Stateful evaluation
(* Open Source License *)
(* Copyright (c) 2019 Nomadic Labs. <> *)

(* Permission is hereby granted, free of charge, to any person obtaining a *)
(* copy of this software and associated documentation files (the "Software"), *)
(* to deal in the Software without restriction, including without limitation *)
(* the rights to use, copy, modify, merge, publish, distribute, sublicense, *)
(* and/or sell copies of the Software, and to permit persons to whom the *)
(* Software is furnished to do so, subject to the following conditions: *)

(* The above copyright notice and this permission notice shall be included *)
(* in all copies or substantial portions of the Software. *)


(* Oprational semantics of the Michelson language *)

Require Import syntax.
Require Import ZArith.
Require Import String.
Require NPeano.

Require Import comparable error.
Import syntax.

Section semantics.

  Context {get_contract_type : contract_constant -> M type} {parameter_ty : type}.

  Fixpoint data (a : type) {struct a} : Set :=
    match a with
    | Comparable_type b => comparable_data b
    | signature => signature_constant
    | operation => operation_constant
    | key => key_constant
    | unit => Datatypes.unit
    | pair a b => data a * data b
    | or a b => sum (data a) (data b)
    | option a => Datatypes.option (data a)
    | list a => Datatypes.list (data a)
    | set a => set.set (comparable_data a) (compare a)
    | map a b => (comparable_data a) (data b) (compare a)
    | big_map a b => (comparable_data a) (data b) (compare a)
    | lambda a b =>
      @instruction get_contract_type parameter_ty (a ::: nil) (b ::: nil)
    | contract a => {s : contract_constant | get_contract_type s = Return _ a }

  Record proto_env {state : Set} : Set :=
        create_contract : forall g p,
          comparable_data key_hash ->
          Datatypes.option (comparable_data key_hash) ->
          Datatypes.bool -> Datatypes.bool -> tez.mutez ->
          data (lambda (pair p g) (pair (list operation) g)) ->
          data g -> data (pair operation address);
        create_account :
          comparable_data key_hash ->
          Datatypes.option (comparable_data key_hash) ->
          Datatypes.bool -> tez.mutez ->
          state -> state * data (pair operation (contract unit));
        transfer_tokens : forall p,
            data p -> tez.mutez -> data (contract p) ->
            state -> state * data operation;
        set_delegate : Datatypes.option (comparable_data key_hash) ->
                       state -> state * data operation;
        balance : tez.mutez;
        address_ : forall p, data (contract p) -> data address;
        contract_ : forall p, data address -> data (option (contract p));
        source : data address;
        sender : data address;
        self : data (contract parameter_ty);
        amount : tez.mutez;
        implicit_account :
          comparable_data key_hash -> data (contract unit);
        steps_to_quota : state -> state * N;
        now : comparable_data timestamp;
        hash_key : data key -> comparable_data key_hash;
        pack : forall a, data a -> data bytes;
        unpack : forall a, data bytes -> data (option a);
        blake2b : data bytes -> data bytes;
        sha256 : data bytes -> data bytes;
        sha512 : data bytes -> data bytes;
        check_signature :
          data key -> data signature -> data bytes -> data bool

  Variable state : Set.
  Variable env : @proto_env state.

  Fixpoint stack (t : stack_type) : Set :=
    match t with
    | nil => Datatypes.unit
    | cons a A => data a * stack A

  (** Stack manipulation *)
  Inductive stack_ind : stack_type -> Set -> Prop :=
  | stack_nil : stack_ind nil Datatypes.unit
  | stack_cons : forall a A S,
      stack_ind A S -> stack_ind (cons a A) (data a * S).

  Lemma stack_iff_stack_ind : forall (t : stack_type) (s : Set),
      stack t = s <-> stack_ind t s.
    intros t.
    induction t; intros s; simpl.
    - split; intros; subst.
      + constructor.
      + inversion H; reflexivity.
    - split; intros; subst.
      + constructor. rewrite <- (IHt (stack t)); reflexivity.
      + inversion H; subst. 
        assert (stack t = S) by (rewrite (IHt S); assumption); subst; reflexivity.

  Lemma nltz : forall n: Datatypes.nat, n < 0 -> False.
  Proof. intros; omega. Qed.

  Definition stack_app {l1} {l2} (S1 : stack l1) (S2 : stack l2) : stack (l1+++l2).
    induction l1; simpl.
    - assumption.
    - inversion S1. split; auto.

  (* Dig stuff *)

  Fixpoint stacktype_split_dig (l : stack_type) (n : Datatypes.nat) : n < List.length l -> (stack_type * type * stack_type) :=
    match l, n with
    | List.nil, _ => (fun pf => match nltz n pf with end)
    | List.cons x tl, 0 => (fun _ => (nil, x, tl))
    | List.cons x xs', S n' => (fun pf => let '(l1, a, l2) := stacktype_split_dig xs' n' (lt_S_n n' (Datatypes.length xs') pf) in (List.cons x l1, a, l2))

  Lemma length_app_cons_dig : forall n l1 l2 t,
      n = Datatypes.length l1 ->
      n < Datatypes.length (l1 +++ t ::: l2).
    intros n l1 l2 t Hlen.
    rewrite List.app_length. rewrite <- Hlen.
    simpl. omega.

  Lemma stacktype_dig_proof_irrelevant : forall l n Hlen1 Hlen2,
      stacktype_split_dig l n Hlen1 = stacktype_split_dig l n Hlen2.
    induction l; intros n Hlen1 Hlen2.
    - simpl. specialize (nltz _ Hlen1) as Hfalse. inversion Hfalse.
    - simpl. destruct n. reflexivity.
      erewrite IHl. erewrite IHl at 2. eauto.

  Lemma stacktype_split_dig_exact : forall l1 l2 t n (Hlen : n = Datatypes.length l1),
      stacktype_split_dig (l1+++t:::l2) n (length_app_cons_dig _ l1 l2 t Hlen) = (l1, t, l2).
    induction l1; intros l2 t n Hlen; simpl.
    - destruct n. reflexivity.
      inversion Hlen.
    - destruct n. inversion Hlen.
      simpl in Hlen; inversion Hlen.
      specialize (IHl1 l2 t n H0).
      specialize (stacktype_dig_proof_irrelevant (l1+++t:::l2) n (length_app_cons_dig n l1 l2 t H0)
                                             (lt_S_n n (Datatypes.length (l1 +++ t ::: l2))
                         (length_app_cons_dig (S n) (a ::: l1) l2 t Hlen))) as Hpi.
      rewrite <- Hpi. rewrite IHl1. reflexivity.

  Fixpoint stack_split_dig {l} (SA : stack (l)) (n: Datatypes.nat) (pf : n < List.length l) :
    let '(l1, a, l2) := stacktype_split_dig l n pf in (stack l1 * data a * stack l2).
    generalize dependent n.
    induction l; intros n pf. simpl.
    + destruct (nltz n pf).
    + destruct n.
      * simpl in *. destruct SA; repeat constructor; assumption.
      * simpl in SA.
        destruct SA as [x SA].
        specialize (IHl SA n (lt_S_n n (Datatypes.length l) pf)). simpl in *. destruct (stacktype_split_dig l n (lt_S_n _ _ pf)) as [[l1' a'] l2'].
        destruct IHl as [[sl1' sa'] sl2']; simpl. repeat constructor; assumption.

  Fixpoint stack_dig {l1 l2 t} (SA : stack (l1+++t:::l2)) (n: Datatypes.nat) (pf : n = Datatypes.length l1) : stack (t:::l1+++l2).
    specialize (stack_split_dig SA n (length_app_cons_dig _ l1 l2 t pf)).
    rewrite stacktype_split_dig_exact.
    intro H. simpl in *. destruct H as [[sl1 st] sl2]. split; auto.
    apply stack_app; auto.

  (* Dug stuff *)

  Lemma Snltz {A} : forall n',
      S n' <= @Datatypes.length A nil -> False.
    intros n' Hlen; simpl in *. omega.

  Fixpoint stacktype_split_dug (l : stack_type) (n : Datatypes.nat) : n <= List.length l -> (stack_type * stack_type) :=
    match l, n with
    | _, 0 => (fun _ => (nil, l))
    | List.nil, S n' => (fun pf => match (Snltz n' pf) with end)
    | List.cons x xs', S n' => (fun pf => let '(l1, l2) := stacktype_split_dug xs' n' (le_S_n n' (Datatypes.length xs') pf) in (List.cons x l1, l2))

  Lemma stacktype_dug_proof_irrelevant : forall l n Hlen1 Hlen2,
      stacktype_split_dug l n Hlen1 = stacktype_split_dug l n Hlen2.
    induction l; intros n Hlen1 Hlen2.
    - simpl. destruct n. reflexivity.
      simpl in Hlen1; omega.
    - simpl. destruct n. reflexivity.
      erewrite IHl. erewrite IHl at 2. eauto.

  Lemma length_app_cons_dug : forall n l1 l2,
      n = Datatypes.length l1 ->
      n <= Datatypes.length (l1 +++ l2).
    intros n l1 l2 Hlen.
    simpl. rewrite List.app_length. rewrite <- Hlen.

  Lemma stacktype_split_dug_exact : forall l1 l2 n (Hlen : n = Datatypes.length l1),
      stacktype_split_dug (l1+++l2) n (length_app_cons_dug _ l1 l2 Hlen) = (l1, l2).
    induction l1; intros l2 n Hlen; simpl.
    - destruct n. induction l2; reflexivity. 
      inversion Hlen.
    - destruct n. inversion Hlen.
      simpl in Hlen; inversion Hlen.
      specialize (IHl1 l2 n H0).
      specialize (stacktype_dug_proof_irrelevant (l1+++l2) n (length_app_cons_dug n l1 l2 H0)
                                             (le_S_n n (Datatypes.length (l1 +++ l2))
                         (length_app_cons_dug (S n) (a ::: l1) l2 Hlen))) as Hpi.
      rewrite <- Hpi. rewrite IHl1. reflexivity.

  Fixpoint stack_split_dug {l} (SA : stack (l)) (n: Datatypes.nat) (pf : n <= List.length l) :
    let '(l1, l2) := stacktype_split_dug l n pf in (stack l1 * stack l2).
    generalize dependent n.
    induction l; intros n pf. simpl.
    + destruct n; simpl. constructor; auto.
      destruct (Snltz _ pf).
    + destruct n.
      * simpl in *. destruct SA; repeat constructor; assumption.
      * simpl in SA.
        destruct SA as [x SA].
        specialize (IHl SA n (le_S_n n (Datatypes.length l) pf)). simpl in *. destruct (stacktype_split_dug l n (le_S_n _ _ pf)) as [l1' l2'].
        destruct IHl as [sl1' sl2']; simpl. repeat constructor; assumption.

  Fixpoint stack_dug {l1 l2 t} (SA : stack (t:::l1+++l2)) (n: Datatypes.nat) (pf : n = Datatypes.length l1) : stack (l1+++t:::l2).
    inversion SA.
    specialize (stack_split_dug H0 n (length_app_cons_dug _ l1 l2 pf)) as Hsplit.
    rewrite stacktype_split_dug_exact in Hsplit. destruct Hsplit as [sl1 sl2].
    apply stack_app; simpl; auto.

  Fixpoint concrete_data_to_data (a : type) (d : concrete_data a) : data a :=
    match d with
    | Int_constant x => x
    | Nat_constant x => x
    | String_constant x => x
    | Timestamp_constant x => x
    | Signature_constant x => Mk_sig x
    | Key_constant x => Mk_key x
    | Key_hash_constant x => Mk_key_hash x
    | Mutez_constant (Mk_mutez x) => x
    | @Contract_constant _ _ a x H => exist _ x H
    | Unit => tt
    | True_ => true
    | False_ => false
    | Pair a b => (concrete_data_to_data _ a, concrete_data_to_data _ b)
    | Left a => inl (concrete_data_to_data _ a)
    | Right b => inr (concrete_data_to_data _ b)
    | Some_ a => Some (concrete_data_to_data _ a)
    | None_ => None
    | Concrete_list l => (concrete_data_to_data _) l
    | @Concrete_set _ _ a l =>
      (fix concrete_data_set_to_data (l : Datatypes.list (concrete_data a)) :=
         match l with
         | nil => set.empty _ _
         | cons x l =>
             (data a)
             ( a)
             (comparable.compare_eq_iff a)
             (comparable.lt_trans a)
             (comparable.gt_trans a)
             (concrete_data_to_data a x)
             (concrete_data_set_to_data l)
         end) l
    | @Concrete_map _ _ a b l =>
      (fix concrete_data_map_to_data
           (l : Datatypes.list (elt_pair (concrete_data a) (concrete_data b))) :=
         match l with
         | nil => map.empty _ _ _
         | cons (Elt _ _ x y) l =>
             (data a)
             (data b)
             ( a)
             (comparable.compare_eq_iff a)
             (comparable.lt_trans a)
             (comparable.gt_trans a)
             (concrete_data_to_data _ x)
             (Some (concrete_data_to_data _ y))
             (concrete_data_map_to_data l)
         end) l
    | Instruction i => i

  Definition or_fun a (v : bitwise_variant a) : data a -> data a -> data a :=
    match v with
    | Bitwise_variant_bool => orb
    | Bitwise_variant_nat => N.lor

  Definition and a (v : bitwise_variant a) : data a -> data a -> data a :=
    match v with
    | Bitwise_variant_bool => andb
    | Bitwise_variant_nat =>

  Definition xor a (v : bitwise_variant a) : data a -> data a -> data a :=
    match v with
    | Bitwise_variant_bool => xorb
    | Bitwise_variant_nat => N.lxor

  Definition not a b (v : not_variant a b) : data a -> data b :=
    match v with
    | Not_variant_bool => negb
    | Not_variant_int => fun x => (- 1 - x)%Z
    | Not_variant_nat => fun x => (- 1 - Z.of_N x)%Z

  Definition neg a (v : neg_variant a) : data a -> data int :=
    match v with
    | Neg_variant_nat => fun x => (- Z.of_N x)%Z
    | Neg_variant_int => fun x => (- x)%Z

  Definition add a b c (v : add_variant a b c) : data a -> data b -> M (data c) :=
    match v with
    | Add_variant_nat_nat => fun x y => Return _ (x + y)%N
    | Add_variant_nat_int => fun x y => Return _ (Z.of_N x + y)%Z
    | Add_variant_int_nat => fun x y => Return _ (x + Z.of_N y)%Z
    | Add_variant_int_int => fun x y => Return _ (x + y)%Z
    | Add_variant_timestamp_int => fun x y => Return _ (x + y)%Z
    | Add_variant_int_timestamp => fun x y => Return _ (x + y)%Z
    | Add_variant_tez_tez =>
      fun x y => tez.of_Z (tez.to_Z x + tez.to_Z y)

  Definition sub a b c (v : sub_variant a b c) : data a -> data b -> M (data c) :=
    match v with
    | Sub_variant_nat_nat => fun x y => Return _ (Z.of_N x - Z.of_N y)%Z
    | Sub_variant_nat_int => fun x y => Return _ (Z.of_N x - y)%Z
    | Sub_variant_int_nat => fun x y => Return _ (x - Z.of_N y)%Z
    | Sub_variant_int_int => fun x y => Return _ (x - y)%Z
    | Sub_variant_timestamp_int => fun x y => Return _ (x - y)%Z
    | Sub_variant_timestamp_timestamp => fun x y => Return _ (x - y)%Z
    | Sub_variant_tez_tez => fun x y => tez.of_Z (tez.to_Z x - tez.to_Z y)

  Definition mul a b c (v : mul_variant a b c) : data a -> data b -> M (data c) :=
    match v with
    | Mul_variant_nat_nat => fun x y => Return _ (x * y)%N
    | Mul_variant_nat_int => fun x y => Return _ (Z.of_N x * y)%Z
    | Mul_variant_int_nat => fun x y => Return _ (x * Z.of_N y)%Z
    | Mul_variant_int_int => fun x y => Return _ (x * y)%Z
    | Mul_variant_tez_nat => fun x y => tez.of_Z (tez.to_Z x * Z.of_N y)
    | Mul_variant_nat_tez => fun x y => tez.of_Z (Z.of_N x * tez.to_Z y)

  Definition ediv_Z x y :=
    if (y =? 0)%Z then None else Some (x / y, Z.to_N (x mod y))%Z.
  Definition ediv_N x y :=
    if (y =? 0)%N then None else Some (x / y, x mod y)%N.

  Definition ediv a b c d (v : ediv_variant a b c d) : data a -> data b -> data (option (pair c d)) :=
    match v with
    | Ediv_variant_nat_nat => fun x y => ediv_N x y
    | Ediv_variant_nat_int => fun x y => ediv_Z (Z.of_N x) y
    | Ediv_variant_int_nat => fun x y => ediv_Z x (Z.of_N y)
    | Ediv_variant_int_int => fun x y => ediv_Z x y
    | Ediv_variant_tez_nat =>
      fun x y =>
        match ediv_Z (tez.to_Z x) (Z.of_N y) with
        | None => None
        | Some (quo, rem) =>
          match tez.of_Z quo, tez.of_Z (Z.of_N rem) with
          | Return _ quo, Return _ rem => Some (quo, rem)
          | _, _ => None
    | Ediv_variant_tez_tez =>
      fun x y =>
        match ediv_Z (tez.to_Z x) (tez.to_Z y) with
        | None => None
        | Some (quo, rem) =>
          match tez.of_Z (Z.of_N rem) with
          | Return _ rem => Some (Z.to_N quo, rem)
          | _ => None

  Definition concat a (v : stringlike_variant a) : data a -> data a -> data a :=
    match v with
    | Stringlike_variant_string => String.append
    | Stringlike_variant_bytes => String.append

  Definition slice a (v : stringlike_variant a) : data nat -> data nat -> data a -> data (option a) :=
    match v with
    | Stringlike_variant_string =>
      fun (n1 n2 : N) (s : data string) =>
        if (n1 + n2 <=? N.of_nat (String.length s))%N then
          (Some (String.substring (N.to_nat n1) (N.to_nat n2) s)
           : data (option string))
        else None
    | Stringlike_variant_bytes =>
      fun n1 n2 s =>
        if (n1 + n2 <=? N.of_nat (String.length s))%N then
          Some (String.substring (N.to_nat n1) (N.to_nat n2) s)
        else None

  Definition mem a b (v : mem_variant a b) : data a -> data b -> data bool :=
    match v with
    | Mem_variant_set a =>
      fun (x : data a) (y : data (set a)) => set.mem _ _ x y
    | Mem_variant_map _ _ => map.mem _ _ _
    | Mem_variant_bigmap _ _ => map.mem _ _ _

  Definition update a b c (v : update_variant a b c) :
    data a -> data b -> data c -> data c :=
    match v with
    | Update_variant_set a =>
      set.update _ _ (compare_eq_iff a) (lt_trans a) (gt_trans a)
    | Update_variant_map k v =>
      map.update _ _ _ (compare_eq_iff k) (lt_trans k) (gt_trans k)
    | Update_variant_bigmap k _ =>
      map.update _ _ _ (compare_eq_iff k) (lt_trans k) (gt_trans k)

  Definition size a (v : size_variant a) : data a -> Datatypes.nat :=
    match v with
    | Size_variant_list a => fun l => List.length l
    | Size_variant_set a => set.size (data a) (compare a)
    | Size_variant_map k v => map.size (data k) (data v) (compare k)
    | Size_variant_string => String.length
    | Size_variant_bytes => String.length

  Definition iter_destruct a b (v : iter_variant a b)
    : data b -> data (option (pair a b)) :=
    match v with
    | Iter_variant_set _ => set.destruct _ _
    | Iter_variant_map _ _ => set.destruct _ _
    | Iter_variant_list _ =>
      fun l => match l with
               | nil => None
               | cons a l => Some (a, l)

  Definition get k val c (v : get_variant k val c)
    : data k -> data c -> data (option val) :=
    match v with
    | Get_variant_map _ _ => map.get _ _ _
    | Get_variant_bigmap _ _ => map.get _ _ _

  Definition map_destruct a b ca cb (v : map_variant a b ca cb)
    : data ca -> data (option (pair a ca)) :=
    match v with
    | Map_variant_map _ _ _ => set.destruct _ _
    | Map_variant_list _ _ =>
      fun l => match l with
               | nil => None
               | cons a l => Some (a, l)

  Definition map_empty a b ca cb (v : map_variant a b ca cb)
    : data cb :=
    match v with
    | Map_variant_map _ _ _ => map.empty _ _ _
    | Map_variant_list _ _ => nil

  Definition map_insert a b ca cb (v : map_variant a b ca cb)
    : data a -> data b -> data cb -> data cb :=
    match v with
    | Map_variant_map k_ty _ v_ty =>
      fun '(k, _) v (m : data (map k_ty v_ty)) =>
        map.update _ _ _ (comparable.compare_eq_iff _) (comparable.lt_trans _) (comparable.gt_trans _) k (Some v) m
    | Map_variant_list _ _ =>
      fun _ => cons

  (* The gas argument is used to ensure termination, it is not the
  amount of gas that is actually required to run the contract because
  in the SEQ case, both instructions are run with gas n *)
  Fixpoint eval {A : stack_type} {B : stack_type} (ST : state)
           (i : instruction A B) (fuel : Datatypes.nat) {struct fuel} :
    stack A -> M (state * stack B) :=
    match fuel with
    | O => fun SA => Failed _ Out_of_fuel
    | S n =>
      match i in instruction A B return stack A -> M (state * stack B) with
      | @FAILWITH _ _ A B a =>
        fun '(x, _) => Failed _ (Assertion_Failure (data a) x)

      (* According to the documentation, FAILWITH's argument should
         not be part of the state reached by the instruction but the
         whole point of this instruction (compared to the FAIL macro)
         is to report the argument to the user. *)

      | NOOP => fun SA => Return _ (ST, SA)
      | SEQ B C =>
        fun SA => bind (fun '(ST, SB) => eval ST C n SB) (eval ST B n SA)
      | IF_ bt bf =>
        fun '(b, SA) => if b then eval ST bt n SA else eval ST bf n SA
      | LOOP body =>
        fun '(b, SA) => if b then eval ST (body;; (LOOP body)) n SA else Return _ (ST, SA)
      | LOOP_LEFT body =>
        fun '(ab, SA) =>
          match ab return M (state * stack (_ ::: _)) with
          | inl x => eval ST (body;; LOOP_LEFT body) n (x, SA)
          | inr y => Return _ (ST, (y, SA))
      | DIP i =>
        fun '(y, SA) => bind (fun '(ST, SC) => Return _ (ST, (y, SC))) (eval ST i n SA)
      | EXEC =>
        fun '(x, (f, SA)) =>
          bind (fun '(ST, (y, tt)) => Return _ (ST, (y, SA))) (eval ST f n (x, tt))
      | DROP => fun '(_, SA) => Return _ (ST, SA)
      | DUP => fun '(x, SA) => Return _ (ST, (x, (x, SA)))
      | SWAP => fun '(x, (y, SA)) => Return _ (ST, (y, (x, SA)))
      | PUSH a x => fun SA => Return _ (ST, (concrete_data_to_data _ x, SA))
      | UNIT => fun SA => Return _ (ST, (tt, SA))
      | LAMBDA a b code => fun SA => Return _ (ST, (code, SA))
      | EQ => fun '(x, SA) => Return _ (ST, ((x =? 0)%Z, SA))
      | NEQ => fun '(x, SA) => Return _ (ST, (negb (x =? 0)%Z, SA))
      | LT => fun '(x, SA) => Return _ (ST, ((x <? 0)%Z, SA))
      | GT => fun '(x, SA) => Return _ (ST, ((x >? 0)%Z, SA))
      | LE => fun '(x, SA) => Return _ (ST, ((x <=? 0)%Z, SA))
      | GE => fun '(x, SA) => Return _ (ST, ((x >=? 0)%Z, SA))
      | @OR _ _ _ s =>
        fun '(x, (y, SA)) => Return _ (ST, (or_fun _ (bitwise_variant_field _ s) x y, SA))
      | @AND _ _ _ s =>
        fun '(x, (y, SA)) => Return _ (ST, (and _ (bitwise_variant_field _ s) x y, SA))
      | @XOR _ _ _ s =>
        fun '(x, (y, SA)) => Return _ (ST, (xor _ (bitwise_variant_field _ s) x y, SA))
      | @NOT _ _ _ s =>
        fun '(x, SA) => Return _ (ST, (not _ _ (not_variant_field _ s) x, SA))
      | @NEG _ _ _ s =>
        fun '(x, SA) => Return _ (ST, (neg _ (neg_variant_field _ s) x, SA))
      | ABS => fun '(x, SA) => Return _ (ST, (Z.abs_N x, SA))
      | @ADD _ _ _ _ s =>
        fun '(x, (y, SA)) =>
          bind (fun r => Return _ (ST, (r, SA)))
               (add _ _ _ (add_variant_field _ _ s) x y)
      | @SUB _ _ _ _ s =>
        fun '(x, (y, SA)) =>
          bind (fun r => Return _ (ST, (r, SA)))
               (sub _ _ _ (sub_variant_field _ _ s) x y)
      | @MUL _ _ _ _ s =>
        fun '(x, (y, SA)) =>
          bind (fun r => Return _ (ST, (r, SA)))
               (mul _ _ _ (mul_variant_field _ _ s) x y)
      | @EDIV _ _ _ _ s =>
        fun '(x, (y, SA)) =>
          Return _ (ST, (ediv _ _ _ _ (ediv_variant_field _ _ s) x y, SA))
      | LSL => fun '(x, (y, SA)) => Return _ (ST, (N.shiftl x y, SA))
      | LSR => fun '(x, (y, SA)) => Return _ (ST, (N.shiftr x y, SA))
      | COMPARE =>
        fun '(x, (y, SA)) => Return _ (ST, (comparison_to_int (compare _ x y), SA))
      | @CONCAT _ _ _ s =>
        fun '(x, (y, SA)) =>
          Return _ (ST, (concat _ (stringlike_variant_field _ s) x y, SA))
      | @SLICE _ _ _ i =>
        fun '(n1, (n2, (s, SA))) =>
          Return _ (ST, (slice _ (stringlike_variant_field _ i) n1 n2 s, SA))
      | PAIR => fun '(x, (y, SA)) => Return _ (ST, ((x, y), SA))
      | CAR => fun '((x, y), SA) => Return _ (ST, (x, SA))
      | CDR => fun '((x, y), SA) => Return _ (ST, (y, SA))
      | EMPTY_SET a => fun SA => Return _ (ST, (set.empty _ (compare a), SA))
      | @MEM _ _ _ _ s =>
        fun '(x, (y, SA)) =>
          Return _ (ST, (mem _ _ (mem_variant_field _ _ s) x y, SA))
      | @UPDATE _ _ _ _ _ s =>
        fun '(x, (y, (z, SA))) =>
          Return _ (ST, (update _ _ _ (update_variant_field _ _ _ s) x y z, SA))
      | @ITER _ _ _ s _ body =>
        fun '(x, SA) =>
          match iter_destruct _ _ (iter_variant_field _ s) x with
          | None => Return _ (ST, SA)
          | Some ((a, y)) =>
            bind (fun '(ST, SB) =>
                    eval ST (ITER body) n (y, SB))
                 (eval ST body n (a, SA))
      | @SIZE _ _ _ s =>
        fun '(x, SA) => Return _ (ST, (N.of_nat (size _ (size_variant_field _ s) x), SA))
      | EMPTY_MAP k val =>
        fun SA => Return _ (ST, (map.empty (comparable_data k) (data val) _, SA))
      | @GET _ _ _ _ s =>
        fun '(x, (y, SA)) =>
          Return _ (ST, (get _ _ _ (get_variant_field _ _ s) x y, SA))
      | @MAP _ _ _ _ s _ body =>
        let v := (map_variant_field _ _ s) in
        fun '(x, SA) =>
          match map_destruct _ _ _ _ v x with
          | None => Return _ (ST, (map_empty _ _ _ _ v, SA))
          | Some (a, y) =>
            bind (fun '(ST, (b, SB)) =>
                    bind (fun '(ST, (c, SC)) =>
                            Return _ (ST, (map_insert _ _ _ _ v a b c,
                         (eval ST (MAP body) n (y, SB)))
                 (eval ST body n (a, SA))
      | SOME => fun '(x, SA) => Return _ (ST, (Some x, SA))
      | NONE _ => fun SA => Return _ (ST, (None, SA))
      | IF_NONE bt bf =>
        fun '(b, SA) =>
          match b with
          | None => eval ST bt n SA
          | Some b => eval ST bf n (b, SA)
      | LEFT _ => fun '(x, SA) => Return _ (ST, (inl x, SA))
      | RIGHT _ => fun '(x, SA) => Return _ (ST, (inr x, SA))
      | IF_LEFT bt bf =>
        fun '(b, SA) =>
          match b with
          | inl a => eval ST bt n (a, SA)
          | inr b => eval ST bf n (b, SA)
      | IF_RIGHT bt bf =>
        fun '(b, SA) =>
          match b with
          | inl a => eval ST bf n (a, SA)
          | inr b => eval ST bt n (b, SA)
      | CONS => fun '(x, (y, SA)) => Return _ (ST, (cons x y, SA))
      | NIL _ => fun SA => Return _ (ST, (nil, SA))
      | IF_CONS bt bf =>
        fun '(l, SA) =>
          match l with
          | cons a b => eval ST bt n (a, (b, SA))
          | nil => eval ST bf n SA
        fun '(a, (b, (c, (d, (e, (f, (g, SA))))))) =>
          let (oper, addr) := create_contract env _ _ a b c d e f g in
          Return _ (ST, (oper, (addr, SA)))
      | CREATE_CONTRACT_literal _ _ f =>
        fun '(a, (b, (c, (d, (e, (g, SA)))))) =>
          let (oper, addr) := create_contract env _ _ a b c d e f g in
          Return _ (ST, (oper, (addr, SA)))
        fun '(a, (b, (c, (d, SA)))) =>
          let '(ST, (oper, contr)) := create_account env a b c d ST in
          Return _ (ST, (oper, (contr, SA)))
        fun '(a, (b, (c, SA))) =>
          let (ST, oper) := transfer_tokens env _ a b c ST in
          Return _ (ST, (oper, SA))
      | SET_DELEGATE =>
        fun '(x, SA) =>
          let (ST, oper) := set_delegate env x ST in
          Return _ (ST, (oper, SA))
      | BALANCE => fun SA => Return _ (ST, (balance env, SA))
      | ADDRESS =>
        fun '(x, SA) => Return _ (ST, (address_ env _ x, SA))
      | CONTRACT _ =>
        fun '(x, SA) => Return _ (ST, (contract_ env _ x, SA))
      | SOURCE => fun SA => Return _ (ST, (source env, SA))
      | SENDER => fun SA => Return _ (ST, (sender env, SA))
      | SELF => fun SA => Return _ (ST, (self env, SA))
      | AMOUNT => fun SA => Return _ (ST, (amount env, SA))
        fun '(x, SA) => Return _ (ST, (implicit_account env x, SA))
      | STEPS_TO_QUOTA =>
        fun SA =>
          let (ST, steps) := steps_to_quota env ST in
          Return _ (ST, (steps, SA))
      | NOW => fun SA => Return _ (ST, (now env, SA))
      | PACK => fun '(x, SA) => Return _ (ST, ((pack env _ x, SA)))
      | UNPACK => fun '(x, SA) => Return _ (ST, (unpack env _ x, SA))
      | HASH_KEY => fun '(x, SA) => Return _ (ST, (hash_key env x, SA))
      | BLAKE2B => fun '(x, SA) => Return _ (ST, (blake2b env x, SA))
      | SHA256 => fun '(x, SA) => Return _ (ST, (sha256 env x, SA))
      | SHA512 => fun '(x, SA) => Return _ (ST, (sha512 env x, SA))
        fun '(x, (y, (z, SA))) =>
          Return _ (ST, (check_signature env x y z, SA))
      | DIG n Hlen => fun SA => Return _ (ST, (stack_dig SA n (eq_sym Hlen)))
      | DUG n Hlen => fun SA => Return _ (ST, (stack_dug SA n (eq_sym Hlen)))

  (* The evaluator does not depend on the amount of fuel provided *)
  Lemma eval_deterministic_le :
    forall fuel1 fuel2,
      fuel1 <= fuel2 ->
      forall ST {A B} (i : instruction A B) st,
        success (eval ST i fuel1 st) ->
        eval ST i fuel1 st = eval ST i fuel2 st.
    induction fuel1; intros fuel2 Hle ST A B i st Hsucc.
    - apply not_false in Hsucc.
    - destruct fuel2.
      + inversion Hle.
      + apply le_S_n in Hle.
        specialize (IHfuel1 fuel2 Hle).
        destruct i; try reflexivity.
        * simpl in Hsucc.
          destruct (success_bind _ _ Hsucc) as (x, (H1, H2)).
          rewrite <- IHfuel1.
          -- rewrite H1.
             destruct x.
             apply IHfuel1.
          -- apply success_eq_return in H1.
             exact H1.
        * destruct st as ([], st); rewrite IHfuel1; try assumption; reflexivity.
        * destruct st as ([], st).
          -- rewrite IHfuel1; try assumption; reflexivity.
          -- reflexivity.
        * destruct st as ([x|y], st).
          -- rewrite IHfuel1; try assumption; reflexivity.
          -- reflexivity.
        * destruct st; rewrite IHfuel1.
          -- reflexivity.
          -- simpl in Hsucc.
             destruct (success_bind _ _ Hsucc) as (x, (H1, H2)).
             apply success_eq_return in H1.
             exact H1.
        * destruct st as (x, (f, SA)).
          rewrite IHfuel1.
          -- reflexivity.
          -- simpl in Hsucc.
             apply success_bind_arg in Hsucc.
        * destruct st as (x, SA).
          generalize Hsucc; clear Hsucc.
          destruct (iter_destruct (iter_elt_type collection i) collection
                                  (iter_variant_field collection i) x).
          -- destruct d.
             fold stack.
             intro Hsucc.
             rewrite <- IHfuel1.
             ++ destruct (success_bind _ _ Hsucc) as ((ST2, SB), (Ha, Hb)).
                rewrite Ha.
                apply IHfuel1.
             ++ apply success_bind_arg in Hsucc.
          -- reflexivity.
        * destruct st as (x, SA).
          generalize Hsucc; clear Hsucc.
          fold stack.
          destruct (map_destruct (map_in_type collection b i)
                                 (map_out_collection_type collection b i)
                                 (map_variant_field collection b i) x).
          -- destruct d.
             intro Hsucc.
             rewrite <- IHfuel1.
             ++ destruct (success_bind _ _ Hsucc) as ((ST2, (c, SC)), (Ha, Hb)).
                destruct (success_bind _ _ Hb) as ((dd, SD), (Hm, _)).
                rewrite Ha.
                rewrite <- IHfuel1.
                ** reflexivity.
                ** rewrite Hm.
             ++ apply success_bind_arg in Hsucc.
          -- reflexivity.
        * destruct st as ([|], SA); rewrite IHfuel1.
          -- reflexivity.
          -- exact Hsucc.
          -- reflexivity.
          -- exact Hsucc.
        * destruct st as ([|], SA); rewrite IHfuel1.
          -- reflexivity.
          -- exact Hsucc.
          -- reflexivity.
          -- exact Hsucc.
        * destruct st as ([|], SA); rewrite IHfuel1.
          -- reflexivity.
          -- exact Hsucc.
          -- reflexivity.
          -- exact Hsucc.
        * destruct st as ([|], SA); rewrite IHfuel1.
          -- reflexivity.
          -- exact Hsucc.
          -- reflexivity.
          -- exact Hsucc.

  Lemma eval_deterministic_success_both fuel1 fuel2 ST {A B} (i : instruction A B) S :
    success (eval ST i fuel1 S) ->
    success (eval ST i fuel2 S) ->
    eval ST i fuel1 S = eval ST i fuel2 S.
    case (le_ge_dec fuel1 fuel2).
    - intros Hle Hsucc _.
      apply eval_deterministic_le; assumption.
    - unfold ge.
      intros Hle _ Hsucc.
      apply eval_deterministic_le; assumption.

  Definition eval_precond_body
             (eval_precond_n : forall {A B}, instruction A B -> (state * stack B -> Prop) -> state * stack A -> Prop)
             A B
             (i : instruction A B) :
    (state * stack B -> Prop) -> (state * stack A -> Prop) :=
    match i with
    | FAILWITH => fun _ _ => false
    | NOOP => fun psi st => psi st
    | SEQ B C => fun psi =>
                   eval_precond_n B (eval_precond_n C psi)
    | IF_ bt bf =>
      fun psi '(ST, (b, SA)) => if b then eval_precond_n bt psi (ST, SA)
                                else eval_precond_n bf psi (ST, SA)
    | LOOP body =>
      fun psi '(ST, (b, SA)) => if b then eval_precond_n (body;; (LOOP body)) psi (ST, SA)
                                else psi (ST, SA)
    | LOOP_LEFT body =>
      fun psi '(ST, (ab, SA)) =>
        match ab with
        | inl x => eval_precond_n (body;; LOOP_LEFT body) psi (ST, (x, SA))
        | inr y => psi (ST, (y, SA))
    | DIP i =>
      fun psi '(ST, (y, SA)) => eval_precond_n i (fun '(ST, SB) => psi (ST, (y, SB))) (ST, SA)
    | EXEC =>
      fun psi '(ST, (x, (f, SA))) =>
        eval_precond_n f (fun '(ST, (y, tt)) => psi (ST, (y, SA))) (ST, (x, tt))
    | DROP => fun psi '(ST, (_, SA)) => psi (ST, SA)
    | DUP => fun psi '(ST, (x, SA)) => psi (ST, (x, (x, SA)))
    | SWAP => fun psi '(ST, (x, (y, SA))) => psi (ST, (y, (x, SA)))
    | PUSH a x => fun psi '(ST, SA) => psi (ST, (concrete_data_to_data _ x, SA))
    | UNIT => fun psi '(ST, SA) => psi (ST, (tt, SA))
    | LAMBDA a b code => fun psi '(ST, SA) => psi (ST, (code, SA))
    | EQ => fun psi '(ST, (x, SA)) => psi (ST, ((x =? 0)%Z, SA))
    | NEQ => fun psi '(ST, (x, SA)) => psi (ST, (negb (x =? 0)%Z, SA))
    | LT => fun psi '(ST, (x, SA)) => psi (ST, ((x <? 0)%Z, SA))
    | GT => fun psi '(ST, (x, SA)) => psi (ST, ((x >? 0)%Z, SA))
    | LE => fun psi '(ST, (x, SA)) => psi (ST, ((x <=? 0)%Z, SA))
    | GE => fun psi '(ST, (x, SA)) => psi (ST, ((x >=? 0)%Z, SA))
    | @OR _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) => psi (ST, (or_fun _ (bitwise_variant_field _ s) x y, SA))
    | @AND _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) => psi (ST, (and _ (bitwise_variant_field _ s) x y, SA))
    | @XOR _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) => psi (ST, (xor _ (bitwise_variant_field _ s) x y, SA))
    | @NOT _ _ _ s =>
      fun psi '(ST, (x, SA)) => psi (ST, (not _ _ (not_variant_field _ s) x, SA))
    | @NEG _ _ _ s =>
      fun psi '(ST, (x, SA)) => psi (ST, (neg _ (neg_variant_field _ s) x, SA))
    | ABS => fun psi '(ST, (x, SA)) => psi (ST, (Z.abs_N x, SA))
    | @ADD _ _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) =>
        precond (add _ _ _ (add_variant_field _ _ s) x y) (fun z => psi (ST, (z, SA)))
    | @SUB _ _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) =>
        precond (sub _ _ _ (sub_variant_field _ _ s) x y) (fun z => psi (ST, (z, SA)))
    | @MUL _ _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) =>
        precond (mul _ _ _ (mul_variant_field _ _ s) x y) (fun z => psi (ST, (z, SA)))
    | @EDIV _ _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) =>
        psi (ST, (ediv _ _ _ _ (ediv_variant_field _ _ s) x y, SA))
    | LSL => fun psi '(ST, (x, (y, SA))) => psi (ST, (N.shiftl x y, SA))
    | LSR => fun psi '(ST, (x, (y, SA))) => psi (ST, (N.shiftr x y, SA))
    | COMPARE =>
      fun psi '(ST, (x, (y, SA))) => psi (ST, (comparison_to_int (compare _ x y), SA))
    | @CONCAT _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) =>
        psi (ST, (concat _ (stringlike_variant_field _ s) x y, SA))
    | @SLICE _ _ _ i =>
      fun psi '(ST, (n1, (n2, (s, SA)))) =>
        psi (ST, (slice _ (stringlike_variant_field _ i) n1 n2 s, SA))
    | PAIR => fun psi '(ST, (x, (y, SA))) => psi (ST, ((x, y), SA))
    | CAR => fun psi '(ST, ((x, y), SA)) => psi (ST, (x, SA))
    | CDR => fun psi '(ST, ((x, y), SA)) => psi (ST, (y, SA))
    | EMPTY_SET a => fun psi '(ST, SA) => psi (ST, (set.empty _ (compare a), SA))
    | @MEM _ _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) =>
        psi (ST, (mem _ _ (mem_variant_field _ _ s) x y, SA))
    | @UPDATE _ _ _ _ _ s =>
      fun psi '(ST, (x, (y, (z, SA)))) =>
        psi (ST, (update _ _ _ (update_variant_field _ _ _ s) x y z, SA))
    | @ITER _ _ _ s _ body =>
      fun psi '(ST, (x, SA)) =>
        match iter_destruct _ _ (iter_variant_field _ s) x with
        | None => psi (ST, SA)
        | Some (a, y) =>
          eval_precond_n body
                       (fun '(ST, SB) => eval_precond_n (ITER body) psi (ST, (y, SB)))
                       (ST, (a, SA))
    | @SIZE _ _ _ s =>
      fun psi '(ST, (x, SA)) => psi (ST, (N.of_nat (size _ (size_variant_field _ s) x), SA))
    | EMPTY_MAP k val =>
      fun psi '(ST, SA) => psi (ST, (map.empty (comparable_data k) (data val) _, SA))
    | @GET _ _ _ _ s =>
      fun psi '(ST, (x, (y, SA))) => psi (ST, (get _ _ _ (get_variant_field _ _ s) x y, SA))
    | @MAP _ _ _ _ s _ body =>
      let v := (map_variant_field _ _ s) in
      fun psi '(ST, (x, SA)) =>
        match map_destruct _ _ _ _ v x with
        | None => psi (ST, (map_empty _ _ _ _ v, SA))
        | Some (a, y) =>
          eval_precond_n body
            (fun '(ST, (b, SB)) =>
               eval_precond_n (MAP body)
                 (fun '(ST, (c, SC)) => psi (ST, (map_insert _ _ _ _ v a b c, SC)))
                 (ST, (y, SB)))
            (ST, (a, SA))
    | SOME => fun psi '(ST, (x, SA)) => psi (ST, (Some x, SA))
    | NONE _ => fun psi '(ST, SA) => psi (ST, (None, SA))
    | IF_NONE bt bf =>
      fun psi '(ST, (b, SA)) =>
        match b with
        | None => eval_precond_n bt psi (ST, SA)
        | Some b => eval_precond_n bf psi (ST, (b, SA))
    | LEFT _ => fun psi '(ST, (x, SA)) => psi (ST, (inl x, SA))
    | RIGHT _ => fun psi '(ST, (x, SA)) => psi (ST, (inr x, SA))
    | IF_LEFT bt bf =>
      fun psi '(ST, (b, SA)) =>
        match b with
        | inl a => eval_precond_n bt psi (ST, (a, SA))
        | inr b => eval_precond_n bf psi (ST, (b, SA))
    | IF_RIGHT bt bf =>
      fun psi '(ST, (b, SA)) =>
        match b with
        | inl a => eval_precond_n bf psi (ST, (a, SA))
        | inr b => eval_precond_n bt psi (ST, (b, SA))
    | CONS => fun psi '(ST, (x, (y, SA))) => psi (ST, (cons x y, SA))
    | NIL _ => fun psi '(ST, SA) => psi (ST, (nil, SA))
    | IF_CONS bt bf =>
      fun psi '(ST, (l, SA)) =>
        match l with
        | cons a b => eval_precond_n bt psi (ST, (a, (b, SA)))
        | nil => eval_precond_n bf psi (ST, SA)
      fun psi '(ST, (a, (b, (c, (d, (e, (f, (g, SA)))))))) =>
        let (oper, addr) := create_contract env _ _ a b c d e f g in
        psi (ST, (oper, (addr, SA)))
    | CREATE_CONTRACT_literal _ _ f =>
      fun psi '(ST, (a, (b, (c, (d, (e, (g, SA))))))) =>
        let (oper, addr) := create_contract env _ _ a b c d e f g in
        psi (ST, (oper, (addr, SA)))
      fun psi '(ST, (a, (b, (c, (d, SA))))) =>
        let '(ST2, (oper, contr)) := create_account env a b c d ST in
        psi (ST2, (oper, (contr, SA)))
      fun psi '(ST, (a, (b, (c, SA)))) =>
        let (ST2, oper) := transfer_tokens env _ a b c ST in
        psi (ST2, (oper, SA))
      fun psi '(ST, (x, SA)) =>
        let (ST2, oper) := set_delegate env x ST in
        psi (ST2, (oper, SA))
    | BALANCE =>
      fun psi '(ST, SA) => psi (ST, (balance env, SA))
    | ADDRESS =>
      fun psi '(ST, (x, SA)) => psi (ST, (address_ env _ x, SA))
    | CONTRACT _ =>
      fun psi '(ST, (x, SA)) => psi (ST, (contract_ env _ x, SA))
    | SOURCE => fun psi '(ST, SA) => psi (ST, (source env, SA))
    | SENDER => fun psi '(ST, SA) => psi (ST, (sender env, SA))
    | SELF => fun psi '(ST, SA) => psi (ST, (self env, SA))
    | AMOUNT => fun psi '(ST, SA) => psi (ST, (amount env, SA))
      fun psi '(ST, (x, SA)) => psi (ST, (implicit_account env x, SA))
      fun psi '(ST, SA) =>
        let (ST2, steps) := steps_to_quota env ST in
        psi (ST2, (steps, SA))
    | NOW => fun psi '(ST, SA) => psi (ST, (now env, SA))
    | PACK => fun psi '(ST, (x, SA)) => psi (ST, (pack env _ x, SA))
    | UNPACK =>
      fun psi '(ST, (x, SA)) => psi (ST, (unpack env _ x, SA))
    | HASH_KEY =>
      fun psi '(ST, (x, SA)) => psi (ST, (hash_key env x, SA))
    | BLAKE2B =>
      fun psi '(ST, (x, SA)) => psi (ST, (blake2b env x, SA))
    | SHA256 => fun psi '(ST, (x, SA)) => psi (ST, (sha256 env x, SA))
    | SHA512 => fun psi '(ST, (x, SA)) => psi (ST, (sha512 env x, SA))
      fun psi '(ST, (x, (y, (z, SA)))) =>
        psi (ST, (check_signature env x y z, SA))
    | DIG n Hlen => 
      fun psi '(ST, st) => psi (ST, (stack_dig st n (eq_sym Hlen)))
    | DUG n Hlen =>
      fun psi '(ST, st) => psi (ST, (stack_dug st n (eq_sym Hlen)))

  Fixpoint eval_precond (fuel : Datatypes.nat) :
    forall {A B},
      instruction A B ->
      (state * stack B -> Prop) -> (state * stack A -> Prop) :=
    match fuel with
    | O => fun _ _ _ _ _ => false
    | S n =>
      eval_precond_body (@eval_precond n)

  Lemma eval_precond_correct {A B} (i : instruction A B) n st ST psi :
    precond (eval ST i n st) psi <-> eval_precond n i psi (ST, st).
    generalize A B i st ST psi; clear A B i st ST psi.
    induction n; intros A B i st ST psi; [simpl; intuition|].
    destruct i; simpl; fold data stack.
    - reflexivity.
    - destruct st; reflexivity.
    - rewrite precond_bind.
      rewrite <- IHn.
      apply precond_eqv.
      intros (ST2, SB).
      apply IHn.
    - destruct st as ([|], st); auto.
    - destruct st as ([|], st).
      + apply IHn.
      + simpl. reflexivity.
    - destruct st as ([|], st); simpl.
      + apply (IHn _ _ (i;; LOOP_LEFT i)).
      + reflexivity.
    - destruct st as (y, st).
      rewrite precond_bind.
      rewrite <- IHn.
      apply precond_eqv.
      intros (ST2, SC). reflexivity.
    - destruct st as (x, (f, st)).
      rewrite precond_bind.
      rewrite <- IHn.
      apply precond_eqv.
      intros (ST2, (y, [])).
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - reflexivity.
    - reflexivity.
    - reflexivity.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st as (x, (y, st)); rewrite precond_bind; reflexivity.
    - destruct st as (x, (y, st)); rewrite precond_bind; reflexivity.
    - destruct st as (x, (y, st)); rewrite precond_bind; reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st; reflexivity.
    - destruct st as (x, (y, (z, st))); reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as ((x, y), st); reflexivity.
    - destruct st as ((x, y), st); reflexivity.
    - reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, (y, (z, st))); reflexivity.
    - destruct st as (x, st).
      destruct (iter_destruct (iter_elt_type collection i) collection
                              (iter_variant_field collection i) x) as [(hd, tl)|].
      + rewrite precond_bind.
        rewrite <- IHn.
        apply precond_eqv.
        intros (ST2, SA).
        apply IHn.
      + reflexivity.
    - reflexivity.
    - destruct st as (x, (y, st)); reflexivity.
    - destruct st as (x, st).
      destruct (map_destruct (map_in_type collection b i) b collection
                             (map_out_collection_type collection b i)
                             (map_variant_field collection b i) x) as [(hd, tl)|].
      + rewrite precond_bind.
        rewrite <- IHn.
        apply precond_eqv.
        intros (ST2, (bb, SA)).
        rewrite precond_bind.
        rewrite <- IHn.
        apply precond_eqv.
        intros (ST3, (c, B)).
      + reflexivity.
    - destruct st; reflexivity.
    - reflexivity.
    - destruct st as ([|], st); apply IHn.
    - destruct st; reflexivity.
    - destruct st; reflexivity.
    - destruct st as ([|], st); apply IHn.
    - destruct st as ([|], st); apply IHn.
    - destruct st as (x, (y, st)); reflexivity.
    - reflexivity.
    - destruct st as ([|], st); apply IHn.
    - destruct st as (a, (b, (c, (d, (e, (f, (g0, SA))))))).
      destruct (create_contract env g p a b c d e f g0).
    - destruct st as (a, (b, (c, (d, (e, (g0, SA)))))).
      destruct (create_contract env g p a b c d e i g0).
    - destruct st as (a, (b, (c, (d, SA)))).
      destruct (create_account env a b c d ST) as (ST2, (oper, contr)).
    - destruct st as (a, (b, (c, SA))).
      destruct (transfer_tokens env p a b c ST) as (ST2, oper).
    - destruct st as (a, SA).
      destruct (set_delegate env a ST) as (ST2, oper).
    - reflexivity.
    - destruct st as (a, SA).
    - destruct st as (a, SA).
    - reflexivity.
    - reflexivity.
    - reflexivity.
    - reflexivity.
    - destruct st as (a, SA).
    - destruct (steps_to_quota env ST) as (ST2, steps).
    - reflexivity.
    - destruct st as (x, SA).
    - destruct st as (x, SA).
    - destruct st as (x, SA).
    - destruct st as (x, SA).
    - destruct st as (x, SA).
    - destruct st as (x, SA).
    - destruct st as (a, (b, (c, SA))).
    - reflexivity.
    - reflexivity.

End semantics.
