Extensibella: Extensibella Example: matchEval:list

Language Specification

File: syntax.sos

Module matchEval:list

Builds on matchEval:host

/*Expressions*/
expr ::= ...
       | nil(typ) /*need type for type uniqueness*/
       | cons(expr, expr)
       | head(expr)
       | tail(expr)
       | null(expr)
/*Nothing useful to which these can project without conditionals
       | index(expr, expr) /*lst[i]*/
       | length(expr)*/


------------------------------------------------- [Proj-Nil]
|{expr}- nil(Ty) ~~>
         recBuild(consRecFieldExprs("null", true,
                  nilRecFieldExprs))


------------------------------------------- [Proj-Cons]
|{expr}- cons(E1, E2) ~~>
   recBuild(
     consRecFieldExprs("null", false,
     consRecFieldExprs("head", E1,
     consRecFieldExprs("tail", E2,
                       nilRecFieldExprs))))


---------------------------------------------- [Proj-Null]
|{expr}- null(E) ~~> recFieldAccess(E, "null")


---------------------------------------------- [Proj-Head]
|{expr}- head(E) ~~> recFieldAccess(E, "head")


---------------------------------------------- [Proj-Tail]
|{expr}- tail(E) ~~> recFieldAccess(E, "tail")




/*Statements*/
stmt ::= ...
       | listUpdate(string, expr, expr) /*lst[i] = e*/
       | listForeach(string, expr, stmt) /*foreach(x : l){ body }*/


fresh_name "I" L::Names SaveI
fresh_name "Hold" L::Names Hold
fresh_name "E" L::Names SaveE
---------------------------------------- [Proj-ListUpdate]
Names |{stmt}- listUpdate(L, I, E) ~~>
   scopeStmt(
      /*compute value of I for use in computation*/
      seq(declare(intTy, SaveI, I),
      /*save value of E to put in list later*/
      seq(declare(intTy, SaveE, E),
      /*this is to get the ctx into the right order for eval;
        after one run of the loop, SaveI will be before SaveE, and we
        want the order to be consistent for proofs*/
      seq(assign(SaveI, name(SaveI)),
      /*create a list for holding the things before place I;
        type does not matter, so long as it is declared*/
      seq(declare(intTy, Hold, nil(intTy)),
      /*pull I things off the front of L and hold them in stack Hold*/
      seq(while(greater(name(SaveI), num(0)),
                seq(assign(SaveI, minus(name(SaveI), num(1))),
                seq(assign(Hold, cons(head(name(L)), name(Hold))),
                    assign(L, tail(name(L)))))),
      /*place the new value in position I, removing the old one*/
      seq(assign(L, cons(name(SaveE), tail(name(L)))),
      /*place the old things back on list L from stack Hold*/
          while(not(null(name(Hold))),
                seq(assign(L, cons(head(name(Hold)), name(L))),
                    assign(Hold, tail(name(Hold))))))))))))
/*{
    int SaveI = I;
    int SaveE = E;
    SaveI = SaveI;
    int Hold = [];
    while SaveI > 0{
      SaveI = SaveI - 1;
      Hold = head(L)::Hold;
      L = tail(L);
    }
    L = E::tail(L);
    while !null(Hold){
      L = head(Hold)::L;
      Hold = tail(Hold);
    }
  }*/


fresh_name "L" X::Names SaveL
----------------------------------------------- [Proj-ListForeach]
Names |{stmt}- listForeach(X, L, Body) ~~>
    scopeStmt(
       /*compute list for use in computation;
         as before, types don't matter*/
       seq(declare(intTy, SaveL, L),
           while(not(null(name(SaveL))),
              seq(declare(intTy, X, head(name(SaveL))),
              seq(assign(SaveL, tail(name(SaveL))),
                  Body)))))
/*{
    int SaveL = l;
    while !null(SaveL){
      int X = head(SaveL);
      SaveL = tail(SaveL);
      Body
    }
  }*/




/*Types*/
typ ::= ...
      | listTy(typ)


/*Strictly speaking, an empty list doesn't have the head or tail
  fields*/
--------------------------------------------- [Proj-ListTy]
|{typ}- listTy(T) ~~>
        recTy(consRecFieldTys("null", boolTy,
              consRecFieldTys("head", T,
              consRecFieldTys("tail", listTy(T),
              nilRecFieldTys))))




/*Values*/
value ::= ...
        | nilVal
        | consVal(value, value)

------------------------------------------------ [Proj-NilVal]
|{value}- nilVal ~~> recVal([("null", trueVal)])


----------------------------------------------------------- [Proj-ConsVal]
|{value}- consVal(V1, V2) ~~>
   recVal([("null", falseVal), ("head", V1), ("tail", V2)])

File: vars.sos

[Reduce File] [Raw File]

Module matchEval:list

/********************************************************************
 Expression Variables
 ********************************************************************/

--------------- [V-Nil]
vars nil(Ty) []


vars E1 V1
vars E2 V2
V1 ++ V2 = V
------------------- [V-Cons]
vars cons(E1, E2) V


vars E V
-------------- [V-Head]
vars head(E) V


vars E V
-------------- [V-Tail]
vars tail(E) V


vars E V
-------------- [V-Null]
vars null(E) V

File: typing.sos

[Reduce File] [Raw File]

Module matchEval:list

/********************************************************************
 Expression Typing
 ********************************************************************/

------------------------------- [T-Nil]
typeOf FC TC nil(Ty) listTy(Ty)


typeOf FC TC E1 Ty
typeOf FC TC E2 listTy(Ty)
------------------------------------ [T-Cons]
typeOf FC TC cons(E1, E2) listTy(Ty)


typeOf FC TC E listTy(Ty)
------------------------- [T-Head]
typeOf FC TC head(E) Ty


typeOf FC TC E listTy(Ty)
------------------------------- [T-Tail]
typeOf FC TC tail(E) listTy(Ty)


typeOf FC TC E listTy(Ty)
--------------------------- [T-Null]
typeOf FC TC null(E) boolTy



/********************************************************************
 Statement Typing
 ********************************************************************/

lookupScopes L TC listTy(Ty)
typeOf FC TC I intTy
typeOf FC TC E Ty
----------------------------------- [T-ListUpdate]
stmtOK FC TC listUpdate(L, I, E) TC


typeOf FC TC L listTy(Ty)
stmtOK FC [(X, Ty)]::TC Body TC1
--------------------------------------- [T-ListForeach]
stmtOK FC TC listForeach(X, L, Body) TC





/********************************************************************
 Value Typing
 ********************************************************************/

--------------------------- [VT-Nil]
valueType nilVal listTy(Ty)


valueType HV Ty
valueType TV listTy(Ty)
------------------------------------ [VT-Cons]
valueType consVal(HV, TV) listTy(Ty)

File: eval.sos

[Reduce File] [Raw File]

Module matchEval:list

/********************************************************************
 Expression Evaluation
 ********************************************************************/

-------------------------------- [E-Nil]
evalExpr FE EE nil(Ty) nilVal []


evalExpr FE EE E1 V1 O1
evalExpr FE EE E2 V2 O2
O1 ++ O2 = O
--------------------------------------------- [E-Cons]
evalExpr FE EE cons(E1, E2) consVal(V1, V2) O


evalExpr FE EE E consVal(Hd, Tl) O
---------------------------------- [E-Head]
evalExpr FE EE head(E) Hd O


evalExpr FE EE E consVal(Hd, Tl) O
---------------------------------- [E-Tail]
evalExpr FE EE tail(E) Tl O


evalExpr FE EE E nilVal O
-------------------------------- [E-Null-True]
evalExpr FE EE null(E) trueVal O


evalExpr FE EE E consVal(Hd, Tl) O
---------------------------------- [E-Null-False]
evalExpr FE EE null(E) falseVal O



----------------------------------- [MR-Nil]
matchRec nilVal [("null", trueVal)]


----------------------------------------------------------- [MR-Cons]
{matchRec consVal(V1, V2)
          [("null", falseVal), ("head", V1), ("tail", V2)]}



/********************************************************************
 Statement Evaluation
 ********************************************************************/

lookupScopes L EE LV
evalExpr FE EE I VI  O1
matchInt VI N
evalExpr FE EE E V O2
updateListIndex LV N V LV2 /*make the new list*/
replaceScopes L LV2 EE EE1 /*put it in its place*/
O1 ++ O2 = O
---------------------------------------- [E-ListUpdate]
evalStmt FE EE listUpdate(L, I, E) EE1 O


evalExpr FE EE L LV O1
iterateList FE EE LV X Body EE1 O2
O1 ++ O2 = O
-------------------------------------------- [E-ListForeach]
evalStmt FE EE listForeach(X, L, Body) EE1 O



                  /*original list, index, new value, new list*/
Fixed Judgment updateListIndex : value int value value

========================================================== [ULI-0]
updateListIndex consVal(VOld, Tl) 0 VNew consVal(VNew, Tl)


N - 1 = I
updateListIndex Tl I V TlNew
==================================================== [ULI-Step]
updateListIndex consVal(X, Tl) N V consVal(X, TlNew)



/*execute the body once for each element of the list:
     iterateList (fun ctx) (init eval ctx) (list val) (name for list elements)
                 (loop body) (final eval ctx) (printed output)*/
Judgment iterateList : {[(string, (string, value, [string], stmt))] [[(string, value)]]
                        value* string stmt [[(string, value)]] [value]}

------------------------------------- [IL-Nil]
iterateList FE EE nilVal X Body EE []


evalStmt FE [(X, Hd)]::EE Body Scope::EE1 O1
iterateList FE EE1 Tl X Body EE2 O2
O1 ++ O2 = O
---------------------------------------------- [IL-Cons]
iterateList FE EE consVal(Hd, Tl) X Body EE2 O


/*
  Why don't we have an actual rule, perhaps projecting V and iterating
  over that?  That doesn't work because the use of null in the
  condition of the while loop to which listForeach projects does not
  look through the projection, and thus we cannot prove what we need
  for Ext_Ind for listForeach.

  If we defined iteration through matching, we wouldn't *need* a
  default rule, as IL-Nil and IL-Cons would use matchNil and matchCons
  in their definitions, which would catch any value constructs from
  other extensions through the default rules for matchNil and
  matchCons.  Thus, in either case, this is the default rule we have.
*/
1 = 0
-------------------------------- [IL-Default]*
iterateList FE EE V X Body EE1 O

Reasoning

[Show All Proofs] [Hide All Proofs] [Raw File]

Click on a command or tactic to see a detailed view of its use.

Module matchEval:list.

/********************************************************************
 Basic Projection Constraints
 ********************************************************************/
Prove_Constraint matchEval:host:proj_expr_unique. [Show Proof]

%Proj-Nil
 case PrB. search.
%Proj-Cons
 case PrB. search.
%Proj-Head
 case PrB. search.
%Proj-Tail
 case PrB. search.
%Proj-Null
 case PrB. search.
Prove_Constraint matchEval:host:proj_expr_is. [Show Proof]

%Proj-Nil
 case IsE. search 8.
%Proj-Cons
 case IsE. search 10.
%Proj-Head
 case IsE. search 7.
%Proj-Tail
 case IsE. search 7.
%Proj-Null
 case IsE. search 7.

Prove_Constraint matchEval:host:proj_stmt_unique. [Show Proof]

%Proj-ListUpdate
 PrB: case PrB.
 assert forall X, mem X (L::L2) -> mem X (L::L1).
   intros M. M: case M. search. apply Rel21 to M. search.
 assert forall X, mem X (L::L1) -> mem X (L::L2).
   intros M. M: case M. search. apply Rel12 to M. search.
 apply fresh_name_unique_mems to PrA1 PrB _ _.
 apply fresh_name_unique_mems to PrA2 PrB1 _ _.
 apply fresh_name_unique_mems to PrA3 PrB2 _ _. search.
%Proj-ListForeach
 PrB: case PrB. apply fresh_name_unique_mems to PrA1 PrB _ _.
   intros M. M: case M. search. apply Rel21 to M. search.
   intros M. M: case M. search. apply Rel12 to M. search.
 search.
Prove_Constraint matchEval:host:proj_stmt_is. [Show Proof]

%Proj-ListUpdate
 case IsS. apply fresh_name_is to _ Pr1.
 assert is_string "Hold". search 6.
 apply fresh_name_is to _ Pr2.
 apply fresh_name_is to _ Pr3. search 20.
%Proj-ListForeach
 case IsS. apply fresh_name_is to _ Pr1. search 10.
Prove_Constraint matchEval:host:proj_stmt_other. [Show Proof]

%Proj-ListUpdate
 case IsS. Is': assert is_list is_string (L1::L').
 apply fresh_name_exists to _ Is' with Base = "I".
 apply fresh_name_exists to _ Is' with Base = "Hold". search 6.
 apply fresh_name_exists to _ Is' with Base = "E".
 search.
%Proj-ListForeach
 case IsS. Is': assert is_list is_string (X::L').
 apply fresh_name_exists to _ Is' with Base = "L". search.

Prove_Constraint matchEval:host:proj_fun_unique.
Prove_Constraint matchEval:host:proj_fun_is.

Prove_Constraint matchEval:host:proj_param_unique.
Prove_Constraint matchEval:host:proj_param_is.

Prove_Constraint matchEval:host:proj_program_unique.
Prove_Constraint matchEval:host:proj_program_is.

Prove_Constraint matchEval:host:proj_typ_unique. [Show Proof]

%Proj-ListTy
 case PrB. search.
Prove_Constraint matchEval:host:proj_typ_is. [Show Proof]

%Proj-ListTy
 case IsT. search 11.

Prove_Constraint matchEval:host:proj_value_unique. [Show Proof]

%Proj-Nil
 case PrB. search.
%Proj-Cons
 case PrB. search.
Prove_Constraint matchEval:host:proj_value_is. [Show Proof]

%Proj-Nil
 search 10.
%Proj-Cons
 case IsV. search 20.




/********************************************************************
 Decidable Equality
 ********************************************************************/
Add_Proj_Rel matchEval:host:is_expr,
             matchEval:host:is_args,
             matchEval:host:is_recFieldExprs.
Prove_Ext_Ind matchEval:host:is_expr,
              matchEval:host:is_args,
              matchEval:host:is_recFieldExprs. [Show Proof]

%is_expr
 %nil
  search 10.
 %cons
  apply IH to R1. apply IH to R2. search 20.
 %head
  apply IH to R1. search 10.
 %tail
  apply IH to R1. search 10.
 %null
  apply IH to R1. search 10.
Add_Proj_Rel matchEval:host:is_stmt.
Prove_Ext_Ind matchEval:host:is_stmt. [Show Proof]

%listUpdate
 FrI: apply fresh_name_exists to _ _ with Base = "I", Names = [S1].
 FrH: apply fresh_name_exists to _ _ with
        Base = "Hold", Names = [S1]. search 7.
 FrE: apply fresh_name_exists to _ _ with Base = "E", Names = [S1].
 apply fresh_name_is to _ FrI. apply fresh_name_is to _ FrE.
 apply fresh_name_is to _ FrH. search 7.
 assert [] |{stmt}- listUpdate S1 Expr1 Expr ~~>
  scopeStmt
     (seq (declare intTy F Expr1)
     (seq (declare intTy F2 Expr)
     (seq (assign F (name F))
     (seq (declare intTy F1 (matchEval:list:nil intTy))
     (seq (while (greater (name F) (num 0))
               (seq (assign F (minus (name F) (num 1)))
               (seq (assign F1 (cons (head (name S1)) (name F1)))
                    (assign S1 (tail (name S1))))))
     (seq (assign S1 (cons (name F2) (tail (name S1))))
          (while (not (null (name F1)))
               (seq (assign S1 (cons (head (name F1)) (name S1)))
                    (assign F1 (tail (name F1))))))))))).
 unfold. exists [],
  scopeStmt
     (seq (declare intTy F Expr1)
     (seq (declare intTy F2 Expr)
     (seq (assign F (name F))
     (seq (declare intTy F1 (matchEval:list:nil intTy))
     (seq (while (greater (name F) (num 0))
               (seq (assign F (minus (name F) (num 1)))
               (seq (assign F1 (cons (head (name S1)) (name F1)))
                    (assign S1 (tail (name S1))))))
     (seq (assign S1 (cons (name F2) (tail (name S1))))
          (while (not (null (name F1)))
               (seq (assign S1 (cons (head (name F1)) (name S1)))
                    (assign F1 (tail (name F1))))))))))). split.
   %is_string S1
    search.
   %is_expr Expr1
    search.
   %is_expr Expr
    search.
   %proj
    search.
   %is proj_P
    search 20.
%listForeach
 apply IH to R3.
 Fr: apply fresh_name_exists to _ _ with Base = "L", Names = [S1].
 apply fresh_name_is to _ Fr. search 20.

Prove matchEval:host:is_args_nilArgs_or_consArgs.
Prove matchEval:host:is_recFieldExprs_nilRecFieldExprs_or_consRecFieldExprs.




/********************************************************************
 Variables
 ********************************************************************/
Prove matchEval:host:vars_unique. [Show Proof]

%V-Nil
 case VarsB. search.
%V-Cons
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB.
 apply IH to _ VarsA2 VarsB1. apply append_unique to VarsA3 VarsB2.
 search.
%V-Head
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.
%V-Tail
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.
%V-Null
 case IsE. VarsB: case VarsB. apply IH to _ VarsA1 VarsB. search.

Prove matchEval:host:vars_is. [Show Proof]

%V-Nil
 search.
%V-Cons
 case IsE. apply IH to _ V1. apply IH to _ V2.
 apply append_list_string_is to _ _ V3. search.
%V-Head
 case IsE. apply IH to _ V1. search.
%V-Tail
 case IsE. apply IH to _ V1. search.
%V-Null
 case IsE. apply IH to _ V1. search.


Prove matchEval:host:vars_exist,
      matchEval:host:varsArgs_exist,
      matchEval:host:varsRecFields_exist. [Show Proof]

%vars_exist
 %nil
  search.
 %cons
  V1: apply IH to IsE1. V2: apply IH to IsE2.
  IsV1: apply vars_is to _ V1. IsV2: apply vars_is to _ V2.
  apply append_list_string_total to IsV1 IsV2. search.
 %head
  apply IH to IsE1. search.
 %tail
  apply IH to IsE1. search.
 %null
  apply IH to IsE1. search.


Prove_Constraint matchEval:host:proj_expr_vars. [Show Proof]

%Proj-Nil
 case V. case Mem.
%Proj-Cons
 case IsE. V: case V. V_P: case V_P. V_P: case V_P. V_P: case V_P1.
 V_P: case V_P3. case V_P5. apply append_nil_right to V_P6.
 clear V_P6. apply vars_unique to _ V V_P1.
 apply vars_unique to _ V1 V_P3. apply append_unique to V2 V_P4.
 case V_P. case V_P2. search.
%Proj-Head
 V: case V. V_P: case V_P. case IsE. apply vars_unique to _ V V_P.
 search.
%Proj-Tail
 V: case V. V_P: case V_P. case IsE. apply vars_unique to _ V V_P.
 search.
%Proj-Null
 V: case V. V_P: case V_P. case IsE. apply vars_unique to _ V V_P.
 search.




/********************************************************************
 Typing
 ********************************************************************/
Prove matchEval:host:typeOf_isTy. [Show Proof]

%T-Nil
 case IsE. search.
%T-Cons
 case IsE. apply IH to _ _ _ Ty1. search.
%T-Head
 case IsE. Is: apply IH to _ _ _ Ty1. case Is. search.
%T-Tail
 case IsE. apply IH to _ _ _ Ty1. search.
%T-Null
 search.
Prove matchEval:host:stmtOK_isCtx. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.


Prove matchEval:host:stmtOK_keep_scopes. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.


Prove matchEval:host:stmtOK_older_scopes_same. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.


Prove matchEval:host:stmtOK_first_scope_lookup_same. [Show Proof]

%T-ListUpdate
 search.
%T-ListForeach
 search.


Prove matchEval:host:typeOf_unique. [Show Proof]

%T-Nil
 case TyB. search.
%T-Cons
 case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _. search.
%T-Head
 case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _. search.
%T-Tail
 case IsE. TyB: case TyB. apply IH_E to _ _ _ _ TyA1 TyB _. search.
%T-Null
 case IsE. TyB: case TyB. search.
Prove matchEval:host:stmtOK_unique. [Show Proof]

%T-ListUpdate
 case TyB. search.
%T-ListForeach
 TyB: case TyB. search.


Prove matchEval:host:paramTy_is.
Prove matchEval:host:getFunInfo_is.


Prove matchEval:host:paramTy_exists.
Prove matchEval:host:getFunInfo_exists.




/********************************************************************
 Evaluation
 ********************************************************************/
Theorem updateListIndex_is : forall L I V Out,
  is_value L -> is_value V -> updateListIndex L I V Out ->
  is_value Out. [Show Proof]

induction on 3. intros IsL IsV ULI. ULI: case ULI.
  %ULI-0
   case IsL. search.
  %ULI-Step
   case IsL. apply IH to _ _ ULI1. search.


Prove matchEval:host:matchInt_is.
Prove matchEval:host:matchString_is.
Prove matchEval:host:matchRec_is. [Show Proof]

%MR-Nil
 search 10.
%MR-Cons
 case IsV. search 20.

Prove matchEval:host:evalExpr_isValue,
      matchEval:host:evalStmt_isCtx,
      matchEval:host:evalArgs_isValue,
      matchEval:host:evalRecFields_isValue
with
  iterateList_isCtx : forall FE EE V X Body EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    is_list (is_list (is_pair is_string is_value)) EE'
  on IL as IH_IL. [Show Proof]

%evalExpr_isValue
 %E-Nil
  case IsE. search 10.
 %E-Cons
  case IsE. apply IH_V_E to _ _ _ Ev1. apply IH_V_E to _ _ _ Ev2.
  search 20.
 %E-Head
  case IsE. Is: apply IH_V_E to _ _ _ Ev1. case Is. search.
 %E-Tail
  case IsE. Is: apply IH_V_E to _ _ _ Ev1. case Is. search.
 %E-Null-True
  search.
 %E-Null-False
  search.
%evalStmt_isCtx
 %E-ListUpdate
  case IsS. apply lookupScopes_is to _ Ev1.
  apply IH_V_E to _ _ _ Ev2. apply IH_V_E to _ _ _ Ev4.
  apply updateListIndex_is to _ _ Ev5.
  apply replaceScopes_is to _ _ Ev6. search.
 %E-ListForeach
  case IsS. apply IH_V_E to _ _ _ Ev1. apply IH_IL to _ _ _ _ _ Ev2.
  search.
%iterateList_isCtx
 %IL-Nil
  search.
 %IL-Cons
  case IsV. IsEE3+: apply IH_C_S to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ IL2. search.


Prove matchEval:host:evalExpr_isOutput,
      matchEval:host:evalStmt_isOutput,
      matchEval:host:evalArgs_isOutput,
      matchEval:host:evalRecFields_isOutput
with
  iterateList_isOutput : forall FE EE V X Body EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    is_list is_value O
  on IL as IH_IL. [Show Proof]

%evalExpr_isOutput
 %E-Nil
  search.
 %E-Cons
  case IsE. apply IH_E to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
 %E-Head
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Tail
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-True
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-False
  case IsE. apply IH_E to _ _ _ Ev1. search.
%evalStmt_isOutput
 %E-ListUpdate
  case IsS. apply IH_E to _ _ _ Ev2. apply IH_E to _ _ _ Ev4.
  apply append_values_is to _ _ Ev7. search.
 %E-ListForeach
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isValue to _ _ _ Ev1. apply IH_IL to _ _ _ _ _ Ev2.
  apply append_values_is to _ _ Ev3. search.
%iterateList_isOutput
 %IL-Nil
  search.
 %IL-Cons
  case IsV. apply IH_S to _ _ _ IL1.
  IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ IL2. apply append_values_is to _ _ IL3.
  search.


Prove matchEval:host:paramName_is.
Prove matchEval:host:getFunEvalInfo_is.

Prove matchEval:host:evalProgram_isOutput.


Prove matchEval:host:evalStmt_names_same
with
  iterateList_names_same : forall V X Body FE EE EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    names_same EE EE'
  on IL as IH_IL. [Show Proof]

%evalStmt_names_same
 %E-ListUpdate
  case IsS. NS: apply replaceScopes_names_same to _ Ev6. case NS.
  search.
 %E-ListForeach
  case IsS. apply evalExpr_isValue to _ _ _ Ev1.
  NS: apply IH_IL to _ _ _ _ _ Ev2. case NS. search.
%iterateList_names_same
 %IL-Nil
  backchain names_same_reflexive.
 %IL-Cons
  case IsV. IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  NS1: apply IH_S to _ _ _ IL1. NS2: apply IH_IL to _ _ _ _ _ IL2.
  apply names_same_transitive to NS1 NS2. search.


Theorem updateListIndex_geq_0 : forall L I V Out,
  is_integer I -> updateListIndex L I V Out -> I >= 0. [Show Proof]

induction on 2. intros IsI ULI. ULI: case ULI.
  %ULI-0
   search.
  %ULI-Step
   apply minus_integer_is_integer to _ _ ULI. G: apply IH to _ ULI1.
   P: apply minus_plus_same_integer to _ _ ULI.
   apply greatereq_integer__add_positive to _ _ P. search.

Theorem updateListIndex_unique : forall L I V OutA OutB,
  is_value L -> is_value V -> updateListIndex L I V OutA ->
  updateListIndex L I V OutB -> OutA = OutB. [Show Proof]

induction on 3. intros IsL IsV ULIA ULIB. ULIA: case ULIA.
  %ULI-0
   ULIB: case ULIB.
     %ULI-0
      search.
     %ULI-Step
      compute ULIB. GEq: apply updateListIndex_geq_0 to _ ULIB1.
      LEq: case GEq. case LEq.
  %ULI-Step
   ULIB: case ULIB.
     %ULI-0
      compute ULIA. G: apply updateListIndex_geq_0 to _ ULIA1.
      G: case G. case G.
     %ULI-Step
      apply minus_integer_unique to ULIA ULIB. case IsL.
      apply IH to _ _ ULIA1 ULIB1. search.


Prove matchEval:host:matchInt_unique.
Prove matchEval:host:matchTrue_matchFalse_exclusive.
Prove matchEval:host:matchString_unique.
Prove matchEval:host:matchRec_unique. [Show Proof]

%MR-Nil
 case MRB. search.
%MR-Cons
 case MRB. search.
Prove matchEval:host:matchInt_matchTrue_exclusive.
Prove matchEval:host:matchInt_matchFalse_exclusive.
Prove matchEval:host:matchInt_matchString_exclusive.
Prove matchEval:host:matchInt_matchRec_exclusive.
Prove matchEval:host:matchString_matchTrue_exclusive.
Prove matchEval:host:matchString_matchFalse_exclusive.
Prove matchEval:host:matchString_matchRec_exclusive.
Prove matchEval:host:matchRec_matchTrue_exclusive. [Show Proof]

%MR-Nil
 case MT.
%MR-Cons
 case MT.
Prove matchEval:host:matchRec_matchFalse_exclusive. [Show Proof]

%MR-Nil
 case MF.
%MR-Cons
 case MF.


Prove matchEval:host:evalExpr_rel,
      matchEval:host:evalExpr_rel_output,
      matchEval:host:evalStmt_newNameScopes_output,
      matchEval:host:evalStmt_newNameScopes,
      matchEval:host:evalArgs_rel,
      matchEval:host:evalArgs_rel_output,
      matchEval:host:evalRecFields_rel,
      matchEval:host:evalRecFields_rel_output
with
  iterateList_newNameScopes_output :
    forall FE EE_A EE_B V X Body EE_A' EE_B' O_A O_B N Len,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' O_A ->
      ILB : iterateList FE EE_B V X Body EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      O_A = O_B
    on ILA as IH_O_IL,
  iterateList_newNameScopes :
    forall FE EE_A EE_B V X Body EE_A' EE_B' O_A O_B N Len,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' O_A ->
      ILB : iterateList FE EE_B V X Body EE_B' O_B ->
      NNS : newNameScopes N Len EE_A EE_B ->
      newNameScopes N Len EE_A' EE_B'
    on ILA as IH_C_IL. [Show Proof]

%evalExpr_rel
 %E-Nil
  case EvB. search.
 %E-Cons
  case IsE. EvB: case EvB. Vars: case Vars.
  apply IH_V_E to _ _ _ _ EvA1 EvB Vars _.
    intros M L. apply mem_append_left to M Vars2. backchain Rel.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 Vars1 _.
    intros M L. apply mem_append_right to M Vars2. backchain Rel.
  search.
 %E-Head
  case IsE. EvB: case EvB. Vars: case Vars.
  apply IH_V_E to _ _ _ _ EvA1 EvB Vars _.
  apply evalExpr_isValue to _ _ _ EvA1. search.
 %E-Tail
  case IsE. EvB: case EvB. Vars: case Vars.
  apply IH_V_E to _ _ _ _ EvA1 EvB Vars _.
  apply evalExpr_isValue to _ _ _ EvA1. search.
 %E-Null-True
  case IsE. Vars: case Vars. EvB: case EvB.
    %E-Null-True
     search.
    %E-Null-False
     apply IH_V_E to _ _ _ _ EvA1 EvB Vars _.
 %E-Null-False
  case IsE. Vars: case Vars. EvB: case EvB.
    %E-Null-True
     apply IH_V_E to _ _ _ _ EvA1 EvB Vars _.
    %E-Null-False
     search.
%evalExpr_rel_output
 %E-Nil
  case EvB. search.
 %E-Cons
  case IsE. EvB: case EvB. Vars: case Vars.
  apply IH_O_E to _ _ _ _ EvA1 EvB Vars _.
    intros M L. apply mem_append_left to M Vars2. backchain Rel.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 Vars1 _.
    intros M L. apply mem_append_right to M Vars2. backchain Rel.
  apply append_unique to EvA3 EvB2. search.
 %E-Head
  case IsE. EvB: case EvB. Vars: case Vars.
  apply IH_O_E to _ _ _ _ EvA1 EvB _ _. search.
 %E-Tail
  case IsE. EvB: case EvB. Vars: case Vars.
  apply IH_O_E to _ _ _ _ EvA1 EvB _ _. search.
 %E-Null-True
  case IsE. Vars: case Vars. EvB: case EvB.
    %E-Null-True
     apply IH_O_E to _ _ _ _ EvA1 EvB _ _. search.
    %E-Null-False
     apply IH_O_E to _ _ _ _ EvA1 EvB _ _. search.
 %E-Null-False
  case IsE. Vars: case Vars. EvB: case EvB.
    %E-Null-True
     apply IH_O_E to _ _ _ _ EvA1 EvB _ _. search.
    %E-Null-False
     apply IH_O_E to _ _ _ _ EvA1 EvB _ _. search.
%evalStmt_newNameScopes_output
 %E-ListUpdate
  Is: case IsS. EvB: case EvB. VI: apply vars_exist to Is1.
  apply IH_O_E to _ _ _ _ EvA2 EvB1 VI _.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  VE: apply vars_exist to Is2.
  apply IH_O_E to _ _ _ _ EvA4 EvB3 VE _.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  L: apply newNameScopes_lookupScopes to _ _ _ EvB with
        A = Scope::EE_A. apply lookupScopes_unique to L EvA1.
  apply append_unique to EvA7 EvB6. search.
 %E-ListForeach
  Is: case IsS. EvB: case EvB. V: apply vars_exist to Is1.
  apply IH_O_E to _ _ _ _ EvA1 EvB V _.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  apply IH_V_E to _ _ _ _ EvA1 EvB V _.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_O_IL to _ _ _ _ _ _ EvA2 EvB1 _.
  apply append_unique to EvA3 EvB2. search.
%evalStmt_newNameScopes
 %E-ListUpdate
  Is: case IsS. EvB: case EvB. VI: apply vars_exist to Is1.
  apply IH_V_E to _ _ _ _ EvA2 EvB1 VI _.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  VE: apply vars_exist to Is2.
  apply IH_V_E to _ _ _ _ EvA4 EvB3 VE _.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  L: apply newNameScopes_lookupScopes to _ _ _ EvB with
        A = Scope::EE_A. apply lookupScopes_unique to L EvA1.
  apply evalExpr_isValue to _ _ _ EvA2.
  apply evalExpr_isValue to _ _ _ EvA4.
  apply matchInt_unique to _ EvA3 EvB2.
  apply lookupScopes_is to _ EvA1.
  apply updateListIndex_unique to _ _ EvA5 EvB4.
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  apply updateListIndex_is to _ _ EvA5.
  R: apply newNameScopes_replaceScopes to _ _ _ _ NNS' EvB5.
  apply replaceScopes_unique to R EvA6. search.
 %E-ListForeach
  Is: case IsS. EvB: case EvB. V: apply vars_exist to Is1.
  apply IH_V_E to _ _ _ _ EvA1 EvB V _.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_C_IL to _ _ _ _ _ _ EvA2 EvB1 _. search.
%iterateList_newNameScopes_output
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. apply IH_O_S to _ _ _ _ ILA1 ILB _.
  NNS+: apply IH_C_S to _ _ _ _ ILA1 ILB _. NNS+: case NNS+.
    %end
     LenEE_B: apply length_exists_list_pair_string_value to IsB.
     IsN2: apply length_is to LenEE_B.
     P: apply plus_integer_total to _ IsN2 with N1 = 1.
     LenEE_B+: assert length ([(X, Hd)]::EE_B) N3.
     LenEE2+: apply evalStmt_keep_scopes to _ _ _ ILB LenEE_B+.
     apply length_unique to LenEE2+ NNS+.
     LEq: apply newNameScopes_length to NNS LenEE_B.
     L: apply lt_plus_one to P _.
     apply less_lesseq_flip_false to L LEq.
    %step
     IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
     IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
     apply IH_O_IL to _ _ _ _ _ _ ILA2 ILB1 _.
     apply append_unique to ILA3 ILB2. search.
%iterateList_newNameScopes
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. NNS+: apply IH_C_S to _ _ _ _ ILA1 ILB _.
  NNS+: case NNS+.
    %end
     LenEE_B: apply length_exists_list_pair_string_value to IsB.
     IsN2: apply length_is to LenEE_B.
     P: apply plus_integer_total to _ IsN2 with N1 = 1.
     LenEE_B+: assert length ([(X, Hd)]::EE_B) N3.
     LenEE2+: apply evalStmt_keep_scopes to _ _ _ ILB LenEE_B+.
     apply length_unique to LenEE2+ NNS+.
     LEq: apply newNameScopes_length to NNS LenEE_B.
     L: apply lt_plus_one to P _.
     apply less_lesseq_flip_false to L LEq.
    %step
     IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
     IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
     apply IH_C_IL to _ _ _ _ _ _ ILA2 ILB1 _. search.


Add_Ext_Size matchEval:host:evalExpr, matchEval:host:evalArgs,
             matchEval:host:evalRecFields, matchEval:host:evalStmt
        with iterateList FE EE V X Body EE' O.
Add_Proj_Rel matchEval:host:evalExpr, matchEval:host:evalArgs,
             matchEval:host:evalRecFields, matchEval:host:evalStmt
        with iterateList FE EE V X Body EE' O.


Prove matchEval:host:evalExpr_rel_exists_ES,
      matchEval:host:evalStmt_newNameScopes_exists_ES,
      matchEval:host:evalArgs_rel_exists_ES,
      matchEval:host:evalRecFields_rel_exists_ES
with
  iterateList_newNameScopes_exists_ES :
    forall FE EE_A EE_B V X Body EE_B' O N Len ES,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      ILB : <iterateList {ES}> FE EE_B V X Body EE_B' O ES ->
      NNS : newNameScopes N Len EE_A EE_B ->
      exists EE_A', <iterateList {ES}> FE EE_A V X Body EE_A' O ES
    on ILB as IH_IL. [Show Proof]

%evalExpr_rel_exists_ES
 %E-Nil
  search.
 %E-Cons
  case IsE. Vars: case Vars.
  EvA1: apply IH_E to _ _ _ _ EvB3 Vars _ with EE_A = EE_A.
    intros M L. M': apply mem_append_left to M Vars2.
    apply Rel to M' L. search.
  EvA2: apply IH_E to _ _ _ _ EvB4 Vars1 _ with EE_A = EE_A.
    intros M L. M': apply mem_append_right to M Vars2.
    apply Rel to M' L. search.
  search.
 %E-Head
  case IsE. case Vars. apply IH_E to _ _ _ _ EvB2 _ Rel. search.
 %E-Tail
  case IsE. case Vars. apply IH_E to _ _ _ _ EvB2 _ Rel. search.
 %E-Null-True
  case IsE. case Vars. apply IH_E to _ _ _ _ EvB2 _ Rel. search.
 %E-Null-False
  case IsE. case Vars. apply IH_E to _ _ _ _ EvB2 _ Rel. search.
%evalStmt_newNameScopes_exists_ES
 %E-ListUpdate
  Is: case IsS. LA: apply newNameScopes_lookupScopes to IsA _ _ EvB3.
  VI: apply vars_exist to Is1.
  EvA1: apply IH_E to _ _ IsA _ EvB4 VI _ with EE_A = Scope::EE_A.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  EvB1': apply drop_ext_size_evalExpr to EvB4.
  EvA1': apply drop_ext_size_evalExpr to EvA1.
  VE: apply vars_exist to Is2.
  EvA2: apply IH_E to _ _ _ _ EvB6 VE _ with EE_A = Scope::EE_A.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  EvB2': apply drop_ext_size_evalExpr to EvB6.
  EvA2': apply drop_ext_size_evalExpr to EvA2.
  apply evalExpr_isValue to _ _ _ EvB2'.
  apply lookupScopes_is to _ EvB3.
  apply updateListIndex_is to _ _ EvB7.
  NNS': assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  apply newNameScopes_replaceScopes to _ _ _ _ NNS' EvB8. search.
 %E-ListForeach
  Is: case IsS. EvE: apply drop_ext_size_evalExpr to EvB3.
  apply evalExpr_isValue to _ _ _ EvE. V: apply vars_exist to Is1.
  apply IH_E to _ _ _ _ EvB3 V _ with EE_A = Scope::EE_A.
    intros _ LSB. apply lookupScopes_is_key to _ LSB.
    apply newNameScopes_lookupScopes to _ _ _ LSB. search.
  NNS+: assert newNameScopes N Len (Scope::EE_A) (Scope::EE_B).
  apply IH_IL to _ _ _ _ _ _ EvB4 NNS+. search.
%iterateList_newNameScopes_exists_ES
 %IL-Nil
  search.
 %IL-Cons
  case IsV. EvA: apply IH_S to _ _ _ _ ILB2 NNS.
  EvB': apply drop_ext_size_evalStmt to ILB2.
  EvA': apply drop_ext_size_evalStmt to EvA.
  IsEE1+: apply evalStmt_isCtx to _ _ _ EvB'. case IsEE1+.
  NNS+: apply evalStmt_newNameScopes to _ _ _ _ EvA' EvB' NNS.
  NNS+: case NNS+.
    %end
     LenEE_B: apply length_exists_list_pair_string_value to IsB.
     IsN2: apply length_is to LenEE_B.
     P: apply plus_integer_total to _ IsN2 with N1 = 1.
     LenEE_B+: assert length ([(X, Hd)]::EE_B) N5.
     LenEE2+: apply evalStmt_keep_scopes to _ _ _ EvB' LenEE_B+.
     apply length_unique to LenEE2+ NNS+.
     LEq: apply newNameScopes_length to NNS LenEE_B.
     L: apply lt_plus_one to P _.
     apply less_lesseq_flip_false to L LEq.
    %step
     IsAR+: apply evalStmt_isCtx to _ _ _ EvA'. case IsAR+.
     apply IH_IL to _ _ _ _ _ _ ILB3 NNS+. search.


Prove matchEval:host:evalExpr_scopes_same,
      matchEval:host:evalStmt_scopes_same,
      matchEval:host:evalStmt_scopes_same_ctx,
      matchEval:host:evalArgs_scopes_same,
      matchEval:host:evalRecFields_scopes_same
with
  iterateList_scopes_same :
    forall V X Body FE EE_A EE_A' OA EE_B EE_B' OB,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' OA ->
      ILB : iterateList FE EE_B V X Body EE_B' OB ->
      OA = OB
    on ILA as IH_IL,
  iterateList_scopes_same_ctx :
    forall V X Body FE EE_A EE_A' OA EE_B EE_B' OB,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' OA ->
      ILB : iterateList FE EE_B V X Body EE_B' OB ->
      scopes_same EE_A' EE_B'
    on ILA as IH_IL_C. [Show Proof]

%evalExpr_scopes_same
 %E-Nil
  case EvB. search.
 %E-Cons
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA2 EvB1. apply append_unique to EvA3 EvB2.
  search.
 %E-Head
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB. search.
 %E-Tail
  case IsE. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB. search.
 %E-Null-True
  case IsE. EvB: case EvB.
    %E-Null-True
     apply IH_E to _ _ _ _ _ EvA1 EvB. search.
    %E-Null-False
     apply IH_E to _ _ _ _ _ EvA1 EvB.
 %E-Null-False
  case IsE. EvB: case EvB.
    %E-Null-True
     apply IH_E to _ _ _ _ _ EvA1 EvB.
    %E-Null-False
     apply IH_E to _ _ _ _ _ EvA1 EvB. search.
%evalStmt_scopes_same
 %E-ListUpdate
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA2 EvB1.
  apply scopes_same_lookupScopes to _ _ SS EvA1 EvB.
  apply IH_E to _ _ _ _ _ EvA4 EvB3. apply append_unique to EvA7 EvB6.
  search.
 %E-ListForeach
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ SS EvA1 EvB.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_IL to _ _ _ _ _ _ SS EvA2 EvB1.
  apply append_unique to EvA3 EvB2. search.
%evalStmt_scopes_same_ctx
 %E-ListUpdate
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA2 EvB1.
  apply IH_E to _ _ _ _ _ EvA4 EvB3.
  apply scopes_same_lookupScopes to _ _ SS EvA1 EvB.
  apply evalExpr_isValue to _ _ _ EvA2.
  apply matchInt_unique to _ EvA3 EvB2.
  apply evalExpr_isValue to _ _ _ EvA4.
  apply lookupScopes_is to _ EvA1.
  apply updateListIndex_unique to _ _ EvA5 EvB4.
  apply scopes_same_replaceScopes_scopes_same to _ _ _ _ EvA6 EvB5.
  search.
 %E-ListForeach
  case IsS. EvB: case EvB. apply IH_E to _ _ _ _ _ EvA1 EvB.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_IL_C to _ _ _ _ _ _ SS EvA2 EvB1. search.
%iterateList_scopes_same
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. apply IH_S to _ _ _ _ _ ILA1 ILB.
  SS+: apply IH_S_C to _ _ _ _ _ ILA1 ILB. case SS+.
  IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
  IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
  apply IH_IL to _ _ _ _ _ _ _ ILA2 ILB1.
  apply append_unique to ILA3 ILB2. search.
%iterateList_scopes_same_ctx
 %IL-Nil
  case ILB. search.
 %IL-Cons
  case IsV. ILB: case ILB. SS+: apply IH_S_C to _ _ _ _ _ ILA1 ILB.
  case SS+. IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1. case IsEE1+.
  IsEE2+: apply evalStmt_isCtx to _ _ _ ILB. case IsEE2+.
  apply IH_IL_C to _ _ _ _ _ _ _ ILA2 ILB1. search.


Prove matchEval:host:evalExpr_scopes_same_exists,
      matchEval:host:evalStmt_scopes_same_exists,
      matchEval:host:evalArgs_scopes_same_exists,
      matchEval:host:evalRecFields_scopes_same_exists
with
  iterateList_scopes_same_exists :
    forall V X Body FE EE_A EE_A' O EE_B,
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsA : is_list (is_list (is_pair is_string is_value)) EE_A ->
      IsB : is_list (is_list (is_pair is_string is_value)) EE_B ->
      SS : scopes_same EE_A EE_B ->
      ILA : iterateList FE EE_A V X Body EE_A' O ->
      exists EE_B', iterateList FE EE_B V X Body EE_B' O
  on ILA as IH_IL. [Show Proof]

%evalExpr_scopes_same_exists
 %E-Nil
  search.
 %E-Cons
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1.
  EvB2: apply IH_E to _ _ _ _ SS EvA2. search.
 %E-Head
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Tail
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Null-True
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
 %E-Null-False
  case IsE. EvB1: apply IH_E to _ _ _ _ SS EvA1. search.
%evalStmt_scopes_same_exists
 %E-ListUpdate
  case IsS. EvB1: apply IH_E to _ _ _ _ SS EvA2.
  EvB2: apply IH_E to _ _ _ _ SS EvA4.
  apply scopes_same_lookupScopes_exists to _ _ SS EvA1.
  apply scopes_same_replaceScopes_exists to _ _ _ SS EvA6. search.
 %E-ListForeach
  case IsS. apply IH_E to _ _ _ _ SS EvA1.
  apply evalExpr_isValue to _ _ _ EvA1.
  apply IH_IL to _ _ _ _ _ _ SS EvA2. search.
%iterateList_scopes_same_exists
 %IL-Nil
  search.
 %IL-Cons
  case IsV.
  SS1: assert scopes_same ([(X, Hd)]::EE_A) ([(X, Hd)]::EE_B).
  EvB: apply IH_S to _ _ _ _ SS1 ILA1.
  SS2: apply evalStmt_scopes_same_ctx to _ _ _ _ SS1 ILA1 EvB.
  SS': case SS2. IsEE1+: apply evalStmt_isCtx to _ _ _ ILA1.
  case IsEE1+. IsBR+: apply evalStmt_isCtx to _ _ _ EvB. case IsBR+.
  apply IH_IL to _ _ _ _ _ _ SS'2 ILA2. search.


Theorem is_list_values_append_nil : forall L,
  is_list is_value L -> L ++ [] = L. [Show Proof]

induction on 1. intros IsL. Is: case IsL.
  %nil
   search.
  %cons
   apply IH to Is1. search.


Prove_Constraint matchEval:host:proj_matchInt. [Show Proof]

%Proj-NilVal
 case MI.
%Proj-ConsVal
 case MI.
Prove_Constraint matchEval:host:proj_matchTrue. [Show Proof]

%Proj-NilVal
 case MT.
%Proj-ConsVal
 case MT.
Prove_Constraint matchEval:host:proj_matchFalse. [Show Proof]

%Proj-NilVal
 case MF.
%Proj-ConsVal
 case MF.
Prove_Constraint matchEval:host:proj_matchString. [Show Proof]

%Proj-NilVal
 case MS.
%Proj-ConsVal
 case MS.
Prove_Constraint matchEval:host:proj_matchRec. [Show Proof]

%Proj-NilVal
 MR: case MR. search.
%Proj-ConsVal
 MR: case MR. search.
Add_Proj_Rel matchEval:host:matchInt.
Prove_Ext_Ind matchEval:host:matchInt.
Add_Proj_Rel matchEval:host:matchTrue.
Prove_Ext_Ind matchEval:host:matchTrue.
Add_Proj_Rel matchEval:host:matchFalse.
Prove_Ext_Ind matchEval:host:matchFalse.
Add_Proj_Rel matchEval:host:matchRec.
Prove_Ext_Ind matchEval:host:matchRec. [Show Proof]

%MR-Nil
 search.
%MR-Cons
 case IsV. search.
Add_Proj_Rel matchEval:host:matchString.
Prove_Ext_Ind matchEval:host:matchString.
Prove matchEval:host:projedVal_is.
Prove matchEval:host:projedVal_matchInt.
Prove matchEval:host:projedVal_matchString.
Prove matchEval:host:projedVal_matchTrue.
Prove matchEval:host:projedVal_matchFalse.
Prove matchEval:host:projedVal_matchRec.

Prove_Constraint matchEval:host:matchInt_proj. [Show Proof]

%PR-Cons-Head
 case MI.
%PR-Cons-Tail
 case MI.
Prove_Constraint matchEval:host:matchTrue_proj. [Show Proof]

%PR-Cons-Head
 case MT.
%PR-Cons-Tail
 case MT.
Prove_Constraint matchEval:host:matchFalse_proj. [Show Proof]

%PR-Cons-Head
 case MF.
%PR-Cons-Tail
 case MF.
Prove_Constraint matchEval:host:matchString_proj. [Show Proof]

%PR-Cons-Head
 case MS.
%PR-Cons-Tail
 case MS.
Prove_Constraint matchEval:host:matchRec_proj. [Show Proof]

%PR-Cons-Head
 MR: case MR. search.
%PR-Cons-Tail
 MR: case MR. search.
Prove matchEval:host:matchInt_projedVal.
Prove matchEval:host:matchTrue_projedVal.
Prove matchEval:host:matchFalse_projedVal.
Prove matchEval:host:matchString_projedVal.
Prove matchEval:host:matchRec_projedVal.


Theorem projedFields_lookup_back : forall Fs Fs' X V',
  projedFields Fs Fs' -> lookup Fs' X V' ->
  exists V, lookup Fs X V /\ projedVal V V'. [Show Proof]

induction on 2. intros PF L. L: case L.
  %PF-Nil
   case PF. search.
  %PF-Cons
   PF: case PF. apply IH to PF1 L1. search.


Prove_Constraint matchEval:host:proj_evalExpr_forward. [Show Proof]

%Proj-Nil
 case Ev. apply scopes_same_reflexive to IsEE. search.
%Proj-Cons
 Ev: case Ev. case IsE. IsO3: apply evalExpr_isOutput to _ _ _ Ev1.
 apply is_list_values_append_nil to IsO3. search.
%Proj-Null
 case IsE. Ev: case Ev.
   %E-Null-True
    search.
   %E-Null-False
    search.
%Proj-Head
 Ev: case Ev. search.
%Proj-Tail
 Ev: case Ev. search.


Extensible_Theorem
  iterateList_to_while : forall FE EE V X Body EE' O Names L,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    Names : names EE Names ->
    Fr : fresh_name "L" (X::Names) L ->
    exists V',
      evalStmt FE ([(L, V)]::EE)
        (while (not (null (name L)))
           (seq (declare intTy X (head (name L)))
           (seq (assign L (tail (name L)))
                Body))) ([(L, V')]::EE') O
  on IL. [Show Proof]

%IL-Nil
 search 20.
%IL-Cons
 case IsV. IsEE''+: apply evalStmt_isCtx to _ _ _ IL1.
 IsEE'': case IsEE''+. NS: apply evalStmt_names_same to _ _ _ IL1.
 Names'': apply names_exists to IsEE''1.
 IsN: apply names_is to _ Names''.
 Fr': apply fresh_name_exists to _ _ with Base = "L", Names = X::N.
 apply fresh_name_unique_mems to Fr Fr' _ _.
   %mem X::N -> mem X::Names
    intros M. M: case M. search.
    NS': apply names_same_symmetric to NS.
    apply names_same_names to NS' Names'' Names M. search.
   %mem X::Names -> mem X::N
    intros M. M: case M. search.
    apply names_same_names to NS Names Names'' M. search.
 EvSub: apply IH to _ _ _ _ _ IL2 Names'' Fr'.
 exists V'. unfold. exists trueVal, [], Scope', [(F, Tl)]::EE'', O2,
                           O3, O2. split.
   %eval condition
    search.
   %matchTrue
    search.
   %eval body
    unfold. exists [(X, Hd)]::[(F, consVal Hd Tl)]::EE, [], O2. split.
      %eval declare X
       search 20.
      %eval rest
       NEq: assert X = F -> false.
         intros E. case E. apply fresh_name_not_mem to Fr _.
       unfold. exists [(X, Hd)]::[(F, Tl)]::EE, [], O2. split.
         %eval assign
          search 10.
         %eval Body
          LenEE: apply length_exists_list_pair_string_value to IsEE.
          rename N1 to Len.
          NNS: assert newNameScopes [[(F, Tl)]] Len
                                    ([(F, Tl)]::EE) EE.
            unfold. exists 1, [F], Names. split. search. search.
            search. search. search. intros M MN. M: case M.
            apply fresh_name_not_mem to Fr _. case M.
          apply fresh_name_is to _ Fr.
          Ev: apply evalStmt_newNameScopes_exists to
                 _ _ _ _ IL1 NNS.
          NNS': apply evalStmt_newNameScopes to _ _ _ _ Ev IL1 _.
          NNS': case NNS'.
            %end
             Take: case NNS'2. case Take1. compute Take.
             Drop: case NNS'1. apply drop_is_integer to Drop1.
             apply plus_integer_unique_addend to _ _ _ Take Drop.
             Eq: assert L1 = Scope'::EE''.
               D: case Drop1. search. apply drop_is_integer to D1.
               P: assert 1 + -1 = 0.
               apply plus_integer_unique_addend to _ _ _ P D.
               GEq: apply drop_geq_0 to D1. LEq: case GEq. case LEq.
             case Eq. clear Take Drop Drop1.
             Len: case NNS'. apply length_is to Len.
             L: apply lt_plus_one to Len1 _.
             Len'': apply names_same_length to NS LenEE.
             apply length_unique to Len'' Len.
             apply less_integer_not_eq to L.
            %step
             NNS': case NNS'.
               %end
                Take: case NNS'2. case Take1. compute Take.
                Drop: case NNS'1. apply drop_is_integer to Drop1.
                apply plus_integer_unique_addend to _ _ _ Take Drop.
                Eq: assert L1 = EE''.
                  D: case Drop1. search. P: assert 1 + -1 = 0.
                  apply drop_is_integer to D1.
                  apply plus_integer_unique_addend to _ _ _ D P.
                  GEq: apply drop_geq_0 to D1. LEq: case GEq.
                  case LEq.
                case Eq. search.
               %step
                LenBR+: apply names_same_length to NS LenEE.
                LenBR: case LenBR+. apply length_is to LenBR.
                L: apply lt_plus_one to LenBR1 _.
                LEq: apply newNameScopes_length to NNS' LenBR.
                apply less_lesseq_flip_false to L LEq.
      %append output
       search.
      %append output
       search.
   %eval loop again
    search.
   %append first output
    search.
   %append rest output
    search.


Theorem lookupScopes_replaceScopes_exists : forall L Key V V',
  is_list (is_list (is_pair is_string is_value)) L -> is_string Key ->
  lookupScopes Key L V -> exists R, replaceScopes Key V' L R. [Show Proof]

induction on 3. intros IsL IsKey LS. LS: case LS.
  %LS-FirstScope
   Is: case IsL. RA: apply remove_all_exists to Is IsKey.
   M: apply lookup_mem to LS. search.
  %LS-Later
   case IsL. apply IH to _ _ LS1 with V' = V'. search.

Theorem replaceScopes_lookupScopes_same[Key, Item] :
  forall L (Key : Key) (V : Item) R,
    replaceScopes Key V L R -> lookupScopes Key R V. [Show Proof]

induction on 1. intros RS. RS: case RS.
  %RS-FirstScope
   search.
  %RS-Later
   apply IH to RS1. search.

Theorem remove_all_twice[K, V] : forall (L : list (pair K V)) K RA RB,
  remove_all L K RA -> remove_all RA K RB -> RA = RB. [Show Proof]

induction on 1. intros RA RB. RA: case RA.
  %RA-Nil
   case RB. search.
  %RA-Remove
   apply IH to RA RB. search.
  %RA-Keep
   RB: case RB.
     %RA-Remove
      apply RA to _.
     %RA-Keep
      apply IH to RA1 RB1. search.

Theorem replaceScopes_twice[Key, Item] :
  forall (L : list (list (pair string value))) K VA RA VB RB,
    replaceScopes K VA L RA -> replaceScopes K VB RA RB ->
    replaceScopes K VB L RB. [Show Proof]

induction on 1. intros RSA RSB. RSA: case RSA.
  %RS-FirstScope
   RSB: case RSB.
     %RS-FirstScope
      RA: case RSB1.
        %RA-Remove
         apply remove_all_twice to RSA1 RA. search.
        %RA-Keep
         apply RA to _.
     %RS-Later
      N: case RSB. apply N to _.
  %RS-Later
   RSB: case RSB.
     %RS-FirstScope
      apply no_lookup_mem to RSA RSB.
     %RS-Later
      apply IH to RSA1 RSB1. search.

Theorem updateListIndex_is_integer : forall L I V L',
  updateListIndex L I V L' -> is_integer I. [Show Proof]

induction on 1. intros ULI. ULI: case ULI.
  %ULI-0
   search.
  %ULI-Step
   IsI1: apply IH to ULI1.
   apply minus_integer_is_integer_result to _ ULI. search.

Theorem updateListIndex_pos : forall L I V L',
  updateListIndex L I V L' -> I >= 0. [Show Proof]

induction on 1. intros ULI.
IsI: apply updateListIndex_is_integer to ULI. ULI: case ULI.
  %ULI-0
   search.
  %ULI-Step
   GEq: apply IH to ULI1. P: apply minus_plus_same_integer to _ _ ULI.
   IsI1: apply updateListIndex_is_integer to ULI1.
   P': apply plus_integer_comm to _ _ P. L: apply lt_plus_one to P' _.
   LEq: case GEq. L': apply lesseq_less_integer_transitive to LEq L.
   G: assert I > 0. apply greater_integer_greatereq to G. search.

Define listy : value -> prop by
listy nilVal;
listy (consVal Hd Tl) := listy Tl.

%flip first list onto second, producing third
Define flipOnto : value -> value -> value -> prop by
flipOnto nilVal L L;
flipOnto (consVal H T) L L' := flipOnto T (consVal H L) L'.

Theorem eval_update_loop2 :
  forall (Hold SaveI SaveE L : string) V H HoldL LVal G FE VI,
    listy HoldL ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value))
        ([(Hold, consVal H HoldL), (SaveI, VI), (SaveE, V)]::G) ->
    matchInt VI 0 ->
    (Hold = SaveI -> false) -> (Hold = L -> false) ->
    (SaveI = SaveE -> false) -> (SaveI = L -> false) ->
    (Hold = SaveE -> false) -> (SaveE = L -> false) ->
    lookupScopes L ([(Hold, consVal H HoldL), (SaveI, VI),
                     (SaveE, V)]::G) LVal ->
    exists G' LV,
      <evalStmt {P}> FE
             ([(Hold, consVal H HoldL), (SaveI, VI), (SaveE, V)]::G)
             (while (not (null (name Hold)))
                     (seq (assign L (cons (head (name Hold)) (name L)))
                          (assign Hold (tail (name Hold)))))
             ([(Hold, nilVal), (SaveI, VI), (SaveE, V)]::G') [] /\
      replaceScopes L LV G G' /\
      flipOnto (consVal H HoldL) LVal LV. [Show Proof]

induction on 1. intros ListyH IsFE IsCtx M0 NEqHI NEqHL NEqIE NEqIL
                       NEqHE NEqEL LS. ListyH: case ListyH.
  %nil
   EvCondA: assert <evalExpr {P}>
                     FE ([]::[(Hold, consVal H nilVal),
                              (SaveI, VI), (SaveE, V)]::G)
                     (not (null (name Hold))) trueVal []. search 20.
   EvBody1A: assert exists G',
                     <evalStmt {P}> FE
                       ([]::[(Hold, consVal H nilVal),
                             (SaveI, VI), (SaveE, V)]::G)
                       (assign L (cons (head (name Hold)) (name L)))
                       ([]::[(Hold, consVal H nilVal),
                             (SaveI, VI), (SaveE, V)]::G') [] /\
                     replaceScopes L (consVal H LVal) G G'.
     Is+: assert is_list (is_list (is_pair is_string is_value))
                   ([]::[(Hold, consVal H nilVal),
                         (SaveI, VI), (SaveE, V)]::G).
     IsL: apply lookupScopes_is to _ LS.
     LS: assert lookupScopes L
                   ([]::[(Hold, consVal H nilVal),
                         (SaveI, VI), (SaveE, V)]::G) LVal.
     apply lookupScopes_is_key to _ LS.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = consVal H LVal. RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        search 20.
   EvBody1A: case EvBody1A.
   EvBody1B: assert <evalStmt {P}> FE
                      ([]::[(Hold, consVal H nilVal),
                            (SaveI, VI), (SaveE, V)]::G')
                      (assign Hold (tail (name Hold)))
                      ([]::[(Hold, nilVal), (SaveI, VI),
                            (SaveE, V)]::G') [].
     unfold. exists nilVal. split.
       %eval expr
        search 20.
       %replaceScopes
        unfold. search. unfold. exists consVal H nilVal.
        split. search. unfold. unfold. intros E. case E.
        backchain NEqHI. unfold. intros E. case E. backchain NEqHE.
        search.
   EvCondB: assert <evalExpr {P}> FE ([]::[(Hold, nilVal),
                                           (SaveI, VI),
                                           (SaveE, V)]::G')
                     (not (null (name Hold))) falseVal []. search 20.
   exists G', consVal H LVal. search 20.
  %cons
   EvCondA: assert <evalExpr {P}> FE
                     ([]::[(Hold, consVal H (consVal Hd Tl)),
                           (SaveI, VI), (SaveE, V)]::G)
                     (not (null (name Hold))) trueVal []. search 20.
   EvBody1A:
      assert exists G',
                <evalStmt {P}> FE
                  ([]::[(Hold, consVal H (consVal Hd Tl)),
                        (SaveI, VI), (SaveE, V)]::G)
                  (assign L (cons (head (name Hold)) (name L)))
                  ([]::[(Hold, consVal H (consVal Hd Tl)),
                        (SaveI, VI), (SaveE, V)]::G') [] /\
                replaceScopes L (consVal H LVal) G G'.
     IsL: apply lookupScopes_is to _ LS.
     apply lookupScopes_is_key to _ LS.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = (consVal H LVal). RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        search 20.
   EvBody1A: case EvBody1A.
   EvBody1B: assert <evalStmt {P}> FE
                      ([]::[(Hold, consVal H (consVal Hd Tl)),
                            (SaveI, VI), (SaveE, V)]::G')
                      (assign Hold (tail (name Hold)))
                      ([]::[(Hold, (consVal Hd Tl)),
                            (SaveI, VI), (SaveE, V)]::G') [].
     unfold. exists consVal Hd Tl. split.
       %eval expr
        search 20.
       %replaceScopes
        unfold. search. unfold. exists consVal H (consVal Hd Tl).
        split. search. unfold. unfold. intros E. case E.
        backchain NEqHI. unfold. intros E. case E. backchain NEqHE.
        search.
   LS': assert lookupScopes L
                  ([(Hold, consVal Hd Tl), (SaveI, VI),
                    (SaveE, V)]::G') (consVal H LVal).
     apply replaceScopes_lookupScopes_same to EvBody1A1. search.
   apply lookupScopes_is to _ LS. Is: case IsCtx (keep). Is: case Is.
   Is: case Is. Is: case Is3. Is: case Is4. Is: case Is2.
   Is: case Is2. Is: case Is6. Is: case Is6.
   apply lookupScopes_is_key to _ LS.
   EvBody1A': apply drop_proj_rel_evalStmt to EvBody1A.
   apply evalStmt_isCtx to _ _ _ EvBody1A'.
   EvBody1B': apply drop_proj_rel_evalStmt to EvBody1B.
   IsG'+: apply evalStmt_isCtx to _ _ _ EvBody1B'. case IsG'+.
   EvB: apply IH to ListyH _ _ _ _ _ _ _ _ _ _ with Hold = Hold,
          SaveI = SaveI, SaveE = SaveE, L = L, V = V, H = Hd,
          LVal = consVal H LVal, G = G', FE = FE.
   exists G'1, LV. split.
     %eval
      search 20.
     %replaceScopes
      apply replaceScopes_twice to EvBody1A1 EvB1. search.
     %flipOnto
      search.

Theorem proj_listUpdate_eval :
  forall OldL I V NewL Hold HoldL SaveI SaveE G FE L VI,
    updateListIndex OldL I V NewL ->
    (Hold = SaveI -> false) -> (Hold = L -> false) ->
    (SaveI = SaveE -> false) -> (SaveI = L -> false) ->
    (Hold = SaveE -> false) -> (SaveE = L -> false) ->
    listy HoldL ->
    matchInt VI I ->
    I >= 0 ->
    is_list (is_pair is_string
            (is_pair is_string
            (is_pair is_value
            (is_pair (is_list is_string) is_stmt)))) FE ->
    is_list (is_list (is_pair is_string is_value))
       ([(Hold, HoldL), (SaveI, VI), (SaveE, V)]::G) ->
    lookupScopes L ([(Hold, HoldL), (SaveI, VI), (SaveE, V)]::G)
                 OldL ->
    exists G' LV VI',
      <evalStmt {P}> FE
         ([(Hold, HoldL), (SaveI, VI), (SaveE, V)]::G)
         (seq (while (greater (name SaveI) (num 0))
                 (seq (assign SaveI (minus (name SaveI) (num 1)))
                 (seq (assign Hold (cons (head (name L))
                                         (name Hold)))
                      (assign L (tail (name L))))))
         (seq (assign L (cons (name SaveE) (tail (name L))))
              (while (not (null (name Hold)))
                 (seq (assign L (cons (head (name Hold)) (name L)))
                      (assign Hold (tail (name Hold)))))))
         ([(Hold, nilVal), (SaveI, VI'), (SaveE, V)]::G') [] /\
      matchInt VI' 0 /\
      replaceScopes L LV G G' /\
      flipOnto HoldL NewL LV. [Show Proof]

induction on 1. intros ULI NEqHI NEqHL NEqIE NEqIL NEqHE NEqEL ListyH
                       MI GEqI0 IsFE Is+ LS. ULI: case ULI.
  %ULI-0
   EvLoop1: assert <evalStmt {P}> FE
                     ([(Hold, HoldL), (SaveI, VI),
                       (SaveE, V)]::G)
                     (while (greater (name SaveI) (num 0))
                        (seq (assign SaveI (minus (name SaveI)
                                     (num 1)))
                        (seq (assign Hold (cons (head (name L))
                                                (name Hold)))
                             (assign L (tail (name L))))))
                     ([(Hold, HoldL), (SaveI, VI),
                           (SaveE, V)]::G) []. search 6.
   EvMid_e: assert <evalExpr {P}> FE
                      ([(Hold, HoldL), (SaveI, VI),
                        (SaveE, V)]::G)
                      (cons (name SaveE) (tail (name L)))
                      (consVal V Tl) []. search 20.
   EvAssign: assert exists G',
               <evalStmt {P}> FE
                 ([(Hold, HoldL), (SaveI, VI),
                   (SaveE, V)]::G)
                 (assign L (cons (name SaveE) (tail (name L))))
                 ([(Hold, HoldL), (SaveI, VI),
                   (SaveE, V)]::G') [] /\
               replaceScopes L (consVal V Tl) G G'.
     IsL: apply lookupScopes_is to _ LS.
     apply lookupScopes_is_key to _ LS.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = consVal V Tl. RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        search.
   EvAssign: case EvAssign.
   ListyH': case ListyH (keep).
     %nil
      exists G', consVal V Tl, VI. split.
        %eval
         unfold. exists ([(Hold, nilVal),
                          (SaveI, VI), (SaveE, V)]::G),
                        [], []. split.
           %loop 1
            search.
           %rest
            unfold. exists [(Hold, nilVal),
                            (SaveI, VI), (SaveE, V)]::G', [], [].
            split.
              %mid assign
               search.
              %loop 2
               search 20.
              %append output
               search.
        %append output
         search.
        %matchInt
         search.
        %replaceScopes
         search.
        %flipOnto
         search.
     %cons
      LS': assert lookupScopes L ([(Hold, consVal Hd Tl1),
                                   (SaveI, VI), (SaveE, V)]::G')
                               (consVal V Tl).
        apply replaceScopes_lookupScopes_same to EvAssign1. search.
      IsL: apply lookupScopes_is to _ LS.
      Is: case Is+. Is: case Is. Is: case Is2. Is: case Is3.
      Is: case Is3. EvAsgn': apply drop_proj_rel_evalStmt to EvAssign.
      apply lookupScopes_is_key to _ LS.
      apply evalStmt_isCtx to _ _ _ EvAsgn'.
      EvLoop2: apply eval_update_loop2 to _ _ _ _ _ _ _ _ _ _ _ with
                 Hold = Hold, SaveI = SaveI, SaveE = SaveE, L = L,
                 V = V, H = Hd, HoldL = Tl1, LVal = consVal V Tl,
                 G = G', FE = FE.
      exists G'1, LV, VI. split.
        %eval
         unfold. exists ([(Hold, consVal Hd Tl1), (SaveI, VI),
                          (SaveE, V)]::G), [], []. split.
           %loop 1
            search.
           %rest
            unfold. exists [(Hold, consVal Hd Tl1), (SaveI, VI),
                            (SaveE, V)]::G', [], []. split.
              %mid assign
               search.
              %loop 2
               search.
              %append output
               search.
        %append output
         search.
        %matchInt
         search.
        %replaceScopes
         apply replaceScopes_twice to EvAssign1 EvLoop3. search.
        %flipOnto
         search.
  %ULI-Step
   GEqI1: apply updateListIndex_pos to ULI1.
   EvCond: assert <evalExpr {P}> FE
                         ([(Hold, HoldL), (SaveI, VI),
                           (SaveE, V)]::G)
                         (greater (name SaveI) (num 0)) trueVal [].
     unfold. exists VI, [], intVal 0, [], I, 0. split.
       %eval SaveI I
        search.
       %eval 0 0
        search.
       %matchInt I
        search.
       %matchInt 0
        search.
       %I > 0
        Or: apply greatereq_integer_greater_or_eq to GEqI0.
        C: case Or.
          %I > 0
           search.
          %I = 0
           compute ULI. LEq: case GEqI1. case LEq.
       %append output
        search.
   EvBodyA: assert
              <evalStmt {P}> FE
                ([]::[(Hold, HoldL), (SaveI, VI),
                      (SaveE, V)]::G)
                (assign SaveI (minus (name SaveI) (num 1)))
                ([]::[(SaveI, intVal I1), (Hold, HoldL),
                      (SaveE, V)]::G) [].
     unfold. exists intVal I1. split.
       %eval expr
        unfold. exists VI, [], intVal 1, [], I, 1. split.
          %eval SaveI
           search.
          %eval -1
           search.
          %matchInt I
           search.
          %matchInt -1
           search.
          %subtract
           search.
          %append output
           search.
       %replaceScopes
        unfold.
          %no_lookup first
           search.
          %lookupScopes rest
           unfold. exists VI. split.
             %mem
              search.
             %remove_all
              unfold. intros E. case E. backchain NEqHI. unfold.
              unfold. intros E. case E. backchain NEqIE. search.
   EvBodyB: assert
              <evalStmt {P}> FE
                ([]::[(SaveI, intVal I1), (Hold, HoldL),
                      (SaveE, V)]::G)
                (assign Hold (cons (head (name L)) (name Hold)))
                ([]::[(Hold, (consVal X HoldL)), (SaveI, intVal I1),
                      (SaveE, V)]::G) [].
     EvL: assert
              <evalExpr {P}> FE
                 ([]::[(SaveI, intVal I1), (Hold, HoldL),
                       (SaveE, V)]::G) (name L) (consVal X Tl) [].
       LS: case LS.
         %LS-FirstScope
          L: case LS. apply NEqHL to _. L: case L1. apply NEqIL to _.
          L: case L2. apply NEqEL to _. case L3.
         %LS-Later
          assert no_lookup [(SaveI, intVal I1), (Hold, HoldL),
                            (SaveE, V)] L. search.
     unfold. exists consVal X HoldL. split.
       %eval expr
        unfold. exists recBuild
                          (consRecFieldExprs "null" matchEval:host:false
                          (consRecFieldExprs "head" (head (name L))
                          (consRecFieldExprs "tail" (name Hold)
                           nilRecFieldExprs))),
                       recVal [("null", falseVal),
                               ("head", X),
                               ("tail", HoldL)], [], [], [].
        split.
          %eval head(name(L))
           search.
          %eval name(Hold)
           assert lookupScopes Hold
                     ([(SaveI, intVal I1), (Hold, HoldL),
                       (SaveE, V)]::G) HoldL.
             unfold. unfold. intros E. case E. backchain NEqHI.
             search.
           search.
          %append output
           search.
          %proj
           search.
          %eval proj
           unfold. unfold. exists [], []. split. search.
           unfold. exists [], []. split. search. unfold.
           exists [], []. split.
           assert lookupScopes Hold
                     ([(SaveI, intVal I1), (Hold, HoldL),
                       (SaveE, V)]::G) HoldL.
             unfold. unfold. intros E. case E. backchain NEqHI.
             search.
           search. search. search. search. search.
       %replaceScopes
        unfold. search. unfold. exists HoldL. split.
          %mem
           search.
          %remove_all
           unfold. intros E. case E. backchain NEqHI. unfold. unfold.
           intros E. case E. backchain NEqHE. search.
   EvBodyC: assert exists G',
              <evalStmt {P}> FE
                ([]::[(Hold, (consVal X HoldL)), (SaveI, intVal I1),
                      (SaveE, V)]::G) (assign L (tail (name L)))
                ([]::[(Hold, (consVal X HoldL)), (SaveI, intVal I1),
                      (SaveE, V)]::G') [] /\
              replaceScopes L Tl G G'.
     IsL: apply lookupScopes_is to _ LS.
     apply lookupScopes_is_key to _ LS.
     RS: apply lookupScopes_replaceScopes_exists to _ _ LS with
           V' = Tl. RS: case RS (keep).
       %RS-FirstScope
        M: case RS1. apply NEqHL to _. M: case M. apply NEqIL to _.
        M: case M. apply NEqEL to _. case M.
       %RS-Later
        exists New. split.
          %eval
           unfold. exists Tl. split.
             %eval expr
              LS: case LS.
                %LS-FirstScope
                 L: case LS. apply NEqHL to _. L: case L1.
                 apply NEqIL to _. L: case L2. apply NEqEL to _.
                 case L3.
                %LS-Later
                 search 20.
             %replaceScopes
              search 6.
          %replaceScopes L
           search.
   EvBodyC: case EvBodyC.
   EvBody: assert
             <evalStmt {P}> FE
               ([]::[(Hold, HoldL), (SaveI, VI),
                     (SaveE, V)]::G)
               (seq (assign SaveI (minus (name SaveI) (num 1)))
               (seq (assign Hold (cons (head (name L)) (name Hold)))
                    (assign L (tail (name L)))))
               ([]::[(Hold, consVal X HoldL), (SaveI, intVal I1),
                     (SaveE, V)]::G') [].
   clear EvBodyA EvBodyB EvBodyC. %done with these, as EvBody is here
   ListyH': assert listy (consVal X HoldL).
   IsL: apply lookupScopes_is to _ LS. Is: case Is+. Is: case Is.
   Is: case Is. Is: case Is2. Is: case Is2. Is: case Is4.
   Is: case Is4. case IsL. apply matchInt_is to _ MI.
   apply minus_integer_is_integer to _ _ ULI.
   EvBody': apply drop_proj_rel_evalStmt to EvBody.
   apply lookupScopes_is_key to _ LS.
   IsG'+: apply evalStmt_isCtx to _ _ _ EvBody'. search 6. search 8.
   case IsG'+.
   IsG'+: assert is_list (is_list (is_pair is_string is_value))
                    ([(Hold, consVal X HoldL), (SaveI, intVal I1),
                      (SaveE, V)]::G').
   assert lookupScopes L
              ([(Hold, consVal X HoldL), (SaveI, intVal I1),
                (SaveE, V)]::G') Tl.
     apply replaceScopes_lookupScopes_same to EvBodyC1. search.
   Sub: apply IH to ULI1 NEqHI NEqHL NEqIE NEqIL NEqHE NEqEL
                    ListyH' _ _ _ IsG'+ _.
   EvSub: case Sub. %split this to build eval for first loop
   case EvSub2.
   EvLoop1: assert
        <evalStmt {P}> FE
          ([(Hold, HoldL), (SaveI, VI), (SaveE, V)]::G)
          (while (greater (name SaveI) (num 0))
            (seq (assign SaveI (minus (name SaveI) (num 1)))
            (seq (assign Hold (cons (head (name L)) (name Hold)))
                 (assign L (tail (name L)))))) EE1 [].
   exists G'1, LV, VI'. split.
     %eval
      search.
     %matchInt
      search.
     %replaceScopes
      apply replaceScopes_twice to EvBodyC1 Sub2. search.
     %flipOnto
      case Sub3. search.


Prove_Constraint matchEval:host:proj_evalStmt_forward. [Show Proof]

%Proj-ListUpdate
 Is: case IsS. Ev: case Ev.
 assert SaveE = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr3 _.
 assert SaveI = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr1 _.
 assert Hold = L -> false.
   intros E. case E. apply fresh_name_not_mem to Pr2 _.
 assert Hold = SaveE -> false.
   intros E. case E. AppE: apply fresh_name_start to _ Pr3.
   AppH: apply fresh_name_start to _ Pr2. search 6.
   case AppE. case AppH.
 assert Hold = SaveI -> false.
   intros E. case E. AppI: apply fresh_name_start to _ Pr1.
   AppH: apply fresh_name_start to _ Pr2. search 6.
   case AppI. case AppH.
 NEqIE: assert SaveI = SaveE -> false.
   intros E. case E. AppI: apply fresh_name_start to _ Pr1.
   AppE: apply fresh_name_start to _ Pr3. case AppI. case AppE.
 EvI: assert evalStmt FE ([]::EE) (declare intTy SaveI I)
                      ([(SaveI, VI)]::EE) O2.
   V: apply vars_exist to Is1.
   apply evalExpr_rel_exists to _ _ _ _ Ev1 V _ with EE_A = []::EE.
   search.
 apply fresh_name_is to _ Pr1. apply evalExpr_isValue to _ _ _ Ev1.
 EvE: assert evalStmt FE ([(SaveI, VI)]::EE)
                      (declare intTy SaveE E)
                      ([(SaveE, V), (SaveI, VI)]::EE) O3.
   V: apply vars_exist to Is2.
   apply evalExpr_rel_exists to _ _ _ _ Ev3 V _ with
      EE_A = ([(SaveI, VI)]::EE).
     intros M L. MemN: apply lookupScopes_names to L Names.
     assert SaveI = X -> false.
       intros E. case E. apply fresh_name_not_mem to Pr1 _.
     search.
   search.
 apply fresh_name_is to _ Pr3. apply evalExpr_isValue to _ _ _ Ev3.
 EvAI: assert evalStmt FE ([(SaveE, V), (SaveI, VI)]::EE)
                       (assign SaveI (name SaveI))
                       ([(SaveI, VI), (SaveE, V)]::EE) [].
    assert SaveE = SaveI -> false. intros E. case E. backchain NEqIE.
    search.
 EvH: assert evalStmt FE ([(SaveI, VI), (SaveE, V)]::EE)
                      (declare intTy Hold (matchEval:list:nil intTy))
                      ([(Hold, nilVal), (SaveI, VI),
                        (SaveE, V)]::EE) [].
 IsSaveI: apply fresh_name_is to _ Pr1.
 IsHold: apply fresh_name_is to _ Pr2. search 6.
 GEq: apply updateListIndex_pos to Ev4.
 IsN: apply evalExpr_isValue to _ _ _ Ev1.
 Main: apply proj_listUpdate_eval to _ _ _ _ _ _ _ _ _ _ _ _ _ with
         OldL = LV, I = N, V = V, NewL = LV2, Hold = Hold, VI = VI,
         HoldL = nilVal, SaveI = SaveI, SaveE = SaveE, G = EE, L = L.
 apply drop_proj_rel_evalStmt to Main.
 exists G'. IsO3: apply evalExpr_isOutput to _ _ _ Ev3.
 apply is_list_values_append_nil to IsO3. split.
   %eval
    search 20.
   %scopes_same
    case Main3. apply replaceScopes_unique to Main2 Ev5.
    apply lookupScopes_is to _ Ev.
    apply evalExpr_isValue to _ _ _ Ev3.
    apply updateListIndex_is to _ _ Ev4.
    apply replaceScopes_is to _ _ Main2.
    backchain scopes_same_reflexive.
%Proj-ListForeach
 Is: case IsS. Ev: case Ev. apply evalExpr_isValue to _ _ _ Ev.
 EvW: apply iterateList_to_while to _ _ _ _ _ Ev1 Names Pr1.
 V: apply vars_exist to _ with E = L.
 Ev': apply evalExpr_rel_exists to _ _ _ _ Ev V _ with EE_A = []::EE.
 apply iterateList_isCtx to _ _ _ _ _ Ev1.
 exists EE'. split. search. backchain scopes_same_reflexive.


Prove_Ext_Ind matchEval:host:evalExpr,
              matchEval:host:evalArgs,
              matchEval:host:evalRecFields,
              matchEval:host:evalStmt
with forall FE EE V X Body EE' O,
        iterateList FE EE V X Body EE' O with
           IsFE : is_list (is_pair is_string
                          (is_pair is_string
                          (is_pair is_value
                          (is_pair (is_list is_string) is_stmt)))) FE,
           IsEE : is_list (is_list (is_pair is_string is_value)) EE,
           IsV : is_value V,
           IsX : is_string X,
           IsBody : is_stmt Body
and
  iterateList_to_while_P :
    forall FE SaveL V EE X Body EE' O Names N N',
      IsFE : is_list (is_pair is_string
                     (is_pair is_string
                     (is_pair is_value
                     (is_pair (is_list is_string) is_stmt)))) FE ->
      IsEE : is_list (is_list (is_pair is_string is_value))
                ([(SaveL, V)]::EE) ->
      IsV : is_value V ->
      IsX : is_string X ->
      IsBody : is_stmt Body ->
      IL : <iterateList {ES}> FE EE V X Body EE' O N ->
      /*
        The reason we do `acc (N + 1)` is because we need to use the
        IH for acc to change a derivation of evaluation for the body
        into evalStmt_P, where the derivation is not annotated.  Thus
        we need to know its size is smaller, but that is not
        guaranteed for the iterateList size directly.  However,
        whenever we want to use this, we evaluated the iterateList
        with its larger size, and thus have acc for the size of the
        iterateList derivation + 1.
      */
      Plus : 1 + N = N' ->
      Acc : acc N' ->
      Names : names EE Names ->
      Fr : fresh_name "L" (X::Names) SaveL ->
      %
      exists V',
        <evalStmt {P}> FE ([(SaveL, V)]::EE)
           (while (not (null (name SaveL)))
              (seq (declare intTy X (head (name SaveL)))
              (seq (assign SaveL (tail (name SaveL)))
                   Body))) ([(SaveL, V')]::EE') O
  on Acc as IH_IL_W_A, IL * as IH_IL_W. [Show Proof]

%evalExpr
 %E-Nil
  apply names_exists to IsEE. search.
 %E-Cons
  apply names_exists to IsEE. apply ext_size_is_int_evalExpr to R3.
  apply ext_size_is_int_evalExpr to R4. case IsE.
  apply plus_integer_is_integer to _ _ R2.
  L: apply lt_plus_one to R1 _. apply ext_size_pos_evalExpr to R3.
  apply ext_size_pos_evalExpr to R4. Acc: case Acc.
  RP1: assert <evalExpr {P}> FE EE E1 V1 O2.
    Or: apply lt_left to R2 _ _. L': case Or.
      %N2 < N4
       L'': apply less_integer_transitive to L' L.
       A2: apply Acc to _ L''. apply IH to R3 A2 _ _ _. search.
      %N2 = N4
       A2: apply Acc to _ L. apply IH to R3 A2 _ _ _. search.
  RP2: assert <evalExpr {P}> FE EE E2 V2 O3.
    Or: apply lt_right to R2 _ _ _. L': case Or.
      %N3 < N4
       L'': apply less_integer_transitive to L' L.
       A3: apply Acc to _ L''. apply IH to R4 A3 _ _ _. search.
      %N3 = N4
       A3: apply Acc to _ L. apply IH to R4 A3 _ _ _. search.
  unfold. exists
            (recBuild (consRecFieldExprs "null" matchEval:host:false
                      (consRecFieldExprs "head" E1
                      (consRecFieldExprs "tail" E2
                       nilRecFieldExprs)))),
            recVal [("null", falseVal), ("head", V1), ("tail", V2)],
            O, O2, O3. split.
    %eval_P E1
     search.
    %eval_P E2
     search.
    %append output
     search.
    %proj
     search.
    %eval proj
     Ev1: apply drop_ext_size_evalExpr to R3.
     Ev2: apply drop_ext_size_evalExpr to R4.
     IsO2: apply evalExpr_isOutput to _ _ _ Ev1.
     IsO3: apply evalExpr_isOutput to _ _ _ Ev2.
     apply is_list_values_append_nil to IsO2.
     apply is_list_values_append_nil to IsO3. search.
 %E-Head
  apply ext_size_is_int_evalExpr to R2.
  apply ext_size_pos_evalExpr to R2. case IsE. Acc: case Acc.
  L: apply lt_plus_one to R1 _. A: apply Acc to _ L.
  apply IH to R2 A _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
  IsO: apply evalExpr_isOutput to _ _ _ Ev.
  apply is_list_values_append_nil to IsO. search.
 %E-Tail
  apply ext_size_is_int_evalExpr to R2.
  apply ext_size_pos_evalExpr to R2. case IsE. Acc: case Acc.
  L: apply lt_plus_one to R1 _. A: apply Acc to _ L.
  apply IH to R2 A _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
  IsO: apply evalExpr_isOutput to _ _ _ Ev.
  apply is_list_values_append_nil to IsO. search.
 %E-Null-True
  apply ext_size_is_int_evalExpr to R2.
  apply ext_size_pos_evalExpr to R2. case IsE. Acc: case Acc.
  L: apply lt_plus_one to R1 _. A: apply Acc to _ L.
  apply IH to R2 A _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
  IsO: apply evalExpr_isOutput to _ _ _ Ev.
  apply is_list_values_append_nil to IsO. search.
 %E-Null-False
  apply ext_size_is_int_evalExpr to R2.
  apply ext_size_pos_evalExpr to R2. case IsE. Acc: case Acc.
  L: apply lt_plus_one to R1 _. A: apply Acc to _ L.
  apply IH to R2 A _ _ _. Ev: apply drop_ext_size_evalExpr to R2.
  IsO: apply evalExpr_isOutput to _ _ _ Ev.
  apply is_list_values_append_nil to IsO. search.
%evalStmt
 %E-ListUpdate
  Is: case IsS.
  %R_P for sub-derivations are smaller
  apply ext_size_is_int_evalExpr to R4.
  apply ext_size_is_int_evalExpr to R6.
  apply ext_size_pos_evalExpr to R4.
  apply ext_size_pos_evalExpr to R6.
  apply plus_integer_is_integer to _ _ R2.
  L4: apply lt_plus_one to R1 _. Acc': case Acc (keep).
  L2: assert N2 < N.
    Or: apply lt_right to R2 _ _ _. L': case Or.
      %N2 < N4
       apply less_integer_transitive to L' L4. search.
      %N2 = N4
       search.
  L3: assert N3 < N.
    Or: apply lt_left to R2 _ _. L': case Or.
      %N3 < N4
       apply less_integer_transitive to L' L4. search.
      %N3 = N4
       search.
  A2: apply Acc' to _ L2. A3: apply Acc' to _ L3.
  EvI: apply IH to R4 A3 _ _ _. EvE: apply IH to R6 A2 _ _ _.
  EvI': apply drop_ext_size_evalExpr to R4.
  EvE': apply drop_ext_size_evalExpr to R6.
  apply evalExpr_isValue to _ _ _ EvI'.
  apply evalExpr_isValue to _ _ _ EvE'.
  %set up for projection with fresh names
  NamesEE: apply names_exists to IsEE. rename N5 to Names.
  IsNames: apply names_is to _ NamesEE.
  IsNames+: assert is_list is_string (L::Names).
  FrI: apply fresh_name_exists to _ IsNames+ with Base = "I".
  FrH: apply fresh_name_exists to _ IsNames+ with Base = "Hold".
    search 6.
  FrE: apply fresh_name_exists to _ IsNames+ with Base = "E".
  apply fresh_name_is to _ FrI. apply fresh_name_is to _ FrE.
  apply fresh_name_is to _ FrH. search 6. rename F to SaveI.
  rename F1 to Hold. rename F2 to SaveE.
  %uniqueness of names for projection evaluation
  assert SaveE = L -> false.
    intros E. case E. apply fresh_name_not_mem to FrE _.
  assert SaveI = L -> false.
    intros E. case E. apply fresh_name_not_mem to FrI _.
  assert Hold = L -> false.
    intros E. case E. apply fresh_name_not_mem to FrH _.
  assert Hold = SaveE -> false.
    intros E. case E. AppE: apply fresh_name_start to _ FrE.
    AppH: apply fresh_name_start to _ FrH. search 6.
    case AppE. case AppH.
  assert Hold = SaveI -> false.
    intros E. case E. AppI: apply fresh_name_start to _ FrI.
    AppH: apply fresh_name_start to _ FrH. search 6.
    case AppI. case AppH.
  NEqIE: assert SaveI = SaveE -> false.
    intros E. case E. AppI: apply fresh_name_start to _ FrI.
    AppE: apply fresh_name_start to _ FrE. case AppI. case AppE.
  %projection evaluation
  EvI: assert <evalStmt {P}> FE ([]::EE) (declare intTy SaveI I)
                       ([(SaveI, VI)]::EE) O2.
    V: apply vars_exist to Is1.
    E: apply evalExpr_rel_exists_ES to _ _ _ _ R4 V _ with
          EE_A = []::EE. apply IH to E A3 _ _ _. search 10.
  EvE: assert <evalStmt {P}> FE ([(SaveI, VI)]::EE)
                       (declare intTy SaveE E)
                       ([(SaveE, V), (SaveI, VI)]::EE) O3.
    V: apply vars_exist to Is2.
    E: apply evalExpr_rel_exists_ES to _ _ _ _ R6 V _ with
       EE_A = ([(SaveI, VI)]::EE).
      intros M L. MemN: apply lookupScopes_names to L NamesEE.
      assert SaveI = X -> false.
        intros E. case E. apply fresh_name_not_mem to FrI _.
      search.
    apply IH to E A2 _ _ _. search.
  EvAI: assert <evalStmt {P}> FE ([(SaveE, V), (SaveI, VI)]::EE)
                        (assign SaveI (name SaveI))
                        ([(SaveI, VI), (SaveE, V)]::EE) [].
     assert SaveE = SaveI -> false. intros E. case E. backchain NEqIE.
     search.
  EvH: assert <evalStmt {P}> FE ([(SaveI, VI), (SaveE, V)]::EE)
                       (declare intTy Hold (matchEval:list:nil intTy))
                       ([(Hold, nilVal), (SaveI, VI),
                         (SaveE, V)]::EE) [].
  GEq: apply updateListIndex_pos to R7.
  Main: apply proj_listUpdate_eval to _ _ _ _ _ _ _ _ _ _ _ _ _ with
          OldL = LV, I = N1, V = V, NewL = LV2, Hold = Hold, VI = VI,
          HoldL = nilVal, SaveI = SaveI, SaveE = SaveE, G = EE, L = L.
  IsO3: apply evalExpr_isOutput to _ _ _ EvE'.
  apply is_list_values_append_nil to IsO3. search 20.
 %E-ListForeach
  IsS: case IsS.
  %R_P for sub-derivations are smaller
  apply ext_size_is_int_evalExpr to R3.
  apply ext_size_is_int_iterateList to R4.
  apply ext_size_pos_evalExpr to R3.
  apply ext_size_pos_iterateList to R4.
  apply plus_integer_is_integer to _ _ R2.
  L4: apply lt_plus_one to R1 _. Acc': case Acc (keep).
  L2: assert N2 < N.
    Or: apply lt_left to R2 _ _. L': case Or.
      %N2 < N4
       apply less_integer_transitive to L' L4. search.
      %N2 = N4
       search.
  L3: assert N3 < N.
    Or: apply lt_right to R2 _ _ _. L': case Or.
      %N3 < N4
       apply less_integer_transitive to L' L4. search.
      %N3 = N4
       search.
  A2: apply Acc' to _ L2. apply IH to R3 A2 _ _ _.
  Ev: apply drop_ext_size_evalExpr to R3.
  apply evalExpr_isValue to _ _ _ Ev.
  A3: apply Acc' to _ L3. ILP: apply IH10 to R4 A3 _ _ _ _ _.
  %create proj rel derivation for projection
  EvE: apply drop_ext_size_evalExpr to R3.
  Names: apply names_exists to IsEE. IsN1: apply names_is to _ Names.
  Fr: apply fresh_name_exists to _ _ with Base = "L", Names = X::N1.
  LenEE: apply length_exists_list_pair_string_value to IsEE.
  rename F to SaveL. rename N5 to Len.
  NNS: assert newNameScopes [[(SaveL, LV)]] Len
                 ([(SaveL, LV)]::EE) EE.
    unfold. exists 1, [SaveL], N1. split. search. search. search.
    search. search. intros MSL MX. MSL: case MSL.
      apply fresh_name_not_mem to Fr _. case MSL.
  apply fresh_name_is to _ Fr.
  ILP': apply iterateList_newNameScopes_exists_ES to
           _ _ _ _ _ _ R4 NNS.
  IL: apply drop_ext_size_iterateList to R4.
  IL': apply drop_ext_size_iterateList to ILP'.
  NNS': apply iterateList_newNameScopes to _ _ _ _ _ _ IL' IL NNS.
  NNS': case NNS'.
    %end
     Take: case NNS'2. case Take1. compute Take. Drop: case NNS'1.
     IsN8: apply drop_is_integer to Drop1.
     apply plus_integer_unique_addend to _ _ _ Take Drop.
     Eq: assert L1 = EE'.
       D: case Drop1. search. GEq: apply drop_geq_0 to D1.
       apply drop_is_integer to D1. P: assert 1 + -1 = 0.
       apply plus_integer_unique_addend to _ _ _ P D.
       LEq: case GEq. case LEq.
     case Eq. clear Take Drop Drop1 IsN8.
     ILP'': apply IH4 to ILP' A3 _ _ _ _ _.
     Plus: apply plus_integer_total to _ _ with N1 = 1, N2 = N3.
     EvWP: assert exists V',
           <evalStmt {P}> FE ([(SaveL, LV)]::EE)
              (while (not (null (name SaveL)))
                 (seq (declare intTy X (head (name SaveL)))
                 (seq (assign SaveL (tail (name SaveL))) Body)))
                      ([(SaveL, V')]::EE') O3.
       Or: apply lt_right to R2 _ _ _. L: case Or.
         %N3 < N4
          LEq: apply less_integer_step_lesseq to _ _ L Plus.
          Or: apply lesseq_integer_less_or_eq to LEq. L': case Or.
            %N9 < N4
             L9: apply less_integer_transitive to L' L4.
             apply lesseq_integer__add_positive to _ _ Plus with
                Base = 0. A9: apply Acc' to _ L9.
             apply IH_IL_W to _ _ _ _ _ R4 Plus A9 Names Fr. search.
            %N9 = N4
             apply lesseq_integer__add_positive to _ _ R2 with
               Base = 0. A4: apply Acc' to _ L4.
             apply IH_IL_W to _ _ _ _ _ R4 Plus A4 Names Fr. search.
         %N3 = N4
          apply plus_integer_unique to Plus R1.
          apply IH_IL_W to _ _ _ _ _ R4 Plus Acc Names Fr. search.
     EvWP: case EvWP.
     %eval decl in projection
     V: apply vars_exist to IsS1.
     EvE+: apply evalExpr_rel_exists_ES to _ _ _ _ R3 V _ with
              EE_A = []::EE.
     EvE+': apply drop_ext_size_evalExpr to EvE+.
     unfold. exists N1,
       scopeStmt
         (seq (declare intTy SaveL L)
              (while (not (null (name SaveL)))
                 (seq (declare intTy X (head (name SaveL)))
                 (seq (assign SaveL (tail (name SaveL))) Body)))),
       EE', O, LV, O2, O3. split.
       %evalExpr
        search.
       %iterateList
        search.
       %append output
        search.
       %names
        search.
       %proj
        search.
       %eval proj
        unfold. exists [(SaveL, V')]. unfold.
        exists [(SaveL, LV)]::EE, O2, O3. split.
          %eval declare
           apply IH to EvE+ A2 _ _ _. search.
          %eval while
           search.
          %append output
           search.
    %step
     NSI: apply iterateList_names_same to _ _ _ _ _ IL.
     LenBR+: apply names_same_length to NSI LenEE. LenBR: case LenBR+.
     apply length_is to LenBR. L: apply lt_plus_one to LenBR1 _.
     LEq: apply newNameScopes_length to NNS' LenBR.
     apply less_lesseq_flip_false to L LEq.
%iterateList
 %IL-Nil
  search.
 %IL-Cons
  case IsV. Ev: apply drop_ext_size_evalStmt to R2.
  IL: apply drop_ext_size_iterateList to R3.
  apply ext_size_is_int_evalStmt to R2.
  apply ext_size_is_int_iterateList to R3.
  apply plus_integer_is_integer to _ _ R1.
  Acc': case Acc (keep). apply ext_size_pos_evalStmt to R2.
  apply ext_size_pos_iterateList to R3.
  assert <evalStmt {P}> FE ([(X, Hd)]::EE) Body (Scope::EE3) O2.
    Or: apply lt_left to R1 _ _. L': case Or.
      %N2 < N
       A2: apply Acc' to _ L'. apply IH9 to R2 A2 _ _ _. search.
      %N2 = N
       apply IH9 to R2 Acc _ _ _. search.
  assert <iterateList {P}> FE EE3 Tl X Body EE' O3.
    IsEE3+: apply evalStmt_isCtx to _ _ _ Ev. case IsEE3+.
    Or: apply lt_right to R1 _ _ _. L': case Or.
      %N3 < N
       A3: apply Acc' to _ L'. apply IH10 to R3 A3 _ _ _ _ _. search.
      %N3 = N
       apply IH10 to R3 Acc _ _ _ _ _. search.
  search.
%iterateList_to_while_P
 %IL-Nil
  search 20.
 %IL-Cons
  case IsV.
  assert <evalExpr {P}> FE ([(SaveL, consVal Hd Tl)]::EE)
                        (not (null (name SaveL))) trueVal [].
     search 20.
  assert <evalStmt {P}> FE ([]::[(SaveL, consVal Hd Tl)]::EE)
                        (declare intTy X (head (name SaveL)))
                        ([(X, Hd)]::[(SaveL, consVal Hd Tl)]::EE) [].
     search 20.
  NEq: assert X = SaveL -> false.
    intros E. case E. apply fresh_name_not_mem to Fr _.
  assert <evalStmt {P}> FE ([(X, Hd)]::[(SaveL, consVal Hd Tl)]::EE)
                        (assign SaveL (tail (name SaveL)))
                        ([(X, Hd)]::[(SaveL, Tl)]::EE) []. search 20.
  %body evaluation
  IsSaveL: apply fresh_name_is to _ Fr. IsEE: case IsEE.
  LenEE: apply length_exists_list_pair_string_value to IsEE1.
  rename N1 to Len. Acc': case Acc (keep).
  NNS: assert newNameScopes [[(SaveL, Tl)]] Len
                            ([(SaveL, Tl)]::EE) EE.
    unfold. exists 1, [SaveL], Names. split. search. search. search.
    search. search. intros ML MN. ML: case ML.
      %Mem-Here
       apply fresh_name_not_mem to Fr _.
      %Mem-Later
       case ML.
  Ev: apply evalStmt_newNameScopes_exists_ES to _ _ _ _ IL2 NNS.
  apply ext_size_is_int_iterateList to IL.
  LN: apply lt_plus_one to Plus _.
  EvP: assert <evalStmt {P}> FE ([(X, Hd)]::([(SaveL, Tl)]::EE)) Body
                             EE_A' O2.
     apply ext_size_is_int_evalStmt to IL2.
     apply ext_size_pos_evalStmt to IL2.
     apply ext_size_pos_iterateList to IL3.
     Or: apply lt_left to IL1 _ _. L: case Or.
       %N2 < N
        L': apply less_integer_transitive to L LN.
        A2: apply Acc' to _ L'. apply IH3 to Ev A2 _ _ _. search.
       %N2 = N
        A2: apply Acc' to _ LN. apply IH3 to Ev A2 _ _ _. search.
  %rest of loop
  Ev': apply drop_ext_size_evalStmt to Ev.
  EvB: apply drop_ext_size_evalStmt to IL2.
  Eq: assert EE_A' = Scope::[(SaveL, Tl)]::EE3.
    NNS+: apply evalStmt_newNameScopes to _ _ _ _ Ev' EvB NNS.
    NNS+: case NNS+.
      %end
       IsLen: apply length_is to LenEE.
       P: apply plus_integer_total to _ IsLen with N1 = 1.
       LenEE+: assert length ([(X, Hd)]::EE) N4.
       LenEE3+: apply evalStmt_keep_scopes to _ _ _ EvB LenEE+.
       apply length_unique to LenEE3+ NNS+.
       L: apply lt_plus_one to P _. apply less_integer_not_eq to L.
      %step
       NNS+: case NNS+.
         %end
          Take: case NNS+2. case Take1. compute Take.
          Drop: case NNS+1. apply drop_is_integer to Drop1.
          apply plus_integer_unique_addend to _ _ _ Take Drop.
          Eq: assert L = EE3.
            Drop': case Drop1. search.
            GEq: apply drop_geq_0 to Drop'1.  P: assert 1 + -1 = 0.
            apply drop_is_integer to Drop'1.
            apply plus_integer_unique_addend to _ _ _ P Drop'.
            LEq: case GEq. case LEq.
          case Eq. search.
         %step
          IsLen: apply length_is to LenEE.
          P: apply plus_integer_total to _ IsLen with N1 = 1.
          LenEE+: assert length ([(X, Hd)]::EE) N1.
          LenBR++: apply evalStmt_keep_scopes to _ _ _ EvB LenEE+.
          LenBR+: case LenBR++. apply length_is to LenBR+.
          LenBR: case LenBR+. apply length_is to LenBR.
          LEq: apply newNameScopes_length to NNS+ LenBR.
          apply plus_integer_unique_addend to _ _ _ P LenBR+1.
          L: apply lt_plus_one to LenBR1 _.
          apply less_lesseq_flip_false to L LEq.
  case Eq. Is': apply evalStmt_isCtx to _ _ _ Ev'. Is': case Is'.
  IsN3: apply ext_size_is_int_iterateList to IL3.
  apply ext_size_pos_iterateList to IL3.
  P: apply plus_integer_total to _ IsN3 with N1 = 1.
  apply lesseq_integer__add_positive to _ _ P with Base = 0.
  apply ext_size_pos_evalStmt to IL2.
  Is'': case Is'1. N: apply names_exists to Is''1.
  apply names_is to _ N.
  Fr': apply fresh_name_exists to _ _ with Base = "L", Names = X::N4.
  NS: apply evalStmt_names_same to _ _ _ EvB.
  apply fresh_name_unique_mems to Fr' Fr _ _.
    intros M. M: case M. search.
      apply names_same_names to NS Names N M. search.
    intros M. M: case M. search.
      NS': apply names_same_symmetric to NS.
      apply names_same_names to NS' N Names M. search.
  Or: apply lt_right to IL1 _ _ _. L: case Or.
    %N3 < N
     LEq: apply less_integer_step_lesseq to _ _ L P.
     Or: apply lesseq_integer_less_or_eq to LEq. L': case Or.
       %N1 < N
        L'': apply less_integer_transitive to L' LN.
        A: apply Acc' to _ L''.
        apply IH_IL_W to _ _ _ _ _ IL3 P A N Fr'. search.
       %N1 = N
        A: apply Acc' to _ LN.
        apply IH_IL_W to _ _ _ _ _ IL3 P A N Fr'. search.
    %N3 = N
     apply IH_IL_W to _ _ _ _ _ IL3 Plus Acc N Fr'. search.


Prove matchEval:host:paramName_unique.
Prove_Constraint matchEval:host:proj_paramName_forward.
Prove_Constraint matchEval:host:proj_paramName_back.
Prove matchEval:host:getFunEvalInfo_unique.
Prove_Constraint matchEval:host:proj_getFunEvalInfo_forward.
Prove_Constraint matchEval:host:proj_getFunEvalInfo_back.

Prove matchEval:host:evalProgram_unique.
Prove_Constraint matchEval:host:proj_evalProgram_forward.
Prove_Constraint matchEval:host:proj_evalProgram_back.


Theorem updateListIndex_typePres : forall L Ty I V Out,
  valueType L (listTy Ty) -> valueType V Ty ->
  updateListIndex L I V Out -> valueType Out (listTy Ty). [Show Proof]

induction on 3. intros VTL VTV ULI. ULI: case ULI.
  %ULI-0
   VTL: case VTL. search.
  %ULI-Step
   VTL: case VTL. apply IH to _ _ ULI1. search.


Prove matchEval:host:matchRec_typePres. [Show Proof]

%MR-Nil
 case VTy.
%MR-Cons
 case VTy.


Prove matchEval:host:evalExpr_typePres,
      matchEval:host:evalStmt_typePres,
      matchEval:host:evalArgs_typePres,
      matchEval:host:evalRecFields_typePres
with
  iterateList_typePres : forall V X Body FT ET Ty Sc ET' FE EE EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFT : is_list (is_pair is_string
                   (is_pair is_typ (is_list is_typ))) FT ->
    IsET : is_list (is_list (is_pair is_string is_typ)) ET ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    Ty : stmtOK FT ([(X, Ty)]::ET) Body (Sc::ET') ->
    VTy : valueType V (listTy Ty) ->
    IsTy : is_typ Ty ->
    IL : iterateList FE EE V X Body EE' O ->
    Funs : (forall F RetTy ArgTys ArgNames Body RetVar RVVal,
              lookup FT F (RetTy, ArgTys) ->
              lookup FE F (RetVar, RVVal, ArgNames, Body) ->
              exists Scope TyEnv',
                zip ArgNames ArgTys Scope /\
                valueType RVVal RetTy /\
                stmtOK FT [((RetVar, RetTy)::Scope)] Body TyEnv') ->
    Ctxs : related_all_scopes ET EE ->
    related_all_scopes ET' EE'
  on IL as IH_IL. [Show Proof]

%evalExpr_typePres
 %E-Nil
  case Ty. search.
 %E-Cons
  case IsE. Ty: case Ty. apply IH_E to _ _ _ _ _ _ Ev1 _ _.
  apply IH_E to _ _ _ _ _ _ Ev2 _ _. search.
 %E-Head
  case IsE. Ty: case Ty. VT: apply IH_E to _ _ _ _ _ _ Ev1 _ _.
  VT: case VT. search.
 %E-Tail
  case IsE. Ty: case Ty. VT: apply IH_E to _ _ _ _ _ _ Ev1 _ _.
  VT: case VT. search.
 %E-Null-True
  case Ty. search.
 %E-Null-False
  case Ty. search.
%evalStmt_typePres
 %E-ListUpdate
  case IsS. Ty: case Ty. VT: apply IH_E to _ _ _ _ _ _ Ev4 _ _.
  VTL: apply related_all_scopes_lookupScopes to Ctxs Ty Ev1.
  apply updateListIndex_typePres to VTL VT Ev5.
  apply related_all_scopes_replaceScopes to _ _ _ Ev6 _ _. search.
 %E-ListForeach
  case IsS. Ty: case Ty.
  IsLTy: apply typeOf_isTy to _ _ _ Ty. case IsLTy.
  apply stmtOK_older_scopes_same to _ _ _ Ty1.
  apply evalExpr_isValue to _ _ _ Ev1.
  apply IH_E to _ _ _ _ _ _ Ev1 _ _.
  apply IH_IL to _ _ _ _ _ _ _ Ty1 _ _ Ev2 _ _. search.
%iterateList_typePres
 %IL-Nil
  apply stmtOK_older_scopes_same to _ _ _ Ty. search.
 %IL-Cons
  apply stmtOK_older_scopes_same to _ _ _ Ty. case IsV. case VTy.
  assert related_all_scopes ([(X, Ty)]::ET) ([(X, Hd)]::EE).
    unfold.
      %lookup
       intros L. L: case L. search. case L1.
      %no_lookup
       intros NL. case NL. search.
      %rest
       search.
  Ctxs': apply IH_S to _ _ _ _ _ Ty IL1 _ _. case Ctxs'.
  IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ _ _ Ty _ _ IL2 _ _. search.


Prove matchEval:host:paramTy_paramName_same.
Prove matchEval:host:funOK_getFunEvalInfo_related.


Prove matchEval:host:evalExpr_output_forms,
      matchEval:host:evalStmt_output_forms,
      matchEval:host:evalArgs_output_forms,
      matchEval:host:evalRecFields_output_forms
with
  iterateList_output_forms : forall V X Body FE EE EE' O,
    IsV : is_value V ->
    IsX : is_string X ->
    IsBody : is_stmt Body ->
    IsFE : is_list (is_pair is_string
                   (is_pair is_string
                   (is_pair is_value
                   (is_pair (is_list is_string) is_stmt)))) FE ->
    IsEE : is_list (is_list (is_pair is_string is_value)) EE ->
    IL : iterateList FE EE V X Body EE' O ->
    output_forms O
  on IL as IH_IL. [Show Proof]

%evalExpr_output_forms
 %E-Nil
  search.
 %E-Cons
  case IsE. apply IH_E to _ _ _ Ev1. apply IH_E to _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
 %E-Head
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Tail
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-True
  case IsE. apply IH_E to _ _ _ Ev1. search.
 %E-Null-False
  case IsE. apply IH_E to _ _ _ Ev1. search.
%evalStmt_output_forms
 %E-ListUpdate
  case IsS. apply IH_E to _ _ _ Ev2. apply IH_E to _ _ _ Ev4.
  apply output_forms_append to _ _ Ev7. search.
 %E-ListForeach
  case IsS. apply IH_E to _ _ _ Ev1.
  apply evalExpr_isValue to _ _ _ Ev1.
  apply IH_IL to _ _ _ _ _ Ev2.
  apply output_forms_append to _ _ Ev3. search.
%iterateList_output_forms
 %IL-Nil
  search.
 %IL-Cons
  case IsV. apply IH_S to _ _ _ IL1.
  IsEE3+: apply evalStmt_isCtx to _ _ _ IL1. case IsEE3+.
  apply IH_IL to _ _ _ _ _ IL2. apply output_forms_append to _ _ IL3.
  search.


Prove matchEval:host:evalProgram_output_forms.


Prove matchEval:host:paramName_exists.
Prove matchEval:host:getFunEvalInfo_exists.