spurious Hoare logic match error connected to simplification hints

[alleystoughton]

(* below is a problem with the Hoare logic match tactic
   (there is an identical problem with the one-sided match
   of pRHL)

   taking out either of the simplification hints removes
   the error *)

type ('a, 'b) epdp = {enc : 'a -> 'b; dec : 'b -> 'a option}.

op valid_epdp (epdp : ('a, 'b) epdp) : bool =
  (forall (x : 'a), epdp.`dec (epdp.`enc x) = Some x) /\
  (forall (y : 'b, x : 'a), epdp.`dec y = Some x => epdp.`enc x = y).

lemma epdp_enc_dec (epdp : ('a, 'b) epdp, x : 'a) :
  valid_epdp epdp => epdp.`dec (epdp.`enc x) = Some x.
proof.
rewrite /valid_epdp => [[enc_dec _]].
by rewrite enc_dec.
qed.

hint simplify [reduce] epdp_enc_dec.

op my_epdp : (int, int) epdp.

axiom valid_my_epdp : valid_epdp my_epdp.

hint simplify [eqtrue] valid_my_epdp.

module M = {
  proc f(m : int) : unit = {
    match (my_epdp.`dec m) with
    | None => {}
    | Some x => {}
    end;
  }
}.

lemma foo :
  hoare [M.f : m = my_epdp.`enc witness ==> true].
proof.
proc.
(*
Current goal

Type variables: <none>

------------------------------------------------------------------------
Context : {m : int}

pre = m = my_epdp.`enc witness

(1)  match (my_epdp.`dec m) with
(1)  | None => {                
(1)  }                          
(1)  | Some x => {              
(1)  }                          

post = true
*)
match.
(* error:
cannot clear x that is/are used in the conclusion
*)

[alleystoughton]

Note: the "x" in the error message has nothing to do with the bound variable in the second clause of the match.

[namasikanam]

I met the same error for some reason, which I don't know. I don't have an explicit assumption, but the error disappeared when I tried to extract the pattern matching from the loop. Here's an minimal working example.

require import AllCore List Distr DList DBool.

type value.
type cell.

type opkind = [Read | Write].

type t1 = {
  height    : int;
}.

type inst = [
  | Rd of cell
  | Wt of (cell * value)
].
type prog = inst list.

module M1 = {
  proc oread(t1 : t1, c : cell) : t1 = {
    return t1;
  }

  proc owrite(t1 : t1, c : cell, v : value) : t1 = {
    return t1;
  }

  proc compile(o : t1, p : prog) : t1 = {
    var i : int;
    i <- 0;
    while (i < size p) {
      match (nth witness p i) with
      | Rd c => { o <@ oread(o, c); }
      | Wt t => { o <@ owrite(o, t.`1, t.`2); }
      end;
    }
    return o;
  }
}.

type t2 = {
  iheight   : int;
}.

module M2 = {
  proc compile(o : t2, p : prog) : t2 = {
    var i : int;
    i <- 0;
    while (i < size p) {
    }
    return o;
  }
}.

op rel (C : cell -> bool) (h : int) (t1 : t1) = t1.`height = h.

lemma internal_compile (_h : int) (_p : prog) :
     equiv[M1.compile ~ M2.compile : true ==> true].
proof.
proc => //=.
sp.
while (
  (exists (C : cell -> bool), rel C _h o{1})
).
+ match{1}.