Extensibella: Extensibella Example: looseEval:list

Language Specification

File: syntax.sos

Module looseEval:list

Builds on looseEval:host

/*Expressions*/
expr ::= ...
       | nil(typ) /*need type for type uniqueness*/
       | cons(expr, expr)
       | head(expr)
       | tail(expr)
       | null(expr)
       | index(expr, expr) /*lst[i]*/
       | length(expr)


--------------------------- [Proj-Nil]
|{expr}- nil(Ty) ~~> num(0)


------------------------------------ [Proj-Cons]
|{expr}- cons(E1, E2) ~~> eq(E1, E2)


---------------------- [Proj-Null]
|{expr}- null(E) ~~> E


---------------------- [Proj-Head]
|{expr}- head(E) ~~> E


---------------------- [Proj-Tail]
|{expr}- tail(E) ~~> E


--------------------------------------------- [Proj-Index]
|{expr}- index(Lst, Index) ~~> eq(Lst, Index)


------------------------ [Proj-Length]
|{expr}- length(E) ~~> E




/*Statements*/
stmt ::= ...
       | listUpdate(string, expr, expr) /*lst[i] = e*/
       | listForeach(string, expr, stmt) /*foreach(x : l){ body }*/


fresh_name "I" L::Names SaveI
fresh_name "Hold" L::Names Hold
fresh_name "E" L::Names SaveE
---------------------------------------- [Proj-ListUpdate]
Names |{stmt}- listUpdate(L, I, E) ~~>
   scopeStmt(
      /*compute value of I for use in computation*/
      seq(declare(intTy, SaveI, I),
      /*save value of E to put in list later*/
      seq(declare(intTy, SaveE, E),
      /*this is to get the ctx into the right order for eval;
        after one run of the loop, SaveI will be before SaveE, and we
        want the order to be consistent for proofs*/
      seq(assign(SaveI, name(SaveI)),
      /*create a list for holding the things before place I;
        type does not matter, so long as it is declared*/
      seq(declare(intTy, Hold, nil(intTy)),
      /*pull I things off the front of L and hold them in stack Hold*/
      seq(while(greater(name(SaveI), num(0)),
                seq(assign(SaveI, minus(name(SaveI), num(1))),
                seq(assign(Hold, cons(head(name(L)), name(Hold))),
                    assign(L, tail(name(L)))))),
      /*place the new value in position I, removing the old one*/
      seq(assign(L, cons(name(SaveE), tail(name(L)))),
      /*place the old things back on list L from stack Hold*/
          while(not(null(name(Hold))),
                seq(assign(L, cons(head(name(Hold)), name(L))),
                    assign(Hold, tail(name(Hold))))))))))))
/*{
    int SaveI = I;
    int SaveE = E;
    SaveI = SaveI;
    int Hold = [];
    while SaveI > 0{
      SaveI = SaveI - 1;
      Hold = head(L)::Hold;
      L = tail(L);
    }
    L = SaveE::tail(L);
    while !null(Hold){
      L = head(Hold)::L;
      Hold = tail(Hold);
    }
  }*/


fresh_name "L" X::Names SaveL
----------------------------------------------- [Proj-ListForeach]
Names |{stmt}- listForeach(X, L, Body) ~~>
    scopeStmt(
       /*compute list for use in computation;
         as before, types don't matter*/
       seq(declare(intTy, SaveL, L),
           while(not(null(name(SaveL))),
              seq(declare(intTy, X, head(name(SaveL))),
              seq(assign(SaveL, tail(name(SaveL))),
                  Body)))))
/*{
    int SaveL = l;
    while !null(SaveL){
      int X = head(SaveL);
      SaveL = tail(SaveL);
      Body
    }
  }*/




/*Types*/
typ ::= ...
      | listTy(typ)


----------------------- [Proj-ListTy]
|{typ}- listTy(T) ~~> T




/*Values*/
value ::= ...
        | nilVal
        | consVal(value, value)


------------------------------ [Proj-NilVal]
|{value}- nilVal ~~> intVal(0)


--------------------------------------------- [Proj-ConsVal]
|{value}- consVal(Hd, Tl) ~~>
          recVal(consRecFieldVals("head", Hd,
                 consRecFieldVals("tail", Tl,
                 nilRecFieldVals)))

File: vars.sos

[Reduce File] [Raw File]

Module looseEval:list

/********************************************************************
 Expression Variables
 ********************************************************************/

--------------- [V-Nil]
vars nil(Ty) []


vars E1 V1
vars E2 V2
V1 ++ V2 = V
------------------- [V-Cons]
vars cons(E1, E2) V


vars E V
-------------- [V-Head]
vars head(E) V


vars E V
-------------- [V-Tail]
vars tail(E) V


vars E V
-------------- [V-Null]
vars null(E) V


vars L VL
vars I VI
VL ++ VI = V
------------------ [V-Index]
vars index(L, I) V


vars E V
---------------- [V-Length]
vars length(E) V

File: typing.sos

[Reduce File] [Raw File]

Module looseEval:list

/********************************************************************
 Expression Typing
 ********************************************************************/

------------------------------- [T-Nil]
typeOf FC TC nil(Ty) listTy(Ty)


typeOf FC TC E1 Ty
typeOf FC TC E2 listTy(Ty)
------------------------------------ [T-Cons]
typeOf FC TC cons(E1, E2) listTy(Ty)


typeOf FC TC E listTy(Ty)
------------------------- [T-Head]
typeOf FC TC head(E) Ty


typeOf FC TC E listTy(Ty)
------------------------------- [T-Tail]
typeOf FC TC tail(E) listTy(Ty)


typeOf FC TC E listTy(Ty)
--------------------------- [T-Null]
typeOf FC TC null(E) boolTy


typeOf FC TC L listTy(Ty)
typeOf FC TC I intTy
--------------------------- [T-Index]
typeOf FC TC index(L, I) Ty


typeOf FC TC E listTy(Ty)
---------------------------- [T-Length]
typeOf FC TC length(E) intTy



/********************************************************************
 Statement Typing
 ********************************************************************/

lookupScopes L TC listTy(Ty)
typeOf FC TC I intTy
typeOf FC TC E Ty
----------------------------------- [T-ListUpdate]
stmtOK FC TC listUpdate(L, I, E) TC


typeOf FC TC L listTy(Ty)
stmtOK FC [(X, Ty)]::TC Body TC1
--------------------------------------- [T-ListForeach]
stmtOK FC TC listForeach(X, L, Body) TC



/********************************************************************
 Value Typing
 ********************************************************************/

--------------------------- [VT-Nil]
valueType nilVal listTy(Ty)


valueType Hd Ty
valueType Tl listTy(Ty)
------------------------------------ [VT-Cons]
valueType consVal(Hd, Tl) listTy(Ty)

File: eval.sos

[Reduce File] [Raw File]

Module looseEval:list

/********************************************************************
 Expression Evaluation
 ********************************************************************/

-------------------------------- [E-Nil]
evalExpr FE EE nil(Ty) nilVal []


evalExpr FE EE E1 V1 O1
evalExpr FE EE E2 V2 O2
O1 ++ O2 = O
--------------------------------------------- [E-Cons]
evalExpr FE EE cons(E1, E2) consVal(V1, V2) O


evalExpr FE EE E consVal(Hd, Tl) O
---------------------------------- [E-Head]
evalExpr FE EE head(E) Hd O


evalExpr FE EE E consVal(Hd, Tl) O
---------------------------------- [E-Tail]
evalExpr FE EE tail(E) Tl O


evalExpr FE EE E nilVal O
-------------------------------- [E-Null-True]
evalExpr FE EE null(E) trueVal O


evalExpr FE EE E consVal(Hd, Tl) O
---------------------------------- [E-Null-False]
evalExpr FE EE null(E) falseVal O


evalExpr FE EE L LV O1
evalExpr FE EE I intVal(Idx) O2
listIndex LV Idx V
O1 ++ O2 = O
------------------------------- [E-Index]
evalExpr FE EE index(L, I) V O


evalExpr FE EE E V O
listLength V I
------------------------------------ [E-Length]
evalExpr FE EE length(E) intVal(I) O


/*we make these fixed because there aren't any other type of list
  values that it would make sense to add; they are already precluded
  by the definitions above, like E-Null-*, E-Head, E-Tail*/
Fixed Judgment listIndex : value int value
Fixed Judgment listLength : value int

============================ [LI-0]
listIndex consVal(V, Tl) 0 V


N - 1 = I
listIndex Tl I V
============================= [LI-Step]
listIndex consVal(Hd, Tl) N V



=================== [LL-Nil]
listLength nilVal 0


listLength Tl I
I + 1 = N
============================ [LL-Cons]
listLength consVal(Hd, Tl) N



/********************************************************************
 Statement Evaluation
 ********************************************************************/

lookupScopes L EE LV
evalExpr FE EE I intVal(N) O1
evalExpr FE EE E V O2
updateListIndex LV N V LV2 /*make the new list*/
replaceScopes L LV2 EE EE1 /*put it in its place*/
O1 ++ O2 = O
---------------------------------------- [E-ListUpdate]
evalStmt FE EE listUpdate(L, I, E) EE1 O


evalExpr FE EE L LV O1
iterateList FE EE LV X Body EE1 O2
O1 ++ O2 = O
-------------------------------------------- [E-ListForeach]
evalStmt FE EE listForeach(X, L, Body) EE1 O



                  /*original list, index, new value, new list*/
Fixed Judgment updateListIndex : value int value value

========================================================== [ULI-0]
updateListIndex consVal(VOld, Tl) 0 VNew consVal(VNew, Tl)


N - 1 = I
updateListIndex Tl I V TlNew
==================================================== [ULI-Step]
updateListIndex consVal(X, Tl) N V consVal(X, TlNew)



/*execute the body once for each element of the list:
     iterateList (fun ctx) (init eval ctx) (list val) (name for list elements)
                 (loop body) (final eval ctx) (printed output)*/
Judgment iterateList : {[(string, (string, value, [string], stmt))] [[(string, value)]]
                        value* string stmt [[(string, value)]] [value]}

------------------------------------- [IL-Nil]
iterateList FE EE nilVal X Body EE []


evalStmt FE [(X, Hd)]::EE Body Scope::EE1 O1
iterateList FE EE1 Tl X Body EE2 O2
O1 ++ O2 = O
---------------------------------------------- [IL-Cons]
iterateList FE EE consVal(Hd, Tl) X Body EE2 O


/*
  Why don't we have an actual rule, perhaps projecting V and iterating
  over that?  That doesn't work because the use of null in the
  condition of the while loop to which listForeach projects does not
  look through the projection, and thus we cannot prove what we need
  for Ext_Ind for listForeach.
*/
1 = 0
-------------------------------- [IL-Default]*
iterateList FE EE V X Body EE1 O

Reasoning

[Show All Proofs] [Hide All Proofs] [Raw File]

Click on a command or tactic to see a detailed view of its use.

Module looseEval:list.


Prove_Constraint looseEval:host:proj_expr_unique. [Show Proof]

%Proj-Nil
 case PrB. search.
%Proj-Cons
 case PrB. search.
%Proj-Null
 case PrB. search.
%Proj-Head
 case PrB. search.
%Proj-Tail
 case PrB. search.
%Proj-Index
 case PrB. search.
%Proj-Length
 case PrB. search.
Prove_Constraint looseEval:host:proj_expr_is. [Show Proof]

%Proj-Nil
 search.
%Proj-Cons
 case IsE. search.
%Proj-Null
 case IsE. search.
%Proj-Head
 case IsE. search.
%Proj-Tail
 case IsE. search.
%Proj-Index
 case IsE. search.
%Proj-Length
 case IsE. search.

Prove_Constraint looseEval:host:proj_stmt_unique. [Show Proof]

%Proj-ListUpdate
 PrB: case PrB.
 assert forall X, mem X (L::L1) -> mem X (L::L2).
   intros M. M: case M. search. apply Rel12 to M. search.
 assert forall X, mem X (L::L2) -> mem X (L::L1).
   intros M. M: case M. search. apply Rel21 to M. search.
 apply fresh_name_unique_mems to PrA1 PrB _ _.
 apply fresh_name_unique_mems to PrA2 PrB1 _ _.
 apply fresh_name_unique_mems to PrA3 PrB2 _ _. search.
%Proj-ListForeach
 PrB: case PrB. apply fresh_name_unique_mems to PrA1 PrB _ _.
   intros M. M: case M. search. apply Rel21 to M. search.
   intros M. M: case M. search. apply Rel12 to M. search.
 search.
Prove_Constraint looseEval:host:proj_stmt_is. [Show Proof]

%Proj-ListUpdate
 case IsS. apply fresh_name_is to _ Pr1. apply fresh_name_is to _ Pr3.
 apply fresh_name_is to _ Pr2. search 6. search 20.
%Proj-ListForeach
 case IsS. apply fresh_name_is to _ Pr1. search 20.
Prove_Constraint looseEval:host:proj_stmt_other. [Show Proof]

%Proj-ListUpdate
 case IsS. IsL'+: assert is_list is_string (L1::L').
 apply fresh_name_exists to _ IsL'+ with Base = "I".
 apply fresh_name_exists to _ IsL'+ with Base = "Hold". search 6.
 apply fresh_name_exists to _ IsL'+ with Base = "E". search.
%Proj-ListForeach
 case IsS. apply fresh_name_exists to _ _ with
              Base = "L", Names = X::L'. search.

Prove_Constraint looseEval:host:proj_fun_unique.
Prove_Constraint looseEval:host:proj_fun_is.

Prove_Constraint looseEval:host:proj_param_unique.
Prove_Constraint looseEval:host:proj_param_is.

Prove_Constraint looseEval:host:proj_program_unique.
Prove_Constraint looseEval:host:proj_program_is.

Prove_Constraint looseEval:host:proj_typ_unique. [Show Proof]

case PrB. search.
Prove_Constraint looseEval:host:proj_typ_is. [Show Proof]

case IsT. search.

Prove_Constraint looseEval:host:proj_value_unique. [Show Proof]

%Proj-NilVal
 case PrB. search.
%Proj-ConsVal
 case PrB. search.
Prove_Constraint looseEval:host:proj_value_is. [Show Proof]

%Proj-NilVal
 search.
%Proj-ConsVal
 case IsV. search 20.



/********************************************************************
 Decidable Equality
 ********************************************************************/
Add_Proj_Rel looseEval:host:is_expr,
             looseEval:host:is_args,
             looseEval:host:is_recFieldExprs.
Prove_Ext_Ind looseEval:host:is_expr,
              looseEval:host:is_args,
              looseEval:host:is_recFieldExprs. [Show Proof]

%nil
 search.
%cons
 apply IH to R1. apply IH to R2. search.
%head
 apply IH to R1. search.
%tail
 apply IH to R1. search.
%null
 apply IH to R1. search.
%index
 apply IH to R1. apply IH to R2. search.
%length
 apply IH to R1. search.

Add_Proj_Rel looseEval:host:is_stmt.
Prove_Ext_Ind looseEval:host:is_stmt. [Show Proof]

%listUpdate
 IsL: assert is_list is_string [S1].
 FrI: apply fresh_name_exists to _ IsL with Base = "I".
 FrH: apply fresh_name_exists to _ IsL with Base = "Hold". search 6.
 FrE: apply fresh_name_exists to _ IsL with Base = "E".
 apply fresh_name_is to _ FrI. apply fresh_name_is to _ FrE.
 apply fresh_name_is to _ FrH. search 6. search 15.
%listForeach
 Fr: apply fresh_name_exists to _ _ with Base = "L", Names = [S1].
 apply fresh_name_is to _ Fr. R: case R. apply IH to R5. search 10.

Prove looseEval:host:is_args_nilArgs_or_consArgs.
Prove looseEval:host:is_recFieldExprs_nilRecFieldExprs_or_consRecFieldExprs.

Add_Proj_Rel looseEval:host:is_value,
             looseEval:host:is_recFieldVals.
Prove_Ext_Ind looseEval:host:is_value,
              looseEval:host:is_recFieldVals. [Show Proof]

%nil
 search.
%cons
 apply IH to R1. apply IH to R2. search 10.

Prove looseEval:host:is_value_intVal_or_not. [Show Proof]

search. search.
Prove looseEval:host:is_value_trueVal_or_not. [Show Proof]

search. search.
Prove looseEval:host:is_value_falseVal_or_not. [Show Proof]

search. search.
Prove looseEval:host:is_value_stringVal_or_not. [Show Proof]

search. search.
Prove looseEval:host:is_value_recVal_or_not. [Show Proof]

search. search.
Extensible_Theorem
  is_value_nilVal_or_not : forall V,
    IsV : is_value V ->
    nilVal = V \/ (nilVal = V -> false)
  on IsV. [Show Proof]

search. search. search. search. search. search. search. search.
Extensible_Theorem
  is_value_consVal_or_not : forall V,
    IsV : is_value V ->
    (exists V1 V2, consVal V1 V2 = V) \/
    ((exists V1 V2, consVal V1 V2 = V) -> false)
  on IsV. [Show Proof]

search. search. search. search. search. search. search. search.
Prove looseEval:host:is_recFieldVals_nil_or_cons.

Prove looseEval:host:is_value_eq_or_not,
      looseEval:host:is_recFieldVals_eq_or_not. [Show Proof]

%nilVal
 Or: apply is_value_nilVal_or_not to Is2. N: case Or.
   %nilVal
    search.
   %not
    right. intros E. case E. backchain N.
%consVal
 Or: apply is_value_consVal_or_not to Is2. N: case Or.
   %consVal
    Is': case Is2. Or: apply IH to Is3 Is'. N: case Or.
      %Value1 = V3
       Or: apply IH to Is4 Is'1. N: case Or.
         %Value = V4
          search.
         %Value != V4
          right. intros E. case E. backchain N.
      %Value1 != V3
       right. intros E. case E. backchain N.
   %not
    right. intros E. case E. backchain N.



/********************************************************************
 Variables
 ********************************************************************/
Prove looseEval:host:vars_unique. [Show Proof]

%V-Nil
 case VarsB. search.
%V-Cons
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB.
 apply IH to _ VarsA2 VarsB1. apply append_unique to VarsA3 VarsB2.
 search.
%V-Head
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.
%V-Tail
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.
%V-Null
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.
%V-Index
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB.
 apply IH to _ VarsA2 VarsB1. apply append_unique to VarsA3 VarsB2.
 search.
%V-Length
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.

Prove looseEval:host:vars_is. [Show Proof]

%V-Nil
 search.
%V-Cons
 case IsE. apply IH to _ V1. apply IH to _ V2.
 apply append_list_string_is to _ _ V3. search.
%V-Head
 case IsE. apply IH to _ V1. search.
%V-Tail
 case IsE. apply IH to _ V1. search.
%V-Null
 case IsE. apply IH to _ V1. search.
%V-Index
 case IsE. apply IH to _ V1. apply IH to _ V2.
 apply append_list_string_is to _ _ V3. search.
%V-Length
 case IsE. apply IH to _ V1. search.

Prove looseEval:host:vars_exist,
      looseEval:host:varsArgs_exist,
      looseEval:host:varsRecFields_exist. [Show Proof]

%nil
 search.
%cons
 V1: apply IH to IsE1. V2: apply IH to IsE2.
 Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
 apply append_list_string_total to Is1 Is2. search.
%head
 apply IH to IsE1. search.
%tail
 apply IH to IsE1. search.
%null
 apply IH to IsE1. search.
%index
 V1: apply IH to IsE1. V2: apply IH to IsE2.
 Is1: apply vars_is to _ V1. Is2: apply vars_is to _ V2.
 apply append_list_string_total to Is1 Is2. search.
%length
 apply IH to IsE1. search.

Prove_Constraint looseEval:host:proj_vars. [Show Proof]

%Proj-Nil
 case V. case Mem.
%Proj-Cons
 case IsE. V: case V. V_P: case V_P. apply vars_unique to _ V V_P.
 apply vars_unique to _ V1 V_P1. apply append_unique to V_P2 V2.
 search.
%Proj-Null
 case IsE. V: case V. apply vars_unique to _ V_P V. search.
%Proj-Head
 case IsE. V: case V. apply vars_unique to _ V_P V. search.
%Proj-Tail
 case IsE. V: case V. apply vars_unique to _ V_P V. search.
%Proj-Index
 case IsE. V: case V. V_P: case V_P. apply vars_unique to _ V V_P.
 apply vars_unique to _ V1 V_P1. apply append_unique to V2 V_P2.
 search.
%Proj-Length
 case IsE. V: case V. apply vars_unique to _ V_P V. search.



/********************************************************************
 Typing
 ********************************************************************/
Prove looseEval:host:typeOf_isTy. [Show Proof]

%T-Nil
 case IsE. search.
%T-Cons
 case IsE. apply IH_E to _ _ _ Ty1. search.
%T-Head
 case IsE. IsT: apply IH_E to _ _ _ Ty1. case IsT. search.
%T-Tail
 case IsE. apply IH_E to _ _ _ Ty1. search.
%T-Null
 search.
%T-Index
 case IsE. IsT: apply IH_E to _ _ _ Ty1. case IsT. search.
%T-Length
 search.

Prove looseEval:host:stmtOK_isCtx. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.
Prove looseEval:host:stmtOK_keep_scopes. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.
Prove looseEval:host:stmtOK_older_scopes_same. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.
Prove looseEval:host:stmtOK_first_scope_lookup_same. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.

Prove looseEval:host:typeOf_unique. [Show Proof]

%T-Nil
 case TyB. search.
%T-Cons
 case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _. search.
%T-Head
 case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _. search.
%T-Tail
 case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _. search.
%T-Null
 case TyB. search.
%T-Index
 case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _. search.
%T-Length
 case TyB. search.
Prove looseEval:host:stmtOK_unique. [Show Proof]

%T-ListUpdate
 case TyB. search.
%T-ListForeach
 case TyB. search.


Prove looseEval:host:paramTy_is.
Prove looseEval:host:getFunInfo_is.
Prove looseEval:host:paramTy_exists.
Prove looseEval:host:getFunInfo_exists.



/********************************************************************
 Evaluation
 ********************************************************************/
Theorem listIndex_is : forall L I V,
  is_value L -> listIndex L I V -> is_value V. [Show Proof]

induction on 2. intros IsV LI. LI: case LI.
  %LI-0
   case IsV. search.
  %LI-Step
   case IsV. apply IH to _ LI1. search.
Theorem listLength_is : forall L I,
  listLength L I -> is_integer I. [Show Proof]

induction on 1. intros LL. LL: case LL.
  %LL-Nil
   search.
  %LL-Cons
   apply IH to LL. apply plus_integer_is_integer to _ _ LL1. search.
Theorem updateListIndex_is : forall L I V L',
  is_value L -> is_value V -> updateListIndex L I V L' -> is_value L'. [Show Proof]

induction on 3. intros IsL IsV ULI. ULI: case ULI.
  %ULI-0
   case IsL. search.
  %ULI-Step
   case IsL. apply IH to _ _ ULI1. search.

Prove looseEval:host:evalExpr_isValue,
      looseEval:host:evalStmt_isCtx,
      looseEval:host:evalArgs_isValue,
      looseEval:host:evalRecFields_isValue
with
  iterateList_isCtx : forall FE EE V X Body EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    is_list (is_list (is_pair is_string is_value)) EE'
  on IL as IH_IL. [Show Proof]

%evalExpr_isValue
 %E-Nil
  case IsE. search.
 %E-Cons
  case IsE. apply IH_V_E to _ _ _ Ev1. apply IH_V_E to _ _ _ Ev2.
  search.
 %E-Head
  case IsE. IsV: apply IH_V_E to _ _ _ Ev1. case IsV. search.
 %E-Tail
  case IsE. IsV: apply IH_V_E to _ _ _ Ev1. case IsV. search.
 %E-Null-True
  search.
 %E-Null-False
  search.
 %E-Index
  case IsE. apply IH_V_E to _ _ _ Ev1. apply listIndex_is to _ Ev3.
  search.
 %E-Length
  case IsE. apply listLength_is to Ev2. search.
%evalStmt_isCtx
 %E-ListUpdate
  case IsS. apply lookupScopes_is to _ Ev1. apply IH_V_E to _ _ _ Ev3.
  apply updateListIndex_is to _ _ Ev4.
  apply replaceScopes_is to _ _ Ev5. search.
 %E-ListForeach
  case IsS. apply IH_V_E to _ _ _ Ev1. apply IH_IL to _ _ _ _ _ Ev2.
  search.
%iterateList_isCtx
 %IL-Nil
  search.
 %IL-Cons
  case IsV. IsEE3+: apply IH_C_S to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ IL2. search.

Prove looseEval:host:evalExpr_isOutput,
      looseEval:host:evalStmt_isOutput,
      looseEval:host:evalArgs_isOutput,
      looseEval:host:evalRecFields_isOutput
with
  iterateList_isOutput : forall FE EE V X Body EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    is_list is_value O
  on IL as IH_IL. [Show Proof]

%evalExpr_isOutput
 %E-Nil
  search.
 %E-Cons
  case IsE. apply IH_E to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-Head
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Tail
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-True
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-False
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Index
  case IsE. apply IH_E to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev4. search.
 %E-Length
  case IsE. apply IH_E to _ _ _ Ev1. search.
%evalStmt_isOutput
 %E-ListUpdate
  case IsS. apply IH_E to _ _ _ Ev2. apply IH_E to _ _ _ Ev3.
  apply append_values_is to _ _ Ev6. search.
 %E-ListForeach
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isValue to _ _ _ Ev1. apply IH_IL to _ _ _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
%iterateList_isOutput
 %IL-Nil
  search.
 %IL-Cons
  case IsV. apply IH_S to _ _ _ IL1.
  IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ IL2. apply append_values_is to _ _ IL3.
  search.


Prove looseEval:host:paramName_is.
Prove looseEval:host:getFunEvalInfo_is.
Prove looseEval:host:evalProgram_isOutput.


Prove looseEval:host:evalStmt_names_same
with
  iterateList_names_same : forall V X Body FE EE EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    names_same EE EE'
  on IL as IH_IL. [Show Proof]

%evalStmt_names_same
 %E-ListUpdate
  case IsS. NS: apply replaceScopes_names_same to _ Ev5. case NS.
  search.
 %E-ListForeach
  case IsS. apply evalExpr_isValue to _ _ _ Ev1.
  NS: apply IH_IL to _ _ _ _ _ Ev2. case NS. search.
%iterateList_names_same
 %IL-Nil
  backchain names_same_reflexive.
 %IL-Cons
  case IsV. IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  NS1: apply IH_S to _ _ _ IL1. NS2: apply IH_IL to _ _ _ _ _ IL2.
  apply names_same_transitive to NS1 NS2. search.


Add_Ext_Size looseEval:host:evalExpr,
             looseEval:host:evalArgs,
             looseEval:host:evalRecFields,
             looseEval:host:evalStmt
        with iterateList FE EE V X Body EE' O.
Add_Proj_Rel looseEval:host:evalExpr,
             looseEval:host:evalArgs,
             looseEval:host:evalRecFields,
             looseEval:host:evalStmt
        with iterateList FE EE V X Body EE' O.


Theorem listIndex_geq_0 : forall L I V,
  listIndex L I V -> is_integer I -> I >= 0. [Show Proof]

induction on 1. intros LI IsI. LI: case LI.
  %LI-0
   search.
  %LI-Step
   apply minus_integer_is_integer to _ _ LI. apply IH to LI1 _.
   P: apply minus_plus_same_integer to _ _ LI.
   apply greatereq_integer__add_positive to _ _ P. search.

Theorem listIndex_unique : forall L I VA VB,
  listIndex L I VA -> listIndex L I VB -> VA = VB. [Show Proof]

induction on 1. intros LIA LIB. LIA: case LIA.
  %LI-0
   LIB: case LIB.
     %LI-0
      search.
     %LI-Step
      compute LIB. GEq: apply listIndex_geq_0 to LIB1 _.
      LEq: case GEq. case LEq.
  %LI-Step
   LIB: case LIB.
     %LI-0
      compute LIA. GEq: apply listIndex_geq_0 to LIA1 _.
      LEq: case GEq. case LEq.
     %LI-Step
      apply minus_integer_unique to LIA LIB. apply IH to LIA1 LIB1.
      search.

Theorem listLength_unique : forall L IA IB,
  listLength L IA -> listLength L IB -> IA = IB. [Show Proof]

induction on 1. intros LLA LLB. LLA: case LLA.
  %LL-Nil
   LLB: case LLB. search.
  %LL-Cons
   LLB: case LLB. apply IH to LLA LLB.
   apply plus_integer_unique to LLA1 LLB1. search.

Theorem updateListIndex_geq_0 : forall L I V Out,
  is_integer I -> updateListIndex L I V Out -> I >= 0. [Show Proof]

induction on 2. intros IsI ULI. ULI: case ULI.
  %ULI-0
   search.
  %ULI-Step
   apply minus_integer_is_integer to _ _ ULI. apply IH to _ ULI1.
   P: apply minus_plus_same_integer to _ _ ULI.
   apply greatereq_integer__add_positive to _ _ P. search.

Theorem updateListIndex_unique : forall L I V OutA OutB,
  updateListIndex L I V OutA -> updateListIndex L I V OutB ->
  OutA = OutB. [Show Proof]

induction on 1. intros ULIA ULIB. ULIA: case ULIA.
  %ULI-0
   ULIB: case ULIB.
     %ULI-0
      search.
     %ULI-Step
      compute ULIB. GEq: apply updateListIndex_geq_0 to _ ULIB1.
      LEq: case GEq. case LEq.
  %ULI-Step
   ULIB: case ULIB.
     %ULI-0
      compute ULIA. GEq: apply updateListIndex_geq_0 to _ ULIA1.
      LEq: case GEq. case LEq.
     %ULI-Step
      apply minus_integer_unique to ULIA ULIB.
      apply IH to ULIA1 ULIB1. search.

Prove looseEval:host:evalExpr_rel,
      looseEval:host:evalStmt_newNameScopes_output,
      looseEval:host:evalStmt_newNameScopes,
      looseEval:host:evalArgs_rel,
      looseEval:host:evalRecFields_rel
with
  iterateList_newNameScopes_output :
    forall FE EE_A EE_B V X Body EE_A' EE_B' O_A O_B N Len,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' O_A ->
      ILB : iterateList FE EE_B V X Body EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      O_A = O_B
    on ILA as IH_O_IL,
  iterateList_newNameScopes :
    forall FE EE_A EE_B V X Body EE_A' EE_B' O_A O_B N Len,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' O_A ->
      ILB : iterateList FE EE_B V X Body EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      newNameScopes N Len EE_A' EE_B'
    on ILA as IH_C_IL. [Show Proof]

%evalExpr_rel
 %E-Nil
  case EvB. search.
 %E-Cons
  case IsE. Vars: case Vars. EvB: case EvB.
  apply IH_E to _ _ _ _ EvA1 EvB Vars _.
    intros M L. M': apply mem_append_left to M Vars2.
    apply Rel to M' L. search.
  apply IH_E to _ _ _ _ EvA2 EvB1 Vars1 _.
    intros M L. M': apply mem_append_right to M Vars2.
    apply Rel to M' L. search.
  apply append_unique to EvA3 EvB2. search.
 %E-Head
  case IsE. Vars: case Vars. EvB: case EvB.
  apply IH_E to _ _ _ _ EvA1 EvB Vars _. search.
 %E-Tail
  case IsE. Vars: case Vars. EvB: case EvB.
  apply IH_E to _ _ _ _ EvA1 EvB Vars _. search.
 %E-Null-True
  case IsE. Vars: case Vars. EvB: case EvB.
    %E-Null-True
     apply IH_E to _ _ _ _ EvA1 EvB Vars _. search.
    %E-Null-False
     apply IH_E to _ _ _ _ EvA1 EvB Vars _.
 %E-Null-False
  case IsE. Vars: case Vars. EvB: case EvB.
    %E-Null-True
     apply IH_E to _ _ _ _ EvA1 EvB Vars _.
    %E-Null-False
     apply IH_E to _ _ _ _ EvA1 EvB Vars _. search.
 %E-Index
  case IsE. Vars: case Vars. EvB: case EvB.
  apply IH_E to _ _ _ _ EvA1 EvB Vars _.
    intros M L. M': apply mem_append_left to M Vars2.
    apply Rel to M' L. search.
  apply IH_E to _ _ _ _ EvA2 EvB1 Vars1 _.
    intros M L. M': apply mem_append_right to M Vars2.
    apply Rel to M' L. search.
  apply listIndex_unique to EvA3 EvB2.
  apply append_unique to EvA4 EvB3. search.
 %E-Length
  case IsE. Vars: case Vars. EvB: case EvB.
  apply IH_E to _ _ _ _ EvA1 EvB Vars _.
  apply listLength_unique to EvA2 EvB1. search.
%evalStmt_newNameScopes_output
 %E-ListUpdate
  Is: case IsS. VarsI: apply vars_exist to Is1.
  VarsE: apply vars_exist to Is2. EvB: case EvB.
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  apply IH_E to _ _ _ _ EvA2 EvB1 VarsI _.
    intros M L. apply vars_is to _ VarsI. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ NNS' L. search.
  apply IH_E to _ _ _ _ EvA3 EvB2 VarsE _.
    intros M L. apply vars_is to _ VarsE. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ NNS' L. search.
  apply append_unique to EvA6 EvB5. search.
 %E-ListForeach
  Is: case IsS. EvB: case EvB. V: apply vars_exist to Is1.
  apply IH_E to _ _ _ _ EvA1 EvB V _.
    intros M LSB. apply vars_is to _ V. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  apply IH_E to _ _ _ _ EvA1 EvB V _.
    intros M LSB. apply vars_is to _ V. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_O_IL to _ _ _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA3 EvB2. search.
%evalStmt_newNameScopes
 %E-ListUpdate
  Is: case IsS. VarsI: apply vars_exist to Is1.
  VarsE: apply vars_exist to Is2. EvB: case EvB.
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  apply IH_E to _ _ _ _ EvA2 EvB1 VarsI _.
    intros M L. apply vars_is to _ VarsI. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ NNS' L. search.
  apply IH_E to _ _ _ _ EvA3 EvB2 VarsE _.
    intros M L. apply vars_is to _ VarsE. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ NNS' L. search.
  apply evalExpr_isValue to _ _ _ EvA3.
  apply lookupScopes_is to _ EvB.
  LA: apply newNameScopes_lookupScopes to _ _ NNS' EvB.
  apply lookupScopes_unique to LA EvA1.
  apply updateListIndex_is to _ _ EvB3.
  apply updateListIndex_unique to EvA4 EvB3.
  RSA: apply newNameScopes_replaceScopes to _ _ _ _ NNS' EvB4.
  apply replaceScopes_unique to EvA5 RSA. search.
 %E-ListForeach
  Is: case IsS. EvB: case EvB. V: apply vars_exist to Is1.
  apply IH_E to _ _ _ _ EvA1 EvB V _.
    intros M LSB. apply vars_is to _ V. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_C_IL to _ _ _ _ _ _ EvA2 EvB1 _. search.
%iterateList_newNameScopes_output
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. apply IH_O_S to _ _ _ _ ILA1 ILB _.
  NNS+: apply IH_C_S to _ _ _ _ ILA1 ILB _. NNS+: case NNS+.
    %end
     LenEE_B: apply length_exists_list_pair_string_value to IsB.
     IsN2: apply length_is to LenEE_B.
     P: apply plus_integer_total to _ IsN2 with N1 = 1.
     LenEE_B+: assert length ([(X, Hd)]::EE_B) N3.
     LenEE2+: apply evalStmt_keep_scopes to _ _ _ ILB LenEE_B+.
     apply length_unique to LenEE2+ NNS+.
     LEq: apply newNameScopes_length to NNS LenEE_B.
     L: apply lt_plus_one to P _.
     apply less_lesseq_flip_false to L LEq.
    %step
     IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
     IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
     apply IH_O_IL to _ _ _ _ _ _ ILA2 ILB1 _.
     apply append_unique to ILA3 ILB2. search.
%iterateList_newNameScopes
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. NNS+: apply IH_C_S to _ _ _ _ ILA1 ILB _.
  NNS+: case NNS+.
    %end
     LenEE_B: apply length_exists_list_pair_string_value to IsB.
     IsN2: apply length_is to LenEE_B.
     P: apply plus_integer_total to _ IsN2 with N1 = 1.
     LenEE_B+: assert length ([(X, Hd)]::EE_B) N3.
     LenEE2+: apply evalStmt_keep_scopes to _ _ _ ILB LenEE_B+.
     apply length_unique to LenEE2+ NNS+.
     LEq: apply newNameScopes_length to NNS LenEE_B.
     L: apply lt_plus_one to P _.
     apply less_lesseq_flip_false to L LEq.
    %step
     IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
     IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
     apply IH_C_IL to _ _ _ _ _ _ ILA2 ILB1 _. search.


Prove looseEval:host:evalExpr_rel_exists_ES,
      looseEval:host:evalStmt_newNameScopes_exists_ES,
      looseEval:host:evalArgs_rel_exists_ES,
      looseEval:host:evalRecFields_rel_exists_ES
with
  iterateList_newNameScopes_exists_ES :
    forall FE EE_A EE_B V X Body EE_B' O N Len ES,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      ILB : <iterateList {ES}> FE EE_B V X Body EE_B' O ES ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_A', <iterateList {ES}> FE EE_A V X Body EE_A' O ES
    on ILB as IH_IL. [Show Proof]

%evalExpr_rel_exists_ES
 %E-Nil
  search.
 %E-Cons
  case IsE. Vars: case Vars.
  EvA1: apply IH_E to _ _ _ _ EvB3 Vars _ with EE_A = EE_A.
    intros M L. M': apply mem_append_left to M Vars2.
    apply Rel to M' L. search.
  EvA2: apply IH_E to _ _ _ _ EvB4 Vars1 _ with EE_A = EE_A.
    intros M L. M': apply mem_append_right to M Vars2.
    apply Rel to M' L. search.
  search.
 %E-Head
  case IsE. Vars: case Vars. apply IH_E to _ _ _ _ EvB2 Vars Rel.
  search.
 %E-Tail
  case IsE. Vars: case Vars. apply IH_E to _ _ _ _ EvB2 Vars Rel.
  search.
 %E-Null-True
  case IsE. Vars: case Vars. apply IH_E to _ _ _ _ EvB2 Vars Rel.
  search.
 %E-Null-False
  case IsE. Vars: case Vars. apply IH_E to _ _ _ _ EvB2 Vars Rel.
  search.
 %E-Index
  case IsE. Vars: case Vars.
  EvA1: apply IH_E to _ _ _ _ EvB3 Vars _ with EE_A = EE_A.
    intros M L. M': apply mem_append_left to M Vars2.
    apply Rel to M' L. search.
  EvA2: apply IH_E to _ _ _ _ EvB4 Vars1 _ with EE_A = EE_A.
    intros M L. M': apply mem_append_right to M Vars2.
    apply Rel to M' L. search.
  search.
 %E-Length
  case IsE. Vars: case Vars. apply IH_E to _ _ _ _ EvB2 Vars Rel.
  search.
%evalStmt_newNameScopes_exists_ES
 %E-ListUpdate
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  Is: case IsS. VarsI: apply vars_exist to Is1.
  VarsE: apply vars_exist to Is2.
  apply IH_E to _ _ _ _ EvB4 VarsI _ with EE_A = Scope::EE_A.
    intros M L. apply vars_is to _ VarsI. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ NNS' L. search.
  apply IH_E to _ _ _ _ EvB5 VarsE _ with EE_A = Scope::EE_A.
    intros M L. apply vars_is to _ VarsE. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ NNS' L. search.
  Ev': apply drop_ext_size_evalExpr to EvB5.
  apply evalExpr_isValue to _ _ _ Ev'.
  apply lookupScopes_is to _ EvB3.
  apply updateListIndex_is to _ _ EvB6.
  RA: apply newNameScopes_replaceScopes to _ _ _ _ NNS' EvB7.
  apply newNameScopes_lookupScopes to _ _ NNS' EvB3. search.
 %E-ListForeach
  Is: case IsS. EvE: apply drop_ext_size_evalExpr to EvB3.
  apply evalExpr_isValue to _ _ _ EvE. V: apply vars_exist to Is1.
  apply IH_E to _ _ _ _ EvB3 V _ with EE_A = Scope::EE_A.
    intros M LSB. apply vars_is to _ V. apply mem_is_string to _ M.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  NNS+: assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  apply IH_IL to _ _ _ _ _ _ EvB4 NNS+. search.
%iterateList_newNameScopes_exists_ES
 %IL-Nil
  search.
 %IL-Cons
  case IsV. EvA: apply IH_S to _ _ _ _ ILB2 NNS.
  EvB': apply drop_ext_size_evalStmt to ILB2.
  EvA': apply drop_ext_size_evalStmt to EvA.
  IsEE1+: apply evalStmt_isCtx to _ _ _ EvB'. case IsEE1+.
  NNS+: apply evalStmt_newNameScopes to _ _ _ _ EvA' EvB' NNS.
  NNS+: case NNS+.
    %end
     LenEE_B: apply length_exists_list_pair_string_value to IsB.
     IsN2: apply length_is to LenEE_B.
     P: apply plus_integer_total to _ IsN2 with N1 = 1.
     LenEE_B+: assert length ([(X, Hd)]::EE_B) N5.
     LenEE2+: apply evalStmt_keep_scopes to _ _ _ EvB' LenEE_B+.
     apply length_unique to LenEE2+ NNS+.
     LEq: apply newNameScopes_length to NNS LenEE_B.
     L: apply lt_plus_one to P _.
     apply less_lesseq_flip_false to L LEq.
    %step
     IsAR+: apply evalStmt_isCtx to _ _ _ EvA'. case IsAR+.
     apply IH_IL to _ _ _ _ _ _ ILB3 NNS+. search.


Prove looseEval:host:evalExpr_scopes_same,
      looseEval:host:evalStmt_scopes_same,
      looseEval:host:evalStmt_scopes_same_ctx,
      looseEval:host:evalArgs_scopes_same,
      looseEval:host:evalRecFields_scopes_same
with
  iterateList_scopes_same :
    forall V X Body FE EE_A EE_A' OA EE_B EE_B' OB,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' OA ->
      ILB : iterateList FE EE_B V X Body EE_B' OB ->
      OA = OB
    on ILA as IH_IL,
  iterateList_scopes_same_ctx :
    forall V X Body FE EE_A EE_A' OA EE_B EE_B' OB,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' OA ->
      ILB : iterateList FE EE_B V X Body EE_B' OB ->
      scopes_same EE_A' EE_B'
    on ILA as IH_IL_C. [Show Proof]

%evalExpr_scopes_same
 %E-Nil
  case EvB. search.
 %E-Cons
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA3 EvB2.
  search.
 %E-Head
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB. search.
 %E-Tail
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB. search.
 %E-Null-True
  case IsE. EvB: case EvB.
    %E-Null-True
     apply IH_E to _ _ _ _ SS EvA1 EvB. search.
    %E-Null-False
     apply IH_E to _ _ _ _ SS EvA1 EvB.
 %E-Null-False
  case IsE. EvB: case EvB.
    %E-Null-True
     apply IH_E to _ _ _ _ SS EvA1 EvB.
    %E-Null-False
     apply IH_E to _ _ _ _ SS EvA1 EvB. search.
 %E-Index
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA4 EvB3.
  apply listIndex_unique to EvA3 EvB2. search.
 %E-Length
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply listLength_unique to EvB1 EvA2. search.
%evalStmt_scopes_same
 %E-ListUpdate
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA2 EvB1.
  apply IH_E to _ _ _ _ SS EvA3 EvB2.
  apply scopes_same_lookupScopes to _ _ SS EvA1 EvB.
  apply updateListIndex_unique to EvA4 EvB3.
  apply append_unique to EvA6 EvB5. search.
 %E-ListForeach
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_IL to _ _ _ _ _ _ SS EvA2 EvB1.
  apply append_unique to EvA3 EvB2. search.
%evalStmt_scopes_same_ctx
 %E-ListUpdate
  EvB: case EvB. case IsS. apply IH_E to _ _ _ _ _ EvA2 EvB1.
  apply IH_E to _ _ _ _ _ EvA3 EvB2.
  apply scopes_same_lookupScopes to _ _ _ EvA1 EvB.
  apply evalExpr_isValue to _ _ _ EvA3.
  apply updateListIndex_unique to EvA4 EvB3.
  apply scopes_same_replaceScopes_scopes_same to _ _ _ _ EvA5 EvB4.
  search.
 %E-ListForeach
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_IL_C to _ _ _ _ _ _ SS EvA2 EvB1. search.
%iterateList_scopes_same
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. apply IH_S to _ _ _ _ _ ILA1 ILB.
  SS+: apply IH_S_C to _ _ _ _ _ ILA1 ILB. case SS+.
  IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
  IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
  apply IH_IL to _ _ _ _ _ _ _ ILA2 ILB1.
  apply append_unique to ILA3 ILB2. search.
%iterateList_scopes_same_ctx
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. SS+: apply IH_S_C to _ _ _ _ _ ILA1 ILB.
  case SS+. IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
  IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
  apply IH_IL_C to _ _ _ _ _ _ _ ILA2 ILB1. search.


Prove looseEval:host:evalExpr_scopes_same_exists,
      looseEval:host:evalStmt_scopes_same_exists,
      looseEval:host:evalArgs_scopes_same_exists,
      looseEval:host:evalRecFields_scopes_same_exists
with
  iterateList_scopes_same_exists :
    forall V X Body FE EE_A EE_A' O EE_B,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' O ->
      exists EE_B', iterateList FE EE_B V X Body EE_B' O
  on ILA as IH_IL. [Show Proof]

%evalExpr_scopes_same_exists
 %E-Nil
  search.
 %E-Cons
  case IsE. apply IH_E to _ _ _ _ SS EvA1.
  apply IH_E to _ _ _ _ SS EvA2. search.
 %E-Head
  case IsE. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Tail
  case IsE. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Null-True
  case IsE. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Null-False
  case IsE. apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Index
  case IsE. apply IH_E to _ _ _ _ SS EvA1.
  apply IH_E to _ _ _ _ SS EvA2. search.
 %E-Length
  case IsE. apply IH_E to _ _ _ _ SS EvA1. search.
%evalStmt_scopes_same_exists
 %E-ListUpdate
  case IsS. apply IH_E to _ _ _ _ SS EvA2.
  apply IH_E to _ _ _ _ SS EvA3.
  LB: apply scopes_same_lookupScopes_exists to _ _ SS EvA1.
  apply scopes_same_replaceScopes_exists to _ _ _ SS EvA5. search.
 %E-ListForeach
  case IsS. apply IH_E to _ _ _ _ SS EvA1.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_IL to _ _ _ _ _ _ SS EvA2. search.
%iterateList_scopes_same_exists
 %IL-Nil
  search.
 %IL-Cons
  case IsV.
  SS1: assert scopes_same ([(X, Hd)]::EE_A) ([(X, Hd)]::EE_B).
  EvB: apply IH_S to _ _ _ _ SS1 ILA1.
  SS2: apply evalStmt_scopes_same_ctx to _ _ _ _ SS1 ILA1 EvB.
  SS': case SS2. IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1.
  case IsEE1+. IsBR+: apply evalStmt_isCtx to _ _ _ EvB. case IsBR+.
  apply IH_IL to _ _ _ _ _ _ SS'2 ILA2. search.


Theorem append_nil_output : forall O,
  is_list is_value O -> O ++ [] = O. [Show Proof]

induction on 1. intros Is. Is: case Is.
  %nil
   search.
  %cons
   apply IH to Is1. search.


Prove_Constraint looseEval:host:proj_evalExpr_exists. [Show Proof]

%Proj-Nil
 case Ev. search.
%Proj-Cons
 case IsE. Ev: case Ev. IsV1: apply evalExpr_isValue to _ _ _ Ev.
 IsV2: apply evalExpr_isValue to _ _ _ Ev1.
 Or: apply is_value_eq_or_not to IsV1 IsV2. case Or.
   %V1 = V2
    search.
   %V1 != V2
    search.
%Proj-Null
 case Ev. search. search.
%Proj-Head
 case Ev. search.
%Proj-Tail
 case Ev. search.
%Proj-Index
 case IsE. Ev: case Ev. IsV1: apply evalExpr_isValue to _ _ _ Ev.
 IsV2: apply evalExpr_isValue to _ _ _ Ev1.
 Or: apply is_value_eq_or_not to IsV1 IsV2. case Or.
   %V1 = V2
    search.
   %V1 != V2
    search.
%Proj-Length
 case Ev. search.


Extensible_Theorem
  iterateList_to_while : forall FE EE V X Body EE' O Names L,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    Names : names EE Names ->
    Fr : fresh_name "L" (X::Names) L ->
    exists V',
      evalStmt FE ([(L, V)]::EE)
        (while (not (null (name L)))
           (seq (declare intTy X (head (name L)))
           (seq (assign L (tail (name L)))
                Body))) ([(L, V')]::EE') O
  on IL. [Show Proof]

%IL-Nil
 search 20.
%IL-Cons
 case IsV. IsEE''+: apply evalStmt_isCtx to _ _ _ IL1.
 IsEE'': case IsEE''+. NS: apply evalStmt_names_same to _ _ _ IL1.
 Names'': apply names_exists to IsEE''1.
 IsN: apply names_is to _ Names''.
 Fr': apply fresh_name_exists to _ _ with Base = "L", Names = X::N.
 apply fresh_name_unique_mems to Fr Fr' _ _.
   %mem X::N -> mem X::Names
    intros M. M: case M. search.
    NS': apply names_same_symmetric to NS.
    apply names_same_names to NS' Names'' Names M. search.
   %mem X::Names -> mem X::N
    intros M. M: case M. search.
    apply names_same_names to NS Names Names'' M. search.
 EvSub: apply IH to _ _ _ _ _ IL2 Names'' Fr'.
 exists V'. unfold. exists [], Scope', [(F, Tl)]::EE'', O2, O3, O2.
 split.
   %eval condition
    search.
   %eval body
    unfold. exists [(X, Hd)]::[(F, consVal Hd Tl)]::EE, [], O2. split.
      %eval declare X
       search 20.
      %eval rest
       NEq: assert X = F -> false.
         intros E. case E. apply fresh_name_not_mem to Fr _.
       unfold. exists [(X, Hd)]::[(F, Tl)]::EE, [], O2. split.
         %eval assign
          search 10.
         %eval Body
          LenEE: apply length_exists_list_pair_string_value to IsEE.
          rename N1 to Len.
          NNS: assert newNameScopes [[(F, Tl)]] Len
                                    ([(F, Tl)]::EE) EE.
            unfold. exists 1, [F], Names. split. search. search.
            search. search. search. intros M MN. M: case M.
            apply fresh_name_not_mem to Fr _. case M.
          apply fresh_name_is to _ Fr.
          Ev: apply evalStmt_newNameScopes_exists to
                 _ _ _ _ IL1 NNS.
          NNS': apply evalStmt_newNameScopes to _ _ _ _ Ev IL1 _.
          NNS': case NNS'.
            %end
             Take: case NNS'2. case Take1. compute Take.
             Drop: case NNS'1. apply drop_is_integer to Drop1.
             apply plus_integer_unique_addend to _ _ _ Take Drop.
             Eq: assert L1 = Scope'::EE''.
               D: case Drop1. search. apply drop_is_integer to D1.
               P: assert 1 + -1 = 0.
               apply plus_integer_unique_addend to _ _ _ P D.
               GEq: apply drop_geq_0 to D1. LEq: case GEq. case LEq.
             case Eq. clear Take Drop Drop1.
             Len: case NNS'. apply length_is to Len.
             L: apply lt_plus_one to Len1 _.
             Len'': apply names_same_length to NS LenEE.
             apply length_unique to Len'' Len.
             apply less_integer_not_eq to L.
            %step
             NNS': case NNS'.
               %end
                Take: case NNS'2. case Take1. compute Take.
                Drop: case NNS'1. apply drop_is_integer to Drop1.
                apply plus_integer_unique_addend to _ _ _ Take Drop.
                Eq: assert L1 = EE''.
                  D: case Drop1. search. P: assert 1 + -1 = 0.
                  apply drop_is_integer to D1.
                  apply plus_integer_unique_addend to _ _ _ D P.
                  GEq: apply drop_geq_0 to D1. LEq: case GEq.
                  case LEq.
                case Eq. search.
               %step
                LenBR+: apply names_same_length to NS LenEE.
                LenBR: case LenBR+. apply length_is to LenBR.
                L: apply lt_plus_one to LenBR1 _.
                LEq: apply newNameScopes_length to NNS' LenBR.
                apply less_lesseq_flip_false to L LEq.
      %append output
       search.
      %append output
       search.
   %eval loop again
    search.
   %append first output
    search.
   %append rest output
    search.


Theorem lookupScopes_replaceScopes_exists : forall L Key V V',
  is_list (is_list (is_pair is_string is_value)) L -> is_string Key ->
  lookupScopes Key L V -> exists R, replaceScopes Key V' L R. [Show Proof]

induction on 3. intros IsL IsKey LS. LS: case LS.
  %LS-FirstScope
   Is: case IsL. RA: apply remove_all_exists to Is IsKey.
   M: apply lookup_mem to LS. search.
  %LS-Later
   case IsL. apply IH to _ _ LS1 with V' = V'. search.

Theorem replaceScopes_lookupScopes_same[Key, Item] :
  forall L (Key : Key) (V : Item) R,
    replaceScopes Key V L R -> lookupScopes Key R V. [Show Proof]

induction on 1. intros RS. RS: case RS.
  %RS-FirstScope
   search.
  %RS-Later
   apply IH to RS1. search.

Theorem remove_all_twice[K, V] : forall (L : list (pair K V)) K RA RB,
  remove_all L K RA -> remove_all RA K RB -> RA = RB. [Show Proof]

induction on 1. intros RA RB. RA: case RA.
  %RA-Nil
   case RB. search.
  %RA-Remove
   apply IH to RA RB. search.
  %RA-Keep
   RB: case RB.
     %RA-Remove
      apply RA to _.
     %RA-Keep
      apply IH to RA1 RB1. search.

Theorem replaceScopes_twice[Key, Item] :
  forall (L : list (list (pair string value))) K VA RA VB RB,
    replaceScopes K VA L RA -> replaceScopes K VB RA RB ->
    replaceScopes K VB L RB. [Show Proof]

induction on 1. intros RSA RSB. RSA: case RSA.
  %RS-FirstScope
   RSB: case RSB.
     %RS-FirstScope
      RA: case RSB1.
        %RA-Remove
         apply remove_all_twice to RSA1 RA. search.
        %RA-Keep
         apply RA to _.
     %RS-Later
      N: case RSB. apply N to _.
  %RS-Later
   RSB: case RSB.
     %RS-FirstScope
      apply no_lookup_mem to RSA RSB.
     %RS-Later
      apply IH to RSA1 RSB1. search.

Theorem updateListIndex_is_integer : forall L I V L',
  updateListIndex L I V L' -> is_integer I. [Show Proof]

induction on 1. intros ULI. ULI: case ULI.
  %ULI-0
   search.
  %ULI-Step
   IsI1: apply IH to ULI1.
   apply minus_integer_is_integer_result to _ ULI. search.

Theorem updateListIndex_pos : forall L I V L',
  updateListIndex L I V L' -> I >= 0. [Show Proof]

induction on 1. intros ULI.
IsI: apply updateListIndex_is_integer to ULI. ULI: case ULI.
  %ULI-0
   search.
  %ULI-Step
   GEq: apply IH to ULI1. P: apply minus_plus_same_integer to _ _ ULI.
   IsI1: apply updateListIndex_is_integer to ULI1.
   P': apply plus_integer_comm to _ _ P. L: apply lt_plus_one to P' _.
   LEq: case GEq. L': apply lesseq_less_integer_transitive to LEq L.
   G: assert I > 0. apply greater_integer_greatereq to G. search.

Define listy : value -> prop by
listy nilVal;
listy (consVal Hd Tl) := listy Tl.

%flip first list onto second, producing third
Define flipOnto : value -> value -> value -> prop by
flipOnto nilVal L L;
flipOnto (consVal H T) L L' := flipOnto T (consVal H L) L'.

Theorem eval_update_loop2 :
  forall (Hold SaveI SaveE L : string) V H HoldL LVal G FE,
    listy HoldL ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value))
        ([(Hold, consVal H HoldL), (SaveI, intVal 0), (SaveE, V)]::G) ->
    (Hold = SaveI -> false) -> (Hold = L -> false) ->
    (SaveI = SaveE -> false) -> (SaveI = L -> false) ->
    (Hold = SaveE -> false) -> (SaveE = L -> false) ->
    lookupScopes L ([(Hold, consVal H HoldL), (SaveI, intVal 0),
                     (SaveE, V)]::G) LVal ->
    exists G' LV,
      <evalStmt {P}> FE
             ([(Hold, consVal H HoldL), (SaveI, intVal 0),
               (SaveE, V)]::G)
             (while (not (null (name Hold)))
                     (seq (assign L (cons (head (name Hold)) (name L)))
                          (assign Hold (tail (name Hold)))))
             ([(Hold, nilVal), (SaveI, intVal 0),
               (SaveE, V)]::G') [] /\
      replaceScopes L LV G G' /\
      flipOnto (consVal H HoldL) LVal LV. [Show Proof]

induction on 1. intros ListyH IsFE IsCtx NEqHI NEqHL NEqIE NEqIL NEqHE
                       NEqEL LS. ListyH: case ListyH.
  %nil
   EvCondA: assert <evalExpr {P}>
                     FE ([]::[(Hold, consVal H nilVal),
                              (SaveI, intVal 0), (SaveE, V)]::G)
                     (not (null (name Hold))) trueVal []. search 6.
   EvBody1A: assert exists G',
                     <evalStmt {P}> FE
                       ([]::[(Hold, consVal H nilVal),
                             (SaveI, intVal 0), (SaveE, V)]::G)
                       (assign L (cons (head (name Hold)) (name L)))
                       ([]::[(Hold, consVal H nilVal),
                             (SaveI, intVal 0), (SaveE, V)]::G') [] /\
                     replaceScopes L (consVal H LVal) G G'.
     Is+: assert is_list (is_list (is_pair is_string is_value))
                   ([]::[(Hold, consVal H nilVal),
                         (SaveI, intVal 0), (SaveE, V)]::G).
     IsL: apply lookupScopes_is to _ LS.
     LS: assert lookupScopes L
                   ([]::[(Hold, consVal H nilVal),
                         (SaveI, intVal 0), (SaveE, V)]::G) LVal.
     EvCP: assert exists VE, %eval projection of cons(head(Hold), L)
              <evalExpr {P}> FE
                 ([]::[(Hold, consVal H nilVal),
                       (SaveI, intVal 0), (SaveE, V)]::G)
                 (eq (head (name Hold)) (name L)) VE [].
       IsC: case IsCtx (keep). IsC: case IsC. IsP: case IsC.
       IsH: case IsP1. Or: apply is_value_eq_or_not to IsH IsL.
       N: case Or. search 20. search 20.
     case EvCP.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = consVal H LVal. RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        search 20.
   EvBody1A: case EvBody1A.
   EvBody1B: assert <evalStmt {P}> FE
                      ([]::[(Hold, consVal H nilVal),
                            (SaveI, intVal 0), (SaveE, V)]::G')
                      (assign Hold (tail (name Hold)))
                      ([]::[(Hold, nilVal), (SaveI, intVal 0),
                            (SaveE, V)]::G') [].
     unfold. exists nilVal. split.
       %eval expr
        search.
       %replaceScopes
        unfold. search. unfold. exists consVal H nilVal.
        split. search. unfold. unfold. intros E. case E.
        backchain NEqHI. unfold. intros E. case E. backchain NEqHE.
        search.
   EvCondB: assert <evalExpr {P}> FE ([]::[(Hold, nilVal),
                                           (SaveI, intVal 0),
                                           (SaveE, V)]::G')
                     (not (null (name Hold))) falseVal []. search 6.
   exists G', consVal H LVal. search 20.
  %cons
   EvCondA: assert <evalExpr {P}> FE
                     ([]::[(Hold, consVal H (consVal Hd Tl)),
                           (SaveI, intVal 0), (SaveE, V)]::G)
                     (not (null (name Hold))) trueVal []. search 6.
   EvBody1A:
      assert exists G',
                <evalStmt {P}> FE
                  ([]::[(Hold, consVal H (consVal Hd Tl)),
                        (SaveI, intVal 0), (SaveE, V)]::G)
                  (assign L (cons (head (name Hold)) (name L)))
                  ([]::[(Hold, consVal H (consVal Hd Tl)),
                        (SaveI, intVal 0), (SaveE, V)]::G') [] /\
                replaceScopes L (consVal H LVal) G G'.
     IsL: apply lookupScopes_is to _ LS.
     EvCP: assert exists VE, %eval projection of cons(head(Hold), L)
              <evalExpr {P}> FE
                 ([]::[(Hold, consVal H (consVal Hd Tl)),
                       (SaveI, intVal 0), (SaveE, V)]::G)
                 (eq (head (name Hold)) (name L)) VE [].
       IsC: case IsCtx (keep). IsC: case IsC. IsP: case IsC.
       IsH: case IsP1. Or: apply is_value_eq_or_not to IsH IsL.
       N: case Or. search 20. search 20.
     case EvCP.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = (consVal H LVal). RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        search 7.
   EvBody1A: case EvBody1A.
   EvBody1B: assert <evalStmt {P}> FE
                      ([]::[(Hold, consVal H (consVal Hd Tl)),
                            (SaveI, intVal 0), (SaveE, V)]::G')
                      (assign Hold (tail (name Hold)))
                      ([]::[(Hold, (consVal Hd Tl)),
                            (SaveI, intVal 0), (SaveE, V)]::G') [].
     unfold. exists consVal Hd Tl. split.
       %eval expr
        search.
       %replaceScopes
        unfold. search. unfold. exists consVal H (consVal Hd Tl).
        split. search. unfold. unfold. intros E. case E.
        backchain NEqHI. unfold. intros E. case E. backchain NEqHE.
        search.
   LS': assert lookupScopes L
                  ([(Hold, consVal Hd Tl), (SaveI, intVal 0),
                    (SaveE, V)]::G') (consVal H LVal).
     apply replaceScopes_lookupScopes_same to EvBody1A1. search.
   apply lookupScopes_is to _ LS. Is: case IsCtx (keep). Is: case Is.
   Is: case Is. Is: case Is3. Is: case Is4. Is: case Is2.
   Is: case Is2. Is: case Is6. Is: case Is6.
   EvBody1A': apply drop_proj_rel_evalStmt to EvBody1A.
   apply evalStmt_isCtx to _ _ _ EvBody1A'.
   EvBody1B': apply drop_proj_rel_evalStmt to EvBody1B.
   IsG'+: apply evalStmt_isCtx to _ _ _ EvBody1B'. case IsG'+.
   EvB: apply IH to ListyH _ _ _ _ _ _ _ _ _ with Hold = Hold,
          SaveI = SaveI, SaveE = SaveE, L = L, V = V, H = Hd,
          LVal = consVal H LVal, G = G', FE = FE.
   exists G'1, LV. split.
     %eval
      search 6.
     %replaceScopes
      apply replaceScopes_twice to EvBody1A1 EvB1. search.
     %flipOnto
      search.

Theorem proj_listUpdate_eval :
  forall OldL I V NewL Hold HoldL SaveI SaveE G FE L,
    updateListIndex OldL I V NewL ->
    (Hold = SaveI -> false) -> (Hold = L -> false) ->
    (SaveI = SaveE -> false) -> (SaveI = L -> false) ->
    (Hold = SaveE -> false) -> (SaveE = L -> false) ->
    listy HoldL ->
    I >= 0 ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value))
       ([(Hold, HoldL), (SaveI, intVal I), (SaveE, V)]::G) ->
    lookupScopes L ([(Hold, HoldL), (SaveI, intVal I), (SaveE, V)]::G)
                 OldL ->
    exists G' LV,
      <evalStmt {P}> FE
         ([(Hold, HoldL), (SaveI, intVal I), (SaveE, V)]::G)
         (seq (while (greater (name SaveI) (num 0))
                 (seq (assign SaveI (minus (name SaveI) (num 1)))
                 (seq (assign Hold (cons (head (name L))
                                         (name Hold)))
                      (assign L (tail (name L))))))
         (seq (assign L (cons (name SaveE) (tail (name L))))
              (while (not (null (name Hold)))
                 (seq (assign L (cons (head (name Hold)) (name L)))
                      (assign Hold (tail (name Hold)))))))
         ([(Hold, nilVal), (SaveI, intVal 0), (SaveE, V)]::G') [] /\
      replaceScopes L LV G G' /\
      flipOnto HoldL NewL LV. [Show Proof]

induction on 1. intros ULI NEqHI NEqHL NEqIE NEqIL NEqHE NEqEL ListyH
                       GEqI0 IsFE Is+ LS. ULI: case ULI.
  %ULI-0
   EvLoop1: assert <evalStmt {P}> FE
                     ([(Hold, HoldL), (SaveI, intVal 0),
                       (SaveE, V)]::G)
                     (while (greater (name SaveI) (num 0))
                        (seq (assign SaveI (minus (name SaveI)
                                     (num 1)))
                        (seq (assign Hold (cons (head (name L))
                                                (name Hold)))
                             (assign L (tail (name L))))))
                     ([(Hold, HoldL), (SaveI, intVal 0),
                           (SaveE, V)]::G) []. search 6.
   EvMid_e: assert <evalExpr {P}> FE
                      ([(Hold, HoldL), (SaveI, intVal 0),
                        (SaveE, V)]::G)
                      (cons (name SaveE) (tail (name L)))
                      (consVal V Tl) [].
     EvCP: assert exists VE, %eval projection of cons
              <evalExpr {P}> FE
                 ([(Hold, HoldL), (SaveI, intVal 0),
                   (SaveE, V)]::G)
                 (eq (name SaveE) (tail (name L))) VE [].
       IsV: apply lookupScopes_is to Is+ _ with X = SaveE, V = V.
       IsLVal: apply lookupScopes_is to _ LS. IsLV: case IsLVal.
       Or: apply is_value_eq_or_not to IsV IsLV1.
       N: case Or. search 20. search 20.
     case EvCP. search 20.
   EvAssign: assert exists G',
               <evalStmt {P}> FE
                 ([(Hold, HoldL), (SaveI, intVal 0),
                   (SaveE, V)]::G)
                 (assign L (cons (name SaveE) (tail (name L))))
                 ([(Hold, HoldL), (SaveI, intVal 0),
                   (SaveE, V)]::G') [] /\
               replaceScopes L (consVal V Tl) G G'.
     IsL: apply lookupScopes_is to _ LS.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = consVal V Tl. RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        search.
   EvAssign: case EvAssign.
   ListyH': case ListyH (keep).
     %nil
      exists G', consVal V Tl. split.
        %eval
         unfold. exists ([(Hold, nilVal),
                          (SaveI, intVal 0), (SaveE, V)]::G),
                        [], []. split.
           %loop 1
            search.
           %rest
            unfold. exists [(Hold, nilVal),
                            (SaveI, intVal 0), (SaveE, V)]::G', [], [].
            split.
              %mid assign
               search.
              %loop 2
               search 6.
              %append output
               search.
        %append output
         search.
        %replaceScopes
         search.
        %flipOnto
         search.
     %cons
      LS': assert lookupScopes L ([(Hold, consVal Hd Tl1),
                                   (SaveI, intVal 0), (SaveE, V)]::G')
                               (consVal V Tl).
        apply replaceScopes_lookupScopes_same to EvAssign1. search.
      IsL: apply lookupScopes_is to _ LS.
      Is: case Is+. Is: case Is. Is: case Is2. Is: case Is3.
      Is: case Is3. EvAsgn': apply drop_proj_rel_evalStmt to EvAssign.
      apply evalStmt_isCtx to _ _ _ EvAsgn'.
      EvLoop2: apply eval_update_loop2 to _ _ _ _ _ _ _ _ _ _ with
                 Hold = Hold, SaveI = SaveI, SaveE = SaveE, L = L,
                 V = V, H = Hd, HoldL = Tl1, LVal = consVal V Tl,
                 G = G', FE = FE.
      exists G'1, LV. split.
        %eval
         unfold. exists ([(Hold, consVal Hd Tl1), (SaveI, intVal 0),
                          (SaveE, V)]::G), [], []. split.
           %loop 1
            search.
           %rest
            unfold. exists [(Hold, consVal Hd Tl1), (SaveI, intVal 0),
                            (SaveE, V)]::G', [], []. split.
              %mid assign
               search.
              %loop 2
               search.
              %append output
               search.
        %append output
         search.
        %replaceScopes
         apply replaceScopes_twice to EvAssign1 EvLoop3. search.
        %flipOnto
         search.
  %ULI-Step
   GEqI1: apply updateListIndex_pos to ULI1.
   EvCond: assert <evalExpr {P}> FE
                         ([(Hold, HoldL), (SaveI, intVal I),
                           (SaveE, V)]::G)
                         (greater (name SaveI) (num 0)) trueVal [].
     unfold. exists I, [], 0, []. split.
       %eval SaveI I
        search.
       %eval 0 0
        search.
       %I > 0
        Or: apply greatereq_integer_greater_or_eq to GEqI0.
        C: case Or.
          %I > 0
           search.
          %I = 0
           compute ULI. LEq: case GEqI1. case LEq.
       %append output
        search.
   EvBodyA: assert
              <evalStmt {P}> FE
                ([]::[(Hold, HoldL), (SaveI, intVal I),
                      (SaveE, V)]::G)
                (assign SaveI (minus (name SaveI) (num 1)))
                ([]::[(SaveI, intVal I1), (Hold, HoldL),
                      (SaveE, V)]::G) [].
     unfold. exists intVal I1. split.
       %eval expr
        unfold. exists I, [], 1, []. split.
          %eval SaveI
           search.
          %eval -1
           search.
          %subtract
           search.
          %append output
           search.
       %replaceScopes
        unfold.
          %no_lookup first
           search.
          %lookupScopes rest
           unfold. exists intVal I. split.
             %mem
              search.
             %remove_all
              unfold. intros E. case E. backchain NEqHI. unfold.
              unfold. intros E. case E. backchain NEqIE. search.
   EvBodyB: assert
              <evalStmt {P}> FE
                ([]::[(SaveI, intVal I1), (Hold, HoldL),
                      (SaveE, V)]::G)
                (assign Hold (cons (head (name L)) (name Hold)))
                ([]::[(Hold, (consVal X HoldL)), (SaveI, intVal I1),
                      (SaveE, V)]::G) [].
     EvL: assert
              <evalExpr {P}> FE
                 ([]::[(SaveI, intVal I1), (Hold, HoldL),
                       (SaveE, V)]::G) (name L) (consVal X Tl) [].
       LS: case LS.
         %LS-FirstScope
          L: case LS. apply NEqHL to _. L: case L1. L: case L2.
          apply NEqEL to _. case L3.
         %LS-Later
          assert no_lookup [(SaveI, intVal I1), (Hold, HoldL),
                            (SaveE, V)] L. search.
     EvCP: assert exists VE, %eval projection of cons
              <evalExpr {P}> FE
                 ([]::[(SaveI, intVal I1), (Hold, HoldL),
                       (SaveE, V)]::G)
                 (eq (head (name L)) (name Hold)) VE [].
       IsC: case Is+ (keep). IsC: case IsC. IsH: case IsC.
       IsL: apply lookupScopes_is to _ LS. IsL: case IsL.
       assert SaveI = Hold -> false.
         intros E. case E. backchain NEqHI.
       Or: apply is_value_eq_or_not to IsL IsH1.
       N: case Or. search 20. search 20.
     case EvCP.
     unfold. exists consVal X HoldL. split.
       %eval expr
        unfold. exists eq (head (name L)) (name Hold), VE, [], [], [].
        split.
          %eval head(name(L))
           search.
          %eval name(Hold)
           assert lookupScopes Hold
                     ([(SaveI, intVal I1), (Hold, HoldL),
                       (SaveE, V)]::G) HoldL.
             unfold. unfold. intros E. case E. backchain NEqHI.
             search.
           search.
          %append output
           search.
          %proj
           search.
          %eval proj
           search.
       %replaceScopes
        unfold. search. unfold. exists HoldL. split.
          %mem
           search.
          %remove_all
           unfold. intros E. case E. backchain NEqHI. unfold. unfold.
           intros E. case E. backchain NEqHE. search.
   EvBodyC: assert exists G',
              <evalStmt {P}> FE
                ([]::[(Hold, (consVal X HoldL)), (SaveI, intVal I1),
                      (SaveE, V)]::G) (assign L (tail (name L)))
                ([]::[(Hold, (consVal X HoldL)), (SaveI, intVal I1),
                      (SaveE, V)]::G') [] /\
              replaceScopes L Tl G G'.
     IsL: apply lookupScopes_is to _ LS.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = Tl. RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        exists New. split.
          %eval
           unfold. exists Tl. split.
             %eval expr
              LS: case LS.
                %LS-FirstScope
                 L: case LS. apply NEqHL to _. L: case L1.
                 apply NEqIL to _. L: case L2. apply NEqEL to _.
                 case L3.
                %LS-Later
                 search 8.
             %replaceScopes
              search 6.
          %replaceScopes L
           search.
   EvBodyC: case EvBodyC.
   EvBody: assert
             <evalStmt {P}> FE
               ([]::[(Hold, HoldL), (SaveI, intVal I),
                     (SaveE, V)]::G)
               (seq (assign SaveI (minus (name SaveI) (num 1)))
               (seq (assign Hold (cons (head (name L)) (name Hold)))
                    (assign L (tail (name L)))))
               ([]::[(Hold, consVal X HoldL), (SaveI, intVal I1),
                     (SaveE, V)]::G') [].
   clear EvBodyA EvBodyB EvBodyC. %done with these, as EvBody is here
   ListyH': assert listy (consVal X HoldL).
   IsL: apply lookupScopes_is to _ LS. Is: case Is+. Is: case Is.
   Is: case Is. Is: case Is2. Is: case Is2. Is: case Is4.
   Is: case Is4. case IsL. case Is5.
   apply minus_integer_is_integer to _ _ ULI.
   EvBody': apply drop_proj_rel_evalStmt to EvBody.
   IsG'+: apply evalStmt_isCtx to _ _ _ EvBody'. search 6. search 8.
   case IsG'+.
   IsG'+: assert is_list (is_list (is_pair is_string is_value))
                    ([(Hold, consVal X HoldL), (SaveI, intVal I1),
                      (SaveE, V)]::G').
   assert lookupScopes L
              ([(Hold, consVal X HoldL), (SaveI, intVal I1),
                (SaveE, V)]::G') Tl.
     apply replaceScopes_lookupScopes_same to EvBodyC1. search.
   Sub: apply IH to ULI1 NEqHI NEqHL NEqIE NEqIL NEqHE NEqEL
                    ListyH' _ _ IsG'+ _.
   EvSub: case Sub. %split this to build eval for first loop
   case EvSub2.
   EvLoop1: assert
        <evalStmt {P}> FE
          ([(Hold, HoldL), (SaveI, intVal I), (SaveE, V)]::G)
          (while (greater (name SaveI) (num 0))
            (seq (assign SaveI (minus (name SaveI) (num 1)))
            (seq (assign Hold (cons (head (name L)) (name Hold)))
                 (assign L (tail (name L)))))) EE1 [].
   exists G'1, LV. split.
     %eval
      search.
     %replaceScopes
      apply replaceScopes_twice to EvBodyC1 Sub1. search.
     %flipOnto
      case Sub2. search.


Prove_Constraint looseEval:host:proj_evalStmt_exists. [Show Proof]

%Proj-ListUpdate
 Is: case IsS. Ev: case Ev.
 assert SaveE = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr3 _.
 assert SaveI = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr1 _.
 assert Hold = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr2 _.
 assert Hold = SaveE -> false.
   intros E. case E. AppE: apply fresh_name_start to _ Pr3.
   AppH: apply fresh_name_start to _ Pr2. search 6.
   case AppE. case AppH.
 assert Hold = SaveI -> false.
   intros E. case E. AppI: apply fresh_name_start to _ Pr1.
   AppH: apply fresh_name_start to _ Pr2. search 6.
   case AppI. case AppH.
 NEqIE: assert SaveI = SaveE -> false.
   intros E. case E. AppI: apply fresh_name_start to _ Pr1.
   AppE: apply fresh_name_start to _ Pr3. case AppI. case AppE.
 EvI: assert evalStmt FE ([]::EE) (declare intTy SaveI I)
                      ([(SaveI, intVal N)]::EE) O2.
   V: apply vars_exist to Is1.
   apply evalExpr_rel_exists to _ _ _ _ Ev1 V _ with EE_A = []::EE.
   search.
 apply fresh_name_is to _ Pr1. apply evalExpr_isValue to _ _ _ Ev1.
 EvE: assert evalStmt FE ([(SaveI, intVal N)]::EE)
                      (declare intTy SaveE E)
                      ([(SaveE, V), (SaveI, intVal N)]::EE) O3.
   V: apply vars_exist to Is2.
   apply evalExpr_rel_exists to _ _ _ _ Ev2 V _ with
      EE_A = ([(SaveI, intVal N)]::EE).
     intros M L. MemN: apply lookupScopes_names to L Names.
     assert SaveI = X -> false.
       intros E. case E. apply fresh_name_not_mem to Pr1 _.
     search.
   search.
 apply fresh_name_is to _ Pr3. apply evalExpr_isValue to _ _ _ Ev2.
 EvAI: assert evalStmt FE ([(SaveE, V), (SaveI, intVal N)]::EE)
                       (assign SaveI (name SaveI))
                       ([(SaveI, intVal N), (SaveE, V)]::EE) [].
    assert SaveE = SaveI -> false. intros E. case E. backchain NEqIE.
    search.
 EvH: assert evalStmt FE ([(SaveI, intVal N), (SaveE, V)]::EE)
                      (declare intTy Hold (looseEval:list:nil intTy))
                      ([(Hold, nilVal), (SaveI, intVal N),
                        (SaveE, V)]::EE) [].
 IsSaveI: apply fresh_name_is to _ Pr1.
 IsHold: apply fresh_name_is to _ Pr2. search 6.
 GEq: apply updateListIndex_pos to Ev3.
 IsN: apply evalExpr_isValue to _ _ _ Ev1.
 Main: apply proj_listUpdate_eval to _ _ _ _ _ _ _ _ _ _ _ _ with
         OldL = LV, I = N, V = V, NewL = LV2, Hold = Hold,
         HoldL = nilVal, SaveI = SaveI, SaveE = SaveE, G = EE, L = L.
 apply drop_proj_rel_evalStmt to Main.
 exists G'. IsO3: apply evalExpr_isOutput to _ _ _ Ev2.
 apply append_nil_output to IsO3. search 20.
%Proj-ListForeach
 case IsS. Ev: case Ev. apply evalExpr_isValue to _ _ _ Ev.
 apply iterateList_to_while to _ _ _ _ _ Ev1 Names Pr1.
 V: apply vars_exist to _ with E = L.
 Ev': apply evalExpr_rel_exists to _ _ _ _ Ev V _ with EE_A = []::EE.
 search.

Prove_Constraint looseEval:host:proj_evalStmt_rel. [Show Proof]

%Proj-ListUpdate
 Is: case IsS. Ev: case Ev.
 assert SaveE = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr3 _.
 assert SaveI = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr1 _.
 assert Hold = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr2 _.
 assert Hold = SaveE -> false.
   intros E. case E. AppE: apply fresh_name_start to _ Pr3.
   AppH: apply fresh_name_start to _ Pr2. search 6.
   case AppE. case AppH.
 assert Hold = SaveI -> false.
   intros E. case E. AppI: apply fresh_name_start to _ Pr1.
   AppH: apply fresh_name_start to _ Pr2. search 6.
   case AppI. case AppH.
 NEqIE: assert SaveI = SaveE -> false.
   intros E. case E. AppI: apply fresh_name_start to _ Pr1.
   AppE: apply fresh_name_start to _ Pr3. case AppI. case AppE.
 EvI: assert evalStmt FE ([]::EE) (declare intTy SaveI I)
                      ([(SaveI, intVal N)]::EE) O2.
   V: apply vars_exist to Is1.
   apply evalExpr_rel_exists to _ _ _ _ Ev1 V _ with EE_A = []::EE.
   search.
 apply fresh_name_is to _ Pr1. apply evalExpr_isValue to _ _ _ Ev1.
 EvE: assert evalStmt FE ([(SaveI, intVal N)]::EE)
                      (declare intTy SaveE E)
                      ([(SaveE, V), (SaveI, intVal N)]::EE) O3.
   V: apply vars_exist to Is2.
   apply evalExpr_rel_exists to _ _ _ _ Ev2 V _ with
      EE_A = ([(SaveI, intVal N)]::EE).
     intros M L. MemN: apply lookupScopes_names to L Names.
     assert SaveI = X -> false.
       intros E. case E. apply fresh_name_not_mem to Pr1 _.
     search.
   search.
 apply fresh_name_is to _ Pr3. apply evalExpr_isValue to _ _ _ Ev2.
 EvAI: assert evalStmt FE ([(SaveE, V), (SaveI, intVal N)]::EE)
                       (assign SaveI (name SaveI))
                       ([(SaveI, intVal N), (SaveE, V)]::EE) [].
    assert SaveE = SaveI -> false. intros E. case E. backchain NEqIE.
    search.
 EvH: assert evalStmt FE ([(SaveI, intVal N), (SaveE, V)]::EE)
                      (declare intTy Hold (looseEval:list:nil intTy))
                      ([(Hold, nilVal), (SaveI, intVal N),
                        (SaveE, V)]::EE) [].
 IsSaveI: apply fresh_name_is to _ Pr1.
 IsHold: apply fresh_name_is to _ Pr2. search 6.
 GEq: apply updateListIndex_pos to Ev3.
 IsN: apply evalExpr_isValue to _ _ _ Ev1.
 Main: apply proj_listUpdate_eval to _ _ _ _ _ _ _ _ _ _ _ _ with
         OldL = LV, I = N, V = V, NewL = LV2, Hold = Hold,
         HoldL = nilVal, SaveI = SaveI, SaveE = SaveE, G = EE, L = L.
 apply drop_proj_rel_evalStmt to Main.
 IsO3: apply evalExpr_isOutput to _ _ _ Ev2.
 apply append_nil_output to IsO3.
 EvW: assert evalStmt FE EE
        (scopeStmt
           (seq (declare intTy SaveI I)
           (seq (declare intTy SaveE E)
           (seq (assign SaveI (name SaveI))
           (seq (declare intTy Hold (looseEval:list:nil intTy))
           (seq (while (greater (name SaveI) (num 0))
                   (seq (assign SaveI (minus (name SaveI) (num 1)))
                   (seq (assign Hold (cons (head (name L))
                                           (name Hold)))
                        (assign L (tail (name L))))))
           (seq (assign L (cons (name SaveE) (tail (name L))))
                (while (not (null (name Hold)))
                   (seq (assign L (cons (head (name Hold)) (name L)))
                        (assign Hold (tail (name Hold))))))))))))
        G' O. search 20.
 Ev_P: case Ev_P. EvW: case EvW.
 apply evalStmt_unique to _ _ _ Ev_P EvW. search 20.
 case Main2. apply replaceScopes_unique to Main1 Ev4.
 apply lookupScopes_is to _ Ev.
 apply updateListIndex_is to _ _ Ev3.
 apply replaceScopes_is to _ _ Main1.
 backchain scopes_same_reflexive.
%Proj-ListForeach
 Is: case IsS. Ev: case Ev. Ev_P: case Ev_P. Ev_P: case Ev_P.
 apply evalExpr_isValue to _ _ _ Ev.
 EvW: apply iterateList_to_while to _ _ _ _ _ Ev1 Names Pr1.
 Eq: assert EE3 = [(SaveL, LV)]::EE.
   V: apply vars_exist to Is1. Ev': case Ev_P.
   E: apply evalExpr_rel_exists to _ _ _ _ Ev V _ with EE_A = []::EE.
   apply evalExpr_unique to _ _ _ E Ev'. search.
 case Eq. apply fresh_name_is to _ Pr1.
 apply evalStmt_unique to _ _ _ Ev_P1 EvW. search 20.
 apply iterateList_isCtx to _ _ _ _ _ Ev1.
 backchain scopes_same_reflexive.

Prove_Ext_Ind looseEval:host:evalExpr,
              looseEval:host:evalArgs,
              looseEval:host:evalRecFields,
              looseEval:host:evalStmt
with forall FE EE V X Body EE' O,
        iterateList FE EE V X Body EE' O with
           IsFE : is_list (is_pair is_string
                          (is_pair is_string
                          (is_pair is_value
                          (is_pair (is_list is_string) is_stmt)))) FE,
           IsEE : is_list (is_list (is_pair is_string is_value)) EE,
           IsV : is_value V,
           IsX : is_string X,
           IsBody : is_stmt Body
and
  iterateList_to_while_P :
    forall FE SaveL V EE X Body EE' O Names N N',
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value))
                ([(SaveL, V)]::EE) ->
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IL : <iterateList {ES}> FE EE V X Body EE' O N ->
      /*
        The reason we do `acc (N + 1)` is because we need to use the
        IH for acc to change a derivation of evaluation for the body
        into evalStmt_P, where the derivation is not annotated.  Thus
        we need to know its size is smaller, but that is not
        guaranteed for the iterateList size directly.  However,
        whenever we want to use this, we evaluated the iterateList
        with its larger size, and thus have acc for the size of the
        iterateList derivation + 1.
      */
      Plus : 1 + N = N' ->
      Acc : acc N' ->
      Names : names EE Names ->
      Fr : fresh_name "L" (X::Names) SaveL ->
      %
      exists V',
        <evalStmt {P}> FE ([(SaveL, V)]::EE)
           (while (not (null (name SaveL)))
              (seq (declare intTy X (head (name SaveL)))
              (seq (assign SaveL (tail (name SaveL)))
                   Body))) ([(SaveL, V')]::EE') O
  on Acc as IH_IL_W_A, IL * as IH_IL_W. [Show Proof]

%evalExpr
 %E-Nil
  search.
 %E-Cons
  case IsE. apply ext_size_is_int_evalExpr to R3.
  apply ext_size_is_int_evalExpr to R4.
  apply plus_integer_is_integer to _ _ R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R3.
  apply ext_size_pos_evalExpr to R4. Acc: case Acc.
  RP1: assert <evalExpr {P}> FE EE E1 V1 O2.
    Or: apply lt_left to R2 _ _. L': case Or.
      %N2 < N4
       L'': apply less_integer_transitive to L' L.
       A2: apply Acc to _ L''. apply IH to R3 A2 _ _ _. search.
      %N2 = N4
       A2: apply Acc to _ L. apply IH to R3 A2 _ _ _. search.
  RP2: assert <evalExpr {P}> FE EE E2 V2 O3.
    Ev1: apply drop_ext_size_evalExpr to R3.
    Or: apply lt_right to R2 _ _ _. L': case Or.
      %N3 < N4
       L'': apply less_integer_transitive to L' L.
       A3: apply Acc to _ L''. apply IH to R4 A3 _ _ _. search.
      %N3 = N4
       A3: apply Acc to _ L. apply IH to R4 A3 _ _ _. search.
  Ev1: apply drop_ext_size_evalExpr to R3.
  Ev2: apply drop_ext_size_evalExpr to R4.
  IsV1: apply evalExpr_isValue to _ _ _ Ev1.
  IsV2: apply evalExpr_isValue to _ _ _ Ev2.
  Or: apply is_value_eq_or_not to IsV1 IsV2. case Or.
    %V1 = V2
     search.
    %V1 != V2
     search.
 %E-Head
  case IsE. apply ext_size_is_int_evalExpr to R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R2.
  Acc: case Acc. A: apply Acc to _ L. apply IH to R2 A _ _ _. search.
 %E-Tail
  case IsE. apply ext_size_is_int_evalExpr to R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R2.
  Acc: case Acc. A: apply Acc to _ L. apply IH to R2 A _ _ _. search.
 %E-Null-True
  case IsE. apply ext_size_is_int_evalExpr to R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R2.
  Acc: case Acc. A: apply Acc to _ L. apply IH to R2 A _ _ _. search.
 %E-Null-False
  case IsE. apply ext_size_is_int_evalExpr to R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R2.
  Acc: case Acc. A: apply Acc to _ L. apply IH to R2 A _ _ _. search.
 %E-Index
  case IsE. apply ext_size_is_int_evalExpr to R3.
  apply ext_size_is_int_evalExpr to R4.
  apply plus_integer_is_integer to _ _ R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R3.
  apply ext_size_pos_evalExpr to R4. Acc: case Acc.
  RP1: assert <evalExpr {P}> FE EE L LV O2.
    Or: apply lt_left to R2 _ _. L': case Or.
      %N2 < N4
       L'': apply less_integer_transitive to L' L.
       A2: apply Acc to _ L''. apply IH to R3 A2 _ _ _. search.
      %N2 = N4
       A2: apply Acc to _ L. apply IH to R3 A2 _ _ _. search.
  RP2: assert <evalExpr {P}> FE EE I (intVal Idx) O3.
    Ev1: apply drop_ext_size_evalExpr to R3.
    Or: apply lt_right to R2 _ _ _. L': case Or.
      %N3 < N4
       L'': apply less_integer_transitive to L' L.
       A3: apply Acc to _ L''. apply IH to R4 A3 _ _ _. search.
      %N3 = N4
       A3: apply Acc to _ L. apply IH to R4 A3 _ _ _. search.
  Ev1: apply drop_ext_size_evalExpr to R3.
  Ev2: apply drop_ext_size_evalExpr to R4.
  IsV1: apply evalExpr_isValue to _ _ _ Ev1.
  IsV2: apply evalExpr_isValue to _ _ _ Ev2.
  Or: apply is_value_eq_or_not to IsV1 IsV2. case Or.
    %V1 = V2
     search.
    %V1 != V2
     search.
 %E-Length
  case IsE. apply ext_size_is_int_evalExpr to R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R2.
  Acc: case Acc. A: apply Acc to _ L. apply IH to R2 A _ _ _. search.
%evalStmt
 %E-ListUpdate
  Is: case IsS.
  %R_P for sub-derivations are smaller
  apply ext_size_is_int_evalExpr to R4.
  apply ext_size_is_int_evalExpr to R5.
  apply ext_size_pos_evalExpr to R4.
  apply ext_size_pos_evalExpr to R5.
  apply plus_integer_is_integer to _ _ R2.
  L4: apply lt_plus_one to R1 _. Acc': case Acc (keep).
  L2: assert N2 < N.
    Or: apply lt_right to R2 _ _ _. L': case Or.
      %N2 < N4
       apply less_integer_transitive to L' L4. search.
      %N2 = N4
       search.
  L3: assert N3 < N.
    Or: apply lt_left to R2 _ _. L': case Or.
      %N3 < N4
       apply less_integer_transitive to L' L4. search.
      %N3 = N4
       search.
  A2: apply Acc' to _ L2. A3: apply Acc' to _ L3.
  EvI: apply IH to R4 A3 _ _ _. EvE: apply IH to R5 A2 _ _ _.
  EvI': apply drop_ext_size_evalExpr to R4.
  EvE': apply drop_ext_size_evalExpr to R5.
  apply evalExpr_isValue to _ _ _ EvI'.
  apply evalExpr_isValue to _ _ _ EvE'.
  %set up for projection with fresh names
  NamesEE: apply names_exists to IsEE. rename N5 to Names.
  IsNames: apply names_is to _ NamesEE.
  IsNames+: assert is_list is_string (L::Names).
  FrI: apply fresh_name_exists to _ IsNames+ with Base = "I".
  FrH: apply fresh_name_exists to _ IsNames+ with Base = "Hold".
    search 6.
  FrE: apply fresh_name_exists to _ IsNames+ with Base = "E".
  apply fresh_name_is to _ FrI. apply fresh_name_is to _ FrE.
  apply fresh_name_is to _ FrH. search 6. rename F to SaveI.
  rename F1 to Hold. rename F2 to SaveE.
  %uniqueness of names for projection evaluation
  assert SaveE = L -> false.
    intros E. case E. apply fresh_name_not_mem to FrE _.
  assert SaveI = L -> false.
    intros E. case E. apply fresh_name_not_mem to FrI _.
  assert Hold = L -> false.
    intros E. case E. apply fresh_name_not_mem to FrH _.
  assert Hold = SaveE -> false.
    intros E. case E. AppE: apply fresh_name_start to _ FrE.
    AppH: apply fresh_name_start to _ FrH. search 6.
    case AppE. case AppH.
  assert Hold = SaveI -> false.
    intros E. case E. AppI: apply fresh_name_start to _ FrI.
    AppH: apply fresh_name_start to _ FrH. search 6.
    case AppI. case AppH.
  NEqIE: assert SaveI = SaveE -> false.
    intros E. case E. AppI: apply fresh_name_start to _ FrI.
    AppE: apply fresh_name_start to _ FrE. case AppI. case AppE.
  %projection evaluation
  EvI: assert <evalStmt {P}> FE ([]::EE) (declare intTy SaveI I)
                       ([(SaveI, intVal N1)]::EE) O2.
    V: apply vars_exist to Is1.
    E: apply evalExpr_rel_exists_ES to _ _ _ _ R4 V _ with EE_A = []::EE.
    apply IH to E A3 _ _ _. search 10.
  EvE: assert <evalStmt {P}> FE ([(SaveI, intVal N1)]::EE)
                       (declare intTy SaveE E)
                       ([(SaveE, V), (SaveI, intVal N1)]::EE) O3.
    V: apply vars_exist to Is2.
    E: apply evalExpr_rel_exists_ES to _ _ _ _ R5 V _ with
       EE_A = ([(SaveI, intVal N1)]::EE).
      intros M L. MemN: apply lookupScopes_names to L NamesEE.
      assert SaveI = X -> false.
        intros E. case E. apply fresh_name_not_mem to FrI _.
      search.
    apply IH to E A2 _ _ _. search.
  EvAI: assert <evalStmt {P}> FE ([(SaveE, V), (SaveI, intVal N1)]::EE)
                        (assign SaveI (name SaveI))
                        ([(SaveI, intVal N1), (SaveE, V)]::EE) [].
     assert SaveE = SaveI -> false. intros E. case E. backchain NEqIE.
     search.
  EvH: assert <evalStmt {P}> FE ([(SaveI, intVal N1), (SaveE, V)]::EE)
                       (declare intTy Hold (looseEval:list:nil intTy))
                       ([(Hold, nilVal), (SaveI, intVal N1),
                         (SaveE, V)]::EE) [].
  GEq: apply updateListIndex_pos to R6.
  Main: apply proj_listUpdate_eval to _ _ _ _ _ _ _ _ _ _ _ _ with
          OldL = LV, I = N1, V = V, NewL = LV2, Hold = Hold,
          HoldL = nilVal, SaveI = SaveI, SaveE = SaveE, G = EE, L = L.
  IsO3: apply evalExpr_isOutput to _ _ _ EvE'.
  apply append_nil_output to IsO3. search 20.
 %E-ListForeach
  IsS: case IsS.
  %R_P for sub-derivations are smaller
  apply ext_size_is_int_evalExpr to R3.
  apply ext_size_is_int_iterateList to R4.
  apply ext_size_pos_evalExpr to R3.
  apply ext_size_pos_iterateList to R4.
  apply plus_integer_is_integer to _ _ R2.
  L4: apply lt_plus_one to R1 _. Acc': case Acc (keep).
  L2: assert N2 < N.
    Or: apply lt_left to R2 _ _. L': case Or.
      %N2 < N4
       apply less_integer_transitive to L' L4. search.
      %N2 = N4
       search.
  L3: assert N3 < N.
    Or: apply lt_right to R2 _ _ _. L': case Or.
      %N3 < N4
       apply less_integer_transitive to L' L4. search.
      %N3 = N4
       search.
  A2: apply Acc' to _ L2. apply IH to R3 A2 _ _ _.
  Ev: apply drop_ext_size_evalExpr to R3.
  apply evalExpr_isValue to _ _ _ Ev.
  A3: apply Acc' to _ L3. ILP: apply IH10 to R4 A3 _ _ _ _ _.
  %create proj rel derivation for projection
  EvE: apply drop_ext_size_evalExpr to R3.
  Names: apply names_exists to IsEE. IsN1: apply names_is to _ Names.
  Fr: apply fresh_name_exists to _ _ with Base = "L", Names = X::N1.
  LenEE: apply length_exists_list_pair_string_value to IsEE.
  rename F to SaveL. rename N5 to Len.
  NNS: assert newNameScopes [[(SaveL, LV)]] Len
                 ([(SaveL, LV)]::EE) EE.
    unfold. exists 1, [SaveL], N1. split. search. search. search.
    search. search. intros MSL MX. MSL: case MSL.
      apply fresh_name_not_mem to Fr _. case MSL.
  apply fresh_name_is to _ Fr.
  ILP': apply iterateList_newNameScopes_exists_ES to
           _ _ _ _ _ _ R4 NNS.
  IL: apply drop_ext_size_iterateList to R4.
  IL': apply drop_ext_size_iterateList to ILP'.
  NNS': apply iterateList_newNameScopes to _ _ _ _ _ _ IL' IL NNS.
  NNS': case NNS'.
    %end
     Take: case NNS'2. case Take1. compute Take. Drop: case NNS'1.
     IsN8: apply drop_is_integer to Drop1.
     apply plus_integer_unique_addend to _ _ _ Take Drop.
     Eq: assert L1 = EE'.
       D: case Drop1. search. GEq: apply drop_geq_0 to D1.
       apply drop_is_integer to D1. P: assert 1 + -1 = 0.
       apply plus_integer_unique_addend to _ _ _ P D.
       LEq: case GEq. case LEq.
     case Eq. clear Take Drop Drop1 IsN8.
     ILP'': apply IH4 to ILP' A3 _ _ _ _ _.
     Plus: apply plus_integer_total to _ _ with N1 = 1, N2 = N3.
     EvWP: assert exists V',
           <evalStmt {P}> FE ([(SaveL, LV)]::EE)
              (while (not (null (name SaveL)))
                 (seq (declare intTy X (head (name SaveL)))
                 (seq (assign SaveL (tail (name SaveL))) Body)))
                      ([(SaveL, V')]::EE') O3.
       Or: apply lt_right to R2 _ _ _. L: case Or.
         %N3 < N4
          LEq: apply less_integer_step_lesseq to _ _ L Plus.
          Or: apply lesseq_integer_less_or_eq to LEq. L': case Or.
            %N9 < N4
             L9: apply less_integer_transitive to L' L4.
             apply lesseq_integer__add_positive to _ _ Plus with
                Base = 0. A9: apply Acc' to _ L9.
             apply IH_IL_W to _ _ _ _ _ R4 Plus A9 Names Fr. search.
            %N9 = N4
             apply lesseq_integer__add_positive to _ _ R2 with
               Base = 0. A4: apply Acc' to _ L4.
             apply IH_IL_W to _ _ _ _ _ R4 Plus A4 Names Fr. search.
         %N3 = N4
          apply plus_integer_unique to Plus R1.
          apply IH_IL_W to _ _ _ _ _ R4 Plus Acc Names Fr. search.
     EvWP: case EvWP.
     %eval decl in projection
     V: apply vars_exist to IsS1.
     EvE+: apply evalExpr_rel_exists_ES to _ _ _ _ R3 V _ with
              EE_A = []::EE.
     EvE+': apply drop_ext_size_evalExpr to EvE+.
     unfold. exists N1,
       scopeStmt
         (seq (declare intTy SaveL L)
              (while (not (null (name SaveL)))
                 (seq (declare intTy X (head (name SaveL)))
                 (seq (assign SaveL (tail (name SaveL))) Body)))),
       EE', O, LV, O2, O3. split.
       %evalExpr
        search.
       %iterateList
        search.
       %append output
        search.
       %names
        search.
       %proj
        search.
       %eval proj
        unfold. exists [(SaveL, V')]. unfold.
        exists [(SaveL, LV)]::EE, O2, O3. split.
          %eval declare
           apply IH to EvE+ A2 _ _ _. search.
          %eval while
           search.
          %append output
           search.
    %step
     NSI: apply iterateList_names_same to _ _ _ _ _ IL.
     LenBR+: apply names_same_length to NSI LenEE. LenBR: case LenBR+.
     apply length_is to LenBR. L: apply lt_plus_one to LenBR1 _.
     LEq: apply newNameScopes_length to NNS' LenBR.
     apply less_lesseq_flip_false to L LEq.
%iterateList
 %IL-Nil
  search.
 %IL-Cons
  case IsV. Ev: apply drop_ext_size_evalStmt to R2.
  IL: apply drop_ext_size_iterateList to R3.
  apply ext_size_is_int_evalStmt to R2.
  apply ext_size_is_int_iterateList to R3.
  apply plus_integer_is_integer to _ _ R1.
  Acc': case Acc (keep). apply ext_size_pos_evalStmt to R2.
  apply ext_size_pos_iterateList to R3.
  assert <evalStmt {P}> FE ([(X, Hd)]::EE) Body (Scope::EE3) O2.
    Or: apply lt_left to R1 _ _. L': case Or.
      %N2 < N
       A2: apply Acc' to _ L'. apply IH9 to R2 A2 _ _ _. search.
      %N2 = N
       apply IH9 to R2 Acc _ _ _. search.
  assert <iterateList {P}> FE EE3 Tl X Body EE' O3.
    IsEE3+: apply evalStmt_isCtx to _ _ _ Ev. case IsEE3+.
    Or: apply lt_right to R1 _ _ _. L': case Or.
      %N3 < N
       A3: apply Acc' to _ L'. apply IH10 to R3 A3 _ _ _ _ _. search.
      %N3 = N
       apply IH10 to R3 Acc _ _ _ _ _. search.
  search.
%iterateList_to_while_P
 %IL-Nil
  search 20.
 %IL-Cons
  case IsV.
  assert <evalExpr {P}> FE ([(SaveL, consVal Hd Tl)]::EE)
                        (not (null (name SaveL))) trueVal [].
  assert <evalStmt {P}> FE ([]::[(SaveL, consVal Hd Tl)]::EE)
                        (declare intTy X (head (name SaveL)))
                        ([(X, Hd)]::[(SaveL, consVal Hd Tl)]::EE) [].
     search 20.
  NEq: assert X = SaveL -> false.
    intros E. case E. apply fresh_name_not_mem to Fr _.
  assert <evalStmt {P}> FE ([(X, Hd)]::[(SaveL, consVal Hd Tl)]::EE)
                        (assign SaveL (tail (name SaveL)))
                        ([(X, Hd)]::[(SaveL, Tl)]::EE) []. search 20.
  %body evaluation
  IsSaveL: apply fresh_name_is to _ Fr. IsEE: case IsEE.
  LenEE: apply length_exists_list_pair_string_value to IsEE1.
  rename N1 to Len. Acc': case Acc (keep).
  NNS: assert newNameScopes [[(SaveL, Tl)]] Len
                            ([(SaveL, Tl)]::EE) EE.
    unfold. exists 1, [SaveL], Names. split. search. search. search.
    search. search. intros ML MN. ML: case ML.
      %Mem-Here
       apply fresh_name_not_mem to Fr _.
      %Mem-Later
       case ML.
  Ev: apply evalStmt_newNameScopes_exists_ES to _ _ _ _ IL2 NNS.
  apply ext_size_is_int_iterateList to IL.
  LN: apply lt_plus_one to Plus _.
  EvP: assert <evalStmt {P}> FE ([(X, Hd)]::([(SaveL, Tl)]::EE)) Body
                             EE_A' O2.
     apply ext_size_is_int_evalStmt to IL2.
     apply ext_size_pos_evalStmt to IL2.
     apply ext_size_pos_iterateList to IL3.
     Or: apply lt_left to IL1 _ _. L: case Or.
       %N2 < N
        L': apply less_integer_transitive to L LN.
        A2: apply Acc' to _ L'. apply IH3 to Ev A2 _ _ _. search.
       %N2 = N
        A2: apply Acc' to _ LN. apply IH3 to Ev A2 _ _ _. search.
  %rest of loop
  Ev': apply drop_ext_size_evalStmt to Ev.
  EvB: apply drop_ext_size_evalStmt to IL2.
  Eq: assert EE_A' = Scope::[(SaveL, Tl)]::EE3.
    NNS+: apply evalStmt_newNameScopes to _ _ _ _ Ev' EvB NNS.
    NNS+: case NNS+.
      %end
       IsLen: apply length_is to LenEE.
       P: apply plus_integer_total to _ IsLen with N1 = 1.
       LenEE+: assert length ([(X, Hd)]::EE) N4.
       LenEE3+: apply evalStmt_keep_scopes to _ _ _ EvB LenEE+.
       apply length_unique to LenEE3+ NNS+.
       L: apply lt_plus_one to P _. apply less_integer_not_eq to L.
      %step
       NNS+: case NNS+.
         %end
          Take: case NNS+2. case Take1. compute Take.
          Drop: case NNS+1. apply drop_is_integer to Drop1.
          apply plus_integer_unique_addend to _ _ _ Take Drop.
          Eq: assert L = EE3.
            Drop': case Drop1. search.
            GEq: apply drop_geq_0 to Drop'1.  P: assert 1 + -1 = 0.
            apply drop_is_integer to Drop'1.
            apply plus_integer_unique_addend to _ _ _ P Drop'.
            LEq: case GEq. case LEq.
          case Eq. search.
         %step
          IsLen: apply length_is to LenEE.
          P: apply plus_integer_total to _ IsLen with N1 = 1.
          LenEE+: assert length ([(X, Hd)]::EE) N1.
          LenBR++: apply evalStmt_keep_scopes to _ _ _ EvB LenEE+.
          LenBR+: case LenBR++. apply length_is to LenBR+.
          LenBR: case LenBR+. apply length_is to LenBR.
          LEq: apply newNameScopes_length to NNS+ LenBR.
          apply plus_integer_unique_addend to _ _ _ P LenBR+1.
          L: apply lt_plus_one to LenBR1 _.
          apply less_lesseq_flip_false to L LEq.
  case Eq. Is': apply evalStmt_isCtx to _ _ _ Ev'. Is': case Is'.
  IsN3: apply ext_size_is_int_iterateList to IL3.
  apply ext_size_pos_iterateList to IL3.
  P: apply plus_integer_total to _ IsN3 with N1 = 1.
  apply lesseq_integer__add_positive to _ _ P with Base = 0.
  apply ext_size_pos_evalStmt to IL2.
  Is'': case Is'1. N: apply names_exists to Is''1.
  apply names_is to _ N.
  Fr': apply fresh_name_exists to _ _ with Base = "L", Names = X::N4.
  NS: apply evalStmt_names_same to _ _ _ EvB.
  apply fresh_name_unique_mems to Fr' Fr _ _.
    intros M. M: case M. search.
      apply names_same_names to NS Names N M. search.
    intros M. M: case M. search.
      NS': apply names_same_symmetric to NS.
      apply names_same_names to NS' N Names M. search.
  Or: apply lt_right to IL1 _ _ _. L: case Or.
    %N3 < N
     LEq: apply less_integer_step_lesseq to _ _ L P.
     Or: apply lesseq_integer_less_or_eq to LEq. L': case Or.
       %N1 < N
        L'': apply less_integer_transitive to L' LN.
        A: apply Acc' to _ L''.
        apply IH_IL_W to _ _ _ _ _ IL3 P A N Fr'. search.
       %N1 = N
        A: apply Acc' to _ LN.
        apply IH_IL_W to _ _ _ _ _ IL3 P A N Fr'. search.
    %N3 = N
     apply IH_IL_W to _ _ _ _ _ IL3 Plus Acc N Fr'. search.


Prove looseEval:host:paramName_unique.
Prove_Constraint looseEval:host:proj_paramName_forward.
Prove_Constraint looseEval:host:proj_paramName_back.
Prove looseEval:host:getFunEvalInfo_unique.
Prove_Constraint looseEval:host:proj_getFunEvalInfo_forward.
Prove_Constraint looseEval:host:proj_getFunEvalInfo_back.
Prove looseEval:host:evalProgram_unique.
Prove_Constraint looseEval:host:proj_evalProgram.
Prove_Constraint looseEval:host:proj_evalProgram_back.


Theorem listIndex_typePres : forall L I V Ty,
  valueType L (listTy Ty) -> listIndex L I V -> valueType V Ty. [Show Proof]

induction on 2. intros VT LI. LI: case LI.
  %LI-0
   case VT. search.
  %LI-Step
   case VT. apply IH to _ LI1. search.

Theorem updateListIndex_typePres : forall L I V L' Ty,
  valueType L (listTy Ty) -> valueType V Ty ->
  updateListIndex L I V L' -> valueType L' (listTy Ty). [Show Proof]

induction on 3. intros VTL VTV LI. LI: case LI.
  %LI-0
   case VTL. search.
  %LI-Step
   case VTL. apply IH to _ _ LI1. search.

Prove looseEval:host:evalExpr_typePres,
      looseEval:host:evalStmt_typePres,
      looseEval:host:evalArgs_typePres,
      looseEval:host:evalRecFields_typePres
with
  iterateList_typePres : forall V X Body FT ET Ty Sc ET' FE EE EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : stmtOK FT ([(X, Ty)]::ET) Body (Sc::ET') ->
    VTy : valueType V (listTy Ty) ->
    IsTy : is_typ Ty ->
    IL : iterateList FE EE V X Body EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    related_all_scopes ET' EE'
  on IL as IH_IL. [Show Proof]

%evalExpr_typePres
 %E-Nil
  case Ty. search.
 %E-Cons
  case IsE. Ty: case Ty. apply IH_E to _ _ _ _ _ Ty Ev1 _ _.
  apply IH_E to _ _ _ _ _ Ty1 Ev2 _ _. search.
 %E-Head
  case IsE. Ty: case Ty. IsV: apply IH_E to _ _ _ _ _ Ty Ev1 _ _.
  case IsV. search.
 %E-Tail
  case IsE. Ty: case Ty. IsV: apply IH_E to _ _ _ _ _ Ty Ev1 _ _.
  case IsV. search.
 %E-Null-True
  case Ty. search.
 %E-Null-False
  case Ty. search.
 %E-Index
  case IsE. Ty: case Ty. apply IH_E to _ _ _ _ _ Ty Ev1 _ _.
  apply listIndex_typePres to _ Ev3. search.
 %E-Length
  case Ty. search.
%evalStmt_typePres
 %E-ListUpdate
  case IsS. Ty: case Ty. VT: apply IH_E to _ _ _ _ _ Ty2 Ev3 _ _.
  apply related_all_scopes_lookupScopes to _ Ty Ev1.
  apply updateListIndex_typePres to _ VT Ev4.
  apply related_all_scopes_replaceScopes to _ _ _ Ev5 Ty _. search.
 %E-ListForeach
  case IsS. Ty: case Ty.
  IsLTy: apply typeOf_isTy to _ _ _ Ty. case IsLTy.
  apply stmtOK_older_scopes_same to _ _ _ Ty1.
  apply evalExpr_isValue to _ _ _ Ev1.
  apply IH_E to _ _ _ _ _ _ Ev1 _ _.
  apply IH_IL to _ _ _ _ _ _ _ Ty1 _ _ Ev2 _ _. search.
%iterateList_typePres
 %IL-Nil
  apply stmtOK_older_scopes_same to _ _ _ Ty. search.
 %IL-Cons
  apply stmtOK_older_scopes_same to _ _ _ Ty. case IsV. case VTy.
  assert related_all_scopes ([(X, Ty)]::ET) ([(X, Hd)]::EE).
    unfold.
      %lookup
       intros L. L: case L. search. case L1.
      %no_lookup
       intros NL. case NL. search.
      %rest
       search.
  Ctxs': apply IH_S to _ _ _ _ _ Ty IL1 _ _. case Ctxs'.
  IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ _ _ Ty _ _ IL2 _ _. search.


Prove looseEval:host:paramTy_paramName_same.
Prove looseEval:host:funOK_getFunEvalInfo_related.


Prove looseEval:host:evalExpr_output_forms,
      looseEval:host:evalStmt_output_forms,
      looseEval:host:evalArgs_output_forms,
      looseEval:host:evalRecFields_output_forms
with
  iterateList_output_forms : forall V X Body FE EE EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    output_forms O
  on IL as IH_IL. [Show Proof]

%evalExpr_output_forms
 %E-Nil
  search.
 %E-Cons
  case IsE. apply IH_E to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-Head
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Tail
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-True
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-False
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Index
  case IsE. apply IH_E to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev4. search.
 %E-Length
  case IsE. apply IH_E to _ _ _ Ev1. search.
%evalStmt_output_forms
 %E-ListUpdate
  case IsS. apply IH_E to _ _ _ Ev2. apply IH_E to _ _ _ Ev3.
  apply output_forms_append to _ _ Ev6. search.
 %E-ListForeach
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isValue to _ _ _ Ev1.
  apply IH_IL to _ _ _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
%iterateList_output_forms
 %IL-Nil
  search.
 %IL-Cons
  case IsV. apply IH_S to _ _ _ IL1.
  IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ IL2. apply output_forms_append to _ _ IL3.
  search.

Prove looseEval:host:evalProgram_output_forms.


Prove looseEval:host:paramName_exists.
Prove looseEval:host:getFunEvalInfo_exists.