Require Import compcert.lib.Coqlib.
Require Import compcert.common.AST.
Require Import compcert.common.Globalenvs.
Require Import liblayers.lib.Decision.
Require Import liblayers.lib.Monad.
Require Import liblayers.lib.OptionMonad.
Require Import liblayers.compcertx.ErrorMonad.
Require Import liblayers.compcertx.CompcertStructures.
Require Import liblayers.compcertx.MakeProgram.
Require Import liblayers.compcertx.StencilImpl.
Require liblayers.compcertx.InitMem.

Module Genv.
Import Maps.
Export Globalenvs.Genv.

Section GENV.

  Context {F V: Type}.

  Lemma find_funct_ptr_find_symbol_aux:
    ∀ l2 ge l1,
      list_norepet (map fst (l1 ++ l2)) →
      (∀ i b, find_symbol (V := V) ge i = Some b → In i (map fst l1)) →
      (∀ b f, find_funct_ptr ge b = Some f →
       ∃ i, find_symbol ge i = Some b) →
      ∀ b (f: F),
      find_funct_ptr (add_globals ge l2) b = Some f →
      ∃ i, find_symbol (add_globals ge l2) i = Some b.
  Proof.
    induction l2; simpl; try tauto.
    intros until 3.
    eapply IHl2.
    × instantiate (1 := (l1 ++ a :: nil)).
      rewrite app_ass. assumption.
    × intros. rewrite map_app. simpl.
      apply in_or_app.
      revert H2. unfold find_symbol. simpl.
      rewrite PTree.gsspec.
      destruct (peq i (@fst positive _ a));
      subst; auto.
      left; eauto.
    × assert (P: ∀ b f, find_funct_ptr ge b = Some f →
                        ∃ i, find_symbol (add_global ge a) i = Some b).
      {
        intros. exploit H1; eauto. destruct 1.
        exploit Genv.genv_symb_range; eauto.
        intro.
        unfold find_symbol. simpl.
        ∃ x.
        rewrite PTree.gso; auto.
        intro; subst.
        exploit H0; eauto.
        intro.
        rewrite map_app in H.
        rewrite list_norepet_app in H.
        destruct H as (? & ? & K).
        unfold list_disjoint in K.
        eapply K; eauto.
        simpl; auto.
      }
      unfold find_funct_ptr, find_symbol. simpl.
      destruct a; simpl.
      destruct o; simpl; auto.
      destruct g; simpl; auto.
      intros ? ?.
      rewrite PTree.gsspec.
      destruct (peq b (genv_next ge)); eauto.
      inversion 1; subst.
      esplit. eapply PTree.gss.
  Qed.

  Theorem find_funct_ptr_find_symbol:
    ∀ p b (f: F),
      list_norepet (prog_defs_names (V := V) p) →
      find_funct_ptr (globalenv p) b = Some f →
      ∃ id,
        find_symbol (globalenv p) id = Some b.
  Proof.
    unfold globalenv. unfold prog_defs_names.
    intros.
    eapply find_funct_ptr_find_symbol_aux.
    × instantiate (1 := nil). eassumption.
    × unfold find_symbol. intros ? ?.
      rewrite PTree.gempty. discriminate.
    × unfold find_funct_ptr. intros ? ?.
      rewrite PTree.gempty. discriminate.
    × eassumption.
  Qed.

  Lemma find_var_info_find_symbol_aux:
    ∀ l2 ge l1,
      list_norepet (map fst (l1 ++ l2)) →
      (∀ i b, find_symbol (F := F) ge i = Some b → In i (map fst l1)) →
      (∀ b v, find_var_info ge b = Some v →
       ∃ i, find_symbol ge i = Some b) →
      ∀ b (v: _ V),
      find_var_info (add_globals ge l2) b = Some v →
      ∃ i, find_symbol (add_globals ge l2) i = Some b.
  Proof.
    induction l2; simpl; try tauto.
    intros until 3.
    eapply IHl2.
    × instantiate (1 := (l1 ++ a :: nil)).
      rewrite app_ass. assumption.
    × intros. rewrite map_app. simpl.
      apply in_or_app.
      revert H2. unfold find_symbol. simpl.
      rewrite PTree.gsspec.
      destruct (peq i (@fst positive _ a));
      subst; auto.
      left; eauto.
    × assert (P: ∀ b v, find_var_info ge b = Some v →
                        ∃ i, find_symbol (add_global ge a) i = Some b).
      {
        intros. exploit H1; eauto. destruct 1.
        exploit Genv.genv_symb_range; eauto.
        intro.
        unfold find_symbol. simpl.
        ∃ x.
        rewrite PTree.gso; auto.
        intro; subst.
        exploit H0; eauto.
        intro.
        rewrite map_app in H.
        rewrite list_norepet_app in H.
        destruct H as (? & ? & K).
        unfold list_disjoint in K.
        eapply K; eauto.
        simpl; auto.
      }
      unfold find_var_info, find_symbol. simpl.
      destruct a; simpl.
      destruct o; simpl; auto.
      destruct g; simpl; auto.
      intros ? ?.
      rewrite PTree.gsspec.
      destruct (peq b (genv_next ge)); eauto.
      inversion 1; subst.
      esplit. eapply PTree.gss.
  Qed.

  Theorem find_var_info_find_symbol:
    ∀ p b (v: _ V),
      list_norepet (prog_defs_names (F := F) p) →
      find_var_info (globalenv p) b = Some v →
      ∃ id,
        find_symbol (globalenv p) id = Some b.
  Proof.
    unfold globalenv. unfold prog_defs_names.
    intros.
    eapply find_var_info_find_symbol_aux.
    × instantiate (1 := nil). eassumption.
    × unfold find_symbol. intros ? ?.
      rewrite PTree.gempty. discriminate.
    × unfold find_var_info. intros ? ?.
      rewrite PTree.gempty. discriminate.
    × eassumption.
  Qed.

  Theorem find_var_info_symbol_inversion:
    ∀ p id b v,
      find_symbol (globalenv (F := F) (V := V) p) id = Some b →
      find_var_info (globalenv p) b = Some v →
      In (id, Some (Gvar v)) p.(prog_defs).
  Proof.
    intros until v. unfold globalenv, find_symbol, find_var_info. apply add_globals_preserves.
    intros. simpl in ×. rewrite PTree.gsspec in H1. destruct (peq id id0).
    inv H1. destruct g as [[f1|v1]|].
    eelim Plt_strict. eapply genv_vars_range; eauto.
    rewrite PTree.gss in H2. inv H2. auto.

    eelim Plt_strict. eapply genv_vars_range; eauto.
    destruct g as [[f1|v1]|].
    auto.
    rewrite PTree.gso in H2. auto.
    apply Plt_ne. eapply genv_symb_range; eauto.
    auto.
    intros. simpl in ×. rewrite PTree.gempty in H. discriminate.
  Qed.

End GENV.

End Genv.

Lemma oplus_lb_eq´ {A: Type}:
  ∀ x y, x ⊕ y = OK None → x = OK (None (A := A)) ∧ y = OK None.
Proof.
  intros.
  destruct x; destruct y; try discriminate.
  destruct o; destruct o0; try discriminate.
  auto.
Qed.

Lemma oplus_id_left´ {A: Type}:
  LeftIdentity eq (⊕) (OK (None (A := A))).
Proof.
  unfold LeftIdentity. intros.
  destruct y; try reflexivity.
  destruct o; reflexivity.
Qed.

Lemma oplus_id_right´ {A: Type}:
  RightIdentity eq (⊕) (OK (None (A := A))).
Proof.
  unfold RightIdentity. intros.
  destruct x; try reflexivity.
  destruct o; reflexivity.
Qed.

Lemma oplus_one_left´ {A: Type}:
  ∀ (a: A) x o,
    (OK (Some a)) ⊕ x = OK o →
    x = OK None ∧ o = Some a.
Proof.
  destruct x; try discriminate.
  destruct o; try discriminate.
  inversion 1; auto.
Qed.

  Lemma assert_ex P `{P_dec: Decision P}:
    P →
    {y | ∀ msg, eassert msg P = OK y}.
  Proof.
    intros.
    unfold eassert.
    destruct (decide P); try contradiction.
    eauto.
  Defined.

  Ltac rewrite_assert H :=
    let y := fresh "y" in
    let Z := fresh "Z" in
    generalize (assert_ex _ H);
      intros [y Z];
      rewrite Z.

  Ltac rewrite_assert´ H HP :=
    let y := fresh "y" in
    let Z := fresh "Z" in
    generalize (assert_ex _ H (P_dec := HP));
      intros [y Z];
      rewrite Z.

  Ltac autorewrite_assert :=
    match goal with
      | [ H : eassert ?msg ?P = OK ?x |- context [ eassert ?msg ?P ] ] ⇒
        rewrite H
      | [ H : ?P |- context [ eassert ?msg ?P (HP := ?HP) ] ] ⇒
        (rewrite_assert´ H HP || rewrite_assert H)
    end.

  Ltac spawn_assert :=
    match goal with
      | [ |- context [ eassert ?msg ?P (HP := ?HP) ] ] ⇒
        cut P; [
            let Z := fresh "Z" in
            intro Z;
              (rewrite_assert´ Z HP || rewrite_assert Z);
              clear Z
          | ]
    end.

  Definition globdef_volatile {F V} (g: globdef F V) :=
    match g with
      | Gfun _ ⇒ false
      | Gvar g ⇒ gvar_volatile g
    end.

  Definition option_globdef_volatile {F V} (g: option (globdef F V)) :=
    match g with
      | None ⇒ false
      | Some g ⇒ globdef_volatile g
    end.

Section WITHMAKEFUNDEFOPS.
  Context `{progfmt: ProgramFormat}.
  Context `{Hmodule: !Modules ident Fm (globvar Vm) module}.
  Context `{Hlayer: !Layers ident primsem (globvar Vm) layer}.

  Definition get_varinfo_globdef mτ: res (option (AST.globdef Fp Vp)) :=
    match mτ with
      | Some τ ⇒
          _ <- eassert (MSG "volatile variable"::nil) (gvar_volatile τ = false);
          ret (Some (Gvar (globvar_map make_varinfo τ)))
      | None ⇒
          OK None
    end.

  Instance get_varinfo_globdef_mon:
    Proper (option_le eq ++> res_le (option_le eq)) get_varinfo_globdef.
  Proof with eauto with liblayers.
    intros τ1 τ2 Hτ.
    destruct Hτ; simpl...
    subst; reflexivity.
  Qed.

  Definition get_function_globdef mκ: res (option (AST.globdef Fp Vp)) :=
    match mκ with
      | None ⇒ OK None
      | Some κ ⇒ κdef <- make_internal κ; OK (Some (Gfun κdef))
    end.

  Instance get_function_globdef_mon:
    Proper (option_le eq ++> res_le (option_le eq)) get_function_globdef.
  Proof.
    unfold get_function_globdef.
    intros ? ? [κ2 | κ1 κ2 Hκ].
    × apply lower_bound.
    × subst. reflexivity.
  Qed.

  Definition get_primitive_globdef {D} i mσ: res (option (AST.globdef Fp Vp)):=
    match mσ with
      | None ⇒ OK None
      | Some σ ⇒ σdef <- make_external (D:=D) i σ; OK (Some (Gfun σdef))
    end.

  Instance get_primitive_globdef_mon D:
    Proper (- ==> option_le (≤) ++> res_le (option_le eq))
           (get_primitive_globdef (D := D)).
  Proof.
    unfold get_primitive_globdef.
    intros i ? ? [σ2 | σ1 σ2 Hσ].
    × apply lower_bound.
    × solve_monotonicity.
  Qed.

  Instance get_primitive_globdef_sim_mon:
    Proper
      (∀ R, - ==> sim R ++> res_le eq)
      (fun D ⇒ make_external (D := D)) →
    Proper
      (∀ R, - ==> option_le (sim R) ++> res_le (option_le eq))
      (fun D ⇒ get_primitive_globdef (D := D)).
  Proof.
    intro make_external_sim_monotonic.
    unfold get_primitive_globdef.
    intros D1 D2 R i ? ? [σ2 | σ1 σ2 Hσ].
    × apply lower_bound.
    × solve_monotonicity.
  Qed.

  Definition get_globdef {D} (i: ident) (M: module) (L: layer D) :=
    (mf <- get_module_function i M; get_function_globdef mf) ⊕
    (mτ <- get_module_variable i M; get_varinfo_globdef mτ) ⊕
    (mσ <- get_layer_primitive i L; get_primitive_globdef i mσ) ⊕
    (mτ <- get_layer_globalvar i L; get_varinfo_globdef mτ).

  Global Instance get_globdef_monotonic D:
    Proper (- ==> (≤) ++> sim id ++> res_le (option_le eq)) (@get_globdef D).
  Proof.
    unfold get_globdef.
    solve_monotonicity.
  Qed.

  Global Instance get_globdef_sim_monotonic:
    Proper
      (∀ R, - ==> sim R ++> res_le eq)
      (fun D ⇒ make_external (D := D)) →
    Proper (∀ R, - ==> (≤) ++> sim R ++> res_le (option_le eq)) (@get_globdef).
  Proof.
    unfold get_globdef.
    solve_monotonicity.
  Qed.

  Global Instance: Params (@get_globdef) 3%nat.

  Fixpoint add_prog_defs {D} (ids: list ident) (M: module) (L: layer D) defs:
    res (list (ident × option (globdef _ _))) :=
      match ids with
        | nil ⇒
            ret defs
        | i::ids ⇒
            def <- get_globdef i M L;
            add_prog_defs ids M L (defs ++ (i, def)::nil)
      end.

  Instance add_prog_defs_monotonic D l:
    Proper
      ((≤) ++> (≤) ++> prog_defs_le ++> res_le prog_defs_le)
      (add_prog_defs (D:=D) l).
  Proof.
    induction l; simpl.
    × solve_monotonicity.
    × solve_monotonicity.
  Qed.

  Instance add_prog_defs_sim_monotonic
           (make_external_sim_monotonic:
              Proper
                (∀ R, - ==> sim R ++> res_le eq)
                (fun D ⇒ make_external (D := D)))
           l:
    Proper
      (∀ R, (≤) ++> sim R ++> prog_defs_le ++> res_le prog_defs_le)
      (fun D ⇒ add_prog_defs (D:=D) l).
  Proof.
    induction l; simpl.
    × solve_monotonicity.
    × solve_monotonicity.
      eapply IHl; eauto.
      solve_monotonicity.
  Qed.

  Section ADD_PROG_DEFS.
    Context {D} (M: module) (L: layer D).

    Lemma add_prog_defs_append_intro ids1:
      ∀ ids2 defs defs1 defs2,
        add_prog_defs ids1 M L defs = ret defs1 →
        add_prog_defs ids2 M L defs1 = ret defs2 →
        add_prog_defs (ids1 ++ ids2) M L defs = ret defs2.
    Proof.
      induction ids1; simpl; intros ids2 defs defs1 defs2 H1 H2.
      × inv_monad H1.
        congruence.
      × inv_monad H1.
        rewrite H3.
        autorewrite with monad.
        eauto.
    Qed.

    Lemma add_prog_defs_append_elim ids1:
      ∀ ids2 defs defs2,
        add_prog_defs (ids1 ++ ids2) M L defs = ret defs2 →
        ∃ defs1,
          add_prog_defs ids1 M L defs = ret defs1 ∧
          add_prog_defs ids2 M L defs1 = ret defs2.
    Proof.
      induction ids1; simpl; intros ids2 defs defs2 H.
      × ∃ defs; eauto.
      × inv_monad H.
        rewrite H2.
        rewrite H1.
        autorewrite with monad.
        eapply IHids1.
        assumption.
    Qed.

    Lemma add_prog_defs_incl ids:
      ∀ defs defs´,
        add_prog_defs ids M L defs = ret defs´ →
        List.incl defs defs´.
    Proof.
      induction ids as [ | i ids IHids];
        simpl;
        intros defs defs´ Hdefs´;
        inv_monad Hdefs´.
      × subst.
        now firstorder.
      × intros d Hd.
        eapply IHids; try eassumption.
        apply in_app; now auto.
    Qed.

    Lemma add_prog_defs_prefix_elim ids:
      ∀ defs0 defs1 defs012,
        add_prog_defs ids M L (defs0 ++ defs1) = ret defs012 →
        ∃ defs12,
          defs012 = defs0 ++ defs12 ∧
          add_prog_defs ids M L defs1 = ret defs12.
    Proof.
      induction ids; simpl;
      intros ? ? ? Hdefs´; inv_monad Hdefs´.
      × subst; eauto.
      × rewrite app_ass in H1.
        apply IHids in H1. destruct H1 as [defs12 [Hdefs12 Hadd]].
        subst.
        rewrite H0.
        autorewrite with monad.
        eauto.
    Qed.

    Lemma add_prog_defs_prefix_intro ids:
      ∀ defs0 defs defs´,
        add_prog_defs ids M L defs = ret defs´ →
        add_prog_defs ids M L (defs0 ++ defs) = ret (defs0 ++ defs´).
    Proof.
      induction ids; simpl; intros ? ? ? Hdefs´; inv_monad Hdefs´.
      × congruence.
      × rewrite H0. autorewrite with monad.
        rewrite app_ass. eauto.
    Qed.

    Lemma add_prog_defs_globdef_exists i ids defs defs´:
      add_prog_defs ids M L defs = ret defs´ →
      In i ids →
      ∃ d,
        get_globdef i M L = ret d ∧
        In (i, d) defs´.
    Proof.
      revert i defs defs´.
      induction ids as [ | j ids IHids]; simpl; intros i defs defs´.
      × tauto.
      × intros Hdefs´ Hin.
        inv_monad Hdefs´.
        destruct Hin as [Hij | Hin].
      + subst; clear IHids.
        ∃ x.
        split; try assumption.
        eapply add_prog_defs_incl.
        eassumption.
        apply in_app.
        simpl.
        tauto.
      + eauto.
    Qed.

    Lemma add_prog_defs_globdef_inversion ids defs defs´ i d:
      add_prog_defs (D:=D) ids M L defs = ret defs´ →
      In (i, d) defs´ →
      In i ids ∨ In (i, d) defs.
    Proof.
      revert defs defs´.
      induction ids as [ | j ids IHids]; simpl; intros defs defs´ H; inv_monad H.
      × intuition congruence.
      × intros Hid.
        eapply IHids in Hid; eauto.
        rewrite in_app in Hid.
        simpl in Hid.
        intuition congruence.
    Qed.

    Lemma add_prog_defs_In_globdef ids i d:
      ∀ defs,
        add_prog_defs ids M L nil = ret defs →
        In (i, d) defs →
        get_globdef i M L = ret d.
    Proof.
      induction ids; simpl; intros defs Hdefs; inv_monad Hdefs.
      × subst. inversion 1.
      × apply (add_prog_defs_prefix_elim _ ((a, x) :: nil) nil) in H1.
        destruct H1 as [? [? ?]].
        subst.
        simpl.
        destruct 1.
        + congruence.
        + eauto.
    Qed.

    Lemma add_prog_defs_globdef_In i d ids:
      ∀ defs,
        get_globdef i M L = ret d →
        add_prog_defs ids M L nil = ret defs →
        In i ids →
        In (i, d) defs.
    Proof.
      intros.
      exploit add_prog_defs_globdef_exists; eauto.
      destruct 1 as [? [Hget ?]].
      rewrite H in Hget.
      inv_monad Hget.
      congruence.
    Qed.

    Lemma map_add_prog_defs:
      ∀ l l1,
        map (fun i ⇒ (i, get_globdef (D := D) i M L)) l = map (fun is ⇒ match is with (i, d) ⇒ (i, OK d) end) l1 →
        ∀ ld,
          add_prog_defs l M L ld = OK (ld ++ l1).
    Proof.
      induction l; destruct l1; try discriminate.
      intros. rewrite <- app_nil_end. reflexivity.
      intro J. inv J. intro.
      simpl.
      destruct p. inv H0.
      rewrite H3.
      monad_norm.
      erewrite IHl; eauto.
      rewrite app_ass.
      reflexivity.
    Qed.

    Lemma add_prog_defs_map:
      ∀ l ld l´,
        add_prog_defs l M L ld = OK l´ →
        ∃ l1, l´ = ld ++ l1 ∧
                   map (fun i ⇒ (i, get_globdef (D := D) i M L)) l = map (fun is ⇒ match is with (i, d) ⇒ (i, OK d) end) l1.
    Proof.
      induction l; simpl; intros.
       inv H. ∃ nil. split.
        rewrite <- app_nil_end. reflexivity.
        reflexivity.
      inv_monad H.
      exploit IHl; eauto.
      destruct 1 as [? [Hl´ Hmap]].
      rewrite app_ass in Hl´.
      simpl in Hl´.
      subst.
      rewrite Hmap.
      rewrite H2.
      eauto.
    Qed.

  End ADD_PROG_DEFS.

  Definition valid_program {D} (s: stencil) (M: module) (L: layer D): Prop :=
    (∀ i,
       ¬ isOKNone (get_layer_primitive i L) → In i (stencil_ids s)) ∧
    (∀ i,
       ¬ isOKNone (get_layer_globalvar i L) → In i (stencil_ids s)) ∧
    (∀ i,
       ¬ isOKNone (get_module_function i M) → In i (stencil_ids s)) ∧
    (∀ i,
       ¬ isOKNone (get_module_variable i M) → In i (stencil_ids s)).

  Ltac destruct_valid_program :=
    match goal with H : valid_program ?s ?M ?L |- _ ⇒
      let Hprim_γ := fresh "Hprim_γ" in
      let Hglob_γ := fresh "Hglob_γ" in
      let Hfun_γ := fresh "Hfun_γ" in
      let Hvar_γ := fresh "Hvar_γ" in
      destruct H as (Hprim_γ & Hglob_γ & Hfun_γ & Hvar_γ)
    end.

  Global Instance valid_program_monotonic D:
    Proper (- ==> (≤) --> (≤) --> impl) (valid_program (D:=D)).
  Proof.
    intros s M1 M2 HM L1 L2 HL.
    red in HM, HL.
    intros (Hs_prim & Hs_glob & Hs_func & Hs_var).
    repeat split; intros i H;
    repeat match goal with H: ∀ i:ident, _ |- _ ⇒ specialize (H i) end;
    rewrite <- HL, <- HM in *; eauto.
  Qed.

  Global Instance valid_program_sim_monotonic:
    Proper (∀ R, - ==> (≤) ++> sim R ++> flip impl) (fun D ⇒ valid_program (D:=D)).
  Proof.
    intros D1 D2 R s M1 M2 HM L1 L2 HL.
    red in HM, HL.
    intros (Hs_prim & Hs_glob & Hs_func & Hs_var).
    repeat split; intros i H;
    repeat match goal with H: ∀ i:ident, _ |- _ ⇒ specialize (H i) end;
    rewrite <- HM in *; eauto.
    × eapply Hs_prim. intro ABS. apply H. eapply isOKNone_le; eauto. unfold flip. eapply get_layer_primitive_sim_monotonic; eauto.
    × eapply Hs_glob. intro ABS. apply H. eapply isOKNone_le; eauto. unfold flip. eapply get_layer_globalvar_sim_monotonic; eauto.
  Qed.

  Global Instance is_OK_None_dec {A} (x: res (option A)):
    Decision (x = OK None).
  Proof.
    destruct x as [[|]|];
    first [ left; abstract congruence | right; abstract congruence ].
  Defined.

  Global Instance valid_program_dec D s M L: Decision (@valid_program D s M L).
  Proof.
    typeclasses eauto.
  Defined.

  Definition make_program {D} s M (L: layer D): res (AST.program Fp Vp) :=
    Hvalid <- eassert nil (valid_program s M L);
    defs <- add_prog_defs (D:=D) (stencil_ids s) M L nil;
    ret {|
      prog_defs := defs;
      prog_main := xH
    |}.

  Global Instance make_program_monotonic D:
    Proper (- ==> (≤) ++> (≤) ++> res_le program_le) (make_program (D:=D)).
  Proof.
    unfold make_program.
    intros s M1 M2 HM L1 L2 HL.
    solve_monotonic.
  Qed.

  Global Instance make_program_sim_monotonic:
    Proper
      (∀ R, - ==> sim R ++> res_le eq)
      (fun D ⇒ make_external (D := D)) →
    Proper (∀ R, - ==> (≤) ++> sim R ++> res_le program_le) (fun D ⇒ make_program (D:=D)).
  Proof.
    unfold make_program.
    intros make_external_sim_monotonic D1 D2 R s M1 M2 HM L1 L2 HL.
    solve_monotonic.
    eapply add_prog_defs_sim_monotonic; eauto.
    constructor.
  Qed.

  Local Instance make_program_ops:
    MakeProgramOps Fm Vm Fp Vp :=
      {
        make_program := @make_program
      }.

  Lemma add_prog_defs_names {D} is M L defs defs´:
    add_prog_defs (D:=D) is M L defs = ret defs´ →
    map fst defs´ = (map fst defs) ++ is.
  Proof.
    revert defs.
    induction is as [ | i is IHis]; simpl; intros defs.
    × intros H; inv_monad H; subst.
      apply app_nil_end.
    × intros H; inv_monad H; subst.
      erewrite IHis; eauto.
      rewrite map_app.
      rewrite app_ass.
      reflexivity.
  Qed.

  Lemma make_program_names {D} γ M L p:
    make_program (D := D) γ M L = OK p →
    prog_defs_names p = stencil_ids γ.
  Proof.
    unfold make_program.
    intro H. inv_monad H.
    subst.
    unfold prog_defs_names. simpl.
    erewrite add_prog_defs_names; eauto.
    reflexivity.
  Qed.

  Lemma make_program_names_norepet {D} γ M L p:
    make_program (D := D) γ M L = OK p →
    list_norepet (prog_defs_names p).
  Proof.
    intros. erewrite make_program_names; eauto using stencil_ids_norepet.
  Qed.

  Lemma make_globalenv_find_symbol
        {D} s L M :
    ∀ ge,
      make_globalenv (D := D) s L M = OK ge →
    ∀ i,
    Genv.find_symbol ge i =
    find_symbol s i.
  Proof.
    unfold make_globalenv.
    simpl.
    unfold globalenv_of_stencil, program_of_stencil.
    unfold Genv.globalenv.
    simpl.
    intros.
    inv_monad H.
    unfold make_program in H2.
    inv_monad H2.
    subst.
    simpl.
    rewrite <- find_symbol_of_list_correct.
    rewrite <- find_symbol_of_list_correct.
    rewrite list_map_compose.
    simpl.
    unfold Genv.find_symbol; simpl.
    rewrite Maps.PTree.gempty.
    erewrite add_prog_defs_names; eauto.
    simpl.
    rewrite map_id.
    reflexivity.
  Qed.

  Remark advance_next_length_inv:
  ∀ {F1 V1 F2 V2} (l1: list (ident × option (globdef F1 V1))) (l2: list (ident × option (globdef F2 V2))) b,
    length l1 = length l2 →
    Genv.advance_next l1 b = Genv.advance_next l2 b.
  Proof.
    induction l1; destruct l2; try discriminate.
     reflexivity.
    simpl. inversion 1; subst.
    exploit IHl1; eauto.
  Qed.

  Lemma make_globalenv_genv_next
        {D} s L M :
    ∀ ge,
      make_globalenv (D := D) s L M = OK ge →
      Genv.genv_next ge = genv_next s.
  Proof.
    unfold make_globalenv.
    simpl.
    unfold globalenv_of_stencil, program_of_stencil.
    unfold Genv.globalenv.
    simpl.
    intros.
    inv_monad H.
    unfold make_program in H2.
    inv_monad H2.
    subst.
    simpl.
    rewrite Genv.genv_next_add_globals.
    rewrite Genv.genv_next_add_globals.
    apply advance_next_length_inv.
    rewrite map_length.
    rewrite <- (map_length fst).
    erewrite add_prog_defs_names; eauto.
    reflexivity.
  Qed.

  Lemma get_globdef_not_volatile {D} M L i g:
    get_globdef (D := D) i M L = OK (Some (Gvar g)) →
    gvar_volatile g = false.
  Proof.
    unfold get_globdef.
    destruct (get_module_function i M); try discriminate.
    monad_norm.
    unfold get_function_globdef.
    destruct o.
    {
     destruct (make_internal _); try discriminate.
     monad_norm.
     match goal with |- _ ⊕ ?x = _ → _ ⇒ destruct x as [ [ | ] | ]; discriminate end.
    }
    monad_norm.
    destruct (get_module_variable i M); try discriminate.
    monad_norm.
    unfold get_varinfo_globdef at 1.
    destruct o.
    {
      match goal with [ |- context [ eassert ?x ?y ] ] ⇒
                      destruct (eassert x y); try discriminate
      end.
      match goal with |- _ ⊕ _ ⊕ ?y ⊕ ?z = _ → _ ⇒ destruct y as [ [ | ] | ]; destruct z as [ [ | ] | ]; try discriminate end.
      monad_norm. simpl. monad_norm. inversion 1; subst. assumption.
    }
    destruct (get_layer_primitive i L); try discriminate.
    monad_norm.
    unfold get_primitive_globdef.
    destruct o.
    {
      destruct (make_external _ _); try discriminate.
      monad_norm.
      match goal with |- _ ⊕ _ ⊕ _ ⊕ ?x = _ → _ ⇒ destruct x as [ [ | ] | ]; discriminate end.
    }
    destruct (get_layer_globalvar i L); try discriminate.
    simpl. monad_norm.
    destruct o; try discriminate.
    simpl. monad_norm.
    destruct 1. inv H. assumption.
  Qed.

  Lemma make_globalenv_not_volatile {D} s L M:
    ∀ ge,
      make_globalenv (D := D) s L M = ret ge →
      ∀ b,
      Events.block_is_volatile ge b = false.
  Proof.
    unfold make_globalenv.
    simpl.
    unfold make_program.
    intros until 1.
    inv_monad H.
    subst.
    unfold Events.block_is_volatile.
    intro b.
    destruct (Genv.find_var_info (Genv.globalenv _) b) eqn:?; try reflexivity.
    exploit Genv.find_var_info_inversion; eauto.
    destruct 1.
    simpl in H.
    eauto using add_prog_defs_In_globdef, get_globdef_not_volatile.
  Qed.

  Lemma make_globalenv_matches
        {D} s L M:
    ∀ ge,
      make_globalenv (D := D) s L M = ret ge →
    stencil_matches s ge.
  Proof.
    constructor.
    eapply make_globalenv_find_symbol; eauto.
    eapply make_globalenv_genv_next; eauto.
    eapply make_globalenv_not_volatile; eauto.
  Qed.

  Lemma make_program_In_globdef_exists {D} i γ M L p:
    make_program (D:=D) γ M L = OK p →
    (valid_program γ M L → In i (stencil_ids γ)) →
    ∃ def, get_globdef i M L = OK def ∧ In (i, def) (prog_defs p).
  Proof.
    unfold make_program.
    intros Hmkp; inv_monad Hmkp; subst.
    intros Hiγ.
    eapply add_prog_defs_globdef_exists; eauto.
  Qed.

  Ltac exploit_make_program_at i :=
    lazymatch goal with
      H: make_program ?γ ?M ?L = ?ret ?p |- _ ⇒
        destruct (make_program_In_globdef_exists i γ M L p H) as [d [Hgd Hpd]];
        [
          intro; destruct_valid_program;
          match goal with H: ∀ i:ident, _ → In i _ |- _ ⇒
            apply H;
            get_layer_normalize;
            get_module_normalize;
            discriminate
          end
        |
          unfold get_globdef in Hgd;
          get_layer_normalize_in Hgd;
          get_module_normalize_in Hgd;
          unfold
            get_function_globdef,
            get_varinfo_globdef,
            get_primitive_globdef in Hgd;
          monad_norm;
          rewrite ?id_left, ?id_right in Hgd;
          inv_monad Hgd; subst;
          pose proof (make_program_names_norepet γ M L p H)
        ]
    end.

  Section INITMEM.

    Context {D1 D2} (L1: layer D1) (L2: layer D2)
            (M1 M2: module).

    Hypotheses
      (function_domains:
         ∀ i,
           (¬ isOKNone (get_layer_primitive i L1) ∨ ¬ isOKNone (get_module_function i M1)) →
           (¬ isOKNone (get_layer_primitive i L2) ∨ ¬ isOKNone (get_module_function i M2)))
      (variable_domains:
         ∀ i v,
           (get_layer_globalvar i L1 = OK (Some v) ∨ get_module_variable i M1 = OK (Some v)) →
           (get_layer_globalvar i L2 = OK (Some v) ∨ get_module_variable i M2 = OK (Some v)))
    .

    Lemma get_globdef_init_mem_le i d1 d2:
      get_globdef i M1 L1 = OK d1 →
      get_globdef i M2 L2 = OK d2 →
      option_le (InitMem.def_le) d1 d2.
    Proof.
      unfold get_globdef.
      destruct (get_module_function i M1) eqn:FUN; try discriminate.
      destruct o.
      {
        monad_norm.
        unfold get_function_globdef at 1.
        destruct (make_internal f); try discriminate.
        monad_norm.
        intro J.
        apply oplus_one_left´ in J.
        destruct J; subst.
        exploit (function_domains i).
        {
          rewrite FUN. unfold isOKNone. right; congruence.
        }
        destruct (get_module_function i M2); try discriminate.
        destruct o.
        {
          intros _.
          monad_norm.
          unfold get_function_globdef.
          destruct (make_internal f1); try discriminate.
          monad_norm.
          intro J.
          apply oplus_one_left´ in J.
          destruct J; subst.
          constructor. constructor. auto.
        }
        monad_norm. unfold get_function_globdef.
        rewrite oplus_id_left´.
        destruct (
            mτ <- get_module_variable i M2; get_varinfo_globdef mτ
          ); try discriminate.
        destruct o.
        {
          intros J K.
          exfalso.
          apply oplus_one_left´ in K.
          destruct K as (K & _).
          apply oplus_lb_eq´ in K.
          destruct K as (K & _).
          inv_monad K.
          unfold get_primitive_globdef in H2.
          destruct x.
          { inv_monad H2. discriminate. }
          rewrite H1 in J.
          unfold isOKNone in J.
          unfold ret in J; simpl in J.
          destruct J; simpl; congruence.
        }
        rewrite oplus_id_left´.
        destruct (get_layer_primitive i L2); try discriminate.
        destruct o.
        {
          monad_norm.
          unfold get_primitive_globdef.
          destruct (make_external i p); try discriminate.
          monad_norm.
          intros _ J.
          apply oplus_one_left´ in J.
          destruct J; subst.
          constructor. constructor. auto.
        }
        unfold isOKNone. destruct 1; exfalso; congruence.
      }
      monad_norm.
      unfold get_function_globdef at 1.
      rewrite oplus_id_left´.
      destruct (get_module_variable i M1) eqn:VAR; try discriminate.
      destruct o.
      {
        monad_norm.
        generalize (eq_refl (get_varinfo_globdef (Some g))).
        unfold get_varinfo_globdef at 2 3.
        unfold eassert.
        destruct (decide (gvar_volatile g = false)); try discriminate.
        monad_norm.
        intro VARINFO.
        intro J.
        apply oplus_one_left´ in J.
        destruct J; subst.
        exploit (variable_domains i).
        {
          rewrite VAR. eauto.
        }
        destruct 1 as [VAR2 | VAR2].
        {
          rewrite VAR2.
          monad_norm.
          rewrite VARINFO.
          destruct ( mf <- get_module_function i M2; get_function_globdef mf
            ) as [ [ | ] | ];
            destruct ( mτ <- get_module_variable i M2; get_varinfo_globdef mτ
              ) as [ [ | ] | ];
            destruct ( mσ <- get_layer_primitive i L2; get_primitive_globdef i mσ
              ) as [ [ | ] | ];
            try discriminate.
          inversion 1; subst.
          repeat constructor.
        }
        rewrite VAR2.
        monad_norm.
        rewrite VARINFO.
          destruct ( mf <- get_module_function i M2; get_function_globdef mf
            ) as [ [ | ] | ];
            destruct ( mσ <- get_layer_primitive i L2; get_primitive_globdef i mσ
              ) as [ [ | ] | ];
            destruct ( mτ <- get_layer_globalvar i L2; get_varinfo_globdef mτ
              ) as [ [ | ] | ];
            try discriminate.
        inversion 1; subst.
        repeat constructor.
      }
      monad_norm. unfold get_varinfo_globdef at 1.
      rewrite oplus_id_left´.
      destruct (get_layer_primitive i L1) eqn:PRIM; try discriminate.
      destruct o.
      {
        monad_norm.
        unfold get_primitive_globdef at 1.
        destruct (make_external i p); try discriminate.
        monad_norm.
        intro J.
        apply oplus_one_left´ in J.
        destruct J; subst.
        exploit (function_domains i).
        { rewrite PRIM. unfold isOKNone. left; congruence. }
        destruct (get_module_function i M2); try discriminate.
        destruct o.
        {
          intros _.
          monad_norm.
          unfold get_function_globdef.
          destruct (make_internal f0); try discriminate.
          monad_norm.
          intro J.
          apply oplus_one_left´ in J.
          destruct J; subst.
          repeat constructor.
        }
        monad_norm.
        unfold get_function_globdef.
        rewrite oplus_id_left´.
        destruct (get_layer_primitive i L2).
        {
          destruct o.
          {
            intros _.
            monad_norm.
            unfold get_primitive_globdef.
            destruct (make_external i p0);
              destruct ( mτ <- get_module_variable i M2; get_varinfo_globdef mτ
                ) as [ [ | ] | ];
            destruct ( mτ <- get_layer_globalvar i L2; get_varinfo_globdef mτ
              ) as [ [ | ] | ];
            try discriminate.
            inversion 1; subst.
            repeat constructor.
          }
          unfold isOKNone. destruct 1; congruence.
        }
        destruct ( mτ <- get_module_variable i M2; get_varinfo_globdef mτ
                 ) as [ [ | ] | ];
          destruct ( mτ <- get_layer_globalvar i L2; get_varinfo_globdef mτ
                   ) as [ [ | ] | ];
          discriminate.
      }
      monad_norm.
      unfold get_primitive_globdef at 1.
      rewrite oplus_id_left´.
      intro J.
      inv_monad J.
      destruct x.
      {
        generalize H1.
        intro VARINFO.
        inv_monad H1.
        inv_monad H2.
        subst.
        exploit (variable_domains i).
        { rewrite H0. left; reflexivity. }
        destruct 1 as [VAR2 | VAR2].
        {
          rewrite VAR2. monad_norm. rewrite VARINFO.
          destruct ( mf <- get_module_function i M2; get_function_globdef mf
            ) as [ [ | ] | ];
            destruct ( mτ <- get_module_variable i M2; get_varinfo_globdef mτ
              ) as [ [ | ] | ];
            destruct ( mσ <- get_layer_primitive i L2; get_primitive_globdef i mσ
              ) as [ [ | ] | ];
            try discriminate.
          inversion 1; subst.
          repeat constructor.
        }
        rewrite VAR2. monad_norm. rewrite VARINFO.
        destruct ( mf <- get_module_function i M2; get_function_globdef mf
                 ) as [ [ | ] | ];
          destruct ( mτ <- get_layer_globalvar i L2; get_varinfo_globdef mτ
                   ) as [ [ | ] | ];
          destruct ( mσ <- get_layer_primitive i L2; get_primitive_globdef i mσ
                   ) as [ [ | ] | ];
          try discriminate.
        inversion 1; subst.
        repeat constructor.
      }
      inv H1.
      constructor.
    Qed.

    Lemma add_prog_defs_init_mem_le l:
      ∀ defs1 defs2,
        InitMem.prog_defs_le defs1 defs2 →
        ∀ res1,
          add_prog_defs l M1 L1 defs1 = OK res1 →
          ∀ res2,
            add_prog_defs l M2 L2 defs2 = OK res2 →
            InitMem.prog_defs_le res1 res2.
    Proof.
      induction l; simpl.
      × inversion 2; subst. inversion 1; subst. assumption.
      × intros.
        inv_monad H0.
        inv_monad H1.
        eapply IHl; [ | eassumption | eassumption ].
        apply app_rel; auto.
        repeat constructor.
        eauto using get_globdef_init_mem_le.
    Qed.

    Lemma make_program_defs_init_mem_le s p1 p2:
      make_program s M1 L1 = OK p1 →
      make_program s M2 L2 = OK p2 →
      InitMem.prog_defs_le (prog_defs p1) (prog_defs p2).
    Proof.
      unfold make_program.
      intros P1 P2.
      inv_monad P1. inv_monad P2.
      subst. simpl.
      eapply add_prog_defs_init_mem_le; eauto.
      constructor.
    Qed.

  End INITMEM.

  Lemma make_program_layer_ok {D} s M L:
    isOK (make_program (D := D) s M L) →
    LayerOK L.
  Proof.
    unfold LayerOK, isOK, make_program.
    destruct 1.
    inv_monad H.
    subst.
    destruct_valid_program.
    intro i.
    assert (HpOK: isOK (get_layer_primitive i L)).
    {
      destruct (get_layer_primitive i L) eqn:PRIM; eauto.
      exfalso.
      generalize (Hprim_γ i).
      rewrite PRIM.
      unfold isOKNone.
      intro K.
      exploit K; [ congruence | ].
      intro IN.
      exploit @add_prog_defs_globdef_exists; eauto.
      unfold get_globdef.
      rewrite PRIM.
      monad_norm.
      destruct 1 as (? & J & _).
      destruct (
          mf <- get_module_function i M; get_function_globdef mf
        );
        destruct (mτ <- get_module_variable i M; get_varinfo_globdef mτ); discriminate.
    }
    assert (HvOK: isOK (get_layer_globalvar i L)).
    {
      destruct (get_layer_globalvar i L) eqn:VAR; eauto.
      exfalso.
      generalize (Hglob_γ i).
      rewrite VAR.
      unfold isOKNone.
      intro K.
      exploit K; [ congruence | ].
      intro IN.
      exploit @add_prog_defs_globdef_exists; eauto.
      unfold get_globdef.
      rewrite VAR.
      monad_norm.
      destruct 1 as (? & J & _).
      destruct (
          mf <- get_module_function i M; get_function_globdef mf
        );
        destruct (mτ <- get_module_variable i M; get_varinfo_globdef mτ);
        destruct (mσ <- get_layer_primitive i L; get_primitive_globdef i mσ);
        discriminate.
    }
    split; eauto.
    {
      destruct HpOK as [[σ|] Hσ]; eauto.
      destruct HvOK as [[τ|] Hτ]; eauto.
      exfalso.
      assert (Hsi: In i (stencil_ids s)) by (apply Hprim_γ; congruence).
      exploit @add_prog_defs_globdef_exists; eauto.
      intros (d & Hd & _).
      revert Hd.
      unfold get_globdef.
      rewrite Hσ, Hτ.
      monad_norm.
      simpl.
      destruct (mf <- get_module_function i M; get_function_globdef mf);
        try discriminate.
      destruct (mτ <- get_module_variable i M; get_varinfo_globdef mτ);
        try discriminate.
      destruct (make_external i σ);
        try discriminate.
      monad_norm.
      intros [_].
      discriminate.
    }
  Qed.

  Lemma make_program_module_ok {D} s M L:
    isOK (make_program (D := D) s M L) →
    ModuleOK M.
  Proof.
    unfold ModuleOK, isOK, make_program.
    destruct 1.
    inv_monad H.
    subst.
    destruct_valid_program.
    intro i.
    assert (Hf: isOK (get_module_function i M)).
    {
      destruct (get_module_function i M) eqn:FUN; eauto.
      exfalso.
      generalize (Hfun_γ i).
      rewrite FUN.
      unfold isOKNone.
      intro K.
      exploit K; [ congruence | ].
      intro IN.
      exploit @add_prog_defs_globdef_exists; eauto.
      unfold get_globdef.
      rewrite FUN.
      monad_norm.
      destruct 1 as (? & J & _).
      discriminate.
    }
    assert (Hv: isOK (get_module_variable i M)).
    {
      destruct (get_module_variable i M) eqn:VAR; eauto.
      exfalso.
      generalize (Hvar_γ i).
      rewrite VAR.
      unfold isOKNone.
      intro K.
      exploit K; [ congruence | ].
      intro IN.
      exploit @add_prog_defs_globdef_exists; eauto.
      unfold get_globdef.
      rewrite VAR.
      monad_norm.
      destruct 1 as (? & J & _).
      destruct (
          mf <- get_module_function i M; get_function_globdef mf
        );
        discriminate.
    }
    split; eauto.
    {
      destruct Hf as [[κ|] Hκ]; eauto.
      destruct Hv as [[τ|] Hτ]; eauto.
      exfalso.
      assert (Hsi: In i (stencil_ids s)) by (apply Hfun_γ; congruence).
      exploit @add_prog_defs_globdef_exists; eauto.
      intros (d & Hd & _).
      revert Hd.
      unfold get_globdef.
      rewrite Hκ, Hτ.
      monad_norm.
      simpl.
      destruct (make_internal κ); try discriminate.
      monad_norm.
      intros [_].
      destruct (get_layer_primitive i L); try discriminate; monad_norm.
      destruct (get_primitive_globdef i o); try discriminate; monad_norm.
      destruct (get_layer_globalvar i L); try discriminate; monad_norm.
      destruct (get_varinfo_globdef _); try discriminate; monad_norm.
      destruct (_ o2); try discriminate; monad_norm.
      destruct o3; try discriminate.
    }
  Qed.

  Require Import Semantics.

  Lemma make_program_module_layer_disjoint {D} s M L:
    isOK (make_program (D:=D) s M L) →
    module_layer_disjoint M L.
  Proof.
    unfold make_program.
    intros [p Hp] i.
    inv_monad Hp.
    subst.
    destruct_valid_program.
    destruct (decide (In i (stencil_ids s))) as [Hi | Hi].
    × eapply add_prog_defs_globdef_exists in Hi; try eassumption.
      destruct Hi as (d & Hd & Hid).
      unfold get_globdef in Hd.
      destruct (_ <- get_module_function _ _; _) as [[|]|] eqn:H; inv_monad H;
      destruct (_ <- get_module_variable _ _; _) as [[|]|] eqn:H; inv_monad H;
      destruct (_ <- get_layer_primitive _ _; _) as [[|]|] eqn:H; inv_monad H;
      destruct (_ <- get_layer_globalvar _ _; _) as [[|]|] eqn:H; inv_monad H;
      try discriminate;
      repeat match goal with
               | H: ?x = ?y |- context [?x] ⇒ rewrite H; clear H
             end;
      try (right;
           destruct x2, x3; try discriminate;
           simpl in *; unfold eassert in *;
           try destruct (make_external _ _); try discriminate;
           try destruct (decide (gvar_volatile _ = _)); try discriminate;
           now repeat constructor);
      try (left;
           destruct x, x1; try discriminate;
           simpl in *; unfold eassert in *;
           try destruct (make_internal _); try discriminate;
           try destruct (decide (gvar_volatile _ = _)); try discriminate;
           now repeat constructor).
    × left.
      split.
      + destruct (decide (isOKNone (get_module_function i M))).
        - assumption.
        - elim Hi; eauto.
      + destruct (decide (isOKNone (get_module_variable i M))).
        - assumption.
        - elim Hi; eauto.
  Qed.