.
 %SN-Assign-Ignore
  case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply IH_E to _ _ SNA2 SNB1. search.
    %SN-Assign-Take
     apply not_mems to SNB SNA1.
 %SN-Assign-Take
  case IsS. SNB: case SNB.
    %SN-Assign-ignore
     apply not_mems to SNA1 SNB.
    %SN-Assign-Take
     apply IH_E to _ _ SNA2 SNB1. search.
 %SN-RecUpdate-Ignore
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply IH_E to _ _ SNA2 SNB1. search.
    %SN-RecUpdate-Take
     apply not_mems to SNB SNA1.
 %SN-RecUpdate-Take
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply not_mems to SNA1 SNB.
    %SN-RecUpdate-Take
     apply IH_E to _ _ SNA2 SNB1. search.
 %SN-IfThenElse
  case IsS. SNB: case SNB. apply IH_E to _ _ SNA1 SNB.
  apply IH_S to _ _ SNA2 SNB1. apply IH_S to _ _ SNA3 SNB2.
  apply append_unique to SNA4 SNB3. apply append_unique to SNA5 SNB4.
  search.
 %SN-While
  case IsS. SNB: case SNB. apply IH_E to _ _ SNA1 SNB.
  apply IH_S to _ _ SNA2 SNB1. apply append_unique to SNA3 SNB2.
  search.
 %SN-ScopeStmt
  case IsS. SNB: case SNB. apply IH_S to _ _ SNA1 SNB. search.
 %SN-PrintVal
  case IsS. SNB: case SNB. apply IH_E to _ _ SNA1 SNB. search.
%exprNames_unique
 %EN-Num
  case ENB. search.
 %EN-Plus
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-Minus
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-Mult
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-Div
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-True
  case ENB. search.
 %EN-False
  case ENB. search.
 %EN-And
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-Or
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-Not
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB. search.
 %EN-Greater
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-Eq
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-String
  case ENB. search.
 %EN-AppString
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-Name-Ignore
  case IsE. ENB: case ENB.
    %EN-Name-Ignore
     search.
    %EN-Name-Take
     apply not_mems to ENB ENA1.
 %EN-Name-Take
  case IsE. ENB: case ENB.
    %EN-Name-Ignore
     apply not_mems to ENA1 ENB.
    %EN-Name-Take
     search.
 %EN-Call
  case IsE. ENB: case ENB. apply IH_A to _ _ ENA1 ENB. search.
 %EN-StmtExpr
  case IsE. ENB: case ENB. apply IH_S to _ _ ENA1 ENB.
  apply stmtNames_isCtx to _ _ ENA1. apply stmtNames_isCtx to _ _ ENB.
  apply IH_E to _ _ ENA2 ENB1. apply append_unique to ENA3 ENB2.
  search.
 %EN-RecBuild
  case IsE. ENB: case ENB. apply IH_RF to _ _ ENA1 ENB. search.
 %EN-RecFieldAccess
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB. search.
 %EN-ErrorExpr
  case IsE. ENB: case ENB. apply IH_E to _ _ ENA1 ENB. search.
%argsNames_unique
 ANA: case ANA (keep).
   %AN-Nil
    case ANB. search.
   %AN-Cons
    case IsA. ANB: case ANB. apply IH_E to _ _ ANA1 ANB.
    apply IH_A to _ _ ANA2 ANB1. apply append_unique to ANA3 ANB2.
    search.
%recFieldNames_unique
 RFNA: case RFNA (keep).
   %RFN-Nil
    case RFNB. search.
   %RFN-Cons
    case IsRF. RFNB: case RFNB. apply IH_E to _ _ RFNA1 RFNB.
    apply IH_RF to _ _ RFNA2 RFNB1.
    apply append_unique to RFNA3 RFNB2. search.




/********************************************************************
 Statement names doesn't modify existing parts of the context
 ********************************************************************/
Extensible_Theorem
  stmtNames_keep_older : forall Scope Ctx S N Ctx',
    IsS : is_stmt S ->
    IsCtx : is_list (is_list is_string) (Scope::Ctx) ->
    SN : stmtNames (Scope::Ctx) S N Ctx' ->
    exists Scope', Ctx' = Scope'::Ctx /\
                   (forall X, mem X Scope -> mem X Scope')
  on SN. [Show Proof]

%SN-Noop
 search.
%SN-Seq
 case IsS. apply IH to _ _ SN1. apply stmtNames_isCtx to _ _ SN1.
 apply IH to _ _ SN2. exists Scope'1. split.
   %equal scopes
    search.
   %mems
    intros M. backchain H5. backchain H3.
%SN-Declare
 search.
%SN-Assign-Ignore
 search.
%SN-Assign-Take
 search.
%SN-RecUpdate-Ignore
 search.
%SN-RecUpdate-Take
 search.
%SN-IfThenElse
 search.
%SN-While
 search.
%SN-ScopeStmt
 case IsS. apply IH to _ _ SN1. search.
%SN-PrintVal
 search.




/********************************************************************
 Statement names exists
 ********************************************************************/
Theorem mems_or_not_mems : forall LS X,
  is_list (is_list is_string) LS -> is_string X ->
  mems X LS \/ not_mems X LS. [Show Proof]

induction on 1. intros IsL IsX. IsL: case IsL.
  %nil
   search.
  %cons
   Or: apply mem_string_list_or_not to IsX IsL. M: case Or.
     %mem X H
      search.
     %mem X H -> false
      Or: apply IH to IsL1 IsX. case Or.
        %mem
         search.
        %not_mem
         apply not_mem_not_mem to _ M. search.


Extensible_Theorem
  stmtNames_exists : forall Scope Ctx S,
    IsS : is_stmt S ->
    %need a scope on the front for declare
    IsCtx : is_list (is_list is_string) (Scope::Ctx) ->
    exists N Ctx', stmtNames (Scope::Ctx) S N Ctx'
  on IsS as IH_S,
  exprNames_exists : forall Ctx E,
    IsE : is_expr E ->
    IsCtx : is_list (is_list is_string) Ctx ->
    exists N, exprNames Ctx E N
  on IsE as IH_E,
  argsNames_exists : forall Ctx A,
    IsA : is_args A ->
    IsCtx : is_list (is_list is_string) Ctx ->
    exists N, argsNames Ctx A N
  on IsA as IH_A,
  recFieldNames_exists : forall Ctx RF,
    IsRF : is_recFieldExprs RF ->
    IsCtx : is_list (is_list is_string) Ctx ->
    exists N, recFieldNames Ctx RF N
  on IsRF as IH_RF. [Show Proof]

%stmtNames_exists
 %noop
  search.
 %seq
  SN1: apply IH_S to IsS1 _. IsC': apply stmtNames_isCtx to _ _ SN1.
  IsN: apply stmtNames_is to _ _ SN1.
  apply stmtNames_keep_older to _ _ SN1.
  SN2: apply IH_S to IsS2 IsC'. IsN1: apply stmtNames_is to _ _ SN2.
  apply append_list_string_total to IsN IsN1. search.
 %declare
  apply IH_E to IsS3 _. search.
 %assign
  apply IH_E to IsS2 _. Or: apply mems_or_not_mems to IsCtx IsS1.
  case Or. search. search.
 %recUpdate
  apply IH_E to IsS3 _. Or: apply mems_or_not_mems to IsCtx IsS1.
  case Or. search. search.
 %ifThenElse
  NC: apply IH_E to IsS1 _.
  NT: apply IH_S to IsS2 _ with Ctx = Scope::Ctx.
  NF: apply IH_S to IsS3 _ with Ctx = Scope::Ctx.
  IsN: apply exprNames_is to _ _ NC.
  IsN1: apply stmtNames_is to _ _ NT.
  IsN2: apply stmtNames_is to _ _ NF.
  App: apply append_list_string_total to IsN IsN1.
  IsL3: apply append_list_string_is to _ _ App.
  apply append_list_string_total to IsL3 IsN2. search.
 %while
  NC: apply IH_E to IsS1 _.
  NB: apply IH_S to IsS2 _ with Ctx = Scope::Ctx.
  IsN: apply exprNames_is to _ _ NC.
  IsN1: apply stmtNames_is to _ _ NB.
  apply append_list_string_total to IsN IsN1. search.
 %scopeStmt
  SN: apply IH_S to IsS1 _ with Ctx = Scope::Ctx. search.
 %printVal
  apply IH_E to IsS1 _. search.
%exprNames_exists
 %num
  search.
 %plus
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %minus
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %mult
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %div
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %true
  search.
 %false
  search.
 %and
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %or
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %not
  apply IH_E to IsE1 _. search.
 %greater
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %eq
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %string
  search.
 %appString
  EN1: apply IH_E to IsE1 _. EN2: apply IH_E to IsE2 _.
  IsN: apply exprNames_is to _ _ EN1.
  IsN1: apply exprNames_is to _ _ EN2.
  apply append_list_string_total to IsN IsN1. search.
 %name
  Or: apply mems_or_not_mems to IsCtx IsE1. case Or. search. search.
 %call
  apply IH_A to IsE2 _. search.
 %stmtExpr
  SN: apply IH_S to IsE1 _ with Ctx = Ctx, Scope = [].
  IsC': apply stmtNames_isCtx to _ _ SN.
  EN: apply IH_E to IsE2 IsC'. IsN: apply stmtNames_is to _ _ SN.
  IsN1: apply exprNames_is to _ _ EN.
  apply append_list_string_total to IsN IsN1. search.
 %recBuild
  apply IH_RF to IsE1 _. search.
 %recFieldAccess
  apply IH_E to IsE1 _. search.
 %errorExpr
  apply IH_E to IsE1 _. search.
%argsNames_exists
 %nilArgs
  search.
 %consArgs
  EN: apply IH_E to IsA1 _. AN: apply IH_A to IsA2 _.
  IsN: apply exprNames_is to _ _ EN.
  IsN1: apply argsNames_is to _ _ AN.
  apply append_list_string_total to IsN IsN1. search.
%recFieldNames_exists
 %nilRecFieldExprs
  search.
 %consRecFieldExprs
  EN: apply IH_E to IsRF2 _. RFN: apply IH_RF to IsRF3 _.
  IsN: apply exprNames_is to _ _ EN.
  IsN1: apply recFieldNames_is to _ _ RFN.
  apply append_list_string_total to IsN IsN1. search.




/********************************************************************
 Statement names not in ctx
 ********************************************************************/
Extensible_Theorem
  stmtNames_not_in_ctx : forall Scope Ctx S N Ctx' X,
    IsS : is_stmt S ->
    IsCtx : is_list (is_list is_string) (Scope::Ctx) ->
    SN : stmtNames (Scope::Ctx) S N Ctx' ->
    MemN : mem X N ->
    MemsCtx : mems X (Scope::Ctx) ->
    false
  on SN as IH_S,
  exprNames_not_in_ctx : forall Ctx E N X,
    IsE : is_expr E ->
    IsCtx : is_list (is_list is_string) Ctx ->
    EN : exprNames Ctx E N ->
    MemN : mem X N ->
    MemsCtx : mems X Ctx ->
    false
  on EN as IH_E
also
  argsNames_not_in_ctx : forall Ctx A N X,
    IsA : is_args A ->
    IsCtx : is_list (is_list is_string) Ctx ->
    AN : argsNames Ctx A N ->
    MemN : mem X N ->
    MemsCtx : mems X Ctx ->
    false
  on AN as IH_A,
  recFieldNames_not_in_ctx : forall Ctx RF N X,
    IsRF : is_recFieldExprs RF ->
    IsCtx : is_list (is_list is_string) Ctx ->
    RFN : recFieldNames Ctx RF N ->
    MemN : mem X N ->
    MemsCtx : mems X Ctx ->
    false
  on RFN as IH_RF. [Show Proof]

%stmtNames_not_in_ctx
 %SN-Noop
  case MemN.
 %SN-Seq
  case IsS. K: apply stmtNames_keep_older to _ _ SN1.
  apply stmtNames_isCtx to _ _ SN1.
  K': apply stmtNames_keep_older to _ _ SN2.
  Or: apply mem_append to MemN SN3. M: case Or.
    %mem X N2
     apply IH_S to _ _ SN1 M MemsCtx.
    %mem X N3
     MemsCtx': assert mems X (Scope'::Ctx).
       M': case MemsCtx. apply K to M'. search. search.
     apply IH_S to _ _ SN2 M MemsCtx'.
 %SN-Declare
  case IsS. apply IH_E to _ _ SN1 MemN MemsCtx.
 %SN-Assign-Ignore
  case IsS. apply IH_E to _ _ SN2 MemN MemsCtx.
 %SN-Assign-Take
  case IsS. MN: case MemN.
    %X = X1
     apply not_mems to SN1 MemsCtx.
    %mem X N1
     apply IH_E to _ _ SN2 MN MemsCtx.
 %SN-RecUpdate-Ignore
  case IsS. apply IH_E to _ _ SN2 MemN MemsCtx.
 %SN-RecUpdate-Take
  case IsS. MN: case MemN.
    %X = R
     apply not_mems to SN1 MemsCtx.
    %mem X N1
     apply IH_E to _ _ SN2 MN MemsCtx.
 %SN-IfThenElse
  case IsS. Or: apply mem_append to MemN SN5. M: case Or.
    %mem X N2
     Or: apply mem_append to M SN4. M': case Or.
       %mem X CN
        apply IH_E to _ _ SN1 M' MemsCtx.
       %mem X TN
        apply IH_S to _ _ SN2 M' _.
    %mem X FN
     apply IH_S to _ _ SN3 M _.
 %SN-While
  case IsS. Or: apply mem_append to MemN SN3. M: case Or.
    %mem X CN
     apply IH_E to _ _ SN1 M MemsCtx.
    %mem X BN
     apply IH_S to _ _ SN2 M _.
 %SN-ScopeStmt
  case IsS. apply IH_S to _ _ SN1 MemN _.
 %SN-PrintVal
  case IsS. apply IH_E to _ _ SN1 MemN MemsCtx.
%exprNames_not_in_ctx
 %EN-Num
  case MemN.
 %EN-Plus
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-Minus
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-Mult
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-Div
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-True
  case MemN.
 %EN-False
  case MemN.
 %EN-And
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-Or
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-Not
  case IsE. apply IH_E to _ _ EN1 MemN MemsCtx.
 %EN-Greater
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-Eq
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-String
  case MemN.
 %EN-AppString
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_E to _ _ EN1 M MemsCtx.
    %mem X N3
     apply IH_E to _ _ EN2 M MemsCtx.
 %EN-Name-Ignore
  case MemN.
 %EN-Name-Take
  M: case MemN.
    %X = X1
     apply not_mems to EN1 MemsCtx.
    %mem []
     case M.
 %EN-Call
  case IsE. apply IH_A to _ _ EN1 MemN MemsCtx.
 %EN-StmtExpr
  case IsE. Or: apply mem_append to MemN EN3. M: case Or.
    %mem X N2
     apply IH_S to _ _ EN1 M _.
    %mem X N3
     K: apply stmtNames_keep_older to _ _ EN1.
     apply stmtNames_isCtx to _ _ EN1. apply IH_E to _ _ EN2 M _.
 %EN-RecBuild
  case IsE. apply IH_RF to _ _ EN1 MemN MemsCtx.
 %EN-RecFieldAccess
  case IsE. apply IH_E to _ _ EN1 MemN MemsCtx.
 %EN-ErrorExpr
  case IsE. apply IH_E to _ _ EN1 MemN MemsCtx.
%argsNames_not_in_ctx
 AN: case AN (keep).
   %AN-Nil
    case MemN.
   %AN-Cons
    case IsA. Or: apply mem_append to MemN AN3. M: case Or.
      %mem X EN
       apply IH_E to _ _ AN1 M MemsCtx.
      %mem X AN
       apply IH_A to _ _ AN2 M MemsCtx.
%recFieldNames_not_in_ctx
 RFN: case RFN (keep).
   %RFN-Nil
    case MemN.
   %RFN-Cons
    case IsRF. Or: apply mem_append to MemN RFN3. M: case Or.
      %mem X EN
       apply IH_E to _ _ RFN1 M MemsCtx.
      %mem X RN
       apply IH_RF to _ _ RFN2 M MemsCtx.




/********************************************************************
 Statement names only depend on context members, not order
 ********************************************************************/
Extensible_Theorem
  stmtNames_relatedCtxs : forall ScopeA CtxA S N CtxA' ScopeB CtxB,
    IsS : is_stmt S ->
    IsCtxA : is_list (is_list is_string) (ScopeA::CtxA) ->
    IsCtxB : is_list (is_list is_string) (ScopeB::CtxB) ->
    RelAB : (forall X, mems X (ScopeA::CtxA) ->
                       mems X (ScopeB::CtxB)) ->
    RelBA : (forall X, mems X (ScopeB::CtxB) ->
                       mems X (ScopeA::CtxA)) ->
    SN : stmtNames (ScopeA::CtxA) S N CtxA' ->
    exists CtxB', stmtNames (ScopeB::CtxB) S N CtxB'
  on SN as IH_S,
  %The names on these for SNA and SNB are actually the same, as shown
  %by stmtNames_relatedCtxs and stmtNames_unique together, but it is
  %easier to prove this way
  stmtNames_relatedCtxs_ctx_fwd :
    forall CtxA S NA CtxA' CtxB NB CtxB' X,
      IsS : is_stmt S ->
      IsCtxA : is_list (is_list is_string) CtxA ->
      IsCtxB : is_list (is_list is_string) CtxB ->
      RelAB : (forall X, mems X CtxA -> mems X CtxB) ->
      SNA : stmtNames CtxA S NA CtxA' ->
      SNB : stmtNames CtxB S NB CtxB' ->
      Mems : mems X CtxA' ->
      mems X CtxB'
  on SNA as IH_S_CAB,
  stmtNames_relatedCtxs_ctx_back :
    forall CtxA S NA CtxA' CtxB NB CtxB' X,
      IsS : is_stmt S ->
      IsCtxA : is_list (is_list is_string) CtxA ->
      IsCtxB : is_list (is_list is_string) CtxB ->
      RelBA : (forall X, mems X CtxB -> mems X CtxA) ->
      SNA : stmtNames CtxA S NA CtxA' ->
      SNB : stmtNames CtxB S NB CtxB' ->
      Mems : mems X CtxB' ->
      mems X CtxA'
  on SNA as IH_S_CBA,
  exprNames_relatedCtxs : forall CtxA CtxB E N,
    IsE : is_expr E ->
    IsCtxA : is_list (is_list is_string) CtxA ->
    IsCtxB : is_list (is_list is_string) CtxB ->
    RelAB : (forall X, mems X CtxA -> mems X CtxB) ->
    RelBA : (forall X, mems X CtxB -> mems X CtxA) ->
    EN : exprNames CtxA E N ->
    exprNames CtxB E N
  on EN as IH_E
also
  argsNames_relatedCtxs : forall CtxA CtxB A N,
    IsA : is_args A ->
    IsCtxA : is_list (is_list is_string) CtxA ->
    IsCtxB : is_list (is_list is_string) CtxB ->
    RelAB : (forall X, mems X CtxA -> mems X CtxB) ->
    RelBA : (forall X, mems X CtxB -> mems X CtxA) ->
    AN : argsNames CtxA A N ->
    argsNames CtxB A N
  on AN as IH_A,
  recFieldNames_relatedCtxs : forall CtxA CtxB RF N,
    IsRF : is_recFieldExprs RF ->
    IsCtxA : is_list (is_list is_string) CtxA ->
    IsCtxB : is_list (is_list is_string) CtxB ->
    RelAB : (forall X, mems X CtxA -> mems X CtxB) ->
    RelBA : (forall X, mems X CtxB -> mems X CtxA) ->
    RFN : recFieldNames CtxA RF N ->
    recFieldNames CtxB RF N
  on RFN as IH_RF. [Show Proof]

%stmtNames_relatedCtxs
 %SN-Noop
  search.
 %SN-Seq
  case IsS. B1: apply IH_S to _ _ _ RelAB RelBA SN1.
  K1: apply stmtNames_keep_older to _ _ SN1.
  KB: apply stmtNames_keep_older to _ _ B1.
  apply stmtNames_isCtx to _ _ SN1. apply stmtNames_isCtx to _ _ B1.
  apply IH_S to _ _ _ _ _ SN2 with CtxB = CtxB, ScopeB = Scope'1.
    %RelBA
     intros M. apply IH_S_CBA to _ _ _ RelBA SN1 B1 M. search.
    %RelAB
     intros M. apply IH_S_CAB to _ _ _ RelAB SN1 B1 M. search.
  search.
 %SN-Declare
  case IsS. apply IH_E to _ _ _ RelAB RelBA SN1. search.
 %SN-Assign-Ignore
  case IsS. apply IH_E to _ _ _ RelAB RelBA SN2.
  apply RelAB to SN1. search.
 %SN-Assign-Take
  Is: case IsS. apply IH_E to _ _ _ RelAB RelBA SN2.
  Or: apply mems_or_not_mems to IsCtxB Is. M: case Or.
    %mems
     M': apply RelBA to M. apply not_mems to SN1 M'.
    %not_mems
     search.
 %SN-RecUpdate-Ignore
  case IsS. apply IH_E to _ _ _ RelAB RelBA SN2. apply RelAB to SN1.
  search.
 %SN-RecUpdate-Take
  Is: case IsS. apply IH_E to _ _ _ RelAB RelBA SN2.
  Or: apply mems_or_not_mems to IsCtxB Is. M: case Or.
    %mems
     M': apply RelBA to M. apply not_mems to SN1 M'.
    %not_mems
     search.
 %SN-IfThenElse
  case IsS. BC: apply IH_E to _ _ _ RelAB RelBA SN1.
  BT: apply IH_S to _ _ _ _ _ SN2 with
         ScopeB = [], CtxB = ScopeB::CtxB.
    %RelBA
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelBA to M. search.
    %RelAB
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelAB to M. search.
  BF: apply IH_S to _ _ _ _ _ SN3 with
         ScopeB = [], CtxB = ScopeB::CtxB.
    %RelBA
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelBA to M. search.
    %RelAB
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelAB to M. search.
  search.
 %SN-While
  case IsS. BC: apply IH_E to _ _ _ RelAB RelBA SN1.
  BB: apply IH_S to _ _ _ _ _ SN2 with
         ScopeB = [], CtxB = ScopeB::CtxB.
    %RelBA
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelBA to M. search.
    %RelAB
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelAB to M. search.
  search.
 %SN-ScopeStmt
  case IsS. B: apply IH_S to _ _ _ _ _ SN1 with
                  ScopeB = [], CtxB = ScopeB::CtxB.
    %RelBA
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelBA to M. search.
    %RelAB
     intros M. M: case M.
       %Mems-Here (mem X [])
        case M.
       %Mems-Later
        apply RelAB to M. search.
  search.
 %SN-PrintVal
  case IsS. apply IH_E to _ _ _ RelAB RelBA SN1. search.
%stmtNames_relatedCtxs_ctx_fwd
 %SN-Noop
  case SNB. apply RelAB to Mems. search.
 %SN-Seq
  case IsS. SNB: case SNB. apply stmtNames_isCtx to _ _ SNA1.
  apply stmtNames_isCtx to _ _ SNB.
  apply IH_S_CAB to _ _ _ _ SNA2 SNB1 Mems.
    intros M. apply IH_S_CAB to _ _ _ RelAB SNA1 SNB M. search.
  search.
 %SN-Declare
  case IsS. SNB: case SNB. Mems: case Mems.
    %Mems-Here
     M: case Mems.
       %Mem-Here (X = X1)
        search.
       %Mem-Later (mem X Scope)
        M': apply RelAB to _ with X1 = X. case M'. search. search.
    %Mems-Later
     M': apply RelAB to _ with X1 = X. case M'. search. search.
 %SN-Assign-Ignore
  Is: case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply RelAB to Mems. search.
    %SN-Assign-Take
     M: apply RelAB to SNA1. apply not_mems to SNB M.
 %SN-Assign-Take
  Is: case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply RelAB to Mems. search.
    %SN-Assign-Take
     apply RelAB to Mems. search.
 %SN-RecUpdate-Ignore
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply RelAB to Mems. search.
    %SN-RecUpdate-Take
     apply RelAB to Mems. search.
 %SN-RecUpdate-Take
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply RelAB to Mems. search.
    %SN-RecUpdate-Take
     apply RelAB to Mems. search.
 %SN-IfThenElse
  case IsS. case SNB. apply RelAB to Mems. search.
 %SN-While
  case SNB. apply RelAB to Mems. search.
 %SN-ScopeStmt
  case SNB. apply RelAB to Mems. search.
 %SN-PrintVal
  case SNB. apply RelAB to Mems. search.
%stmtNames_relatedCtxs_ctx_back
 %SN-Noop
  case SNB. apply RelBA to Mems. search.
 %SN-Seq
  case IsS. SNB: case SNB. apply stmtNames_isCtx to _ _ SNA1.
  apply stmtNames_isCtx to _ _ SNB.
  apply IH_S_CBA to _ _ _ _ SNA2 SNB1 Mems.
    intros M. apply IH_S_CBA to _ _ _ RelBA SNA1 SNB M. search.
  search.
 %SN-Declare
  case IsS. SNB: case SNB. Mems: case Mems.
    %Mems-Here
     M: case Mems.
       %Mem-Here (X = X1)
        search.
       %Mem-Later (mem X Scope)
        M': apply RelBA to _ with X1 = X. case M'. search. search.
    %Mems-Later
     M': apply RelBA to _ with X1 = X. case M'. search. search.
 %SN-Assign-Ignore
  Is: case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply RelBA to Mems. search.
    %SN-Assign-Take
     apply RelBA to Mems. search.
 %SN-Assign-Take
  Is: case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply RelBA to Mems. search.
    %SN-Assign-Take
     apply RelBA to Mems. search.
 %SN-RecUpdate-Ignore
  Is: case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply RelBA to Mems. search.
    %SN-RecUpdate-Take
     apply RelBA to Mems. search.
 %SN-RecUpdate-Take
  Is: case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply RelBA to Mems. search.
    %SN-RecUpdate-Take
     apply RelBA to Mems. search.
 %SN-IfThenElse
  case SNB. apply RelBA to Mems. search.
 %SN-While
  case SNB. apply RelBA to Mems. search.
 %SN-ScopeStmt
  case SNB. apply RelBA to Mems. search.
 %SN-PrintVal
  case SNB. apply RelBA to Mems. search.
%exprNames_relatedCtxs
 %EN-Num
  search.
 %EN-Plus
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-Minus
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-Mult
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-Div
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-True
  search.
 %EN-False
  search.
 %EN-And
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-Or
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-Not
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1. search.
 %EN-Greater
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-Eq
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-String
  search.
 %EN-AppString
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1.
  apply IH_E to _ _ _ RelAB RelBA EN2. search.
 %EN-Name-Ignore
  IsX: case IsE. apply RelAB to EN1. search.
 %EN-Name-Take
  IsX: case IsE. Or: apply mems_or_not_mems to IsCtxB IsX. M: case Or.
    %mems X CtxB
     M': apply RelBA to M. apply not_mems to EN1 M'.
    %not_mems X CtxB
     search.
 %EN-Call
  case IsE. apply IH_A to _ _ _ RelAB RelBA EN1. search.
 %EN-StmtExpr
  case IsE. apply stmtNames_isCtx to _ _ EN1.
  assert forall X1, mems X1 ([]::CtxB) -> mems X1 ([]::CtxA).
    intros M. M: case M. case M. apply RelBA to M. search.
  assert forall X, mems X ([]::CtxA) -> mems X ([]::CtxB).
    intros M. M: case M. case M. apply RelAB to M. search.
  B1: apply IH_S to _ _ _ _ _ EN1 with ScopeB = [], CtxB = CtxB.
  apply stmtNames_isCtx to _ _ B1.
  apply IH_E to _ _ _ _ _ EN2 with CtxB = CtxB'.
    %RelBA
     intros M. apply IH_S_CBA to _ _ _ _ EN1 B1 M. search.
    %RelAB
     intros M. apply IH_S_CAB to _ _ _ _ EN1 B1 M. search.
  search.
 %EN-RecBuild
  case IsE. apply IH_RF to _ _ _ RelAB RelBA EN1. search.
 %EN-RecFieldAccess
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1. search.
 %EN-ErrorExpr
  case IsE. apply IH_E to _ _ _ RelAB RelBA EN1. search.
%argsNames_relatedCtxs
 AN: case AN (keep).
   %AN-Nil
    search.
   %AN-Cons
    case IsA. apply IH_E to _ _ _ RelAB RelBA AN1.
    apply IH_A to _ _ _ RelAB RelBA AN2. search.
%recFieldNames_relatedCtxs
 RFN: case RFN (keep).
   %RFN-Nil
    search.
   %RFN-Cons
    case IsRF. apply IH_E to _ _ _ RelAB RelBA RFN1.
    apply IH_RF to _ _ _ RelAB RelBA RFN2. search.




/********************************************************************
 Statement names with larger contexts only removes some names
 ********************************************************************/
Extensible_Theorem
  stmtNames_increaseCtxs :
    forall ScopeA CtxA S NA CtxA' ScopeB CtxB NB CtxB' X,
      IsS : is_stmt S ->
      IsCtxA : is_list (is_list is_string) (ScopeA::CtxA) ->
      IsCtxB : is_list (is_list is_string) (ScopeB::CtxB) ->
      RelAB : (forall X, mems X (ScopeA::CtxA) ->
                         mems X (ScopeB::CtxB)) ->
      SNA : stmtNames (ScopeA::CtxA) S NA CtxA' ->
      SNB : stmtNames (ScopeB::CtxB) S NB CtxB' ->
      M : mem X NB ->
      mem X NA
  on SNA as IH_S,
  stmtNames_increaseCtxs_ctxs :
    forall ScopeA CtxA S NA CtxA' ScopeB CtxB NB CtxB' X,
      IsS : is_stmt S ->
      IsCtxA : is_list (is_list is_string) (ScopeA::CtxA) ->
      IsCtxB : is_list (is_list is_string) (ScopeB::CtxB) ->
      RelAB : (forall X, mems X (ScopeA::CtxA) ->
                         mems X (ScopeB::CtxB)) ->
      SNA : stmtNames (ScopeA::CtxA) S NA CtxA' ->
      SNB : stmtNames (ScopeB::CtxB) S NB CtxB' ->
      M : mems X CtxA' ->
      mems X CtxB'
  on SNA as IH_S_C,
  exprNames_increaseCtxs :
    forall CtxA E NA CtxB NB X,
      IsE : is_expr E ->
      IsCtxA : is_list (is_list is_string) CtxA ->
      IsCtxB : is_list (is_list is_string) CtxB ->
      RelAB : (forall X, mems X CtxA -> mems X CtxB) ->
      ENA : exprNames CtxA E NA ->
      ENB : exprNames CtxB E NB ->
      M : mem X NB ->
      mem X NA
  on ENA as IH_E
also
  argsNames_increaseCtxs :
    forall CtxA A NA CtxB NB X,
      IsA : is_args A ->
      IsCtxA : is_list (is_list is_string) CtxA ->
      IsCtxB : is_list (is_list is_string) CtxB ->
      RelAB : (forall X, mems X CtxA -> mems X CtxB) ->
      ANA : argsNames CtxA A NA ->
      ANB : argsNames CtxB A NB ->
      M : mem X NB ->
      mem X NA
  on ANA as IH_A,
  recFieldNames_increaseCtxs :
    forall CtxA RF NA CtxB NB X,
      IsRF : is_recFieldExprs RF ->
      IsCtxA : is_list (is_list is_string) CtxA ->
      IsCtxB : is_list (is_list is_string) CtxB ->
      RelAB : (forall X, mems X CtxA -> mems X CtxB) ->
      RFNA : recFieldNames CtxA RF NA ->
      RFNB : recFieldNames CtxB RF NB ->
      M : mem X NB ->
      mem X NA
  on RFNA as IH_RF. [Show Proof]

%stmtNames_increaseCtxs
 %SN-Noop
  case SNB. case M.
 %SN-Seq
  case IsS. SNB: case SNB. apply stmtNames_isCtx to _ _ SNA1.
  apply stmtNames_isCtx to _ _ SNB. Or: apply mem_append to M SNB2.
  M': case Or.
    %mem X N3
     MA: apply IH_S to _ _ _ _ SNA1 SNB M'.
     apply mem_append_left to MA SNA3. search.
    %mem X N4
     apply stmtNames_keep_older to _ _ SNB.
     apply stmtNames_keep_older to _ _ SNA1.
     MA: apply IH_S to _ _ _ _ SNA2 SNB1 M'.
       intros MA+. apply IH_S_C to _ _ _ _ SNA1 SNB MA+. search.
     apply mem_append_right to MA SNA3. search.
 %SN-Declare
  case IsS. SNB: case SNB. apply IH_E to _ _ _ _ SNA1 SNB M. search.
 %SN-Assign-Ignore
  case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply IH_E to _ _ _ _ SNA2 SNB1 M. search.
    %SN-Assign-Take
     MB: apply RelAB to SNA1. apply not_mems to SNB MB.
 %SN-Assign-Take
  case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply IH_E to _ _ _ _ SNA2 SNB1 M. search.
    %SN-Assign-Take
     M: case M.
       %Mem-Here
        search.
       %Mem-Later
        apply IH_E to _ _ _ _ SNA2 SNB1 M. search.
 %SN-RecUpdate-Ignore
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply IH_E to _ _ _ _ SNA2 SNB1 M. search.
    %SN-RecUpdate-Take
     MB: apply RelAB to SNA1. apply not_mems to SNB MB.
 %SN-RecUpdate-Take
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply IH_E to _ _ _ _ SNA2 SNB1 M. search.
    %SN-RecUpdate-Take
     M: case M.
       %Mem-Here
        search.
       %Mem-Later
        apply IH_E to _ _ _ _ SNA2 SNB1 M. search.
 %SN-IfThenElse
  case IsS. SNB: case SNB. Or: apply mem_append to M SNB4.
  M': case Or.
    %mem X N2
     Or: apply mem_append to M' SNB3. M'': case Or.
       %mem X CN1
        MC: apply IH_E to _ _ _ _ SNA1 SNB M''.
        M1: apply mem_append_left to MC SNA4.
        apply mem_append_left to M1 SNA5. search.
       %mem X TN1
        MT: apply IH_S to _ _ _ _ SNA2 SNB1 M''.
          intros Ms. Ms: case Ms.
            %Mems-Here
             case Ms.
            %Mems-Later
             apply RelAB to Ms. search.
        M1: apply mem_append_right to MT SNA4.
        apply mem_append_left to M1 SNA5. search.
    %mem X FN1
     MF: apply IH_S to _ _ _ _ SNA3 SNB2 M'.
       intros Ms. Ms: case Ms.
         %Mems-Here
          case Ms.
         %Mems-Later
          apply RelAB to Ms. search.
     apply mem_append_right to MF SNA5. search.
 %SN-While
  case IsS. SNB: case SNB. Or: apply mem_append to M SNB2.
  M': case Or.
    %mem X CN1
     MC: apply IH_E to _ _ _ _ SNA1 SNB M'.
     apply mem_append_left to MC SNA3. search.
    %mem X BN1
     MB: apply IH_S to _ _ _ _ SNA2 SNB1 M'.
       intros Ms. Ms: case Ms.
         %Mems-Here
          case Ms.
         %Mems-Later
          apply RelAB to Ms. search.
     apply mem_append_right to MB SNA3. search.
 %SN-ScopeStmt
  case IsS. SNB: case SNB. apply IH_S to _ _ _ _ SNA1 SNB M.
    intros Ms. Ms: case Ms.
      %Mems-Here
       case Ms.
      %Mems-Later
       apply RelAB to Ms. search.
  search.
 %SN-PrintVal
  case IsS. SNB: case SNB. apply IH_E to _ _ _ _ SNA1 SNB M. search.
%stmtNames_increaseCtxs_ctxs
 %SN-Noop
  case SNB. backchain RelAB.
 %SN-Seq
  case IsS. SNB: case SNB. R: apply stmtNames_keep_older to _ _ SNA1.
  R1: apply stmtNames_keep_older to _ _ SNB.
  apply stmtNames_isCtx to _ _ SNA1. apply stmtNames_isCtx to _ _ SNB.
  R2: apply stmtNames_keep_older to _ _ SNA2.
  R3: apply stmtNames_keep_older to _ _ SNB1.
  apply IH_S_C to _ _ _ _ SNA2 SNB1 M.
    intros M'. apply IH_S_C to _ _ _ _ SNA1 SNB M'. search.
  search.
 %SN-Declare
  case IsS. SNB: case SNB. M: case M.
    %Mems-Here
      M: case M.
        %Mem-Here (X = X1)
         search.
        %Mem-Later
         MB: apply RelAB to _ with X1 = X. case MB. search. search.
    %Mems-Later
     MB: apply RelAB to _ with X1 = X. case MB. search. search.
 %SN-Assign-Ignore
  case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply RelAB to M. search.
    %SN-Assign-Take
     MB: apply RelAB to SNA1. apply not_mems to SNB MB.
 %SN-Assign-Take
  case IsS. SNB: case SNB.
    %SN-Assign-Ignore
     apply RelAB to M. search.
    %SN-Assign-Take
     apply RelAB to M. search.
 %SN-RecUpdate-Ignore
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply RelAB to M. search.
    %SN-RecUpdate-Take
     MB: apply RelAB to SNA1. apply not_mems to SNB MB.
 %SN-RecUpdate-Take
  case IsS. SNB: case SNB.
    %SN-RecUpdate-Ignore
     apply RelAB to M. search.
    %SN-RecUpdate-Take
     apply RelAB to M. search.
 %SN-IfThenElse
  case IsS. SNB: case SNB. apply RelAB to M. search.
 %SN-While
  case IsS. SNB: case SNB. apply RelAB to M. search.
 %SN-ScopeStmt
  case IsS. SNB: case SNB. apply RelAB to M. search.
 %SN-PrintVal
  case IsS. SNB: case SNB. apply RelAB to M. search.
%exprNames_increaseCtxs
 %EN-Num
  case ENB. case M.
 %EN-Plus
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-Minus
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-Mult
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-Div
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-True
  case ENB. case M.
 %EN-False
  case ENB. case M.
 %EN-And
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-Or
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-Not
  case IsE. ENB: case ENB. apply IH_E to _ _ _ _ ENA1 ENB M. search.
 %EN-Greater
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-Eq
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-String
  case ENB. case M.
 %EN-AppString
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X N3
     M1: apply IH_E to _ _ _ _ ENA1 ENB M'.
     apply mem_append_left to M1 ENA3. search.
    %mem X N4
     M2: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
     apply mem_append_right to M2 ENA3. search.
 %EN-Name-Ignore
  ENB: case ENB.
    %EN-Name-Ignore
     case M.
    %EN-Name-Take
     M: case M.
       %Mem-Here
        MB: apply RelAB to ENA1. apply not_mems to ENB MB.
       %Mem-Later
        case M.
 %EN-Name-Take
  ENB: case ENB.
    %EN-Name-Ignore
     case M.
    %EN-Name-Take
     M: case M.
       %Mem-Here
        search.
       %Mem-Later
        case M.
 %EN-Call
  case IsE. ENB: case ENB. apply IH_A to _ _ _ _ ENA1 ENB M. search.
 %EN-StmtExpr
  case IsE. ENB: case ENB. Or: apply mem_append to M ENB2.
  M': case Or.
    %mem X NS1
     MNS: apply IH_S to _ _ _ _ ENA1 ENB M'.
       intros Ms. Ms: case Ms. case Ms. apply RelAB to Ms. search.
     apply mem_append_left to MNS ENA3. search.
    %mem X NE1
     apply stmtNames_isCtx to _ _ ENA1.
     apply stmtNames_isCtx to _ _ ENB.
     MNE: apply IH_E to _ _ _ _ ENA2 ENB1 M'.
       intros Ms. apply IH_S_C to _ _ _ _ ENA1 ENB Ms.
         intros Ms'. Ms': case Ms'. case Ms'. apply RelAB to Ms'.
         search.
       search.
     apply mem_append_right to MNE ENA3. search.
 %EN-RecBuild
  case IsE. ENB: case ENB. apply IH_RF to _ _ _ _ ENA1 ENB M. search.
 %EN-RecFieldAccess
  case IsE. ENB: case ENB. apply IH_E to _ _ _ _ ENA1 ENB M. search.
 %EN-ErrorExpr
  case IsE. ENB: case ENB. apply IH_E to _ _ _ _ ENA1 ENB M. search.
%argsNames_increaseCtxs
 ANA: case ANA (keep).
   %AN-Nil
    case ANB. case M.
   %AN-Cons
    case IsA. ANB: case ANB. Or: apply mem_append to M ANB2.
    M': case Or.
      %mem X N3
       M1: apply IH_E to _ _ _ _ ANA1 ANB M'.
       apply mem_append_left to M1 ANA3. search.
      %mem X N4
       M2: apply IH_A to _ _ _ _ ANA2 ANB1 M'.
       apply mem_append_right to M2 ANA3. search.
%recFieldNames_increasesCtxs
 RFNA: case RFNA (keep).
   %RFN-Nil
    case RFNB. case M.
   %RFN-Cons
    case IsRF. RFNB: case RFNB. Or: apply mem_append to M RFNB2.
    M': case Or.
      %mem X N3
       M1: apply IH_E to _ _ _ _ RFNA1 RFNB M'.
       apply mem_append_left to M1 RFNA3. search.
      %mem X N4
       M2: apply IH_RF to _ _ _ _ RFNA2 RFNB1 M'.
       apply mem_append_right to M2 RFNA3. search.




/********************************************************************
 Statement names are related across projection
 ********************************************************************/
/*
  These projection constraints ensure projections only use existing
  names and new names they introduce, not random new names.
*/
Projection_Constraint proj_exprNames : forall Names E E_P Ctx N N_P X,
  Pr : Names |{expr}- E ~~> E_P ->
  IsE : is_expr E ->
  IsNames : is_list is_string Names ->
  IsCtx : is_list (is_list is_string) Ctx ->
  EN : exprNames Ctx E N ->
  EN_P : exprNames Ctx E_P N_P ->
  M : mem X N_P ->
  mem X N.

Projection_Constraint proj_stmtNames :
  forall Names S S_P Scope Ctx N Ctx' N_P Ctx'_P X,
    Pr : Names |{stmt}- S ~~> S_P ->
    IsS : is_stmt S ->
    IsNames : is_list is_string Names ->
    IsCtx : is_list (is_list is_string) (Scope::Ctx) ->
    SN : stmtNames (Scope::Ctx) S N Ctx' ->
    SN_P : stmtNames (Scope::Ctx) S_P N_P Ctx'_P ->
    M : mem X N_P ->
    mem X N.

/*
  These two ensure projections only introduce the same new names as
  the originals, and all the same names.
*/
Projection_Constraint proj_stmtNames_names_forward :
  forall Names S S_P Scope Ctx N Ctx' N_P Ctx'_P X,
    Pr : Names |{stmt}- S ~~> S_P ->
    IsS : is_stmt S ->
    IsNames : is_list is_string Names ->
    IsCtx : is_list (is_list is_string) (Scope::Ctx) ->
    SN : stmtNames (Scope::Ctx) S N Ctx' ->
    SN_P : stmtNames (Scope::Ctx) S_P N_P Ctx'_P ->
    M : mems X Ctx' ->
    mems X Ctx'_P.
Projection_Constraint proj_stmtNames_names_backward :
  forall Names S S_P Scope Ctx N Ctx' N_P Ctx'_P X,
    Pr : Names |{stmt}- S ~~> S_P ->
    IsS : is_stmt S ->
    IsNames : is_list is_string Names ->
    IsCtx : is_list (is_list is_string) (Scope::Ctx) ->
    SN : stmtNames (Scope::Ctx) S N Ctx' ->
    SN_P : stmtNames (Scope::Ctx) S_P N_P Ctx'_P ->
    M : mems X Ctx'_P ->
    mems X Ctx'.





/********************************************************************
  _____            _             
 |_   _|   _ _ __ (_)_ __   __ _ 
   | || | | | '_ \| | '_ \ / _` |
   | || |_| | |_) | | | | | (_| |
   |_| \__, | .__/|_|_| |_|\__, |
       |___/|_|            |___/

 Typing
 ********************************************************************/

/********************************************************************
 Basic lemmas around types and typing
 ********************************************************************/

%--------------------------------------------
% Theorems about [(string, typ)]
%--------------------------------------------
Theorem is_list_mem_lookup_type : forall L ID E,
  is_list (is_pair is_string is_typ) L ->
  mem (ID, E) L -> is_string ID ->
  exists E', lookup L ID E'. [Show Proof]

induction on 2. intros IsL Mem IsID. Mem: case Mem.
  %Mem-Here
   search.
  %Mem-Later
   Is: case IsL. Is: case Is.
   Or: apply is_string_eq_or_not to Is IsID. Eq: case Or.
     %A = ID
      search.
     %A = ID -> false
      apply IH to Is1 Mem IsID. search.


Theorem lookup_is_type : forall L ID E,
  is_list (is_pair is_string is_typ) L -> lookup L ID E ->
  is_typ E. [Show Proof]

induction on 2. intros IsL Lkp. Lkp: case Lkp.
  %Lkp-Here
   Is: case IsL. case Is. search.
  %Lkp-Later
   Is: case IsL. apply IH to Is1 Lkp1. search.


Theorem lookup_is_key_type : forall L ID E,
  is_list (is_pair is_string is_typ) L -> lookup L ID E ->
  is_string ID. [Show Proof]

induction on 2. intros IsL Lkp. Lkp: case Lkp.
  %Lkp-Here
   Is: case IsL. case Is. search.
  %Lkp-Later
   Is: case IsL. apply IH to Is1 Lkp1. search.


Theorem mem_is_type : forall L IDE,
  is_list (is_pair is_string is_typ) L -> mem IDE L ->
  is_pair is_string is_typ IDE. [Show Proof]

induction on 2. intros Is M. M: case M.
  %Mem-Here
   case Is. search.
  %Mem-Later
   case Is. apply IH to _ M. search.


Theorem zip_is_type : forall A B L,
  is_list is_string A -> is_list is_typ B -> zip A B L ->
  is_list (is_pair is_string is_typ) L. [Show Proof]

induction on 3. intros IsA IsB Z. Z: case Z.
  %Zip-Nil
   search.
  %Zip-Cons
   IsA: case IsA. IsB: case IsB. apply IH to _ _ Z. search.


Theorem length_exists_list_pair_string_ty : forall L,
  is_list (is_list (is_pair is_string is_typ)) L ->
  exists N, length L N. [Show Proof]

induction on 1. intros IsL. IsL: case IsL.
  %nil
   search.
  %cons
   Len: apply IH to IsL1. Is: apply length_is to Len.
   apply plus_integer_total to _ Is with N1 = 1. search.


%--------------------------------------------
% Theorems about function contexts
% [(string, (type, [type]))]
%--------------------------------------------
Theorem is_list_mem_lookup_funTyCtx : forall L ID E,
  is_list (is_pair is_string
          (is_pair is_typ (is_list is_typ))) L ->
  mem (ID, E) L -> is_string ID ->
  exists E', lookup L ID E'. [Show Proof]

induction on 2. intros IsL Mem IsID. Mem: case Mem.
  %Mem-Here
   search.
  %Mem-Later
   Is: case IsL. Is: case Is.
   Or: apply is_string_eq_or_not to Is IsID. Eq: case Or.
     %A = ID
      search.
     %A = ID -> false
      apply IH to Is1 Mem IsID. search.


Theorem mem_is_funTyCtx : forall L IDE,
  is_list (is_pair is_string
          (is_pair is_typ (is_list is_typ))) L -> mem IDE L ->
  is_pair is_string
  (is_pair is_typ (is_list is_typ)) IDE. [Show Proof]

induction on 2. intros Is M. M: case M.
  %Mem-Here
   case Is. search.
  %Mem-Later
   case Is. apply IH to _ M. search.


Theorem lookup_is_value_funTyCtx : forall L ID E,
  is_list (is_pair is_string
          (is_pair is_typ (is_list is_typ))) L -> lookup L ID E ->
  is_pair is_typ (is_list is_typ) E. [Show Proof]

intros Is L. M: apply lookup_mem to L.
Is: apply mem_is_funTyCtx to _ M. case Is1. search.


Theorem lookup_is_key_funTyCtx : forall L ID E,
  is_list (is_pair is_string
          (is_pair is_typ (is_list is_typ))) L ->
  lookup L ID E ->
  is_string ID. [Show Proof]

intros Is L. M: apply lookup_mem to L.
Is: apply mem_is_funTyCtx to _ M. case Is1. search.


%-------------------------------------------------


Theorem lookupScopes_isTy : forall L X Ty,
  is_list (is_list (is_pair is_string is_typ)) L ->
  lookupScopes X L Ty -> is_typ Ty. [Show Proof]

induction on 2. intros Is L. L: case L.
  %LS-FirstScope
   case Is. apply lookup_is_type to _ L. search.
  %LS-Later
   case Is. apply IH to _ L1. search.


Theorem zip_is_string_ty : forall A B Z,
  is_list is_string A -> is_list is_typ B -> zip A B Z ->
  is_list (is_pair is_string is_typ) Z. [Show Proof]

induction on 3. intros IsA IsB Z. Z: case Z.
  %Zip-Nil
   search.
  %Zip-Cons
   case IsA. case IsB. apply IH to _ _ Z. search.


Theorem length_exists_ty : forall L,
  is_list is_typ L -> exists N, length L N. [Show Proof]

induction on 1. intros IsL. IsL: case IsL.
  %nil
   search.
  %cons
   Len: apply IH to IsL1. Is: apply length_is to Len.
   apply plus_integer_total to _ Is with N1 = 1. search.


%--------------------------------------------
% Theorems about recFieldTys
%--------------------------------------------
Theorem lookupRecFieldTy_is : forall Fields F Ty,
  is_recFieldTys Fields -> lookupRecFieldTy Fields F Ty -> is_typ Ty. [Show Proof]

induction on 2. intros IsF L. L: case L.
  %LFT-Here
   case IsF. search.
  %LFT-Later
   case IsF. apply IH to _ L1. search.


Theorem lookupRecFieldTy_unique : forall Fields F TyA TyB,
  lookupRecFieldTy Fields F TyA -> lookupRecFieldTy Fields F TyB ->
  TyA = TyB. [Show Proof]

induction on 1. intros LA LB. LA: case LA.
  %LRF-Here
   LB: case LB.
     %LRF-Here
      search.
     %LRF-Later
      apply LB to _.
  %LRF-Later
   LB: case LB.
     %LRF-Here
      apply LA to _.
     %LRF-Later
      apply IH to LA1 LB1. search.




/********************************************************************
 Types/Contexts produced in typing have is relations
 ********************************************************************/
Extensible_Theorem
  typeOf_isTy : forall E FT ET Ty,
    IsE : is_expr E ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    Ty : typeOf FT ET E Ty ->
    is_typ Ty
  on Ty,
  stmtOK_isCtx : forall S FT ET ET',
    IsS : is_stmt S ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    Ty : stmtOK FT ET S ET' ->
    is_list (is_list (is_pair is_string is_typ)) ET'
  on Ty
also
  typeOfArgs_isTy : forall A FT ET Tys,
    IsA : is_args A ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    Ty : typeOfArgs FT ET A Tys ->
    is_list is_typ Tys
  on Ty,
  typeOfRecFields_isTy : forall RF FT ET Fields,
    IsRF : is_recFieldExprs RF ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    Ty : typeOfRecFields FT ET RF Fields ->
    is_recFieldTys Fields
  on Ty. [Show Proof]

%typeOf_isTy
 %T-Num
  search.
 %T-Plus
  search.
 %T-Minus
  search.
 %T-Mult
  search.
 %T-Div
  search.
 %T-True
  search.
 %T-False
  search.
 %T-And
  search.
 %T-Or
  search.
 %T-Not
  search.
 %T-Greater
  search.
 %T-Eq-Int
  search.
 %T-Eq-Bool
  search.
 %T-Eq-String
  search.
 %T-String
  search.
 %T-AppString
  search.
 %T-Name
  apply lookupScopes_isTy to _ Ty1. search.
 %T-Call
  case IsE. IsFP: apply lookup_is_value_funTyCtx to _ Ty1. case IsFP.
  search.
 %T-StmtExpr
  case IsE. apply IH1 to _ _ _ Ty1. apply IH to _ _ _ Ty2. search.
 %T-RecBuild
  case IsE. apply IH3 to _ _ _ Ty1. search.
 %T-RecAccess
  case IsE. Is: apply IH to _ _ _ Ty1. case Is.
  apply lookupRecFieldTy_is to _ Ty2. search.
 %T-Error
  case IsE. search.
%stmtOK_isCtx
 %T-Noop
  search.
 %T-Seq
  case IsS. apply IH1 to _ _ _ Ty1. apply IH1 to _ _ _ Ty2. search.
 %T-Declare
  case IsS. apply IH to _ _ _ Ty2. case IsET. search.
 %T-Assign
  search.
 %T-RecUpdate
  search.
 %T-IfThenElse
  search.
 %T-While
  search.
 %T-ScopeStmt
  search.
 %T-Print-Int
  search.
 %T-Print-Bool
  search.
 %T-Print-String
  search.
%typeOfArgs_isTy
 Ty: case Ty.
   %TA-Nil
    search.
   %TA-Cons
    case IsA. apply IH to _ _ _ Ty. apply IH2 to _ _ _ Ty1. search.
%typeOfRecFields_isTy
 Ty: case Ty.
   %TRF-Nil
    search.
   %TRF-Cons
    case IsRF. apply IH to _ _ _ Ty. apply IH3 to _ _ _ Ty1. search.




/********************************************************************
 Statements do not make unwanted modifications to contexts
 ********************************************************************/
Extensible_Theorem
  stmtOK_keep_scopes : forall FT ET S ET' N,
    IsS : is_stmt S ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    Ty : stmtOK FT ET S ET' ->
    L : length ET N ->
    length ET' N
  on Ty. [Show Proof]

%T-Noop
 search.
%T-Seq
 case IsS. apply IH to _ _ _ Ty1 _. apply stmtOK_isCtx to _ _ _ Ty1.
 apply IH to _ _ _ Ty2 _. search.
%T-Declare
 L: case L. search.
%T-Assign
 search.
%T-RecUpdate
 search.
%T-IfThenElse
 search.
%T-While
 search.
%T-ScopeStmt
 search.
%T-Print-Int
 search.
%T-Print-Bool
 search.
%T-Print-String
 search.


Extensible_Theorem
  stmtOK_older_scopes_same : forall FT ET S ET' Scope,
    IsS : is_stmt S ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) (Scope::ET) ->
    Ty : stmtOK FT (Scope::ET) S ET' ->
    exists Scope', ET' = Scope'::ET
  on Ty. [Show Proof]

%T-Noop
 search.
%T-Seq
 case IsS. apply IH to _ _ _ Ty1. apply stmtOK_isCtx to _ _ _ Ty1.
 apply IH to _ _ _ Ty2. search.
%T-Declare
 search.
%T-Assign
 search.
%T-RecUpdate
 search.
%T-IfThenElse
 search.
%T-While
 search.
%T-ScopeStmt
 search.
%T-Print-Int
 search.
%T-Print-Bool
 search.
%T-Print-String
 search.


%Don't overwrite existing names in current scope
%Can't say lookupScopes because can overwrite names from older scopes
%   in this scope
Extensible_Theorem
  stmtOK_first_scope_lookup_same : forall FT ET S Scope Scope' X Ty,
    IsS : is_stmt S ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) (Scope::ET) ->
    Ty : stmtOK FT (Scope::ET) S (Scope'::ET) ->
    L : lookup Scope X Ty ->
    lookup Scope' X Ty
  on Ty. [Show Proof]

%T-Noop
 search.
%T-Seq
 case IsS. apply stmtOK_older_scopes_same to _ _ _ Ty1.
 L': apply IH to _ _ _ Ty1 L. apply stmtOK_isCtx to _ _ _ Ty1.
 apply stmtOK_older_scopes_same to _ _ _ Ty2.
 apply IH to _ _ _ Ty2 L'. search.
%T-Declare
 Is: case IsS. case IsET. Is': apply lookup_is_key_type to _ L.
 Or: apply is_string_eq_or_not to Is1 Is'. E: case Or.
   %X1 = X
    apply no_lookup to Ty1 L.
   %X1 != X
    search.
%T-Assign
 search.
%T-RecUpdate
 search.
%T-IfThenElse
 search.
%T-While
 search.
%T-ScopeStmt
 search.
%T-Print-Int
 search.
%T-Print-Bool
 search.
%T-Print-String
 search.




/********************************************************************
 Typing unique
 ********************************************************************/
Extensible_Theorem
  typeOf_unique : forall FT ET_A ET_B E TyA TyB,
    IsE : is_expr E ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsA : is_list (is_list (is_pair is_string is_typ)) ET_A ->
    IsB : is_list (is_list (is_pair is_string is_typ)) ET_B ->
    TyA : typeOf FT ET_A E TyA ->
    TyB : typeOf FT ET_B E TyB ->
    Lkp : lookup_all_scopes ET_A ET_B ->
    TyA = TyB
  on TyA as IH_E,
  stmtOK_unique : forall FT ET_A ET_B S ET_A' ET_B',
    IsS : is_stmt S ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsA : is_list (is_list (is_pair is_string is_typ)) ET_A ->
    IsB : is_list (is_list (is_pair is_string is_typ)) ET_B ->
    TyA : stmtOK FT ET_A S ET_A' ->
    TyB : stmtOK FT ET_B S ET_B' ->
    Lkp : lookup_all_scopes ET_A ET_B ->
    lookup_all_scopes ET_A' ET_B'
  on TyA as IH_S
also
  typeOfArgs_unique : forall FT ET_A ET_B A TysA TysB,
    IsA : is_args A ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsA : is_list (is_list (is_pair is_string is_typ)) ET_A ->
    IsB : is_list (is_list (is_pair is_string is_typ)) ET_B ->
    TyA : typeOfArgs FT ET_A A TysA ->
    TyB : typeOfArgs FT ET_B A TysB ->
    Lkp : lookup_all_scopes ET_A ET_B ->
    TysA = TysB
  on TyA as IH_A,
  typeOfRecFields_unique : forall FT ET_A ET_B RF FieldsA FieldsB,
    IsRF : is_recFieldExprs RF ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsA : is_list (is_list (is_pair is_string is_typ)) ET_A ->
    IsB : is_list (is_list (is_pair is_string is_typ)) ET_B ->
    TyA : typeOfRecFields FT ET_A RF FieldsA ->
    TyB : typeOfRecFields FT ET_B RF FieldsB ->
    Lkp : lookup_all_scopes ET_A ET_B ->
    FieldsA = FieldsB
  on TyA as IH_RF. [Show Proof]

%typeOf_unique
 %T-Num
  case TyB. search.
 %T-Plus
  case TyB. search.
 %T-Minus
  case TyB. search.
 %T-Mult
  case TyB. search.
 %T-Div
  case TyB. search.
 %T-True
  case TyB. search.
 %T-False
  case TyB. search.
 %T-And
  case TyB. search.
 %T-Or
  case TyB. search.
 %T-Not
  case TyB. search.
 %T-Greater
  case TyB. search.
 %T-Eq-Int
  case TyB. search. search. search.
 %T-Eq-Bool
  case TyB. search. search. search.
 %T-Eq-String
  case TyB. search. search. search.
 %T-String
  case TyB. search.
 %T-AppString
  case TyB. search.
 %T-Name
  TyB: case TyB. case IsE.
  L: apply lookup_all_scopes_lookupScopes to _ Lkp TyA1.
  apply lookupScopes_unique to L TyB. search.
 %T-Call
  TyB: case TyB. apply lookup_unique to TyA1 TyB. search.
 %T-StmtExpr
  case IsE. TyB: case TyB. apply IH_S to _ _ _ _ TyA1 TyB _.
  apply stmtOK_isCtx to _ _ _ TyA1. apply stmtOK_isCtx to _ _ _ TyB.
  apply IH_E to _ _ _ _ TyA2 TyB1 _. search.
 %T-RecBuild
  case IsE. TyB: case TyB. apply IH_RF to _ _ _ _ TyA1 TyB _. search.
 %T-RecAccess
  case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _.
  apply lookupRecFieldTy_unique to TyA2 TyB1. search.
 %T-Error
  case TyB. search.
%stmtOK_unique
 %T-Noop
  case TyB. search.
 %T-Seq
  case IsS. TyB: case TyB. apply IH_S to _ _ _ _ TyA1 TyB _.
  apply stmtOK_isCtx to _ _ _ TyA1. apply stmtOK_isCtx to _ _ _ TyB.
  apply IH_S to _ _ _ _ TyA2 TyB1 _. search.
 %T-Declare
  case IsS. TyB: case TyB. apply IH_E to _ _ _ _ TyA2 TyB1 _.
  backchain lookup_all_scopes_add.
 %T-Assign
  case TyB. search.
 %T-RecUpdate
  case IsS. TyB: case TyB. search.
 %T-IfThenElse
  TyB: case TyB. search.
 %T-While
  TyB: case TyB. search.
 %T-ScopeStmt
  TyB: case TyB. search.
 %T-Print-Int
  TyB: case TyB.
    %T-Print-Int
     search.
    %T-Print-Bool
     search.
    %T-Print-String
     search.
 %T-Print-Bool
  case TyB.
    %T-Print-Int
     search.
    %T-Print-Bool
     search.
    %T-Print-String
     search.
 %T-Print-String
  case TyB.
    %T-Print-Int
     search.
    %T-Print-Bool
     search.
    %T-Print-String
     search.
%typeOfArgs_unique
 TyA: case TyA.
   %TRF-Nil
    case TyB. search.
   %TRF-Cons
    case IsA. TyB: case TyB. apply IH_E to _ _ _ _ TyA TyB _.
    apply IH_A to _ _ _ _ TyA1 TyB1 _. search.
%typeOfRecFields_unique
 TyA: case TyA.
   %TRF-Nil
    case TyB. search.
   %TRF-Cons
    case IsRF. TyB: case TyB. apply IH_E to _ _ _ _ TyA TyB _.
    apply IH_RF to _ _ _ _ TyA1 TyB1 _. search.




/********************************************************************
 Gathered function typing information has is relations
 ********************************************************************/
Extensible_Theorem
  paramTy_is : forall P N T,
    IsP : is_param P ->
    PT : paramTy P N T ->
    is_string N /\ is_typ T
  on PT. [Show Proof]

%PT-Param
 case IsP. search.


Theorem paramTys_is : forall Ps PTys,
  is_list is_param Ps -> paramTys Ps PTys ->
  is_list (is_pair is_string is_typ) PTys. [Show Proof]

induction on 2. intros IsPs PT. PT: case PT.
  %PT-Nil
   search.
  %PT-Cons
   case IsPs. apply paramTy_is to _ PT. apply IH to _ PT1. search.


Theorem values_is_ty : forall L V,
  is_list (is_pair is_string is_typ) L -> values L V ->
  is_list is_typ V. [Show Proof]

induction on 2. intros Is V. V: case V.
  %V-Nil
   search.
  %V-Cons
   Is: case Is. case Is. apply IH to _ V. search.


Extensible_Theorem
  getFunInfo_is : forall F N R P,
    IsF : is_fun F ->
    GFI : getFunInfo F N R P ->
    is_string N /\ is_typ R /\ is_list is_typ P
  on GFI. [Show Proof]

%GFI-Fun
 case IsF. apply paramTys_is to _ GFI1. apply values_is_ty to _ GFI2.
 search.


Theorem gatherFunInfo_is : forall Fs Ctx,
  is_list is_fun Fs -> gatherFunInfo Fs Ctx ->
  is_list (is_pair is_string (is_pair is_typ (is_list is_typ))) Ctx. [Show Proof]

induction on 2. intros IsFs GFI. GFI: case GFI.
  %GFI-Nil
   search.
  %GFI-Cons
   case IsFs. apply getFunInfo_is to _ GFI. apply IH to _ GFI1.
   search.




/********************************************************************
 Gathered function typing information always exists
 ********************************************************************/
Extensible_Theorem
  paramTy_exists : forall P,
    IsP : is_param P ->
    exists N T, paramTy P N T
  on IsP. [Show Proof]

%param
 search.


Theorem paramTys_exists : forall Ps,
  is_list is_param Ps -> exists PTys, paramTys Ps PTys. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   apply paramTy_exists to Is. apply IH to Is1. search.


Theorem values_exists_ty : forall L,
  is_list (is_pair is_string is_typ) L -> exists V, values L V. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   case Is. apply IH to Is1. search.


Extensible_Theorem
  getFunInfo_exists : forall F,
    IsF : is_fun F ->
    exists N R P, getFunInfo F N R P
  on IsF. [Show Proof]

%fun
 PT: apply paramTys_exists to IsF5. Is: apply paramTys_is to _ PT.
 apply values_exists_ty to Is. search.


Theorem gatherFunInfo_exists : forall Fs,
  is_list is_fun Fs -> exists Ctx, gatherFunInfo Fs Ctx. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   apply getFunInfo_exists to Is. apply IH to Is1. search.





/********************************************************************
  _____            _             _   _
 | ____|_   ____ _| |_   _  __ _| |_(_) ___  _ __
 |  _| \ \ / / _` | | | | |/ _` | __| |/ _ \| '_ \
 | |___ \ V / (_| | | |_| | (_| | |_| | (_) | | | |
 |_____| \_/ \__,_|_|\__,_|\__,_|\__|_|\___/|_| |_|

 Evaluation
 ********************************************************************/

/********************************************************************
 Basic lemmas around values and evaluation
 ********************************************************************/

%--------------------------------------------
% Theorems about [(string, value)]
%--------------------------------------------
Theorem is_list_mem_lookup : forall L ID E,
  is_list (is_pair is_string is_value) L ->
  mem (ID, E) L -> is_string ID ->
  exists E', lookup L ID E'. [Show Proof]

induction on 2. intros IsL Mem IsID. Mem: case Mem.
  %Mem-Here
   search.
  %Mem-Later
   Is: case IsL. Is: case Is.
   Or: apply is_string_eq_or_not to Is IsID. Eq: case Or.
     %A = ID
      search.
     %A = ID -> false
      apply IH to Is1 Mem IsID. search.


Theorem lookup_is_value : forall L ID E,
  is_list (is_pair is_string is_value) L -> lookup L ID E ->
  is_value E. [Show Proof]

induction on 2. intros IsL Lkp. Lkp: case Lkp.
  %Lkp-Here
   Is: case IsL. case Is. search.
  %Lkp-Later
   Is: case IsL. apply IH to Is1 Lkp1. search.


Theorem lookup_is_key : forall L ID E,
  is_list (is_pair is_string is_value) L -> lookup L ID E ->
  is_string ID. [Show Proof]

induction on 2. intros IsL Lkp. Lkp: case Lkp.
  %Lkp-Here
   Is: case IsL. case Is. search.
  %Lkp-Later
   Is: case IsL. apply IH to Is1 Lkp1. search.


Theorem lookup_string_value_list_or_no : forall L X,
  is_list (is_pair is_string is_value) L -> is_string X ->
  (exists V, lookup L X V) \/ no_lookup L X. [Show Proof]

induction on 1. intros IsL IsX. IsL: case IsL.
  %nil
   search.
  %cons
   Is: case IsL. Or: apply is_string_eq_or_not to Is IsX. E: case Or.
     %A = X
      search.
     %A != X
      Or: apply IH to IsL1 IsX. L: case Or.
        %lookup T X V
         search.
        %no_lookup T X
         search.


Theorem mem_is : forall L IDE,
  is_list (is_pair is_string is_value) L -> mem IDE L ->
  is_pair is_string is_value IDE. [Show Proof]

induction on 2. intros Is M. M: case M.
  %Mem-Here
   case Is. search.
  %Mem-Later
   case Is. apply IH to _ M. search.


Theorem zip_is : forall A B L,
  is_list is_string A -> is_list is_value B -> zip A B L ->
  is_list (is_pair is_string is_value) L. [Show Proof]

induction on 3. intros IsA IsB Z. Z: case Z.
  %Zip-Nil
   search.
  %Zip-Cons
   IsA: case IsA. IsB: case IsB. apply IH to _ _ Z. search.


Theorem select_is : forall L X L',
  is_list (is_pair is_string is_value) L -> select X L' L ->
  is_list (is_pair is_string is_value) L'. [Show Proof]

induction on 2. intros Is S. S: case S.
  %Slct-First
   case Is. search.
  %Slct-Later
   case Is. apply IH to _ S. search.


Theorem domain_is : forall L D,
  is_list (is_pair is_string is_value) L -> domain L D ->
  is_list is_string D. [Show Proof]

induction on 2. intros IsL D. D: case D.
  %Dmn-Nil
   search.
  %Dmn-Cons
   Is: case IsL. case Is. apply IH to _ D. search.


Theorem names_is : forall L N,
  is_list (is_list (is_pair is_string is_value)) L -> names L N ->
  is_list is_string N. [Show Proof]

induction on 2. intros Is N. N: case N.
  %Names-Nil
   search.
  %Names-Cons
   case Is. IsNRest: apply IH to _ N1.
   IsNScope: apply domain_is to _ N.
   apply append_list_string_is to _ _ N2. search.


Theorem domain_exists : forall L,
  is_list (is_pair is_string is_value) L -> exists D, domain L D. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   case Is. apply IH to Is1. search.


Theorem names_exists : forall L,
  is_list (is_list (is_pair is_string is_value)) L ->
  exists N, names L N. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   D: apply domain_exists to Is. N: apply IH to Is1.
   IsD: apply domain_is to Is D. IsN: apply names_is to _ N.
   apply append_list_string_total to IsD IsN. search.


%--------------------------------------------
% Theorems about function contexts
% [(string, (string, value, [string], stmt))]
%--------------------------------------------
Theorem is_list_mem_lookup_funCtx : forall L ID E,
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) L ->
  mem (ID, E) L -> is_string ID ->
  exists E', lookup L ID E'. [Show Proof]

induction on 2. intros IsL Mem IsID. Mem: case Mem.
  %Mem-Here
   search.
  %Mem-Later
   Is: case IsL. Is: case Is.
   Or: apply is_string_eq_or_not to Is IsID. Eq: case Or.
     %A = ID
      search.
     %A = ID -> false
      apply IH to Is1 Mem IsID. search.


Theorem mem_is_funCtx : forall L IDE,
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) L -> mem IDE L ->
  is_pair is_string
      (is_pair is_string (is_pair is_value
                         (is_pair (is_list is_string) is_stmt))) IDE. [Show Proof]

induction on 2. intros Is M. M: case M.
  %Mem-Here
   case Is. search.
  %Mem-Later
   case Is. apply IH to _ M. search.


Theorem lookup_is_value_funCtx : forall L ID E,
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) L ->
  lookup L ID E ->
  is_pair is_string (is_pair is_value
                       (is_pair (is_list is_string) is_stmt)) E. [Show Proof]

intros Is L. M: apply lookup_mem to L. Is: apply mem_is_funCtx to _ M.
case Is1. search.


Theorem lookup_is_key_funCtx : forall L ID E,
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) L ->
  lookup L ID E ->
  is_string ID. [Show Proof]

intros Is L. M: apply lookup_mem to L. Is: apply mem_is_funCtx to _ M.
case Is1. search.


%--------------------------------------------
% Theorems about remove_all
%--------------------------------------------
Theorem remove_all_mem[Key, Item] :
  forall (L : list (pair Key Item)) K L' I,
    remove_all L K L' -> mem (K, I) L' -> false. [Show Proof]

induction on 1. intros RA M. RA: case RA.
  %RA-Nil
   case M.
  %RA-Remove
   apply IH to RA M.
  %RA-Keep
   M: case M.
     %Mem-Here
      backchain RA.
     %Mem-Later
      apply IH to RA1 M.


Theorem remove_all_lookup_other[Key, Item] :
  forall (L : list (pair Key Item)) K L' X I,
    remove_all L K L' -> lookup L' X I -> (K = X -> false) ->
    lookup L X I. [Show Proof]

induction on 1. intros R L N. R: case R.
  %RA-Nil
   case L.
  %RA-Remove
   apply IH to R L _. search.
  %RA-Keep
   L: case L.
     %Lkp-First
      search.
     %Lkp-Later
      apply IH to R1 L1 _. search.


Theorem remove_all_lookup_other_back[Key, Item] :
  forall (L : list (pair Key Item)) K L' X I,
    remove_all L K L' -> lookup L X I -> (K = X -> false) ->
    lookup L' X I. [Show Proof]

induction on 1. intros R L N. R: case R.
  %RA-Nil
   case L.
  %RA-Remove
   L: case L.
     %Lkp-First
      apply N to _.
     %Lkp-Later
      apply IH to R L1 _. search.
  %RA-Keep
   L: case L.
     %Lkp-First
      search.
     %Lkp-Later
      apply IH to R1 L1 _. search.


Theorem remove_all_lookups : forall LA LB K LA' LB' X I,
    is_list (is_pair is_string is_value) LA ->
    is_list (is_pair is_string is_value) LB ->
    is_string K -> is_string X ->
    (forall X I, lookup LA X I -> lookup LB X I) ->
    remove_all LA K LA' -> remove_all LB K LB' -> lookup LA' X I ->
    lookup LB' X I. [Show Proof]

intros IsA IsB IsK IsX Lkp RA RB L.
Or: apply is_string_eq_or_not to IsK IsX. E: case Or.
  %X = K
   M: apply lookup_mem to L. apply remove_all_mem to RA M.
  %X != K
   L': apply remove_all_lookup_other to RA L E. LB: apply Lkp to L'.
   apply remove_all_lookup_other_back to RB LB _. search.


Theorem remove_all_no_lookup_back[Key, Item] :
  forall (L : list (pair Key Item)) K L' X,
    remove_all L K L' -> no_lookup L X -> no_lookup L' X. [Show Proof]

induction on 1. intros RA N. RA: case RA.
  %RA-Nil
   search.
  %RA-Remove
   N: case N. apply IH to RA N1. search.
  %RA-Keep
   N: case N. apply IH to RA1 N1. search.


Theorem remove_all_no_lookup : forall L K L' X,
  is_list (is_pair is_string is_value) L ->
  is_string K -> is_string X ->
  remove_all L K L' -> no_lookup L' X -> no_lookup L X \/ X = K. [Show Proof]

induction on 4. intros IsL IsK IsX RA N. RA: case RA.
  %RA-Nil
   search.
  %RA-Remove
   Is: case IsL. Or: apply IH to _ _ _ RA N. E: case Or.
     %no_lookup Rest X
      Or: apply is_string_eq_or_not to IsK IsX. NE: case Or.
        %K = X
         search.
        %K != X
         search.
     %X = K
      search.
  %RA-Keep
   N: case N. Is: case IsL. Or: apply IH to _ _ _ RA1 N1. E: case Or.
     %no_lookup Rest X
      Or: apply is_string_eq_or_not to IsK IsX. NE: case Or.
        %K = X
         search.
        %K != X
         search.
     %X = K
      search.


%--------------------------------------------
% Theorems about length
%--------------------------------------------
Theorem length_exists_list_pair_string_value : forall L,
  is_list (is_list (is_pair is_string is_value)) L ->
  exists N, length L N. [Show Proof]

induction on 1. intros IsL. IsL: case IsL.
  %nil
   search.
  %cons
   Len: apply IH to IsL1. Is: apply length_is to Len.
   apply plus_integer_total to _ Is with N1 = 1. search.


Theorem length_exists_value : forall L,
  is_list is_value L -> exists N, length L N. [Show Proof]

induction on 1. intros IsL. IsL: case IsL.
  %nil
   search.
  %cons
   Len: apply IH to IsL1. Is: apply length_is to Len.
   apply plus_integer_total to _ Is with N1 = 1. search.


%--------------------------------------------
% Theorems about zip
%--------------------------------------------
Theorem zip_exists[A, B] : forall (A : list A) (B : list B) N,
  length A N -> length B N -> exists Z, zip A B Z. [Show Proof]

induction on 1. intros LA LB. LA: case LA.
  %A = []
   LB: case LB.
     %B = []
      search.
     %B cons
      GEq: apply length_geq_0 to LB.
      Or: apply greatereq_integer_greater_or_eq to GEq. L: case Or.
        %N' > 0
         apply length_is to LB. apply lt_plus_one to LB1 _.
         apply greater_less_impossible to L _.
        %N' = 0
         case LB1.
  %A cons
   LB: case LB.
     %B = []
      GEq: apply length_geq_0 to LA.
      Or: apply greatereq_integer_greater_or_eq to GEq. L: case Or.
        %N' > 0
         apply length_is to LA. apply lt_plus_one to LA1 _.
         apply greater_less_impossible to L _.
        %N1 = 0
         case LA1.
     %B cons
      apply length_is to LA. apply length_is to LB.
      apply plus_integer_unique_addend to _ _ _ LA1 LB1.
      apply IH to LA LB. search.


Theorem zip_is_string_value : forall A B Z,
  is_list is_string A -> is_list is_value B -> zip A B Z ->
  is_list (is_pair is_string is_value) Z. [Show Proof]

induction on 3. intros IsA IsB Z. Z: case Z.
  %Zip-Nil
   search.
  %Zip-Cons
   case IsA. case IsB. apply IH to _ _ Z. search.


%--------------------------------------------


Theorem mem_lookup : forall L X V,
  is_list (is_pair is_string is_value) L -> mem (X, V) L ->
  exists V', lookup L X V'. [Show Proof]

induction on 2. intros IsL M. M: case M.
  %Mem-Here
   search.
  %Mem-Later
   IsL: case IsL. Is: apply mem_is to _ M. IsA: case IsL.
   IsB: case Is. Or: apply is_string_eq_or_not to IsA IsB. E: case Or.
     %A = X
      search.
     %A != X
      apply IH to _ M. search.


Theorem replaceScopes_lookup_all_scopes : forall X V A B A' B',
    is_list (is_list (is_pair is_string is_value)) A ->
    is_list (is_list (is_pair is_string is_value)) B ->
    lookup_all_scopes A B ->
    replaceScopes X V A A' -> replaceScopes X V B B' ->
    lookup_all_scopes A' B'. [Show Proof]

induction on 4. intros IsA IsB LAS RA RB. RA: case RA.
  %RS-FirstScope
   RB: case RB.
     %RS-FirstScope
      LAS: case LAS (keep). unfold.
        %lookup
         intros L. L: case L.
           %Lkp-Here (X = X1)
            search.
           %Lkp-Later (X != X1)
            LL: apply remove_all_lookup_other to RA1 L1 _.
            LB: apply LAS1 to LL.
            apply remove_all_lookup_other_back to RB1 LB _. search.
        %no_lookup
         intros X N. N: case N. case IsB. IsP: apply mem_is to _ RB.
         case IsP. case IsA.
         Or: apply remove_all_no_lookup to _ _ _ RA1 N1. NL: case Or.
           %no_lookup L X1
            NL1: apply LAS2 to _ NL.
            apply remove_all_no_lookup_back to RB1 NL1. search.
           %X1 = X
            apply N to _.
        %rest
         search.
     %RS-Later
      case IsA. LA: apply mem_lookup to _ RA. LAS: case LAS.
      LB: apply LAS to LA. apply no_lookup to RB LB.
  %RS-Later
   RB: case RB.
     %RS-FirstScope
      LAS: case LAS. case IsB. IsP: apply mem_is to _ RB. case IsP.
      LB: apply LAS1 to _ RA. apply no_lookup_mem to LB RB.
     %RS-Later
      LAS: case LAS. case IsA. case IsB. apply IH to _ _ _ RA1 RB1.
      search.




/********************************************************************
 Evaluation-produced values and contexts have is relations
 ********************************************************************/
 Theorem lookupScopes_is : forall L X V,
  is_list (is_list (is_pair is_string is_value)) L ->
  lookupScopes X L V -> is_value V /\ is_string X. [Show Proof]

induction on 2. intros Is L. L: case L.
  %LS-FirstScope
   case Is. apply lookup_is_value to _ L. apply lookup_is_key to _ L.
   search.
  %LS-Later
   case Is. apply IH to _ L1. search.


Theorem remove_all_is : forall L X L',
  is_list (is_pair is_string is_value) L -> remove_all L X L' ->
  is_list (is_pair is_string is_value) L'. [Show Proof]

induction on 2. intros IsL R. R: case R.
  %RA-Nil
   search.
  %RA-Remove
   Is: case IsL. apply IH to _ R. search.
  %RA-Keep
   Is: case IsL. apply IH to _ R1. search.


Theorem replaceScopes_is : forall L X V L',
  is_list (is_list (is_pair is_string is_value)) L -> is_value V ->
  replaceScopes X V L L' ->
  is_list (is_list (is_pair is_string is_value)) L'. [Show Proof]

induction on 3. intros IsL IsV R. R: case R.
  %RS-FirstScope
   case IsL. apply remove_all_is to _ R1. IsP: apply mem_is to _ R.
   case IsP. search.
  %RS-Later
   case IsL. apply IH to _ _ R1. search.


Theorem replaceRecVal_is : forall F V L L',
  is_value V -> is_list (is_pair is_string is_value) L ->
  replaceRecVal F V L L' -> is_list (is_pair is_string is_value) L'. [Show Proof]

induction on 3. intros IsV IsL RRV. RRV: case RRV.
  %RRV-Here
   Is: case IsL. case Is. search.
  %RRV-Later
   Is: case IsL. apply IH to _ _ RRV1. search.


Theorem updateRecFields_is : forall Fs V L L',
  is_value V -> is_list is_string Fs ->
  is_list (is_pair is_string is_value) L ->
  updateRecFields Fs V L L' ->
  is_list (is_pair is_string is_value) L'. [Show Proof]

induction on 4. intros IsV IsFs IsL U. U: case U.
  %URF-One
   apply replaceRecVal_is to _ _ U. case IsFs. search.
  %URF-Step
   IsFs: case IsFs. IsRV: apply lookup_is_value to _ U. case IsRV.
   apply IH to _ _ _ U1. apply replaceRecVal_is to _ _ U2. search.


Extensible_Theorem
  evalExpr_isCtx : forall FE EE EE' E V O,
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalExpr FE EE E V EE' O ->
    is_list (is_list (is_pair is_string is_value)) EE'
  on Ev as IH_C_E,
  evalExpr_isValue : forall FE EE EE' E V O,
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalExpr FE EE E V EE' O ->
    is_value V
  on Ev as IH_V_E,
  evalStmt_isCtx : forall FE EE EE' S O,
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalStmt FE EE S EE' O ->
    is_list (is_list (is_pair is_string is_value)) EE'
  on Ev as IH_C_S,
  evalArgs_isCtx : forall FE EE EE' A V O,
    IsA : is_args A ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalArgs FE EE A V EE' O ->
    is_list (is_list (is_pair is_string is_value)) EE'
  on Ev as IH_C_A,
  evalArgs_isValue : forall FE EE EE' A V O,
    IsA : is_args A ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalArgs FE EE A V EE' O ->
    is_list is_value V
  on Ev as IH_V_A,
  evalRecFields_isCtx : forall FE EE EE' RF V O,
    IsRF : is_recFieldExprs RF ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalRecFields FE EE RF V EE' O ->
    is_list (is_list (is_pair is_string is_value)) EE'
  on Ev as IH_C_RF,
  evalRecFields_isValue : forall FE EE EE' RF V O,
    IsRF : is_recFieldExprs RF ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalRecFields FE EE RF V EE' O ->
    is_list (is_pair is_string is_value) V
  on Ev as IH_V_RF. [Show Proof]

%evalExpr_isCtx
 %E-Num
  search.
 %E-Plus
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Minus
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Mult
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Div
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-And-False1
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. search.
 %E-And-False2
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Or-True1
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. search.
 %E-Or-True2
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Or-False
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Not-True
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. search.
 %E-Not-False
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. search.
 %E-Greater-True
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Greater-False
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Eq-True
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Eq-False
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-String
  search.
 %E-AppString
  Is: case IsE. apply IH_C_E to _ _ _ Ev1. apply IH_C_E to _ _ _ Ev2.
  search.
 %E-Name
  search.
 %E-Call
  case IsE. apply IH_C_A to _ _ _ Ev2. search.
 %E-StmtExpr
  Is: case IsE. apply IH_C_S to _ _ _ Ev1.
  IsEE3: apply IH_C_E to _ _ _ Ev2. case IsEE3. search.
 %E-RecBuild
  case IsE. apply IH_C_RF to _ _ _ Ev1. search.
 %E-RecAccess
  case IsE. apply IH_C_E to _ _ _ Ev1. search.
%evalExpr_isValue
 %E-Num
  case IsE. search.
 %E-Plus
  case IsE. IsI1: apply IH_V_E to _ _ _ Ev1.
  apply IH_C_E to _ _ _ Ev1. IsI2: apply IH_V_E to _ _ _ Ev2.
  case IsI1. case IsI2. apply plus_integer_is_integer to _ _ Ev3.
  search.
 %E-Minus
  case IsE. IsI1: apply IH_V_E to _ _ _ Ev1.
  apply IH_C_E to _ _ _ Ev1. IsI2: apply IH_V_E to _ _ _ Ev2.
  case IsI1. case IsI2. apply minus_integer_is_integer to _ _ Ev3.
  search.
 %E-Mult
  case IsE. IsI1: apply IH_V_E to _ _ _ Ev1.
  apply IH_C_E to _ _ _ Ev1. IsI2: apply IH_V_E to _ _ _ Ev2.
  case IsI1. case IsI2. apply multiply_integer_is_integer to _ _ Ev3.
  search.
 %E-Div
  case IsE. IsI1: apply IH_V_E to _ _ _ Ev1.
  apply IH_C_E to _ _ _ Ev1. IsI2: apply IH_V_E to _ _ _ Ev2.
  case IsI1. case IsI2. apply divide_integer_is_integer to _ _ Ev3.
  search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  search.
 %E-And-False1
  search.
 %E-And-False2
  search.
 %E-Or-True1
  search.
 %E-Or-True2
  search.
 %E-Or-False
  search.
 %E-Not-True
  search.
 %E-Not-False
  search.
 %E-Greater-True
  search.
 %E-Greater-False
  search.
 %E-Eq-True
  search.
 %E-Eq-False
  search.
 %E-String
  case IsE. search.
 %E-AppString
  case IsE. IsI1: apply IH_V_E to _ _ _ Ev1.
  apply IH_C_E to _ _ _ Ev1. IsI2: apply IH_V_E to _ _ _ Ev2.
  case IsI1. case IsI2. apply is_string_append to _ _ Ev3. search.
 %E-Name
  case IsE. apply lookupScopes_is to _ Ev1. search.
 %E-Call
  IsF: apply lookup_is_value_funCtx to _ Ev1. IsF: case IsF.
  IsF: case IsF1. IsF: case IsF2. case IsE. apply IH_V_A to _ _ _ Ev2.
  apply zip_is to _ _ Ev3. apply IH_C_S to _ _ _ Ev4.
  apply lookupScopes_is to _ Ev6. search.
 %E-StmtExpr
  Is: case IsE. apply IH_C_S to _ _ _ Ev1. apply IH_V_E to _ _ _ Ev2.
  search.
 %E-RecBuild
  case IsE. apply IH_V_RF to _ _ _ Ev1. search.
 %E-RecAccess
  Is: case IsE. IsRV: apply IH_V_E to _ _ _ Ev1. case IsRV.
  apply lookup_is_value to _ Ev2. search.
%evalStmt_isCtx
 %E-Noop
  search.
 %E-Seq
  case IsS. apply IH_C_S to _ _ _ Ev1. apply IH_C_S to _ _ _ Ev2.
  search.
 %E-Declare
  case IsS. IsC: apply IH_C_E to _ _ _ Ev1.
  apply IH_V_E to _ _ _ Ev1. case IsC. search.
 %E-Assign
  case IsS. apply IH_C_E to _ _ _ Ev1. apply IH_V_E to _ _ _ Ev1.
  apply replaceScopes_is to _ _ Ev2. search.
 %E-RecUpdate
  case IsS. IsRV: apply lookupScopes_is to _ Ev2. case IsRV.
  apply IH_V_E to _ _ _ Ev1. apply updateRecFields_is to _ _ _ Ev3.
  apply IH_C_E to _ _ _ Ev1. apply replaceScopes_is to _ _ Ev4.
  search.
 %E-If-True
  case IsS. apply IH_C_E to _ _ _ Ev1. Is': apply IH_C_S to _ _ _ Ev2.
  case Is'. search.
 %E-If-False
  case IsS. apply IH_C_E to _ _ _ Ev1. Is': apply IH_C_S to _ _ _ Ev2.
  case Is'. search.
 %E-While-True
  case IsS. apply IH_C_E to _ _ _ Ev1.
  IsEE4+: apply IH_C_S to _ _ _ Ev2. case IsEE4+.
  apply IH_C_S to _ _ _ Ev3. search.
 %E-While-False
  case IsS. apply IH_C_E to _ _ _ Ev1. search.
 %E-ScopeStmt
  case IsS. Is: apply IH_C_S to _ _ _ Ev1. case Is. search.
 %E-Print-Int
  case IsS. apply IH_C_E to _ _ _ Ev1. search.
 %E-Print-True
  case IsS. apply IH_C_E to _ _ _ Ev1. search.
 %E-Print-False
  case IsS. apply IH_C_E to _ _ _ Ev1. search.
 %E-Print-String
  case IsS. apply IH_C_E to _ _ _ Ev1. search.
%evalArgs_isCtx
 %EA-Nil
  search.
 %EA-Cons
  case IsA. apply IH_C_E to _ _ _ Ev1. apply IH_C_A to _ _ _ Ev2.
  search.
%evalArgs_isValue
 %EA-Nil
  search.
 %EA-Cons
  case IsA. apply IH_C_E to _ _ _ Ev1. apply IH_V_E to _ _ _ Ev1.
  apply IH_V_A to _ _ _ Ev2. search.
%evalRecFields_isCtx
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. apply IH_C_E to _ _ _ Ev1. apply IH_C_RF to _ _ _ Ev2.
  search.
%evalRecFields_isValue
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. apply IH_C_E to _ _ _ Ev1. apply IH_V_E to _ _ _ Ev1.
  apply IH_V_RF to _ _ _ Ev2. search.


Theorem append_values_is : forall LA LB L,
  is_list is_value LA -> is_list is_value LB -> LA ++ LB = L ->
  is_list is_value L. [Show Proof]

induction on 1. intros IsA IsB App. IsA: case IsA.
  %nil
   case App. search.
  %cons
   App: case App. apply IH to IsA1 IsB App. search.


/*
  We put this in a separate group from the other is theorems above as
  a deliberate choice to prevent extensions from making their values
  depend on printed values.
 */
Extensible_Theorem
  evalExpr_isOutput : forall FE EE EE' E V O,
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalExpr FE EE E V EE' O ->
    is_list is_value O
  on Ev as IH_E,
  evalStmt_isOutput : forall FE EE EE' S O,
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalStmt FE EE S EE' O ->
    is_list is_value O
  on Ev as IH_S,
  evalArgs_isOutput : forall FE EE EE' A V O,
    IsA : is_args A ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalArgs FE EE A V EE' O ->
    is_list is_value O
  on Ev as IH_A,
  evalRecFields_isOutput : forall FE EE EE' RF V O,
    IsRF : is_recFieldExprs RF ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalRecFields FE EE RF V EE' O ->
    is_list is_value O
  on Ev as IH_RF. [Show Proof]

%evalExpr_isOutput
 %E-Num
  search.
 %E-Plus
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-Minus
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-Mult
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-Div
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-And-False1
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-And-False2
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-Or-True1
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Or-True2
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-Or-False
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-Not-True
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Not-False
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Greater-True
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-Greater-False
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-Eq-True
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-Eq-False
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-String
  search.
 %E-AppString
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-Name
  search.
 %E-Call
  IsFP: apply lookup_is_value_funCtx to _ Ev1. IsF: case IsFP.
  IsF: case IsF1. IsF: case IsF2. case IsE.
  apply evalArgs_isValue to _ _ _ Ev2. apply zip_is to _ _ Ev3.
  apply IH_S to _ _ _ Ev4. apply IH_A to _ _ _ Ev2.
  apply append_values_is to _ _ Ev5. search.
 %E-StmtExpr
  case IsE. apply IH_S to _ _ _ Ev1.
  apply evalStmt_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-RecBuild
  case IsE. apply IH_RF to _ _ _ Ev1. search.
 %E-RecAccess
  case IsE. apply IH_E to _ _ _ Ev1. search.
%evalStmt_isOutput
 %E-Noop
  search.
 %E-Seq
  case IsS. apply IH_S to _ _ _ Ev1.
  apply evalStmt_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-Declare
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-Assign
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-RecUpdate
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-If-True
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-If-False
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-While-True
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  Is: apply evalStmt_isCtx to _ _ _ Ev2. case Is.
  apply IH_S to _ _ _ Ev3. apply append_values_is to _ _ Ev4.
  apply append_values_is to _ _ Ev5. search.
 %E-While-False
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-ScopeStmt
  case IsS. apply IH_S to _ _ _ Ev1. search.
 %E-Print-Int
  case IsS. apply IH_E to _ _ _ Ev1.
  IsV: apply evalExpr_isValue to _ _ _ Ev1. case IsV.
  apply append_values_is to _ _ Ev2. search.
 %E-Print-True
  case IsS. apply IH_E to _ _ _ Ev1.
  apply append_values_is to _ _ Ev2. search.
 %E-Print-False
  case IsS. apply IH_E to _ _ _ Ev1.
  apply append_values_is to _ _ Ev2. search.
 %E-Print-String
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isValue to _ _ _ Ev1.
  apply append_values_is to _ _ Ev2. search.
%evalArgs_isOutput
 %EA-Nil
  search.
 %EA-Cons
  case IsA. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_A to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
%evalRecFields_isOutput
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_RF to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.




/********************************************************************
 Gathered function evaluation information has is relations
 ********************************************************************/
Extensible_Theorem
  paramName_is : forall P N,
    IsP : is_param P ->
    PN : paramName P N ->
    is_string N
  on PN. [Show Proof]

%PN-Param
 case IsP. search.


Theorem paramNames_is : forall Ps Ns,
  is_list is_param Ps -> paramNames Ps Ns -> is_list is_string Ns. [Show Proof]

induction on 2. intros IsPs PN. PN: case PN.
  %PNs-Empty
   search.
  %PNs-Cons
   case IsPs. apply paramName_is to _ PN. apply IH to _ PN1. search.


Extensible_Theorem
  getFunEvalInfo_is : forall F Name RetVar RVVal PNames Body,
    IsF : is_fun F ->
    GEFI : getFunEvalInfo F Name RetVar RVVal PNames Body ->
    is_string Name /\ is_string RetVar /\ is_value RVVal /\
      is_list is_string PNames /\ is_stmt Body
  on GEFI. [Show Proof]

%GEFI-Fun
 case IsF. apply paramNames_is to _ GEFI1. search.


Theorem getFunEvalCtx_is : forall Fs Ctx,
  is_list is_fun Fs -> getFunEvalCtx Fs Ctx ->
  is_list (is_pair is_string (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) Ctx. [Show Proof]

induction on 2. intros IsFs GEFC. GEFC: case GEFC.
  %GEFC-Empty
   search.
  %GEFC-Cons
   case IsFs. apply getFunEvalInfo_is to _ GEFC. apply IH to _ GEFC1.
   search.




/********************************************************************
 Program evaluation results have is_list is_value
 ********************************************************************/
Extensible_Theorem
  evalProgram_isOutput : forall A P O,
    IsP : is_program P ->
    IsA : is_list is_value A ->
    Ev : evalProgram A P O ->
    is_list is_value O
  on Ev. [Show Proof]

%E-Program
 Is: case IsP. apply getFunEvalInfo_is to _ Ev2.
 apply zip_is to _ _ Ev3. apply getFunEvalCtx_is to _ Ev1.
 apply evalStmt_isOutput to _ _ _ Ev4. search.




/********************************************************************
 Evaluation does not make unwanted modifications to contexts
 ********************************************************************/
Define names_same : list (list (pair string ItemA)) ->
                    list (list (pair string ItemB)) -> prop by
names_same [] [];
names_same (A::ARest) (B::BRest) :=
  (forall X IA, mem (X, IA) A -> exists IB, mem (X, IB) B) /\
  (forall X IB, mem (X, IB) B -> exists IA, mem (X, IA) A) /\
  names_same ARest BRest.


Theorem names_same_symmetric[A, B] :
  forall (A : list (list (pair string A)))
         (B : list (list (pair string B))),
    names_same A B -> names_same B A. [Show Proof]

induction on 1. intros NS. NS: case NS.
  %last
   search.
  %step
   apply IH to NS2. search.


Theorem names_same_reflexive : forall L,
  is_list (is_list (is_pair is_string is_value)) L -> names_same L L. [Show Proof]

induction on 1. intros IsL. IsL: case IsL.
  %nil
   search.
  %cons
   apply IH to IsL1. search.


Theorem names_same_transitive[ItemA, ItemB, ItemC] :
  forall (A : list (list (pair string ItemA)))
         (B : list (list (pair string ItemB)))
         (C : list (list (pair string ItemC))),
    names_same A B -> names_same B C -> names_same A C. [Show Proof]

induction on 1. intros NAB NBC. NAB: case NAB.
  %last
   case NBC. search.
  %step
   NBC: case NBC. rename B2 to C1. rename BRest1 to CRest. unfold.
     %mem A1 -> mem C1
      intros MA. MB: apply NAB to MA. apply NBC to MB. search.
     %mem C1 -> mem A1
      intros MC. MB: apply NBC1 to MC. apply NAB1 to MB. search.
     %rest
      apply IH to NAB2 NBC2. search.


Theorem names_same_names[ItemA, ItemB] :
  forall (A : list (list (pair string ItemA)))
         (B : list (list (pair string ItemB))) NA NB X,
    names_same A B -> names A NA -> names B NB -> mem X NA ->
    mem X NB. [Show Proof]

induction on 1. intros NS NA NB M. NS: case NS.
  %last
   case NA. case M.
  %step
   NA: case NA. NB: case NB. Or: apply mem_append to M NA2.
   M': case Or.
     %mem X NScope
      MA1: apply mem_domain to NA M'. MB1: apply NS to MA1.
      M'': apply domain_mem to MB1 NB.
      apply mem_append_left to M'' NB2. search.
     %mem X NRest
      M'': apply IH to NS2 NA1 NB1 M'.
      apply mem_append_right to M'' NB2. search.


Theorem names_same_names_back[ItemA, ItemB] :
  forall (A : list (list (pair string ItemA)))
         (B : list (list (pair string ItemB))) NA NB X,
    names_same A B -> names A NA -> names B NB -> mem X NB ->
    mem X NA. [Show Proof]

induction on 1. intros NS NA NB M. NS: case NS.
  %last
   case NB. case M.
  %step
   NB: case NB. NA: case NA. Or: apply mem_append to M NB2.
   M': case Or.
     %mem X NScope
      MB1: apply mem_domain to NB M'. MA1: apply NS1 to MB1.
      M'': apply domain_mem to MA1 NA.
      apply mem_append_left to M'' NA2. search.
     %mem X NRest
      M'': apply IH to NS2 NA1 NB1 M'.
      apply mem_append_right to M'' NA2. search.


Theorem replaceScopes_names_same : forall L K I R,
    is_list (is_list (is_pair is_string is_value)) L ->
    replaceScopes K I L R -> names_same L R. [Show Proof]

induction on 2. intros IsL R. R: case R.
  %RS-FirstScope
   unfold.
     %mem L -> mem LRemain
      intros M. case IsL. IsX: apply mem_is to _ M. IsX: case IsX.
      IsK: apply mem_is to _ R. IsK: case IsK.
      Or: apply is_string_eq_or_not to IsK IsX. E: case Or.
        %X = K
         search.
        %X != K
         apply mem_before_remove_all_after to R1 M _.
           intros Eq. case Eq. backchain E.
         search.
     %mem LRemain -> mem L
      intros M. M: case M.
        %Mem-Here:  X = K
         search.
        %Mem-Later
         apply mem_after_remove_all_before to R1 M. search.
     %rest
      Is: case IsL. backchain names_same_reflexive.
  %RS-Later
   case IsL. apply IH to _ R1. search.


Theorem names_same_add_scope[I, V] :
  forall (A : list (list (pair string I)))
         (B : list (list (pair string V))),
    names_same A B -> names_same ([]::A) ([]::B). [Show Proof]

intros NS. unfold.
  %mem A -> mem B
   intros M. case M.
  %mem B -> mem A
   intros M. case M.
  %rest
   search.


%Evaluation doesn't change the names present in the context, or at
%   least older scopes for stmts
%This will be important for extension evaluation and projection,
%   showing fresh_names still holds after evaluating one term
Extensible_Theorem
  evalExpr_names_same : forall E FE EE V EE' O,
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalExpr FE EE E V EE' O ->
    names_same EE EE'
  on Ev as IH_E,
  evalStmt_names_same : forall S FE Scope EE EE' O,
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value))
              (Scope::EE) ->
    Ev : evalStmt FE (Scope::EE) S EE' O ->
    exists Scope' EE'', EE' = Scope'::EE'' /\ names_same EE EE''
  on Ev as IH_S,
  evalArgs_names_same : forall A FE EE V EE' O,
    IsA : is_args A ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalArgs FE EE A V EE' O ->
    names_same EE EE'
  on Ev as IH_A,
  evalRecFields_names_same : forall RF FE EE V EE' O,
    IsRF : is_recFieldExprs RF ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalRecFields FE EE RF V EE' O ->
    names_same EE EE'
  on Ev as IH_RF. [Show Proof]

%evalExpr_names_same
 %E-Num
  backchain names_same_reflexive.
 %E-Plus
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Minus
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Mult
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Div
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-True
  backchain names_same_reflexive.
 %E-False
  backchain names_same_reflexive.
 %E-And-True
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-And-False1
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-And-False2
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Or-True1
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Or-True2
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Or-False
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Not-True
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Not-False
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Greater-True
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Greater-False
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Eq-True
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Eq-False
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-String
  backchain names_same_reflexive.
 %E-AppString
  case IsE. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_E to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
 %E-Name
  backchain names_same_reflexive.
 %E-Call
  case IsE. apply IH_A to _ _ _ Ev2. search.
 %E-StmtExpr
  case IsE. NS_S: apply IH_S to _ _ _ Ev1.
  apply evalStmt_isCtx to _ _ _ Ev1. NS_E: apply IH_E to _ _ _ Ev2.
  NS': case NS_E. apply names_same_transitive to NS_S NS'2. search.
 %E-RecBuild
  case IsE. apply IH_RF to _ _ _ Ev1. search.
 %E-RecAccess
  case IsE. apply IH_E to _ _ _ Ev1. search.
%evalStmt_names_same
 %E-Noop
  NS: apply names_same_reflexive to IsEE. case NS. search.
 %E-Seq
  case IsS. NS_A: apply IH_S to _ _ _ Ev1.
  apply evalStmt_isCtx to _ _ _ Ev1. NS_B: apply IH_S to _ _ _ Ev2.
  apply names_same_transitive to NS_A NS_B. search.
 %E-Declare
  case IsS. NS: apply IH_E to _ _ _ Ev1. NS: case NS. search.
 %E-Assign
  case IsS. NS_E: apply IH_E to _ _ _ Ev1. case NS_E (keep).
  apply evalExpr_isCtx to _ _ _ Ev1.
  NS_R: apply replaceScopes_names_same to _ Ev2.
  NS: apply names_same_transitive to NS_E NS_R. case NS. search.
 %E-RecUpdate
  case IsS. NS_E: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  NS_R: apply replaceScopes_names_same to _ Ev4.
  NS: apply names_same_transitive to NS_E NS_R. case NS. search.
 %E-If-True
  case IsS. NS_E: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  NS_B: apply IH_S to _ _ _ Ev2.
  NS: apply names_same_transitive to NS_E NS_B. case NS. search.
 %E-If-False
  case IsS. NS_E: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  NS_B: apply IH_S to _ _ _ Ev2.
  NS: apply names_same_transitive to NS_E NS_B. case NS. search.
 %E-While-True
  case IsS. NS_E: apply IH_E to _ _ _ Ev1. NS_E': case NS_E.
  apply evalExpr_isCtx to _ _ _ Ev1.
  NS_B: apply IH_S to _ _ _ Ev2. NS_B': case NS_B.
  IsEE''+: apply evalStmt_isCtx to _ _ _ Ev2. case IsEE''+.
  NS_W: apply IH_S to _ _ _ Ev3.
  NS': apply names_same_transitive to NS_E'2 NS_B'2.
  NS: apply names_same_transitive to NS' NS_W. search.
 %E-While-False
  case IsS. NS: apply IH_E to _ _ _ Ev1. case NS. search.
 %E-ScopeStmt
  case IsS. NS: apply IH_S to _ _ _ Ev1. case NS. search.
 %E-Print-Int
  case IsS. NS: apply IH_E to _ _ _ Ev1. case NS. search.
 %E-Print-True
  case IsS. NS: apply IH_E to _ _ _ Ev1. case NS. search.
 %E-Print-False
  case IsS. NS: apply IH_E to _ _ _ Ev1. case NS. search.
 %E-Print-String
  case IsS. NS: apply IH_E to _ _ _ Ev1. case NS. search.
%evalArgs_names_same
 %EA-Nil
  backchain names_same_reflexive.
 %EA-Cons
  case IsA. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_A to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.
%evalRecFields_names_same
 %ERF-Nil
  backchain names_same_reflexive.
 %ERF-Cons
  case IsRF. NS1: apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. NS2: apply IH_RF to _ _ _ Ev2.
  apply names_same_transitive to NS1 NS2. search.


Theorem names_same_length[A, B] :
  forall (A : list (list (pair string A)))
         (B : list (list (pair string B))) L,
    names_same A B -> length A L -> length B L. [Show Proof]

induction on 2. intros NS L. L: case L.
  %nil
   case NS. search.
  %cons
   NS: case NS. apply IH to NS2 L. search.


Theorem evalExpr_keep_scopes : forall FE EE E EE' V O N,
  is_expr E ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) EE ->
  evalExpr FE EE E V EE' O -> length EE N -> length EE' N. [Show Proof]

intros IsE IsFE IsEE Ev L. NS: apply evalExpr_names_same to _ _ _ Ev.
apply names_same_length to NS L. search.
Theorem evalStmt_keep_scopes : forall FE Scope EE S EE' N O,
  is_stmt S ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) (Scope::EE) ->
  evalStmt FE (Scope::EE) S EE' O -> length (Scope::EE) N ->
  length EE' N. [Show Proof]

intros IsE IsFE IsEE Ev L.
NS: apply evalStmt_names_same to _ _ _ Ev. L: case L.
apply names_same_length to NS L. search.
Theorem evalArgs_keep_scopes : forall FE EE A EE' Vs O N,
  is_args A ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) EE ->
  evalArgs FE EE A Vs EE' O -> length EE N -> length EE' N. [Show Proof]

intros IsE IsFE IsEE Ev L. NS: apply evalArgs_names_same to _ _ _ Ev.
apply names_same_length to NS L. search.
Theorem evalRecFields_keep_scopes : forall FE EE RF EE' F O N,
  is_recFieldExprs RF ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) EE ->
  evalRecFields FE EE RF F EE' O -> length EE N -> length EE' N. [Show Proof]

intros IsE IsFE IsEE Ev L.
NS: apply evalRecFields_names_same to _ _ _ Ev.
apply names_same_length to NS L. search.




/********************************************************************
 Evaluation unique
 ********************************************************************/
Theorem replaceRecVal_unique : forall F V L A B,
  replaceRecVal F V L A -> replaceRecVal F V L B -> A = B. [Show Proof]

induction on 1. intros A B. A: case A.
  %RRV-Here
   B: case B.
     %RRV-Here
      search.
     %RRV-Later
      apply B to _.
  %RRV-Later
   B: case B.
     %RRV-Here
      apply A to _.
     %RRV-Later
      apply IH to A1 B1. search.


Theorem updateRecFields_unique : forall F V L OutA OutB,
  updateRecFields F V L OutA -> updateRecFields F V L OutB ->
  OutA = OutB. [Show Proof]

induction on 1. intros UA UB. UA: case UA.
  %URF-One
   UB: case UB.
     %URF-One
      apply replaceRecVal_unique to UA UB. search.
     %URF-Step
      case UB1.
  %URF-Step
   UB: case UB.
     %URF-One
      case UA1.
     %URF-Step
      apply lookup_unique to UA UB. apply IH to UA1 UB1.
      apply replaceRecVal_unique to UA2 UB2. search.




/********************************************************************
 Evaluation doesn't change if you add extra scopes with new names
 ********************************************************************/
/*
  Two contexts are related by adding some scopes declaring only fresh
  names relative to the rest of the context.
  Note the length of the last bit ensures there is only one valid
  splitting location, a fact important for dropping added scopes in
  proving evaluation is maintained under newNameScopes-related
  contexts.
  The one with added scopes is the first one.
*/
Define newNameScopes : list (list (pair string Item)) -> integer ->
                       list (list (pair string Item)) ->
                       list (list (pair string Item)) -> prop by
newNameScopes Scopes Len A B :=
  exists N SNames BNames,
    length B Len /\ %B has Len scopes in it
    drop N A B /\ %A is just B with N new scopes
    %extra scopes only have new names
    take N A Scopes /\ names Scopes SNames /\ names B BNames /\
    (forall X, mem X SNames -> mem X BNames -> false);
%same scope on front, related rest
newNameScopes Scopes Len (S::AR) (S::BR) :=
  newNameScopes Scopes Len AR BR.


Theorem lookupScopes_drop_not_mem :
  forall X B (V : value) N A Scopes SNames BNames,
    is_list (is_list (is_pair is_string is_value)) A ->
    is_string X ->
    lookupScopes X B V -> drop N A B -> take N A Scopes ->
    names Scopes SNames -> names B BNames ->
    (forall Z, mem Z SNames -> mem Z BNames -> false) ->
    lookupScopes X A V. [Show Proof]

induction on 4. intros IsA IsX L D T NS NB NMems. D: case D.
  %Drop-0
   T: case T.
     %Take-0
      search.
     %Take-Step
      GEq: apply take_geq_0 to T1. apply take_is_integer to T1.
      L': apply lt_plus_one to T _.
      apply greatereq_less_integer_false to GEq L'.
  %Drop-Step
   T: case T.
     %Take-0
      GEq: apply drop_geq_0 to D1. apply drop_is_integer to D1.
      L': apply lt_plus_one to D _.
      apply greatereq_less_integer_false to GEq L'.
     %Take-Step
      NS: case NS. apply drop_is_integer to D1.
      Is: case IsA. apply take_is_integer to T1.
      apply plus_integer_unique_addend to _ _ _ D T.
      apply IH to _ _ L D1 T1 NS1 NB _.
        intros MN MB. MS: apply mem_append_right to MN NS2.
        apply NMems to MS MB.
      Or: apply lookup_string_value_list_or_no to Is IsX. L: case Or.
        %lookup X1 X V
         M: apply lookup_mem to L1. MNS: apply domain_mem to M NS.
         MBN: apply lookupScopes_names to L NB.
         M': apply mem_append_left to MNS NS2. apply NMems to M' MBN.
        %no_lookp X1 X
         search.


Theorem newNameScopes_lookupScopes : forall N Len A B X V,
  is_list (is_list (is_pair is_string is_value)) A -> is_string X ->
  newNameScopes N Len A B -> lookupScopes X B V -> lookupScopes X A V. [Show Proof]

induction on 4. intros IsA IsX NNS LkpB. L: case LkpB (keep).
  %LS-FirstScope
   NNS: case NNS.
     %end
      apply lookupScopes_drop_not_mem to
         _ IsX LkpB NNS1 _ NNS3 NNS4 _. search.
     %step
      search.
  %LS-Later
   NNS: case NNS.
     %end
      apply lookupScopes_drop_not_mem to
         _ IsX LkpB NNS1 _ NNS3 NNS4 _. search.
     %step
      case IsA. apply IH to _ IsX NNS L1. search.


Theorem replaceScopes_drop_not_mem :
  forall A X V B RB N Scopes SNames BNames,
    is_list (is_list (is_pair is_string is_value)) A -> is_string X ->
    replaceScopes X V B RB -> drop N A B -> take N A Scopes ->
    names Scopes SNames -> names B BNames ->
    (forall Z, mem Z SNames -> mem Z BNames -> false) ->
    exists RA, Scopes ++ RB = RA /\ replaceScopes X V A RA. [Show Proof]

induction on 4. intros IsA IsX R D T NS NB NMems. D: case D.
  %Drop-0
   T: case T.
     %Take-0
      search.
     %Take-Step
      GEq: apply take_geq_0 to T1. apply take_is_integer to T1.
      L': apply lt_plus_one to T _.
      apply greatereq_less_integer_false to GEq L'.
  %Drop-Step
   T: case T.
     %Take-0
      GEq: apply drop_geq_0 to D1. apply drop_is_integer to D1.
      L': apply lt_plus_one to D _.
      apply greatereq_less_integer_false to GEq L'.
     %Take-Step
      NS: case NS. apply drop_is_integer to D1. Is: case IsA.
      apply take_is_integer to T1.
      apply plus_integer_unique_addend to _ _ _ D T.
      R': apply IH to _ _ R D1 T1 NS1 NB _.
        intros MN MB. MS: apply mem_append_right to MN NS2.
        apply NMems to MS MB.
      Or: apply lookup_string_value_list_or_no to Is IsX. L: case Or.
        %lookup X1 X V
         M: apply lookup_mem to L. MNS: apply domain_mem to M NS.
         MBN: apply replaceScopes_names to R NB.
         M': apply mem_append_left to MNS NS2. apply NMems to M' MBN.
        %no_lookp X1 X
         search.


Theorem replaceScopes_names_forward : forall X V L R LN RN Z,
  is_list (is_list (is_pair is_string is_value)) L -> is_string X ->
  replaceScopes X V L R -> names L LN  -> names R RN ->
  mem Z LN -> mem Z RN. [Show Proof]

induction on 3. intros IsL IsX R NL NR M. R: case R.
  %RS-FirstScope
   NL: case NL. NR: case NR. NR: case NR.
   Or: apply mem_append to M NL2. M': case Or.
     %mem Z NScope
      Is: case IsL. IsNScope: apply domain_is to _ NL.
      IsZ: apply mem_is_string to _ M'.
      Or: apply is_string_eq_or_not to IsX IsZ. E: case Or.
        %X = Z
         case NR2. search.
        %X != Z
         apply remove_all_names to R1 NL NR M' _.
         apply mem_append_left to _ NR2 with A = Z. search.
     %mem Z NRest
      apply names_unique to NL1 NR1.
      apply mem_append_right to M' NR2. search.
  %RS-Later
   Is: case IsL. NL: case NL. NR: case NR.
   Or: apply mem_append to M NL2. M': case Or.
     %mem Z NScope
      apply domain_unique to NL NR. apply mem_append_left to M' NR2.
      search.
     %mem Z NRest
      M'': apply IH to _ IsX R1 NL1 NR1 M'.
      apply mem_append_right to M'' NR2. search.


Theorem replaceScopes_names_backward : forall X V L R LN RN Z,
  is_list (is_list (is_pair is_string is_value)) L -> is_string X ->
  replaceScopes X V L R -> names L LN  -> names R RN ->
  mem Z RN -> mem Z LN. [Show Proof]

induction on 3. intros IsL IsX R NL NR M. R: case R.
  %RS-FirstScope
   NL: case NL. NR: case NR. NR: case NR.
   Or: apply mem_append to M NR2. M': case Or.
     %mem Z X::DRest
      M': case M'.
        %Mem-Here:  Z = X
         M'': apply domain_mem to R NL.
         apply mem_append_left to M'' NL2. search.
        %Mem-Later:  mem Z DRest
         MLRemain: apply mem_domain to NR M'.
         ML1: apply mem_after_remove_all_before to R1 MLRemain.
         MNScope: apply domain_mem to ML1 NL.
         apply mem_append_left to MNScope NL2. search.
     %mem Z NRest1
      apply names_unique to NL1 NR1. apply mem_append_right to M' NL2.
      search.
  %RS-Later
   NL: case NL. NR: case NR. apply domain_unique to NL NR.
   Or: apply mem_append to M NR2. M': case Or.
     %mem Z NScope1
      apply mem_append_left to M' NL2. search.
     %mem Z NRest1
      case IsL. M'': apply IH to _ _ R1 NL1 NR1 M'.
      apply mem_append_right to M'' NL2. search.


Theorem replaceScopes_keep_scopes[Key, Item] :
  forall L (K : Key) (I : Item) R N,
    replaceScopes K I L R -> length L N -> length R N. [Show Proof]

induction on 1. intros R L. R: case R.
  %RS-FirstScope
   case L. search.
  %RS-Later
   case L. apply IH to R1 _. search.


Theorem newNameScopes_replaceScopes : forall S Len A B X V RB,
  is_list (is_list (is_pair is_string is_value)) A ->
  is_list (is_list (is_pair is_string is_value)) B ->
  is_string X -> is_value V ->
  newNameScopes S Len A B -> replaceScopes X V B RB ->
  exists RA, replaceScopes X V A RA /\ newNameScopes S Len RA RB. [Show Proof]

induction on 5. intros IsA IsB IsX IsV NNS R. NNS: case NNS.
  %end
   R: case R (keep).
     %RS-FirstScope
      R': apply replaceScopes_drop_not_mem to _ IsX R NNS1 _ NNS3 _ _.
      exists RA. split. search. ScopesLen: apply take_length to NNS2.
      D: apply append_drop to R' ScopesLen.
      IsReplaced: apply replaceScopes_is to _ _ R.
      NRepl: apply names_exists to IsReplaced.
      unfold. exists N, SNames, N1. split.
        %length
         case NNS. search.
        %drop
         search.
        %take
         Len: apply take_length to NNS2.
         apply append_take to R' Len. search.
        %SNames
         search.
        %replaced names
         search.
        %not mems
         intros MS MN. MBN: apply replaceScopes_names_backward to
                               _ IsX R NNS4 NRepl MN.
         apply NNS5 to MS MBN.
     %RS-Later
      R': apply replaceScopes_drop_not_mem to _ IsX R NNS1 _ NNS3 _ _.
      exists RA. split. search. IsLN: apply replaceScopes_is to _ _ R.
      NamesLNew: apply names_exists to IsLN.
      Len: apply take_length to NNS2.
      unfold. exists N, SNames, N1. split.
        %length
         Len': case NNS. apply replaceScopes_keep_scopes to R2 Len'.
         search.
        %drop
         apply append_drop to R' Len. search.
        %take
         apply append_take to R' Len. search.
        %names Scopes
         search.
        %names New
         search.
        %not mems
         intros MS MN. MBN: apply replaceScopes_names_backward to
                               _ _ R NNS4 NamesLNew MN.
         apply NNS5 to MS MBN.
  %step
   R: case R.
     %RS-FirstScope
      search.
     %RS-Later
      case IsA. case IsB. apply IH to _ _ IsX _ NNS R1. search.


Theorem newNameScopes_length [V] :
  forall S Len (A B : list (list (pair string V))) BLen,
    newNameScopes S Len A B -> length B BLen -> Len <= BLen. [Show Proof]

induction on 1. intros NNS Len. NNS: case NNS.
  %end
   apply length_unique to Len NNS. apply length_is to Len.
   backchain is_integer_lesseq.
  %step
   Len: case Len. LEq: apply IH to NNS Len. apply length_is to Len.
   L: apply lt_plus_one to Len1 _.
   apply lesseq_less_integer_transitive to LEq L.
   backchain less_integer_lesseq.


Theorem newNameScopes_reflexive : forall EE,
  is_list (is_list (is_pair is_string is_value)) EE ->
  exists Len, length EE Len /\ newNameScopes [] Len EE EE. [Show Proof]

intros IsEE. Len: apply length_exists_list_pair_string_value to IsEE.
exists N. split. search. Names: apply names_exists to IsEE. unfold.
exists 0, [], N1. split.
  %length
   search.
  %drop
   search.
  %take
   search.
  %names []
   search.
  %names EE
   search.
  %mems
   intros M. case M.


Theorem newNameScopes_same[V] :
  forall Len (A B : list (list (pair string V))),
    newNameScopes [] Len A B -> A = B. [Show Proof]

induction on 1. intros NNS. NNS: case NNS.
  %last
   case NNS2. Drop: case NNS1.
     %Drop-0
      search.
     %Drop-Step
      apply drop_is_integer to Drop1. P: assert 1 + -1 = 0.
      apply plus_integer_unique_addend to _ _ _ Drop P.
      GEq: apply drop_geq_0 to Drop1. LEq: case GEq. case LEq.
  %step
   apply IH to NNS. search.


Extensible_Theorem
  evalExpr_newNameScopes :
    forall FE EE_A EE_B E VA VB EE_A' EE_B' O_A O_B N Len,
      IsE : is_expr E ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalExpr FE EE_A E VA EE_A' O_A ->
      EvB : evalExpr FE EE_B E VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      VA = VB
    on EvA as IH_V_E,
  evalExpr_newNameScopes_output :
    forall FE EE_A EE_B E VA VB EE_A' EE_B' O_A O_B N Len,
      IsE : is_expr E ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalExpr FE EE_A E VA EE_A' O_A ->
      EvB : evalExpr FE EE_B E VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      O_A = O_B
    on EvA as IH_O_E,
  evalExpr_newNameScopes_ctx :
    forall FE EE_A EE_B E VA VB EE_A' EE_B' O_A O_B N Len,
      IsE : is_expr E ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalExpr FE EE_A E VA EE_A' O_A ->
      EvB : evalExpr FE EE_B E VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      newNameScopes N Len EE_A' EE_B'
    on EvA as IH_C_E,
  /*
    Note we have the same scope on the front of both contexts for
    evaluation.  This is necessary for declare, where we will add a
    new binding to the front scope on both and still need
    newNameScopes for the result.

    **For extensions introducing new statements, this means they
      must introduce a new scope before adding any new assignments.**
  */
  evalStmt_newNameScopes_output :
    forall FE EE_A EE_B S EE_A' EE_B' O_A O_B N Len Scope,
      IsS : is_stmt S ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_A) ->
      IsB : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_B) ->
      EvA : evalStmt FE (Scope::EE_A) S EE_A' O_A ->
      EvB : evalStmt FE (Scope::EE_B) S EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      O_A = O_B
    on EvA as IH_O_S,
  evalStmt_newNameScopes :
    forall FE EE_A EE_B S EE_A' EE_B' O_A O_B N Len Scope,
      IsS : is_stmt S ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_A) ->
      IsB : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_B) ->
      EvA : evalStmt FE (Scope::EE_A) S EE_A' O_A ->
      EvB : evalStmt FE (Scope::EE_B) S EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      newNameScopes N Len EE_A' EE_B'
    on EvA as IH_C_S,
  evalArgs_newNameScopes :
    forall FE EE_A EE_B A VA VB EE_A' EE_B' O_A O_B N Len,
      IsA : is_args A ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalArgs FE EE_A A VA EE_A' O_A ->
      EvB : evalArgs FE EE_B A VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      VA = VB
    on EvA as IH_V_A,
  evalArgs_newNameScopes_output :
    forall FE EE_A EE_B A VA VB EE_A' EE_B' O_A O_B N Len,
      IsA : is_args A ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalArgs FE EE_A A VA EE_A' O_A ->
      EvB : evalArgs FE EE_B A VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      O_A = O_B
    on EvA as IH_O_A,
  evalArgs_newNameScopes_ctx :
    forall FE EE_A EE_B A VA VB EE_A' EE_B' O_A O_B N Len,
      IsA : is_args A ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalArgs FE EE_A A VA EE_A' O_A ->
      EvB : evalArgs FE EE_B A VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      newNameScopes N Len EE_A' EE_B'
    on EvA as IH_C_A,
  evalRecFields_newNameScopes :
    forall FE EE_A EE_B RF VA VB EE_A' EE_B' O_A O_B N Len,
      IsRF : is_recFieldExprs RF ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalRecFields FE EE_A RF VA EE_A' O_A ->
      EvB : evalRecFields FE EE_B RF VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      VA = VB
    on EvA as IH_V_RF,
  evalRecFields_newNameScopes_output :
    forall FE EE_A EE_B RF VA VB EE_A' EE_B' O_A O_B N Len,
      IsRF : is_recFieldExprs RF ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalRecFields FE EE_A RF VA EE_A' O_A ->
      EvB : evalRecFields FE EE_B RF VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      O_A = O_B
    on EvA as IH_O_RF,
  evalRecFields_newNameScopes_ctx :
    forall FE EE_A EE_B RF VA VB EE_A' EE_B' O_A O_B N Len,
      IsRF : is_recFieldExprs RF ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvA : evalRecFields FE EE_A RF VA EE_A' O_A ->
      EvB : evalRecFields FE EE_B RF VB EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      newNameScopes N Len EE_A' EE_B'
    on EvA as IH_C_RF. [Show Proof]

%evalExpr_newNameScopes
 %E-Num
  case EvB. search.
 %E-Plus
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
  apply plus_integer_unique to EvA3 EvB2. search.
 %E-Minus
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
  apply minus_integer_unique to EvA3 EvB2. search.
 %E-Mult
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
  apply multiply_integer_unique to EvA3 EvB2. search.
 %E-Div
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
  apply divide_integer_unique to EvA3 EvB2. search.
 %E-True
  case EvB. search.
 %E-False
  case EvB. search.
 %E-And-True
  case IsE. EvB: case EvB.
    %E-And-True
     search.
    %E-And-False1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
 %E-And-False1
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False1
     search.
    %E-And-False2
     search.
 %E-And-False2
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
    %E-And-False1
     search.
    %E-And-False2
     search.
 %E-Or-True1
  case IsE. EvB: case EvB.
    %E-Or-True1
     search.
    %E-Or-True2
     search.
    %E-Or-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-Or-True2
  case IsE. EvB: case EvB.
    %E-Or-True1
     search.
    %E-Or-True2
     search.
    %E-Or-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
 %E-Or-False
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Or-True2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
    %E-Or-False
     search.
 %E-Not-True
  case IsE. EvB: case EvB.
    %E-Not-True
     search.
    %E-Not-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-Not-False
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Not-False
     search.
 %E-Greater-True
  case IsE. EvB: case EvB.
    %E-Greater-True
     search.
    %E-Greater-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
     L: apply greater_integer_flip_less to EvA3.
     apply less_lesseq_flip_false to L EvB2.
 %E-Greater-False
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
     L: apply greater_integer_flip_less to EvB2.
     apply less_lesseq_flip_false to L EvA3.
    %E-Greater-False
     search.
 %E-Eq-True
  case IsE. EvB: case EvB.
    %E-Eq-True
     search.
    %E-Eq-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
     apply EvB2 to _.
 %E-Eq-False
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
     apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
     apply EvA3 to _.
    %E-Eq-False
     search.
 %E-String
  case EvB. search.
 %E-AppString
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA3 EvB2. search.
 %E-Name
  case IsE. EvB: case EvB.
  LA: apply newNameScopes_lookupScopes to _ _ NNS EvB.
  apply lookupScopes_unique to EvA1 LA. search.
 %E-Call
  case IsE. EvB: case EvB. apply lookup_unique to EvA1 EvB.
  apply IH_V_A to _ _ _ _ EvA2 EvB1 _.
  apply zip_unique to EvA3 EvB2. apply evalArgs_isValue to _ _ _ EvA2.
  IsFP: apply lookup_is_value_funCtx to _ EvA1. IsF: case IsFP.
  IsF: case IsF1. IsF: case IsF2. IsIE: apply zip_is to _ _ EvA3.
  NNS': apply newNameScopes_reflexive to _ with EE = [].
  NNS'': apply IH_C_S to _ _ _ _ EvA4 EvB3 NNS'1.
  apply evalStmt_isCtx to _ _ _ EvA4.
  apply evalStmt_isCtx to _ _ _ EvB3.
  LA: apply newNameScopes_lookupScopes to _ _ NNS'' EvB5.
  apply lookupScopes_unique to LA EvA6. search.
 %E-StmtExpr
  case IsE. EvB: case EvB. apply IH_C_S to _ _ _ _ EvA1 EvB _.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-RecBuild
  case IsE. EvB: case EvB. apply IH_V_RF to _ _ _ _ EvA1 EvB _.
  search.
 %E-RecAccess
  case IsE. EvB: case EvB. apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply lookup_unique to EvA2 EvB1. search.
%evalExpr_newNameScopes_output
 %E-Num
  case EvB. search.
 %E-Plus
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_O_E to _ _ _ _ EvA1 EvB _.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA4 EvB3. search.
 %E-Minus
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_O_E to _ _ _ _ EvA1 EvB _.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA4 EvB3. search.
 %E-Mult
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_O_E to _ _ _ _ EvA1 EvB _.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA4 EvB3. search.
 %E-Div
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_O_E to _ _ _ _ EvA1 EvB _.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA4 EvB3. search.
 %E-True
  case EvB. search.
 %E-False
  case EvB. search.
 %E-And-True
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
    %E-And-False1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
 %E-And-False1
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False1
     apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
    %E-And-False2
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-And-False2
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
    %E-And-False1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
 %E-Or-True1
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
    %E-Or-True2
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Or-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-Or-True2
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Or-True2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
    %E-Or-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
 %E-Or-False
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Or-True2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
    %E-Or-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
 %E-Not-True
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
    %E-Not-False
     apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
 %E-Not-False
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
    %E-Not-False
     apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
 %E-Greater-True
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA4 EvB3. search.
    %E-Greater-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA4 EvB3. search.
 %E-Greater-False
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA4 EvB3. search.
    %E-Greater-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA4 EvB3. search.
 %E-Eq-True
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
    %E-Eq-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB3. search.
 %E-Eq-False
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA4 EvB2. search.
    %E-Eq-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA4 EvB3. search.
 %E-String
  case EvB. search.
 %E-AppString
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_O_E to _ _ _ _ EvA1 EvB _.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA4 EvB3. search.
 %E-Name
  case EvB. search.
 %E-Call
  case IsE. EvB: case EvB. apply IH_O_A to _ _ _ _ EvA2 EvB1 _.
  apply lookup_unique to EvB EvA1.
  apply IH_V_A to _ _ _ _ EvA2 EvB1 _. apply zip_unique to EvA3 EvB2.
  IsFP: apply lookup_is_value_funCtx to _ EvA1. IsF: case IsFP.
  IsF: case IsF1. IsF: case IsF2.
  apply evalArgs_isValue to _ _ _ EvA2. apply zip_is to _ _ EvA3.
  NNS': apply newNameScopes_reflexive to _ with EE = [].
  apply IH_O_S to _ _ _ _ EvA4 EvB3 NNS'1.
  apply append_unique to EvA5 EvB4. search.
 %E-StmtExpr
  case IsE. EvB: case EvB. apply IH_O_S to _ _ _ _ EvA1 EvB _.
  apply IH_C_S to _ _ _ _ EvA1 EvB _.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA3 EvB2. search.
 %E-RecBuild
  case IsE. EvB: case EvB. apply IH_O_RF to _ _ _ _ EvA1 EvB _.
  search.
 %E-RecAccess
  case IsE. EvB: case EvB. apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
%evalExpr_newNameScopes_ctx
 %E-Num
  case EvB. search.
 %E-Plus
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Minus
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Mult
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Div
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-True
  case EvB. search.
 %E-False
  case EvB. search.
 %E-And-True
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-And-False1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-And-False1
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False1
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-And-False2
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-And-False2
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-And-False1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-And-False2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Or-True1
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Or-True2
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Or-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-Or-True2
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Or-True2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-Or-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Or-False
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Or-True2
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-Or-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Not-True
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Not-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
 %E-Not-False
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Not-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
 %E-Greater-True
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-Greater-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Greater-False
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-Greater-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Eq-True
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-Eq-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Eq-False
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
    %E-Eq-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-String
  case EvB. search.
 %E-AppString
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_C_E to _ _ _ _ EvA2 EvB1 _. search.
 %E-Name
  case EvB. search.
 %E-Call
  case IsE. EvB: case EvB. apply IH_C_A to _ _ _ _ EvA2 EvB1 _.
  search.
 %E-StmtExpr
  case IsE. EvB: case EvB. NNS1: apply IH_C_S to _ _ _ _ EvA1 EvB _.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  NNS': apply IH_C_E to _ _ _ _ EvA2 EvB1 _.
  LenB: apply length_exists_list_pair_string_value to IsB.
  IsN1: apply length_is to LenB.
  P: apply plus_integer_total to _ IsN1 with N1 = 1.
  LenB+: assert length ([]::EE_B) N3.
  LenEE2: apply evalStmt_keep_scopes to _ _ _ EvB LenB+.
  LenEE_B'+: apply evalExpr_keep_scopes to _ _ _ EvB1 LenEE2.
  LEq: apply newNameScopes_length to NNS' LenEE_B'+.
  LenEE_B: case LenEE_B'+ (keep). apply length_is to LenEE_B.
  L: apply lt_plus_one to LenEE_B1 _. NNS': case NNS'.
    %end
     apply length_unique to _ NNS' with N1 = N3.
     LEq': apply newNameScopes_length to NNS LenB.
     apply plus_integer_unique_addend to _ _ _ LenEE_B1 P.
     apply less_lesseq_flip_false to L LEq'.
    %step
     search.
 %E-RecBuild
  case IsE. EvB: case EvB. apply IH_C_RF to _ _ _ _ EvA1 EvB _.
  search.
 %E-RecAccess
  case IsE. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
%evalStmt_newNameScopes_output
 %E-Noop
  case EvB. search.
 %E-Seq
  case IsS. EvB: case EvB. NNS': apply IH_C_S to _ _ _ _ EvA1 EvB _.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  apply IH_O_S to _ _ _ _ EvA1 EvB _.
  LenB: apply length_exists_list_pair_string_value to IsB.
  LenA: apply length_exists_list_pair_string_value to IsA.
  IsN2: apply length_is to LenA. IsN1: apply length_is to LenB.
  LenEE1: apply evalStmt_keep_scopes to _ _ _ EvA1 LenA.
  LenEE2: apply evalStmt_keep_scopes to _ _ _ EvB LenB.
  LenB': case LenB (keep). LenA': case LenA (keep).
  GEqB: apply length_geq_0 to LenB'. apply length_is to LenB'.
  LB: apply lt_plus_one to LenB'1 _. apply length_is to LenA'.
  GEqA: apply length_geq_0 to LenA'. LA: apply lt_plus_one to LenA'1 _.
  LEqA: case GEqA. LEqB: case GEqB.
  LA': apply lesseq_less_integer_transitive to LEqA LA.
  LB': apply lesseq_less_integer_transitive to LEqB LB.
  GA: apply less_integer_flip_greater to LA'.
  GB: apply less_integer_flip_greater to LB'.
  apply length_cons to LenEE1 GA. apply length_cons to LenEE2 GB.
  NNS': case NNS'.
    %end
     apply length_unique to LenEE2 NNS'.
     LEq: apply newNameScopes_length to NNS LenB'.
     apply less_lesseq_flip_false to LB LEq.
    %step
     apply IH_O_S to _ IsFE _ _ EvA2 EvB1 NNS'.
     apply append_unique to EvA3 EvB2. search.
 %E-Declare
  case IsS. EvB: case EvB. apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
 %E-Assign
  case IsS. EvB: case EvB. apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
 %E-RecUpdate
  case IsS. EvB: case EvB. apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
 %E-If-True
  case IsS. EvB: case EvB.
    %E-If-True
     NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_S to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
    %E-If-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-If-False
  case IsS. EvB: case EvB.
    %E-If-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-If-False
     NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_S to _ _ _ _ EvA2 EvB1 _.
     apply append_unique to EvA3 EvB2. search.
 %E-While-True
  case IsS. EvB: case EvB.
    %E-While-True
     NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     NNS'': apply IH_C_S to _ _ _ _ EvA2 EvB1 _. NNS'': case NNS''.
       %end
        LenA: apply length_exists_list_pair_string_value to IsA.
        LenB: apply length_exists_list_pair_string_value to IsB.
        IsN1: apply length_is to LenA. IsN2: apply length_is to LenB.
        LenEE1: apply evalExpr_keep_scopes to _ _ _ EvA1 LenA.
        LenEE3: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
        PA: apply plus_integer_total to _ IsN1 with N1 = 1.
        PB: apply plus_integer_total to _ IsN2 with N1 = 1.
        LenEE1+: assert length ([]::EE1) N4.
        LenEE3+: assert length ([]::EE3) N5.
        LenEE2+: apply evalStmt_keep_scopes to _ _ _ EvA2 LenEE1+.
        LenEE4+: apply evalStmt_keep_scopes to _ _ _ EvB1 LenEE3+.
        apply length_unique to LenEE4+ NNS''.
        LEq: apply newNameScopes_length to NNS' LenEE3.
        L: apply lt_plus_one to PB _.
        apply less_lesseq_flip_false to L LEq.
       %step
        NNS'': case NNS''.
          %end
           LenB: apply length_exists_list_pair_string_value to IsB.
           IsN1: apply length_is to LenB.
           LenEE3: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
           PB: apply plus_integer_total to _ IsN1 with N1 = 1.
           LenEE3+: assert length ([]::EE3) N3.
           LenEE4+: apply evalStmt_keep_scopes to _ _ _ EvB1 LenEE3+.
           LenEE4: case LenEE4+. apply length_unique to LenEE4 NNS''.
           apply length_is to LenEE4.
           apply plus_integer_unique_addend to _ _ _ PB LenEE1.
           LenB': case LenB. apply length_is to LenB'.
           LEq: apply newNameScopes_length to NNS LenB'.           
           L: apply lt_plus_one to LenB'1 _.
           apply less_lesseq_flip_false to L LEq.
          %step
           apply IH_O_E to _ _ _ _ EvA1 EvB _.
           apply IH_O_S to _ _ _ _ EvA2 EvB1 _.
           IsAR+: apply evalStmt_isCtx to _ _ _ EvA2. case IsAR+.
           IsBR+: apply evalStmt_isCtx to _ _ _ EvB1. case IsBR+.
           apply IH_O_S to _ _ _ _ EvA3 EvB2 _.
           apply append_unique to EvA4 EvB3.
           apply append_unique to EvA5 EvB4. search.
    %E-While-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-While-False
  case IsS. EvB: case EvB.
    %E-While-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-While-False
     apply IH_O_E to _ _ _ _ EvA1 EvB _. search.
 %E-ScopeStmt
  case IsS. EvB: case EvB. apply IH_O_S to _ _ _ _ EvA1 EvB _. search.
 %E-Print-Int
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply append_unique to EvA2 EvB1. search.
    %E-Print-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-String
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-Print-True
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-True
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply append_unique to EvA2 EvB1. search.
    %E-Print-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-String
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-Print-False
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-False
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply append_unique to EvA2 EvB1. search.
    %E-Print-String
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-Print-String
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-Print-String
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
     apply IH_O_E to _ _ _ _ EvA1 EvB _.
     apply append_unique to EvA2 EvB1. search.
%evalStmt_newNameScopes
 %E-Noop
  case EvB. search.
 %E-Seq
  case IsS. EvB: case EvB. NNS': apply IH_C_S to _ _ _ _ EvA1 EvB _.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  LenB: apply length_exists_list_pair_string_value to IsB.
  LenA: apply length_exists_list_pair_string_value to IsA.
  IsN2: apply length_is to LenA. IsN1: apply length_is to LenB.
  LenEE1: apply evalStmt_keep_scopes to _ _ _ EvA1 LenA.
  LenEE2: apply evalStmt_keep_scopes to _ _ _ EvB LenB.
  LenB': case LenB (keep). LenA': case LenA (keep).
  GEqB: apply length_geq_0 to LenB'. apply length_is to LenB'.
  LB: apply lt_plus_one to LenB'1 _. apply length_is to LenA'.
  GEqA: apply length_geq_0 to LenA'. LA: apply lt_plus_one to LenA'1 _.
  LEqA: case GEqA. LEqB: case GEqB.
  LA': apply lesseq_less_integer_transitive to LEqA LA.
  LB': apply lesseq_less_integer_transitive to LEqB LB.
  GA: apply less_integer_flip_greater to LA'.
  GB: apply less_integer_flip_greater to LB'.
  apply length_cons to LenEE1 GA. apply length_cons to LenEE2 GB.
  NNS': case NNS'.
    %end
     apply length_unique to LenEE2 NNS'.
     LEq: apply newNameScopes_length to NNS LenB'.
     apply less_lesseq_flip_false to LB LEq.
    %step
     apply IH_C_S to _ IsFE _ _ EvA2 EvB1 NNS'. search.
 %E-Declare
  case IsS. EvB: case EvB. NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_E to _ _ _ _ EvA1 EvB _. NNS': case NNS' (keep).
    %end
     LenB: apply length_exists_list_pair_string_value to IsB.
     LenB': case LenB (keep).
     LEq: apply newNameScopes_length to NNS LenB'.
     LenEE2+: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
     LenEE2: case LenEE2+ (keep). apply length_is to LenB'.
     apply length_is to LenEE2. apply length_unique to NNS'1 LenEE2+.
     apply plus_integer_unique_addend to _ _ _ LenEE1 LenB'1.
     L: apply lt_plus_one to LenEE1 _.
     apply less_lesseq_flip_false to L LEq.
    %step
     search.
 %E-Assign
  case IsS. EvB: case EvB. NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  R: apply newNameScopes_replaceScopes to _ _ _ _ NNS' EvB1.
  apply replaceScopes_unique to R EvA2. search.
 %E-RecUpdate
  case IsS. EvB: case EvB. NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  NNS'': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  Lkp: apply newNameScopes_lookupScopes to _ _ NNS'' EvB1.
  apply lookupScopes_unique to Lkp EvA2.
  apply updateRecFields_unique to EvA3 EvB2.
  IsV: apply evalExpr_isValue to _ _ _ EvA1.
  IsR: apply lookupScopes_is to _ EvA2. case IsR.
  apply updateRecFields_is to _ _ _ EvB2.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  R: apply newNameScopes_replaceScopes to _ _ _ _ NNS' EvB3.
  apply replaceScopes_unique to R EvA4. search.
 %E-If-True
  case IsS. EvB: case EvB.
    %E-If-True
     NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     NNS'': apply IH_C_S to _ _ _ _ EvA2 EvB1 _. NNS'': case NNS''.
       %end
        LenB: apply length_exists_list_pair_string_value to IsB.
        LenB': case LenB (keep).
        LEq: apply newNameScopes_length to NNS LenB'.
        LenEE2: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
        IsN1: apply length_is to LenEE2.
        P: apply plus_integer_total to _ IsN1 with N1 = 1.
        LenEE2+: assert length ([]::EE2) N3.
        LenEE_B'+: apply evalStmt_keep_scopes to _ _ _ EvB1 LenEE2+.
        L: apply lt_plus_one to P _. apply length_is to LenB'.
        L': apply lt_plus_one to LenB'1 _.
        L'': apply less_integer_transitive to L' L.
        apply length_unique to NNS'' LenEE_B'+.
        apply less_lesseq_flip_false to L'' LEq.
       %step
        search.
    %E-If-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-If-False
  case IsS. EvB: case EvB.
    %E-If-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-If-False
     NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     NNS'': apply IH_C_S to _ _ _ _ EvA2 EvB1 _. NNS'': case NNS''.
       %end
        LenB: apply length_exists_list_pair_string_value to IsB.
        LenB': case LenB (keep).
        LEq: apply newNameScopes_length to NNS LenB'.
        LenEE2: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
        IsN1: apply length_is to LenEE2.
        P: apply plus_integer_total to _ IsN1 with N1 = 1.
        LenEE2+: assert length ([]::EE2) N3.
        LenEE_B'+: apply evalStmt_keep_scopes to _ _ _ EvB1 LenEE2+.
        L: apply lt_plus_one to P _. apply length_is to LenB'.
        L': apply lt_plus_one to LenB'1 _.
        L'': apply less_integer_transitive to L' L.
        apply length_unique to NNS'' LenEE_B'+.
        apply less_lesseq_flip_false to L'' LEq.
       %step
        search.
 %E-While-True
  case IsS. EvB: case EvB.
    %E-While-True
     NNS': apply IH_C_E to _ _ _ _ EvA1 EvB _.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     NNS'': apply IH_C_S to _ _ _ _ EvA2 EvB1 _. NNS'': case NNS''.
       %end
        LenA: apply length_exists_list_pair_string_value to IsA.
        LenB: apply length_exists_list_pair_string_value to IsB.
        IsN1: apply length_is to LenA. IsN2: apply length_is to LenB.
        LenEE1: apply evalExpr_keep_scopes to _ _ _ EvA1 LenA.
        LenEE3: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
        PA: apply plus_integer_total to _ IsN1 with N1 = 1.
        PB: apply plus_integer_total to _ IsN2 with N1 = 1.
        LenEE1+: assert length ([]::EE1) N4.
        LenEE3+: assert length ([]::EE3) N5.
        LenEE2+: apply evalStmt_keep_scopes to _ _ _ EvA2 LenEE1+.
        LenEE4+: apply evalStmt_keep_scopes to _ _ _ EvB1 LenEE3+.
        apply length_unique to LenEE4+ NNS''.
        LEq: apply newNameScopes_length to NNS' LenEE3.
        L: apply lt_plus_one to PB _.
        apply less_lesseq_flip_false to L LEq.
       %step
        NNS'': case NNS''.
          %end
           LenB: apply length_exists_list_pair_string_value to IsB.
           IsN1: apply length_is to LenB.
           LenEE3: apply evalExpr_keep_scopes to _ _ _ EvB LenB.
           PB: apply plus_integer_total to _ IsN1 with N1 = 1.
           LenEE3+: assert length ([]::EE3) N3.
           LenEE4+: apply evalStmt_keep_scopes to _ _ _ EvB1 LenEE3+.
           LenEE4: case LenEE4+. apply length_unique to LenEE4 NNS''.
           apply length_is to LenEE4.
           apply plus_integer_unique_addend to _ _ _ PB LenEE1.
           LenB': case LenB. apply length_is to LenB'.
           LEq: apply newNameScopes_length to NNS LenB'.           
           L: apply lt_plus_one to LenB'1 _.
           apply less_lesseq_flip_false to L LEq.
          %step
           IsAR+: apply evalStmt_isCtx to _ _ _ EvA2. case IsAR+.
           IsBR+: apply evalStmt_isCtx to _ _ _ EvB1. case IsBR+.
           apply IH_C_S to _ _ _ _ EvA3 EvB2 _. search.
    %E-While-False
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
 %E-While-False
  case IsS. EvB: case EvB.
    %E-While-True
     apply IH_V_E to _ _ _ _ EvA1 EvB _.
    %E-While-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
 %E-ScopeStmt
  case IsS. EvB: case EvB. NNS': apply IH_C_S to _ _ _ _ EvA1 EvB _.
  NNS': case NNS'.
    %end
     LenB: apply length_exists_list_pair_string_value to IsB.
     LenB': case LenB (keep). IsN1: apply length_is to LenB.
     LEq: apply newNameScopes_length to NNS LenB'.
     P: apply plus_integer_total to _ IsN1 with N1 = 1.
     Len++: assert length ([]::Scope::EE_B) N3.
     LenFinal: apply evalStmt_keep_scopes to _ _ _ EvB Len++.
     apply length_unique to LenFinal NNS'.
     L: apply lt_plus_one to P _. apply length_is to LenB'.
     L': apply lt_plus_one to LenB'1 _.
     L'': apply less_integer_transitive to L' L.
     apply less_lesseq_flip_false to L'' LEq.
    %step
     search.
 %E-Print-Int
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-String
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
 %E-Print-True
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-String
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
 %E-Print-False
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-String
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
 %E-Print-String
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-True
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-False
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
    %E-Print-String
     apply IH_C_E to _ _ _ _ EvA1 EvB _. search.
%evalArgs_newNameScopes
 %EA-Nil
  case EvB. search.
 %EA-Cons
  case IsA. EvB: case EvB. apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_A to _ _ _ _ EvA2 EvB1 _. search.
%evalArgs_newNameScopes_output
 %EA-Nil
  case EvB. search.
 %EA-Cons
  case IsA. EvB: case EvB. apply IH_O_E to _ _ _ _ EvA1 EvB _.
  apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_O_A to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA3 EvB2. search.
%evalArgs_newNameScopes_ctx
 %EA-Nil
  case EvB. search.
 %EA-Cons
  case IsA. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_C_A to _ _ _ _ EvA2 EvB1 _. search.
%evalRecFields_newNameScopes
 %ERF-Nil
  case EvB. search.
 %ERF-Cons
  case IsRF. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_V_E to _ _ _ _ EvA1 EvB _.
  apply IH_V_RF to _ _ _ _ EvA2 EvB1 _. search.
%evalRecFields_newNameScopes_output
 %ERF-Nil
  case EvB. search.
 %ERF-Cons
  case IsRF. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_O_E to _ _ _ _ EvA1 EvB _.
  apply IH_O_RF to _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA3 EvB2. search.
%evalRecFields_newNameScopes_ctx
 %ERF-Nil
  case EvB. search.
 %ERF-Cons
  case IsRF. EvB: case EvB. apply IH_C_E to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_C_RF to _ _ _ _ EvA2 EvB1 _. search.




/********************************************************************
 Evaluation is Unique
 ********************************************************************/
Theorem evalExpr_unique : forall FE EE E VA EE_A OA VB EE_B OB,
  is_expr E ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) EE ->
  evalExpr FE EE E VA EE_A OA ->
  evalExpr FE EE E VB EE_B OB ->
  VA = VB /\ EE_A = EE_B /\ OA = OB. [Show Proof]

intros IsE IsFE IsEE EvA EvB.
LN: apply newNameScopes_reflexive to IsEE.
apply evalExpr_newNameScopes to _ _ _ _ EvA EvB _.
apply evalExpr_newNameScopes_output to _ _ _ _ EvA EvB _.
NNS: apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA EvB _.
apply newNameScopes_same to NNS. search.


Theorem evalStmt_unique : forall FE Scope EE S EE_A OA EE_B OB,
  is_stmt S ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) (Scope::EE) ->
  evalStmt FE (Scope::EE) S EE_A OA ->
  evalStmt FE (Scope::EE) S EE_B OB ->
  EE_A = EE_B /\ OA = OB. [Show Proof]

intros IsS IsFE IsEE EvA EvB. IsEE': case IsEE.
LN: apply newNameScopes_reflexive to IsEE'1.
apply evalStmt_newNameScopes_output to _ _ _ _ EvA EvB _.
NNS: apply evalStmt_newNameScopes to _ _ _ _ EvA EvB _.
apply newNameScopes_same to NNS. search.


Theorem evalArgs_unique : forall FE EE A VA EE_A OA VB EE_B OB,
  is_args A ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) EE ->
  evalArgs FE EE A VA EE_A OA ->
  evalArgs FE EE A VB EE_B OB ->
  VA = VB /\ EE_A = EE_B /\ OA = OB. [Show Proof]

intros IsE IsFE IsEE EvA EvB.
LN: apply newNameScopes_reflexive to IsEE.
apply evalArgs_newNameScopes to _ _ _ _ EvA EvB _.
apply evalArgs_newNameScopes_output to _ _ _ _ EvA EvB _.
NNS: apply evalArgs_newNameScopes_ctx to _ _ _ _ EvA EvB _.
apply newNameScopes_same to NNS. search.


Theorem evalRecFields_unique : forall FE EE RF VA EE_A OA VB EE_B OB,
  is_recFieldExprs RF ->
  is_list (is_pair is_string
          (is_pair is_string
          (is_pair is_value
          (is_pair (is_list is_string) is_stmt)))) FE ->
  is_list (is_list (is_pair is_string is_value)) EE ->
  evalRecFields FE EE RF VA EE_A OA ->
  evalRecFields FE EE RF VB EE_B OB ->
  VA = VB /\ EE_A = EE_B /\ OA = OB. [Show Proof]

intros IsE IsFE IsEE EvA EvB.
LN: apply newNameScopes_reflexive to IsEE.
apply evalRecFields_newNameScopes to _ _ _ _ EvA EvB _.
apply evalRecFields_newNameScopes_output to _ _ _ _ EvA EvB _.
NNS: apply evalRecFields_newNameScopes_ctx to _ _ _ _ EvA EvB _.
apply newNameScopes_same to NNS. search.




/********************************************************************
 Extension size versions of evaluation
 ********************************************************************/
Ext_Size evalExpr FE EE E V EE' O,
         evalArgs FE EE E V EE' O,
         evalRecFields FE EE E F EE' O,
         evalStmt FE EE S EE' O.

Proj_Rel evalExpr FE EE E V EE' O,
         evalArgs FE EE E V EE' O,
         evalRecFields FE EE E F EE' O,
         evalStmt FE EE S EE' O.




/********************************************************************
 Evaluation across newNameScopes exists
 ********************************************************************/
/*
  Not only is evaluation related when the same term evaluates across
  newNameScopes, but a term must evaluate under the added-to context
  when it evaluates under the original one.  We will use this fact for
  proving projection constraints and Ext_Ind for evaluation.  Due to
  its use for Ext_Ind, we use the extension size versions of the
  various evaluation relations so we can use the inductive hypotheses
  there with the new derivations we produce with this.
*/
Extensible_Theorem
  evalExpr_newNameScopes_exists_ES :
    forall FE EE_A EE_B E V EE_B' O N Len ES,
      IsE : is_expr E ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvB : <evalExpr {ES}> FE EE_B E V EE_B' O ES ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_A', <evalExpr {ES}> FE EE_A E V EE_A' O ES
    on EvB as IH_E,
  evalStmt_newNameScopes_exists_ES :
    forall FE EE_A EE_B S EE_B' O N Len Scope ES,
      IsS : is_stmt S ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_A) ->
      IsB : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_B) ->
      EvB : <evalStmt {ES}> FE (Scope::EE_B) S EE_B' O ES ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_A', <evalStmt {ES}> FE (Scope::EE_A) S EE_A' O ES
    on EvB as IH_S,
  evalArgs_newNameScopes_exists_ES :
    forall FE EE_A EE_B A V EE_B' O N Len ES,
      IsA : is_args A ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvB : <evalArgs {ES}> FE EE_B A V EE_B' O ES ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_A', <evalArgs {ES}> FE EE_A A V EE_A' O ES
    on EvB as IH_A,
  evalRecFields_newNameScopes_exists_ES :
    forall FE EE_A EE_B RF V EE_B' O N Len ES,
      IsRF : is_recFieldExprs RF ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      EvB : <evalRecFields {ES}> FE EE_B RF V EE_B' O ES ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_A', <evalRecFields {ES}> FE EE_A RF V EE_A' O ES
    on EvB as IH_RF. [Show Proof]

%evalExpr_newNameScopes_exists
 %E-Num
  search.
 %E-Plus
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Minus
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Mult
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Div
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-And-False1
  case IsE. apply IH_E to _ _ _ _ EvB1 NNS. search.
 %E-And-False2
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Or-True1
  case IsE. apply IH_E to _ _ _ _ EvB1 NNS. search.
 %E-Or-True2
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Or-False
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Not-True
  case IsE. apply IH_E to _ _ _ _ EvB1 NNS. search.
 %E-Not-False
  case IsE. apply IH_E to _ _ _ _ EvB1 NNS. search.
 %E-Greater-True
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Greater-False
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Eq-True
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Eq-False
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-String
  search.
 %E-AppString
  case IsE. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvB2': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'. search.
 %E-Name
  case IsE. apply newNameScopes_lookupScopes to _ _ NNS EvB1. search.
 %E-Call
  case IsE. EvA2: apply IH_A to _ _ _ _ EvB3 NNS. search.
 %E-StmtExpr
  case IsE. EvA1: apply IH_S to _ _ _ _ EvB2 NNS.
  EvA1': apply drop_ext_size_evalStmt to EvA1.
  EvB1': apply drop_ext_size_evalStmt to EvB2.
  NNS': apply evalStmt_newNameScopes to _ _ _ _ EvA1' EvB1' NNS.
  apply evalStmt_isCtx to _ _ _ EvB1'.
  apply evalStmt_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_E to _ _ _ _ EvB3 NNS'.
  Len_EE_A: apply length_exists_list_pair_string_value to IsA.
  IsLen: apply length_is to Len_EE_A.
  P: apply plus_integer_total to _ IsLen with N1 = 1.
  Len_EE_A+: assert length ([]::EE_A) N4.
  EvA2': apply drop_ext_size_evalExpr to EvA2.
  Len_EE_A': apply evalStmt_keep_scopes to _ _ _ EvA1' Len_EE_A+.
  LenFinal: apply evalExpr_keep_scopes to _ _ _ EvA2' Len_EE_A'.
  GEq: apply length_geq_0 to Len_EE_A. L: apply lt_plus_one to P _.
  LEq: case GEq. apply lesseq_less_integer_transitive to LEq L.
  apply length_cons to LenFinal _. search.
 %E-RecBuild
  case IsE. apply IH_RF to _ _ _ _ EvB1 NNS. search.
 %E-RecAccess
  case IsE. apply IH_E to _ _ _ _ EvB1 NNS. search.
%evalStmt_newNameScopes_exists
 %E-Noop
  search.
 %E-Seq
  case IsS. EvA1: apply IH_S to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalStmt to EvB2.
  EvA1': apply drop_ext_size_evalStmt to EvA1.
  NNS': apply evalStmt_newNameScopes to _ _ _ _ EvA1' EvB1' NNS.
  apply evalStmt_isCtx to _ _ _ EvB1'.
  apply evalStmt_isCtx to _ _ _ EvA1'.
  Len_EE_A+: apply length_exists_list_pair_string_value to IsA.
  Len_EE_A': apply evalStmt_keep_scopes to _ _ _ EvA1' Len_EE_A+.
  Len: case Len_EE_A+. GEq: apply length_geq_0 to Len.
  apply length_is to Len. L: apply lt_plus_one to Len1 _.
  LEq: case GEq. apply lesseq_less_integer_transitive to LEq L.
  apply length_cons to Len_EE_A' _. NNS': case NNS'.
    %final
     LenB+: apply length_exists_list_pair_string_value to IsB.
     L': apply evalStmt_keep_scopes to _ _ _ EvB1' LenB+.
     apply length_unique to NNS' L'.
     LenB: case LenB+. apply length_is to LenB.
     LEq: apply newNameScopes_length to _ LenB.
     L: apply lt_plus_one to LenB1 _.
     apply less_lesseq_flip_false to L1 LEq1.
    %step
     EvA2: apply IH_S to _ _ _ _ EvB3 NNS'. search.
 %E-Declare
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. EvA1: apply IH_E to _ _ _ _ EvB1 NNS'.
  Len_EE_A+: apply length_exists_list_pair_string_value to IsA.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  Len_EE_A': apply evalExpr_keep_scopes to _ _ _ EvA1' Len_EE_A+.
  Len: case Len_EE_A+. GEq: apply length_geq_0 to Len.
  apply length_is to Len. L: apply lt_plus_one to Len1 _.
  LEq: case GEq. apply lesseq_less_integer_transitive to LEq L.
  apply length_cons to Len_EE_A' _. search.
 %E-Assign
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. EvA1: apply IH_E to _ _ _ _ EvB1 NNS'.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  EvB1': apply drop_ext_size_evalExpr to EvB1.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  apply evalExpr_isValue to _ _ _ EvB1'.
  NNS'': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS'.
  apply newNameScopes_replaceScopes to _ _ _ _ NNS'' EvB2. search.
 %E-RecUpdate
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. EvA1: apply IH_E to _ _ _ _ EvB1 NNS'.
  EvB1': apply drop_ext_size_evalExpr to EvB1.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  apply evalExpr_isValue to _ _ _ EvB1'.
  NNS'': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS'.
  apply newNameScopes_lookupScopes to _ _ NNS' EvB2.
  IsRF: apply lookupScopes_is to _ EvB2. case IsRF.
  apply updateRecFields_is to _ _ _ EvB3.
  apply newNameScopes_replaceScopes to _ _ _ _ NNS'' EvB4. search.
 %E-If-True
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. EvA1: apply IH_E to _ _ _ _ EvB2 NNS'.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  IsA': apply evalExpr_isCtx to _ _ _ EvA1'.
  NNS'': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS'.
  EvA2: apply IH_S to _ _ _ _ EvB3 NNS''.
  LenA': apply length_exists_list_pair_string_value to IsA'.
  IsN1: apply length_is to LenA'.
  P: apply plus_integer_total to _ IsN1 with N1 = 1.
  LenA'+: assert length ([]::EE_A') N4.
  EvA2': apply drop_ext_size_evalStmt to EvA2.
  Len'': apply evalStmt_keep_scopes to _ _ _ EvA2' LenA'+.
  apply cons_length to LenA'+. apply length_cons to Len'' _. search.
 %E-If-False
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. EvA1: apply IH_E to _ _ _ _ EvB2 NNS'.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  IsA': apply evalExpr_isCtx to _ _ _ EvA1'.
  NNS'': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS'.
  EvA2: apply IH_S to _ _ _ _ EvB3 NNS''.
  LenA': apply length_exists_list_pair_string_value to IsA'.
  IsN1: apply length_is to LenA'.
  P: apply plus_integer_total to _ IsN1 with N1 = 1.
  LenA'+: assert length ([]::EE_A') N4.
  EvA2': apply drop_ext_size_evalStmt to EvA2.
  Len'': apply evalStmt_keep_scopes to _ _ _ EvA2' LenA'+.
  apply cons_length to LenA'+. apply length_cons to Len'' _. search.
 %E-While-True
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. EvA1: apply IH_E to _ _ _ _ EvB3 NNS'.
  EvB1': apply drop_ext_size_evalExpr to EvB3.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  IsA': apply evalExpr_isCtx to _ _ _ EvA1'.
  NNS'': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS'.
  %eval body and drop scope from it
  EvA2: apply IH_S to _ _ _ _ EvB4 NNS''.
  EvB2': apply drop_ext_size_evalStmt to EvB4.
  EvA2': apply drop_ext_size_evalStmt to EvA2.
  LenA': apply length_exists_list_pair_string_value to IsA'.
  IsN1: apply length_is to LenA'.
  P: apply plus_integer_total to _ IsN1 with N1 = 1.
  LenA'+: assert length ([]::EE_A') N6.
  Len'': apply evalStmt_keep_scopes to _ _ _ EvA2' LenA'+.
  apply cons_length to LenA'+. apply length_cons to Len'' _.
  %eval while again
  IsB+: apply evalStmt_isCtx to _ _ _ EvB2'. IsB': case IsB+.
  IsA+: apply evalStmt_isCtx to _ _ _ EvA2'. IsA': case IsA+.
  NNS+: apply evalStmt_newNameScopes to _ _ _ _ EvA2' EvB2' _.
  LenB+: apply length_exists_list_pair_string_value to IsB.
  LenB: case LenB+ (keep).
  LEq: apply newNameScopes_length to NNS LenB.
  LenEE1: apply evalExpr_keep_scopes to _ _ _ EvB1' LenB+.
  IsN2: apply length_is to LenEE1.
  P: apply plus_integer_total to _ IsN2 with N1 = 1.
  LenEE1+: assert length ([]::EE1) N8.
  LenEE2+: apply evalStmt_keep_scopes to _ _ _ EvB2' LenEE1+.
  NNS_: case NNS+.
    %last
     apply length_unique to LenEE2+ NNS_. apply length_is to LenB.
     apply length_is to LenEE1. L1: apply lt_plus_one to LenB1 _.
     L2: apply lt_plus_one to P1 _.
     L: apply less_integer_transitive to L1 L2.
     apply less_lesseq_flip_false to L LEq.
    %step
     NNS_: case NNS_.
       %last
        LenEE2: case LenEE2+. apply length_unique to LenEE2 NNS_.
        apply length_is to NNS_. apply length_is to LenB.
        apply plus_integer_unique_addend to _ _ _ P1 LenEE3.
        L: apply lt_plus_one to LenB1 _.
        apply less_lesseq_flip_false to L LEq.
       %step
        apply IH_S to _ _ _ _ EvB5 NNS_. search.
 %E-While-False
  NNS+: assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. apply IH_E to _ _ _ _ EvB1 NNS+. search.
 %E-ScopeStmt
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. EvA1: apply IH_S to _ _ _ _ EvB1 NNS'.
  LenA+: apply length_exists_list_pair_string_value to IsA.
  IsN1: apply length_is to LenA+.
  P: apply plus_integer_total to _ IsN1 with N1 = 1.
  LenA++: assert length ([]::Scope::EE_A) N3.
  EvA1': apply drop_ext_size_evalStmt to EvA1.
  LenA': apply evalStmt_keep_scopes to _ _ _ EvA1' LenA++.
  apply cons_length to LenA++. apply length_cons to LenA' _. search.
 %E-Print-Int
  NNS+: assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. apply IH_E to _ _ _ _ EvB1 NNS+. search.
 %E-Print-True
  NNS+: assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. apply IH_E to _ _ _ _ EvB1 NNS+. search.
 %E-Print-False
  NNS+: assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. apply IH_E to _ _ _ _ EvB1 NNS+. search.
 %E-Print-String
  NNS+: assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  case IsS. apply IH_E to _ _ _ _ EvB1 NNS+. search.
%evalArgs_newNameScopes_exists
 %EA-Nil
  search.
 %EA-Cons
  case IsA. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_A to _ _ _ _ EvB3 NNS'. search.
%evalRecFields_newNameScopes_exists
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. EvA1: apply IH_E to _ _ _ _ EvB2 NNS.
  EvB1': apply drop_ext_size_evalExpr to EvB2.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1' EvB1' NNS.
  apply evalExpr_isCtx to _ _ _ EvB1'.
  apply evalExpr_isCtx to _ _ _ EvA1'.
  EvA2: apply IH_RF to _ _ _ _ EvB3 NNS'. search.


Theorem evalExpr_newNameScopes_exists :
  forall FE EE_A EE_B E V EE_B' O N Len,
    is_expr E ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value)) EE_A ->
    is_list (is_list (is_pair is_string is_value)) EE_B ->
    evalExpr FE EE_B E V EE_B' O ->
    newNameScopes N Len EE_A EE_B ->
    exists EE_A', evalExpr FE EE_A E V EE_A' O. [Show Proof]

intros IsE IsFE IsA IsB Ev NNS.
Ev': apply add_ext_size_evalExpr to Ev.
E: apply evalExpr_newNameScopes_exists_ES to IsE IsFE IsA IsB Ev' NNS.
apply drop_ext_size_evalExpr to E. search.
Theorem evalStmt_newNameScopes_exists :
  forall FE EE_A EE_B S EE_B' O N Len Scope,
    is_stmt S ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value))
       (Scope::EE_A) ->
    is_list (is_list (is_pair is_string is_value))
       (Scope::EE_B) ->
    evalStmt FE (Scope::EE_B) S EE_B' O ->
    newNameScopes N Len EE_A EE_B ->
    exists EE_A', evalStmt FE (Scope::EE_A) S EE_A' O. [Show Proof]

intros IsS IsFE IsA IsB Ev NNS.
Ev': apply add_ext_size_evalStmt to Ev.
E: apply evalStmt_newNameScopes_exists_ES to IsS IsFE IsA IsB Ev' NNS.
apply drop_ext_size_evalStmt to E. search.
Theorem evalArgs_newNameScopes_exists :
    forall FE EE_A EE_B A V EE_B' O N Len,
      is_args A ->
      is_list (is_pair is_string
              (is_pair is_string
              (is_pair is_value
              (is_pair (is_list is_string) is_stmt)))) FE ->
      is_list (is_list (is_pair is_string is_value)) EE_A ->
      is_list (is_list (is_pair is_string is_value)) EE_B ->
      evalArgs FE EE_B A V EE_B' O ->
      newNameScopes N Len EE_A EE_B ->
      exists EE_A', evalArgs FE EE_A A V EE_A' O. [Show Proof]

intros IsAr IsFE IsA IsB Ev NNS.
Ev': apply add_ext_size_evalArgs to Ev.
E: apply evalArgs_newNameScopes_exists_ES to
             IsAr IsFE IsA IsB Ev' NNS.
apply drop_ext_size_evalArgs to E. search.
Theorem evalRecFields_newNameScopes_exists :
  forall FE EE_A EE_B RF V EE_B' O N Len,
    is_recFieldExprs RF ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value)) EE_A ->
    is_list (is_list (is_pair is_string is_value)) EE_B ->
    evalRecFields FE EE_B RF V EE_B' O ->
    newNameScopes N Len EE_A EE_B ->
    exists EE_A', evalRecFields FE EE_A RF V EE_A' O. [Show Proof]

intros IsRF IsFE IsA IsB Ev NNS.
Ev': apply add_ext_size_evalRecFields to Ev.
E: apply evalRecFields_newNameScopes_exists_ES to
            IsRF IsFE IsA IsB Ev' NNS.
apply drop_ext_size_evalRecFields to E. search.




/********************************************************************
 Evaluation back across newNameScopes
 ********************************************************************/
/*
  If we have A and B where we have `newNameScopes S Len A B` and a
  term evaluates under A, we also want to say it evaluates under B.
  However, this is not true in general as the term might use a
  variable introduced in the new scopes in A.  To say this isn't
  possible, we specify all the names occurring in a term are in B
  using ctx_names and stmtNames (or the related relations for other
  types).  We will use this for projection constraints requiring
  evaluation of originals when projections evaluate.
*/
Define ctx_names : list (list (pair K I)) -> list (list K) -> prop by
  ctx_names [] [];
  ctx_names (A::ARest) (B::BRest) :=
    (forall K I, mem (K, I) A -> mem K B) /\
    (forall K, mem K B -> exists I, mem (K, I) A) /\
    ctx_names ARest BRest.


Theorem ctx_names_add[K, I] : forall A B AS BS (K : K) (I : I),
  ctx_names (AS::A) (BS::B) ->
  ctx_names (((K, I)::AS)::A) ((K::BS)::B). [Show Proof]

intros CN. CN: case CN. unfold.
  %mem AS -> mem BS
   intros M. M: case M.
     %Mem-Here
      search.
     %Mem-Later
      apply CN to M. search.
  %mem BS -> mem AS
   intros M. M: case M.
     %Mem-Here
      search.
     %Mem-Later
      apply CN1 to M. search.
  %rest
   search.


Theorem ctx_names_add_scope[K, I] :
  forall (A : list (list (pair K I))) B,
    ctx_names A B -> ctx_names ([]::A) ([]::B). [Show Proof]

intros CN. unfold.
  %mem A -> mem B
   intros M. case M.
  %mem B -> mem A
   intros M. case M.
  %rest
   search.


Theorem ctx_names_lookupScopes[K, I] : forall A B (K : K) (I : I),
  ctx_names A B -> lookupScopes K A I -> mems K B. [Show Proof]

induction on 2. intros CN L. L: case L.
  %Mems-Here
   M: apply lookup_mem to L. CN: case CN. apply CN to M. search.
  %Mems-Later
   CN: case CN. apply IH to CN2 L1. search.


Theorem ctx_names_replaceScopes : forall A B X V A',
  is_list (is_list (is_pair is_string is_value)) A ->
  is_list (is_list is_string) B ->
  ctx_names A B -> replaceScopes X V A A' -> ctx_names A' B. [Show Proof]

induction on 4. intros IsA IsB CN RS. RS: case RS.
  %RS-FirstScope
   CN: case CN. unfold.
     %mem A' -> mem B
      intros M. M: case M.
        %Mem-Here (K = X)
         apply CN to RS. search.
        %Mem-Later
         M': apply mem_after_remove_all_before to RS1 M.
         apply CN to M'. search.
     %mem B -> mem A'
      intros M. M': apply CN1 to M. case IsA.
      IsKP: apply mem_is to _ M'. IsK: case IsKP.
      IsXP: apply mem_is to _ RS. IsX: case IsXP.
      Or: apply is_string_eq_or_not to IsK IsX. E: case Or.
        %X = K
         search.
        %X != K
         apply mem_before_remove_all_after to RS1 M' _. search.
     %rest
      search.
  %RS-Later
   CN: case CN. case IsA. case IsB. apply IH to _ _ CN2 RS1. search.


Extensible_Theorem
  evalExpr_ctx_names : forall FE EE E V EE' O Ctx N,
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IsCtx : is_list (is_list is_string) Ctx ->
    Ctxs : ctx_names EE Ctx ->
    EN : exprNames Ctx E N ->
    Ev : evalExpr FE EE E V EE' O ->
    ctx_names EE' Ctx
  on Ev as IH_E,
  evalStmt_ctx_names : forall FE EE S EE' O Ctx Ctx' N,
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IsCtx : is_list (is_list is_string) Ctx ->
    Ctxs : ctx_names EE Ctx ->
    SN : stmtNames Ctx S N Ctx' ->
    Ev : evalStmt FE EE S EE' O ->
    ctx_names EE' Ctx'
  on Ev as IH_S,
  evalArgs_ctx_names : forall FE EE A V EE' O Ctx N,
    IsA : is_args A ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IsCtx : is_list (is_list is_string) Ctx ->
    Ctxs : ctx_names EE Ctx ->
    AN : argsNames Ctx A N ->
    Ev : evalArgs FE EE A V EE' O ->
    ctx_names EE' Ctx
  on Ev as IH_A,
  evalRecFields_ctx_names : forall FE EE RF V EE' O Ctx N,
    IsRF : is_recFieldExprs RF ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IsCtx : is_list (is_list is_string) Ctx ->
    Ctxs : ctx_names EE Ctx ->
    RFN : recFieldNames Ctx RF N ->
    Ev : evalRecFields FE EE RF V EE' O ->
    ctx_names EE' Ctx
  on Ev as IH_RF. [Show Proof]

%evalExpr_ctx_names
 %E-Num
  search.
 %E-Plus
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Minus
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Mult
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Div
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-And-False1
  case IsE. EN: case EN. apply IH_E to _ _ _ _ Ctxs EN Ev1. search.
 %E-And-False2
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Or-True1
  case IsE. EN: case EN. apply IH_E to _ _ _ _ Ctxs EN Ev1. search.
 %E-Or-True2
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Or-False
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Not-True
  case IsE. EN: case EN. apply IH_E to _ _ _ _ Ctxs EN Ev1. search.
 %E-Not-False
  case IsE. EN: case EN. apply IH_E to _ _ _ _ Ctxs EN Ev1. search.
 %E-Greater-True
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Greater-False
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Eq-True
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Eq-False
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-String
  search.
 %E-AppString
  case IsE. EN: case EN. Ctxs': apply IH_E to _ _ _ _ Ctxs EN Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_E to _ _ _ _ Ctxs' EN1 Ev2. search.
 %E-Name
  search.
 %E-Call
  case IsE. EN: case EN. apply IH_A to _ _ _ _ Ctxs EN Ev2. search.
 %E-StmtExpr
  case IsE. EN: case EN. Ctxs': apply ctx_names_add_scope to Ctxs.
  Ctxs'': apply IH_S to _ _ _ _ Ctxs' EN Ev1.
  apply evalStmt_isCtx to _ _ _ Ev1. apply stmtNames_isCtx to _ _ EN.
  C: apply IH_E to _ _ _ _ Ctxs'' EN1 Ev2. C: case C.
  apply stmtNames_keep_older to _ _ EN. search.
 %E-RecBuild
  case IsE. EN: case EN. apply IH_RF to _ _ _ _ Ctxs EN Ev1. search.
 %E-RecAccess
  case IsE. EN: case EN. apply IH_E to _ _ _ _ Ctxs EN Ev1. search.
%evalStmt_ctx_names
 %E-Noop
  case SN. search.
 %E-Seq
  case IsS. SN: case SN. apply stmtNames_isCtx to _ _ SN.
  apply stmtNames_isCtx to _ _ SN1. apply evalStmt_isCtx to _ _ _ Ev1.
  apply evalStmt_isCtx to _ _ _ Ev2. apply IH_S to _ _ _ _ _ _ Ev1.
  apply IH_S to _ _ _ _ _ _ Ev2. search.
 %E-Declare
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ Ev1.
  backchain ctx_names_add.
 %E-Assign
  case IsS. SN: case SN.
    %SN-Assign-Ignore
     CN: apply IH_E to _ _ _ _ _ _ Ev1.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply ctx_names_replaceScopes to _ _ CN Ev2. search.
    %SN-Assign-Take
     CN: apply IH_E to _ _ _ _ _ _ Ev1.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply ctx_names_replaceScopes to _ _ CN Ev2. search.
 %E-RecUpdate
  case IsS. SN: case SN.
    %SN-RecUpdate-Ignore
     CN: apply IH_E to _ _ _ _ _ _ Ev1.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply ctx_names_replaceScopes to _ _ CN Ev4. search.
    %SN-RecUpdate-Take
     CN: apply IH_E to _ _ _ _ _ _ Ev1.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply ctx_names_replaceScopes to _ _ CN Ev4. search.
 %E-If-True
  case IsS. SN: case SN. C: apply IH_E to _ _ _ _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply ctx_names_add_scope to C.
  C': apply IH_S to _ _ _ _ _ _ Ev2.
  apply stmtNames_keep_older to _ _ SN1. case C'. search.
 %E-If-False
  case IsS. SN: case SN. C: apply IH_E to _ _ _ _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply ctx_names_add_scope to C.
  C': apply IH_S to _ _ _ _ _ _ Ev2.
  apply stmtNames_keep_older to _ _ SN2. case C'. search.
 %E-While-True
  case IsS. SN: case SN (keep). C: apply IH_E to _ _ _ _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply ctx_names_add_scope to C.
  C': apply IH_S to _ _ _ _ _ _ Ev2.
  apply stmtNames_keep_older to _ _ SN2. case C'.
  IsEE4+: apply evalStmt_isCtx to _ _ _ Ev2. case IsEE4+.
  apply IH_S to _ _ _ _ _ _ Ev3. search.
 %E-While-False
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ Ev1. search.
 %E-ScopeStmt
  case IsS. SN: case SN. apply ctx_names_add_scope to Ctxs.
  C: apply IH_S to _ _ _ _ _ _ Ev1. case C.
  apply stmtNames_keep_older to _ _ SN. search.
 %E-Print-Int
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ Ev1. search.
 %E-Print-True
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ Ev1. search.
 %E-Print-False
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ Ev1. search.
 %E-Print-String
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ Ev1. search.
%evalArgs_ctx_names
 %EA-Nil
  search.
 %EA-Cons
  case IsA. AN: case AN. apply IH_E to _ _ _ _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_A to _ _ _ _ _ _ Ev2.
  search.
%evalRecFields_ctx_names
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. case RFN. apply IH_E to _ _ _ _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_RF to _ _ _ _ _ _ Ev2.
  search.


Theorem ctx_names_names[K, I] :
  forall (A : list (list (pair K I))) Names Ctx X,
    ctx_names A Ctx -> names A Names -> mems X Ctx -> mem X Names. [Show Proof]

induction on 3. intros CN N M. M: case M (keep).
  %Mems-Here
   CN: case CN. N: case N. M': apply CN1 to M1.
   MN: apply domain_mem to M' N. apply mem_append_left to MN N2.
   search.
  %Mems-Later
   CN: case CN. N: case N. MN: apply IH to CN2 N1 M1.
   apply mem_append_right to MN N2. search.


Theorem newNameScopes_ctx_names_lookupScopes [V] :
  forall N Len A B Ctx X (V : V),
    newNameScopes N Len A B -> ctx_names B Ctx -> mems X Ctx ->
    lookupScopes X A V -> lookupScopes X B V. [Show Proof]

induction on 4. intros NNS CN M L. L: case L.
  %LS-FirstScope
   NNS: case NNS.
     %last
      Drop: case NNS1.
        %Drop-0:  no new scopes, so lookup in same scope
         search.
        %Drop-Step:  impossible to be in B (Ctx) and new A scopes
         MBN: apply ctx_names_names to CN NNS4 M. Take: case NNS2.
           %Take-0
            P: assert 1 + -1 = 0. apply drop_is_integer to Drop1.
            apply plus_integer_unique_addend to _ _ _ P Drop.
            GEq: apply drop_geq_0 to Drop1. LEq: case GEq. case LEq.
           %Take-Step
            Names: case NNS3. ML: apply lookup_mem to L.
            MNS: apply domain_mem to ML Names.
            MSNames: apply mem_append_left to MNS Names2.
            apply NNS5 to MSNames MBN.
     %step
      search.
  %LS-Later
   NNS: case NNS.
     %last
      Drop: case NNS1.
        %Drop-0:  no new scopes
         search.
        %Drop-Step:  must be after new scopes
         Take: case NNS2.
           %Take-0
            P: assert 1 + -1 = 0. apply drop_is_integer to Drop1.
            apply plus_integer_unique_addend to _ _ _ P Drop.
            GEq: apply drop_geq_0 to Drop1. LEq: case GEq. case LEq.
           %Take-Step
            apply drop_is_integer to Drop1.
            apply take_is_integer to Take1.
            apply plus_integer_unique_addend to _ _ _ Drop Take.
            SNames: case NNS3.
            NNS': assert newNameScopes F Len Rest B.
              unfold. exists N3, NRest, BNames. split.
                %length B
                 search.
                %drop
                 search.
                %take
                 search.
                %names F
                 search.
                %names B
                 search.
                %mems
                 intros MNR MB. apply mem_append_right to MNR SNames2.
                 backchain NNS5.
            apply IH to NNS' CN M L1. search.
     %step
      CN: case CN. M: case M.
        %Mems-Here:  mem X B1
         MB: apply CN1 to M. apply no_lookup_mem to L MB.
        %Mems-Later:  mems X BRest
         apply IH to NNS CN2 M L1. search.


Theorem newNameScopes_replaceScopes_back :
  forall S Len A B X V RA Ctx,
    is_list (is_list (is_pair is_string is_value)) A ->
    is_list (is_list (is_pair is_string is_value)) B ->
    is_string X -> is_value V ->
    ctx_names B Ctx -> mems X Ctx ->
    newNameScopes S Len A B -> replaceScopes X V A RA ->
    exists RB, replaceScopes X V B RB. [Show Proof]

induction on 8. intros IsA IsB IsX IsV CN M NNS R. R: case R.
  %RS-FirstScope
   NNS: case NNS.
     %last
      Drop: case NNS1.
        %Drop-0:  no new scopes, so replace in same scope
         search.
        %Drop-Step:  impossible to be in B (Ctx) and new A scopes
         MBN: apply ctx_names_names to CN NNS4 M. Take: case NNS2.
           %Take-0
            P: assert 1 + -1 = 0. apply drop_is_integer to Drop1.
            apply plus_integer_unique_addend to _ _ _ P Drop.
            GEq: apply drop_geq_0 to Drop1. LEq: case GEq. case LEq.
           %Take-Step
            Names: case NNS3. MNS: apply domain_mem to R Names.
            MSNames: apply mem_append_left to MNS Names2.
            apply NNS5 to MSNames MBN.
     %step
      search.
  %RS-Later
   NNS: case NNS.
     %last
      apply drop_is_integer to NNS1. Drop: case NNS1.
        %Drop-0
         search.
        %Drop-Step
         apply drop_is_integer to Drop1. Take: case NNS2.
           %Take-0
            P: assert 1 + -1 = 0.
            apply plus_integer_unique_addend to _ _ _ P Drop.
            GEq: apply drop_geq_0 to Drop1. LEq: case GEq. case LEq.
           %Take-Step
            Names: case NNS3. apply take_is_integer to Take1.
            apply plus_integer_unique_addend to _ _ _ Take Drop.
            NNS': assert newNameScopes F Len Rest B.
              unfold. exists N2, NRest, BNames. split.
                %length
                 search.
                %drop
                 search.
                %take
                 search.
                %names F
                 search.
                %names B
                 search.
                %mems
                 intros MN MB. S: apply mem_append_right to MN Names2.
                 apply NNS5 to S MB.
            case IsA. apply IH to _ _ _ _ CN M NNS' R1. search.
     %step
      case IsA. case IsB. CN: case CN. M: case M.
        %Mem-Here
         ML: apply CN1 to M. apply no_lookup_mem to R ML.
        %Mem-Later
         apply IH to _ _ _ _ CN2 M NNS R1. search.


%ctx_names and empty names ensures all names are in EE_B or declared
%   in the term being evaluated
%if we assume the term is well-typed under the scopes of EE_B, this is
%   a valid assumption
Extensible_Theorem
  evalExpr_newNameScopes_exists_back :
    forall FE EE_A EE_B E V Ctx EE_A' O N Len,
      IsE : is_expr E ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      IsCtx : is_list (is_list is_string) Ctx ->
      %----------
      Ctxs : ctx_names EE_B Ctx ->
      EN : exprNames Ctx E [] ->
      %----------
      EvA : evalExpr FE EE_A E V EE_A' O ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_B', evalExpr FE EE_B E V EE_B' O
    on EvA as IH_E,
  evalStmt_newNameScopes_exists_back :
    forall FE EE_A EE_B S Ctx Ctx' EE_A' O N Len Scope,
      IsS : is_stmt S ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_A) ->
      IsB : is_list (is_list (is_pair is_string is_value))
               (Scope::EE_B) ->
      IsCtx : is_list (is_list is_string) Ctx ->
      %----------
      Ctxs : ctx_names (Scope::EE_B) Ctx ->
      SN : stmtNames Ctx S [] Ctx' ->
      %----------
      EvA : evalStmt FE (Scope::EE_A) S EE_A' O ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_B', evalStmt FE (Scope::EE_B) S EE_B' O
    on EvA as IH_S,
  evalArgs_newNameScopes_exists_back :
    forall FE EE_A EE_B A V Ctx EE_A' O N Len,
      IsA : is_args A ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      IsCtx : is_list (is_list is_string) Ctx ->
      %----------
      Ctxs : ctx_names EE_B Ctx ->
      AN : argsNames Ctx A [] ->
      %----------
      EvA : evalArgs FE EE_A A V EE_A' O ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_B', evalArgs FE EE_B A V EE_B' O
    on EvA as IH_A,
  evalRecFields_newNameScopes_exists_back :
    forall FE EE_A EE_B RF V Ctx EE_A' O N Len,
      IsRF : is_recFieldExprs RF ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      IsCtx : is_list (is_list is_string) Ctx ->
      %----------
      Ctxs : ctx_names EE_B Ctx ->
      RFN : recFieldNames Ctx RF [] ->
      %----------
      EvA : evalRecFields FE EE_A RF V EE_A' O ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_B', evalRecFields FE EE_B RF V EE_B' O
    on EvA as IH_RF. [Show Proof]

%evalExpr_newNameScopes_exists_back
 %E-Num
  search.
 %E-Plus
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Minus
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Mult
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Div
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-And-False1
  case IsE. EN: case EN. case EN2.
  apply IH_E to _ _ _ _ _ _ _ EvA1 NNS. search.
 %E-And-False2
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Or-True1
  case IsE. EN: case EN. case EN2.
  apply IH_E to _ _ _ _ _ _ _ EvA1 NNS. search.
 %E-Or-True2
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Or-False
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Not-True
  case IsE. EN: case EN. apply IH_E to _ _ _ _ _ _ _ EvA1 NNS. search.
 %E-Not-False
  case IsE. EN: case EN. apply IH_E to _ _ _ _ _ _ _ EvA1 NNS. search.
 %E-Greater-True
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Greater-False
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Eq-True
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Eq-False
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-String
  search.
 %E-AppString
  case IsE. EN: case EN. case EN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 NNS.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_ctx_names to _ _ _ _ _ _ EvB1.
  apply IH_E to _ _ _ _ _ _ _ EvA2 NNS'. search.
 %E-Name
  case IsE. EN: case EN.
  apply newNameScopes_ctx_names_lookupScopes to NNS Ctxs EN EvA1.
  search.
 %E-Call
  case IsE. EN: case EN. apply IH_A to _ _ _ _ _ Ctxs EN EvA2 NNS.
  search.
 %E-StmtExpr
  case IsE. EN: case EN. apply evalStmt_isCtx to _ _ _ EvA1.
  apply stmtNames_isCtx to _ _ EN.
  Ctxs': apply ctx_names_add_scope to Ctxs. case EN2.
  EvB1: apply IH_S to _ _ _ _ _ Ctxs' EN EvA1 NNS.
  NNS': apply evalStmt_newNameScopes to _ _ _ _ EvA1 EvB1 NNS.
  apply evalStmt_isCtx to _ _ _ EvB1. apply stmtNames_isCtx to _ _ EN.
  Ctxs'': apply evalStmt_ctx_names to _ _ _ _ Ctxs' EN EvB1.
  EvB2: apply IH_E to _ _ _ _ _ Ctxs'' EN1 EvA2 NNS'.
  apply stmtNames_keep_older to _ _ EN.
  C: apply evalExpr_ctx_names to _ _ _ _ _ EN1 EvB2. case C. search.
 %E-RecBuild
  case IsE. EN: case EN. apply IH_RF to _ _ _ _ _ Ctxs EN EvA1 NNS.
  search.
 %E-RecAccess
  case IsE. EN: case EN. apply IH_E to _ _ _ _ _ Ctxs EN EvA1 NNS.
  search.
%evalStmt_newNameScopes_exists_back
 %E-Noop
  search.
 %E-Seq
  case IsS. SN: case SN. apply evalStmt_isCtx to _ _ _ EvA1.
  apply stmtNames_isCtx to _ _ SN. case SN2.
  EvB1: apply IH_S to _ _ _ _ _ Ctxs SN EvA1 NNS.
  apply evalStmt_isCtx to _ _ _ EvB1.
  NNS': apply evalStmt_newNameScopes to _ _ _ _ EvA1 EvB1 NNS.
  Ctxs': apply evalStmt_ctx_names to _ _ _ _ Ctxs SN EvB1.
  NNS': case NNS' (keep).
    %last
     LenB+: apply length_exists_list_pair_string_value to IsB.
     LenB: case LenB+ (keep).
     LEq: apply newNameScopes_length to NNS LenB.
     LenEE_B': apply evalStmt_keep_scopes to _ _ _ EvB1 LenB+.
     apply cons_length to LenB+. apply length_cons to LenEE_B' _.
     apply length_unique to LenEE_B' NNS'1. apply length_is to LenB.
     L: apply lt_plus_one to LenB1 _.
     apply less_lesseq_flip_false to L LEq.
    %step
     apply IH_S to _ _ _ _ _ Ctxs' SN1 EvA2 NNS'1. search.
 %E-Declare
  case IsS. SN: case SN. EvB: apply IH_E to _ _ _ _ _ Ctxs SN EvA1 _.
  C: apply evalExpr_ctx_names to _ _ _ _ Ctxs SN EvB. case C. search.
 %E-Assign
  case IsS. SN: case SN. EvB: apply IH_E to _ _ _ _ _ Ctxs SN1 EvA1 _.
  IsEE_B': apply evalExpr_isCtx to _ _ _ EvB.
  IsEE1: apply evalExpr_isCtx to _ _ _ EvA1.
  C: apply evalExpr_ctx_names to _ _ _ _ Ctxs SN1 EvB.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB _.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply newNameScopes_replaceScopes_back to
     IsEE1 IsEE_B' _ _ C SN NNS' EvA2. search.
 %E-RecUpdate
  case IsS. SN: case SN. EvB: apply IH_E to _ _ _ _ _ Ctxs SN1 EvA1 _.
  IsEE_B': apply evalExpr_isCtx to _ _ _ EvB.
  IsEE1: apply evalExpr_isCtx to _ _ _ EvA1.
  C: apply evalExpr_ctx_names to _ _ _ _ Ctxs SN1 EvB.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB _.
  IsV: apply evalExpr_isValue to _ _ _ EvA1.
  IsRF: apply lookupScopes_is to _ EvA2. case IsRF.
  apply updateRecFields_is to _ _ _ EvA3.
  apply newNameScopes_ctx_names_lookupScopes to _ Ctxs _ EvA2.
  apply newNameScopes_replaceScopes_back to _ _ _ _ C SN NNS' EvA4.
  search.
 %E-If-True
  case IsS. SN: case SN. case SN4. case SN3.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs SN EvA1 _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  C: apply evalExpr_ctx_names to _ _ _ _ Ctxs SN EvB1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 _.
  apply ctx_names_add_scope to C.
  EvB2: apply IH_S to _ _ _ _ _ _ _ EvA2 NNS'.
  apply stmtNames_keep_older to _ _ SN1.
  C': apply evalStmt_ctx_names to _ _ _ _ _ SN1 EvB2. case C'. search.
 %E-If-False
  case IsS. SN: case SN. case SN4. case SN3.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs SN EvA1 _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  C: apply evalExpr_ctx_names to _ _ _ _ Ctxs SN EvB1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 _.
  apply ctx_names_add_scope to C.
  EvB2: apply IH_S to _ _ _ _ _ _ _ EvA2 NNS'.
  apply stmtNames_keep_older to _ _ SN2.
  C': apply evalStmt_ctx_names to _ _ _ _ _ SN2 EvB2. case C'. search.
 %E-While-True
  case IsS. SN: case SN. case SN2.
  EvB1: apply IH_E to _ _ _ _ _ Ctxs SN EvA1 _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  C: apply evalExpr_ctx_names to _ _ _ _ Ctxs SN EvB1.
  NNS': apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 _.
  apply ctx_names_add_scope to C.
  EvB2: apply IH_S to _ _ _ _ _ _ _ EvA2 NNS'.
  apply stmtNames_keep_older to _ _ SN1.
  C': apply evalStmt_ctx_names to _ _ _ _ _ SN1 EvB2. case C'.
  IsEE2+: apply evalStmt_isCtx to _ _ _ EvA2. case IsEE2+.
  IsARest+: apply evalStmt_isCtx to _ _ _ EvB2. case IsARest+.
  NNS'': apply evalStmt_newNameScopes to _ _ _ _ EvA2 EvB2 _.
  LenEEB+: apply length_exists_list_pair_string_value to IsB.
  LenEEB: case LenEEB+ (keep).
  LEq: apply newNameScopes_length to NNS LenEEB.
  LenEEB': apply evalExpr_keep_scopes to _ _ _ EvB1 LenEEB+.
  IsN2: apply length_is to LenEEB'.
  P: apply plus_integer_total to _ IsN2 with N1 = 1.
  LenEEB'+: assert length ([]::EE_B') N3.
  LenAR+: apply evalStmt_keep_scopes to _ _ _ EvB2 LenEEB'+.
  NNS'': case NNS'' (keep).
    %last:  impossible because it wasn't before
     apply length_unique to LenAR+ NNS''1.
     L: apply lt_plus_one to P _. apply length_is to LenEEB.
     L': apply lt_plus_one to LenEEB1 _.
     L'': apply less_integer_transitive to L' L.
     apply less_lesseq_flip_false to L'' LEq.
    %step
     NNS'': case NNS''1.
       %last
        LenAR: case LenAR+. apply length_unique to LenAR NNS''1.
        apply length_is to LenAR. apply length_is to LenEEB.
        apply plus_integer_unique_addend to _ _ _ P LenAR1.
        L: apply lt_plus_one to LenEEB1 _.
        apply less_lesseq_flip_false to L LEq.
       %step
        apply IH_S to _ _ _ _ _ _ _ EvA3 NNS''1. search.
 %E-While-False
  case IsS. SN: case SN. case SN2.
  apply IH_E to _ _ _ _ _ Ctxs SN EvA1 _. search.
 %E-ScopeStmt
  case IsS. SN: case SN. apply ctx_names_add_scope to Ctxs.
  EvB: apply IH_S to _ _ _ _ _ _ SN EvA1 _.
  apply stmtNames_keep_older to _ _ SN.
  C: apply evalStmt_ctx_names to _ _ _ _ _ SN EvB. case C. search.
 %E-Print-Int
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ SN EvA1 _. search.
 %E-Print-True
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ SN EvA1 _. search.
 %E-Print-False
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ SN EvA1 _. search.
 %E-Print-String
  case IsS. SN: case SN. apply IH_E to _ _ _ _ _ _ SN EvA1 _. search.
%evalArgs_newNameScopes_exists_back
 %EA-Nil
  search.
 %EA-Cons
  case IsA. AN: case AN. case AN2.
  EvB1: apply IH_E to _ _ _ _ _ _ AN EvA1 _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 _.
  apply evalExpr_ctx_names to _ _ _ _ Ctxs AN EvB1.
  apply IH_A to _ _ _ _ _ _ AN1 EvA2 _. search.
%evalRecFields_newNameScopes_exists_back
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. RFN: case RFN. case RFN2.
  EvB1: apply IH_E to _ _ _ _ _ _ RFN EvA1 _.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  apply evalExpr_newNameScopes_ctx to _ _ _ _ EvA1 EvB1 _.
  apply evalExpr_ctx_names to _ _ _ _ Ctxs RFN EvB1.
  apply IH_RF to _ _ _ _ _ _ RFN1 EvA2 _. search.




/********************************************************************
 Evaluation with scopes_same
 ********************************************************************/
Theorem scopes_same_lookupScopes_exists : forall A B X V,
  is_list (is_list (is_pair is_string is_value)) B -> is_string X ->
  scopes_same A B -> lookupScopes X A V -> lookupScopes X B V. [Show Proof]

induction on 4. intros IsB IsX SS L. L: case L.
  %LS-FirstScope
   SS: case SS. apply SS to L. search.
  %LS-Later
   SS: case SS. IsB: case IsB.
   Or: apply lookup_string_value_list_or_no to IsB IsX. N: case Or.
     %lookup B1 X V
      L': apply SS1 to N. apply no_lookup to L L'.
     %no_lookup B1 X
      apply IH to _ IsX SS2 L1. search.


Theorem scopes_same_lookupScopes : forall A B X VA VB,
  is_list (is_list (is_pair is_string is_value)) B -> is_string X ->
  scopes_same A B -> lookupScopes X A VA -> lookupScopes X B VB ->
  VA = VB. [Show Proof]

intros IsB IsX SS LA LB.
LB': apply scopes_same_lookupScopes_exists to _ _ SS LA.
apply lookupScopes_unique to LB LB'. search.


Theorem remove_all_exists : forall X EE,
  is_list (is_pair is_string is_value) EE -> is_string X ->
  exists EE', remove_all EE X EE'. [Show Proof]

induction on 1. intros IsEE IsX. Is: case IsEE.
  %nil
   search.
  %cons
   RA: apply IH to Is1 IsX. IsP: case Is.
   Or: apply is_string_eq_or_not to IsP IsX. E: case Or.
     %A = X
      search.
     %A != X
      search.


Theorem scopes_same_replaceScopes_exists : forall A B X V A',
  is_list (is_list (is_pair is_string is_value)) A ->
  is_list (is_list (is_pair is_string is_value)) B -> is_string X ->
  scopes_same A B -> replaceScopes X V A A' ->
  exists B', replaceScopes X V B B'. [Show Proof]

induction on 5. intros IsA IsB IsX SS RS. RS: case RS.
  %RS-FirstScope
   SS: case SS. IsB: case IsB.
   Or: apply lookup_string_value_list_or_no to IsB IsX. L: case Or.
     %lookup B1 X V1
      apply lookup_mem to L. apply remove_all_exists to IsB IsX.
      search.
     %no_lookup B1 X
      case IsA. L': apply mem_lookup to _ RS. LB: apply SS to L'.
      apply no_lookup to L LB.
  %RS-Later
   SS: case SS. case IsA. IsB: case IsB. apply IH to _ _ IsX SS2 RS1.
   Or: apply lookup_string_value_list_or_no to IsB IsX. L: case Or.
     %lookup B1 X V
      L': apply SS1 to L. apply no_lookup to RS L'.
     %no_lookup B1 X
      search.


Theorem scopes_same_replaceScopes_scopes_same : forall A B X V A' B',
  is_list (is_list (is_pair is_string is_value)) A ->
  is_list (is_list (is_pair is_string is_value)) B -> is_string X ->
  scopes_same A B -> replaceScopes X V A A' ->
  replaceScopes X V B B' -> scopes_same A' B'. [Show Proof]

induction on 5. intros IsA IsB IsX SS RSA RSB. RSA: case RSA.
  %RS-FirstScope
   RSB: case RSB.
     %RS-FirstScope
      SS: case SS. unfold.
        %lookup forward
         intros L. L: case L.
           %Lkp-Here
            search.
           %Lkp-Later
            L': apply remove_all_lookup_other to RSA1 L1 _.
            LB: apply SS to L'.
            apply remove_all_lookup_other_back to RSB1 LB _. search.
        %lookup backward
         intros L. L: case L.
           %Lkp-Here
            search.
           %Lkp-Later
            L': apply remove_all_lookup_other to RSB1 L1 _.
            LA: apply SS1 to L'.
            apply remove_all_lookup_other_back to RSA1 LA _. search.
        %rest
         search.
     %RS-Later
      case IsA. LA: apply mem_lookup to _ RSA. SS: case SS.
      LB: apply SS to LA. apply no_lookup to RSB LB.
  %RS-Later
   RSB: case RSB.
     %RS-FirstScope
      case IsB. LB: apply mem_lookup to _ RSB. SS: case SS.
      LA: apply SS1 to LB. apply no_lookup to RSA LA.
     %RS-Later
      SS: case SS. case IsA. case IsB.
      apply IH to _ _ _ SS2 RSA1 RSB1. search.


Theorem scopes_same_add_scope : forall A B,
  scopes_same A B -> scopes_same ([]::A) ([]::B). [Show Proof]

intros SS. unfold.
  %lookup forward
   intros. search.
  %lookup back
   intros. search.
  %rest
   search.


Extensible_Theorem
  evalExpr_scopes_same :
    forall E FE EE_A VA EE_A' OA EE_B VB EE_B' OB,
      IsE : is_expr E ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalExpr FE EE_A E VA EE_A' OA ->
      EvB : evalExpr FE EE_B E VB EE_B' OB ->
      VA = VB /\ OA = OB
    on EvA as IH_E,
  evalExpr_scopes_same_ctx :
    forall E FE EE_A VA EE_A' OA EE_B VB EE_B' OB,
      IsE : is_expr E ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalExpr FE EE_A E VA EE_A' OA ->
      EvB : evalExpr FE EE_B E VB EE_B' OB ->
      scopes_same EE_A' EE_B'
    on EvA as IH_E_C,
  evalStmt_scopes_same :
    forall S FE EE_A EE_A' OA EE_B EE_B' OB,
      IsS : is_stmt S ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalStmt FE EE_A S EE_A' OA ->
      EvB : evalStmt FE EE_B S EE_B' OB ->
      OA = OB
    on EvA as IH_S,
  evalStmt_scopes_same_ctx :
    forall S FE EE_A EE_A' OA EE_B EE_B' OB,
      IsS : is_stmt S ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalStmt FE EE_A S EE_A' OA ->
      EvB : evalStmt FE EE_B S EE_B' OB ->
      scopes_same EE_A' EE_B'
    on EvA as IH_S_C,
  evalArgs_scopes_same :
    forall A FE EE_A VA EE_A' OA EE_B VB EE_B' OB,
      IsA : is_args A ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalArgs FE EE_A A VA EE_A' OA ->
      EvB : evalArgs FE EE_B A VB EE_B' OB ->
      VA = VB /\ OA = OB
    on EvA as IH_A,
  evalArgs_scopes_same_ctx :
    forall A FE EE_A VA EE_A' OA EE_B VB EE_B' OB,
      IsA : is_args A ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalArgs FE EE_A A VA EE_A' OA ->
      EvB : evalArgs FE EE_B A VB EE_B' OB ->
      scopes_same EE_A' EE_B'
    on EvA as IH_A_C,
  evalRecFields_scopes_same :
    forall RF FE EE_A VA EE_A' OA EE_B VB EE_B' OB,
      IsRF : is_recFieldExprs RF ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalRecFields FE EE_A RF VA EE_A' OA ->
      EvB : evalRecFields FE EE_B RF VB EE_B' OB ->
      VA = VB /\ OA = OB
    on EvA as IH_RF,
  evalRecFields_scopes_same_ctx :
    forall RF FE EE_A VA EE_A' OA EE_B VB EE_B' OB,
      IsRF : is_recFieldExprs RF ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      EvA : evalRecFields FE EE_A RF VA EE_A' OA ->
      EvB : evalRecFields FE EE_B RF VB EE_B' OB ->
      scopes_same EE_A' EE_B'
    on EvA as IH_RF_C. [Show Proof]

%evalExpr_scopes_same
 %E-Num
  case EvB. search.
 %E-Plus
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply IH_E_C to _ _ _ _ SS EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA4 EvB3.
  apply plus_integer_unique to EvA3 EvB2. search.
 %E-Minus
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply IH_E_C to _ _ _ _ SS EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA4 EvB3.
  apply minus_integer_unique to EvA3 EvB2. search.
 %E-Mult
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply IH_E_C to _ _ _ _ SS EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA4 EvB3.
  apply multiply_integer_unique to EvA3 EvB2. search.
 %E-Div
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply IH_E_C to _ _ _ _ SS EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA4 EvB3.
  apply divide_integer_unique to EvA3 EvB2. search.
 %E-True
  case EvB. search.
 %E-False
  case EvB. search.
 %E-And-True
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA3 EvB2. search.
    %E-And-False1
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-And-False2
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
 %E-And-False1
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-And-False1
     apply IH_E to _ _ _ _ SS EvA1 EvB. search.
    %E-And-False2
     apply IH_E to _ _ _ _ SS EvA1 EvB.
 %E-And-False2
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
    %E-And-False1
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-And-False2
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA3 EvB2. search.
 %E-Or-True1
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_E to _ _ _ _ SS EvA1 EvB. search.
    %E-Or-True2
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-Or-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
 %E-Or-True2
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-Or-True2
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA3 EvB2. search.
    %E-Or-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
 %E-Or-False
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-Or-True2
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
    %E-Or-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA3 EvB2. search.
 %E-Not-True
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_E to _ _ _ _ SS EvA1 EvB. search.
    %E-Not-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
 %E-Not-False
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-Not-False
     apply IH_E to _ _ _ _ SS EvA1 EvB. search.
 %E-Greater-True
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA4 EvB3. search.
    %E-Greater-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply greater_lesseq_integer_false to EvA3 EvB2.
 %E-Greater-False
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply greater_lesseq_integer_false to EvB2 EvA3.
    %E-Greater-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA4 EvB3. search.
 %E-Eq-True
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA3 EvB2. search.
    %E-Eq-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1. apply EvB2 to _.
 %E-Eq-False
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1. apply EvA3 to _.
    %E-Eq-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
     apply IH_E_C to _ _ _ _ SS EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA4 EvB3. search.
 %E-String
  case EvB. search.
 %E-AppString
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply IH_E_C to _ _ _ _ SS EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA3 EvB2.
  apply append_unique to EvA4 EvB3. search.
 %E-Name
  case IsE. EvB: case EvB.
  apply scopes_same_lookupScopes to _ _ _ EvA1 EvB. search.
 %E-Call
  case IsE. EvB: case EvB. apply lookup_unique to EvB EvA1.
  apply IH_A to _ _ _ _ SS EvA2 EvB1. apply zip_unique to EvA3 EvB2.
  IsFP: apply lookup_is_value_funCtx to _ EvA1. IsFP: case IsFP.
  IsFP: case IsFP1. IsFP: case IsFP2.
  apply evalArgs_isValue to _ _ _ EvA2. apply zip_is to _ _ EvA3.
  apply evalStmt_unique to _ _ _ EvA4 EvB3.
  apply lookupScopes_unique to EvA6 EvB5.
  apply append_unique to EvA5 EvB4. search.
 %E-StmtExpr
  case IsE. SS': apply scopes_same_add_scope to SS. EvB: case EvB.
  apply IH_S to _ _ _ _ SS' EvA1 EvB.
  apply IH_S_C to _ _ _ _ SS' EvA1 EvB.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA3 EvB2.
  search.
 %E-RecBuild
  case IsE. EvB: case EvB. apply IH_RF to _ _ _ _ SS EvA1 EvB. search.
 %E-RecAccess
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply lookup_unique to EvA2 EvB1. search.
%evalExpr_scopes_same_ctx
 %E-Num
  case EvB. search.
 %E-Plus
  case IsE. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Minus
  case IsE. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Mult
  case IsE. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Div
  case IsE. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-True
  case EvB. search.
 %E-False
  case EvB. search.
 %E-And-True
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-And-False1
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-And-False2
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-And-False1
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-And-False1
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
    %E-And-False2
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-And-False2
  case IsE. EvB: case EvB.
    %E-And-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-And-False1
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-And-False2
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Or-True1
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
    %E-Or-True2
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Or-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Or-True2
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Or-True2
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-Or-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Or-False
  case IsE. EvB: case EvB.
    %E-Or-True1
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Or-True2
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-Or-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Not-True
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
    %E-Not-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
 %E-Not-False
  case IsE. EvB: case EvB.
    %E-Not-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
    %E-Not-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
 %E-Greater-True
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-Greater-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Greater-False
  case IsE. EvB: case EvB.
    %E-Greater-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-Greater-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Eq-True
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-Eq-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Eq-False
  case IsE. EvB: case EvB.
    %E-Eq-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
    %E-Eq-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-String
  case EvB. search.
 %E-AppString
  case IsE. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_E_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Name
  case EvB. search.
 %E-Call
  case IsE. EvB: case EvB. apply IH_A_C to _ _ _ _ _ EvA2 EvB1.
  search.
 %E-StmtExpr
  case IsE. EvB: case EvB. apply scopes_same_add_scope to SS.
  apply IH_S_C to _ _ _ _ _ EvA1 EvB.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  SS': apply IH_E_C to _ _ _ _ _ EvA2 EvB1. case SS'. search.
 %E-RecBuild
  case IsE. EvB: case EvB. apply IH_RF_C to _ _ _ _ _ EvA1 EvB.
  search.
 %E-RecAccess
  case IsE. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
%evalStmt_scopes_same
 %E-Noop
  case EvB. search.
 %E-Seq
  case IsS. EvB: case EvB. apply IH_S_C to _ _ _ _ _ EvA1 EvB.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  apply IH_S to _ _ _ _ _ EvA1 EvB. apply IH_S to _ _ _ _ _ EvA2 EvB1.
  apply append_unique to EvA3 EvB2. search.
 %E-Declare
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB. search.
 %E-Assign
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB. search.
 %E-RecUpdate
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB. search.
 %E-If-True
  case IsS. EvB: case EvB.
    %E-If-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA1 EvB.
     apply IH_S to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA3 EvB2. search.
   %E-If-False
    apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-If-False
  case IsS. EvB: case EvB.
    %E-If-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-If-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_E to _ _ _ _ _ EvA1 EvB.
     apply IH_S to _ _ _ _ _ EvA2 EvB1.
     apply append_unique to EvA3 EvB2. search.
 %E-While-True
  case IsS. EvB: case EvB.
    %E-While-True
     SS1: apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     SS1': apply scopes_same_add_scope to SS1.
     apply IH_E to _ _ _ _ _ EvA1 EvB.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     apply IH_S to _ _ _ _ _ EvA2 EvB1.
     SS2: apply IH_S_C to _ _ _ _ _ EvA2 EvB1. SS2': case SS2.
     IsEE2+: apply evalStmt_isCtx to _ _ _ EvA2. case IsEE2+.
     IsEE4+: apply evalStmt_isCtx to _ _ _ EvB1. case IsEE4+.
     apply IH_S to _ _ _ _ _ EvA3 EvB2.
     apply append_unique to EvA4 EvB3.
     apply append_unique to EvA5 EvB4. search.
    %E-While-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-While-False
  case IsS. EvB: case EvB.
    %E-While-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-While-False
     apply IH_E to _ _ _ _ _ EvA1 EvB. search.
 %E-ScopeStmt
  case IsS. EvB: case EvB. apply scopes_same_add_scope to SS.
  apply IH_S to _ _ _ _ _ EvA1 EvB. search.
 %E-Print-Int
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E to _ _ _ _ _ EvA1 EvB.
     apply append_unique to EvA2 EvB1. search.
    %E-Print-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-String
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Print-True
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
     apply append_unique to EvA2 EvB1. search.
    %E-Print-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-String
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Print-False
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
     apply append_unique to EvA2 EvB1. search.
    %E-Print-String
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Print-String
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-String
     apply IH_E to _ _ _ _ _ EvA1 EvB.
     apply append_unique to EvA2 EvB1. search.
%evalStmt_scopes_same_ctx
 %E-Noop
  case EvB. search.
 %E-Seq
  case IsS. EvB: case EvB. apply IH_S_C to _ _ _ _ _ EvA1 EvB.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB.
  apply IH_S_C to _ _ _ _ _ EvA2 EvB1. search.
 %E-Declare
  case IsS. EvB: case EvB. SS': apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA1 EvB. SS': case SS'. unfold.
    %lookup forward
     intros L. L: case L.
       %Lkp-Here
        search.
       %Lkp-Later
        apply SS' to L1. search.
    %lookup back
     intros L. L: case L.
       %Lkp-Here
        search.
       %Lkp-Later
        apply SS'1 to L1. search.
    %rest
     search.
 %E-Assign
  case IsS. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA1 EvB. apply evalExpr_isCtx to _ _ _ EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply scopes_same_replaceScopes_scopes_same to _ _ _ _ EvA2 EvB1.
  search.
 %E-RecUpdate
  case IsS. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA1 EvB. apply evalExpr_isCtx to _ _ _ EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply scopes_same_lookupScopes to _ _ _ EvA2 EvB1.
  apply updateRecFields_unique to EvA3 EvB2.
  apply scopes_same_replaceScopes_scopes_same to _ _ _ _ EvA4 EvB3.
  search.
 %E-If-True
  case IsS. EvB: case EvB.
    %E-If-True
     SS1: apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply scopes_same_add_scope to SS1.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     SS2: apply IH_S_C to _ _ _ _ _ EvA2 EvB1. case SS2. search.
    %E-If-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-If-False
  case IsS. EvB: case EvB.
    %E-If-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-If-False
     SS1: apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply scopes_same_add_scope to SS1.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     SS2: apply IH_S_C to _ _ _ _ _ EvA2 EvB1. case SS2. search.
 %E-While-True
  case IsS. EvB: case EvB.
    %E-While-True
     SS1: apply IH_E_C to _ _ _ _ _ EvA1 EvB.
     apply scopes_same_add_scope to SS1.
     apply evalExpr_isCtx to _ _ _ EvA1.
     apply evalExpr_isCtx to _ _ _ EvB.
     SS2: apply IH_S_C to _ _ _ _ _ EvA2 EvB1. case SS2.
     IsEE2+: apply evalStmt_isCtx to _ _ _ EvA2. case IsEE2+.
     IsEE4+: apply evalStmt_isCtx to _ _ _ EvB1. case IsEE4+.
     apply IH_S_C to _ _ _ _ _ EvA3 EvB2. search.
    %E-While-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-While-False
  case IsS. EvB: case EvB.
    %E-While-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-While-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
 %E-ScopeStmt
  case IsS. EvB: case EvB. apply scopes_same_add_scope to SS.
  SS': apply IH_S_C to _ _ _ _ _ EvA1 EvB. case SS'. search.
 %E-Print-Int
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
    %E-Print-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-String
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Print-True
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-True
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
    %E-Print-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-String
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Print-False
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-False
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
    %E-Print-String
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Print-String
  case IsS. EvB: case EvB.
    %E-Print-Int
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Print-String
     apply IH_E_C to _ _ _ _ _ EvA1 EvB. search.
%evalArgs_scopes_same
 %EA-Nil
  case EvB. search.
 %EA-Cons
  case IsA. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_A to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA3 EvB2.
  search.
%evalArgs_scopes_same_ctx
 %EA-Nil
  case EvB. search.
 %EA-Cons
  case IsA. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_A_C to _ _ _ _ _ EvA2 EvB1. search.
%evalRecFields_scopes_same
 %ERF-Nil
  case EvB. search.
 %ERF-Cons
  case IsRF. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_RF to _ _ _ _ _ EvA2 EvB1.
  apply append_unique to EvA3 EvB2. search.
%evalRecFields_scopes_same_ctx
 %ERF-Nil
  case EvB. search.
 %ERF-Cons
  case IsRF. EvB: case EvB. apply IH_E_C to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply IH_RF_C to _ _ _ _ _ EvA2 EvB1. search.


Extensible_Theorem
  evalExpr_scopes_same_exists : forall E FE EE_A V EE_A' O EE_B,
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
    IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
    SS : scopes_same EE_A EE_B ->
    EvA : evalExpr FE EE_A E V EE_A' O ->
    exists EE_B', evalExpr FE EE_B E V EE_B' O
  on EvA as IH_E,
  evalStmt_scopes_same_exists : forall S FE EE_A EE_A' O EE_B,
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
    IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
    SS : scopes_same EE_A EE_B ->
    EvA : evalStmt FE EE_A S EE_A' O ->
    exists EE_B', evalStmt FE EE_B S EE_B' O
  on EvA as IH_S,
  evalArgs_scopes_same_exists : forall A FE EE_A V EE_A' O EE_B,
    IsA : is_args A ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
    IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
    SS : scopes_same EE_A EE_B ->
    EvA : evalArgs FE EE_A A V EE_A' O ->
    exists EE_B', evalArgs FE EE_B A V EE_B' O
  on EvA as IH_A,
  evalRecFields_scopes_same_exists : forall RF FE EE_A V EE_A' O EE_B,
    IsRF : is_recFieldExprs RF ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
    IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
    SS : scopes_same EE_A EE_B ->
    EvA : evalRecFields FE EE_A RF V EE_A' O ->
    exists EE_B', evalRecFields FE EE_B RF V EE_B' O
  on EvA as IH_RF. [Show Proof]

%evalExpr_scopes_same_exists
 %E-Num
  search.
 %E-Plus
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Minus
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Mult
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Div
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-And-False1
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
 %E-And-False2
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Or-True1
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Or-True2
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Or-False
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Not-True
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Not-False
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Greater-True
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Greater-False
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Eq-True
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Eq-False
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-String
  search.
 %E-AppString
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS' EvA2. search.
 %E-Name
  case IsE. apply scopes_same_lookupScopes_exists to _ _ SS EvA1.
  search.
 %E-Call
  case IsE. EvB: apply IH_A to _ _ _ _ SS EvA2. search.
 %E-StmtExpr
  case IsE. SS': apply scopes_same_add_scope to SS.
  EvB1: apply IH_S to _ _ _ _ SS' EvA1.
  SS1: apply evalStmt_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB1.
  EvB2: apply IH_E to _ _ _ _ SS1 EvA2.
  SS2: apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA2 EvB2.
  case SS2. search.
 %E-RecBuild
  case IsE. apply IH_RF to _ _ _ _ SS EvA1. search.
 %E-RecAccess
  case IsE. apply IH_E to _ _ _ _ SS EvA1. search.
%evalStmt_scopes_same_exists
 %E-Noop
  search.
 %E-Seq
  case IsS. EvB1: apply IH_S to _ _ _ _ SS EvA1.
  SS': apply evalStmt_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalStmt_isCtx to _ _ _ EvA1.
  apply evalStmt_isCtx to _ _ _ EvB1.
  apply IH_S to _ _ _ _ SS' EvA2. search.
 %E-Declare
  case IsS. EvB: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB.
  case SS' (keep). apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB. search.
 %E-Assign
  case IsS. EvB: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply scopes_same_replaceScopes_exists to _ _ _ SS' EvA2. search.
 %E-RecUpdate
  case IsS. EvB: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB.
  apply scopes_same_replaceScopes_exists to _ _ _ SS' EvA4.
  apply scopes_same_lookupScopes_exists to _ _ SS EvA2. search.
 %E-If-True
  case IsS. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  SS1: apply scopes_same_add_scope to SS'.
  EvB2: apply IH_S to _ _ _ _ SS1 EvA2.
  SS2: apply evalStmt_scopes_same_ctx to _ _ _ _ _ EvA2 EvB2.
  case SS2. search.
 %E-If-False
  case IsS. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  SS1: apply scopes_same_add_scope to SS'.
  EvB2: apply IH_S to _ _ _ _ SS1 EvA2.
  SS2: apply evalStmt_scopes_same_ctx to _ _ _ _ _ EvA2 EvB2.
  case SS2. search.
 %E-While-True
  case IsS. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  SS1: apply scopes_same_add_scope to SS'.
  EvB2: apply IH_S to _ _ _ _ SS1 EvA2.
  SS2: apply evalStmt_scopes_same_ctx to _ _ _ _ _ EvA2 EvB2.
  SS2': case SS2. IsEE2+: apply evalStmt_isCtx to _ _ _ EvA2.
  IsBR+: apply evalStmt_isCtx to _ _ _ EvB2. case IsEE2+. case IsBR+.
  apply IH_S to _ _ _ _ SS2'2 EvA3. search.
 %E-While-False
  case IsS. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-ScopeStmt
  case IsS. SS': apply scopes_same_add_scope to SS.
  EvB: apply IH_S to _ _ _ _ SS' EvA1.
  SS'': apply evalStmt_scopes_same_ctx to _ _ _ _ _ EvA1 EvB.
  case SS''. search.
 %E-PrintInt
  case IsS. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Print-True
  case IsS. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Print-False
  case IsS. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Print-String
  case IsS. apply IH_E to _ _ _ _ SS EvA1. search.
%evalArgs_scopes_same_exists
 %EA-Nil
  search.
 %EA-Cons
  case IsA. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply IH_A to _ _ _ _ SS' EvA2. search.
%evalRecFields_scopes_same_exists
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  apply evalExpr_isCtx to _ _ _ EvA1.
  apply evalExpr_isCtx to _ _ _ EvB1.
  SS': apply evalExpr_scopes_same_ctx to _ _ _ _ _ EvA1 EvB1.
  apply IH_RF to _ _ _ _ SS' EvA2. search.




/********************************************************************
 Projection Constraints for Evaluation
 ********************************************************************/
%projection evaluates to same value, related ctxs
Projection_Constraint proj_evalExpr_forward :
  forall Names E E' FE EE V EE' O,
    Pr : Names |{expr}- E ~~> E' ->
    Names : names EE Names ->
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalExpr FE EE E V EE' O ->
    exists EE'', evalExpr FE EE E' V EE'' O /\
                 scopes_same EE' EE''.


%if proj evaluates, original evaluates to same value, related ctxs if
%it only uses names occurring in the original
Projection_Constraint proj_evalExpr_backward :
  forall Names E E' FE EE V EE' O Ctx,
    Pr : Names |{expr}- E ~~> E' ->
    Names : names EE Names ->
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IsCtx : is_list (is_list is_string) Ctx ->
    Ctxs : ctx_names EE Ctx ->
    EN : exprNames Ctx E [] ->
    Ev : evalExpr FE EE E' V EE' O ->
    exists EE'', evalExpr FE EE E V EE'' O /\
                 scopes_same EE' EE''.


%projection evaluates to a related context
Projection_Constraint proj_evalStmt_forward :
  forall Names S S' FE EE EE' O,
    Pr : Names |{stmt}- S ~~> S' ->
    Names : names EE Names ->
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalStmt FE EE S EE' O ->
    exists EE'', evalStmt FE EE S' EE'' O /\
                 scopes_same EE' EE''.

%if proj evaluates, original evaluates to a related context if it
%only uses names occurring in the original
Projection_Constraint proj_evalStmt_backward :
  forall Names S S' FE EE EE' O Ctx Ctx',
    Pr : Names |{stmt}- S ~~> S' ->
    Names : names EE Names ->
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IsCtx : is_list (is_list is_string) Ctx ->
    Ctxs : ctx_names EE Ctx ->
    SN : stmtNames Ctx S [] Ctx' ->
    Ev : evalStmt FE EE S' EE' O ->
    exists EE'', evalStmt FE EE S EE'' O /\
                 scopes_same EE' EE''.


/*
  We don't include any projection constraints for argument and record
  field expression evaluation because we introduced properties above
  to make the types nonextensible, so there cannot actually be
  projecting syntax for them.
*/




/********************************************************************
 Evaluation Ext_Ind for statements, expressions, and associated terms
 ********************************************************************/
Ext_Ind forall FE EE E V EE' O, evalExpr FE EE E V EE' O with
           IsFE : is_list (is_pair is_string
                          (is_pair is_string
                          (is_pair is_value
                          (is_pair (is_list is_string) is_stmt)))) FE,
           IsEE : is_list (is_list (is_pair is_string is_value)) EE,
           IsE : is_expr E;
        forall FE EE A V EE' O, evalArgs FE EE A V EE' O with
           IsFE : is_list (is_pair is_string
                          (is_pair is_string
                          (is_pair is_value
                          (is_pair (is_list is_string) is_stmt)))) FE,
           IsEE : is_list (is_list (is_pair is_string is_value)) EE,
           IsA : is_args A;
        forall FE EE RF V EE' O, evalRecFields FE EE RF V EE' O with
           IsFE : is_list (is_pair is_string
                          (is_pair is_string
                          (is_pair is_value
                          (is_pair (is_list is_string) is_stmt)))) FE,
           IsEE : is_list (is_list (is_pair is_string is_value)) EE,
           IsRF : is_recFieldExprs RF;
        forall FE EE S EE' O, evalStmt FE EE S EE' O with
           IsFE : is_list (is_pair is_string
                          (is_pair is_string
                          (is_pair is_value
                          (is_pair (is_list is_string) is_stmt)))) FE,
           IsEE : is_list (is_list (is_pair is_string is_value)) EE,
           IsS : is_stmt S. [Show Proof]

%evalExpr
 %E-Num
  search.
 %E-Plus
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Minus
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Mult
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Div
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-And-False1
  case IsE. apply IH4 to R1 Acc _ _ _. search.
 %E-And-False2
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Or-True1
  case IsE. apply IH4 to R1 Acc _ _ _. search.
 %E-Or-True2
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Or-False
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Not-True
  case IsE. apply IH4 to R1 Acc _ _ _. search.
 %E-Not-False
  case IsE. apply IH4 to R1 Acc _ _ _. search.
 %E-Greater-True
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Greater-False
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Eq-True
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Eq-False
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-String
  search.
 %E-AppString
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-Name
  search.
 %E-Call
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalArgs to R3.
  LE_N3: apply ext_size_pos_evalStmt to R5.
  OrN2: apply lt_left to R1 _ _. apply ext_size_is_int_evalStmt to R5.
  OrN3: apply lt_right to R1 _ _ _. Is: case IsE.
  IsFP: apply lookup_is_value_funCtx to _ R2. IsFP: case IsFP.
  IsFP: case IsFP1. IsFP: case IsFP2.
  EvA: apply drop_ext_size_evalArgs to R3.
  apply evalArgs_isValue to _ _ _ EvA. apply zip_is to _ _ R4.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH5 to R3 A2 _ _ _.
     LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R5 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R5 Acc _ _ _. search.
    %N2 = N
     apply IH5 to R3 Acc _ _ _. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R5 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R5 Acc _ _ _. search.
 %E-StmtExpr
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalStmt to R2.
  LE_N3: apply ext_size_pos_evalExpr to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalExpr to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsE. Ev1: apply drop_ext_size_evalStmt to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH7 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalStmt to R2.
     apply evalStmt_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH7 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalStmt to R2.
     apply evalStmt_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH4 to R3 Acc _ _ _. search.
 %E-RecBuild
  case IsE. apply IH6 to R1 Acc _ _ _. search.
 %E-RecAccess
  case IsE. apply IH4 to R1 Acc _ _ _. search.
%evalArgs
 %EA-Nil
  search.
 %EA-Cons
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalArgs to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalArgs to R3.
  OrN3: apply lt_right to R1 _ _ _. Is: case IsA. LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH5 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH5 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH5 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH5 to R3 Acc _ _ _. search.
%evalRecFields
 %ERF-Nil
  search.
 %ERF-Cons
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalRecFields to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalRecFields to R3.
  OrN3: apply lt_right to R1 _ _ _. Is: case IsRF. LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH6 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH6 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH6 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH6 to R3 Acc _ _ _. search.
%evalStmt
 %E-Noop
  search.
 %E-Seq
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalStmt to R2.
  LE_N3: apply ext_size_pos_evalStmt to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalStmt to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsS. Ev1: apply drop_ext_size_evalStmt to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH7 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalStmt to R2.
     apply evalStmt_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH7 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalStmt to R2.
     apply evalStmt_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R3 Acc _ _ _. search.
 %E-Declare
  case IsS. apply IH4 to R1 Acc _ _ _. search.
 %E-Assign
  case IsS. apply IH4 to R1 Acc _ _ _. search.
 %E-RecUpdate
  case IsS. apply IH4 to R1 Acc _ _ _. search.
 %E-If-True
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalStmt to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalStmt to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsS. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R3 Acc _ _ _. search.
 %E-If-False
  Acc': case Acc (keep). LE_N2: apply ext_size_pos_evalExpr to R2.
  LE_N3: apply ext_size_pos_evalStmt to R3.
  OrN2: apply lt_left to R1 _ _.
  apply ext_size_is_int_evalStmt to R3.
  OrN3: apply lt_right to R1 _ _ _.
  Is: case IsS. Ev1: apply drop_ext_size_evalExpr to R2.
  LN2: case OrN2.
    %N2 < N
     A2: apply Acc' to _ LN2. apply IH4 to R2 A2 _ _ _.
     Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R3 Acc _ _ _. search.
    %N2 = N
     apply IH4 to R2 Acc _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
     apply evalExpr_isCtx to _ _ _ Ev. LN3: case OrN3.
       %N3 < N
        A3: apply Acc' to _ LN3. apply IH7 to R3 A3 _ _ _. search.
       %N3 = N
        apply IH7 to R3 Acc _ _ _. search.
 %E-While-True
  LE_N2: apply ext_size_pos_evalExpr to R3.
  LE_N4: apply ext_size_pos_evalStmt to R5.
  LE_N5: apply ext_size_pos_evalStmt to R4. Is: case IsS.
  EvCond: apply drop_ext_size_evalExpr to R3.
  apply evalExpr_isCtx to _ _ _ EvCond.
  EvBody: apply drop_ext_size_evalStmt to R4.
  IsEE4+: apply evalStmt_isCtx to _ _ _ EvBody. case IsEE4+.
  apply ext_size_is_int_evalExpr to R3.
  apply ext_size_is_int_evalStmt to R5.
  apply ext_size_is_int_evalStmt to R4.
  LE_N2_N5: apply lte_left to R2 _ _ _.
  LE_N4_N5: apply lte_right to R2 _ _ _.
  apply lesseq_integer__add_positives to _ _ R2.
  Or3: apply lt_left to R1 _ _.
  apply plus_integer_is_integer to _ _ R2.
  LE_N5_N: apply lte_right to R1 _ _ _.
  LE_N2_N: apply lesseq_integer_transitive to LE_N2_N5 LE_N5_N.
  LE_N4_N: apply lesseq_integer_transitive to LE_N4_N5 LE_N5_N.
  Or2: apply lesseq_integer_less_or_eq to LE_N2_N.
  Or4: apply lesseq_integer_less_or_eq to LE_N4_N.
  Acc': case Acc (keep).
  assert <evalExpr {P}> FE EE Cond trueVal EE2 O2.
    LN3: case Or3.
      %N3 < N
       A3: apply Acc' to _ LN3. apply IH4 to R3 A3 _ _ _. search.
      %N3 = N
       apply IH4 to R3 Acc _ _ _. search.
  assert <evalStmt {P}> FE ([]::EE2) Body (Scope::EE4) O3.
    LN2: case Or2.
      %N2 < N
       A2: apply Acc' to _ LN2. apply IH7 to R4 A2 _ _ _. search.
      %N3 = N
       apply IH7 to R4 Acc _ _ _. search.
  assert <evalStmt {P}> FE EE4 (while Cond Body) EE' O4.
    LN4: case Or4.
      %N4 < N
       A4: apply Acc' to _ LN4. apply IH7 to R5 A4 _ _ _. search.
      %N4 = N
       apply IH7 to R5 Acc _ _ _. search.
  search.
 %E-While-False
  case IsS. apply IH4 to R1 Acc _ _ _. search.
 %E-ScopeStmt
  case IsS. apply IH7 to R1 Acc _ _ _. search.
 %E-Print-Int
  case IsS. apply IH4 to R1 Acc _ _ _. search.
 %E-Print-True
  case IsS. apply IH4 to R1 Acc _ _ _. search.
 %E-Print-False
  case IsS. apply IH4 to R1 Acc _ _ _. search.
 %E-Print-String
  case IsS. apply IH4 to R1 Acc _ _ _. search.




/********************************************************************
 Gathered function evaluation information unique
 ********************************************************************/
Extensible_Theorem
  paramName_unique : forall P NA NB,
    IsP : is_param P ->
    PA : paramName P NA ->
    PB : paramName P NB ->
    NA = NB
  on PA. [Show Proof]

%PN-Param
 case PB. search.


Theorem paramNames_unique : forall P NA NB,
  is_list is_param P -> paramNames P NA -> paramNames P NB -> NA = NB. [Show Proof]

induction on 2. intros IsP PA PB. PA: case PA.
  %PNs-Empty
   case PB. search.
  %PNs-Cons
   PB: case PB. case IsP. apply paramName_unique to _ PA PB.
   apply IH to _ PA1 PB1. search.


%a parameter's projection has the same name as it;
%new parameter constructors should just be extra info around same name
Projection_Constraint proj_paramName_forward : forall P P' N,
  Pr : |{param}- P ~~> P' ->
  IsP : is_param P ->
  PN : paramName P N ->
  paramName P' N.

%if a parameter's projection gives info, the original gives the same
Projection_Constraint proj_paramName_back : forall P P' N,
  Pr : |{param}- P ~~> P' ->
  IsP : is_param P ->
  PN : paramName P' N ->
  paramName P N.


Extensible_Theorem
  getFunEvalInfo_unique : forall F NA RA VA PA BA NB RB VB PB BB,
    IsF : is_fun F ->
    GFEIA : getFunEvalInfo F NA RA VA PA BA ->
    GFEIB : getFunEvalInfo F NB RB VB PB BB ->
    NA = NB /\ RA = RB /\ VA = VB /\ PA = PB /\ BA = BB
  on GFEIA. [Show Proof]

%GFEI-Fun
 GFEIB: case GFEIB. case IsF.
 apply paramNames_unique to _ GFEIA1 GFEIB. search.


Theorem getFunEvalCtx_unique : forall Fs FCA FCB,
  is_list is_fun Fs -> getFunEvalCtx Fs FCA -> getFunEvalCtx Fs FCB ->
  FCA = FCB. [Show Proof]

induction on 2. intros IsFs GFECA GFECB. GFECA: case GFECA.
  %GFEC-Empty
   case GFECB. search.
  %GFEC-Cons
   GFECB: case GFECB. case IsFs.
   apply getFunEvalInfo_unique to _ GFECA GFECB.
   apply IH to _ GFECA1 GFECB1. search.


%a function's projection gives the same information as it
Projection_Constraint proj_getFunEvalInfo_forward :
  forall F F' N R V P B,
    Pr : |{fun}- F ~~> F' ->
    IsF : is_fun F ->
    GFEI : getFunEvalInfo F N R V P B ->
    getFunEvalInfo F' N R V P B.

%if a function's projection gives info, the original gives the same
Projection_Constraint proj_getFunEvalInfo_back :
  forall F F' N R V P B,
    Pr : |{fun}- F ~~> F' ->
    IsF : is_fun F ->
    GFEI : getFunEvalInfo F' N R V P B ->
    getFunEvalInfo F N R V P B.




/********************************************************************
 Program evaluation unique
 ********************************************************************/
Extensible_Theorem
  evalProgram_unique : forall A P OA OB,
    IsA : is_list is_value A ->
    IsP : is_program P ->
    EvA : evalProgram A P OA ->
    EvB : evalProgram A P OB ->
    OA = OB
  on EvA. [Show Proof]

%E-Program
 EvB: case EvB. case IsP. apply getFunEvalCtx_unique to _ EvA1 EvB.
 apply getFunEvalInfo_unique to _ EvA2 EvB1.
 apply zip_unique to EvA3 EvB2. apply getFunEvalCtx_is to _ EvA1.
 apply getFunEvalInfo_is to _ EvA2. apply zip_is to _ _ EvA3.
 apply evalStmt_unique to _ _ _ EvA4 EvB3. search.


%a program's projection evaluates the same as it
Projection_Constraint proj_evalProgram_forward : forall P P' A O,
  Pr : |{program}- P ~~> P' ->
  IsP : is_program P ->
  IsA : is_list is_value A ->
  Ev : evalProgram A P O ->
  evalProgram A P' O.

%if a program's projection evaluates, the original evaluates the same
Projection_Constraint proj_evalProgram_back : forall P P' A O,
  Pr : |{program}- P ~~> P' ->
  IsP : is_program P ->
  IsA : is_list is_value A ->
  Ev : evalProgram A P' O ->
  evalProgram A P O.




/********************************************************************
 Type preservation
 ********************************************************************/
Define related_all_scopes :
    list (list (pair string typ)) ->
    list (list (pair string value)) -> prop by
  related_all_scopes [] [];
  related_all_scopes (A::ARest) (B::BRest) :=
    (forall X T,
       lookup A X T -> exists V, lookup B X V /\ valueType V T) /\
    (forall X, no_lookup A X -> no_lookup B X) /\
    related_all_scopes ARest BRest.


Theorem related_all_scopes_add : forall A B AS BS X V T,
  related_all_scopes (AS::A) (BS::B) -> valueType V T ->
  related_all_scopes (((X, T)::AS)::A) (((X, V)::BS)::B). [Show Proof]

intros RAS. R: case RAS. unfold.
  %lookup
   intros LkpA LkpB. LkpA: case LkpA.
     %Lkp-Here
      search.
     %Lkp-Later
      apply R to LkpA1. search.
  %no_lookup
   intros N. N: case N. apply R1 to N1. search.
  %rest
   search.


Theorem related_all_scopes_add_scope : forall A B,
  related_all_scopes A B -> related_all_scopes ([]::A) ([]::B). [Show Proof]

intros R. unfold.
  %lookup
   intros L. case L.
  %no_lookup
   intros N. search.
  %rest
   search.


Theorem related_all_scopes_lookupScopes : forall A B X V T,
  related_all_scopes A B -> lookupScopes X A T ->
  lookupScopes X B V -> valueType V T. [Show Proof]

induction on 1. intros R LA LB. LA: case LA.
  %LS-FirstScope
   R: case R. LB: case LB.
     %LS-FirstScope
      L: apply R to LA. apply lookup_unique to LB L. search.
     %LS-Later
      L: apply R to LA. apply no_lookup to LB L.
  %LS-Later
   R: case R. LB: case LB.
     %LS-FirstScope
      N: apply R1 to LA. apply no_lookup to N LB.
     %LS-Later
      apply IH to R2 LA1 LB1. search.


Define valueTypeList : list value -> list typ -> prop by
  valueTypeList [] [];
  valueTypeList (V::VRest) (T::TRest) :=
    valueType V T /\ valueTypeList VRest TRest.


Theorem valueTypeList_related_all_scopes :
  forall Vs Tys Ns VScope TScope,
    valueTypeList Vs Tys -> zip Ns Vs VScope -> zip Ns Tys TScope ->
    related_all_scopes [TScope] [VScope]. [Show Proof]

induction on 1. intros VTL ZV ZT. VTL: case VTL.
  %nil
   case ZV. case ZT. unfold.
     intros L. case L.
     intros. search.
     search.
  %cons
   ZV: case ZV. ZT: case ZT. R: apply IH to VTL1 ZV ZT. R: case R.
   unfold.
     %lookup
      intros L. L: case L.
        %Lkp-Here
         search.
        %Lkp-Later
         apply R to L1. search.
     %no_lookup
      intros N. N: case N. apply R1 to N1. search.
     %rest
      search.


Theorem valFieldTys_lookup : forall Fields FieldTys F V Ty,
  valFieldTys Fields FieldTys -> lookup Fields F V ->
  lookupRecFieldTy FieldTys F Ty -> valueType V Ty. [Show Proof]

induction on 1. intros VFT LV LT. VFT: case VFT.
  %VFT-Nil
   case LV.
  %VFT-Cons
   LV: case LV.
     %Lkp-Here
      LT: case LT.
        %LRF-Here
         search.
        %LRF-Later
         apply LT to _.
     %Lkp-Later
      LT: case LT.
        %LRF-Here
         apply LV to _.
        %LRF-Later
         apply IH to VFT1 LV1 LT1. search.


Theorem related_all_scopes_replaceScopes : forall ET EE X V EE' Ty,
  is_list (is_list (is_pair is_string is_typ)) ET ->
  is_list (is_list (is_pair is_string is_value)) EE ->
  related_all_scopes ET EE -> replaceScopes X V EE EE' ->
  lookupScopes X ET Ty -> valueType V Ty ->
  related_all_scopes ET EE'. [Show Proof]

induction on 4. intros IsET IsEE RAS RS LTy VTy. RS: case RS.
  %RS-FirstScope
   RAS: case RAS. LTy: case LTy.
     %LS-FirstScope
      unfold.
        %lookup
         intros L. case IsET. IsX: apply lookup_is_key_type to _ LTy.
         IsX1: apply lookup_is_key_type to _ L.
         Or: apply is_string_eq_or_not to IsX IsX1. E: case Or.
           %X = X1
            apply lookup_unique to LTy L. search.
           %X != X1
            LNew: apply RAS to L.
            apply remove_all_lookup_other_back to RS1 LNew _. search.
        %no_lookup
         intros N. unfold.
           %X != X1
            intros E. case E. apply no_lookup to N LTy.
           %no_lookup LRemain X1
            N': apply RAS1 to N.
            apply remove_all_no_lookup_back to RS1 N'. search.
        %rest
         search.
     %LS-Later
      N: apply RAS1 to LTy. apply no_lookup_mem to N RS.
  %RS-Later
   RAS: case RAS. LTy: case LTy.
     %LS-FirstScope
      apply RAS to LTy. apply no_lookup to RS _.
     %LS-Later
      case IsET. case IsEE. apply IH to _ _ RAS2 RS1 LTy1 _. search.


Theorem replaceRecVal_typePres : forall L Tys F VTy V L',
  valFieldTys L Tys -> lookupRecFieldTy Tys F VTy ->
  valueType V VTy -> replaceRecVal F V L L' -> valFieldTys L' Tys. [Show Proof]

induction on 4. intros VFT L VTy RRV. RRV: case RRV.
  %RRV-Here
   case VFT. L: case L.
     %LRF-Here
      search.
     %LRF-Later
      apply L to _.
  %RRV-Later
   VFT: case VFT. L: case L.
     %LRF-Here
      apply RRV to _.
     %LRF-Later
      apply IH to VFT1 L1 VTy RRV1. search.


Theorem updateRecFields_typePres : forall Fs FTys Ty V FVals Out,
  nestedFieldTy Fs FTys Ty -> updateRecFields Fs V FVals Out ->
  valueType V Ty -> valFieldTys FVals FTys -> valFieldTys Out FTys. [Show Proof]

induction on 2. intros NFT URF VTy VFT. URF: case URF.
  %URF-One
   NFT: case NFT.
     %NFT-LastField
      apply replaceRecVal_typePres to _ _ _ URF. search.
     %NFT-StepField
      case NFT1.
  %URF-Step
   NFT: case NFT.
     %NFT-LastField
      case URF1.
     %NFT-StepField
      RVTy: apply valFieldTys_lookup to VFT URF NFT. case RVTy.
      apply IH to NFT1 URF1 VTy _.
      apply replaceRecVal_typePres to _ _ _ URF2. search.


Extensible_Theorem
  evalExpr_typePres_ctx : forall E FT ET Ty FE EE EE' O V,
    IsE : is_expr E ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : typeOf FT ET E Ty ->
    Ev : evalExpr FE EE E V EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    related_all_scopes ET EE'
  on Ev as IH_C_E,
  evalExpr_typePres : forall E FT ET Ty FE EE EE' O V,
    IsE : is_expr E ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : typeOf FT ET E Ty ->
    Ev : evalExpr FE EE E V EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    valueType V Ty
  on Ev as IH_T_E,
  evalStmt_typePres : forall S FT ET ET' FE EE EE' O,
    IsS : is_stmt S ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : stmtOK FT ET S ET' ->
    Ev : evalStmt FE EE S EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    related_all_scopes ET' EE'
  on Ev as IH_C_S,
  evalArgs_typePres_Ctx : forall A FT ET Tys FE EE EE' O Vs,
    IsA : is_args A ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : typeOfArgs FT ET A Tys ->
    Ev : evalArgs FE EE A Vs EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    related_all_scopes ET EE'
  on Ev as IH_C_A,
  evalArgs_typePres : forall A FT ET Tys FE EE EE' O Vs,
    IsA : is_args A ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : typeOfArgs FT ET A Tys ->
    Ev : evalArgs FE EE A Vs EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    valueTypeList Vs Tys
  on Ev as IH_T_A,
  evalRecFields_typePres_Ctx : forall RF FT ET FTys FE EE EE' O FVs,
    IsRF : is_recFieldExprs RF ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : typeOfRecFields FT ET RF FTys ->
    Ev : evalRecFields FE EE RF FVs EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    related_all_scopes ET EE'
  on Ev as IH_C_RF,
  evalRecFields_typePres : forall RF FT ET FTys FE EE EE' O FVs,
    IsRF : is_recFieldExprs RF ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : typeOfRecFields FT ET RF FTys ->
    Ev : evalRecFields FE EE RF FVs EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    valFieldTys FVs FTys
  on Ev as IH_T_RF. [Show Proof]

%evalExpr_typePres_ctx
 %E-Num
  search.
 %E-Plus
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Minus
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Mult
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Div
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-And-False1
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _. search.
 %E-And-False2
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Or-True1
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _. search.
 %E-Or-True2
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Or-False
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Not-True
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _. search.
 %E-Not-False
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _. search.
 %E-Greater-True
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Greater-False
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Eq-True
  case IsE. Ty: case Ty.
    %T-Eq-Int
     apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
    %T-Eq-Bool
     apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
    %T-Eq-String
     apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Eq-False
  case IsE. Ty: case Ty.
    %T-Eq-Int
     apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
    %T-Eq-Bool
     apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
    %T-Eq-String
     apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
     apply evalExpr_isCtx to _ _ _ Ev1.
     apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-String
  search.
 %E-AppString
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Name
  search.
 %E-Call
  case IsE. Ty: case Ty. apply IH_C_A to _ _ _ _ _ _ Ev2 _ _. search.
 %E-StmtExpr
  case IsE. Ty: case Ty. apply IH_C_S to _ _ _ _ _ Ty Ev1 _ _.
    unfold. intros L. case L. intros. search. search.
  apply evalStmt_isCtx to _ _ _ Ev1. apply stmtOK_isCtx to _ _ _ Ty.
  R: apply IH_C_E to _ _ _ _ _ Ty1 Ev2 _ _.
  apply stmtOK_older_scopes_same to _ _ _ Ty. R: case R. search.
 %E-RecBuild
  case IsE. Ty: case Ty. apply IH_C_RF to _ _ _ _ _ _ Ev1 _ _. search.
 %E-RecAccess
  case IsE. Ty: case Ty. apply IH_C_E to _ _ _ _ _ _ Ev1 _ _. search.
%evalExpr_typePres
 %E-Num
  case Ty. search.
 %E-Plus
  case Ty. search.
 %E-Minus
  case Ty. search.
 %E-Mult
  case Ty. search.
 %E-Div
  case Ty. search.
 %E-True
  case Ty. search.
 %E-False
  case Ty. search.
 %E-And-True
  case Ty. search.
 %E-And-False1
  case Ty. search.
 %E-And-False2
  case Ty. search.
 %E-Or-True1
  case Ty. search.
 %E-Or-True2
  case Ty. search.
 %E-Or-False
  case Ty. search.
 %E-Not-True
  case Ty. search.
 %E-Not-False
  case Ty. search.
 %E-Greater-True
  case Ty. search.
 %E-Greater-False
  case Ty. search.
 %E-Eq-True
  case Ty. search. search. search.
 %E-Eq-False
  case Ty. search. search. search.
 %E-String
  case Ty. search.
 %E-AppString
  case Ty. search.
 %E-Name
  Ty: case Ty. apply related_all_scopes_lookupScopes to _ Ty Ev1.
  search.
 %E-Call
  case IsE. Ty: case Ty. F: apply Funs to Ty Ev1.
  IsP: apply lookup_is_value_funCtx to _ Ev1. Is: case IsP.
  Is: case Is1. Is: case Is2. apply evalArgs_isValue to _ _ _ Ev2.
  apply zip_is_string_value to _ _ Ev3.
  IsP: apply lookup_is_value_funTyCtx to _ Ty. case IsP.
  apply zip_is_string_ty to _ _ F.
  VTL: apply IH_T_A to _ _ _ _ _ Ty1 Ev2 _ _.
  VTL': assert valueTypeList (RVVal::ArgVals) (Ty::ArgTys).
  ZE: assert zip (RetVar::ArgNames) (RVVal::ArgVals)
                 ((RetVar, RVVal)::InitEnv).
  ZT: assert zip (RetVar::ArgNames) (Ty::ArgTys)
                 ((RetVar, Ty)::Scope).
  apply valueTypeList_related_all_scopes to VTL' ZE ZT.
  R: apply IH_C_S to _ _ _ _ _ F2 Ev4 _ _.
  apply stmtOK_older_scopes_same to _ _ _ F2.
  apply stmtOK_first_scope_lookup_same to _ _ _ F2 _.
  apply related_all_scopes_lookupScopes to R _ Ev6. search.
 %E-StmtExpr
  case IsE. Ty: case Ty. apply stmtOK_older_scopes_same to _ _ _ Ty.
  apply related_all_scopes_add_scope to Ctxs.
  apply IH_C_S to _ _ _ _ _ Ty Ev1 _ _.
  apply evalStmt_isCtx to _ _ _ Ev1. apply stmtOK_isCtx to _ _ _ Ty.
  apply IH_T_E to _ _ _ _ _ Ty1 Ev2 _ _. search.
 %E-RecBuild
  case IsE. Ty: case Ty. apply IH_T_RF to _ _ _ _ _ Ty Ev1 _ _. search.
 %E-RecAccess
  case IsE. Ty: case Ty. VT: apply IH_T_E to _ _ _ _ _ Ty Ev1 _ _.
  VFT: case VT. apply valFieldTys_lookup to VFT Ev2 Ty1. search.
%evalStmt_typePres
 %E-Noop
  case Ty. search.
 %E-Seq
  case IsS. Ty: case Ty. apply IH_C_S to _ _ _ _ _ Ty Ev1 _ _.
  apply stmtOK_isCtx to _ _ _ Ty. apply evalStmt_isCtx to _ _ _ Ev1.
  apply IH_C_S to _ _ _ _ _ Ty1 Ev2 _ _. search.
 %E-Declare
  case IsS. Ty: case Ty. apply IH_T_E to _ _ _ _ _ Ty1 Ev1 _ _.
  R: apply IH_C_E to _ _ _ _ _ Ty1 Ev1 _ _. R: case R. unfold.
    %lookup
     intros L. L: case L.
       %Lkp-Here
        search.
       %Lkp-Later
        apply R to L1. exists V1. split.
          %lookup ((X, V)::Scope) X1 V1
           search.
          %valueType V1 T
           search.
    %no_lookup
     intros N. N: case N. apply R1 to N1. search.
    %rest
     search.
 %E-Assign
  case IsS. Ty: case Ty. R: apply IH_C_E to _ _ _ _ _ Ty1 Ev1 _ _.
  apply IH_T_E to _ _ _ _ _ Ty1 Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply related_all_scopes_replaceScopes to _ _ R Ev2 Ty _. search.
 %E-RecUpdate
  case IsS. Ty: case Ty. R: apply IH_C_E to _ _ _ _ _ Ty1 Ev1 _ _.
  apply IH_T_E to _ _ _ _ _ Ty1 Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  RFTy: apply related_all_scopes_lookupScopes to Ctxs Ty Ev2.
  case RFTy. apply updateRecFields_typePres to Ty2 Ev3 _ _.
  apply related_all_scopes_replaceScopes to _ _ R Ev4 Ty _. search.
 %E-If-True
  case IsS. Ty: case Ty. R: apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply related_all_scopes_add_scope to R.
  R': apply IH_C_S to _ _ _ _ _ Ty1 Ev2 _ _.
  apply stmtOK_older_scopes_same to _ _ _ Ty1. case R'. search.
 %E-If-False
  case IsS. Ty: case Ty. R: apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply related_all_scopes_add_scope to R.
  R': apply IH_C_S to _ _ _ _ _ Ty2 Ev2 _ _.
  apply stmtOK_older_scopes_same to _ _ _ Ty2. case R'. search.
 %E-While-True
  case IsS. Ty: case Ty. R: apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply related_all_scopes_add_scope to R.
  R': apply IH_C_S to _ _ _ _ _ Ty1 Ev2 _ _.
  apply stmtOK_older_scopes_same to _ _ _ Ty1. case R'.
  Is: apply evalStmt_isCtx to _ _ _ Ev2. case Is.
  apply IH_C_S to _ _ _ _ _ _ Ev3 _ _. search.
 %E-While-False
  case IsS. Ty: case Ty. R: apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  search.
 %E-ScopeStmt
  case IsS. Ty: case Ty. apply related_all_scopes_add_scope to Ctxs.
  R: apply IH_C_S to _ _ _ _ _ Ty Ev1 _ _.
  apply stmtOK_older_scopes_same to _ _ _ Ty. case R. search.
 %E-Print-Int
  case IsS. Ty: case Ty.
    %T-Print-Int
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-Bool
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-String
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
 %E-Print-True
  case IsS. Ty: case Ty.
    %T-Print-Int
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-Bool
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-String
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
 %E-Print-False
  case IsS. Ty: case Ty.
    %T-Print-Int
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-Bool
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-String
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
 %E-Print-String
  case IsS. Ty: case Ty.
    %T-Print-Int
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-Bool
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
    %T-Print-String
     apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _. search.
%evalArgs_typePres_Ctx
 %EA-Nil
  search.
 %EA-Cons
  case IsA. Ty: case Ty. apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_A to _ _ _ _ _ Ty1 Ev2 _ _. search.
%evalArgs_typePres
 %EA-Nil
  case Ty. search.
 %EA-Cons
  case IsA. Ty: case Ty. apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  apply IH_T_E to _ _ _ _ _ Ty Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_T_A to _ _ _ _ _ Ty1 Ev2 _ _. search.
%evalRecFields_typePres_Ctx
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. Ty: case Ty. apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_C_RF to _ _ _ _ _ Ty1 Ev2 _ _. search.
%evalRecFields_typePres
 %ERF-Nil
  case Ty. search.
 %ERF-Cons
  case IsRF. Ty: case Ty. apply IH_C_E to _ _ _ _ _ Ty Ev1 _ _.
  apply IH_T_E to _ _ _ _ _ Ty Ev1 _ _.
  apply evalExpr_isCtx to _ _ _ Ev1.
  apply IH_T_RF to _ _ _ _ _ Ty1 Ev2 _ _. search.




/********************************************************************
 Gathered function typing and evaluation information agrees
 ********************************************************************/
Extensible_Theorem
  paramTy_paramName_same : forall P NT T N,
    PT : paramTy P NT T ->
    PN : paramName P N ->
    NT = N
  on PT. [Show Proof]

%PT-Param
 case PN. search.


Theorem paramTys_values_names_zip_same : forall Ps PTys Tys Ns,
  paramTys Ps PTys -> values PTys Tys -> paramNames Ps Ns ->
  zip Ns Tys PTys. [Show Proof]

induction on 1. intros PT V PN. PT: case PT.
  %nil
   case V. case PN. search.
  %cons
   V: case V. PN: case PN. apply IH to PT1 V PN1.
   apply paramTy_paramName_same to PT PN. search.


Extensible_Theorem
  funOK_getFunEvalInfo_related :
    forall F FT Name RetVar RVVal PNames Body,
      IsF : is_fun F ->
      IsFT : is_list (is_pair is_string
                     (is_pair is_typ (is_list is_typ))) FT ->
      FOK : funOK FT F ->
      GFEI : getFunEvalInfo F Name RetVar RVVal PNames Body ->
      exists RetTy ArgTys Scope TyEnv',
        lookup FT Name (RetTy, ArgTys) /\
        zip PNames ArgTys Scope /\
        valueType RVVal RetTy /\
        stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv' /\
        lookup FT Name (RetTy, ArgTys)
  on FOK. [Show Proof]

%T-Fun
 GFEI: case GFEI.
 Z: apply paramTys_values_names_zip_same to FOK1 FOK4 GFEI.
 exists RetTy, PTys, ParamTys, FinalTC. search.


Theorem funsOK_getFunEvalCtx_related : forall Fs FT FE,
  is_list is_fun Fs ->
  is_list (is_pair is_string (is_pair is_typ (is_list is_typ))) FT ->
  funsOK FT Fs -> getFunEvalCtx Fs FE ->
  %literally what we require for type preservation
  (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
     lookup FT F (RetTy, ArgTys) ->
     lookup FE F (RetVar, RVVal, ArgNames, Body) ->
     exists Scope TyEnv',
       zip ArgNames ArgTys Scope /\
       valueType RVVal RetTy /\
       stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv'). [Show Proof]

induction on 3. intros IsFs IsFT FOK GFEC LT LE. FOK: case FOK.
  %FOK-Nil
   case GFEC. case LE.
  %FOK-Cons
   GFE: case GFEC. case IsFs.
   Y: apply funOK_getFunEvalInfo_related to _ _ FOK GFE. L: case LE.
     %Lkp-Here
      exists Scope, TyEnv'. apply lookup_unique to LT Y4. search.
     %Lkp-Later
      X: apply IH to _ _ FOK1 GFE1. backchain X.



/********************************************************************
 Evaluation prints only basic values
 ********************************************************************/
/*
  Only basic values can be printed.  Record values can only be printed
  by printing primitive values representing them.
*/
Define output_forms : list value -> prop by
  output_forms [];
  output_forms (intVal I::Rest) := output_forms Rest;
  output_forms (trueVal::Rest) := output_forms Rest;
  output_forms (falseVal::Rest) := output_forms Rest;
  output_forms (stringVal S::Rest) := output_forms Rest.


Theorem output_forms_append : forall OA OB O,
  output_forms OA -> output_forms OB -> OA ++ OB = O ->
  output_forms O. [Show Proof]

induction on 3. intros OA OB A. A: case A.
  %nil
   search.
  %cons
   OA: case OA.
     %int
      apply IH to _ _ A. search.
     %true
      apply IH to _ _ A. search.
     %false
      apply IH to _ _ A. search.
     %string
      apply IH to _ _ A. search.


Extensible_Theorem
  evalExpr_output_forms : forall E FE EE V EE' O,
    IsE : is_expr E ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalExpr FE EE E V EE' O ->
    output_forms O
  on Ev as IH_E,
  evalStmt_output_forms : forall S FE EE EE' O,
    IsS : is_stmt S ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalStmt FE EE S EE' O ->
    output_forms O
  on Ev as IH_S,
  evalArgs_output_forms : forall A FE EE Vs EE' O,
    IsA : is_args A ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalArgs FE EE A Vs EE' O ->
    output_forms O
  on Ev as IH_A,
  evalRecFields_output_forms : forall RF FE EE Fields EE' O,
    IsRF : is_recFieldExprs RF ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ev : evalRecFields FE EE RF Fields EE' O ->
    output_forms O
  on Ev as IH_RF. [Show Proof]

%evalExpr_output_forms
 %E-Num
  search.
 %E-Plus
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-Minus
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-Mult
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-Div
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-True
  search.
 %E-False
  search.
 %E-And-True
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-And-False1
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-And-False2
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-Or-True1
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Or-True2
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-Or-False
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-Not-True
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Not-False
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Greater-True
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-Greater-False
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-Eq-True
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-Eq-False
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-String
  search.
 %E-AppString
  case IsE. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-Name
  search.
 %E-Call
  case IsE. IsF: apply lookup_is_value_funCtx to _ Ev1. IsF: case IsF.
  IsF: case IsF1. IsF: case IsF2. apply IH_A to _ _ _ Ev2.
  apply evalArgs_isValue to _ _ _ Ev2. apply zip_is to _ _ Ev3.
  apply IH_S to _ _ _ Ev4. apply output_forms_append to _ _ Ev5.
  search.
 %E-StmtExpr
  case IsE. apply IH_S to _ _ _ Ev1.
  apply evalStmt_isCtx to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-RecBuild
  case IsE. apply IH_RF to _ _ _ Ev1. search.
 %E-RecAccess
  case IsE. apply IH_E to _ _ _ Ev1. search.
%evalStmt_output_forms
 %E-Noop
  search.
 %E-Seq
  case IsS. apply IH_S to _ _ _ Ev1.
  apply evalStmt_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-Declare
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-Assign
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-RecUpdate
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-If-True
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-If-False
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-While-True
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_S to _ _ _ Ev2.
  IsEE4+: apply evalStmt_isCtx to _ _ _ Ev2. case IsEE4+.
  apply IH_S to _ _ _ Ev3. apply output_forms_append to _ _ Ev4.
  apply output_forms_append to _ _ Ev5. search.
 %E-While-False
  case IsS. apply IH_E to _ _ _ Ev1. search.
 %E-ScopeStmt
  case IsS. apply IH_S to _ _ _ Ev1. search.
 %E-Print-Int
  case IsS. apply IH_E to _ _ _ Ev1.
  apply output_forms_append to _ _ Ev2. search.
 %E-Print-True
  case IsS. apply IH_E to _ _ _ Ev1.
  apply output_forms_append to _ _ Ev2. search.
 %E-Print-False
  case IsS. apply IH_E to _ _ _ Ev1.
  apply output_forms_append to _ _ Ev2. search.
 %E-Print-String
  case IsS. apply IH_E to _ _ _ Ev1.
  apply output_forms_append to _ _ Ev2. search.
%evalArgs_output_forms
 %EA-Nil
  search.
 %EA-Cons
  case IsA. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_A to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
%evalRecFields_output_forms
 %ERF-Nil
  search.
 %ERF-Cons
  case IsRF. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isCtx to _ _ _ Ev1. apply IH_RF to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.




/********************************************************************
 Program evaluation prints only basic values
 ********************************************************************/
Extensible_Theorem
  evalProgram_output_forms : forall A P O,
    IsA : is_list is_value A ->
    IsP : is_program P ->
    Ev : evalProgram A P O ->
    output_forms O
  on Ev. [Show Proof]

%E-Program
 case IsP. apply getFunEvalCtx_is to _ Ev1.
 apply getFunEvalInfo_is to _ Ev2. apply zip_is to _ _ Ev3.
 apply evalStmt_output_forms to _ _ _ Ev4. search.




/********************************************************************
 Gathered function evaluation information always exists
 ********************************************************************/
Extensible_Theorem
  paramName_exists : forall P,
    IsP : is_param P ->
    exists N, paramName P N
  on IsP. [Show Proof]

%param
 search.


Theorem paramNames_exists : forall Ps,
  is_list is_param Ps -> exists Ns, paramNames Ps Ns. [Show Proof]

induction on 1. intros IsPs. Is: case IsPs.
  %nil
   search.
  %cons
   apply paramName_exists to Is. apply IH to Is1. search.


Extensible_Theorem
  getFunEvalInfo_exists : forall F,
    IsF : is_fun F ->
    exists N R V P B, getFunEvalInfo F N R V P B
  on IsF. [Show Proof]

%fun
 apply paramNames_exists to IsF5. search.


Theorem getFunEvalCtx_exists : forall Fs,
  is_list is_fun Fs -> exists Ctx, getFunEvalCtx Fs Ctx. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   apply getFunEvalInfo_exists to Is. apply IH to Is1. search.