538 files changed, 16716 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..00ce93e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,22 @@
+*.aux
+*.glob
+*.vio
+*.vo
+*.vok
+*.vos
+.CoqMakefile.d
+.Makefile.coq.d
+.direnv
+.lia.cache
+Makefile.coq
+Makefile.coq.conf
+*#*.v#
+*~
+_build/
+_coverage/
+_opam/
+result
+mininix_history
+.vscode/
+.envrc
+mininix.install
diff --git a/.ocamlformat b/.ocamlformat
new file mode 100644
index 0000000..9ed4c26
--- /dev/null
+++ b/.ocamlformat
@@ -0,0 +1 @@
+version = 0.27.0
diff --git a/.ocamlformat-ignore b/.ocamlformat-ignore
new file mode 100644
index 0000000..fb55689
--- /dev/null
+++ b/.ocamlformat-ignore
@@ -0,0 +1 @@
+lib/mininix/extraction.*
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..412a78c
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,564 @@
+License information for this artifact
+=====================================
+This artifact consists of a few parts. We choose to license most of
+our code under the 3-clause BSD license (SPDX: BSD-3-Clause), with an
+exception of the Nix test suite that we have adopted, which remains
+licensed under LGPL 2.1 (SPDX: LGPL-2.1-or-later).
+Specifically:
+- The following files in lib/nix/ are derived from nixformat [1] by
+  Denis Korzunov:
+    lexer.ml, nix.ml, parser.mly, printer.ml and types.ml
+  nixformat is licensed under ISC (SPDX: ISC). For consistency, we
+  choose to relicense these files under the 3-clause BSD license (as
+  it subsumes the ISC license). We also include a copy of the ISC
+  license as required.
+- The files in test/testdata/ come from Nix [2] and remain licensed
+  under version 2.1 of the LGPL license. We also include a copy of
+  this license below. The only exception here is the file
+    test/testdata/importdef.sexp
+  which was created by us (and is therefore licensed under the 3-clause BSD
+  license).
+- Any files not described by the preceding items is licensed under the
+  3-clause BSD license.
+[1]: https://github.com/d2km/nixformat
+[2]: https://github.com/NixOs/nix
+The 3-clause BSD license (BSD-3-Clause)
+---------------------------------------
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+    1. Redistributions of source code must retain the above copyright
+       notice, this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above
+       copyright notice, this list of conditions and the following
+       disclaimer in the documentation and/or other materials provided
+       with the distribution.
+    3. Neither the name of the copyright holder nor the names of its
+       contributors may be used to endorse or promote products derived
+       from this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+The ISC license (ISC)
+---------------------
+Permission to use, copy, modify, and /or distribute this software for
+any purpose with or without fee is hereby granted, provided that the
+above copyright notice and this permission notice appear in all
+copies.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
+WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+Version 2.1 of the LGPL license (LGPL-2.1-or-later)
+---------------------------------------------------
+Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+[This is the first released version of the Lesser GPL. It also counts
+as the successor of the GNU Library Public License, version 2, hence
+the version number 2.1.]
+Preamble
+The licenses for most software are designed to take away your freedom
+to share and change it. By contrast, the GNU General Public Licenses
+are intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.
+This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it. You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations
+below.
+When we speak of free software, we are referring to freedom of use,
+not price. Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights. These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you. You must make sure that they, too, receive or can get the source
+code. If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it. And you must show them these terms so they know their rights.
+We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+To protect each distributor, we want to make it very clear that there
+is no warranty for the free library. Also, if the library is modified
+by someone else and passed on, the recipients should know that what
+they have is not the original version, so that the original author's
+reputation will not be affected by problems that might be introduced
+by others.
+Finally, software patents pose a constant threat to the existence of
+any free program. We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder. Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License. This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License. We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+When a program is linked with a library, whether statically or using a
+shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library. The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom. The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License. It also provides other free software developers Less
+of an advantage over competing non-free programs. These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries. However, the Lesser license provides advantages in certain
+special circumstances.
+For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it
+becomes a de-facto standard. To achieve this, non-free programs must
+be allowed to use the library. A more frequent case is that a free
+library does the same job as widely used non-free libraries. In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software. For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+The precise terms and conditions for copying, distribution and
+modification follow. Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library". The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+GNU LESSER GENERAL PUBLIC LICENSE
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+     0. This License Agreement applies to any software library or
+        other program which contains a notice placed by the copyright
+        holder or other authorized party saying it may be distributed
+        under the terms of this Lesser General Public License (also
+        called "this License"). Each licensee is addressed as "you".
+ 
+        A "library" means a collection of software functions and/or
+        data prepared so as to be conveniently linked with application
+        programs (which use some of those functions and data) to form
+        executables.
+ 
+        The "Library", below, refers to any such software library or
+        work which has been distributed under these terms. A "work
+        based on the Library" means either the Library or any
+        derivative work under copyright law: that is to say, a work
+        containing the Library or a portion of it, either verbatim or
+        with modifications and/or translated straightforwardly into
+        another language. (Hereinafter, translation is included
+        without limitation in the term "modification".)
+ 
+        "Source code" for a work means the preferred form of the work
+        for making modifications to it. For a library, complete source
+        code means all the source code for all modules it contains,
+        plus any associated interface definition files, plus the
+        scripts used to control compilation and installation of the
+        library.
+ 
+        Activities other than copying, distribution and modification
+        are not covered by this License; they are outside its scope.
+        The act of running a program using the Library is not
+        restricted, and output from such a program is covered only if
+        its contents constitute a work based on the Library
+        (independent of the use of the Library in a tool for writing
+        it). Whether that is true depends on what the Library does and
+        what the program that uses the Library does. 1. You may copy
+        and distribute verbatim copies of the Library's complete
+        source code as you receive it, in any medium, provided that
+        you conspicuously and appropriately publish on each copy an
+        appropriate copyright notice and disclaimer of warranty; keep
+        intact all the notices that refer to this License and to the
+        absence of any warranty; and distribute a copy of this License
+        along with the Library.
+ 
+        You may charge a fee for the physical act of transferring a
+        copy, and you may at your option offer warranty protection in
+        exchange for a fee.
+ 
+     2. You may modify your copy or copies of the Library or any
+        portion of it, thus forming a work based on the Library, and
+        copy and distribute such modifications or work under the terms
+        of Section 1 above, provided that you also meet all of these
+        conditions:
+ 
+         a) The modified work must itself be a software library.
+         b) You must cause the files modified to carry prominent
+            notices stating that you changed the files and the date of
+            any change.
+         c) You must cause the whole of the work to be licensed at no
+            charge to all third parties under the terms of this
+            License.
+         d) If a facility in the modified Library refers to a function
+            or a table of data to be supplied by an application
+            program that uses the facility, other than as an argument
+            passed when the facility is invoked, then you must make a
+            good faith effort to ensure that, in the event an
+            application does not supply such function or table, the
+            facility still operates, and performs whatever part of its
+            purpose remains meaningful.
+ 
+        (For example, a function in a library to compute square roots
+        has a purpose that is entirely well-defined independent of the
+        application. Therefore, Subsection 2d requires that any
+        application-supplied function or table used by this function
+        must be optional: if the application does not supply it, the
+        square root function must still compute square roots.)
+ 
+        These requirements apply to the modified work as a whole. If
+        identifiable sections of that work are not derived from the
+        Library, and can be reasonably considered independent and
+        separate works in themselves, then this License, and its
+        terms, do not apply to those sections when you distribute them
+        as separate works. But when you distribute the same sections
+        as part of a whole which is a work based on the Library, the
+        distribution of the whole must be on the terms of this
+        License, whose permissions for other licensees extend to the
+        entire whole, and thus to each and every part regardless of
+        who wrote it.
+ 
+        Thus, it is not the intent of this section to claim rights or
+        contest your rights to work written entirely by you; rather,
+        the intent is to exercise the right to control the
+        distribution of derivative or collective works based on the
+        Library.
+ 
+        In addition, mere aggregation of another work not based on the
+        Library with the Library (or with a work based on the Library)
+        on a volume of a storage or distribution medium does not bring
+        the other work under the scope of this License.
+ 
+     3. You may opt to apply the terms of the ordinary GNU General
+        Public License instead of this License to a given copy of the
+        Library. To do this, you must alter all the notices that refer
+        to this License, so that they refer to the ordinary GNU
+        General Public License, version 2, instead of to this License.
+        (If a newer version than version 2 of the ordinary GNU General
+        Public License has appeared, then you can specify that version
+        instead if you wish.) Do not make any other change in these
+        notices.
+ 
+        Once this change is made in a given copy, it is irreversible
+        for that copy, so the ordinary GNU General Public License
+        applies to all subsequent copies and derivative works made
+        from that copy.
+ 
+        This option is useful when you wish to copy part of the code
+        of the Library into a program that is not a library.
+ 
+     4. You may copy and distribute the Library (or a portion or
+        derivative of it, under Section 2) in object code or
+        executable form under the terms of Sections 1 and 2 above
+        provided that you accompany it with the complete corresponding
+        machine-readable source code, which must be distributed under
+        the terms of Sections 1 and 2 above on a medium customarily
+        used for software interchange.
+ 
+        If distribution of object code is made by offering access to
+        copy from a designated place, then offering equivalent access
+        to copy the source code from the same place satisfies the
+        requirement to distribute the source code, even though third
+        parties are not compelled to copy the source along with the
+        object code.
+ 
+     5. A program that contains no derivative of any portion of the
+        Library, but is designed to work with the Library by being
+        compiled or linked with it, is called a "work that uses the
+        Library". Such a work, in isolation, is not a derivative work
+        of the Library, and therefore falls outside the scope of this
+        License.
+ 
+        However, linking a "work that uses the Library" with the
+        Library creates an executable that is a derivative of the
+        Library (because it contains portions of the Library), rather
+        than a "work that uses the library". The executable is
+        therefore covered by this License. Section 6 states terms for
+        distribution of such executables.
+ 
+        When a "work that uses the Library" uses material from a
+        header file that is part of the Library, the object code for
+        the work may be a derivative work of the Library even though
+        the source code is not. Whether this is true is especially
+        significant if the work can be linked without the Library, or
+        if the work is itself a library. The threshold for this to be
+        true is not precisely defined by law.
+ 
+        If such an object file uses only numerical parameters, data
+        structure layouts and accessors, and small macros and small
+        inline functions (ten lines or less in length), then the use
+        of the object file is unrestricted, regardless of whether it
+        is legally a derivative work. (Executables containing this
+        object code plus portions of the Library will still fall under
+        Section 6.)
+ 
+        Otherwise, if the work is a derivative of the Library, you may
+        distribute the object code for the work under the terms of
+        Section 6. Any executables containing that work also fall
+        under Section 6, whether or not they are linked directly with
+        the Library itself.
+ 
+     6. As an exception to the Sections above, you may also combine or
+        link a "work that uses the Library" with the Library to
+        produce a work containing portions of the Library, and
+        distribute that work under terms of your choice, provided that
+        the terms permit modification of the work for the customer's
+        own use and reverse engineering for debugging such
+        modifications.
+ 
+        You must give prominent notice with each copy of the work that
+        the Library is used in it and that the Library and its use are
+        covered by this License. You must supply a copy of this
+        License. If the work during execution displays copyright
+        notices, you must include the copyright notice for the Library
+        among them, as well as a reference directing the user to the
+        copy of this License. Also, you must do one of these things:
+ 
+         a) Accompany the work with the complete corresponding
+            machine-readable source code for the Library including
+            whatever changes were used in the work (which must be
+            distributed under Sections 1 and 2 above); and, if the
+            work is an executable linked with the Library, with the
+            complete machine-readable "work that uses the Library", as
+            object code and/or source code, so that the user can
+            modify the Library and then relink to produce a modified
+            executable containing the modified Library. (It is
+            understood that the user who changes the contents of
+            definitions files in the Library will not necessarily be
+            able to recompile the application to use the modified
+            definitions.)
+         b) Use a suitable shared library mechanism for linking with
+            the Library. A suitable mechanism is one that (1) uses at
+            run time a copy of the library already present on the
+            user's computer system, rather than copying library
+            functions into the executable, and (2) will operate
+            properly with a modified version of the library, if the
+            user installs one, as long as the modified version is
+            interface-compatible with the version that the work was
+            made with.
+         c) Accompany the work with a written offer, valid for at
+            least three years, to give the same user the materials
+            specified in Subsection 6a, above, for a charge no more
+            than the cost of performing this distribution.
+         d) If distribution of the work is made by offering access to
+            copy from a designated place, offer equivalent access to
+            copy the above specified materials from the same place.
+         e) Verify that the user has already received a copy of these
+            materials or that you have already sent this user a copy.
+ 
+        For an executable, the required form of the "work that uses
+        the Library" must include any data and utility programs needed
+        for reproducing the executable from it. However, as a special
+        exception, the materials to be distributed need not include
+        anything that is normally distributed (in either source or
+        binary form) with the major components (compiler, kernel, and
+        so on) of the operating system on which the executable runs,
+        unless that component itself accompanies the executable.
+ 
+        It may happen that this requirement contradicts the license
+        restrictions of other proprietary libraries that do not
+        normally accompany the operating system. Such a contradiction
+        means you cannot use both them and the Library together in an
+        executable that you distribute.
+ 
+     7. You may place library facilities that are a work based on the
+        Library side-by-side in a single library together with other
+        library facilities not covered by this License, and distribute
+        such a combined library, provided that the separate
+        distribution of the work based on the Library and of the other
+        library facilities is otherwise permitted, and provided that
+        you do these two things:
+ 
+         a) Accompany the combined library with a copy of the same
+            work based on the Library, uncombined with any other
+            library facilities. This must be distributed under the
+            terms of the Sections above.
+         b) Give prominent notice with the combined library of the
+            fact that part of it is a work based on the Library, and
+            explaining where to find the accompanying uncombined form
+            of the same work.
+ 
+     8. You may not copy, modify, sublicense, link with, or distribute
+        the Library except as expressly provided under this License.
+        Any attempt otherwise to copy, modify, sublicense, link with,
+        or distribute the Library is void, and will automatically
+        terminate your rights under this License. However, parties who
+        have received copies, or rights, from you under this License
+        will not have their licenses terminated so long as such
+        parties remain in full compliance.
+ 
+     9. You are not required to accept this License, since you have
+        not signed it. However, nothing else grants you permission to
+        modify or distribute the Library or its derivative works.
+        These actions are prohibited by law if you do not accept this
+        License. Therefore, by modifying or distributing the Library
+        (or any work based on the Library), you indicate your
+        acceptance of this License to do so, and all its terms and
+        conditions for copying, distributing or modifying the Library
+        or works based on it.
+    10. Each time you redistribute the Library (or any work based on
+        the Library), the recipient automatically receives a license
+        from the original licensor to copy, distribute, link with or
+        modify the Library subject to these terms and conditions. You
+        may not impose any further restrictions on the recipients'
+        exercise of the rights granted herein. You are not responsible
+        for enforcing compliance by third parties with this License.
+    11. If, as a consequence of a court judgment or allegation of
+        patent infringement or for any other reason (not limited to
+        patent issues), conditions are imposed on you (whether by
+        court order, agreement or otherwise) that contradict the
+        conditions of this License, they do not excuse you from the
+        conditions of this License. If you cannot distribute so as to
+        satisfy simultaneously your obligations under this License and
+        any other pertinent obligations, then as a consequence you may
+        not distribute the Library at all. For example, if a patent
+        license would not permit royalty-free redistribution of the
+        Library by all those who receive copies directly or indirectly
+        through you, then the only way you could satisfy both it and
+        this License would be to refrain entirely from distribution of
+        the Library.
+        If any portion of this section is held invalid or
+        unenforceable under any particular circumstance, the balance
+        of the section is intended to apply, and the section as a
+        whole is intended to apply in other circumstances.
+        It is not the purpose of this section to induce you to
+        infringe any patents or other property right claims or to
+        contest validity of any such claims; this section has the sole
+        purpose of protecting the integrity of the free software
+        distribution system which is implemented by public license
+        practices. Many people have made generous contributions to the
+        wide range of software distributed through that system in
+        reliance on consistent application of that system; it is up to
+        the author/donor to decide if he or she is willing to
+        distribute software through any other system and a licensee
+        cannot impose that choice.
+        This section is intended to make thoroughly clear what is
+        believed to be a consequence of the rest of this License.
+    12. If the distribution and/or use of the Library is restricted in
+        certain countries either by patents or by copyrighted
+        interfaces, the original copyright holder who places the
+        Library under this License may add an explicit geographical
+        distribution limitation excluding those countries, so that
+        distribution is permitted only in or among countries not thus
+        excluded. In such case, this License incorporates the
+        limitation as if written in the body of this License.
+    13. The Free Software Foundation may publish revised and/or new
+        versions of the Lesser General Public License from time to
+        time. Such new versions will be similar in spirit to the
+        present version, but may differ in detail to address new
+        problems or concerns.
+        Each version is given a distinguishing version number. If the
+        Library specifies a version number of this License which
+        applies to it and "any later version", you have the option of
+        following the terms and conditions either of that version or
+        of any later version published by the Free Software
+        Foundation. If the Library does not specify a license version
+        number, you may choose any version ever published by the Free
+        Software Foundation.
+    14. If you wish to incorporate parts of the Library into other
+        free programs whose distribution conditions are incompatible
+        with these, write to the author to ask for permission. For
+        software which is copyrighted by the Free Software Foundation,
+        write to the Free Software Foundation; we sometimes make
+        exceptions for this. Our decision will be guided by the two
+        goals of preserving the free status of all derivatives of our
+        free software and of promoting the sharing and reuse of
+        software generally.
+    NO WARRANTY
+    15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+        WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY
+        APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
+        COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS
+        IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+        MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+        ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY
+        IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+        THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+    16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+        WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY
+        MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE
+        LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
+        INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
+        INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO
+        LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
+        SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY
+        TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR
+        OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+        DAMAGES.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..ac8dba0
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,55 @@
+# Default target
+all: Makefile.coq
+        +@$(MAKE) -f Makefile.coq all
+.PHONY: all
+# Permit local customization
+-include Makefile.local
+# Forward most targets to Coq makefile (with some trick to make this phony)
+%: Makefile.coq phony
+        @#echo "Forwarding $@"
+        +@$(MAKE) -f Makefile.coq $@
+phony: ;
+.PHONY: phony
+clean: Makefile.coq
+        +@$(MAKE) -f Makefile.coq clean
+        @# Make sure not to enter the `_opam` folder.
+        find [a-z]*/ \( -name "*.d" -o -name "*.vo" -o -name "*.vo[sk]" -o -name "*.aux" -o -name "*.cache" -o -name "*.glob" -o -name "*.vio" \) -print -delete || true
+        rm -f Makefile.coq .lia.cache builddep/*
+.PHONY: clean
+# Create Coq Makefile.
+Makefile.coq: _CoqProject Makefile
+        "$(COQBIN)coq_makefile" -f _CoqProject -o Makefile.coq $(EXTRA_COQFILES)
+# Install build-dependencies
+OPAMFILES=$(wildcard *.opam)
+BUILDDEPFILES=$(addsuffix -builddep.opam, $(addprefix builddep/,$(basename $(OPAMFILES))))
+builddep/%-builddep.opam: %.opam Makefile
+        @echo "# Creating builddep package for $<."
+        @mkdir -p builddep
+        @sed <$< -E 's/^(build|install|remove):.*/\1: []/; s/"(.*)"(.*= *version.*)$$/"\1-builddep"\2/;' >$@
+builddep-opamfiles: $(BUILDDEPFILES)
+.PHONY: builddep-opamfiles
+builddep: builddep-opamfiles
+        @# We want opam to not just install the build-deps now, but to also keep satisfying these
+        @# constraints.  Otherwise, `opam upgrade` may well update some packages to versions
+        @# that are incompatible with our build requirements.
+        @# To achieve this, we create a fake opam package that has our build-dependencies as
+        @# dependencies, but does not actually install anything itself.
+        @echo "# Installing builddep packages."
+        @opam install $(OPAMFLAGS) $(BUILDDEPFILES)
+.PHONY: builddep
+# Backwards compatibility target
+build-dep: builddep
+.PHONY: build-dep
+# Some files that do *not* need to be forwarded to Makefile.coq.
+# ("::" lets Makefile.local overwrite this.)
+Makefile Makefile.local _CoqProject $(OPAMFILES):: ;
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ad7b1b7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,383 @@
+Artifact for "Verified Interpreters for Dynamic Languages with Applications to the Nix Expression Language"
+===========================================================================================================
+This is the accompanying artifact for the following paper:
+> Rutger Broekhoff and Robbert Krebbers. 2025. Verified Interpreters for Dynamic Languages with Applications to the Nix Expression Language. _Proc. ACM Program. Lang._ 9, ICFP, Article 268 (August 2025), 29 pages. https://doi.org/10.1145/3747537
+This artifact primarily consists of two components:
+1. A Rocq formalization of the languages presented in the paper (LambdaLang; § 2, DynLang; § 3, EvalLang; § 3.4, NixLang; § 4).
+   This includes operational semantics and properties, an interpreter and correctness proof, plus some tests and examples.
+2. An OCaml front-end for NixLang (§ 5), which elaborates Nix source files into NixLang.
+   These are then evaluated using the NixLang interpreter, which is derived from the Rocq sources using Rocq's program extraction functionality.
+> N.B.: If you are using the VM image that we provide for evaluating the artifact, then all necessary dependencies will already be installed using `opam`.
+> You can directly proceed with using the [Dune project and Makefile](#dune-project-and-makefile) or [using the CLI](#usage-of-the-cli).
+For the purposes of evaluating the artifact, we suggest the following steps:
+1. [Building](#building) (this must certainly be done first).
+2. Comparing that the mechanized semantics and interpreters of the defined languages match those presented in the paper.
+   The mechanization of all languages follows a [common structure](#structure-of-the-mechanization), but we also have a [table](#index-of-definitions-and-theories) that points you directly to the relevant definitions.
+3. Comparing that the mechanized theorems correspond to those presented in the paper.
+   We have a [table](#index-of-definitions-and-theories) that lists all theorems in the paper and their corresponding version in the formalization.
+   The paper mentions some properties/proofs in passing, we list the corresponding mechanized versions for these as well (but it may be less relevant to verify these, as they are primarily used as stepping stones for the major theorems presented in the paper).
+4. Exercising the Nix test suite on our interpreter and verifying that this gives the same results as presented in the paper (§ 5).
+5. Trying out some Nix programs in our REPL.
+   The paper (§ 1, § 4.1, § 5) contains some examples that might be interesting to try out.
+You may also be interested in the [axioms used](#use-of-axioms) by the mechanization, or in reproducing the interpreter coverage number (91.77%, § 5, p. 22) and Table 1 (§ 5 p. 22).
+How to do this depends on the build method that you are using, see the followings section.
+> N.B.: We have only verified this artifact to function on Linux (Arch Linux, Debian) and macOS. It does not work on Windows.
+## Building
+As mentioned at the start, this project consists of two parts: the Rocq mechanization and the front-end of the Nix interpreter.
+The front-end of the Nix interpreter, which uses the makes use of the NixLang interpreter (written in Rocq, extracted to OCaml), is built using [Dune](https://dune.build/).
+The Dune project also takes care of checking all of the parts of the Rocq mechanization, and extracting the NixLang interpreter to OCaml.
+However, for convenience, we have a separate (classic) `Makefile` which checks only the Rocq sources (this may be more familiar to some, and will explicitly print the files being checked).
+(Do note that Dune will refuse to build if the `.vo` files resulting from the checking process are not cleaned up; this can be done using `make clean`.)
+*Both parts require dependencies.*
+We have two main ways of managing the dependencies of the project: either using Nix or `opam`.
+If you are familiar with Nix and have it available to you, it will likely be most easy to use.
+If you are just interested in using Nix to build the project (so not directly interacting with the Dune project / Makefile), look [here](#building-with-nix).
+If you are instead interested in interacting with `dune`, Makefile and/or other scripts in this repository, you should probably use the Nix devshell instead.
+For that, look [here](#managing-dependencies-nix-devshell).
+With the devshell set up, you can then proceed with using the [Dune project and Makefile](#dune-project-and-makefile).
+If you cannot or do not want to use Nix, there is always still `opam`.
+Look [here](#managing-dependencies-opam) to see how to install project dependencies with `opam`.
+With the dependencies installed using `opam`, you can then proceed with using the [Dune project and Makefile](#dune-project-and-makefile).
+### Building with Nix
+> N.B.: Only do this if you are solely interested in building/testing and/or using the artifact. If you are interested in being able to manually use the `Makefile` and Dune project, you should use a Nix devshell instead; look [here](#nix-devshell) for instructions.
+Run `nix-build` (or equivalently `nix-build ./default.nix`) to build and test the artifact. This will take a few minutes.
+The resulting CLI should then be available as `./result/bin/mininix`.
+See how to use the CLI [below](#usage-of-the-cli).
+For some more details on the test suite, look [here](#use-of-the-nix-language-tests).
+Run `nix-build ./axioms.nix` to generate the list of axioms used by the formalization.
+This is equivalent to running `make validate`.
+The output of `coqchk` should be printed directly, but will also be stored at `./result/coqchk-output`.
+See [below](#use-of-axioms) for more information on the axioms used.
+In the paper, we report a 91.77% coverage for the interpreter code extracted from Rocq.
+To generate the coverage report, run `nix-build ./coverage.nix`.
+The coverage report should then be available as `./result/coverage/report-plain` (a text file, look for `lib/extraction/interp.ml` for the interpreter coverage).
+A HTML version is also generated, the report for the interpreter should then be available under `./result/coverage/html/lib/extraction/interp.ml.html`.
+To generate the line counts for the Rocq development (for comparison with Table 1 in the article), run `nix-build ./cloc.nix`.
+The resulting report should be available as a text file `./result/formalization-loc-report`.
+### Managing dependencies: Nix devshell
+The Nix devshell gives you a shell where all required dependencies are installed for you, so you do not have to fiddle with `opam`, but can still use the Dune project and Makefile that we provide.
+There are a few ways that you can use the devshell.
+Enter the devshell by running `nix-shell`.
+You can then proceed with using the [Dune project and Makefile](#dune-project-and-makefile) *inside of the Nix devshell*.
+### Managing dependencies: opam
+First, ensure that your `opam` repositories are up-to-date:
+```sh
+opam update
+```
+For maximum flexibility and reproducibility, we recommend running the following
+command to create a new opam switch in which the pinned dependencies are
+installed (this includes the required Rocq, Flocq, Rocq-std++ versions etc.):
+```sh
+# Leave out the --locked flag if not on Linux!
+opam switch create ./ --repos default,rocq-released=https://rocq-prover.org/opam/released --deps-only --locked
+```
+It may be necessary to activate the newly set up opam switch as follows (if
+you are not sure and opam instructs you to run this after creating the switch:
+_do_ run it):
+```sh
+eval $(opam env)
+```
+The [Dune project `Makefile`](#dune-project-and-makefile) can then be used as usual.
+### Dune project and `Makefile`
+#### The Makefile (just the formalization)
+If you are solely interested in the Rocq sources, you may make use of the `Makefile` to check and build Rocq sources and dependencies, provided that you have the appropriate [Rocq](https://rocq-prover.org/), [Flocq](https://flocq.gitlabpages.inria.fr/) and [Rocq-std++](https://gitlab.mpi-sws.org/iris/stdpp) versions available (8.20.1, 4.2.0/4.2.1 and 1.11.0 resp.).
+When using a Nix devshell or an `opam` switch with the required dependencies installed (instructions above), this should work automatically.
+Run `make` to check all files in the formalization.
+Run `make validate` to print the axioms used.
+See [below](#use-of-axioms) for more information on the axioms used.
+#### The Dune project (formalization + front-end)
+> N.B.: Dune will produce errors if `.vo` files generated by the `Makefile` are present.
+> Remove these by running `make clean`.
+> The Dune project will then build.
+This step assumes that you have dependencies installed and available, either using `opam` or a Nix devshell.
+See the relevant sections above.
+To check all proofs and build the CLI, use `dune build -p mininix`.
+To then run the CLI, use `./_build/default/bin/main.exe` (see how to use it [below](#usage-of-the-cli)).
+To execute the test suite, use `dune test` (this may take a few minutes).
+For some more details on the test suite, look [here](#use-of-the-nix-language-tests).
+To generate the coverage report, run `./coverage.sh` (this will take a few minutes).
+The report will then be printed directly (look for `lib/extraction/interp.ml`).
+A detailed HTML report should also be available under `_coverage/html/lib/extraction/interp.ml.html`.
+To generate the line counts for the Rocq development (for comparison with Table 1 in the article), make sure that `cloc` and `jq` are installed (if not using the provided Nix shell).
+Then run `./cloc-rocq.sh` to print the report.
+## Usage of the CLI
+Depending on how you built the CLI, it will be available to you as `./_build/default/bin/main.exe` (Dune) or `./result/bin/mininix` (Nix).
+In these examples, replace `<cli>` with the actual path of the CLI binary.
+- As a Nix REPL: `<cli> repl`.
+  Various meta-commands are available: `:quit`, `:run`, `:set` and `:settings`.
+  Autocomplete for these meta-commands is available; it is possible to cycle through suggestions using <kbd>TAB</kbd>.
+  Input can be canceled using <kbd>Ctrl+C</kbd> and the REPL can be quit using `:quit` or <kbd>Ctrl+D</kbd>.
+  The REPL evaluates in deep mode by default.
+  This can be changed by using `:set eval_strategy shallow`.
+  The REPL does not handle newlines in user input (a newline is processed as a request to process input).
+  The expected format of user input is the Nix language (although, as mentioned in the paper, e.g. derivations are not supported).
+  The paper (§ 1, § 4.1, § 5) contains some examples that might be interesting to try out.
+- For evaluating single files: `<cli> eval FILENAME`.
+  This command evaluates in shallow mode by default.
+  You can change to deep mode by using the flag `-strict`.
+  An import tree definition file can be passed using the `-importsdef` flag.
+  See [below](#import-tree-definitions).
+## The Rocq mechanization
+See how to check/build the mechanization [here](#build).
+This section describes the different parts of the mechanization, and how it relates to the different parts of the article.
+### Use of axioms
+See how to list the axioms used [above](#build) (look for the dependency management / build method that you are using).
+(In case that you are using the Makefile (so dependencies are managed using `opam` / the Nix devshell): run `make validate`. If you are using Nix but not the devshell: use `nix-build ./axioms.nix` (the axioms used will also be written to `result/coqchk-output`).)
+Use of four axioms will be reported, namely:
+```
+Coq.Logic.FunctionalExtensionality.functional_extensionality_dep
+Coq.Reals.ClassicalDedekindReals.sig_not_dec
+Coq.Reals.ClassicalDedekindReals.sig_forall_dec
+Coq.Logic.Classical_Prop.classic
+```
+*These are not axioms that we directly make use of.*
+Instead, they are marked as used because we import [Flocq](https://flocq.gitlabpages.inria.fr/) (so NixLang can support IEEE 754 floating point numbers, see `theories/nix/floats.v`), which imports the classical `Reals` module from the standard library.
+Running `coqchk` on the `Reals` module from the standard library gives the same list of axioms as shown above.
+### Structure of the mechanization
+There are two files that are shared by all four languages:
+- `theories/res.v`: contains the `res` monad. See also Fig 2. on p. 6.
+- `theories/utils.v`: contains some generic lemmas that are useful for all languages.
+  A decent amount of these are about finite maps, which we use heavily.
+There is a general structure for all four languages that we formalize:
+- `operational.v`: the definition of the operational semantics.
+  + Contains an inductive type `expr` for expressions.
+  + Contains a `step` relation that describes the small-step op. sem.
+  + Contains a `subst` function that gives parallel substitution (as used by `step`).
+- `operational_props.v`: properties of the operational semantics.
+  + Contains a lemma `step_det`, proving that the small-step op. sem. is deterministic.
+- `interp.v`: the definition of the interpreter.
+  + Contains the definition of values `val`, thunks `thunk` and environments `env`.
+  + Contains an `interp` function that takes some expression, environment and amount of fuel, and returns a result (timeout, fail or some value).
+        (In NixLang, we end up not using `interp` directly, but instead use `interp'` which wraps `interp` and allows specifying whether to evaluate in shallow/deep mode, cf. `⟦e⟧^{δ,E}_μ` (§ 4.4, p. 19).)
+- `interp_proofs.v`: soundness and completeness of interpreter w.r.t. operational semantics, in three main theorems:
+  + `interp_sound_complete_ret_string` (or `interp_sound_complete_ret_lit` for NixLang) proving the soundness and completeness for programs that reduce to strings (or literals in general in NixLang).
+  + `interp_sound_complete_fail` proving the soundness and completeness for programs that fault.
+  + `interp_sound_complete_no_fuel` proving the soundness and completeness for programs that loop.
+  For LambdaLang, an extra condition here is that the programs that we are considering must be closed.
+  
+  There is also always a generalized version of `interp_sound_complete_ret_string/lit`, namely `interp_sound_complete_ret`, which states that the interpreter is sound and complete w.r.t. the operational semantics for (in case of LambdaLang closed) programs that reduce to a value.
+Specific to the different languages are the following files:
+- In `theories/dynlang` (for DynLang, § 3):
+  + `equiv.v`, the equivalence of LambdaLang and DynLang for closed LambdaLang terms.
+- In `theories/evallang` (for EvalLang, § 3.4):
+  + `tests.v`, some tests of the EvalLang expression parser and interpreter.
+- In `theories/nix` (for NixLang, § 4):
+  + `floats.v`: our Flocq instantiation with some helper functions.
+  + `notations.v`: some notations to make writing NixLang programs in Rocq easier.
+  + `tests.v`: some example NixLang programs to test the functionality of the interpreter with.
+  + `wp.v`: the definition of our proof-of-concept weakest precondition-based program logic, derived rules (see § 5).
+  + `wp_examples.v`: examples of use of our WP-based program logic (see § 5).
+### Index of definitions and theories
+**Relevant definitions.**
+| In paper                                           | File and line number                  | Name                           |
+|----------------------------------------------------|---------------------------------------|--------------------------------|
+| Shared result monad (p. 6)                         | `theories/res.v:4`                    | `res`                          |
+| LambdaLang syntax (p. 6)                           | `theories/lambda/operational.v:6`     | `expr`                         |
+| LambdaLang operational semantics (p. 6)            | `theories/lambda/operational.v:21`    | `step`                         |
+| LambdaLang final expressions (p. 6)                | `theories/lambda/operational.v:28`    | `final`                        |
+| LambdaLang parallel substitution (p. 6)            | `theories/lambda/operational.v:12`    | `subst`                        |
+| LambdaLang interpreter (p. 6)                      | `theories/lambda/interp.v:34`         | `interp`                       |
+| LambdaLang interpreter data structures (p. 6)      | `theories/lambda/interp.v:7-14`       | `thunk`, `env`, `val`          |
+| DynLang syntax (p. 9)                              | `theories/dynlang/operational.v:6`    | `expr`                         |
+| DynLang operational semantics (p. 9)               | `theories/dynlang/operational.v:21`   | `step`                         |
+| DynLang final expressions (p. 9)                   | `theories/dynlang/operational.v:31`   | `final`                        |
+| DynLang parallel substitution (p. 9)               | `theories/dynlang/operational.v:12`   | `subst`                        |
+| DynLang interpreter (p. 9)                         | `theories/dynlang/interp.v:39`        | `interp`                       |
+| DynLang interpreter data structures (p. 9)         | `theories/dynlang/interp.v:7-13`      | `thunk`, `env`, `val`          |
+| EvalLang syntax (p. 11)                            | `theories/evallang/operational.v:7`   | `expr`                         |
+| EvalLang expression parser (p. 11)                 | `theories/evallang/operational.v:103` | `parse`                        |
+| EvalLang operational semantics (p. 11)             | `theories/evallang/operational.v:119` | `step`                         |
+| EvalLang final expressions (p. 11)                 | `theories/evallang/operational.v:130` | `final`                        |
+| EvalLang interpreter (p. 11)                       | `theories/evallang/interp.v:42`       | `interp`                       |
+| EvalLang interpreter data structures (p. 11)       | `theories/evallang/interp.v:7-13`     | `thunk`, `env`, `val`          |
+| NixLang syntax (p. 14)                             | `theories/nix/operational.v:67`       | `expr`                         |
+| NixLang operational semantics (p. 14)              | `theories/nix/operational.v:444`      | `step`                         |
+| NixLang evaluation contexts (p. 14)                | `theories/nix/operational.v:418`      | `ctx1`                         |
+| NixLang final expressions (p. 14)                  | `theories/nix/operational.v:139`      | `final`                        |
+| NixLang binary operator semantics (p. 15)          | `theories/nix/operational.v:297`      | `sem_bin_op`                   |
+| NixLang argument matching (p. 15)                  | `theories/nix/operational.v:398`      | `matches`                      |
+| NixLang substitution (p. 15)                       | `theories/nix/operational.v:112`      | `subst`                        |
+| NixLang interpreter (p. 18)                        | `theories/nix/interp.v:329`           | `interp`                       |
+| NixLang interpreter data structures (p. 18)        | `theories/nix/interp.v:5-21`          | `val`, `thunk`, `tattr`, `env` |
+| NixLang interpreter variant with mode arg. (p. 19) | `theories/nix/interp.v:348`           | `interp'`                      |
+**Corresponding theorems.**
+| Theorem in paper                | File and line number                  | Name                               |
+|---------------------------------|---------------------------------------|------------------------------------|
+| Theorem 2.1, Item 1 (p. 7)      | `theories/lambda/interp_proofs.v:575` | `interp_sound_complete_ret_string` |
+| Theorem 2.1, Item 2 (p. 7)      | `theories/lambda/interp_proofs.v:585` | `interp_sound_complete_fail`       |
+| Theorem 2.1, Item 3 (p. 7)      | `theories/lambda/interp_proofs.v:594` | `interp_sound_complete_no_fuel`    |
+| Lemma 2.2 (p. 8)                | `theories/lambda/interp_proofs.v:516` | `interp_sound_open`                |
+| Lemma 2.3 (p. 8)                | `theories/lambda/interp_proofs.v:402` | `interp_step`                      |
+| Lemma 2.4 (p. 8)                | `theories/lambda/interp_proofs.v:297` | `interp_proper`                    |
+| Theorem 3.1, Item 1 (p. 11)     | `theories/dynlang/equiv.v:120`        | `interp_equiv_ret_string`          |
+| Theorem 3.1, Item 2 (p. 11)     | `theories/dynlang/equiv.v:131`        | `interp_equiv_fail`                |
+| Theorem 3.1, Item 3 (p. 11)     | `theories/dynlang/equiv.v:142`        | `interp_equiv_no_fuel`             |
+| Theorem 4.1, Item 1 (p. 20) (*) | `theories/nix/interp_proofs.v:2655`   | `interp_sound_complete_ret_lit`    |
+| Theorem 4.1, Item 2 (p. 20)     | `theories/nix/interp_proofs.v:2665`   | `interp_sound_complete_fail`       |
+| Theorem 4.1, Item 3 (p. 20)     | `theories/nix/interp_proofs.v:2673`   | `interp_sound_complete_no_fuel`    |
+| Lemma 4.2 (p. 20)               | `theories/nix/interp_proofs.v:2619`   | `interp_sound_open'`               |
+| Lemma 4.3 (p. 20)               | `theories/nix/interp_proofs.v:2029`   | `interp_step'`                     |
+(*): The theorem in the formalization is stronger than the theorem presented in the paper. The latter is a trivial specialization of the former.
+**Other claims in the paper.**
+- § 2, LambdaLang:
+  + p. 7: Theorem 2.1, Item 1 generalizes to any final value.
+        See `theories/lambda/interp_proofs.v:563`, `interp_sound_complete_ret`.
+        This also holds for DynLang, EvalLang and NixLang.
+        These languages have a theory `interp_sound_complete_ret` in their respective `interp_proofs.v` files as well.
+  + p. 7: LambdaLang has a deterministic operational semantics. See `theories/lambda/operational_props.v:19`, `step_det`.
+        This also holds for DynLang, EvalLang and NixLang.
+        These languages have a theory `step_det` in their respective `operational_props.v` files as well. 
+- § 3, DynLang:
+  + p. 10: A variant of the main theorem of DynLang (Theorem 2.1) also holds for DynLang.
+        The primary difference here is that the closedness conditions are not needed for DynLang.
+        For a variant of Theorem 2.1, Item 1, see `theories/dynlang/interp_proofs.v:391`, `interp_sound_complete_ret_string`.
+        For a variant of Theorem 2.1, Item 2, see `theories/dynlang/interp_proofs.v:400`, `interp_sound_complete_fail`.
+        For a variant of Theorem 2.1, Item 3, see `theories/dynlang/interp_proofs.v:408`, `interp_sound_complete_no_fuel`.
+        A variant of the generalized version of Theorem 2.1, Item 1 also holds for DynLang.
+        See `theories/dynlang/interp_proofs.v:381`, `interp_sound_complete_ret`.
+- § 4, NixLang:
+  + p. 19/20: Theorem 4.1, Item 1 generalizes to any final value.
+  + p. 20: Lemma 4.2 follows from mutual induction on four properties.
+        For these four properties and their corresponding proof, see `theories/nix/interp_proofs.v:2267-2282` (`interp_sound_open`, `interp_thunk_sound`, `interp_app_sound`, `force_deep_sound`).
+  + p. 20: Lemma 4.3 follows from mutual induction on two properties.
+        For these two properties and their corresponding proof, see `theories/nix/interp_proofs.v:1519`, `interp_step`.
+- § 5, Evaluation (Program logic, p. 22):
+  + We can derive structural rules for WP (the application rule is presented).
+        See `theories/nix/wp.v:55`, `App_wp` for the presented application rule.
+        In general, `theories/nix/wp.v` contains all derived rules for WP.
+  + We prove the total correctness of three variants of the recursive program from § 4.1:
+        * See `theories/nix/wp_examples.v:84`, `even_rec_attr_wp'` for
+          ```nix
+          rec { f = x: if x = 0 then true else !(f (x - 1)); }.f n
+          ```
+        * See `theories/nix/wp_examples.v:132`, `even_rec_functor_wp'` for
+          ```nix
+          { "__functor " = r: x: if x == 0 then true else !(r (x - 1)); } n
+          ```
+        * See `theories/nix/wp_examples.v:157`, `even_rec_default_wp'` for
+          ```nix
+          ({ f ? (x: if x == 0 then true else !(f (x - 1))) }: f) {} n
+          ```
+  + We prove the total correctness of the following program for any non-recursive attribute set `e`:
+        ```nix
+        let x = 1; in with e; with { y = 2; }; x == y
+        ```
+        See `theories/nix/wp_examples.v:11`, `test_wp`.
+## Import tree definitions
+We do not claim to have (proper) support the `import` feature of Nix, but we do support it in a bare-bones fashion in order to be able to run the test suite.
+In the test suite, there is a file `lib.nix`, which a few test cases load by using `with import ./lib.nix; ...` (or something similar).
+To support this, we use a so-called import tree definition file, which pre-declares all files that may be imported.
+In the test suite, for example, we have created a `test/testdata/importdef.sexp` file, which looks like this:
+```
+(deps ./lib.nix)
+```
+This means that the file `lib.nix` should be available to be imported for all files in the `test/testdata` folder.
+Such `importdef.sexp` files are discovered automatically by walking up the directory tree from the path of the file to be evaluated (or in case of the REPL, from the current working directory).
+The general syntax (`<forest>`) is as follows: `(deps <tree>)`, where `<tree>` is either `<filename>` or `(<filename> <forest>)`
+In general, the primitive imports mechanism works as follows:
+- All path expressions (_e.g.,_ `./lib.nix`) in the Nix source file are converted to strings representing their absolute path.
+- We load all dependencies and evaluate them to NixLang values.
+- We put all of these values in a NixLang attribute set (`VAttr`, see `theories/nix/interp.v:14`), where we associate the NixLang value of each imported file with the original filename (as an absolute path).
+- We then create a NixLang function `import <filename>` (using `VClo`, see `theories/nix/interp.v:9`) that takes a string and returns the value for that file (if indeed forward-declared in the import tree definition).
+- This function is then inserted into the global environment of the file that we want to evaluate.
+This process is performed recursively, hence recursive imports are also supported.
+## Use of the Nix language tests
+When exercising the official Nix language tests on our extracted interpreter, we do not exactly consider all tests in the Nix test suite.
+Since we are only interested in tests for the interpreter, and not so much in tests for the parser, we only consider the `eval-*` test files in the `test/testdata` folder.
+There are two types of tests that we have here: tests where evaluation should succeed, and tests where evaluation should fail.
+This is simply marked in the filename; Nix files that should fail to evaluate are named `eval-fail-*.nix` and files that should evaluate successfully are named `eval-okay-*.nix`.
+For the former, there are expected error outputs that the interpreter should produce, but we are not interested in reproducing these (nor would this be realistic with our setup).
+For the latter, there are also expected output expressions, which can be found in matching `eval-okay-*.exp`.
+However, there are two `eval-okay-*.nix` files for which no such matching `eval-okay-*.exp` file exists:
+- `eval-okay-tail-call-1.nix`: a file `eval-okay-tail-call-1.exp-disabled` exists; we hence do not consider this test.
+- `eval-okay-xml.nix`: a file `eval-okay-xml.exp.xml` exists, but we are not interested in converting the resulting term to XML to validate the result of this test.
+The total amount of `eval-fail-*.nix` files and pairs of `eval-okay-*.nix` and `eval-okay-*.exp` files informs our total count of interpreter tests that we consider to begin with, namely 182 (§ 5, p. 21).
+For these tests again, we explicitly list 74 tests that should be ignored in `./test/test_mininix.ml`, since they cover functionality of Nix that is out of scope for our paper.
+We end up with 108 tests that we exercise our interpreter on.
+Our interpreter passes 103 of these tests, and times out for five tests due to its call-by-name nature.
+Some more details can be found in the paper, in § 5.
+## General project structure
+- The `theories` folder contains the Rocq formalization. See the [structure of the mechanization](#structure-of-the-mechanization).
+- The `bin` folder contains the entrypoint for the command-line interface.
+- The `lib` folder contains the Nix parser, elaborator and interpreter extraction
+  + The `nix` subfolder contains an adapted version of the parser and pretty-printer from nixformat (licensed under ISC) by Denis Korzunov.
+    See https://github.com/d2km/nixformat.
+    Some improvements were made to the parser and pretty-printer.
+    The file `elaborator.ml`, not part of nixformat, in this folder is concerned with desugaring attribute paths among other things; you may consider this a 'normalizing' stage, which allows the elaborator to our core language to be more concise.
+  + The `mininix` subfolder is the most important here. It contains, among
+    other files:
+    - `nix2mininix.ml`, elaboration of Nix into our core language
+    - `builtins.nix`, our implementation of builtins in Nix, in our core Nix language, where we liberally use 'core' builtins (available as binary operations) that are specific to the core language
+    - `conv.ml`, conversion between numeric types in OCaml and Rocq/Flocq
+    - `import.ml`, very bare-bones support for imports, used in the test suite
+  + The `extraction` folder contains a file that extracts the core language interpreter and some auxiliary functions to OCaml
+- The `explorer` folder contains some utilities for converting the Rocq Mechanization to a static site.
diff --git a/_CoqProject b/_CoqProject
new file mode 100644
index 0000000..49e7e24
--- /dev/null
+++ b/_CoqProject
@@ -0,0 +1,31 @@
+-Q theories mininix
+theories/utils.v
+theories/res.v
+theories/lambda/operational.v
+theories/lambda/operational_props.v
+theories/lambda/interp.v
+theories/lambda/interp_proofs.v
+theories/dynlang/operational.v
+theories/dynlang/operational_props.v
+theories/dynlang/interp.v
+theories/dynlang/interp_proofs.v
+theories/dynlang/equiv.v
+theories/evallang/operational.v
+theories/evallang/operational_props.v
+theories/evallang/interp.v
+theories/evallang/interp_proofs.v
+theories/evallang/tests.v
+theories/nix/floats.v
+theories/nix/operational.v
+theories/nix/operational_props.v
+theories/nix/interp.v
+theories/nix/notations.v
+theories/nix/tests.v
+theories/nix/interp_proofs.v
+theories/nix/wp.v
+theories/nix/wp_examples.v
diff --git a/axioms.nix b/axioms.nix
new file mode 100644
index 0000000..1bdbefb
--- /dev/null
+++ b/axioms.nix
@@ -0,0 +1,22 @@
+{ pkgs ? import ./nixpkgs-pinned.nix {} }: with pkgs;
+stdenv.mkDerivation {
+  name = "mininix-axioms";
+  src = ./.;
+  nativeBuildInputs = [ coq_8_20 ];
+  buildInputs = (with coqPackages_8_20; [
+    flocq
+    stdpp
+  ]);
+  buildPhase = ''
+    make validate 2>&1 | tee coqchk-output
+  '';
+  installPhase = ''
+    mkdir -p $out
+    mv coqchk-output $out
+  '';
+}
diff --git a/bin/dune b/bin/dune
new file mode 100644
index 0000000..2a56b29
--- /dev/null
+++ b/bin/dune
@@ -0,0 +1,14 @@
+(executable
+ (public_name mininix)
+ (name main)
+ (preprocess
+  (pps ppx_let))
+ (libraries
+  nix
+  core
+  core_unix.command_unix
+  linenoise
+  mininix
+  sexp_pretty
+  stdio
+  ppx_let))
diff --git a/bin/main.ml b/bin/main.ml
new file mode 100644
index 0000000..e4ca4b9
--- /dev/null
+++ b/bin/main.ml
@@ -0,0 +1,26 @@
+open Core
+let repl =
+  Command.basic ~summary:"run the Mininix REPL" (Command.Param.return Repl.run)
+let eval =
+  Command.basic ~summary:"run a Nix file"
+    (let%map_open.Command filename = anon ("FILENAME" %: string)
+     and strict = flag "strict" no_arg ~doc:"use deep evaluation strategy"
+     and importsdef =
+       flag "importsdef" (optional string) ~doc:"import tree definition file"
+     in
+     fun () ->
+       Settings.opts.eval_strategy := if strict then `Deep else `Shallow;
+       Settings.opts.imports_def_file := importsdef;
+       let ok =
+         if String.(filename = "-") then Run.eval_stdin ()
+         else Run.eval_file filename
+       in
+       if ok then exit 0 else exit 1)
+let main =
+  Command.group ~summary:"the Mininix interpreter"
+    [ ("repl", repl); ("eval", eval) ]
+let () = Command_unix.run main
diff --git a/bin/repl.ml b/bin/repl.ml
new file mode 100644
index 0000000..092c503
--- /dev/null
+++ b/bin/repl.ml
@@ -0,0 +1,52 @@
+open Core
+open Option.Let_syntax
+let ok = ref true
+let opts = Settings.opts
+let rec user_input cb =
+  let prompt = (if !ok then "[okay]" else "[fail]") ^ " (mini)nix> " in
+  try
+    match LNoise.linenoise prompt with
+    | None -> ()
+    | Some v ->
+        cb v;
+        user_input cb
+  with Sys_unix.Break ->
+    printf "\n%!";
+    user_input cb
+let split_cmd_prefix cmd =
+  let%bind cmd = String.chop_prefix ~prefix:":" cmd in
+  let cmd' = Repl_cmd.lstrip_space cmd in
+  let space = String.chop_suffix_exn cmd ~suffix:cmd' in
+  return (":" ^ space, cmd')
+let handle_cmd cmd =
+  let cmd = Repl_cmd.strip_space cmd in
+  (match split_cmd_prefix cmd with
+  | Some (_, cmd) -> ok := Repl_cmd.invoke cmd
+  | None ->
+      if String.(strip cmd <> "") then
+        ok := Run.eval_expr cmd ~origin:Interactive);
+  printf "\n%!"
+let run () =
+  LNoise.set_multiline true;
+  LNoise.history_load ~filename:"mininix_history" |> ignore;
+  LNoise.history_set ~max_length:500 |> ignore;
+  LNoise.set_hints_callback (fun line ->
+      let%bind _, cmd = split_cmd_prefix line in
+      let%bind hint = Repl_cmd.hint cmd in
+      return (hint, LNoise.Yellow, true));
+  LNoise.set_completion_callback (fun line_so_far completions ->
+      match split_cmd_prefix line_so_far with
+      | Some (prefix, cmd_so_far) ->
+          Repl_cmd.complete cmd_so_far
+          |> List.map ~f:(String.append prefix)
+          |> List.iter ~f:(LNoise.add_completion completions)
+      | None -> ());
+  user_input (fun from_user ->
+      LNoise.history_add from_user |> ignore;
+      LNoise.history_save ~filename:"mininix_history" |> ignore;
+      handle_cmd from_user)
diff --git a/bin/repl_cmd.ml b/bin/repl_cmd.ml
new file mode 100644
index 0000000..9ebeae7
--- /dev/null
+++ b/bin/repl_cmd.ml
@@ -0,0 +1,178 @@
+open Core
+open Option.Let_syntax
+let join_str_list ~sep = function
+  | [] -> ""
+  | s :: ss -> List.fold ss ~init:s ~f:(fun acc s -> acc ^ sep ^ s)
+type cmd = {
+  args : string;
+  opts : unit -> string list;
+  next : (string -> (string, cmd) Either.t) option;
+  call : string list -> bool;
+}
+let set_opt_cmd opt setting =
+  {
+    args = "<option value>";
+    opts = (fun () -> Settings.allowed_values setting);
+    next = None;
+    call =
+      (fun args ->
+        match Settings.set_to setting args with
+        | None -> true
+        | Some msg ->
+            printf "Failed to set option %s: %s\n%!" opt msg;
+            false);
+  }
+let set_cmd =
+  {
+    args = "<option name> <option value>";
+    opts = (fun () -> Map.keys Settings.settings);
+    next =
+      Some
+        (fun opt ->
+          match Map.find Settings.settings opt with
+          | Some setting -> Second (set_opt_cmd opt setting)
+          | None -> First (sprintf "Unknown option '%s'" opt));
+    call =
+      (fun _ ->
+        printf "Missing option argument value\n%!";
+        false);
+  }
+let settings_cmd =
+  {
+    args = "";
+    opts = (fun () -> []);
+    next = None;
+    call =
+      (function
+      | [] ->
+          Settings.print ();
+          true
+      | _ ->
+          printf "Expected no arguments\n%!";
+          false);
+  }
+let run_cmd =
+  {
+    args = "<filename>";
+    opts = (fun () -> []);
+    next = None;
+    call =
+      (function
+      | [ filename ] -> Run.eval_file filename
+      | _ ->
+          printf "Expected one argument (the filename)\n%!";
+          false);
+  }
+let quit_cmd =
+  { args = ""; opts = (fun () -> []); next = None; call = (fun _ -> exit 0) }
+let commands =
+  Map.of_alist_exn
+    (module String)
+    [
+      ("quit", quit_cmd);
+      ("set", set_cmd);
+      ("settings", settings_cmd);
+      ("run", run_cmd);
+    ]
+let root_cmd =
+  {
+    args = "<command>";
+    opts = (fun () -> Map.keys commands);
+    next =
+      Some
+        (fun cmd_name ->
+          match Map.find commands cmd_name with
+          | Some cmd -> Second cmd
+          | None ->
+              First
+                (sprintf "Unknown command '%s' (expected one of {%s})" cmd_name
+                   (Map.keys commands |> join_str_list ~sep:", ")));
+    call =
+      (fun _ ->
+        printf "Missing command!\n%!";
+        false);
+  }
+let is_space = Char.( = ) ' '
+let strip_space = String.strip ~drop:is_space
+let lstrip_space = String.lstrip ~drop:is_space
+let clean_str_list ss =
+  ss |> List.map ~f:strip_space
+  |> List.filter ~f:(fun s -> not (String.is_empty s))
+let words s = s |> String.split ~on:' ' |> clean_str_list
+let unwords ss = clean_str_list ss |> join_str_list ~sep:" "
+let rec call cmd args =
+  match args with
+  | [] -> cmd.call []
+  | arg0 :: argn -> (
+      match cmd.next with
+      | None -> cmd.call args
+      | Some next -> (
+          match next arg0 with
+          | First msg ->
+              printf "%s\n%!" msg;
+              false
+          | Second cmd' -> call cmd' argn))
+let try_lsplit2_space s =
+  match String.lsplit2 s ~on:' ' with Some (l, r) -> (l, r) | None -> (s, "")
+let lsplit2_space' s =
+  let%bind l, r = String.lsplit2 s ~on:' ' in
+  (* s = l ^ " " ^ r *)
+  let r' = lstrip_space r in
+  let space = " " ^ String.chop_suffix_exn r ~suffix:r' in
+  (* s = l ^ space ^ r' *)
+  return (l, space, r')
+let rec completions cmd args =
+  (* cmd|<TAB> -> options
+     cmd|abc<TAB> -> options with prefix 'abc'
+     cmd|abc .*<TAB> -> subcommand 'abc' options, pass .* *)
+  if String.(args = "") then cmd.opts ()
+  else
+    match lsplit2_space' args with
+    | None -> cmd.opts () |> List.filter ~f:(String.is_prefix ~prefix:args)
+    | Some (arg0, space, argn) -> (
+        match cmd.next with
+        | None -> []
+        | Some next -> (
+            match next arg0 with
+            | First _ -> []
+            | Second cmd' ->
+                completions cmd' argn
+                |> List.map ~f:(String.append (arg0 ^ space))))
+let rec hints cmd args =
+  (* cmd: "" -> " <args>"
+     cmd: "<space>+" -> "<args>"
+     cmd: "<space>+<subcmd>" -> "<hints for subcmd>"
+     cmd: "<space>+<subcmd> .*" -> "<hints for subcmd with .*>" *)
+  if String.(args = "") then Some (" " ^ cmd.args)
+  else if String.(strip_space args = "") then Some cmd.args
+  else
+    let args = lstrip_space args in
+    let%bind next = cmd.next in
+    match lsplit2_space' args with
+    | None ->
+        let%bind cmd' = next args |> Either.Second.to_option in
+        hints cmd' ""
+    | Some (arg0, space, argn) ->
+        let%bind cmd' = next arg0 |> Either.Second.to_option in
+        hints cmd' (space ^ argn)
+let invoke cmd = call root_cmd (words cmd)
+let complete cmd = completions root_cmd cmd
+let hint cmd = hints root_cmd cmd
diff --git a/bin/run.ml b/bin/run.ml
new file mode 100644
index 0000000..f39997c
--- /dev/null
+++ b/bin/run.ml
@@ -0,0 +1,163 @@
+open Core
+let opts = Settings.opts
+module Origin = struct
+  type t = Filename of string | Stdin | Interactive
+  let to_string = function
+    | Filename name -> name
+    | Stdin -> "<stdin>"
+    | Interactive -> "<interactive>"
+end
+(* [dir] must be an absolute path *)
+let rec find_imports_file dir : (string, string) result =
+  let def_filename = Filename.concat dir "importdef.sexp" in
+  match Core_unix.access def_filename [ `Read ] with
+  | Ok () -> Ok def_filename
+  | Error (Core_unix.Unix_error (ENOENT, _, _))
+  | Error (Core_unix.Unix_error (EACCES, _, _)) ->
+      let parent = Filename.dirname dir in
+      if String.(parent = dir) then Error "Could not find importdef.sexp file"
+      else find_imports_file (Filename.dirname dir)
+  | Error _ -> Error "Could not find importdef.sexp file"
+let load_imports ~for_ =
+  let cwd = Core_unix.getcwd () in
+  let filename =
+    match !(opts.imports_def_file) with
+    | None -> (
+        let dir =
+          match for_ with
+          | Origin.Filename filename ->
+              Filename.to_absolute_exn
+                (Filename.dirname filename)
+                ~relative_to:cwd
+          | Origin.Stdin | Origin.Interactive -> cwd
+        in
+        match find_imports_file dir with
+        | Error _ ->
+            printf
+              "Note: no importdef.sexp was found / could be accessed; imports \
+               will not work\n\
+               %!";
+            None
+        | Ok filename ->
+            let relative =
+              if Filename.is_absolute filename then
+                Filename.of_absolute_exn filename ~relative_to:cwd
+              else filename
+            in
+            printf "Imports definition found at %s\n%!" relative;
+            Some filename)
+    | Some filename -> Some filename
+  in
+  match filename with
+  | None -> Ok []
+  | Some filename -> (
+      (* User-provided filenames may not be absolute *)
+      let filename_abs = Filename.to_absolute_exn filename ~relative_to:cwd in
+      try
+        Ok
+          (In_channel.read_all filename
+          |> Sexp.of_string |> Mininix.Sexp.import_forest_of_sexp
+          |> Mininix.Import.materialize
+               ~relative_to:(Filename.dirname filename_abs))
+      with Sys_error err -> Error ("Failed to read imports definition: " ^ err))
+let eval_expr_with_imports ~origin ~imports data =
+  let cwd = Core_unix.getcwd () in
+  let config = Sexp_pretty.Config.default
+  and formatter = Stdlib.Format.formatter_of_out_channel stdout in
+  try
+    if !(opts.print_input) then printf "==> Input Nix:\n%s\n\n%!" data;
+    let nexp = Nix.parse ~filename:(Origin.to_string origin) data in
+    if !(opts.print_parsed) then (
+      print_string "==> Parsed Nix:\n";
+      Nix.Printer.print stdout nexp;
+      printf "\n\n%!");
+    let nnexp =
+      Nix.elaborate
+        ~dir:
+          (Some
+             (match origin with
+             | Filename name ->
+                 Filename.to_absolute_exn ~relative_to:cwd
+                   (Filename.dirname name)
+             | Stdin | Interactive -> cwd))
+        nexp
+    in
+    if !(opts.print_elaborated) then (
+      print_string "==> Parsed, elaborated Nix:\n";
+      Nix.Printer.print stdout nnexp;
+      printf "\n\n%!");
+    if !(opts.print_nix_sexp) then (
+      let nsexp = Nix.Ast.sexp_of_expr nnexp in
+      print_string "==> Nix S-expr:\n";
+      Sexp_pretty.pp_formatter config formatter nsexp;
+      printf "\n%!");
+    let mnexp = Mininix.Nix2mininix.from_nix nnexp in
+    if !(opts.print_mininix_sexp) then (
+      let mnsexp = Mininix.Sexp.expr_to_sexp mnexp in
+      print_string "==> Mininix S-expr:\n";
+      Sexp_pretty.pp_formatter config formatter mnsexp;
+      printf "\n%!");
+    let mnwpexp = Mininix.apply_prelude mnexp in
+    if !(opts.print_mininix_sexp_w_prelude) then (
+      let mnwpsexp = Mininix.Sexp.expr_to_sexp mnwpexp in
+      print_string "==> Mininix S-expr (+ prelude):\n";
+      Sexp_pretty.pp_formatter config formatter mnwpsexp;
+      printf "\n%!");
+    let res =
+      Mininix.interp_tl ~fuel:!(opts.fuel_amount) ~mode:!(opts.eval_strategy)
+        ~imports mnwpexp
+    in
+    if !(opts.print_result_mininix_sexp) then (
+      let ressexp = Mininix.Sexp.val_res_to_sexp res in
+      print_string "==> Evaluation result (Mininix S-exp):\n";
+      Sexp_pretty.pp_formatter config formatter ressexp;
+      printf "\n%!");
+    match res with
+    | Res (Some v) ->
+        let nixv = Mininix.Mininix2nix.from_val v in
+        if !(opts.print_result_nix_sexp) then (
+          let nixvsexp = Nix.Ast.sexp_of_expr nixv in
+          print_string "==> Evaluation result (Nix S-exp):\n";
+          Sexp_pretty.pp_formatter config formatter nixvsexp;
+          printf "\n%!");
+        print_string "==> Evaluation result (Nix):\n";
+        Nix.Printer.print stdout nixv;
+        printf "\n%!";
+        true
+    | Res None ->
+        printf "Failed to evaluate\n%!";
+        false
+    | _ ->
+        printf "Ran out of fuel\n%!";
+        false
+  with
+  | Nix.ParseError msg ->
+      printf "Failed to parse: %s\n%!" msg;
+      false
+  | Nix.ElaborateError msg ->
+      printf "Elaboration failed: %s\n%!" msg;
+      false
+  | Mininix.Nix2mininix.FromNixError msg ->
+      printf "Failed to convert Nix to Mininix: %s\n%!" msg;
+      false
+let eval_expr ~origin data =
+  match load_imports ~for_:origin with
+  | Ok imports -> eval_expr_with_imports ~origin ~imports data
+  | Error msg ->
+      print_endline msg;
+      false
+let eval_ch ~origin ch = In_channel.input_all ch |> eval_expr ~origin
+let eval_file filename =
+  In_channel.with_file filename ~binary:true
+    ~f:(eval_ch ~origin:(Filename filename))
+let eval_stdin () = eval_ch In_channel.stdin ~origin:Stdin
diff --git a/bin/settings.ml b/bin/settings.ml
new file mode 100644
index 0000000..55699ee
--- /dev/null
+++ b/bin/settings.ml
@@ -0,0 +1,120 @@
+open Core
+type fuel_amount = [ `Limited | `Unlimited ]
+type eval_strategy = [ `Shallow | `Deep ]
+type options = {
+  eval_strategy : eval_strategy ref;
+  fuel_amount : fuel_amount ref;
+  imports_def_file : string option ref;
+  print_input : bool ref;
+  print_parsed : bool ref;
+  print_elaborated : bool ref;
+  print_nix_sexp : bool ref;
+  print_mininix_sexp : bool ref;
+  print_mininix_sexp_w_prelude : bool ref;
+  print_result_mininix_sexp : bool ref;
+  print_result_nix_sexp : bool ref;
+}
+let opts =
+  {
+    eval_strategy = ref `Deep;
+    fuel_amount = ref `Unlimited;
+    imports_def_file = ref None;
+    print_input = ref false;
+    print_parsed = ref false;
+    print_elaborated = ref false;
+    print_nix_sexp = ref false;
+    print_mininix_sexp = ref false;
+    print_mininix_sexp_w_prelude = ref false;
+    print_result_mininix_sexp = ref false;
+    print_result_nix_sexp = ref false;
+  }
+type 'a setter = 'a -> unit
+type setting =
+  | BoolSetting of bool ref
+  | EvalStrategySetting of eval_strategy ref
+  | FilenameOptionSetting of string option ref
+  | FuelAmountSetting of fuel_amount ref
+let allowed_values s =
+  match s with
+  | BoolSetting _ -> [ "true"; "false" ]
+  | EvalStrategySetting _ -> [ "shallow"; "deep" ]
+  | FilenameOptionSetting _ -> [ "none"; "some " ]
+  | FuelAmountSetting _ -> [ "limited"; "unlimited" ]
+let set_to s v =
+  match s with
+  | BoolSetting vref -> (
+      match v with
+      | [ "true" ] ->
+          vref := true;
+          None
+      | [ "false" ] ->
+          vref := false;
+          None
+      | _ -> Some "expected one argument: 'true' or 'false'")
+  | EvalStrategySetting vref -> (
+      match v with
+      | [ "shallow" ] ->
+          vref := `Shallow;
+          None
+      | [ "deep" ] ->
+          vref := `Deep;
+          None
+      | _ -> Some "expected one argument: 'shallow' or 'deep'")
+  | FilenameOptionSetting vref -> (
+      match v with
+      | [ "none" ] ->
+          vref := None;
+          None
+      | [ "some"; filename ] ->
+          vref := Some (String.strip filename);
+          None
+      | _ -> Some "expected 'none' or 'some <filename>'")
+  | FuelAmountSetting vref -> (
+      match v with
+      | [ "limited" ] ->
+          vref := `Limited;
+          None
+      | [ "unlimited" ] ->
+          vref := `Unlimited;
+          None
+      | _ -> Some "expected 'limited' or 'unlimited'")
+let to_string s =
+  match s with
+  | BoolSetting vref -> Bool.to_string !vref
+  | EvalStrategySetting vref -> (
+      match !vref with `Shallow -> "shallow" | `Deep -> "deep")
+  | FilenameOptionSetting vref -> (
+      match !vref with None -> "none" | Some v -> "some " ^ v)
+  | FuelAmountSetting vref -> (
+      match !vref with `Limited -> "limited" | `Unlimited -> "unlimited")
+let settings =
+  Map.of_alist_exn
+    (module String)
+    [
+      ("print_input", BoolSetting opts.print_input);
+      ("print_parsed", BoolSetting opts.print_parsed);
+      ("print_elaborated", BoolSetting opts.print_elaborated);
+      ("print_nix_sexp", BoolSetting opts.print_nix_sexp);
+      ("print_mininix_sexp", BoolSetting opts.print_mininix_sexp);
+      ( "print_mininix_sexp_w_prelude",
+        BoolSetting opts.print_mininix_sexp_w_prelude );
+      ("print_result_mininix_sexp", BoolSetting opts.print_result_mininix_sexp);
+      ("print_result_nix_sexp", BoolSetting opts.print_result_nix_sexp);
+      ("eval_strategy", EvalStrategySetting opts.eval_strategy);
+      ("fuel_amount", FuelAmountSetting opts.fuel_amount);
+      ("imports_def_file", FilenameOptionSetting opts.imports_def_file);
+    ]
+let print () =
+  printf "==> Settings:\n";
+  Map.iteri settings ~f:(fun ~key:name ~data:setting ->
+      printf "  %s: %s\n" name (to_string setting))
diff --git a/cloc-rocq.sh b/cloc-rocq.sh
new file mode 100755
index 0000000..1019af3
--- /dev/null
+++ b/cloc-rocq.sh
@@ -0,0 +1,150 @@
+#!/bin/bash
+cloc --by-file ./theories --include-ext=v --json | jq -r '
+        def categories: {
+                "./theories/lambda/operational.v": {
+                        component: "(2) LambdaLang",
+                        category1: "(1) Operational semantics",
+                        category2: "General",
+                },
+                "./theories/lambda/operational_props.v": {
+                        component: "(2) LambdaLang",
+                        category1: "(1) Operational semantics",
+                        category2: "Properties",
+                },
+                "./theories/lambda/interp.v": {
+                        component: "(2) LambdaLang",
+                        category1: "(2) Interpreter",
+                        category2: "General",
+                },
+                "./theories/lambda/interp_proofs.v": {
+                        component: "(2) LambdaLang",
+                        category1: "(2) Interpreter",
+                        category2: "Theorem + proofs",
+                },
+                "./theories/dynlang/operational.v": {
+                        component: "(3) DynLang",
+                        category1: "(1) Operational semantics",
+                        category2: "General",
+                },
+                "./theories/dynlang/operational_props.v": {
+                        component: "(3) DynLang",
+                        category1: "(1) Operational semantics",
+                        category2: "Properties",
+                },
+                "./theories/dynlang/interp.v": {
+                        component: "(3) DynLang",
+                        category1: "(2) Interpreter",
+                        category2: "General",
+                },
+                "./theories/dynlang/interp_proofs.v": {
+                        component: "(3) DynLang",
+                        category1: "(2) Interpreter",
+                        category2: "Theorem + proofs",
+                },
+                "./theories/dynlang/equiv.v": {
+                        component: "(3) DynLang",
+                        category1: "(4) Extra",
+                        category2: "Equivalence with LambdaLang",
+                },
+                "./theories/evallang/operational.v": {
+                        component: "(4) EvalLang",
+                        category1: "(1) Operational semantics",
+                        category2: "General",
+                },
+                "./theories/evallang/operational_props.v": {
+                        component: "(4) EvalLang",
+                        category1: "(1) Operational semantics",
+                        category2: "Properties",
+                },
+                "./theories/evallang/interp.v": {
+                        component: "(4) EvalLang",
+                        category1: "(2) Interpreter",
+                        category2: "General",
+                },
+                "./theories/evallang/interp_proofs.v": {
+                        component: "(4) EvalLang",
+                        category1: "(2) Interpreter",
+                        category2: "Theorem + proofs",
+                },
+                "./theories/evallang/tests.v": {
+                        component: "(4) EvalLang",
+                        category1: "(3) Tests",
+                        category2: "General",
+                },
+                "./theories/nix/floats.v": {
+                        component: "(5) NixLang",
+                        category1: "(4) Extra",
+                        category2: "General",
+                },
+                "./theories/nix/operational.v": {
+                        component: "(5) NixLang",
+                        category1: "(1) Operational semantics",
+                        category2: "General",
+                },
+                "./theories/nix/operational_props.v": {
+                        component: "(5) NixLang",
+                        category1: "(1) Operational semantics",
+                        category2: "Properties",
+                },
+                "./theories/nix/notations.v": {
+                        component: "(5) NixLang",
+                        category1: "(4) Extra",
+                        category2: "General",
+                },
+                "./theories/nix/interp.v": {
+                        component: "(5) NixLang",
+                        category1: "(2) Interpreter",
+                        category2: "General",
+                },
+                "./theories/nix/interp_proofs.v": {
+                        component: "(5) NixLang",
+                        category1: "(2) Interpreter",
+                        category2: "Theorem + proofs",
+                },
+                "./theories/nix/tests.v": {
+                        component: "(5) NixLang",
+                        category1: "(3) Tests",
+                        category2: "General",
+                },
+                "./theories/nix/wp.v": {
+                        component: "(5) NixLang",
+                        category1: "(4) Extra",
+                        category2: "General",
+                },
+                "./theories/nix/wp_examples.v": {
+                        component: "(5) NixLang",
+                        category1: "(4) Extra",
+                        category2: "General",
+                },
+                "./theories/utils.v": {
+                        component: "(1) Shared",
+                        category1: "General",
+                        category2: "General",
+                },
+                "./theories/res.v": {
+                        component: "(1) Shared",
+                        category1: "General",
+                        category2: "General",
+                },
+        };
+        def add_cat_data:
+                { key, value: ({loc: .value.code} + categories[.key]) };
+        def categorize_by(key):
+                group_by(.value[key]) | map({ key: .[0].value[key], value: . }) | from_entries;
+        def spaces: if . == 0 then "" else " " + (. - 1 | spaces) end;
+        def pretty(ind):
+                if (. | type) == "number" then
+                        . | tostring
+                else
+                        to_entries | reduce .[] as $item (""; . + "\n" + (ind | spaces) + $item.key + ": " + ($item.value | pretty(ind + 2)))
+                end;
+        .SUM.code as $sum | del(.header, .SUM) | with_entries(add_cat_data) | to_entries
+        | categorize_by("component") | map_values(categorize_by("category1"))
+        | map_values(map_values(categorize_by("category2") | map_values(map(.value.loc) | add)))
+        | map_values(map_values(. + { TOTAL: to_entries | map(.value) | add }))
+        | map_values(. + { TOTAL: to_entries | map(.value.TOTAL) | add })
+        | . + { TOTAL: to_entries | map(.value.TOTAL) | add }
+        | if .TOTAL == $sum then . else error("internal error: calculated total \(.TOTAL) does not match provided sum \($sum)") end
+        | "Lines of code for the different parts of the Rocq development:" + pretty(0)
+'
diff --git a/cloc.nix b/cloc.nix
new file mode 100644
index 0000000..07a3692
--- /dev/null
+++ b/cloc.nix
@@ -0,0 +1,16 @@
+{ pkgs ? import ./nixpkgs-pinned.nix {} }:
+pkgs.stdenv.mkDerivation {
+  name = "mininix-cloc";
+  src = ./.;
+  nativeBuildInputs = with pkgs; [ cloc jq ];
+  buildPhase = ''
+    bash cloc-rocq.sh > formalization-loc-report
+  '';
+  installPhase = ''
+    mkdir -p $out
+    cp formalization-loc-report $out/
+  '';
+}
diff --git a/coverage.nix b/coverage.nix
new file mode 100644
index 0000000..ed03ce8
--- /dev/null
+++ b/coverage.nix
@@ -0,0 +1,19 @@
+{ pkgs ? import ./nixpkgs-pinned.nix {} }:
+(import ./default.nix { inherit pkgs; }).overrideAttrs (final: prev: {
+  name = "mininix-coverage";
+  nativeBuildInputs = prev.nativeBuildInputs ++ [
+    pkgs.ocaml-ng.ocamlPackages_4_14.bisect_ppx
+  ];
+  checkPhase = ''
+    dune test --instrument-with bisect_ppx --force
+  '';
+  installPhase = ''
+    mkdir -p $out/coverage
+    bisect-ppx-report summary --per-file > $out/coverage/report-plain
+    bisect-ppx-report html
+    cp -R _coverage $out/coverage/html/
+  '';
+})
diff --git a/coverage.sh b/coverage.sh
new file mode 100755
index 0000000..10fdf37
--- /dev/null
+++ b/coverage.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+rm -rf _coverage
+echo "Running tests"
+dune test --instrument-with bisect_ppx --force
+echo "Generating report"
+bisect-ppx-report html
+bisect-ppx-report summary --per-file
+echo "See lib/extraction/interp.ml above or see the detailed report (in HTML form) at _coverage/html/lib/extraction/interp.ml.html"
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..8f68fe8
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,27 @@
+{ pkgs ? import ./nixpkgs-pinned.nix {} }: with pkgs;
+let ocamlPackages = ocaml-ng.ocamlPackages_4_14; in
+ocamlPackages.buildDunePackage {
+  pname = "mininix";
+  version = "1.0.0";
+  src = ./.;
+  doCheck = true;
+  nativeBuildInputs = [ coq_8_20 git ocamlPackages.menhir ];
+  buildInputs = (with coqPackages_8_20; [
+    flocq
+    stdpp
+  ]) ++ (with ocamlPackages; [
+    bisect_ppx
+    core
+    core_unix
+    linenoise
+    pprint
+    ppx_blob
+    ppx_let
+    ppx_sexp_conv
+    sexp_pretty
+    stdio
+  ]);
+}
diff --git a/dune-project b/dune-project
new file mode 100644
index 0000000..32c81cd
--- /dev/null
+++ b/dune-project
@@ -0,0 +1,22 @@
+(lang dune 3.15)
+(name mininix)
+(generate_opam_files true)
+(using menhir 3.0)
+(using coq 0.8)
+(authors "Rutger Broekhoff" "Robbert Krebbers")
+(license LICENSE)
+(package
+ (name mininix)
+ (depends (ocaml (< 5))
+          (coq (and (>= 8.20) (< 8.21)))
+          (coq-stdpp (and (>= 1.11) (< 1.12)))
+          coq-flocq
+          core core_unix linenoise menhir pprint sexp_pretty stdio
+          ppx_sexp_conv ppx_blob ppx_let bisect_ppx
+          (merlin :dev) (ocamlformat :dev)))
diff --git a/explorer/.gitignore b/explorer/.gitignore
new file mode 100644
index 0000000..94529d8
--- /dev/null
+++ b/explorer/.gitignore
@@ -0,0 +1,2 @@
+dest/
+dest-*/
diff --git a/explorer/generate.sh b/explorer/generate.sh
new file mode 100755
index 0000000..cf2b77a
--- /dev/null
+++ b/explorer/generate.sh
@@ -0,0 +1,140 @@
+#!/bin/bash
+shopt -s globstar
+set -eu
+set -o pipefail
+rm -rf dest
+mkdir -p dest
+TREE="$(pwd)/tree.sh"
+destdir="$(pwd)/dest"
+commit="$(git rev-parse --short HEAD)"
+cd ../theories
+for file in **/*.v; do
+        destfile="$destdir/$file.html"
+        mkdir -p "$(dirname "$destfile")"
+        echo "<!DOCTYPE html>
+        <html lang=\"en\">
+                <head>
+                        <meta charset=\"UTF-8\">
+                        <title>$file</title>
+                        <style>" >> "$destfile"
+        python -m pygments -S default -f html >> "$destfile"
+        echo "
+                        html { height: 100%; }
+                        body {
+                                font-family: sans-serif;
+                                margin: 0px;
+                                min-height: 100%;
+                                display: flex;
+                                flex-direction: column;
+                        }
+                        header {
+                                display: flex;
+                                padding: 0em 1em;
+                                border-bottom: 1px solid black;
+                        }
+                        nav {
+                                width: 200px;
+                                border-right: 1px solid black;
+                                min-height: 100%;
+                        }
+                        nav ul {
+                                list-style-type: none;
+                                padding-left: 1em;
+                        }
+                        nav ul:not(#top-dir) {
+                                border-left: 1px solid black;
+                        }
+                        nav li {
+                                font-family: monospace;
+                        }
+                        a { text-decoration: none; }
+                        a.current { font-weight: bold; }
+                        .row { display: flex; }
+                        .grow { flex-grow: 1; }
+                        .h1-like {
+                                display: block;
+                                margin-block: 0.67em;
+                                font-size: 2.00em;
+                                font-weight: bold;
+                        }
+                        #subtitle {
+                                display: block;
+                                margin-block: 0.83em;
+                                font-size: 1.50em;
+                        }
+                </style>
+        </head>
+        <body>
+                <header class=\"row\">
+                        <div class=\"grow\">
+                                <h1>Verified Interpreters for Dynamic Languages</h1>
+                                <span id=\"subtitle\">with Applications to the Nix Expression Language</span>
+                        </div>
+                        <div>
+                                <span class=\"h1-like\">Rocq Mechanization</span>
+                                <span>Commit $commit</span>
+                        </div>
+                </header>
+                <div class=\"row grow\">
+                        <nav>
+                                <ul id=\"top-dir\">
+" >> "$destfile"
+        $TREE "$file" >> "$destfile"
+        echo '
+                                </ul>
+                        </nav>
+                        <main class="grow">' >> "$destfile"
+        python -m pygments -fhtml -lcoq -Oanchorlinenos,linenos,linespans=line "$file" >> "$destfile"
+        echo '
+                        </main>
+                </div>
+                <script>
+                function highlightOne(lineno) {
+                        let el = document.getElementById("line-" + lineno);
+                        el.classList.add("hll");
+                }
+        
+                function scrollTo(lineno) {
+                        let el = document.getElementById("line-" + lineno);
+                        el.scrollIntoView();
+                }
+        
+                function highlight() {
+                        let frag = window.location.hash.substring(1);
+                        if (/^line-[0-9]+$/.test(frag)) {
+                                highlightOne(frag.substring(5));
+                                scrollTo(frag.substring(5));
+                        } else if (/^L[0-9]+$/.test(frag)) {
+                                highlightOne(frag.substring(1));
+                                scrollTo(frag.substring(1));
+                        } else if (/^L[0-9]+-L[0-9]+$/.test(frag)) {
+                                let matches = frag.match(/[0-9]+/g);
+                                let startLineno = Number(matches[0]);
+                                let endLineno = Number(matches[1]);
+                                for (let lineno = startLineno; lineno <= endLineno; lineno++) {
+                                        highlightOne(lineno);
+                                }
+                                scrollTo(startLineno);
+                        }
+                }
+        
+                function unhighlight() {
+                        for (const el of Array.from(document.getElementsByClassName("hll"))) {
+                                el.classList.remove("hll");
+                        }
+                }
+        
+                function rehighlight() {
+                        unhighlight();
+                        highlight();
+                }
+        
+                window.addEventListener("hashchange", rehighlight);
+                window.addEventListener("load", highlight);
+                </script>
+        </body>
+</html>' >> "$destfile"
+done
diff --git a/explorer/tree.sh b/explorer/tree.sh
new file mode 100755
index 0000000..1620d2d
--- /dev/null
+++ b/explorer/tree.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+tree -J ../theories -P "*.v" | jq --arg "current" "$1" -r '
+        ("../" * ($current | [ scan("/+") ] | length)) as $prefix |
+        def make_item_link(prefix):
+                (if $current == prefix + .name then " class=\"current\"" else "" end) as $extra |
+                "<a href=\"\($prefix)\(prefix)\(.name | @uri).html\"\($extra)>\(.name | @html)</a>";
+        def handle_item(prefix):
+                if .type == "directory" then
+                        "<li>\(.name | @html)<ul>" +
+                        (.name as $dir | .contents | map(handle_item("\(prefix)\($dir)/")) | add) +
+                        "</ul></li>"
+                else
+                        "<li>\(make_item_link(prefix))</li>"
+                end;
+        .[0].contents | map(handle_item("")) | add
+'
diff --git a/explorer/upload-new.sh b/explorer/upload-new.sh
new file mode 100755
index 0000000..7873aa2
--- /dev/null
+++ b/explorer/upload-new.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -eu
+set -o pipefail
+commit="$(git rev-parse --short HEAD)"
+[ -e "dest-$commit" ] && {
+        echo "Revision $commit may have already been uploaded. Delete the directory dest-$commit to force re-upload.";
+        exit 1
+}
+./generate.sh
+mv dest "dest-$commit"
+mcli cp --recursive --checksum sha256 dest-$commit/* s3-default-par/verified-dyn-lang-interp/$commit/theories/
+echo "Base URL (for \\rocqbaseurl): https://s3.fr-par.scw.cloud/verified-dyn-lang-interp/$commit/"
diff --git a/importdef.sexp b/importdef.sexp
new file mode 100644
index 0000000..2d11aed
--- /dev/null
+++ b/importdef.sexp
@@ -0,0 +1 @@
+(deps test/testdata/lib.nix)
diff --git a/lib/extraction/dune b/lib/extraction/dune
new file mode 100644
index 0000000..b56caf9
--- /dev/null
+++ b/lib/extraction/dune
@@ -0,0 +1,56 @@
+(coq.extraction
+ (prelude prelude)
+ (extracted_modules
+  Ascii
+  BinInt
+  Bits
+  Decimal
+  prelude
+  gmap
+  Nat
+  PeanoNat
+  SpecFloat
+  ZArith_dec
+  base
+  BinNat
+  Bool
+  DecimalString
+  interp
+  numbers
+  pretty
+  Specif
+  Zbool
+  Basics
+  BinNums
+  countable
+  list0
+  operational
+  res
+  String
+  Zpower
+  Binary
+  BinPosDef
+  Datatypes
+  fin_maps
+  List
+  option
+  Round
+  strings
+  BinarySingleNaN
+  BinPos
+  decidable
+  floats
+  mapset
+  orders
+  sorting
+  utils)
+ (flags
+  (-output-directory "."))
+ (theories Flocq stdpp mininix))
+(library
+ (name extraction)
+ (flags
+  (:standard -w -33))
+ (instrumentation
+  (backend bisect_ppx)))
diff --git a/lib/extraction/extraction.ml b/lib/extraction/extraction.ml
new file mode 100644
index 0000000..a737700
--- /dev/null
+++ b/lib/extraction/extraction.ml
@@ -0,0 +1,18 @@
+include Prelude
+include Interp
+include Operational
+include Res
+(* Stuff that's not part of the paper. Still exposed because we sometimes want
+   to be able to create a natural number, float, process a list etc. *)
+module Internal = struct
+  module BinNums = BinNums
+  module Datatypes = Datatypes
+  module List = List
+  module Floats = struct
+    include Floats
+    include Binary
+    include SpecFloat
+  end
+end
diff --git a/lib/extraction/prelude.v b/lib/extraction/prelude.v
new file mode 100644
index 0000000..ef35bcb
--- /dev/null
+++ b/lib/extraction/prelude.v
@@ -0,0 +1,52 @@
+Require Import Coq.Numbers.DecimalString ExtrOcamlBasic ExtrOcamlString.
+From stdpp Require Import strings stringmap gmap.
+From mininix Require Import nix.interp.
+Definition attr_set_insert (x : string) (α : attr) (αs : gmap string attr) : gmap string attr :=
+  <[x:=α]> αs.
+Definition attr_set_contains (x : string) (αs : gmap string attr) : bool :=
+  bool_decide (x ∈ dom αs).
+Definition attr_set_fold {A} (f : string → attr → A → A) (init : A) (αs : gmap string attr) : A :=
+  map_fold f init αs.
+Definition attr_set_empty : gmap string attr := ∅.
+Definition env_fold {A} (f : string → (kind * thunk) → A → A) (init : A) (E : env) : A :=
+  map_fold f init E.
+Definition env_insert_abs (x : string) (t : thunk) (E : env) : env :=
+  <[x:=(ABS,t)]> E.
+Definition thunk_map_fold {A} (f : string → thunk → A → A) (init : A) (bs : gmap string thunk) : A :=
+  map_fold f init bs.
+Definition thunk_map_insert (x : string) (t : thunk) (bs : gmap string thunk) : gmap string thunk :=
+  <[x:=t]> bs.
+Definition thunk_map_empty : gmap string thunk := ∅.
+Definition matcher := gmap string (option expr).
+Definition matcher_empty : matcher := ∅.
+Definition matcher_insert (x : string) (me : option expr) (ms : matcher) : matcher :=
+  <[x:=me]> ms.
+Definition matcher_fold {A} (f : string → option expr → A → A) (init : A) (ms : matcher) : A :=
+  map_fold f init ms.
+Definition env_empty : env := ∅.
+Definition string_of_Z (x : Z) : string :=
+  NilZero.string_of_int (Z.to_int x).
+Definition string_to_Z (s : string) : option Z :=
+  Z.of_int <$> NilZero.int_of_string s.
+Separate Extraction
+  attr_set_insert env_insert_abs matcher_insert thunk_map_insert
+  attr_set_contains attr_set_fold env_fold matcher_fold thunk_map_fold
+  env_empty attr_set_empty matcher_empty thunk_map_empty string_of_Z
+  string_to_Z interp' forallb.
diff --git a/lib/mininix/builtins.ml b/lib/mininix/builtins.ml
new file mode 100644
index 0000000..0809668
--- /dev/null
+++ b/lib/mininix/builtins.ml
@@ -0,0 +1,77 @@
+open Core
+open Nix2mininix
+let minimal_prelude =
+  mn_attr
+    [
+      ("true", `Nonrec, Extraction.ELit (Extraction.LitBool true));
+      ("false", `Nonrec, Extraction.ELit (Extraction.LitBool false));
+      ("null", `Nonrec, Extraction.ELit Extraction.LitNull);
+      ("seq", `Nonrec, mn_abs [ "e1"; "e2" ] (mn_seq (mn_id "e1") (mn_id "e2")));
+      ( "deepSeq",
+        `Nonrec,
+        mn_abs [ "e1"; "e2" ] (mn_deep_seq (mn_id "e1") (mn_id "e2")) );
+      ("typeOf", `Nonrec, mn_abs [ "e" ] (mn_type_of (mn_id "e")));
+      ("functionArgs", `Nonrec, mn_abs [ "f" ] (mn_function_args (mn_id "f")));
+      ( "bitAnd",
+        `Nonrec,
+        mn_abs [ "x"; "y" ] (mn_bit_and (mn_id "x") (mn_id "y")) );
+      ("bitOr", `Nonrec, mn_abs [ "x"; "y" ] (mn_bit_or (mn_id "x") (mn_id "y")));
+      ( "bitXor",
+        `Nonrec,
+        mn_abs [ "x"; "y" ] (mn_bit_xor (mn_id "x") (mn_id "y")) );
+      ("ceil", `Nonrec, mn_abs [ "x" ] (mn_ceil (mn_id "x")));
+      ("floor", `Nonrec, mn_abs [ "x" ] (mn_floor (mn_id "x")));
+      ("__mn_nearestEven", `Nonrec, mn_abs [ "x" ] (mn_nearest_even (mn_id "x")));
+      ( "__mn_singleton",
+        `Nonrec,
+        mn_abs [ "x"; "e" ] (mn_singleton_attr (mn_id "x") (mn_id "e")) );
+      ( "__mn_attr_delete",
+        `Nonrec,
+        mn_abs [ "as"; "x" ] (mn_delete_attr (mn_id "as") (mn_id "x")) );
+      ( "__mn_attr_has_prim",
+        `Nonrec,
+        mn_abs [ "d"; "e" ] (mn_has_attr (mn_id "d") (mn_id "e")) );
+      ("__mn_attr_match", `Nonrec, mn_abs [ "as" ] (mn_attr_match (mn_id "as")));
+      ("__mn_list_match", `Nonrec, mn_abs [ "xs" ] (mn_list_match (mn_id "xs")));
+      ( "__mn_string_match",
+        `Nonrec,
+        mn_abs [ "s" ] (mn_string_match (mn_id "s")) );
+    ]
+(* Watch out to not introduce constructs here that refer to themselves using
+   the mnbi_* functions in Nix2mininix - this can cause undesired loops. *)
+let builtins_nix =
+  Nix.elaborate (Nix.parse ~filename:"<builtins>" [%blob "builtins.nix"])
+let builtins =
+  Extraction.ELetAttr
+    (Extraction.ABS, minimal_prelude, Nix2mininix.from_nix builtins_nix)
+let exported_builtins =
+  [
+    "__mn_assert";
+    "__mn_attr_has";
+    "__mn_attr_insertNew";
+    "__mn_attr_select";
+    "__mn_attr_selectOr";
+    "abort";
+    "false";
+    "head";
+    "map";
+    "null";
+    "removeAttrs";
+    "tail";
+    "throw";
+    "toString";
+    "true";
+  ]
+let apply_prelude e =
+  let bindings =
+    mn_attr
+      (("builtins", `Nonrec, builtins)
+      :: List.map exported_builtins ~f:(fun x ->
+             (x, `Rec, mn_select_attr (mn_id "builtins") (mn_str x))))
+  in
+  Extraction.ELetAttr (Extraction.ABS, bindings, e)
diff --git a/lib/mininix/builtins.nix b/lib/mininix/builtins.nix
new file mode 100644
index 0000000..9c7ed32
--- /dev/null
+++ b/lib/mininix/builtins.nix
@@ -0,0 +1,302 @@
+rec {
+  inherit true false null functionArgs typeOf seq deepSeq bitAnd bitOr bitXor floor ceil; # from the minimal prelude
+  abort = _: null null; # we ignore the provided message
+  throw = abort; # same here
+  head = xs: (__mn_list_match xs).head;
+  tail = xs: (__mn_list_match xs).tail;
+  __mn_matchAttr = f: as: f (__mn_attr_match as);
+  __mn_matchList = f: xs: f (__mn_list_match xs);
+  __mn_matchString = f: s: f (__mn_string_match s);
+  __mn_foldr = op: nul:
+    __mn_matchList ({ head, tail, empty }:
+      if empty then nul else op head (__mn_foldr op nul tail));
+  # foldl' should really be strict. But if we do that (using seq), the
+  # complexity of this function suddenly morphs from linear to
+  # exponential, which is way worse than not actually being strict.
+  foldl' = op: nul:
+    __mn_matchList
+      ({ head, tail, empty }:
+        if empty then nul else
+        let v = op nul head; in
+        seq v (foldl' op v tail));
+  map = f:
+    __mn_matchList ({ head, tail, empty }:
+      if empty then [ ] else [ (f head) ] ++ map f tail);
+  elem = x: any (y: x == y);
+  elemAt = xs: n: assert n >= 0;
+    let go = xs: n: if n == 0 then head xs else go (tail xs) (n - 1);
+    in go xs n;
+  length = __mn_matchList ({ head, tail, empty }:
+    if empty then 0 else 1 + length tail);
+  sort = __mn_mergesort;
+  any = f: __mn_matchList ({ head, tail, empty }: !empty && (f head || any f tail));
+  all = f: __mn_matchList ({ head, tail, empty }: !empty -> (f head && all f tail));
+  concatLists =
+    __mn_matchList ({ head, tail, empty }:
+      if empty then [ ] else head ++ concatLists tail);
+  concatMap = f: xss: concatLists (map f xss);
+  concatStringsSep = sep:
+    __mn_matchList ({ head, tail, empty }:
+      if empty then "" else if tail == [ ] then head
+      else head + sep + concatStringsSep sep tail);
+  filter = f:
+    __mn_matchList ({ head, tail, empty }:
+      if empty then [ ] else (if f head then [ head ] else [ ]) ++ filter f tail);
+  groupBy = f: xs:
+    let update = x: acc: acc // { ${f x} = [ x ] ++ (acc.${f x} or [ ]); };
+    in __mn_foldr update { } xs;
+  partition = f: groupBy (x: if f x then "right" else "wrong");
+  hasAttr = x: as: as ? ${x};
+  getAttr = x: as: as.${x};
+  attrNames = __mn_matchAttr ({ key, tail, empty, ... }:
+    if empty then [ ] else [ key ] ++ attrNames tail);
+  attrValues = __mn_matchAttr ({ head, tail, empty, ... }:
+    if empty then [ ] else [ head ] ++ attrValues tail);
+  mapAttrs = f: __mn_matchAttr ({ key, head, tail, empty }:
+    if empty then { } else
+    mapAttrs f tail // { ${key} = f key head; });
+  removeAttrs = __mn_foldr (x: as': __mn_attr_delete as' x);
+  zipAttrsWith = f: ass: mapAttrs f (__mn_zipAttrs ass);
+  catAttrs = x:
+    __mn_matchList ({ head, tail, empty }:
+      if empty then [ ]
+      else (if head ? ${x} then [ head.${x} ] else [ ]) ++ catAttrs x tail);
+  listToAttrs =
+    __mn_foldr (attr: as': as' // { ${attr.name} = attr.value; }) { };
+  intersectAttrs = e1: e2:
+    __mn_matchAttr
+      ({ key, head, tail, empty }:
+        if empty then { } else
+        (if e2 ? ${key} then { ${key} = e2.${key}; } else { }) //
+        intersectAttrs tail (__mn_attr_delete e2 key))
+      e1;
+  lessThan = x: y: x < y; # documentation is misleading, not only for numbers
+  add = x: y: x + y;
+  mul = x: y: x * y;
+  div = x: y: x / y;
+  sub = x: y: x - y;
+  genList = gen: n:
+    let
+      aux = off: if off >= n then [ ] else
+      [ (gen off) ] ++ aux (off + 1);
+    in
+    aux 0;
+  __mn_genericClosure = { operator, seen, startSet }:
+    __mn_matchList
+      ({ head, tail, empty }:
+        if empty then [ ] else
+        if seen head.key
+        then __mn_genericClosure { inherit operator seen; startSet = tail; }
+        else [ head ] ++ __mn_genericClosure {
+          inherit operator;
+          seen = k: k == head.key || seen k;
+          startSet = tail ++ operator head;
+        })
+      startSet;
+  genericClosure = { operator, startSet }:
+    __mn_genericClosure { inherit operator startSet; seen = _: false; };
+  isAttrs = e: typeOf e == "set";
+  isBool = e: typeOf e == "bool";
+  isFloat = e: typeOf e == "float";
+  isFunction = e: typeOf e == "lambda";
+  isInt = e: typeOf e == "int";
+  isList = e: typeOf e == "list";
+  isNull = e: typeOf e == "null";
+  isString = e: typeOf e == "string";
+  toString = e:
+    if isAttrs e then
+      if e ? __toString then e.__toString e else e.outPath
+    else if isBool e then
+      if e then "1" else ""
+    else if isFloat e then
+      __mn_float_toString e
+    else if isInt e then
+      __mn_int_toString e
+    else if isList e then
+      concatStringsSep " " (map toString e)
+    else if isNull e then
+      ""
+    else if isString e then
+      e
+    else abort null;
+  stringLength =
+    __mn_matchString ({ head, tail, empty }:
+      if empty then 0 else 1 + stringLength tail);
+  substring = start: assert start >= 0; len:
+    __mn_matchString ({ head, tail, empty }:
+      if empty || len == 0 then "" else
+      if start > 0
+      then substring (start - 1) len tail
+      else head + substring 0 (len - 1) tail);
+  replaceStrings = from: to: s:
+    __mn_matchList
+      ({ head, tail, empty }:
+        let from = if empty then [ ] else [ head ] ++ tail; in
+        __mn_matchList
+          ({ head, tail, empty }:
+            let to = if empty then [ ] else [ head ] ++ tail; in
+            assert length from == length to;
+            __mn_strings_replace from to s)
+          to)
+      from;
+  __mn_strings_replace = subsFrom: subsTo: s:
+    let go = __mn_strings_replace subsFrom subsTo; in
+    __mn_strings_replace_aux go subsFrom subsTo s;
+  __mn_strings_replace_aux = go: subsFrom: subsTo: s:
+    __mn_matchList
+      ({ head, tail, empty }:
+        if empty
+        then
+          __mn_matchString
+            ({ head, tail, empty }: if empty then "" else head + go tail)
+            s
+        else
+          let subFrom = head; subsFrom' = tail; in
+          __mn_matchList
+            ({ head, tail, ... }:
+              let subTo = head; subsTo' = tail; in
+              if subFrom == ""
+              then
+              # We can only ask ourselves why, but it is so -- in Nix:
+              #   replaceStrings ["" "a"] ["X" "_"] "asdf" ~> "XaXsXdXfX"
+              # and so we emulate this 'behavior'
+                subTo + __mn_matchString
+                  ({ head, tail, empty }:
+                    if empty then "" else head + go tail)
+                  s
+              else
+                ({ ok, rest }:
+                  if ok
+                  then subTo + go rest
+                  else __mn_strings_replace_aux go subsFrom' subsTo' s)
+                  (__mn_string_chopPrefix subFrom s))
+            subsTo)
+      subsFrom;
+  __mn_string_chopPrefix = prefix: s:
+    __mn_matchString
+      ({ head, tail, empty }:
+        if empty then { ok = true; rest = s; } else
+        let prefix = head; prefix' = tail; in __mn_matchString
+          ({ head, tail, empty }:
+            if empty || prefix != head then { ok = false; rest = null; } else
+            __mn_string_chopPrefix prefix' tail)
+          s)
+      prefix;
+  __mn_string_drop = n: s:
+    if n <= 0 then s else
+    __mn_matchString
+      ({ tail, empty, ... }:
+        if empty then "" else
+        __mn_string_drop (n - 1) tail)
+      s;
+  __mn_float_toString = x:
+    let
+      sign = x < 0;
+      abs = __mn_abs x;
+      int = floor abs;
+      dec = __mn_nearestEven ((abs - int) * 1000000);
+    in
+    (if sign then "-" else "") +
+    __mn_int_toString int + "." + __mn_int_toString dec;
+  __mn_int_toString = x: (if x < 0 then "-" else "") +
+    (
+      let d10 = __mn_quotRem (__mn_abs x) 10; in
+      (if d10.quot != 0 then toString d10.quot else "") +
+        (if d10.rem == 0 then "0" else
+        if d10.rem == 1 then "1" else
+        if d10.rem == 2 then "2" else
+        if d10.rem == 3 then "3" else
+        if d10.rem == 4 then "4" else
+        if d10.rem == 5 then "5" else
+        if d10.rem == 6 then "6" else
+        if d10.rem == 7 then "7" else
+        if d10.rem == 8 then "8" else
+        if d10.rem == 9 then "9" else
+        abort null)
+    );
+  __mn_quotRem = x: y:
+    let quot = x / y; in
+    { inherit quot; rem = x - quot * y; };
+  __mn_abs = x: if x < 0 then -x else x;
+  __mn_attr_insertNew = as: x: e:
+    if x == null then { } else
+      assert !(as ? ${x}); as // __mn_singleton x e;
+  __mn_attr_has_aux = d: e:
+    if typeOf d != "set" then false else __mn_attr_has_prim d e;
+  __mn_attr_has = e:
+    __mn_matchList ({ head, tail, empty }:
+      if empty then true else
+      if __mn_attr_has_aux e head then __mn_attr_has e.${head} tail
+      else false);
+  __mn_attr_select = e:
+    __mn_matchList ({ head, tail, empty }:
+      if empty then e
+      else __mn_attr_select e.${head} tail);
+  __mn_attr_selectOr = e: as: d:
+    if __mn_attr_has e as
+    then __mn_attr_select e as
+    else d;
+  __mn_assert = e1: e2:
+    if e1 then e2 else abort null;
+  __mn_consAttrs = as: acc:
+    __mn_foldr
+      (x: acc: acc // {
+        ${x} = [ as.${x} ] ++ (acc.${x} or [ ]);
+      })
+      acc
+      (attrNames as);
+  __mn_zipAttrs = __mn_foldr __mn_consAttrs { };
+  # Old merge sort algorithm, taken from GHC.Internal.Data.OldList.
+  __mn_mergesort = cmp: xs: __mn_mergesort' cmp (__mn_singletons xs);
+  __mn_singletons = map (x: [ x ]);
+  __mn_mergesort' = cmp: xs:
+    __mn_matchList
+      ({ head, tail, empty }:
+        if empty then [ ] else if tail == [ ] then head else
+        __mn_mergesort' cmp (__mn_mergePairs cmp xs))
+      xs;
+  __mn_mergePairs = cmp:
+    __mn_matchList ({ head, tail, empty }: if empty then [ ] else
+    let xs' = head; in __mn_matchList
+      ({ head, tail, empty }:
+        if empty then [ xs' ] else
+        let ys' = head; xss' = tail; in
+        [ (__mn_merge cmp xs' ys') ] ++ __mn_mergePairs cmp xss')
+      tail);
+  __mn_merge = cmp: xs: ys:
+    __mn_matchList
+      ({ head, tail, empty }:
+        if empty then ys else
+        let x = head; xs' = tail; in
+        __mn_matchList
+          ({ head, tail, empty }:
+            if empty then xs else
+            let y = head; ys' = tail; in
+            if cmp y x
+            then [ y ] ++ __mn_merge cmp xs ys' # y < x, i.e., x > y
+            else [ x ] ++ __mn_merge cmp xs' ys)
+          ys)
+      xs;
+}
diff --git a/lib/mininix/conv.ml b/lib/mininix/conv.ml
new file mode 100644
index 0000000..8062099
--- /dev/null
+++ b/lib/mininix/conv.ml
@@ -0,0 +1,96 @@
+open Core
+let _ = assert (Sys.word_size_in_bits = 64)
+let chlist s = String.to_list s
+let ( <> ) l1 l2 = not (List.equal Char.( = ) l1 l2)
+let str = String.of_char_list
+let prec = 53
+let emax = 1024
+let exp_bits = 11
+let saturated_exp = Int.shift_left 1 exp_bits - 1
+let rec int_bits (x : int) : bool list =
+  if Int.(x < 0) then raise (Invalid_argument "Number must be nonnegative")
+  else if Int.(x = 0) then []
+  else
+    let q = x /% 2 and r = x % 2 in
+    int_bits q @ [ r = 1 ]
+let int_to_positive (x : int) : Extraction.Internal.BinNums.positive =
+  if x <= 0 then raise (Invalid_argument "Number must be positive")
+  else
+    let bits = List.tl_exn (int_bits x) in
+    List.fold_left
+      ~f:(fun acc digit ->
+        if digit then Extraction.Internal.BinNums.Coq_xI acc
+        else Extraction.Internal.BinNums.Coq_xO acc)
+      ~init:Extraction.Internal.BinNums.Coq_xH bits
+let int_to_z (x : int) : Extraction.Internal.BinNums.coq_Z =
+  if x = 0 then Z0
+  else if x < 0 then Zneg (int_to_positive (-x))
+  else Zpos (int_to_positive x)
+let rec int63_of_positive (x : Extraction.Internal.BinNums.positive) : Int63.t =
+  let two = Int63.(succ one) in
+  match x with
+  | Coq_xH -> Int63.of_int_exn 1
+  | Coq_xO x -> Int63.(two * int63_of_positive x)
+  | Coq_xI x -> Int63.((two * int63_of_positive x) + one)
+let int63_of_z (x : Extraction.Internal.BinNums.coq_Z) : Int63.t =
+  match x with
+  | Z0 -> Int63.zero
+  | Zpos x -> int63_of_positive x
+  | Zneg x -> Int63.neg (int63_of_positive x)
+let int63_to_positive x = Int63.to_int_exn x |> int_to_positive
+(* Conversions are the same as those in Coq's FloatOps.
+   See https://github.com/coq/coq/blob/master/theories/Floats/FloatOps.v *)
+let normfr_mantissa f =
+  let f = Float.abs f in
+  if Float.(f >= 0.5) && Float.(f < 1.) then Float.to_int (Float.ldexp f prec)
+  else 0
+let float_to_flocq (x : float) : Extraction.Internal.Floats.float =
+  match Float.classify x with
+  | Zero -> Extraction.Internal.Floats.B754_zero (Float.ieee_negative x)
+  | Nan ->
+      Extraction.Internal.Floats.B754_nan
+        (Float.ieee_negative x, Float.ieee_mantissa x |> int63_to_positive)
+  | Infinite -> Extraction.Internal.Floats.B754_infinity (Float.ieee_negative x)
+  | Normal | Subnormal -> (
+      let prec_z = int_to_z prec and emax_z = int_to_z emax in
+      let r, exp = Float.frexp x in
+      let e = int_to_z (exp - prec) and r' = int_to_z (normfr_mantissa r) in
+      let shr, e' =
+        Extraction.Internal.Floats.(shr_fexp prec_z emax_z r' e Coq_loc_Exact)
+      in
+      match shr.shr_m with
+      | Zpos p -> B754_finite (Float.is_negative x, p, e')
+      | Zneg _ | Z0 -> assert false)
+let float_from_flocq x : float =
+  match x with
+  | Extraction.Internal.Floats.B754_zero s ->
+      Float.create_ieee_exn ~negative:s ~mantissa:Int63.zero ~exponent:0
+  | Extraction.Internal.Floats.B754_infinity s ->
+      if s then Float.neg_infinity else Float.infinity
+  | Extraction.Internal.Floats.B754_nan (s, m) ->
+      let m_int = int63_of_positive m in
+      Float.create_ieee_exn ~negative:s ~mantissa:m_int ~exponent:saturated_exp
+  | Extraction.Internal.Floats.B754_finite (s, m, e) ->
+      let pm = Float.of_int63 (int63_of_positive m) in
+      let f = Float.ldexp pm (Int63.to_int_exn (int63_of_z e)) in
+      if s then Float.neg f else f
+open struct
+  open Base_quickcheck
+  let%expect_test "float conversion" =
+    Test.run_exn
+      (module Float)
+      ~f:(fun x -> [%test_eq: float] (float_from_flocq (float_to_flocq x)) x)
+end
diff --git a/lib/mininix/dune b/lib/mininix/dune
new file mode 100644
index 0000000..aabbf45
--- /dev/null
+++ b/lib/mininix/dune
@@ -0,0 +1,15 @@
+(library
+ (name mininix)
+ (inline_tests)
+ (preprocessor_deps
+  (file builtins.nix))
+ (preprocess
+  (pps
+   ppx_blob
+   ppx_sexp_conv
+   ppx_expect
+   ppx_assert
+   base_quickcheck.ppx_quickcheck))
+ (instrumentation
+  (backend bisect_ppx))
+ (libraries core extraction nix ppx_blob ppx_sexp_conv))
diff --git a/lib/mininix/import.ml b/lib/mininix/import.ml
new file mode 100644
index 0000000..ca1bfb5
--- /dev/null
+++ b/lib/mininix/import.ml
@@ -0,0 +1,54 @@
+open Core
+exception ImportError of string
+type tree = { filename : string; deps : forest }
+and forest = tree list
+let provide (imports : (string * Extraction.coq_val) list) =
+  let imports_set =
+    Extraction.(
+      VAttr
+        (List.fold imports ~init:thunk_map_empty ~f:(fun attrs (filename, v) ->
+             thunk_map_insert (Conv.chlist filename) (Forced v) attrs)))
+  in
+  let make_env =
+    Extraction.(
+      env_insert_abs (Conv.chlist "imports") (Forced imports_set) env_empty)
+  in
+  Extraction.(
+    VClo
+      ( Conv.chlist "path",
+        make_env,
+        EBinOp
+          ( SelectAttrOp,
+            EId (Conv.chlist "imports", None),
+            EId (Conv.chlist "path", None) ) ))
+let make_env (imports : (string * Extraction.coq_val) list) =
+  Extraction.(
+    env_insert_abs (Conv.chlist "import") (Forced (provide imports)) env_empty)
+let rec import trees : (string * Extraction.coq_val) list =
+  List.map trees ~f:(fun { filename; deps } ->
+      let data = In_channel.read_all filename in
+      Nix.parse ~filename data |> Nix.elaborate |> Nix2mininix.from_nix
+      |> Builtins.apply_prelude
+      |> Run.interp ~fuel:`Unlimited ~mode:`Shallow
+           ~env:(make_env (import deps))
+      |> function
+      | Res (Some v) -> (filename, v)
+      | Res None ->
+          raise
+            (ImportError
+               (sprintf "Could not import %s: Failed to evaluate" filename))
+      | NoFuel -> assert false)
+let rec tree_map ~(f : string -> string) { filename; deps } =
+  { filename = f filename; deps = forest_map ~f deps }
+and forest_map ~(f : string -> string) trees = List.map ~f:(tree_map ~f) trees
+(* [relative_to] must be an absolute path *)
+let materialize forest ~relative_to : (string * Extraction.coq_val) list =
+  forest_map forest ~f:(Filename.to_absolute_exn ~relative_to) |> import
diff --git a/lib/mininix/mininix.ml b/lib/mininix/mininix.ml
new file mode 100644
index 0000000..b121619
--- /dev/null
+++ b/lib/mininix/mininix.ml
@@ -0,0 +1,13 @@
+module Nix2mininix = Nix2mininix
+module Mininix2nix = Mininix2nix
+module Sexp = Sexp
+module Import = Import
+let interp_tl ~fuel ~mode ?(imports = []) e =
+  Run.interp ~fuel ~mode ~env:(Import.make_env imports) e
+let apply_prelude = Builtins.apply_prelude
+let preprocess input ~filename =
+  input |> Nix.parse ~filename |> Nix.elaborate |> Nix2mininix.from_nix
+  |> Builtins.apply_prelude
diff --git a/lib/mininix/mininix2nix.ml b/lib/mininix/mininix2nix.ml
new file mode 100644
index 0000000..efbc42a
--- /dev/null
+++ b/lib/mininix/mininix2nix.ml
@@ -0,0 +1,54 @@
+open Conv
+open Core
+(* [or] is not a 'strong' keyword. That means that 'it depends' whether it is
+   identified as such. In the context of the left-hand side of an attribute, it
+   is not recognized as such. *)
+let strong_keywords =
+  [ "with"; "rec"; "let"; "in"; "inherit"; "if"; "then"; "else"; "assert" ]
+let id_re = Str.regexp {|^[A-Za-z_]+[A-Za-z0-9'_-]*$|}
+let is_simple_id s =
+  Str.string_match id_re s 0
+  && not (List.exists strong_keywords ~f:(String.( = ) s))
+let thunk_map_to_map tm =
+  Extraction.thunk_map_fold
+    (fun k t -> Map.add_exn ~key:(String.of_char_list k) ~data:t)
+    (Map.empty (module String))
+    tm
+let from_lit l =
+  match l with
+  | Extraction.LitString s -> Nix.Ast.Val (Nix.Ast.Str (str s, []))
+  | Extraction.LitNull -> Nix.Ast.Id "null"
+  | Extraction.LitBool b -> Nix.Ast.Id (if b then "true" else "false")
+  | Extraction.LitNum x ->
+      Nix.Ast.Val
+        (match x with
+        | Extraction.NInt x -> Nix.Ast.Int (x |> Extraction.string_of_Z |> str)
+        | Extraction.NFloat x ->
+            Nix.Ast.Float (Printf.sprintf "%g" (float_from_flocq x)))
+let rec from_val = function
+  | Extraction.VClo _ | Extraction.VCloMatch _ -> Nix.Ast.Id "<CODE>"
+  | Extraction.VLit l -> from_lit l
+  | Extraction.VAttr bs ->
+      let bs =
+        thunk_map_to_map bs
+        |> Map.to_alist ~key_order:`Increasing
+        |> List.map ~f:(fun (x, t) ->
+               let lhs =
+                 if is_simple_id x then Nix.Ast.Id x
+                 else Nix.Ast.Val (Nix.Ast.Str (x, []))
+               in
+               Nix.Ast.AttrPath ([ lhs ], from_thunk t))
+      in
+      Nix.Ast.Val (Nix.Ast.AttSet (Nix.Ast.Nonrec, bs))
+  | Extraction.VList ts -> Nix.Ast.Val (Nix.Ast.List List.(ts >>| from_thunk))
+and from_thunk = function
+  | Extraction.Thunk (_, ELit l) -> from_lit l
+  | Extraction.Thunk _ | Extraction.Indirect _ -> Nix.Ast.Id "<CODE>"
+  | Extraction.Forced v -> from_val v
diff --git a/lib/mininix/nix2mininix.ml b/lib/mininix/nix2mininix.ml
new file mode 100644
index 0000000..cfd4fa3
--- /dev/null
+++ b/lib/mininix/nix2mininix.ml
@@ -0,0 +1,254 @@
+open Conv
+open Core
+exception FromNixError of string
+let try_insert_attr x e bs =
+  let x = chlist x in
+  if Extraction.attr_set_contains x bs then
+    raise (FromNixError "Attribute already exists")
+  else Extraction.attr_set_insert x e bs
+(* Shorthands, minor conversions *)
+let mn_singleton_set x e =
+  Extraction.(
+    EAttr (attr_set_insert (chlist x) (Attr (NONREC, e)) attr_set_empty))
+let mn_abs args e =
+  List.fold_right args ~init:e ~f:(fun arg e' ->
+      Extraction.EAbs (chlist arg, e'))
+let mn_lit l = Extraction.ELit l
+let mn_int x = mn_lit (Extraction.LitNum (Extraction.NInt x))
+let mn_float x = mn_lit (Extraction.LitNum (Extraction.NFloat x))
+let mn_bool b = mn_lit (Extraction.LitBool b)
+let mn_true = mn_bool true
+let mn_false = mn_bool false
+let mn_str s = mn_lit (Extraction.LitString (chlist s))
+let mn_null = mn_lit Extraction.LitNull
+let mn_id x = Extraction.EId (chlist x, None)
+let mn_app e1 e2 = Extraction.EApp (e1, e2)
+let mn_seq e1 e2 = Extraction.ESeq (Extraction.SHALLOW, e1, e2)
+let mn_deep_seq e1 e2 = Extraction.ESeq (Extraction.DEEP, e1, e2)
+let mn_list es = Extraction.EList es
+let mn_attr (bs : (string * [ `Rec | `Nonrec ] * Extraction.expr) list) =
+  Extraction.EAttr
+    (List.fold_left bs ~init:Extraction.attr_set_empty ~f:(fun bs' (x, r, e) ->
+         let r' =
+           match r with `Rec -> Extraction.REC | `Nonrec -> Extraction.NONREC
+         in
+         Extraction.attr_set_insert (chlist x) (Extraction.Attr (r', e)) bs'))
+let mn_with e1 e2 = Extraction.ELetAttr (Extraction.WITH, e1, e2)
+let mn_binop op e1 e2 = Extraction.EBinOp (op, e1, e2)
+let mn_add e1 e2 = mn_binop Extraction.AddOp e1 e2
+let mn_sub e1 e2 = mn_binop Extraction.SubOp e1 e2
+let mn_mul e1 e2 = mn_binop Extraction.MulOp e1 e2
+let mn_div e1 e2 = mn_binop Extraction.DivOp e1 e2
+let mn_bit_and e1 e2 = mn_binop Extraction.AndOp e1 e2
+let mn_bit_or e1 e2 = mn_binop Extraction.OrOp e1 e2
+let mn_bit_xor e1 e2 = mn_binop Extraction.XOrOp e1 e2
+let mn_lt e1 e2 = mn_binop Extraction.LtOp e1 e2
+let mn_eq e1 e2 = mn_binop Extraction.EqOp e1 e2
+let mn_if e1 e2 e3 = Extraction.EIf (e1, e2, e3)
+let mn_delete_attr e1 e2 = mn_binop Extraction.DeleteAttrOp e1 e2
+let mn_has_attr e1 e2 = mn_binop Extraction.HasAttrOp e1 e2
+let mn_select_attr e1 e2 = mn_binop Extraction.SelectAttrOp e1 e2
+let mn_singleton_attr e1 e2 =
+  mn_app (mn_binop Extraction.SingletonAttrOp e1 mn_null) e2
+let mn_update_attr e1 e2 = mn_binop Extraction.UpdateAttrOp e1 e2
+let mn_type_of e = mn_binop Extraction.TypeOfOp e mn_null
+let mn_function_args e = mn_binop Extraction.FunctionArgsOp e mn_null
+let mn_list_append e1 e2 = mn_binop Extraction.AppendListOp e1 e2
+let mn_list_match e = mn_binop Extraction.MatchListOp e mn_null
+let mn_string_match e = mn_binop Extraction.MatchStringOp e mn_null
+let mn_attr_match e = mn_binop Extraction.MatchAttrOp e mn_null
+let mn_ceil e = mn_binop (Extraction.RoundOp Ceil) e mn_null
+let mn_nearest_even e = mn_binop (Extraction.RoundOp NearestEven) e mn_null
+let mn_floor e = mn_binop (Extraction.RoundOp Floor) e mn_null
+(* Macros *)
+let mn_cast_bool e = mn_if e mn_true mn_false
+let mn_or e1 e2 = mn_if e1 mn_true (mn_cast_bool e2)
+let mn_and e1 e2 = mn_if e1 (mn_cast_bool e2) mn_false
+let mn_impl e1 e2 = mn_if e1 (mn_cast_bool e2) mn_true
+let mn_not e = mn_if e mn_false mn_true
+let mn_negate e = mn_sub (mn_int Extraction.Internal.BinNums.Z0) e
+let mn_neq e1 e2 = mn_not (mn_eq e2 e1)
+let mn_gt e1 e2 = mn_lt e2 e1
+let mn_lte e1 e2 = mn_not (mn_gt e1 e2)
+let mn_gte e1 e2 = mn_not (mn_lt e1 e2)
+(* Macros based on exported functions from the prelude *)
+let mnbi_assert e1 e2 = mn_app (mn_app (mn_id "__mn_assert") e1) e2
+let mnbi_has_attr e ds = mn_app (mn_app (mn_id "__mn_attr_has") e) (mn_list ds)
+let mnbi_select e ds = mn_app (mn_app (mn_id "__mn_attr_select") e) (mn_list ds)
+let mnbi_select_or e1 ds e2 =
+  mn_app (mn_app (mn_app (mn_id "__mn_attr_selectOr") e1) (mn_list ds)) e2
+let mnbi_insert_new e1 e2 e3 =
+  mn_app (mn_app (mn_app (mn_id "__mn_attr_insertNew") e1) e2) e3
+let is_dynamic_binding (b : Nix.Ast.binding) =
+  match b with
+  | Nix.Ast.AttrPath ([ Nix.Ast.Val (Nix.Ast.Str (_, [])) ], _)
+  | Nix.Ast.Inherit _ ->
+      false
+  | Nix.Ast.AttrPath ([ _ ], _) -> true
+  | _ -> assert false
+let has_dynamic_bindings (bs : Nix.Ast.binding list) =
+  List.exists bs ~f:is_dynamic_binding
+(* Static bindings left, dynamic bindings right *)
+let partition_dynamic (bs : Nix.Ast.binding list) :
+    Nix.Ast.binding list * Nix.Ast.binding list =
+  List.fold_left bs ~init:([], []) ~f:(fun (static, dynamic) b ->
+      if is_dynamic_binding b then (static, b :: dynamic)
+      else (b :: static, dynamic))
+(* Precondition: e must be have been processed by the elaborator. *)
+let rec from_nix e =
+  match e with
+  | Nix.Ast.BinaryOp (op, e1, e2) -> (
+      let e1', e2' = (from_nix e1, from_nix e2) in
+      match op with
+      | Nix.Ast.Plus -> mn_add e1' e2'
+      | Nix.Ast.Minus -> mn_sub e1' e2'
+      | Nix.Ast.Mult -> mn_mul e1' e2'
+      | Nix.Ast.Div -> mn_div e1' e2'
+      | Nix.Ast.Gt -> mn_gt e1' e2'
+      | Nix.Ast.Lt -> mn_lt e1' e2'
+      | Nix.Ast.Lte -> mn_lte e1' e2'
+      | Nix.Ast.Gte -> mn_gte e1' e2'
+      | Nix.Ast.Eq -> mn_eq e1' e2'
+      | Nix.Ast.Neq -> mn_neq e1' e2'
+      | Nix.Ast.Or -> mn_or e1' e2'
+      | Nix.Ast.And -> mn_and e1' e2'
+      | Nix.Ast.Impl -> mn_impl e1' e2'
+      | Nix.Ast.Merge -> mn_update_attr e1' e2'
+      | Nix.Ast.Concat -> mn_list_append e1' e2')
+  | Nix.Ast.UnaryOp (op, e) -> (
+      let e = from_nix e in
+      match op with Nix.Ast.Negate -> mn_negate e | Nix.Ast.Not -> mn_not e)
+  | Nix.Ast.Cond (e1, e2, e3) -> mn_if (from_nix e1) (from_nix e2) (from_nix e3)
+  | Nix.Ast.With (e1, e2) -> mn_with (from_nix e1) (from_nix e2)
+  | Nix.Ast.Assert (e1, e2) -> mnbi_assert (from_nix e1) (from_nix e2)
+  | Nix.Ast.Test (e, ds) -> mnbi_has_attr (from_nix e) List.(ds >>| from_nix)
+  | Nix.Ast.SetLet bs ->
+      from_nix
+        (Nix.Ast.Select
+           ( Nix.Ast.Val (Nix.Ast.AttSet (Nix.Ast.Rec, bs)),
+             [ Nix.Ast.Val (Nix.Ast.Str ("body", [])) ],
+             None ))
+  | Nix.Ast.Let (bs, e2) ->
+      if has_dynamic_bindings bs then
+        raise (FromNixError "Let bindings may not be dynamic");
+      let e1 = from_nix (Nix.Ast.Val (Nix.Ast.AttSet (Nix.Ast.Rec, bs))) in
+      Extraction.ELetAttr (Extraction.ABS, e1, from_nix e2)
+  | Nix.Ast.Val v -> from_nix_val v
+  | Nix.Ast.Id x -> mn_id x
+  | Nix.Ast.Select (e, parts, md) -> (
+      match md with
+      | Some d ->
+          mnbi_select_or (from_nix e) List.(parts >>| from_nix) (from_nix d)
+      | None -> (
+          match parts with
+          | [ part ] -> mn_select_attr (from_nix e) (from_nix part)
+          | _ -> mnbi_select (from_nix e) List.(parts >>| from_nix)))
+  | Nix.Ast.Apply (e1, e2) -> mn_app (from_nix e1) (from_nix e2)
+  | Nix.Ast.Aquote _ ->
+      assert false (* should be gone after processing by elaborator *)
+and from_nix_val v =
+  match v with
+  | Str (s, parts) ->
+      let parts = List.(parts >>= fun (e, s) -> [ from_nix e; mn_str s ]) in
+      List.fold_left parts ~init:(mn_str s) ~f:mn_add
+  | IStr _ -> raise (FromNixError "Indented strings are not supported")
+  | Int n -> (
+      match Extraction.string_to_Z (chlist n) with
+      | Some n -> mn_int n
+      | None -> raise (FromNixError "Bad integer literal"))
+  | Float n ->
+      let n =
+        try Float.of_string n
+        with Invalid_argument _ -> raise (FromNixError "Bad float literal")
+      in
+      if Float.(is_nan n || is_inf n) then
+        raise (FromNixError "Bad float literal")
+      else mn_float (float_to_flocq n)
+  | Path _ | SPath _ | HPath _ -> raise (FromNixError "Paths are not supported")
+  | Uri s -> mn_str s
+  | Lambda (Alias x, e) -> mn_abs [ x ] (from_nix e)
+  | Lambda (ParamSet (Some x, fs), e) ->
+      from_nix_val
+        (Lambda (Alias x, Apply (Val (Lambda (ParamSet (None, fs), e)), Id x)))
+  | Lambda (ParamSet (None, (fs, strictness)), e) ->
+      let ms =
+        List.fold_left fs ~init:Extraction.matcher_empty ~f:(fun ms (x, me) ->
+            Extraction.matcher_insert (chlist x) (Option.map ~f:from_nix me) ms)
+      in
+      Extraction.EAbsMatch
+        ( ms,
+          (match strictness with Loose -> false | Exact -> true),
+          from_nix e )
+  | List es -> mn_list (List.map es ~f:from_nix)
+  | AttSet (recursivity, bs) ->
+      let static, dynamic = partition_dynamic bs
+      and recursivity' =
+        match recursivity with
+        | Nix.Ast.Rec -> Extraction.REC
+        | Nix.Ast.Nonrec -> Extraction.NONREC
+      in
+      let set_no_dyn =
+        Extraction.EAttr
+          (List.fold_left static ~init:Extraction.attr_set_empty
+             ~f:(fun static' bnd ->
+               match bnd with
+               | Nix.Ast.AttrPath ([ Nix.Ast.Val (Nix.Ast.Str (x, [])) ], e) ->
+                   try_insert_attr x
+                     (Extraction.Attr (recursivity', from_nix e))
+                     static'
+               | Nix.Ast.Inherit (None, xs) ->
+                   List.fold_left xs ~init:static' ~f:(fun static' x ->
+                       match x with
+                       | Id x ->
+                           try_insert_attr x
+                             (Extraction.Attr (Extraction.NONREC, mn_id x))
+                             static'
+                       | _ -> assert false)
+               | Nix.Ast.Inherit (Some e, xs) ->
+                   let e = from_nix e in
+                   List.fold_left xs ~init:static' ~f:(fun static' x ->
+                       match x with
+                       | Id x ->
+                           try_insert_attr x
+                             (Extraction.Attr
+                                (recursivity', mn_select_attr e (mn_str x)))
+                             static'
+                       | _ -> assert false)
+               | _ -> assert false))
+      in
+      List.fold_right dynamic ~init:set_no_dyn ~f:(fun bnd set ->
+          match bnd with
+          | Nix.Ast.AttrPath ([ d ], e) ->
+              mnbi_insert_new set
+                (match recursivity with
+                | Nix.Ast.Rec ->
+                    Extraction.ELetAttr (Extraction.ABS, set_no_dyn, from_nix d)
+                | Nix.Ast.Nonrec -> from_nix d)
+                (match recursivity with
+                | Nix.Ast.Rec ->
+                    Extraction.ELetAttr (Extraction.ABS, set_no_dyn, from_nix e)
+                | Nix.Ast.Nonrec -> from_nix e)
+          | _ -> assert false)
diff --git a/lib/mininix/run.ml b/lib/mininix/run.ml
new file mode 100644
index 0000000..f33bace
--- /dev/null
+++ b/lib/mininix/run.ml
@@ -0,0 +1,17 @@
+open Core
+(* The [n]th Church numeral *)
+let rec church n f x = if n <= 0 then x else church (n - 1) f (f x)
+let limited =
+  church 2048
+    (fun x -> Extraction.Internal.Datatypes.S x)
+    Extraction.Internal.Datatypes.O
+let rec infinity = Extraction.Internal.Datatypes.S infinity
+let interp ~fuel ~mode ~env e =
+  let mode : Extraction.mode =
+    match mode with `Shallow -> SHALLOW | `Deep -> DEEP
+  and fuel = match fuel with `Unlimited -> infinity | `Limited -> limited in
+  Extraction.interp' fuel mode env e
diff --git a/lib/mininix/sexp.ml b/lib/mininix/sexp.ml
new file mode 100644
index 0000000..95da655
--- /dev/null
+++ b/lib/mininix/sexp.ml
@@ -0,0 +1,160 @@
+open Conv
+open Core
+open Extraction
+exception ToSexpError of string
+let tag t l = Sexp.List (Sexp.Atom t :: l)
+let lit_to_sexp = function
+  | LitString s -> tag "LitString" [ Sexp.Atom (str s) ]
+  | LitNum (NInt n) ->
+      tag "LitNum" [ Sexp.Atom "INT"; Sexp.Atom (str (string_of_Z n)) ]
+  | LitNum (NFloat n) ->
+      tag "LitNum"
+        [
+          Sexp.Atom "FLOAT";
+          Sexp.Atom (Printf.sprintf "%g" (float_from_flocq n));
+        ]
+  | LitBool b -> tag "LitBool" [ Sexp.Atom (Bool.to_string b) ]
+  | LitNull -> tag "LitNull" []
+let option_to_sexp mv ~f =
+  match mv with Some v -> tag "Some" [ f v ] | None -> Sexp.Atom "None"
+let mode_to_sexp mode =
+  Sexp.Atom (match mode with SHALLOW -> "SHALLOW" | DEEP -> "DEEP")
+let rec_to_sexp r = Sexp.Atom (match r with REC -> "REC" | NONREC -> "NONREC")
+let binop_to_sexp op =
+  Sexp.Atom
+    (match op with
+    | UpdateAttrOp -> "UpdateAttrOp"
+    | AddOp -> "AddOp"
+    | SubOp -> "SubOp"
+    | MulOp -> "MulOp"
+    | DivOp -> "DivOp"
+    | AndOp -> "AndOp"
+    | OrOp -> "OrOp"
+    | XOrOp -> "XOrOp"
+    | RoundOp Ceil -> "Ceil"
+    | RoundOp NearestEven -> "NearestEven"
+    | RoundOp Floor -> "Floor"
+    | LtOp -> "LtOp"
+    | EqOp -> "EqOp"
+    | HasAttrOp -> "HasAttrOp"
+    | SelectAttrOp -> "SelectAttrOp"
+    | DeleteAttrOp -> "DeleteAttrOp"
+    | SingletonAttrOp -> "SingletonAttrOp"
+    | TypeOfOp -> "TypeOfOp"
+    | AppendListOp -> "AppendListOp"
+    | MatchAttrOp -> "MatchAttrOp"
+    | MatchListOp -> "MatchListOp"
+    | MatchStringOp -> "MatchStringOp"
+    | FunctionArgsOp -> "FunctionArgsOp")
+let kind_to_sexp k = Sexp.Atom (match k with ABS -> "ABS" | WITH -> "WITH")
+let rec expr_to_sexp = function
+  | ELit l -> tag "ELit" [ lit_to_sexp l ]
+  | EId (x, None) -> tag "EId" [ Sexp.Atom (str x) ]
+  | EId (x, Some (k, e)) ->
+      tag "EId"
+        [ Sexp.Atom (str x); tag "alt" [ kind_to_sexp k; expr_to_sexp e ] ]
+  | EAbs (x, e) -> tag "EAbs" [ Sexp.Atom (str x); expr_to_sexp e ]
+  | EAbsMatch (ms, strict, e) ->
+      tag "EAbsMatch"
+        [
+          Sexp.Atom (if strict then "EXACT" else "LOOSE");
+          tag "formals"
+            (matcher_fold
+               (fun x me se ->
+                 Sexp.List
+                   [ Sexp.Atom (str x); option_to_sexp me ~f:expr_to_sexp ]
+                 :: se)
+               [] ms);
+          expr_to_sexp e;
+        ]
+  | EApp (e1, e2) -> tag "EApp" [ expr_to_sexp e1; expr_to_sexp e2 ]
+  | ELetAttr (k, e1, e2) ->
+      tag "ELetAttr" [ kind_to_sexp k; expr_to_sexp e1; expr_to_sexp e2 ]
+  | ESeq (mode, e1, e2) ->
+      tag "ESeq" [ mode_to_sexp mode; expr_to_sexp e1; expr_to_sexp e2 ]
+  | EAttr bs ->
+      tag "EAttr"
+        (attr_set_fold
+           (fun x (Attr (r, e)) se ->
+             Sexp.List [ Sexp.Atom (str x); rec_to_sexp r; expr_to_sexp e ]
+             :: se)
+           [] bs)
+  | EList es ->
+      tag "EList"
+        (Internal.List.fold_right (fun e se -> expr_to_sexp e :: se) [] es)
+  | EBinOp (op, e1, e2) ->
+      tag "EBinOp" [ binop_to_sexp op; expr_to_sexp e1; expr_to_sexp e2 ]
+  | EIf (e1, e2, e3) ->
+      tag "EIf" [ expr_to_sexp e1; expr_to_sexp e2; expr_to_sexp e3 ]
+let rec val_to_sexp = function
+  | VLit l -> tag "VLit" [ lit_to_sexp l ]
+  | VClo _ -> tag "VClo" []
+  | VCloMatch _ -> tag "VCloMatch" []
+  | VAttr bs ->
+      tag "VAttr"
+        (Extraction.thunk_map_fold
+           (fun x t bs' ->
+             Sexp.List [ Sexp.Atom (str x); thunk_to_sexp t ] :: bs')
+           [] bs)
+  | VList ts ->
+      tag "VList"
+        (Internal.List.fold_right (fun t st -> thunk_to_sexp t :: st) [] ts)
+and env_to_sexp env =
+  tag "Env"
+    (Extraction.env_fold
+       (fun x (k, t) envs ->
+         Sexp.List
+           [
+             Sexp.Atom (str x);
+             Sexp.Atom
+               (match k with
+               | Extraction.ABS -> "ABS"
+               | Extraction.WITH -> "WITH");
+             thunk_to_sexp t;
+           ]
+         :: envs)
+       [] env)
+and thunk_to_sexp = function
+  | Thunk _ -> tag "Thunk" [ Sexp.Atom "DELAYED" ]
+  | Indirect _ -> tag "Thunk" [ Sexp.Atom "INDIRECT" ]
+  | Forced v -> tag "Thunk" [ Sexp.Atom "FORCED"; val_to_sexp v ]
+let expr_res_to_sexp = function
+  | NoFuel -> Sexp.Atom "NoFuel"
+  | Res e -> tag "Res" [ option_to_sexp e ~f:expr_to_sexp ]
+let val_res_to_sexp = function
+  | NoFuel -> Sexp.Atom "NoFuel"
+  | Res e -> tag "Res" [ option_to_sexp e ~f:val_to_sexp ]
+let rec (sexp_of_import_tree : Import.tree -> Sexp.t) = function
+  | { filename; deps = [] } -> Sexp.Atom filename
+  | { filename; deps } ->
+      Sexp.List [ Sexp.Atom filename; sexp_of_import_forest deps ]
+and sexp_of_import_forest forest =
+  Sexp.List (Sexp.Atom "deps" :: List.map forest ~f:sexp_of_import_tree)
+exception OfSexpError of string
+let rec import_tree_of_sexp : Sexp.t -> Import.tree = function
+  | Sexp.Atom filename -> { filename; deps = [] }
+  | Sexp.List [ Sexp.Atom filename; deps ] ->
+      { filename; deps = import_forest_of_sexp deps }
+  | _ -> raise (OfSexpError "Could not parse import tree")
+and import_forest_of_sexp = function
+  | Sexp.List (Sexp.Atom "deps" :: deps) -> List.map ~f:import_tree_of_sexp deps
+  | _ -> raise (OfSexpError "Could not parse import forest")
diff --git a/lib/nix/dune b/lib/nix/dune
new file mode 100644
index 0000000..3954c8a
--- /dev/null
+++ b/lib/nix/dune
@@ -0,0 +1,15 @@
+(menhir
+ (modules parser)
+ (flags "--dump" "--strict" "--external-tokens" "Tokens")
+ (infer true))
+(ocamllex
+ (modules lexer))
+(library
+ (name nix)
+ (preprocess
+  (pps ppx_sexp_conv))
+ (instrumentation
+  (backend bisect_ppx))
+ (libraries core core_unix core_unix.filename_unix pprint ppx_sexp_conv str))
diff --git a/lib/nix/elaborator.ml b/lib/nix/elaborator.ml
new file mode 100644
index 0000000..36ee0d4
--- /dev/null
+++ b/lib/nix/elaborator.ml
@@ -0,0 +1,208 @@
+open Core
+open Types
+(* The Nix elaborator does a few things:
+   - Attribute paths are transformed into a simple list of expressions:
+     + Simple identifiers are rewritten to string values
+     + Antiquotations are rewritten to their component expressions
+     + Anything else, that is not a string value, is rejected
+       and raises an exception
+   - In 'inherit (...) x1 ... xn', x1 ... xn are checked for 'reasonably' being
+     identifiers, i.e., being one of x, "x" and ${"x"}.
+   - Nested attribute paths are unfolded and attribute sets are merged where
+     possible. (Where we mean 'what Nix does' with 'where possible'; see the
+     comment at the respective function.)
+   - Paths are turned into strings and made absolute w.r.t. the current
+     working directory.
+   - Indented strings are converted to their 'normal' counterpart. *)
+exception ElaborateError of string
+type attr_set = recursivity * binding list
+let set_expr (r, bs) = Val (AttSet (r, bs))
+let get_id = function Id x -> x | _ -> assert false
+let rec update_bnd (bs : binding list) (x : string) ~(f : expr option -> expr) =
+  match bs with
+  | [] -> [ AttrPath ([ Val (Str (x, [])) ], f None) ]
+  | AttrPath ([ Val (Str (y, [])) ], e) :: s' when String.(x = y) ->
+      AttrPath ([ Val (Str (y, [])) ], f (Some e)) :: s'
+  | Inherit (_, ids) :: _
+    when List.exists ids ~f:(fun e -> String.(get_id e = x)) ->
+      raise (ElaborateError "Cannot update inherit")
+  | bnd :: s' -> bnd :: update_bnd s' x ~f
+let set_update_bnd (r, bs) x ~f = (r, update_bnd bs x ~f)
+let rec has_bnd (bs : binding list) (x : string) : bool =
+  match bs with
+  | [] -> false
+  | AttrPath ([ Val (Str (y, [])) ], _) :: _ when String.(x = y) -> true
+  | Inherit (_, ids) :: _
+    when List.exists ids ~f:(fun e -> String.(get_id e = x)) ->
+      true
+  | _ :: bs' -> has_bnd bs' x
+let merge_bnds bs1 bs2 : binding list =
+  List.fold_left bs2 ~init:bs1 ~f:(fun bs1' b2 ->
+      match b2 with
+      | AttrPath ([ Val (Str (x, [])) ], e) ->
+          update_bnd bs1' x ~f:(function
+            | Some _ -> raise (ElaborateError "Duplicated attribute")
+            | None -> e)
+      | AttrPath ([ d ], e) -> AttrPath ([ d ], e) :: bs1'
+      | Inherit (md, xs) ->
+          if List.for_all xs ~f:(fun e -> not (has_bnd bs1' (get_id e))) then
+            Inherit (md, xs) :: bs1'
+          else raise (ElaborateError "Duplicated attribute")
+      | _ -> assert false)
+(* This function intentionally clobbers recursivity, because that is the way
+   that Nix likes to handle attribute insertion. See
+     (1) https://github.com/NixOS/nix/issues/9020
+     (2) https://github.com/NixOS/nix/issues/11268
+     (3) https://github.com/NixOS/nix/pull/11294 *)
+let rec insert (bs : binding list) (path : expr list) (e : expr) =
+  match path with
+  | [] -> raise (ElaborateError "Cannot insert attribute with empty path")
+  | [ Val (Str (x, [])) ] ->
+      update_bnd bs x ~f:(function
+        | None -> e
+        | Some (Val (AttSet (r1, bs1))) -> (
+            match e with
+            | Val (AttSet (_, bs2)) -> set_expr (r1, merge_bnds bs1 bs2)
+            | _ -> raise (ElaborateError "Duplicated attribute"))
+        | _ -> raise (ElaborateError "Duplicated attribute"))
+  | Val (Str (x, [])) :: rest ->
+      update_bnd bs x ~f:(function
+        | Some (Val (AttSet (r, bs))) -> Val (AttSet (r, insert bs rest e))
+        | Some _ -> raise (ElaborateError "Duplicated attribute")
+        | None -> Val (AttSet (Nonrec, insert [] rest e)))
+  | [ part ] -> AttrPath ([ part ], e) :: bs
+  | part :: rest ->
+      AttrPath ([ part ], Val (AttSet (Nonrec, insert [] rest e))) :: bs
+let insert_inherit (bs : binding list) (from : expr option) (es : expr list) =
+  if List.for_all es ~f:(fun e -> not (has_bnd bs (get_id e))) then
+    Inherit (from, es) :: bs
+  else raise (ElaborateError "Duplicated attribute")
+let simplify_path_component = function
+  | Id x -> Val (Str (x, []))
+  | Val (Str (s, ess)) -> Val (Str (s, ess))
+  | Aquote e -> e
+  | _ -> raise (ElaborateError "Unexpected path component")
+let simplify_path = List.map ~f:simplify_path_component
+let simplify_bnd_paths =
+  List.map ~f:(fun bnd ->
+      match bnd with
+      | AttrPath (path, e) -> AttrPath (simplify_path path, e)
+      | Inherit (me, xs) -> Inherit (me, xs))
+(* Law: concat_lines ∘ split_lines = id *)
+let rec split_lines s =
+  match String.lsplit2 s ~on:'\n' with
+  | Some (s1, s2) -> s1 :: split_lines s2
+  | None -> [ s ]
+let rec concat_lines = function
+  | [] -> ""
+  | [ x ] -> x
+  | x :: xs -> x ^ "\n" ^ concat_lines xs
+let map_tail ~f = function [] -> [] | x :: xs -> x :: List.map ~f xs
+let unindent n s ~skip_first_line =
+  let map_op ~f = if skip_first_line then map_tail ~f else List.map ~f in
+  split_lines s
+  |> map_op ~f:(fun line ->
+         let expected_prefix = String.make n ' ' in
+         String.chop_prefix_if_exists ~prefix:expected_prefix line)
+  |> concat_lines
+let is_spaces l = String.(strip l ~drop:(Char.( = ) ' ') |> is_empty)
+let drop_first_empty_line s =
+  match String.lsplit2 s ~on:'\n' with
+  | Some (l, s') when is_spaces l -> s'
+  | _ -> s
+let rec process ?(dir = None) = function
+  | BinaryOp (op, e1, e2) -> BinaryOp (op, process ~dir e1, process ~dir e2)
+  | UnaryOp (op, e) -> UnaryOp (op, process ~dir e)
+  | Cond (e1, e2, e3) -> Cond (process ~dir e1, process ~dir e2, process ~dir e3)
+  | With (e1, e2) -> With (process ~dir e1, process ~dir e2)
+  | Assert (e1, e2) -> Assert (process ~dir e1, process ~dir e2)
+  | Test (e1, es) ->
+      Test (process ~dir e1, List.(simplify_path es >>| process ~dir))
+  | SetLet bs -> SetLet (process_bnds ~dir bs)
+  | Let (bs, e) -> Let (process_bnds ~dir bs, process ~dir e)
+  | Val v -> Val (process_val ~dir v)
+  | Id x -> Id x
+  | Select (e, es, me) ->
+      Select
+        ( process ~dir e,
+          List.(simplify_path es >>| process ~dir),
+          Option.(me >>| process ~dir) )
+  | Apply (e1, e2) -> Apply (process ~dir e1, process ~dir e2)
+  | Aquote e -> Aquote (process ~dir e)
+and process_val ~dir = function
+  | Str (s, ess) -> Str (s, List.(ess >>| fun (e, s) -> (process ~dir e, s)))
+  | IStr (n, s, ess) ->
+      let s' = drop_first_empty_line (unindent n s ~skip_first_line:false)
+      and ess' =
+        List.map ess ~f:(fun (e, s) ->
+            (process ~dir e, unindent n s ~skip_first_line:true))
+      in
+      Str (s', ess')
+  | Lambda (p, e) -> Lambda (process_pattern ~dir p, process ~dir e)
+  | List es -> List List.(es >>| process ~dir)
+  | AttSet (r, bs) -> AttSet (r, process_bnds ~dir bs)
+  | Path p -> (
+      if Filename.is_absolute p then Str (p, [])
+      else
+        match dir with
+        | Some dir when Filename.is_absolute dir ->
+            Str (Filename.concat dir p, [])
+        | Some _ ->
+            raise
+              (ElaborateError "Provided directory should be an absolute path")
+        | None -> raise (ElaborateError "Do not know how to resolve path"))
+  | v -> v
+and process_bnds ~dir bs =
+  bs
+  |> List.map ~f:(function
+       | AttrPath (es, e) ->
+           AttrPath (List.(es >>| process ~dir), process ~dir e)
+       | Inherit (me, xs) ->
+           Inherit (Option.(me >>| process ~dir), process_inherit_ids xs))
+  |> simplify_bnd_paths
+  |> List.fold ~init:[] ~f:(fun bs' bnd ->
+         match bnd with
+         | AttrPath (path, e) -> insert bs' path e
+         | Inherit (from, es) -> insert_inherit bs' from es)
+and process_inherit_ids =
+  List.map ~f:(function
+    | Id x | Val (Str (x, [])) | Aquote (Val (Str (x, []))) -> Id x
+    | _ -> raise (ElaborateError "Unexpected expression in inherit"))
+and process_pattern ~dir = function
+  | Alias x -> Alias x
+  | ParamSet (mx, (ps, k)) -> ParamSet (mx, (process_param_set ~dir mx ps, k))
+and process_param_set ~dir ?(seen = String.Set.empty) mx ps =
+  match ps with
+  | [] -> []
+  | (y, me) :: ps' ->
+      if Set.mem seen y || Option.mem mx y ~equal:String.( = ) then
+        raise (ElaborateError "Duplicated function argument")
+      else
+        (y, Option.(me >>| process ~dir))
+        :: process_param_set ~dir mx ps' ~seen:(Set.add seen y)
diff --git a/lib/nix/lexer.mll b/lib/nix/lexer.mll
new file mode 100644
index 0000000..023d888
--- /dev/null
+++ b/lib/nix/lexer.mll
@@ -0,0 +1,315 @@
+{
+open Core
+open Tokens
+exception Error of string
+(* Types of curly braces.
+   AQUOTE corresponds to the braces for antiquotation, i.e. '${...}'
+   and SET to an attribute set '{...}'.
+ *)
+type braces =
+  | AQUOTE
+  | SET
+let print_stack s =
+  let b = Buffer.create 100 in
+  Buffer.add_string b "[ ";
+  List.iter s ~f:(function
+      | AQUOTE -> Buffer.add_string b "AQUOTE; "
+      | SET -> Buffer.add_string b "SET; "
+    );
+  Buffer.add_string b "]";
+  Buffer.contents b
+let token_of_str state buf =
+  match state with
+        | `Start -> STR_START (Buffer.contents buf)
+        | `Mid -> STR_MID (Buffer.contents buf)
+let token_of_istr state buf =
+  match state with
+        | `Start -> ISTR_START (Buffer.contents buf)
+        | `Mid -> ISTR_MID (Buffer.contents buf)
+(* lookup table for one-character tokens *)
+let char_table = Array.create ~len:94 EOF
+let _ =
+  List.iter ~f:(fun (k, v) -> Array.set char_table ((int_of_char k) - 1) v)
+    [
+      '.', SELECT;
+      '?', QMARK;
+      '!', NOT;
+      '=', ASSIGN;
+      '<', LT;
+      '>', GT;
+      '[', LBRACK;
+      ']', RBRACK;
+      '+', PLUS;
+      '-', MINUS;
+      '*', TIMES;
+      '/', SLASH;
+      '(', LPAREN;
+      ')', RPAREN;
+      ':', COLON;
+      ';', SEMICOLON;
+      ',', COMMA;
+      '@', AS
+    ]
+(* lookup table for two- and three-character tokens *)
+let str_table = Hashtbl.create (module String) ~size:10
+let _ =
+  List.iter ~f:(fun (kwd, tok) -> Hashtbl.set str_table ~key:kwd ~data:tok)
+    [
+      "//", MERGE;
+      "++", CONCAT;
+      "<=", LTE;
+      ">=", GTE;
+      "==", EQ;
+      "!=", NEQ;
+      "&&", AND;
+      "||", OR;
+      "->", IMPL;
+      "...", ELLIPSIS
+    ]
+(* lookup table for keywords *)
+let keyword_table = Hashtbl.create (module String) ~size:10
+let _ =
+  List.iter ~f:(fun (kwd, tok) -> Hashtbl.set keyword_table ~key:kwd ~data:tok)
+    [ "with", WITH;
+      "rec", REC;
+      "let", LET;
+      "in", IN;
+      "inherit", INHERIT;
+      "if" , IF;
+      "then", THEN;
+      "else", ELSE;
+      "assert", ASSERT;
+      "or", ORDEF ]
+(* replace an escape sequence by the corresponding character(s) *)
+let unescape = function
+  | "\\n" -> "\n"
+  | "\\r" -> "\r"
+  | "\\t" -> "\t"
+  | "\\\\" -> "\\"
+  | "\\${" -> "${"
+  | "''$" -> "$"
+  | "$$" -> "$"
+  | "'''" -> "''"
+  | "''\\t" -> "\t"
+  | "''\\r" -> "\r"
+  | "''\\n" -> "\n"
+  | x ->
+    failwith (Printf.sprintf "unescape unexpected arg %s" x)
+let collect_tokens lexer q lexbuf =
+  let stack = ref [] in
+  let queue = Stdlib.Queue.create () in
+  let rec go () =
+    match (try Some (Stdlib.Queue.take queue) with Stdlib.Queue.Empty -> None) with
+    | Some token ->
+      (
+        match token, !stack with
+        | AQUOTE_CLOSE, [] ->
+          Stdlib.Queue.add AQUOTE_CLOSE q
+        | EOF, _ ->
+          Stdlib.Queue.add EOF q;
+        | _, _ ->
+          Stdlib.Queue.add token q;
+          go ()
+      )
+    | None ->
+      lexer queue stack lexbuf;
+      go ()
+  in
+  Stdlib.Queue.add AQUOTE_OPEN q;
+  stack := [AQUOTE];
+  lexer queue stack lexbuf;
+  go ()
+(* utility functions *)
+let print_position lexbuf =
+  let pos = Lexing.lexeme_start_p lexbuf in
+  Printf.sprintf "%s:%d:%d" pos.pos_fname
+    pos.pos_lnum (pos.pos_cnum - pos.pos_bol + 1)
+let set_filename fname (lexbuf: Lexing.lexbuf)  =
+  let pos = lexbuf.lex_curr_p in
+  lexbuf.lex_curr_p <- { pos with pos_fname = fname }; lexbuf
+}
+let nzdigit = ['1'-'9']
+let digit = nzdigit | '0'
+let float = (nzdigit digit* '.' digit* | '0'? '.' digit+) (['E' 'e'] ['+' '-']? digit+)?
+let alpha = ['a'-'z' 'A'-'Z']
+let alpha_digit = alpha | digit
+let path_chr = alpha_digit | ['.' '_' '-' '+']
+let path = path_chr* ('/' path_chr+)+
+let spath = alpha_digit path_chr* ('/' path_chr+)*
+let uri_chr = ['%' '/' '?' ':' '@' '&' '=' '+' '$' ',' '-' '_' '.' '!' '~' '*' '\'']
+let scheme = alpha (alpha | ['+' '-' '.'])*
+let uri = scheme ':' (alpha_digit | uri_chr)+
+let char_tokens = ['.' '?' '!' '=' '<' '>' '[' ']' '+' '-' '*' '/' '^' '(' ')' ':' ';' ',' '@']
+rule get_tokens q s = parse
+(* skip whitespeces *)
+| [' ' '\t' '\r']
+    { get_tokens q s lexbuf }
+(* increase line count for new lines *)
+| '\n'
+    { Lexing.new_line lexbuf; get_tokens q s lexbuf }
+| char_tokens as c
+    { Stdlib.Queue.add (Array.get char_table ((int_of_char c) - 1)) q }
+| ("//" | "++" | "<=" | ">=" | "==" | "!=" | "&&" | "||" | "->" | "...") as s
+    { Stdlib.Queue.add (Hashtbl.find_exn str_table s) q}
+| digit+ as i
+    { Stdlib.Queue.add (INT i) q }
+| float
+    { Stdlib.Queue.add (FLOAT (Lexing.lexeme lexbuf)) q }
+| path
+    { Stdlib.Queue.add (PATH (Lexing.lexeme lexbuf)) q }
+| '<' (spath as p) '>'
+    { Stdlib.Queue.add (SPATH  p) q }
+| '~' path as p
+    { Stdlib.Queue.add (HPATH  p) q }
+| uri
+    { Stdlib.Queue.add(URI (Lexing.lexeme lexbuf)) q }
+(* keywords or identifiers *)
+| ((alpha | '_')+ (alpha_digit | ['_' '\'' '-'])*) as id
+    { Stdlib.Queue.add (Hashtbl.find keyword_table id |> Option.value ~default:(ID id)) q}
+(* comments *)
+| '#' ([^ '\n']* as c)
+    { ignore c; get_tokens q s lexbuf}
+| "/*"
+    { comment (Buffer.create 64) lexbuf;
+      get_tokens q s lexbuf
+    }
+(* the following three tokens change the braces stack *)
+| "${"
+    { Stdlib.Queue.add AQUOTE_OPEN q; s := AQUOTE :: !s }
+| '{'
+    { Stdlib.Queue.add LBRACE q; s := SET :: !s }
+| '}'
+    {
+      match !s with
+      | AQUOTE :: rest ->
+        Stdlib.Queue.add AQUOTE_CLOSE q; s := rest
+      | SET :: rest ->
+        Stdlib.Queue.add RBRACE q; s := rest
+      | _ ->
+        let pos = print_position lexbuf in
+        let err = Printf.sprintf "Unbalanced '}' at %s\n" pos in
+        raise (Error err)
+    }
+(* a double-quoted string *)
+| '"'
+    { string `Start (Buffer.create 64) q lexbuf }
+(* an indented string *)
+| "''" (' '+ as ws)
+    { istring `Start (Some (String.length ws)) (Buffer.create 64) q lexbuf }
+| "''"
+    { istring `Start None (Buffer.create 64) q lexbuf }
+(* End of input *)
+| eof
+    { Stdlib.Queue.add EOF q }
+(* any other character raises an exception *)
+| _
+    {
+      let pos = print_position lexbuf in
+      let tok = Lexing.lexeme lexbuf in
+      let err = Printf.sprintf "Unexpected character '%s' at %s\n" tok pos in
+      raise (Error err)
+    }
+(* Nix does not allow nested comments, but it is still handy to lex it
+   separately because we can properly increase line count. *)
+and comment buf = parse
+  | '\n'
+    {Lexing.new_line lexbuf; Buffer.add_char buf '\n'; comment buf lexbuf}
+  | "*/"
+    { () }
+  | _ as c
+    { Buffer.add_char buf c; comment buf lexbuf }
+and string state buf q = parse
+  | '"'                         (* terminate when we hit '"' *)
+    { Stdlib.Queue.add (token_of_str state buf) q; Stdlib.Queue.add STR_END q }
+  | '\n'
+    { Lexing.new_line lexbuf; Buffer.add_char buf '\n'; string state buf q lexbuf }
+  | ("\\n" | "\\r" | "\\t" | "\\\\" | "\\${") as s
+      { Buffer.add_string buf (unescape s); string state buf q lexbuf }
+  | "\\" (_ as c)               (* add the character verbatim *)
+      { Buffer.add_char buf c; string state buf q lexbuf }
+  | "${"               (* collect all the tokens till we hit the matching '}' *)
+    {
+      Stdlib.Queue.add (token_of_str state buf) q;
+      collect_tokens get_tokens q lexbuf;
+      string `Mid (Buffer.create 64) q lexbuf
+    }
+  | _ as c                  (* otherwise just add the character to the buffer *)
+    { Buffer.add_char buf c; string state buf q lexbuf }
+and istring state imin buf q = parse
+  | ('\n' ' '* "''")
+      {
+        Lexing.new_line lexbuf;
+        Buffer.add_string buf "\n";
+        let indent = match imin with | None -> 0 | Some i -> i in
+        Stdlib.Queue.add (token_of_istr state buf) q;
+        Stdlib.Queue.add (ISTR_END indent) q
+      }
+  | "''"
+      {
+        let indent = match imin with | None -> 0 | Some i -> i in
+        Stdlib.Queue.add (token_of_istr state buf) q;
+        Stdlib.Queue.add (ISTR_END indent) q
+      }
+  | ('\n' ' '* '\n') as s
+    {
+      Lexing.new_line lexbuf;
+      Lexing.new_line lexbuf;
+      Buffer.add_string buf s;
+      istring state imin buf q lexbuf
+    }
+  | ('\n' (' '* as ws)) as s
+    {
+      Lexing.new_line lexbuf;
+      Buffer.add_string buf s;
+      let ws_count = String.length ws in
+      match imin with
+      | None ->
+        istring state (Some ws_count) buf q lexbuf
+      | Some i ->
+        istring state (Some (min i ws_count)) buf q lexbuf
+    }
+  | ("''$" | "'''" | "''\\t" | "''\\r" | "''\\n") as s
+      { Buffer.add_string buf (unescape s); istring state imin buf q lexbuf }
+  | "''\\" (_ as c)
+      { Buffer.add_char buf c; istring state imin buf q lexbuf }
+  | "${"
+    {
+      Stdlib.Queue.add (token_of_istr state buf) q;
+      collect_tokens get_tokens q lexbuf;
+      istring `Mid imin (Buffer.create 64) q lexbuf
+    }
+  | _ as c
+    { Buffer.add_char buf c; istring state imin buf q lexbuf }
+{
+let rec next_token
+    (q: token Stdlib.Queue.t)
+    (s: braces list ref)
+    (lexbuf: Lexing.lexbuf)
+  : token =
+  match (try Some (Stdlib.Queue.take q) with | Stdlib.Queue.Empty -> None) with
+  | Some token ->
+    token
+  | None ->
+    get_tokens q s lexbuf;
+    next_token q s lexbuf
+}
diff --git a/lib/nix/nix.ml b/lib/nix/nix.ml
new file mode 100644
index 0000000..39dc94c
--- /dev/null
+++ b/lib/nix/nix.ml
@@ -0,0 +1,20 @@
+open Core
+module Ast = Types
+module Printer = Printer
+exception ParseError of string
+let parse ~filename (data : string) =
+  let lexbuf = Lexer.set_filename filename (Lexing.from_string data)
+  and q, s = (Stdlib.Queue.create (), ref []) in
+  try Parser.main (Lexer.next_token q s) lexbuf with
+  | Lexer.Error msg ->
+      let msg' = String.rstrip msg in
+      raise (ParseError (sprintf "Lexing error: %s" msg'))
+  | Parser.Error ->
+      let msg = sprintf "Parse error at %s" (Lexer.print_position lexbuf) in
+      raise (ParseError msg)
+let elaborate = Elaborator.process
+exception ElaborateError = Elaborator.ElaborateError
diff --git a/lib/nix/parser.mly b/lib/nix/parser.mly
new file mode 100644
index 0000000..dc1638d
--- /dev/null
+++ b/lib/nix/parser.mly
@@ -0,0 +1,310 @@
+/* Tokens with data */
+%token <string> INT
+%token <string> FLOAT
+/* A path */
+%token <string> PATH
+/* Search path, enclosed in <> */
+%token <string> SPATH
+/* Home path, starts with ~ */
+%token <string> HPATH
+%token <string> URI
+%token <string> STR_START
+%token <string> STR_MID
+%token STR_END
+%token <string> ISTR_START
+%token <string> ISTR_MID
+%token <int> ISTR_END
+%token <string> ID
+/* Tokens that stand for themselves */
+%token SELECT "."
+%token QMARK "?"
+%token CONCAT "++"
+%token NOT "!"
+%token MERGE "//"
+%token ASSIGN "="
+%token LT "<"
+%token LTE "<="
+%token GT ">"
+%token GTE ">="
+%token EQ "=="
+%token NEQ "!="
+%token AND "&&"
+%token OR "||"
+%token IMPL "->"
+%token AQUOTE_OPEN "${"
+%token AQUOTE_CLOSE "}$"
+%token LBRACE "{"
+%token RBRACE "}"
+%token LBRACK "["
+%token RBRACK "]"
+%token PLUS "+"
+%token MINUS "-"
+%token TIMES "*"
+%token SLASH "/"
+%token LPAREN "("
+%token RPAREN ")"
+%token COLON ":"
+%token SEMICOLON ";"
+%token COMMA ","
+%token ELLIPSIS "..."
+%token AS "@"
+/* Keywords */
+%token WITH "with"
+%token REC "rec"
+%token LET "let"
+%token IN "in"
+%token INHERIT "inherit"
+%token IF "if"
+%token THEN "then"
+%token ELSE "else"
+%token ASSERT "assert"
+%token ORDEF "or"
+/* End of input */
+%token EOF
+%{
+  open Types
+%}
+%start <Types.expr> main
+%%
+main:
+| e = expr0 EOF
+    { e }
+expr0:
+| "if"; e1 = expr0; "then"; e2 = expr0; "else"; e3 = expr0
+    { Cond (e1, e2, e3) }
+| "with"; e1 = expr0; ";"; e2 = expr0
+    { With (e1, e2) }
+| "assert"; e1 = expr0; ";"; e2 = expr0
+    { Assert (e1, e2) }
+| "let"; xs = delimited("{", list(binding), "}")
+    { SetLet xs }
+| "let"; xs = list(binding); "in"; e = expr0
+    { Let (xs, e) }
+| l = lambda
+    { Val l }
+| e = expr1
+    { e }
+/* Rules expr1-expr14 are almost direct translation of the operator
+   precedence table:
+   https://nixos.org/nix/manual/#sec-language-operators */
+%inline binary_expr(Lhs, Op, Rhs):
+| lhs = Lhs; op = Op; rhs = Rhs
+    { BinaryOp (op, lhs, rhs) }
+expr1:
+| e = binary_expr(expr2, "->" {Impl}, expr1)
+| e = expr2
+    { e }
+expr2:
+| e = binary_expr(expr2, "||" {Or}, expr3)
+| e = expr3
+    { e }
+expr3:
+| e = binary_expr(expr3, "&&" {And}, expr4)
+| e = expr4
+    { e }
+%inline expr4_ops:
+| "==" { Eq }
+| "!=" { Neq }
+expr4:
+| e = binary_expr(expr5, expr4_ops, expr5)
+| e = expr5
+    { e }
+%inline expr5_ops:
+| "<" { Lt }
+| ">" { Gt }
+| "<=" { Lte }
+| ">=" { Gte }
+expr5:
+| e = binary_expr(expr6, expr5_ops, expr6)
+| e = expr6
+    { e }
+expr6:
+| e = binary_expr(expr7, "//" {Merge}, expr6)
+| e = expr7
+    { e }
+expr7:
+| e = preceded("!", expr7)
+    { UnaryOp (Not, e) }
+| e = expr8
+    { e }
+%inline expr8_ops:
+| "+" { Plus }
+| "-" { Minus }
+expr8:
+| e = binary_expr(expr8, expr8_ops, expr9)
+| e = expr9
+    { e }
+%inline expr9_ops:
+| "*" { Mult }
+| "/" { Div }
+expr9:
+| e = binary_expr(expr9, expr9_ops, expr10)
+| e = expr10
+    { e }
+expr10:
+| e = binary_expr(expr11, "++" {Concat}, expr10)
+| e = expr11
+    { e }
+expr11:
+| e = expr12 "?" p = attr_path
+    { Test (e, p) }
+| e = expr12
+    { e }
+expr12:
+| e = preceded("-", expr13)
+    { UnaryOp (Negate, e) }
+| e = expr13
+    { e }
+expr13:
+| f = expr13; arg = expr14
+    { Apply (f, arg) }
+| e = expr14
+    { e }
+%inline selectable:
+| s = set
+    { Val s }
+| id = ID
+    { Id id }
+| e = delimited("(", expr0, ")")
+    { e }
+expr14:
+| e = selectable; "."; p = attr_path; o = option(preceded("or", expr14))
+    { Select (e, p, o) }
+| e = atomic_expr; "or"
+    { Apply (e, Id "or") }
+| e = atomic_expr
+    { e }
+atomic_expr:
+| id = ID
+    { Id id }
+| v = value
+    { Val v }
+| e = delimited("(", expr0, ")")
+    { e }
+attr_path:
+| p = separated_nonempty_list(".", attr_path_component)
+    { p }
+attr_path_component:
+| "or"
+    { Id "or" }
+| id = ID
+    { Id id }
+| e = delimited("${", expr0, "}$")
+    { Aquote e }
+| s = str
+    { Val s }
+value:
+| s = str
+    { s }
+| s = istr
+    { s }
+| i = INT
+    {Int i}
+| f = FLOAT
+    { Float f }
+| p = PATH
+    { Path p }
+| sp = SPATH
+    { SPath sp }
+| hp = HPATH
+    { HPath hp }
+| uri = URI
+    { Uri uri }
+| l = nixlist
+    { l }
+| s = set
+    { s }
+%inline str_mid(X):
+| xs = list(pair(delimited("${", expr0, "}$"), X)) { xs }
+/* Double-quoted string */
+str:
+| start = STR_START; mids = str_mid(STR_MID); STR_END
+    { Str (start, mids) }
+/* Indented string */
+istr:
+| start = ISTR_START; mids = str_mid(ISTR_MID); i = ISTR_END
+    { IStr (i, start, mids) }
+/* Lists and sets */
+nixlist:
+| xs = delimited("[", list(expr14), "]")
+    { List xs }
+empty_set:
+| "{"; "}" {}
+set:
+| empty_set
+    { AttSet (Nonrec, []) }
+| xs = delimited("{", nonempty_list(binding), "}")
+    { AttSet (Nonrec, xs) }
+| xs = preceded("rec", delimited("{", list(binding), "}"))
+    { AttSet (Rec, xs) }
+binding:
+| kv = terminated(separated_pair(attr_path, "=", expr0), ";")
+    { let (k, v) = kv in AttrPath (k, v) }
+| xs = delimited("inherit", pair(option(delimited("(", expr0, ")")), list(attr_path_component)), ";")
+    { let (prefix, ids) = xs in Inherit (prefix, ids) }
+lambda:
+| id = ID; "@"; p = param_set; ":"; e = expr0
+    { Lambda (ParamSet (Some id, p), e) }
+| p = param_set; "@"; id = ID; ":"; e = expr0
+    { Lambda (ParamSet (Some id, p), e) }
+| p = param_set; ":"; e = expr0
+    { Lambda (ParamSet (None, p), e) }
+| id = ID; ":"; e = expr0
+    { Lambda (Alias id, e) }
+%inline param_set:
+| empty_set
+    { ([], Exact) }
+| "{"; "..."; "}"
+    { ([], Loose) }
+| ps = delimited("{", pair(pair(params, ","?), boption("...")), "}")
+    { let ((ps, _), ellipsis) = ps in (ps, if ellipsis then Loose else Exact) }
+params:
+| p = param
+    { [p] }
+| ps = params; ","; p = param
+    { ps @ [p] }
+%inline param:
+p = pair(ID, option(preceded("?", expr0)))
+    { p }
diff --git a/lib/nix/printer.ml b/lib/nix/printer.ml
new file mode 100644
index 0000000..57e81f4
--- /dev/null
+++ b/lib/nix/printer.ml
@@ -0,0 +1,176 @@
+open Core
+open Types
+open PPrint
+let rec escape_chlist = function
+  | [] -> []
+  | '$' :: '{' :: l' -> '\\' :: '$' :: '{' :: escape_chlist l'
+  | '\n' :: l' -> '\\' :: 'n' :: escape_chlist l'
+  | '\r' :: l' -> '\\' :: 'r' :: escape_chlist l'
+  | '\t' :: l' -> '\\' :: 't' :: escape_chlist l'
+  | '\\' :: l' -> '\\' :: '\\' :: escape_chlist l'
+  | '"' :: l' -> '\\' :: '"' :: escape_chlist l'
+  | c :: l' -> c :: escape_chlist l'
+let escape_string s = s |> String.to_list |> escape_chlist |> String.of_list
+let out_width = ref 80
+let set_width i = out_width := i
+let indent = ref 2
+let set_indent i = indent := i
+let rec doc_of_expr = function
+  | BinaryOp (op, lhs, rhs) ->
+      let lhs_doc = maybe_parens_bop op `Left lhs
+      and rhs_doc = maybe_parens_bop op `Right rhs in
+      infix !indent 1 (doc_of_bop op) lhs_doc rhs_doc
+  | UnaryOp (op, e) -> precede (doc_of_uop op) (maybe_parens (prec_of_uop op) e)
+  | Cond (e1, e2, e3) ->
+      surround !indent 1
+        (soft_surround !indent 1 (string "if") (doc_of_expr e1) (string "then"))
+        (doc_of_expr e2)
+        (string "else" ^^ nest !indent (break 1 ^^ doc_of_expr e3))
+  | With (e1, e2) ->
+      flow (break 1) [ string "with"; doc_of_expr e1 ^^ semi; doc_of_expr e2 ]
+  | Assert (e1, e2) ->
+      flow (break 1) [ string "assert"; doc_of_expr e1 ^^ semi; doc_of_expr e2 ]
+  | Test (e, path) ->
+      maybe_parens 4 e ^^ space ^^ string "?"
+      ^^ group (break 1 ^^ separate_map dot doc_of_expr path)
+  | SetLet bs ->
+      surround !indent 1
+        (string "let " ^^ lbrace)
+        (group (separate_map (break 1) doc_of_binding bs))
+        rbrace
+  | Let (bs, e) ->
+      surround !indent 1 (string "let")
+        (separate_map (break 1) doc_of_binding bs)
+        (prefix !indent 1 (string "in") (doc_of_expr e))
+  | Val v -> doc_of_val v
+  | Id id -> string id
+  | Select (e, path, oe) ->
+      maybe_parens 1 e ^^ dot ^^ doc_of_attpath path
+      ^^ optional
+           (fun e ->
+             space ^^ string "or" ^^ nest !indent (break 1 ^^ maybe_parens 1 e))
+           oe
+  | Apply (e1, e2) -> prefix !indent 1 (maybe_parens 2 e1) (maybe_parens 2 e2)
+  | Aquote e -> surround !indent 0 (string "${") (doc_of_expr e) (string "}")
+and maybe_parens lvl e =
+  if prec_of_expr e >= lvl then surround !indent 0 lparen (doc_of_expr e) rparen
+  else doc_of_expr e
+and maybe_parens_bop op (loc : [ `Left | `Right ]) e =
+  match (loc, assoc_of_bop op) with
+  | (`Left, Some Left | `Right, Some Right)
+    when prec_of_expr e >= prec_of_bop op ->
+      doc_of_expr e
+  | _, _ -> maybe_parens (prec_of_bop op) e
+and doc_of_attpath path = separate_map dot doc_of_expr path
+and doc_of_paramset (params, kind) =
+  let ps =
+    List.map ~f:doc_of_param params
+    @ if Poly.(kind = Loose) then [ string "..." ] else []
+  in
+  surround !indent 0 lbrace (separate (comma ^^ break 1) ps) rbrace
+and doc_of_param (id, oe) =
+  string id ^^ optional (fun e -> qmark ^^ space ^^ doc_of_expr e) oe
+and doc_of_binding = function
+  | AttrPath (path, e) ->
+      doc_of_attpath path ^^ space ^^ equals ^^ space ^^ doc_of_expr e ^^ semi
+  | Inherit (oe, ids) ->
+      let id_docs =
+        List.map
+          ~f:(function
+            | Id x | Val (Str (x, [])) -> string x | _ -> assert false)
+          ids
+      in
+      let xs =
+        flow (break 1)
+          (match oe with
+          | Some e -> parens (doc_of_expr e) :: id_docs
+          | None -> id_docs)
+      in
+      soft_surround !indent 0 (string "inherit" ^^ space) xs semi
+and doc_of_bop = function
+  | Plus -> plus
+  | Minus -> minus
+  | Mult -> star
+  | Div -> slash
+  | Gt -> rangle
+  | Lt -> langle
+  | Lte -> string "<="
+  | Gte -> string ">="
+  | Eq -> string "=="
+  | Neq -> string "!="
+  | Or -> string "||"
+  | And -> string "&&"
+  | Impl -> string "->"
+  | Merge -> string "//"
+  | Concat -> string "++"
+and doc_of_uop = function Negate -> minus | Not -> bang
+and doc_of_val = function
+  | Str (start, xs) ->
+      dquotes
+        (string (escape_string start)
+        ^^ concat
+             (List.map
+                ~f:(fun (e, s) ->
+                  surround !indent 0 (string "${") (doc_of_expr e)
+                    (string "}" ^^ string (escape_string s)))
+                xs))
+  | IStr (i, start, xs) ->
+      let qq = string "''" in
+      let str s =
+        String.split ~on:'\n' s
+        |> List.map ~f:(fun s ->
+               let len = String.length s in
+               let s' =
+                 if len >= i then String.sub s ~pos:i ~len:(len - i) else s
+               in
+               string s')
+        |> separate hardline
+      in
+      enclose qq qq
+        (str start
+        ^^ concat
+             (List.map
+                ~f:(fun (e, s) ->
+                  enclose (string "${") rbrace (doc_of_expr e) ^^ str s)
+                xs))
+  | Int x | Float x | Path x | SPath x | HPath x | Uri x -> string x
+  | Lambda (pattern, body) ->
+      let pat =
+        match pattern with
+        | Alias id -> string id
+        | ParamSet (None, ps) -> doc_of_paramset ps
+        | ParamSet (Some id, ps) ->
+            doc_of_paramset ps ^^ group (break 1 ^^ at ^^ break 1 ^^ string id)
+      in
+      flow (break 1) [ pat ^^ colon; doc_of_expr body ]
+  | List [] -> lbracket ^^ space ^^ rbracket
+  | List es ->
+      surround !indent 1 lbracket
+        (separate_map (break 1) (maybe_parens 2) es)
+        rbracket
+  | AttSet (Nonrec, []) -> lbrace ^^ space ^^ rbrace
+  | AttSet (Nonrec, bs) ->
+      surround !indent 1 lbrace
+        (group (separate_map (break 1) doc_of_binding bs))
+        rbrace
+  | AttSet (Rec, bs) ->
+      string "rec" ^^ space ^^ doc_of_val (AttSet (Nonrec, bs))
+let print chan expr = ToChannel.pretty 0.7 !out_width chan (doc_of_expr expr)
+let to_string expr =
+  let buf = Stdlib.Buffer.create 0 in
+  ToBuffer.pretty 0.7 !out_width buf (doc_of_expr expr);
+  Stdlib.Buffer.contents buf
diff --git a/lib/nix/tokens.ml b/lib/nix/tokens.ml
new file mode 100644
index 0000000..4891d48
--- /dev/null
+++ b/lib/nix/tokens.ml
@@ -0,0 +1,64 @@
+type token =
+  (* Tokens with data *)
+  | INT of string
+  | FLOAT of string
+  (* A path (starting with / or ./) *)
+  | PATH of string
+  (* Search path, enclosed in < and > *)
+  | SPATH of string
+  (* Home path, starting with ~/ *)
+  | HPATH of string
+  | URI of string
+  | STR_START of string
+  | STR_MID of string
+  | STR_END
+  | ISTR_START of string
+  | ISTR_MID of string
+  | ISTR_END of int
+  | ID of string
+  (* Tokens that stand for themselves *)
+  | SELECT
+  | QMARK
+  | CONCAT
+  | NOT
+  | MERGE
+  | ASSIGN
+  | LT
+  | LTE
+  | GT
+  | GTE
+  | EQ
+  | NEQ
+  | AND
+  | OR
+  | IMPL
+  | AQUOTE_OPEN
+  | AQUOTE_CLOSE
+  | LBRACE
+  | RBRACE
+  | LBRACK
+  | RBRACK
+  | PLUS
+  | MINUS
+  | TIMES
+  | SLASH
+  | LPAREN
+  | RPAREN
+  | COLON
+  | SEMICOLON
+  | COMMA
+  | ELLIPSIS
+  | AS
+  (* Keywords *)
+  | WITH
+  | REC
+  | LET
+  | IN
+  | INHERIT
+  | IF
+  | THEN
+  | ELSE
+  | ASSERT
+  | ORDEF
+  (* End of input *)
+  | EOF
diff --git a/lib/nix/types.ml b/lib/nix/types.ml
new file mode 100644
index 0000000..8245406
--- /dev/null
+++ b/lib/nix/types.ml
@@ -0,0 +1,112 @@
+open Core
+(* Binary operators *)
+type binary_op =
+  | Plus
+  | Minus
+  | Mult
+  | Div
+  | Gt
+  | Lt
+  | Lte
+  | Gte
+  | Eq
+  | Neq
+  | Or
+  | And
+  | Impl
+  | Merge
+  | Concat
+[@@deriving sexp_of]
+(* Unary operators *)
+type unary_op = Negate | Not [@@deriving sexp_of]
+(* The top-level expression type *)
+type expr =
+  | BinaryOp of binary_op * expr * expr
+  | UnaryOp of unary_op * expr
+  | Cond of expr * expr * expr
+  | With of expr * expr
+  | Assert of expr * expr
+  | Test of expr * expr list
+  | SetLet of binding list
+  | Let of binding list * expr
+  | Val of value
+  | Id of id
+  | Select of expr * expr list * expr option
+  | Apply of expr * expr
+  | Aquote of expr
+[@@deriving sexp_of]
+(* Possible values *)
+and value =
+  (* Str is a string start, followed by arbitrary number of antiquotations and
+     strings that separate them *)
+  | Str of string * (expr * string) list
+  (* IStr is an indented string, so it has the extra integer component which
+     indicates the indentation *)
+  | IStr of int * string * (expr * string) list
+  | Int of string
+  | Float of string
+  | Path of string
+  | SPath of string
+  | HPath of string
+  | Uri of string
+  | Lambda of pattern * expr
+  | List of expr list
+  | AttSet of recursivity * binding list
+[@@deriving sexp_of]
+(* Patterns in lambda definitions *)
+and pattern = Alias of id | ParamSet of id option * param_set
+[@@deriving sexp_of]
+and param_set = param list * match_kind [@@deriving sexp_of]
+and param = id * expr option [@@deriving sexp_of]
+and recursivity = Rec | Nonrec
+and match_kind = Exact | Loose
+(* Bindings in attribute sets and let expressions *)
+and binding =
+  (* The first expr should be attrpath, which is the same as in Select *)
+  | AttrPath of expr list * expr
+  | Inherit of expr option * expr list
+[@@deriving sexp_of]
+(* Identifiers *)
+and id = string
+(* Precedence levels of binary operators *)
+let prec_of_bop = function
+  | Concat -> 5
+  | Mult | Div -> 6
+  | Plus | Minus -> 7
+  | Merge -> 9
+  | Gt | Lt | Lte | Gte -> 10
+  | Eq | Neq -> 11
+  | And -> 12
+  | Or -> 13
+  | Impl -> 14
+type assoc = Left | Right
+let assoc_of_bop = function
+  | Mult | Div | Plus | Minus -> Some Left
+  | Concat | Merge | And | Or -> Some Right
+  | Gt | Lt | Lte | Gte | Eq | Neq | Impl -> None
+(* Precedence levels of unary operators *)
+let prec_of_uop = function Negate -> 3 | Not -> 8
+(* Precedence level of expressions
+   (assuming that the constituents have higher levels) *)
+let prec_of_expr = function
+  | Val (Lambda _) -> 15
+  | Val _ | Id _ | Aquote _ -> 0
+  | BinaryOp (op, _, _) -> prec_of_bop op
+  | UnaryOp (op, _) -> prec_of_uop op
+  | Cond _ | With _ | Assert _ | Let _ | SetLet _ -> 15
+  | Test _ -> 4
+  | Select _ -> 1
+  | Apply _ -> 2
diff --git a/mininix.opam b/mininix.opam
new file mode 100644
index 0000000..f28f0cb
--- /dev/null
+++ b/mininix.opam
@@ -0,0 +1,39 @@
+# This file is generated by dune, edit dune-project instead
+opam-version: "2.0"
+authors: ["Anonymous Authors"]
+license: "LICENSE"
+depends: [
+  "dune" {>= "3.15"}
+  "ocaml" {< "5"}
+  "coq" {>= "8.20" & < "8.21"}
+  "coq-stdpp" {>= "1.11" & < "1.12"}
+  "coq-flocq"
+  "core"
+  "core_unix"
+  "linenoise"
+  "menhir"
+  "pprint"
+  "sexp_pretty"
+  "stdio"
+  "ppx_sexp_conv"
+  "ppx_blob"
+  "ppx_let"
+  "bisect_ppx"
+  "merlin" {dev}
+  "ocamlformat" {dev}
+  "odoc" {with-doc}
+]
+build: [
+  ["dune" "subst"] {dev}
+  [
+    "dune"
+    "build"
+    "-p"
+    name
+    "-j"
+    jobs
+    "@install"
+    "@runtest" {with-test}
+    "@doc" {with-doc}
+  ]
+]
diff --git a/mininix.opam.locked b/mininix.opam.locked
new file mode 100644
index 0000000..3cabd84
--- /dev/null
+++ b/mininix.opam.locked
@@ -0,0 +1,131 @@
+opam-version: "2.0"
+name: "mininix"
+version: "dev"
+authors: "Anonymous Authors"
+license: "LICENSE"
+depends: [
+  "astring" {= "0.8.5" & with-doc}
+  "base" {= "v0.16.3"}
+  "base-bigarray" {= "base"}
+  "base-threads" {= "base"}
+  "base-unix" {= "base"}
+  "base_bigstring" {= "v0.16.0"}
+  "base_quickcheck" {= "v0.16.0"}
+  "bin_prot" {= "v0.16.0"}
+  "bisect_ppx" {= "2.8.3"}
+  "camlp-streams" {= "5.0.1" & with-doc}
+  "cmdliner" {= "1.3.0"}
+  "conf-bash" {= "1"}
+  "conf-g++" {= "1.0"}
+  "conf-gmp" {= "4"}
+  "conf-linux-libc-dev" {= "0"}
+  "conf-pkg-config" {= "4"}
+  "coq" {= "8.20.1"}
+  "coq-core" {= "8.20.1"}
+  "coq-flocq" {= "4.2.0"}
+  "coq-stdlib" {= "8.20.1"}
+  "coq-stdpp" {= "1.11.0"}
+  "coqide-server" {= "8.20.1"}
+  "core" {= "v0.16.2"}
+  "core_kernel" {= "v0.16.0"}
+  "core_unix" {= "v0.16.0"}
+  "cppo" {= "1.8.0" & with-doc}
+  "crunch" {= "3.3.1" & with-doc}
+  "csexp" {= "1.5.2"}
+  "dune" {= "3.17.2"}
+  "dune-configurator" {= "3.17.2"}
+  "expect_test_helpers_core" {= "v0.16.0"}
+  "fieldslib" {= "v0.16.0"}
+  "fmt" {= "0.9.0" & with-doc}
+  "fpath" {= "0.7.3" & with-doc}
+  "int_repr" {= "v0.16.0"}
+  "jane-street-headers" {= "v0.16.0"}
+  "jst-config" {= "v0.16.0"}
+  "linenoise" {= "1.5.1"}
+  "menhir" {= "20240715"}
+  "menhirCST" {= "20240715"}
+  "menhirLib" {= "20240715"}
+  "menhirSdk" {= "20240715"}
+  "num" {= "1.5-1"}
+  "ocaml" {= "4.14.2"}
+  "ocaml-base-compiler" {= "4.14.2"}
+  "ocaml-compiler-libs" {= "v0.12.4"}
+  "ocaml-config" {= "2"}
+  "ocaml-options-vanilla" {= "1"}
+  "ocaml_intrinsics" {= "v0.16.1"}
+  "ocamlbuild" {= "0.15.0" & with-doc}
+  "ocamlfind" {= "1.9.6"}
+  "odoc" {= "2.4.4" & with-doc}
+  "odoc-parser" {= "2.4.4" & with-doc}
+  "parsexp" {= "v0.16.0"}
+  "pprint" {= "20230830"}
+  "ppx_assert" {= "v0.16.0"}
+  "ppx_base" {= "v0.16.0"}
+  "ppx_bench" {= "v0.16.0"}
+  "ppx_bin_prot" {= "v0.16.0"}
+  "ppx_blob" {= "0.9.0"}
+  "ppx_cold" {= "v0.16.0"}
+  "ppx_compare" {= "v0.16.0"}
+  "ppx_custom_printf" {= "v0.16.0"}
+  "ppx_derivers" {= "1.2.1"}
+  "ppx_disable_unused_warnings" {= "v0.16.0"}
+  "ppx_enumerate" {= "v0.16.0"}
+  "ppx_expect" {= "v0.16.1"}
+  "ppx_fields_conv" {= "v0.16.0"}
+  "ppx_fixed_literal" {= "v0.16.0"}
+  "ppx_globalize" {= "v0.16.0"}
+  "ppx_hash" {= "v0.16.0"}
+  "ppx_here" {= "v0.16.0"}
+  "ppx_ignore_instrumentation" {= "v0.16.0"}
+  "ppx_inline_test" {= "v0.16.1"}
+  "ppx_jane" {= "v0.16.0"}
+  "ppx_let" {= "v0.16.0"}
+  "ppx_log" {= "v0.16.0"}
+  "ppx_module_timer" {= "v0.16.0"}
+  "ppx_optcomp" {= "v0.16.0"}
+  "ppx_optional" {= "v0.16.0"}
+  "ppx_pipebang" {= "v0.16.0"}
+  "ppx_sexp_conv" {= "v0.16.0"}
+  "ppx_sexp_message" {= "v0.16.0"}
+  "ppx_sexp_value" {= "v0.16.0"}
+  "ppx_stable" {= "v0.16.0"}
+  "ppx_stable_witness" {= "v0.16.0"}
+  "ppx_string" {= "v0.16.0"}
+  "ppx_tydi" {= "v0.16.0"}
+  "ppx_typerep_conv" {= "v0.16.0"}
+  "ppx_variants_conv" {= "v0.16.0"}
+  "ppxlib" {= "0.34.0"}
+  "ptime" {= "1.2.0" & with-doc}
+  "re" {= "1.12.0"}
+  "result" {= "1.5" & with-doc}
+  "seq" {= "base"}
+  "sexp_pretty" {= "v0.16.0"}
+  "sexplib" {= "v0.16.0"}
+  "sexplib0" {= "v0.16.0"}
+  "spawn" {= "v0.17.0"}
+  "splittable_random" {= "v0.16.0"}
+  "stdio" {= "v0.16.0"}
+  "stdlib-shims" {= "0.3.0"}
+  "time_now" {= "v0.16.0"}
+  "timezone" {= "v0.16.0"}
+  "topkg" {= "1.0.7" & with-doc}
+  "typerep" {= "v0.16.0"}
+  "tyxml" {= "4.6.0" & with-doc}
+  "uutf" {= "1.0.3" & with-doc}
+  "variantslib" {= "v0.16.0"}
+  "zarith" {= "1.14"}
+]
+build: [
+  ["dune" "subst"] {dev}
+  [
+    "dune"
+    "build"
+    "-p"
+    name
+    "-j"
+    jobs
+    "@install"
+    "@runtest" {with-test}
+    "@doc" {with-doc}
+  ]
+]
+\ No newline at end of file
diff --git a/nixpkgs-pinned.nix b/nixpkgs-pinned.nix
new file mode 100644
index 0000000..00ca388
--- /dev/null
+++ b/nixpkgs-pinned.nix
@@ -0,0 +1,7 @@
+import (builtins.fetchTarball {
+  name = "nixos-25.05";
+  # Nixpkgs 25.05 at 2025-05-06 19:25 UTC
+  # Please keep in sync with the locked version for the flake
+  url = "https://github.com/NixOS/nixpkgs/archive/70c74b02eac46f4e4aa071e45a6189ce0f6d9265.tar.gz";
+  sha256 = "0b4jz58kkm7dbq6c6fmbgrh29smchhs6d96czhms7wddlni1m71p";
+})
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..464969d
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,21 @@
+{ pkgs ? import ./nixpkgs-pinned.nix {} }:
+let ocamlPackages = pkgs.ocaml-ng.ocamlPackages_4_14; in
+pkgs.mkShell {
+  inputsFrom = [ (import ./coverage.nix { inherit pkgs; }) ];
+  buildInputs = with pkgs; [
+    bash
+    cloc
+    git
+    jq
+    tree
+    (python3.withPackages (pkgs: [ pkgs.pygments ]))
+    coqPackages_8_20.coq
+    coqPackages_8_20.coq-lsp
+    coqPackages_8_20.vscoq-language-server
+    ocamlPackages.ocaml-lsp
+    ocamlPackages.ocamlformat
+    ocamlPackages.odoc
+    ocamlPackages.utop
+    ocamlPackages.merlin
+  ];
+}
diff --git a/test/dune b/test/dune
new file mode 100644
index 0000000..8726c07
--- /dev/null
+++ b/test/dune
@@ -0,0 +1,7 @@
+(test
+ (name test_mininix)
+ (libraries core core_unix core_unix.filename_unix nix mininix)
+ (preprocess
+  (pps ppx_sexp_conv ppx_expect))
+ (deps
+  (glob_files_rec testdata/*.{nix,exp})))
diff --git a/test/test_mininix.ml b/test/test_mininix.ml
new file mode 100644
index 0000000..f628a8a
--- /dev/null
+++ b/test/test_mininix.ml
@@ -0,0 +1,319 @@
+open Core
+let with_dir path ~f =
+  let fd = Core_unix.opendir path in
+  f fd;
+  Core_unix.closedir fd
+let walk_dir path ~f =
+  with_dir path ~f:(fun fd ->
+      let rec go () =
+        match Core_unix.readdir_opt fd with
+        | Some entry ->
+            f (Filename.concat path entry);
+            go ()
+        | None -> ()
+      in
+      go ())
+type testcase = {
+  name : string;
+  dir : string;
+  input : string;
+  expected_output : [ `Okay of string | `Fail ];
+}
+let testdata_dir = "./testdata"
+and testcases = ref []
+and testcases_ignored = ref 0
+let add_testcase c = testcases := c :: !testcases
+let print_testcase_stats () =
+  let okay, fail =
+    List.fold !testcases ~init:(0, 0)
+      ~f:(fun (okay, fail) { expected_output; _ } ->
+        match expected_output with
+        | `Okay _ -> (okay + 1, fail)
+        | `Fail -> (okay, fail + 1))
+  in
+  printf
+    "Loaded %d test cases (ignored %d), expected results: okay %d, fail %d\n%!"
+    (okay + fail) !testcases_ignored okay fail
+let imports () =
+  Mininix.Import.materialize
+    [ { filename = "./testdata/lib.nix"; deps = [] } ]
+    ~relative_to:(Core_unix.getcwd ())
+type eval_err = [ `Timeout | `ParseError | `ProgramError | `ElaborateError ]
+[@@deriving sexp]
+type eval_result = (string, eval_err) Result.t [@@deriving sexp]
+let eval input ~name ~dir ~imports =
+  let dir = Filename.to_absolute_exn dir ~relative_to:(Core_unix.getcwd ()) in
+  try
+    input
+    |> Nix.parse ~filename:(name ^ ".nix")
+    |> Nix.elaborate ~dir:(Some dir)
+    |> Mininix.Nix2mininix.from_nix |> Mininix.apply_prelude
+    |> Mininix.interp_tl ~fuel:`Limited ~mode:`Deep ~imports
+    |> function
+    | Res (Some v) ->
+        Ok (v |> Mininix.Mininix2nix.from_val |> Nix.Printer.to_string)
+    | Res None -> Error `ProgramError
+    | NoFuel -> Error `Timeout
+  with
+  | Nix.ParseError _ -> Error `ParseError
+  | Nix.ElaborateError _ -> Error `ElaborateError
+  | Mininix.Nix2mininix.FromNixError _ -> Error `ElaborateError
+let eval_subproc input ~name ~dir ~imports =
+  let rxfd, txfd = Core_unix.pipe () in
+  match Core_unix.fork () with
+  | `In_the_child ->
+      let txc = Core_unix.out_channel_of_descr txfd in
+      eval input ~name ~dir ~imports
+      |> [%sexp_of: eval_result] |> Sexp.output txc;
+      exit 0
+  | `In_the_parent child_pid ->
+      let select_res =
+        Core_unix.select ~restart:true ~read:[ rxfd ] ~write:[] ~except:[]
+          ~timeout:(`After (Time_ns.Span.of_min 1.))
+          ()
+      in
+      if List.is_empty select_res.read then (
+        ignore (Signal_unix.send Signal.kill (`Pid child_pid));
+        ignore (Core_unix.waitpid child_pid);
+        Error `Timeout)
+      else
+        let rxc = Core_unix.in_channel_of_descr rxfd in
+        let res = Sexp.input_sexp rxc |> [%of_sexp: eval_result] in
+        ignore (Core_unix.waitpid child_pid);
+        Core_unix.close ~restart:true rxfd;
+        Core_unix.close ~restart:true txfd;
+        res
+type test_result =
+  [ `Timeout
+  | `ParseError
+  | `ProgramError
+  | `ElaborateError
+  | `WrongOutput
+  | `UnexpectedSuccess
+  | `Okay ]
+let run_testcase ~imports = function
+  | { name; dir; input; expected_output = `Okay expected_output } -> (
+      match eval_subproc input ~name ~dir ~imports with
+      | Ok got_output ->
+          if String.(strip got_output = strip expected_output) then `Okay
+          else `WrongOutput
+      | Error err -> (err :> test_result))
+  | { name; dir; input; expected_output = `Fail } -> (
+      match eval_subproc input ~name ~dir ~imports with
+      | Ok _ -> `UnexpectedSuccess
+      | Error _ -> `Okay)
+type test_stats = {
+  okay : int;
+  unexpected_success : int;
+  wrong_output : int;
+  parse_error : int;
+  elaborate_error : int;
+  program_error : int;
+  timeout : int;
+}
+let test_stats_empty =
+  {
+    okay = 0;
+    unexpected_success = 0;
+    wrong_output = 0;
+    parse_error = 0;
+    elaborate_error = 0;
+    program_error = 0;
+    timeout = 0;
+  }
+let run_testcases () =
+  Nix.Printer.set_width 1000000;
+  let mat_imports = imports () in
+  let stats =
+    List.foldi !testcases ~init:test_stats_empty ~f:(fun i stats c ->
+        printf "[%d/%d] %s  %!" (i + 1) (List.length !testcases) c.name;
+        match run_testcase c ~imports:mat_imports with
+        | `Okay ->
+            printf "okay\n%!";
+            { stats with okay = stats.okay + 1 }
+        | `UnexpectedSuccess ->
+            printf "unexpectedly succeeded\n%!";
+            { stats with unexpected_success = stats.unexpected_success + 1 }
+        | `WrongOutput ->
+            printf "gave wrong output\n%!";
+            { stats with wrong_output = stats.wrong_output + 1 }
+        | `ParseError ->
+            printf "could not be parsed\n%!";
+            { stats with parse_error = stats.parse_error + 1 }
+        | `ElaborateError ->
+            printf "could not be elaborated\n%!";
+            { stats with elaborate_error = stats.elaborate_error + 1 }
+        | `ProgramError ->
+            printf "failed to execute\n%!";
+            { stats with program_error = stats.program_error + 1 }
+        | `Timeout ->
+            printf "timed out\n%!";
+            { stats with timeout = stats.timeout + 1 })
+  in
+  printf
+    "Results:\n\
+    \  %d gave the expected output\n\
+    \  %d unexpectedly succeeded\n\
+    \  %d gave wrong output\n\
+    \  %d could not be parsed\n\
+    \  %d could not be elaborated\n\
+    \  %d failed to execute\n\
+    \  %d timed out\n\
+     %!"
+    stats.okay stats.unexpected_success stats.wrong_output stats.parse_error
+    stats.elaborate_error stats.program_error stats.timeout
+let try_add_testcase without_ext =
+  try
+    let dir = Filename.dirname without_ext in
+    let input = In_channel.read_all (without_ext ^ ".nix") in
+    let name = Filename.basename without_ext in
+    if String.is_prefix ~prefix:"eval-fail" name then
+      add_testcase { name; dir; input; expected_output = `Fail }
+    else if String.is_prefix ~prefix:"eval-okay" name then
+      let expected_output = In_channel.read_all (without_ext ^ ".exp") in
+      add_testcase { name; dir; input; expected_output = `Okay expected_output }
+  with
+  (* There are certain test cases where the '.nix' file is available, but
+     there is no '.exp' file. (Instead, for example, there may be a
+     '.exp-disabled' file, which we don't check for.) So [add_testcase] fails
+     when trying to read the '.exp' file, which does not exist. We catch the
+     exception that is then raised in [add_testcase] here. *)
+  | Sys_error _ ->
+    ()
+let ignore_tests =
+  [
+    (* We do not implement '«repeated»' *)
+    "eval-okay-repeated-empty-attrs";
+    "eval-okay-repeated-empty-list";
+    (* # Very specific / hard-to-implement builtins: *)
+    (* We do not implement conversion from/to JSON/XML *)
+    "eval-okay-toxml";
+    "eval-okay-toxml2";
+    "eval-okay-tojson";
+    "eval-okay-fromTOML";
+    "eval-okay-fromTOML-timestamps";
+    "eval-okay-fromjson";
+    "eval-okay-fromjson-escapes";
+    "eval-fail-fromJSON-overflowing";
+    "eval-fail-fromTOML-timestamps";
+    "eval-fail-toJSON";
+    (* We do not implement hasing *)
+    "eval-okay-convertHash";
+    "eval-okay-hashstring";
+    "eval-okay-hashfile";
+    "eval-okay-groupBy";
+    "eval-okay-zipAttrsWith";
+    "eval-fail-hashfile-missing";
+    (* We do not support filesystem operations *)
+    "eval-okay-readDir";
+    "eval-okay-readfile";
+    "eval-okay-readFileType";
+    "eval-okay-symlink-resolution";
+    (* We do not support version operations *)
+    "eval-okay-splitversion";
+    "eval-okay-versions";
+    (* We do not support flake references *)
+    "eval-okay-parse-flake-ref";
+    "eval-okay-flake-ref-to-string";
+    "eval-fail-flake-ref-to-string-negative-integer";
+    (* We do not support regexes *)
+    "eval-okay-regex-match";
+    "eval-okay-regex-split";
+    (* # Features that the core interpreter lacks *)
+    (* We do not implement derivations and contexts *)
+    "eval-okay-derivation-legacy";
+    "eval-okay-eq-derivations";
+    "eval-fail-addDrvOutputDependencies-empty-context";
+    "eval-fail-addDrvOutputDependencies-multi-elem-context";
+    "eval-fail-addDrvOutputDependencies-wrong-element-kind";
+    "eval-fail-assert-equal-derivations";
+    "eval-fail-assert-equal-derivations-extra";
+    "eval-fail-derivation-name";
+    "eval-okay-context";
+    "eval-okay-context-introspection";
+    "eval-okay-substring-context";
+    "eval-fail-addErrorContext-example";
+    (* We do not support scopedImport *)
+    "eval-okay-import";
+    (* We do not support tryEval *)
+    "eval-okay-redefine-builtin";
+    "eval-okay-tryeval";
+    (* We do not support unsafeGetAttrPos nor __curPos *)
+    "eval-okay-curpos";
+    "eval-okay-getattrpos";
+    "eval-okay-getattrpos-functionargs";
+    "eval-okay-getattrpos-undefined";
+    "eval-okay-inherit-attr-pos";
+    (* We do not support environment variable lookup *)
+    "eval-okay-getenv";
+    (* We do not support '__override's. Rationale: this construct has expressly
+       been avoided in Nixpkgs since the 13.10 release, see
+       https://github.com/NixOS/nixpkgs/issues/2112 *)
+    "eval-okay-attrs6";
+    "eval-okay-overrides";
+    "eval-fail-set-override";
+    (* We do not implement the 'trace' builtin *)
+    "eval-okay-print";
+    "eval-okay-inherit-from";
+    (* ^ also uses __overrides, for which we lack support *)
+    (* We do not implement flags to set arguments / retrieve attributes
+       for the evaluator *)
+    (* We do not support setting variables outside of the program *)
+    "eval-okay-autoargs";
+    (* We do not support paths *)
+    "eval-okay-baseNameOf";
+    "eval-okay-path";
+    "eval-okay-path-string-interpolation";
+    "eval-okay-pathexists";
+    "eval-okay-search-path";
+    "eval-okay-string";
+    "eval-okay-types";
+    "eval-fail-assert-equal-paths";
+    "eval-fail-bad-string-interpolation-2";
+    "eval-fail-nonexist-path";
+    "eval-fail-path-slash";
+    "eval-fail-to-path";
+    (* We do not implement the 'currentSystem' and 'dirOf' builtins *)
+    "eval-okay-builtins";
+    (* We do not support fetch operations *)
+    "eval-fail-fetchTree-negative";
+    "eval-fail-fetchurl-baseName";
+    "eval-fail-fetchurl-baseName-attrs";
+    "eval-fail-fetchurl-baseName-attrs-name";
+    (* We do not support the pipe operator *)
+    "eval-fail-pipe-operators";
+  ]
+let () =
+  Printf.printf "Running in %s\n%!" (Core_unix.getcwd ());
+  walk_dir testdata_dir ~f:(fun entry ->
+      match Filename.split_extension entry with
+      | without_ext, Some "nix" ->
+          if
+            List.exists ignore_tests ~f:(fun name ->
+                String.(name = Filename.basename without_ext))
+          then testcases_ignored := !testcases_ignored + 1
+          else try_add_testcase without_ext
+      | _ -> ());
+  testcases :=
+    List.sort !testcases ~compare:(fun c1 c2 -> String.compare c1.name c2.name);
+  print_testcase_stats ();
+  run_testcases ()
diff --git a/test/testdata/binary-data b/test/testdata/binary-data
new file mode 100644
index 0000000..06d7405
--- /dev/null
+++ b/test/testdata/binary-data
Binary files differ
diff --git a/test/testdata/data b/test/testdata/data
new file mode 100644
index 0000000..257cc56
--- /dev/null
+++ b/test/testdata/data
@@ -0,0 +1 @@
+foo
diff --git a/test/testdata/dir1/a.nix b/test/testdata/dir1/a.nix
new file mode 100644
index 0000000..231f150
--- /dev/null
+++ b/test/testdata/dir1/a.nix
@@ -0,0 +1 @@
+"a"
diff --git a/test/testdata/dir2/a.nix b/test/testdata/dir2/a.nix
new file mode 100644
index 0000000..170df52
--- /dev/null
+++ b/test/testdata/dir2/a.nix
@@ -0,0 +1 @@
+"X"
diff --git a/test/testdata/dir2/b.nix b/test/testdata/dir2/b.nix
new file mode 100644
index 0000000..19010cc
--- /dev/null
+++ b/test/testdata/dir2/b.nix
@@ -0,0 +1 @@
+"b"
diff --git a/test/testdata/dir3/a.nix b/test/testdata/dir3/a.nix
new file mode 100644
index 0000000..170df52
--- /dev/null
+++ b/test/testdata/dir3/a.nix
@@ -0,0 +1 @@
+"X"
diff --git a/test/testdata/dir3/b.nix b/test/testdata/dir3/b.nix
new file mode 100644
index 0000000..170df52
--- /dev/null
+++ b/test/testdata/dir3/b.nix
@@ -0,0 +1 @@
+"X"
diff --git a/test/testdata/dir3/c.nix b/test/testdata/dir3/c.nix
new file mode 100644
index 0000000..cdf1585
--- /dev/null
+++ b/test/testdata/dir3/c.nix
@@ -0,0 +1 @@
+"c"
diff --git a/test/testdata/dir4/a.nix b/test/testdata/dir4/a.nix
new file mode 100644
index 0000000..170df52
--- /dev/null
+++ b/test/testdata/dir4/a.nix
@@ -0,0 +1 @@
+"X"
diff --git a/test/testdata/dir4/c.nix b/test/testdata/dir4/c.nix
new file mode 100644
index 0000000..170df52
--- /dev/null
+++ b/test/testdata/dir4/c.nix
@@ -0,0 +1 @@
+"X"
diff --git a/test/testdata/eval-fail-abort.err.exp b/test/testdata/eval-fail-abort.err.exp
new file mode 100644
index 0000000..20e7b9e
--- /dev/null
+++ b/test/testdata/eval-fail-abort.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'abort' builtin
+         at /pwd/lang/eval-fail-abort.nix:1:14:
+            1| if true then abort "this should fail" else 1
+             |              ^
+            2|
+       error: evaluation aborted with the following error message: 'this should fail'
diff --git a/test/testdata/eval-fail-abort.nix b/test/testdata/eval-fail-abort.nix
new file mode 100644
index 0000000..75c51bc
--- /dev/null
+++ b/test/testdata/eval-fail-abort.nix
@@ -0,0 +1 @@
+if true then abort "this should fail" else 1
diff --git a/test/testdata/eval-fail-addDrvOutputDependencies-empty-context.err.exp b/test/testdata/eval-fail-addDrvOutputDependencies-empty-context.err.exp
new file mode 100644
index 0000000..37e0bd9
--- /dev/null
+++ b/test/testdata/eval-fail-addDrvOutputDependencies-empty-context.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'addDrvOutputDependencies' builtin
+         at /pwd/lang/eval-fail-addDrvOutputDependencies-empty-context.nix:1:1:
+            1| builtins.addDrvOutputDependencies ""
+             | ^
+            2|
+       error: context of string '' must have exactly one element, but has 0
diff --git a/test/testdata/eval-fail-addDrvOutputDependencies-empty-context.nix b/test/testdata/eval-fail-addDrvOutputDependencies-empty-context.nix
new file mode 100644
index 0000000..dc9ee3b
--- /dev/null
+++ b/test/testdata/eval-fail-addDrvOutputDependencies-empty-context.nix
@@ -0,0 +1 @@
+builtins.addDrvOutputDependencies ""
diff --git a/test/testdata/eval-fail-addDrvOutputDependencies-multi-elem-context.err.exp b/test/testdata/eval-fail-addDrvOutputDependencies-multi-elem-context.err.exp
new file mode 100644
index 0000000..6828e03
--- /dev/null
+++ b/test/testdata/eval-fail-addDrvOutputDependencies-multi-elem-context.err.exp
@@ -0,0 +1,9 @@
+error:
+       … while calling the 'addDrvOutputDependencies' builtin
+         at /pwd/lang/eval-fail-addDrvOutputDependencies-multi-elem-context.nix:18:4:
+           17|
+           18| in builtins.addDrvOutputDependencies combo-path
+             |    ^
+           19|
+       error: context of string '/nix/store/pg9yqs4yd85yhdm3f4i5dyaqp5jahrsz-fail.drv/nix/store/2dxd5frb715z451vbf7s8birlf3argbk-fail-2.drv' must have exactly one element, but has 2
diff --git a/test/testdata/eval-fail-addDrvOutputDependencies-multi-elem-context.nix b/test/testdata/eval-fail-addDrvOutputDependencies-multi-elem-context.nix
new file mode 100644
index 0000000..dbde264
--- /dev/null
+++ b/test/testdata/eval-fail-addDrvOutputDependencies-multi-elem-context.nix
@@ -0,0 +1,18 @@
+let
+  drv0 = derivation {
+    name = "fail";
+    builder = "/bin/false";
+    system = "x86_64-linux";
+    outputs = [ "out" "foo" ];
+  };
+  drv1 = derivation {
+    name = "fail-2";
+    builder = "/bin/false";
+    system = "x86_64-linux";
+    outputs = [ "out" "foo" ];
+  };
+  combo-path = "${drv0.drvPath}${drv1.drvPath}";
+in builtins.addDrvOutputDependencies combo-path
diff --git a/test/testdata/eval-fail-addDrvOutputDependencies-wrong-element-kind.err.exp b/test/testdata/eval-fail-addDrvOutputDependencies-wrong-element-kind.err.exp
new file mode 100644
index 0000000..72b5e63
--- /dev/null
+++ b/test/testdata/eval-fail-addDrvOutputDependencies-wrong-element-kind.err.exp
@@ -0,0 +1,9 @@
+error:
+       … while calling the 'addDrvOutputDependencies' builtin
+         at /pwd/lang/eval-fail-addDrvOutputDependencies-wrong-element-kind.nix:9:4:
+            8|
+            9| in builtins.addDrvOutputDependencies drv.outPath
+             |    ^
+           10|
+       error: `addDrvOutputDependencies` can only act on derivations, not on a derivation output such as 'out'
diff --git a/test/testdata/eval-fail-addDrvOutputDependencies-wrong-element-kind.nix b/test/testdata/eval-fail-addDrvOutputDependencies-wrong-element-kind.nix
new file mode 100644
index 0000000..e379e1d
--- /dev/null
+++ b/test/testdata/eval-fail-addDrvOutputDependencies-wrong-element-kind.nix
@@ -0,0 +1,9 @@
+let
+  drv = derivation {
+    name = "fail";
+    builder = "/bin/false";
+    system = "x86_64-linux";
+    outputs = [ "out" "foo" ];
+  };
+in builtins.addDrvOutputDependencies drv.outPath
diff --git a/test/testdata/eval-fail-addErrorContext-example.err.exp b/test/testdata/eval-fail-addErrorContext-example.err.exp
new file mode 100644
index 0000000..4fad8f5
--- /dev/null
+++ b/test/testdata/eval-fail-addErrorContext-example.err.exp
@@ -0,0 +1,24 @@
+error:
+       … while counting down; n = 10
+       … while counting down; n = 9
+       … while counting down; n = 8
+       … while counting down; n = 7
+       … while counting down; n = 6
+       … while counting down; n = 5
+       … while counting down; n = 4
+       … while counting down; n = 3
+       … while counting down; n = 2
+       … while counting down; n = 1
+       (stack trace truncated; use '--show-trace' to show the full, detailed trace)
+       error: kaboom
diff --git a/test/testdata/eval-fail-addErrorContext-example.flags b/test/testdata/eval-fail-addErrorContext-example.flags
new file mode 100644
index 0000000..9b1f645
--- /dev/null
+++ b/test/testdata/eval-fail-addErrorContext-example.flags
@@ -0,0 +1 @@
+--eval --strict --no-show-trace
diff --git a/test/testdata/eval-fail-addErrorContext-example.nix b/test/testdata/eval-fail-addErrorContext-example.nix
new file mode 100644
index 0000000..996b246
--- /dev/null
+++ b/test/testdata/eval-fail-addErrorContext-example.nix
@@ -0,0 +1,9 @@
+let
+  countDown = n:
+    if n == 0
+    then throw "kaboom"
+    else
+      builtins.addErrorContext
+        "while counting down; n = ${toString n}"
+        ("x" + countDown (n - 1));
+in countDown 10
diff --git a/test/testdata/eval-fail-assert-equal-attrs-names-2.err.exp b/test/testdata/eval-fail-assert-equal-attrs-names-2.err.exp
new file mode 100644
index 0000000..4b68d97
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-attrs-names-2.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating the condition of the assertion '({ a = true; } == { a = true; b = true; })'
+         at /pwd/lang/eval-fail-assert-equal-attrs-names-2.nix:1:1:
+            1| assert { a = true; } == { a = true; b = true; };
+             | ^
+            2| throw "unreachable"
+       error: attribute names of attribute set '{ a = true; }' differs from attribute set '{ a = true; b = true; }'
diff --git a/test/testdata/eval-fail-assert-equal-attrs-names-2.nix b/test/testdata/eval-fail-assert-equal-attrs-names-2.nix
new file mode 100644
index 0000000..8e7ac9c
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-attrs-names-2.nix
@@ -0,0 +1,2 @@
+assert { a = true; } == { a = true; b = true; };
+throw "unreachable"
diff --git a/test/testdata/eval-fail-assert-equal-attrs-names.err.exp b/test/testdata/eval-fail-assert-equal-attrs-names.err.exp
new file mode 100644
index 0000000..bc61ca6
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-attrs-names.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating the condition of the assertion '({ a = true; b = true; } == { a = true; })'
+         at /pwd/lang/eval-fail-assert-equal-attrs-names.nix:1:1:
+            1| assert { a = true; b = true; } == { a = true; };
+             | ^
+            2| throw "unreachable"
+       error: attribute names of attribute set '{ a = true; b = true; }' differs from attribute set '{ a = true; }'
diff --git a/test/testdata/eval-fail-assert-equal-attrs-names.nix b/test/testdata/eval-fail-assert-equal-attrs-names.nix
new file mode 100644
index 0000000..e2f53a8
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-attrs-names.nix
@@ -0,0 +1,2 @@
+assert { a = true; b = true; } == { a = true; };
+throw "unreachable"
diff --git a/test/testdata/eval-fail-assert-equal-derivations-extra.err.exp b/test/testdata/eval-fail-assert-equal-derivations-extra.err.exp
new file mode 100644
index 0000000..7f49240
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-derivations-extra.err.exp
@@ -0,0 +1,26 @@
+error:
+       … while evaluating the condition of the assertion '({ foo = { outPath = "/nix/store/0"; type = "derivation"; }; } == { foo = { devious = true; outPath = "/nix/store/1"; type = "derivation"; }; })'
+         at /pwd/lang/eval-fail-assert-equal-derivations-extra.nix:1:1:
+            1| assert
+             | ^
+            2|   { foo = { type = "derivation"; outPath = "/nix/store/0"; }; }
+       … while comparing attribute 'foo'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-equal-derivations-extra.nix:2:5:
+            1| assert
+            2|   { foo = { type = "derivation"; outPath = "/nix/store/0"; }; }
+             |     ^
+            3|   ==
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-equal-derivations-extra.nix:4:5:
+            3|   ==
+            4|   { foo = { type = "derivation"; outPath = "/nix/store/1"; devious = true; }; };
+             |     ^
+            5| throw "unreachable"
+       … while comparing a derivation by its 'outPath' attribute
+       error: string '"/nix/store/0"' is not equal to string '"/nix/store/1"'
diff --git a/test/testdata/eval-fail-assert-equal-derivations-extra.nix b/test/testdata/eval-fail-assert-equal-derivations-extra.nix
new file mode 100644
index 0000000..fd8bc3f
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-derivations-extra.nix
@@ -0,0 +1,5 @@
+assert
+  { foo = { type = "derivation"; outPath = "/nix/store/0"; }; }
+  ==
+  { foo = { type = "derivation"; outPath = "/nix/store/1"; devious = true; }; };
+throw "unreachable"
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-assert-equal-derivations.err.exp b/test/testdata/eval-fail-assert-equal-derivations.err.exp
new file mode 100644
index 0000000..d7f0fac
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-derivations.err.exp
@@ -0,0 +1,26 @@
+error:
+       … while evaluating the condition of the assertion '({ foo = { ignored = (abort "not ignored"); outPath = "/nix/store/0"; type = "derivation"; }; } == { foo = { ignored = (abort "not ignored"); outPath = "/nix/store/1"; type = "derivation"; }; })'
+         at /pwd/lang/eval-fail-assert-equal-derivations.nix:1:1:
+            1| assert
+             | ^
+            2|   { foo = { type = "derivation"; outPath = "/nix/store/0"; ignored = abort "not ignored"; }; }
+       … while comparing attribute 'foo'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-equal-derivations.nix:2:5:
+            1| assert
+            2|   { foo = { type = "derivation"; outPath = "/nix/store/0"; ignored = abort "not ignored"; }; }
+             |     ^
+            3|   ==
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-equal-derivations.nix:4:5:
+            3|   ==
+            4|   { foo = { type = "derivation"; outPath = "/nix/store/1"; ignored = abort "not ignored"; }; };
+             |     ^
+            5| throw "unreachable"
+       … while comparing a derivation by its 'outPath' attribute
+       error: string '"/nix/store/0"' is not equal to string '"/nix/store/1"'
diff --git a/test/testdata/eval-fail-assert-equal-derivations.nix b/test/testdata/eval-fail-assert-equal-derivations.nix
new file mode 100644
index 0000000..c648eae
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-derivations.nix
@@ -0,0 +1,5 @@
+assert
+  { foo = { type = "derivation"; outPath = "/nix/store/0"; ignored = abort "not ignored"; }; }
+  ==
+  { foo = { type = "derivation"; outPath = "/nix/store/1"; ignored = abort "not ignored"; }; };
+throw "unreachable"
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-assert-equal-floats.err.exp b/test/testdata/eval-fail-assert-equal-floats.err.exp
new file mode 100644
index 0000000..d8545e2
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-floats.err.exp
@@ -0,0 +1,22 @@
+error:
+       … while evaluating the condition of the assertion '({ b = 1; } == { b = 1.01; })'
+         at /pwd/lang/eval-fail-assert-equal-floats.nix:1:1:
+            1| assert { b = 1.0; } == { b = 1.01; };
+             | ^
+            2| abort "unreachable"
+       … while comparing attribute 'b'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-equal-floats.nix:1:10:
+            1| assert { b = 1.0; } == { b = 1.01; };
+             |          ^
+            2| abort "unreachable"
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-equal-floats.nix:1:26:
+            1| assert { b = 1.0; } == { b = 1.01; };
+             |                          ^
+            2| abort "unreachable"
+       error: a float with value '1' is not equal to a float with value '1.01'
diff --git a/test/testdata/eval-fail-assert-equal-floats.nix b/test/testdata/eval-fail-assert-equal-floats.nix
new file mode 100644
index 0000000..438e85a
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-floats.nix
@@ -0,0 +1,2 @@
+assert { b = 1.0; } == { b = 1.01; };
+abort "unreachable"
diff --git a/test/testdata/eval-fail-assert-equal-function-direct.err.exp b/test/testdata/eval-fail-assert-equal-function-direct.err.exp
new file mode 100644
index 0000000..f06d796
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-function-direct.err.exp
@@ -0,0 +1,9 @@
+error:
+       … while evaluating the condition of the assertion '((x: x) == (x: x))'
+         at /pwd/lang/eval-fail-assert-equal-function-direct.nix:3:1:
+            2| # This only compares a direct comparison and makes no claims about functions in nested structures.
+            3| assert
+             | ^
+            4|   (x: x)
+       error: distinct functions and immediate comparisons of identical functions compare as unequal
diff --git a/test/testdata/eval-fail-assert-equal-function-direct.nix b/test/testdata/eval-fail-assert-equal-function-direct.nix
new file mode 100644
index 0000000..68e5e39
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-function-direct.nix
@@ -0,0 +1,7 @@
+# Note: functions in nested structures, e.g. attributes, may be optimized away by pointer identity optimization.
+# This only compares a direct comparison and makes no claims about functions in nested structures.
+assert
+  (x: x)
+  ==
+  (x: x);
+abort "unreachable"
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-assert-equal-int-float.err.exp b/test/testdata/eval-fail-assert-equal-int-float.err.exp
new file mode 100644
index 0000000..c927e38
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-int-float.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating the condition of the assertion '(1 == 1.1)'
+         at /pwd/lang/eval-fail-assert-equal-int-float.nix:1:1:
+            1| assert 1 == 1.1;
+             | ^
+            2| throw "unreachable"
+       error: an integer with value '1' is not equal to a float with value '1.1'
diff --git a/test/testdata/eval-fail-assert-equal-int-float.nix b/test/testdata/eval-fail-assert-equal-int-float.nix
new file mode 100644
index 0000000..1dfdf2b
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-int-float.nix
@@ -0,0 +1,2 @@
+assert 1 == 1.1;
+throw "unreachable"
diff --git a/test/testdata/eval-fail-assert-equal-ints.err.exp b/test/testdata/eval-fail-assert-equal-ints.err.exp
new file mode 100644
index 0000000..d6219e2
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-ints.err.exp
@@ -0,0 +1,22 @@
+error:
+       … while evaluating the condition of the assertion '({ b = 1; } == { b = 2; })'
+         at /pwd/lang/eval-fail-assert-equal-ints.nix:1:1:
+            1| assert { b = 1; } == { b = 2; };
+             | ^
+            2| abort "unreachable"
+       … while comparing attribute 'b'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-equal-ints.nix:1:10:
+            1| assert { b = 1; } == { b = 2; };
+             |          ^
+            2| abort "unreachable"
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-equal-ints.nix:1:24:
+            1| assert { b = 1; } == { b = 2; };
+             |                        ^
+            2| abort "unreachable"
+       error: an integer with value '1' is not equal to an integer with value '2'
diff --git a/test/testdata/eval-fail-assert-equal-ints.nix b/test/testdata/eval-fail-assert-equal-ints.nix
new file mode 100644
index 0000000..645258e
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-ints.nix
@@ -0,0 +1,2 @@
+assert { b = 1; } == { b = 2; };
+abort "unreachable"
diff --git a/test/testdata/eval-fail-assert-equal-list-length.err.exp b/test/testdata/eval-fail-assert-equal-list-length.err.exp
new file mode 100644
index 0000000..9010855
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-list-length.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating the condition of the assertion '([ (1) (0) ] == [ (10) ])'
+         at /pwd/lang/eval-fail-assert-equal-list-length.nix:1:1:
+            1| assert [ 1 0 ] == [ 10 ];
+             | ^
+            2| throw "unreachable"
+       error: list of size '2' is not equal to list of size '1', left hand side is '[ 1 0 ]', right hand side is '[ 10 ]'
diff --git a/test/testdata/eval-fail-assert-equal-list-length.nix b/test/testdata/eval-fail-assert-equal-list-length.nix
new file mode 100644
index 0000000..6d40f4d
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-list-length.nix
@@ -0,0 +1,2 @@
+assert [ 1 0 ] == [ 10 ];
+throw "unreachable"
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-assert-equal-paths.err.exp b/test/testdata/eval-fail-assert-equal-paths.err.exp
new file mode 100644
index 0000000..66c34e9
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-paths.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating the condition of the assertion '(/pwd/lang/foo == /pwd/lang/bar)'
+         at /pwd/lang/eval-fail-assert-equal-paths.nix:1:1:
+            1| assert ./foo == ./bar;
+             | ^
+            2| throw "unreachable"
+       error: path '/pwd/lang/foo' is not equal to path '/pwd/lang/bar'
diff --git a/test/testdata/eval-fail-assert-equal-paths.nix b/test/testdata/eval-fail-assert-equal-paths.nix
new file mode 100644
index 0000000..ef0b670
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-paths.nix
@@ -0,0 +1,2 @@
+assert ./foo == ./bar;
+throw "unreachable"
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-assert-equal-type-nested.err.exp b/test/testdata/eval-fail-assert-equal-type-nested.err.exp
new file mode 100644
index 0000000..f78badd
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-type-nested.err.exp
@@ -0,0 +1,22 @@
+error:
+       … while evaluating the condition of the assertion '({ ding = false; } == { ding = null; })'
+         at /pwd/lang/eval-fail-assert-equal-type-nested.nix:1:1:
+            1| assert { ding = false; } == { ding = null; };
+             | ^
+            2| abort "unreachable"
+       … while comparing attribute 'ding'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-equal-type-nested.nix:1:10:
+            1| assert { ding = false; } == { ding = null; };
+             |          ^
+            2| abort "unreachable"
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-equal-type-nested.nix:1:31:
+            1| assert { ding = false; } == { ding = null; };
+             |                               ^
+            2| abort "unreachable"
+       error: a Boolean of value 'false' is not equal to null of value 'null'
diff --git a/test/testdata/eval-fail-assert-equal-type-nested.nix b/test/testdata/eval-fail-assert-equal-type-nested.nix
new file mode 100644
index 0000000..3fbd14c
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-type-nested.nix
@@ -0,0 +1,2 @@
+assert { ding = false; } == { ding = null; };
+abort "unreachable"
diff --git a/test/testdata/eval-fail-assert-equal-type.err.exp b/test/testdata/eval-fail-assert-equal-type.err.exp
new file mode 100644
index 0000000..4dc3f2e
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-type.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating the condition of the assertion '(false == null)'
+         at /pwd/lang/eval-fail-assert-equal-type.nix:1:1:
+            1| assert false == null;
+             | ^
+            2| abort "unreachable"
+       error: a Boolean of value 'false' is not equal to null of value 'null'
diff --git a/test/testdata/eval-fail-assert-equal-type.nix b/test/testdata/eval-fail-assert-equal-type.nix
new file mode 100644
index 0000000..7023ea0
--- /dev/null
+++ b/test/testdata/eval-fail-assert-equal-type.nix
@@ -0,0 +1,2 @@
+assert false == null;
+abort "unreachable"
diff --git a/test/testdata/eval-fail-assert-nested-bool.err.exp b/test/testdata/eval-fail-assert-nested-bool.err.exp
new file mode 100644
index 0000000..1debb66
--- /dev/null
+++ b/test/testdata/eval-fail-assert-nested-bool.err.exp
@@ -0,0 +1,74 @@
+error:
+       … while evaluating the condition of the assertion '({ a = { b = [ ({ c = { d = true; }; }) ]; }; } == { a = { b = [ ({ c = { d = false; }; }) ]; }; })'
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:1:1:
+            1| assert
+             | ^
+            2|   { a.b = [ { c.d = true; } ]; }
+       … while comparing attribute 'a'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:2:5:
+            1| assert
+            2|   { a.b = [ { c.d = true; } ]; }
+             |     ^
+            3|   ==
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:4:5:
+            3|   ==
+            4|   { a.b = [ { c.d = false; } ]; };
+             |     ^
+            5|
+       … while comparing attribute 'b'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:2:5:
+            1| assert
+            2|   { a.b = [ { c.d = true; } ]; }
+             |     ^
+            3|   ==
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:4:5:
+            3|   ==
+            4|   { a.b = [ { c.d = false; } ]; };
+             |     ^
+            5|
+       … while comparing list element 0
+       … while comparing attribute 'c'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:2:15:
+            1| assert
+            2|   { a.b = [ { c.d = true; } ]; }
+             |               ^
+            3|   ==
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:4:15:
+            3|   ==
+            4|   { a.b = [ { c.d = false; } ]; };
+             |               ^
+            5|
+       … while comparing attribute 'd'
+       … where left hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:2:15:
+            1| assert
+            2|   { a.b = [ { c.d = true; } ]; }
+             |               ^
+            3|   ==
+       … where right hand side is
+         at /pwd/lang/eval-fail-assert-nested-bool.nix:4:15:
+            3|   ==
+            4|   { a.b = [ { c.d = false; } ]; };
+             |               ^
+            5|
+       error: boolean 'true' is not equal to boolean 'false'
diff --git a/test/testdata/eval-fail-assert-nested-bool.nix b/test/testdata/eval-fail-assert-nested-bool.nix
new file mode 100644
index 0000000..2285769
--- /dev/null
+++ b/test/testdata/eval-fail-assert-nested-bool.nix
@@ -0,0 +1,6 @@
+assert
+  { a.b = [ { c.d = true; } ]; }
+  ==
+  { a.b = [ { c.d = false; } ]; };
+abort "unreachable"
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-assert.err.exp b/test/testdata/eval-fail-assert.err.exp
new file mode 100644
index 0000000..7be9e23
--- /dev/null
+++ b/test/testdata/eval-fail-assert.err.exp
@@ -0,0 +1,30 @@
+error:
+       … while evaluating the attribute 'body'
+         at /pwd/lang/eval-fail-assert.nix:4:3:
+            3|
+            4|   body = x "x";
+             |   ^
+            5| }
+       … from call site
+         at /pwd/lang/eval-fail-assert.nix:4:10:
+            3|
+            4|   body = x "x";
+             |          ^
+            5| }
+       … while calling 'x'
+         at /pwd/lang/eval-fail-assert.nix:2:7:
+            1| let {
+            2|   x = arg: assert arg == "y"; 123;
+             |       ^
+            3|
+       … while evaluating the condition of the assertion '(arg == "y")'
+         at /pwd/lang/eval-fail-assert.nix:2:12:
+            1| let {
+            2|   x = arg: assert arg == "y"; 123;
+             |            ^
+            3|
+       error: string '"x"' is not equal to string '"y"'
diff --git a/test/testdata/eval-fail-assert.nix b/test/testdata/eval-fail-assert.nix
new file mode 100644
index 0000000..3b7a1e8
--- /dev/null
+++ b/test/testdata/eval-fail-assert.nix
@@ -0,0 +1,5 @@
+let {
+  x = arg: assert arg == "y"; 123;
+  body = x "x";
+}
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-attr-name-type.err.exp b/test/testdata/eval-fail-attr-name-type.err.exp
new file mode 100644
index 0000000..6848a35
--- /dev/null
+++ b/test/testdata/eval-fail-attr-name-type.err.exp
@@ -0,0 +1,21 @@
+error:
+       … while evaluating the attribute 'puppy."${key}"'
+         at /pwd/lang/eval-fail-attr-name-type.nix:3:5:
+            2|   attrs = {
+            3|     puppy.doggy = {};
+             |     ^
+            4|   };
+       … while evaluating an attribute name
+         at /pwd/lang/eval-fail-attr-name-type.nix:7:17:
+            6| in
+            7|   attrs.puppy.${key}
+             |                 ^
+            8|
+       error: expected a string but found an integer: 1
+       at /pwd/lang/eval-fail-attr-name-type.nix:7:17:
+            6| in
+            7|   attrs.puppy.${key}
+             |                 ^
+            8|
diff --git a/test/testdata/eval-fail-attr-name-type.nix b/test/testdata/eval-fail-attr-name-type.nix
new file mode 100644
index 0000000..a0e7600
--- /dev/null
+++ b/test/testdata/eval-fail-attr-name-type.nix
@@ -0,0 +1,7 @@
+let
+  attrs = {
+    puppy.doggy = {};
+  };
+  key = 1;
+in
+  attrs.puppy.${key}
diff --git a/test/testdata/eval-fail-bad-string-interpolation-1.err.exp b/test/testdata/eval-fail-bad-string-interpolation-1.err.exp
new file mode 100644
index 0000000..5ae5303
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-1.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating a path segment
+         at /pwd/lang/eval-fail-bad-string-interpolation-1.nix:1:2:
+            1| "${x: x}"
+             |  ^
+            2|
+       error: cannot coerce a function to a string: «lambda @ /pwd/lang/eval-fail-bad-string-interpolation-1.nix:1:4»
diff --git a/test/testdata/eval-fail-bad-string-interpolation-1.nix b/test/testdata/eval-fail-bad-string-interpolation-1.nix
new file mode 100644
index 0000000..ffe9c98
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-1.nix
@@ -0,0 +1 @@
+"${x: x}"
diff --git a/test/testdata/eval-fail-bad-string-interpolation-2.err.exp b/test/testdata/eval-fail-bad-string-interpolation-2.err.exp
new file mode 100644
index 0000000..a287067
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-2.err.exp
@@ -0,0 +1 @@
+error: path '/pwd/lang/fnord' does not exist
diff --git a/test/testdata/eval-fail-bad-string-interpolation-2.nix b/test/testdata/eval-fail-bad-string-interpolation-2.nix
new file mode 100644
index 0000000..3745235
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-2.nix
@@ -0,0 +1 @@
+"${./fnord}"
diff --git a/test/testdata/eval-fail-bad-string-interpolation-3.err.exp b/test/testdata/eval-fail-bad-string-interpolation-3.err.exp
new file mode 100644
index 0000000..170a3d1
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-3.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating a path segment
+         at /pwd/lang/eval-fail-bad-string-interpolation-3.nix:1:3:
+            1| ''${x: x}''
+             |   ^
+            2|
+       error: cannot coerce a function to a string: «lambda @ /pwd/lang/eval-fail-bad-string-interpolation-3.nix:1:5»
diff --git a/test/testdata/eval-fail-bad-string-interpolation-3.nix b/test/testdata/eval-fail-bad-string-interpolation-3.nix
new file mode 100644
index 0000000..65b9d4f
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-3.nix
@@ -0,0 +1 @@
+''${x: x}''
diff --git a/test/testdata/eval-fail-bad-string-interpolation-4.err.exp b/test/testdata/eval-fail-bad-string-interpolation-4.err.exp
new file mode 100644
index 0000000..b262e81
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-4.err.exp
@@ -0,0 +1,9 @@
+error:
+       … while evaluating a path segment
+         at /pwd/lang/eval-fail-bad-string-interpolation-4.nix:9:3:
+            8| # The error message should not be too long.
+            9| ''${pkgs}''
+             |   ^
+           10|
+       error: cannot coerce a set to a string: { a = { a = { a = { a = "ha"; b = "ha"; c = "ha"; d = "ha"; e = "ha"; f = "ha"; g = "ha"; h = "ha"; j = "ha"; }; «8 attributes elided» }; «8 attributes elided» }; «8 attributes elided» }
diff --git a/test/testdata/eval-fail-bad-string-interpolation-4.nix b/test/testdata/eval-fail-bad-string-interpolation-4.nix
new file mode 100644
index 0000000..457b5f0
--- /dev/null
+++ b/test/testdata/eval-fail-bad-string-interpolation-4.nix
@@ -0,0 +1,9 @@
+let
+  # Basically a "billion laughs" attack, but toned down to simulated `pkgs`.
+  ha = x: y: { a = x y; b = x y; c = x y; d = x y; e = x y; f = x y; g = x y; h = x y; j = x y; };
+  has = ha (ha (ha (ha (x: x)))) "ha";
+  # A large structure that has already been evaluated.
+  pkgs = builtins.deepSeq has has;
+in
+# The error message should not be too long.
+''${pkgs}''
diff --git a/test/testdata/eval-fail-blackhole.err.exp b/test/testdata/eval-fail-blackhole.err.exp
new file mode 100644
index 0000000..95e33a5
--- /dev/null
+++ b/test/testdata/eval-fail-blackhole.err.exp
@@ -0,0 +1,14 @@
+error:
+       … while evaluating the attribute 'body'
+         at /pwd/lang/eval-fail-blackhole.nix:2:3:
+            1| let {
+            2|   body = x;
+             |   ^
+            3|   x = y;
+       error: infinite recursion encountered
+       at /pwd/lang/eval-fail-blackhole.nix:3:7:
+            2|   body = x;
+            3|   x = y;
+             |       ^
+            4|   y = x;
diff --git a/test/testdata/eval-fail-blackhole.nix b/test/testdata/eval-fail-blackhole.nix
new file mode 100644
index 0000000..81133b5
--- /dev/null
+++ b/test/testdata/eval-fail-blackhole.nix
@@ -0,0 +1,5 @@
+let {
+  body = x;
+  x = y;
+  y = x;
+}
diff --git a/test/testdata/eval-fail-call-primop.err.exp b/test/testdata/eval-fail-call-primop.err.exp
new file mode 100644
index 0000000..0c6f614
--- /dev/null
+++ b/test/testdata/eval-fail-call-primop.err.exp
@@ -0,0 +1,10 @@
+error:
+       … while calling the 'length' builtin
+         at /pwd/lang/eval-fail-call-primop.nix:1:1:
+            1| builtins.length 1
+             | ^
+            2|
+       … while evaluating the first argument passed to builtins.length
+       error: expected a list but found an integer: 1
diff --git a/test/testdata/eval-fail-call-primop.nix b/test/testdata/eval-fail-call-primop.nix
new file mode 100644
index 0000000..972eb72
--- /dev/null
+++ b/test/testdata/eval-fail-call-primop.nix
@@ -0,0 +1 @@
+builtins.length 1
diff --git a/test/testdata/eval-fail-deepseq.err.exp b/test/testdata/eval-fail-deepseq.err.exp
new file mode 100644
index 0000000..11b6234
--- /dev/null
+++ b/test/testdata/eval-fail-deepseq.err.exp
@@ -0,0 +1,20 @@
+error:
+       … while calling the 'deepSeq' builtin
+         at /pwd/lang/eval-fail-deepseq.nix:1:1:
+            1| builtins.deepSeq { x = abort "foo"; } 456
+             | ^
+            2|
+       … while evaluating the attribute 'x'
+         at /pwd/lang/eval-fail-deepseq.nix:1:20:
+            1| builtins.deepSeq { x = abort "foo"; } 456
+             |                    ^
+            2|
+       … while calling the 'abort' builtin
+         at /pwd/lang/eval-fail-deepseq.nix:1:24:
+            1| builtins.deepSeq { x = abort "foo"; } 456
+             |                        ^
+            2|
+       error: evaluation aborted with the following error message: 'foo'
diff --git a/test/testdata/eval-fail-deepseq.nix b/test/testdata/eval-fail-deepseq.nix
new file mode 100644
index 0000000..9baa49b
--- /dev/null
+++ b/test/testdata/eval-fail-deepseq.nix
@@ -0,0 +1 @@
+builtins.deepSeq { x = abort "foo"; } 456
diff --git a/test/testdata/eval-fail-derivation-name.err.exp b/test/testdata/eval-fail-derivation-name.err.exp
new file mode 100644
index 0000000..0ef9867
--- /dev/null
+++ b/test/testdata/eval-fail-derivation-name.err.exp
@@ -0,0 +1,26 @@
+error:
+       … while evaluating the attribute 'outPath'
+         at <nix/derivation-internal.nix>:<number>:<number>:
+     <number>|       value = commonAttrs // {
+     <number>|         outPath = builtins.getAttr outputName strict;
+             |         ^
+     <number>|         drvPath = strict.drvPath;
+       … while calling the 'getAttr' builtin
+         at <nix/derivation-internal.nix>:<number>:<number>:
+     <number>|       value = commonAttrs // {
+     <number>|         outPath = builtins.getAttr outputName strict;
+             |                   ^
+     <number>|         drvPath = strict.drvPath;
+       … while calling the 'derivationStrict' builtin
+         at <nix/derivation-internal.nix>:<number>:<number>:
+     <number>|
+     <number>|   strict = derivationStrict drvAttrs;
+             |            ^
+     <number>|
+       … while evaluating derivation '~jiggle~'
+         whose name attribute is located at /pwd/lang/eval-fail-derivation-name.nix:<number>:<number>
+       error: invalid derivation name: name '~jiggle~' contains illegal character '~'. Please pass a different 'name'.
diff --git a/test/testdata/eval-fail-derivation-name.nix b/test/testdata/eval-fail-derivation-name.nix
new file mode 100644
index 0000000..e779ad6
--- /dev/null
+++ b/test/testdata/eval-fail-derivation-name.nix
@@ -0,0 +1,5 @@
+derivation {
+  name = "~jiggle~";
+  system = "some-system";
+  builder = "/dontcare";
+}
diff --git a/test/testdata/eval-fail-derivation-name.postprocess b/test/testdata/eval-fail-derivation-name.postprocess
new file mode 100644
index 0000000..ffbc2b5
--- /dev/null
+++ b/test/testdata/eval-fail-derivation-name.postprocess
@@ -0,0 +1,9 @@
+# shellcheck shell=bash
+set -euo pipefail
+testcaseBasename=$1
+# Line numbers change when derivation.nix docs are updated.
+sed -i "$testcaseBasename.err" \
+  -e 's/[0-9 ][0-9 ][0-9 ][0-9 ][0-9 ][0-9 ][0-9 ][0-9]\([^0-9]\)/<number>\1/g' \
+  -e 's/[0-9][0-9]*/<number>/g' \
+  ;
diff --git a/test/testdata/eval-fail-dup-dynamic-attrs.err.exp b/test/testdata/eval-fail-dup-dynamic-attrs.err.exp
new file mode 100644
index 0000000..834f9c6
--- /dev/null
+++ b/test/testdata/eval-fail-dup-dynamic-attrs.err.exp
@@ -0,0 +1,14 @@
+error:
+       … while evaluating the attribute 'set'
+         at /pwd/lang/eval-fail-dup-dynamic-attrs.nix:2:3:
+            1| {
+            2|   set = { "${"" + "b"}" = 1; };
+             |   ^
+            3|   set = { "${"b" + ""}" = 2; };
+       error: dynamic attribute 'b' already defined at /pwd/lang/eval-fail-dup-dynamic-attrs.nix:2:11
+       at /pwd/lang/eval-fail-dup-dynamic-attrs.nix:3:11:
+            2|   set = { "${"" + "b"}" = 1; };
+            3|   set = { "${"b" + ""}" = 2; };
+             |           ^
+            4| }
diff --git a/test/testdata/eval-fail-dup-dynamic-attrs.nix b/test/testdata/eval-fail-dup-dynamic-attrs.nix
new file mode 100644
index 0000000..7ea17f6
--- /dev/null
+++ b/test/testdata/eval-fail-dup-dynamic-attrs.nix
@@ -0,0 +1,4 @@
+{
+  set = { "${"" + "b"}" = 1; };
+  set = { "${"b" + ""}" = 2; };
+}
diff --git a/test/testdata/eval-fail-duplicate-traces.err.exp b/test/testdata/eval-fail-duplicate-traces.err.exp
new file mode 100644
index 0000000..cedaebd
--- /dev/null
+++ b/test/testdata/eval-fail-duplicate-traces.err.exp
@@ -0,0 +1,51 @@
+error:
+       … from call site
+         at /pwd/lang/eval-fail-duplicate-traces.nix:9:3:
+            8| in
+            9|   throwAfter 2
+             |   ^
+           10|
+       … while calling 'throwAfter'
+         at /pwd/lang/eval-fail-duplicate-traces.nix:4:16:
+            3| let
+            4|   throwAfter = n:
+             |                ^
+            5|     if n > 0
+       … from call site
+         at /pwd/lang/eval-fail-duplicate-traces.nix:6:10:
+            5|     if n > 0
+            6|     then throwAfter (n - 1)
+             |          ^
+            7|     else throw "Uh oh!";
+       … while calling 'throwAfter'
+         at /pwd/lang/eval-fail-duplicate-traces.nix:4:16:
+            3| let
+            4|   throwAfter = n:
+             |                ^
+            5|     if n > 0
+       … from call site
+         at /pwd/lang/eval-fail-duplicate-traces.nix:6:10:
+            5|     if n > 0
+            6|     then throwAfter (n - 1)
+             |          ^
+            7|     else throw "Uh oh!";
+       … while calling 'throwAfter'
+         at /pwd/lang/eval-fail-duplicate-traces.nix:4:16:
+            3| let
+            4|   throwAfter = n:
+             |                ^
+            5|     if n > 0
+       … while calling the 'throw' builtin
+         at /pwd/lang/eval-fail-duplicate-traces.nix:7:10:
+            6|     then throwAfter (n - 1)
+            7|     else throw "Uh oh!";
+             |          ^
+            8| in
+       error: Uh oh!
diff --git a/test/testdata/eval-fail-duplicate-traces.nix b/test/testdata/eval-fail-duplicate-traces.nix
new file mode 100644
index 0000000..17ce374
--- /dev/null
+++ b/test/testdata/eval-fail-duplicate-traces.nix
@@ -0,0 +1,9 @@
+# Check that we only omit duplicate stack traces when there's a bunch of them.
+# Here, there's only a couple duplicate entries, so we output them all.
+let
+  throwAfter = n:
+    if n > 0
+    then throwAfter (n - 1)
+    else throw "Uh oh!";
+in
+  throwAfter 2
diff --git a/test/testdata/eval-fail-eol-1.err.exp b/test/testdata/eval-fail-eol-1.err.exp
new file mode 100644
index 0000000..3f5a5c2
--- /dev/null
+++ b/test/testdata/eval-fail-eol-1.err.exp
@@ -0,0 +1,6 @@
+error: undefined variable 'invalid'
+       at /pwd/lang/eval-fail-eol-1.nix:2:1:
+            1| # foo
+            2| invalid
+             | ^
+            3| # bar
diff --git a/test/testdata/eval-fail-eol-1.nix b/test/testdata/eval-fail-eol-1.nix
new file mode 100644
index 0000000..4762239
--- /dev/null
+++ b/test/testdata/eval-fail-eol-1.nix
@@ -0,0 +1,3 @@
+# foo
+invalid
+# bar
diff --git a/test/testdata/eval-fail-eol-2.err.exp b/test/testdata/eval-fail-eol-2.err.exp
new file mode 100644
index 0000000..ff13e2d
--- /dev/null
+++ b/test/testdata/eval-fail-eol-2.err.exp
@@ -0,0 +1,6 @@
+error: undefined variable 'invalid'
+       at /pwd/lang/eval-fail-eol-2.nix:2:1:
+            1| # foo
+            2| invalid
+             | ^
+            3| # bar
diff --git a/test/testdata/eval-fail-eol-2.nix b/test/testdata/eval-fail-eol-2.nix
new file mode 100644
index 0000000..0cf92a4
--- /dev/null
+++ b/test/testdata/eval-fail-eol-2.nix
@@ -0,0 +1,2 @@
+# foo
+invalid
+# bar
diff --git a/test/testdata/eval-fail-eol-3.err.exp b/test/testdata/eval-fail-eol-3.err.exp
new file mode 100644
index 0000000..ada3c5e
--- /dev/null
+++ b/test/testdata/eval-fail-eol-3.err.exp
@@ -0,0 +1,6 @@
+error: undefined variable 'invalid'
+       at /pwd/lang/eval-fail-eol-3.nix:2:1:
+            1| # foo
+            2| invalid
+             | ^
+            3| # bar
diff --git a/test/testdata/eval-fail-eol-3.nix b/test/testdata/eval-fail-eol-3.nix
new file mode 100644
index 0000000..4762239
--- /dev/null
+++ b/test/testdata/eval-fail-eol-3.nix
@@ -0,0 +1,3 @@
+# foo
+invalid
+# bar
diff --git a/test/testdata/eval-fail-fetchTree-negative.err.exp b/test/testdata/eval-fail-fetchTree-negative.err.exp
new file mode 100644
index 0000000..d9ba1f0
--- /dev/null
+++ b/test/testdata/eval-fail-fetchTree-negative.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'fetchTree' builtin
+         at /pwd/lang/eval-fail-fetchTree-negative.nix:1:1:
+            1| builtins.fetchTree {
+             | ^
+            2|   type = "file";
+       error: negative value given for fetchTree attr owner: -1
diff --git a/test/testdata/eval-fail-fetchTree-negative.nix b/test/testdata/eval-fail-fetchTree-negative.nix
new file mode 100644
index 0000000..90bcab5
--- /dev/null
+++ b/test/testdata/eval-fail-fetchTree-negative.nix
@@ -0,0 +1,5 @@
+builtins.fetchTree {
+  type = "file";
+  url = "file://eval-fail-fetchTree-negative.nix";
+  owner = -1;
+}
diff --git a/test/testdata/eval-fail-fetchurl-baseName-attrs-name.err.exp b/test/testdata/eval-fail-fetchurl-baseName-attrs-name.err.exp
new file mode 100644
index 0000000..30f8b6a
--- /dev/null
+++ b/test/testdata/eval-fail-fetchurl-baseName-attrs-name.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'fetchurl' builtin
+         at /pwd/lang/eval-fail-fetchurl-baseName-attrs-name.nix:1:1:
+            1| builtins.fetchurl { url = "https://example.com/foo.tar.gz"; name = "~wobble~"; }
+             | ^
+            2|
+       error: invalid store path name when fetching URL 'https://example.com/foo.tar.gz': name '~wobble~' contains illegal character '~'. Please change the value for the 'name' attribute passed to 'fetchurl', so that it can create a valid store path.
diff --git a/test/testdata/eval-fail-fetchurl-baseName-attrs-name.nix b/test/testdata/eval-fail-fetchurl-baseName-attrs-name.nix
new file mode 100644
index 0000000..5838055
--- /dev/null
+++ b/test/testdata/eval-fail-fetchurl-baseName-attrs-name.nix
@@ -0,0 +1 @@
+builtins.fetchurl { url = "https://example.com/foo.tar.gz"; name = "~wobble~"; }
diff --git a/test/testdata/eval-fail-fetchurl-baseName-attrs.err.exp b/test/testdata/eval-fail-fetchurl-baseName-attrs.err.exp
new file mode 100644
index 0000000..cef532e
--- /dev/null
+++ b/test/testdata/eval-fail-fetchurl-baseName-attrs.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'fetchurl' builtin
+         at /pwd/lang/eval-fail-fetchurl-baseName-attrs.nix:1:1:
+            1| builtins.fetchurl { url = "https://example.com/~wiggle~"; }
+             | ^
+            2|
+       error: invalid store path name when fetching URL 'https://example.com/~wiggle~': name '~wiggle~' contains illegal character '~'. Please add a valid 'name' attribute to the argument for 'fetchurl', so that it can create a valid store path.
diff --git a/test/testdata/eval-fail-fetchurl-baseName-attrs.nix b/test/testdata/eval-fail-fetchurl-baseName-attrs.nix
new file mode 100644
index 0000000..068120e
--- /dev/null
+++ b/test/testdata/eval-fail-fetchurl-baseName-attrs.nix
@@ -0,0 +1 @@
+builtins.fetchurl { url = "https://example.com/~wiggle~"; }
diff --git a/test/testdata/eval-fail-fetchurl-baseName.err.exp b/test/testdata/eval-fail-fetchurl-baseName.err.exp
new file mode 100644
index 0000000..0950e8e
--- /dev/null
+++ b/test/testdata/eval-fail-fetchurl-baseName.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'fetchurl' builtin
+         at /pwd/lang/eval-fail-fetchurl-baseName.nix:1:1:
+            1| builtins.fetchurl "https://example.com/~wiggle~"
+             | ^
+            2|
+       error: invalid store path name when fetching URL 'https://example.com/~wiggle~': name '~wiggle~' contains illegal character '~'. Please pass an attribute set with 'url' and 'name' attributes to 'fetchurl',  so that it can create a valid store path.
diff --git a/test/testdata/eval-fail-fetchurl-baseName.nix b/test/testdata/eval-fail-fetchurl-baseName.nix
new file mode 100644
index 0000000..9650938
--- /dev/null
+++ b/test/testdata/eval-fail-fetchurl-baseName.nix
@@ -0,0 +1 @@
+builtins.fetchurl "https://example.com/~wiggle~"
diff --git a/test/testdata/eval-fail-flake-ref-to-string-negative-integer.err.exp b/test/testdata/eval-fail-flake-ref-to-string-negative-integer.err.exp
new file mode 100644
index 0000000..25c8d7e
--- /dev/null
+++ b/test/testdata/eval-fail-flake-ref-to-string-negative-integer.err.exp
@@ -0,0 +1,14 @@
+error:
+       … while calling the 'seq' builtin
+         at /pwd/lang/eval-fail-flake-ref-to-string-negative-integer.nix:1:16:
+            1| let n = -1; in builtins.seq n (builtins.flakeRefToString {
+             |                ^
+            2|   type  = "github";
+       … while calling the 'flakeRefToString' builtin
+         at /pwd/lang/eval-fail-flake-ref-to-string-negative-integer.nix:1:32:
+            1| let n = -1; in builtins.seq n (builtins.flakeRefToString {
+             |                                ^
+            2|   type  = "github";
+       error: negative value given for flake ref attr repo: -1
diff --git a/test/testdata/eval-fail-flake-ref-to-string-negative-integer.nix b/test/testdata/eval-fail-flake-ref-to-string-negative-integer.nix
new file mode 100644
index 0000000..e0208eb
--- /dev/null
+++ b/test/testdata/eval-fail-flake-ref-to-string-negative-integer.nix
@@ -0,0 +1,7 @@
+let n = -1; in builtins.seq n (builtins.flakeRefToString {
+  type  = "github";
+  owner = "NixOS";
+  repo  = n;
+  ref   = "23.05";
+  dir   = "lib";
+})
diff --git a/test/testdata/eval-fail-foldlStrict-strict-op-application.err.exp b/test/testdata/eval-fail-foldlStrict-strict-op-application.err.exp
new file mode 100644
index 0000000..4903bc8
--- /dev/null
+++ b/test/testdata/eval-fail-foldlStrict-strict-op-application.err.exp
@@ -0,0 +1,37 @@
+error:
+       … while calling the 'foldl'' builtin
+         at /pwd/lang/eval-fail-foldlStrict-strict-op-application.nix:2:1:
+            1| # Tests that the result of applying op is forced even if the value is never used
+            2| builtins.foldl'
+             | ^
+            3|   (_: f: f null)
+       … while calling anonymous lambda
+         at /pwd/lang/eval-fail-foldlStrict-strict-op-application.nix:3:7:
+            2| builtins.foldl'
+            3|   (_: f: f null)
+             |       ^
+            4|   null
+       … from call site
+         at /pwd/lang/eval-fail-foldlStrict-strict-op-application.nix:3:10:
+            2| builtins.foldl'
+            3|   (_: f: f null)
+             |          ^
+            4|   null
+       … while calling anonymous lambda
+         at /pwd/lang/eval-fail-foldlStrict-strict-op-application.nix:5:6:
+            4|   null
+            5|   [ (_: throw "Not the final value, but is still forced!") (_: 23) ]
+             |      ^
+            6|
+       … while calling the 'throw' builtin
+         at /pwd/lang/eval-fail-foldlStrict-strict-op-application.nix:5:9:
+            4|   null
+            5|   [ (_: throw "Not the final value, but is still forced!") (_: 23) ]
+             |         ^
+            6|
+       error: Not the final value, but is still forced!
diff --git a/test/testdata/eval-fail-foldlStrict-strict-op-application.nix b/test/testdata/eval-fail-foldlStrict-strict-op-application.nix
new file mode 100644
index 0000000..1620cc7
--- /dev/null
+++ b/test/testdata/eval-fail-foldlStrict-strict-op-application.nix
@@ -0,0 +1,5 @@
+# Tests that the result of applying op is forced even if the value is never used
+builtins.foldl'
+  (_: f: f null)
+  null
+  [ (_: throw "Not the final value, but is still forced!") (_: 23) ]
diff --git a/test/testdata/eval-fail-fromJSON-overflowing.err.exp b/test/testdata/eval-fail-fromJSON-overflowing.err.exp
new file mode 100644
index 0000000..a39082b
--- /dev/null
+++ b/test/testdata/eval-fail-fromJSON-overflowing.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'fromJSON' builtin
+         at /pwd/lang/eval-fail-fromJSON-overflowing.nix:1:1:
+            1| builtins.fromJSON ''{"attr": 18446744073709551615}''
+             | ^
+            2|
+       error: unsigned json number 18446744073709551615 outside of Nix integer range
diff --git a/test/testdata/eval-fail-fromJSON-overflowing.nix b/test/testdata/eval-fail-fromJSON-overflowing.nix
new file mode 100644
index 0000000..6dfbce3
--- /dev/null
+++ b/test/testdata/eval-fail-fromJSON-overflowing.nix
@@ -0,0 +1 @@
+builtins.fromJSON ''{"attr": 18446744073709551615}''
diff --git a/test/testdata/eval-fail-fromTOML-timestamps.err.exp b/test/testdata/eval-fail-fromTOML-timestamps.err.exp
new file mode 100644
index 0000000..9bbb251
--- /dev/null
+++ b/test/testdata/eval-fail-fromTOML-timestamps.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'fromTOML' builtin
+         at /pwd/lang/eval-fail-fromTOML-timestamps.nix:1:1:
+            1| builtins.fromTOML ''
+             | ^
+            2|   key = "value"
+       error: while parsing TOML: Dates and times are not supported
diff --git a/test/testdata/eval-fail-fromTOML-timestamps.nix b/test/testdata/eval-fail-fromTOML-timestamps.nix
new file mode 100644
index 0000000..74cff94
--- /dev/null
+++ b/test/testdata/eval-fail-fromTOML-timestamps.nix
@@ -0,0 +1,130 @@
+builtins.fromTOML ''
+  key = "value"
+  bare_key = "value"
+  bare-key = "value"
+  1234 = "value"
+  "127.0.0.1" = "value"
+  "character encoding" = "value"
+  "ʎǝʞ" = "value"
+  'key2' = "value"
+  'quoted "value"' = "value"
+  name = "Orange"
+  physical.color = "orange"
+  physical.shape = "round"
+  site."google.com" = true
+  # This is legal according to the spec, but cpptoml doesn't handle it.
+  #a.b.c = 1
+  #a.d = 2
+  str = "I'm a string. \"You can quote me\". Name\tJos\u00E9\nLocation\tSF."
+  int1 = +99
+  int2 = 42
+  int3 = 0
+  int4 = -17
+  int5 = 1_000
+  int6 = 5_349_221
+  int7 = 1_2_3_4_5
+  hex1 = 0xDEADBEEF
+  hex2 = 0xdeadbeef
+  hex3 = 0xdead_beef
+  oct1 = 0o01234567
+  oct2 = 0o755
+  bin1 = 0b11010110
+  flt1 = +1.0
+  flt2 = 3.1415
+  flt3 = -0.01
+  flt4 = 5e+22
+  flt5 = 1e6
+  flt6 = -2E-2
+  flt7 = 6.626e-34
+  flt8 = 9_224_617.445_991_228_313
+  bool1 = true
+  bool2 = false
+  odt1 = 1979-05-27T07:32:00Z
+  odt2 = 1979-05-27T00:32:00-07:00
+  odt3 = 1979-05-27T00:32:00.999999-07:00
+  odt4 = 1979-05-27 07:32:00Z
+  ldt1 = 1979-05-27T07:32:00
+  ldt2 = 1979-05-27T00:32:00.999999
+  ld1 = 1979-05-27
+  lt1 = 07:32:00
+  lt2 = 00:32:00.999999
+  arr1 = [ 1, 2, 3 ]
+  arr2 = [ "red", "yellow", "green" ]
+  arr3 = [ [ 1, 2 ], [3, 4, 5] ]
+  arr4 = [ "all", 'strings', """are the same""", ''''type'''']
+  arr5 = [ [ 1, 2 ], ["a", "b", "c"] ]
+  arr7 = [
+    1, 2, 3
+  ]
+  arr8 = [
+    1,
+    2, # this is ok
+  ]
+  [table-1]
+  key1 = "some string"
+  key2 = 123
+  [table-2]
+  key1 = "another string"
+  key2 = 456
+  [dog."tater.man"]
+  type.name = "pug"
+  [a.b.c]
+  [ d.e.f ]
+  [ g .  h  . i ]
+  [ j . "ʞ" . 'l' ]
+  [x.y.z.w]
+  name = { first = "Tom", last = "Preston-Werner" }
+  point = { x = 1, y = 2 }
+  animal = { type.name = "pug" }
+  [[products]]
+  name = "Hammer"
+  sku = 738594937
+  [[products]]
+  [[products]]
+  name = "Nail"
+  sku = 284758393
+  color = "gray"
+  [[fruit]]
+    name = "apple"
+    [fruit.physical]
+      color = "red"
+      shape = "round"
+    [[fruit.variety]]
+      name = "red delicious"
+    [[fruit.variety]]
+      name = "granny smith"
+  [[fruit]]
+    name = "banana"
+    [[fruit.variety]]
+      name = "plantain"
+''
diff --git a/test/testdata/eval-fail-hashfile-missing.err.exp b/test/testdata/eval-fail-hashfile-missing.err.exp
new file mode 100644
index 0000000..1e46539
--- /dev/null
+++ b/test/testdata/eval-fail-hashfile-missing.err.exp
@@ -0,0 +1,13 @@
+error:
+       … while calling the 'toString' builtin
+         at /pwd/lang/eval-fail-hashfile-missing.nix:4:3:
+            3| in
+            4|   toString (builtins.concatLists (map (hash: map (builtins.hashFile hash) paths) ["md5" "sha1" "sha256" "sha512"]))
+             |   ^
+            5|
+       … while evaluating the first argument passed to builtins.toString
+       … while calling the 'hashFile' builtin
+       error: opening file '/pwd/lang/this-file-is-definitely-not-there-7392097': No such file or directory
diff --git a/test/testdata/eval-fail-hashfile-missing.nix b/test/testdata/eval-fail-hashfile-missing.nix
new file mode 100644
index 0000000..ce098b8
--- /dev/null
+++ b/test/testdata/eval-fail-hashfile-missing.nix
@@ -0,0 +1,5 @@
+let
+  paths = [ ./this-file-is-definitely-not-there-7392097 "/and/neither/is/this/37293620" ];
+in
+  toString (builtins.concatLists (map (hash: map (builtins.hashFile hash) paths) ["md5" "sha1" "sha256" "sha512"]))
diff --git a/test/testdata/eval-fail-infinite-recursion-lambda.err.exp b/test/testdata/eval-fail-infinite-recursion-lambda.err.exp
new file mode 100644
index 0000000..712dd75
--- /dev/null
+++ b/test/testdata/eval-fail-infinite-recursion-lambda.err.exp
@@ -0,0 +1,38 @@
+error:
+       … from call site
+         at /pwd/lang/eval-fail-infinite-recursion-lambda.nix:1:1:
+            1| (x: x x) (x: x x)
+             | ^
+            2|
+       … while calling anonymous lambda
+         at /pwd/lang/eval-fail-infinite-recursion-lambda.nix:1:2:
+            1| (x: x x) (x: x x)
+             |  ^
+            2|
+       … from call site
+         at /pwd/lang/eval-fail-infinite-recursion-lambda.nix:1:5:
+            1| (x: x x) (x: x x)
+             |     ^
+            2|
+       … while calling anonymous lambda
+         at /pwd/lang/eval-fail-infinite-recursion-lambda.nix:1:11:
+            1| (x: x x) (x: x x)
+             |           ^
+            2|
+       … from call site
+         at /pwd/lang/eval-fail-infinite-recursion-lambda.nix:1:14:
+            1| (x: x x) (x: x x)
+             |              ^
+            2|
+       (197 duplicate frames omitted)
+       error: stack overflow; max-call-depth exceeded
+       at /pwd/lang/eval-fail-infinite-recursion-lambda.nix:1:14:
+            1| (x: x x) (x: x x)
+             |              ^
+            2|
diff --git a/test/testdata/eval-fail-infinite-recursion-lambda.flags b/test/testdata/eval-fail-infinite-recursion-lambda.flags
new file mode 100644
index 0000000..59e20ec
--- /dev/null
+++ b/test/testdata/eval-fail-infinite-recursion-lambda.flags
@@ -0,0 +1 @@
+--max-call-depth 100
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-infinite-recursion-lambda.nix b/test/testdata/eval-fail-infinite-recursion-lambda.nix
new file mode 100644
index 0000000..dd0a8bf
--- /dev/null
+++ b/test/testdata/eval-fail-infinite-recursion-lambda.nix
@@ -0,0 +1 @@
+(x: x x) (x: x x)
diff --git a/test/testdata/eval-fail-list.err.exp b/test/testdata/eval-fail-list.err.exp
new file mode 100644
index 0000000..d492f8b
--- /dev/null
+++ b/test/testdata/eval-fail-list.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while evaluating one of the elements to concatenate
+         at /pwd/lang/eval-fail-list.nix:1:2:
+            1| 8++1
+             |  ^
+            2|
+       error: expected a list but found an integer: 8
diff --git a/test/testdata/eval-fail-list.nix b/test/testdata/eval-fail-list.nix
new file mode 100644
index 0000000..fa749f2
--- /dev/null
+++ b/test/testdata/eval-fail-list.nix
@@ -0,0 +1 @@
+8++1
diff --git a/test/testdata/eval-fail-missing-arg.err.exp b/test/testdata/eval-fail-missing-arg.err.exp
new file mode 100644
index 0000000..3b162fe
--- /dev/null
+++ b/test/testdata/eval-fail-missing-arg.err.exp
@@ -0,0 +1,12 @@
+error:
+       … from call site
+         at /pwd/lang/eval-fail-missing-arg.nix:1:1:
+            1| ({x, y, z}: x + y + z) {x = "foo"; z = "bar";}
+             | ^
+            2|
+       error: function 'anonymous lambda' called without required argument 'y'
+       at /pwd/lang/eval-fail-missing-arg.nix:1:2:
+            1| ({x, y, z}: x + y + z) {x = "foo"; z = "bar";}
+             |  ^
+            2|
diff --git a/test/testdata/eval-fail-missing-arg.nix b/test/testdata/eval-fail-missing-arg.nix
new file mode 100644
index 0000000..c4be979
--- /dev/null
+++ b/test/testdata/eval-fail-missing-arg.nix
@@ -0,0 +1 @@
+({x, y, z}: x + y + z) {x = "foo"; z = "bar";}
diff --git a/test/testdata/eval-fail-mutual-recursion.err.exp b/test/testdata/eval-fail-mutual-recursion.err.exp
new file mode 100644
index 0000000..c034afc
--- /dev/null
+++ b/test/testdata/eval-fail-mutual-recursion.err.exp
@@ -0,0 +1,64 @@
+error:
+       … from call site
+         at /pwd/lang/eval-fail-mutual-recursion.nix:36:3:
+           35| in
+           36|   throwAfterA true 10
+             |   ^
+           37|
+       … while calling 'throwAfterA'
+         at /pwd/lang/eval-fail-mutual-recursion.nix:29:26:
+           28|
+           29|   throwAfterA = recurse: n:
+             |                          ^
+           30|     if n > 0
+       … from call site
+         at /pwd/lang/eval-fail-mutual-recursion.nix:31:10:
+           30|     if n > 0
+           31|     then throwAfterA recurse (n - 1)
+             |          ^
+           32|     else if recurse
+       (19 duplicate frames omitted)
+       … from call site
+         at /pwd/lang/eval-fail-mutual-recursion.nix:33:10:
+           32|     else if recurse
+           33|     then throwAfterB true 10
+             |          ^
+           34|     else throw "Uh oh!";
+       … while calling 'throwAfterB'
+         at /pwd/lang/eval-fail-mutual-recursion.nix:22:26:
+           21| let
+           22|   throwAfterB = recurse: n:
+             |                          ^
+           23|     if n > 0
+       … from call site
+         at /pwd/lang/eval-fail-mutual-recursion.nix:24:10:
+           23|     if n > 0
+           24|     then throwAfterB recurse (n - 1)
+             |          ^
+           25|     else if recurse
+       (19 duplicate frames omitted)
+       … from call site
+         at /pwd/lang/eval-fail-mutual-recursion.nix:26:10:
+           25|     else if recurse
+           26|     then throwAfterA false 10
+             |          ^
+           27|     else throw "Uh oh!";
+       (21 duplicate frames omitted)
+       … while calling the 'throw' builtin
+         at /pwd/lang/eval-fail-mutual-recursion.nix:34:10:
+           33|     then throwAfterB true 10
+           34|     else throw "Uh oh!";
+             |          ^
+           35| in
+       error: Uh oh!
diff --git a/test/testdata/eval-fail-mutual-recursion.nix b/test/testdata/eval-fail-mutual-recursion.nix
new file mode 100644
index 0000000..d090d31
--- /dev/null
+++ b/test/testdata/eval-fail-mutual-recursion.nix
@@ -0,0 +1,36 @@
+# Check that stack frame deduplication only affects consecutive intervals, and
+# that they are reported independently of any preceding sections, even if
+# they're indistinguishable.
+#
+# In terms of the current implementation, we check that we clear the set of
+# "seen frames" after eliding a group of frames.
+#
+# Suppose we have:
+# - 10 frames in a function A
+# - 10 frames in a function B
+# - 10 frames in a function A
+#
+# We want to output:
+# - a few frames of A (skip the rest)
+# - a few frames of B (skip the rest)
+# - a few frames of A (skip the rest)
+#
+# If we implemented this in the naive manner, we'd instead get:
+# - a few frames of A (skip the rest)
+# - a few frames of B (skip the rest, _and_ skip the remaining frames of A)
+let
+  throwAfterB = recurse: n:
+    if n > 0
+    then throwAfterB recurse (n - 1)
+    else if recurse
+    then throwAfterA false 10
+    else throw "Uh oh!";
+  throwAfterA = recurse: n:
+    if n > 0
+    then throwAfterA recurse (n - 1)
+    else if recurse
+    then throwAfterB true 10
+    else throw "Uh oh!";
+in
+  throwAfterA true 10
diff --git a/test/testdata/eval-fail-nested-list-items.err.exp b/test/testdata/eval-fail-nested-list-items.err.exp
new file mode 100644
index 0000000..90d4390
--- /dev/null
+++ b/test/testdata/eval-fail-nested-list-items.err.exp
@@ -0,0 +1,9 @@
+error:
+       … while evaluating a path segment
+         at /pwd/lang/eval-fail-nested-list-items.nix:11:6:
+           10|
+           11| "" + (let v = [ [ 1 2 3 4 5 6 7 8 ] [1 2 3 4]]; in builtins.deepSeq v v)
+             |      ^
+           12|
+       error: cannot coerce a list to a string: [ [ 1 2 3 4 5 6 7 8 ] [ 1 «3 items elided» ] ]
diff --git a/test/testdata/eval-fail-nested-list-items.nix b/test/testdata/eval-fail-nested-list-items.nix
new file mode 100644
index 0000000..af45b1d
--- /dev/null
+++ b/test/testdata/eval-fail-nested-list-items.nix
@@ -0,0 +1,11 @@
+# This reproduces https://github.com/NixOS/nix/issues/10993, for lists
+# $ nix run nix/2.23.1 -- eval --expr '"" + (let v = [ [ 1 2 3 4 5 6 7 8 ] [1 2 3 4]]; in builtins.deepSeq v v)'
+# error:
+#        … while evaluating a path segment
+#          at «string»:1:6:
+#             1| "" + (let v = [ [ 1 2 3 4 5 6 7 8 ] [1 2 3 4]]; in builtins.deepSeq v v)
+#              |      ^
+#
+#        error: cannot coerce a list to a string: [ [ 1 2 3 4 5 6 7 8 ] [ 1 «4294967290 items elided» ] ]
+"" + (let v = [ [ 1 2 3 4 5 6 7 8 ] [1 2 3 4]]; in builtins.deepSeq v v)
diff --git a/test/testdata/eval-fail-nonexist-path.err.exp b/test/testdata/eval-fail-nonexist-path.err.exp
new file mode 100644
index 0000000..a287067
--- /dev/null
+++ b/test/testdata/eval-fail-nonexist-path.err.exp
@@ -0,0 +1 @@
+error: path '/pwd/lang/fnord' does not exist
diff --git a/test/testdata/eval-fail-nonexist-path.nix b/test/testdata/eval-fail-nonexist-path.nix
new file mode 100644
index 0000000..f2f0810
--- /dev/null
+++ b/test/testdata/eval-fail-nonexist-path.nix
@@ -0,0 +1,4 @@
+# This must fail to evaluate, since ./fnord doesn't exist.  If it did
+# exist, it would produce "/nix/store/<hash>-fnord/xyzzy" (with an
+# appropriate context).
+"${./fnord}/xyzzy"
diff --git a/test/testdata/eval-fail-not-throws.err.exp b/test/testdata/eval-fail-not-throws.err.exp
new file mode 100644
index 0000000..fc81f72
--- /dev/null
+++ b/test/testdata/eval-fail-not-throws.err.exp
@@ -0,0 +1,14 @@
+error:
+       … in the argument of the not operator
+         at /pwd/lang/eval-fail-not-throws.nix:1:4:
+            1| ! (throw "uh oh!")
+             |    ^
+            2|
+       … while calling the 'throw' builtin
+         at /pwd/lang/eval-fail-not-throws.nix:1:4:
+            1| ! (throw "uh oh!")
+             |    ^
+            2|
+       error: uh oh!
diff --git a/test/testdata/eval-fail-not-throws.nix b/test/testdata/eval-fail-not-throws.nix
new file mode 100644
index 0000000..a74ce4e
--- /dev/null
+++ b/test/testdata/eval-fail-not-throws.nix
@@ -0,0 +1 @@
+! (throw "uh oh!")
diff --git a/test/testdata/eval-fail-overflowing-add.err.exp b/test/testdata/eval-fail-overflowing-add.err.exp
new file mode 100644
index 0000000..6458cf1
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-add.err.exp
@@ -0,0 +1,6 @@
+error: integer overflow in adding 9223372036854775807 + 1
+       at /pwd/lang/eval-fail-overflowing-add.nix:4:8:
+            3|   b = 1;
+            4| in a + b
+             |        ^
+            5|
diff --git a/test/testdata/eval-fail-overflowing-add.nix b/test/testdata/eval-fail-overflowing-add.nix
new file mode 100644
index 0000000..24258fc
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-add.nix
@@ -0,0 +1,4 @@
+let
+  a = 9223372036854775807;
+  b = 1;
+in a + b
diff --git a/test/testdata/eval-fail-overflowing-div.err.exp b/test/testdata/eval-fail-overflowing-div.err.exp
new file mode 100644
index 0000000..8ce07d4
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-div.err.exp
@@ -0,0 +1,23 @@
+error:
+       … while calling the 'seq' builtin
+         at /pwd/lang/eval-fail-overflowing-div.nix:7:4:
+            6|   b = -1;
+            7| in builtins.seq intMin (builtins.seq b (intMin / b))
+             |    ^
+            8|
+       … while calling the 'seq' builtin
+         at /pwd/lang/eval-fail-overflowing-div.nix:7:25:
+            6|   b = -1;
+            7| in builtins.seq intMin (builtins.seq b (intMin / b))
+             |                         ^
+            8|
+       … while calling the 'div' builtin
+         at /pwd/lang/eval-fail-overflowing-div.nix:7:48:
+            6|   b = -1;
+            7| in builtins.seq intMin (builtins.seq b (intMin / b))
+             |                                                ^
+            8|
+       error: integer overflow in dividing -9223372036854775808 / -1
diff --git a/test/testdata/eval-fail-overflowing-div.nix b/test/testdata/eval-fail-overflowing-div.nix
new file mode 100644
index 0000000..44fbe9d
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-div.nix
@@ -0,0 +1,7 @@
+let
+  # lol, this has to be written as an expression like this because negative
+  # numbers use unary negation rather than parsing directly, and 2**63 is out
+  # of range
+  intMin = -9223372036854775807 - 1;
+  b = -1;
+in builtins.seq intMin (builtins.seq b (intMin / b))
diff --git a/test/testdata/eval-fail-overflowing-mul.err.exp b/test/testdata/eval-fail-overflowing-mul.err.exp
new file mode 100644
index 0000000..f42b39d
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-mul.err.exp
@@ -0,0 +1,16 @@
+error:
+       … while calling the 'mul' builtin
+         at /pwd/lang/eval-fail-overflowing-mul.nix:3:10:
+            2|   a = 4294967297;
+            3| in a * a * a
+             |          ^
+            4|
+       … while calling the 'mul' builtin
+         at /pwd/lang/eval-fail-overflowing-mul.nix:3:6:
+            2|   a = 4294967297;
+            3| in a * a * a
+             |      ^
+            4|
+       error: integer overflow in multiplying 4294967297 * 4294967297
diff --git a/test/testdata/eval-fail-overflowing-mul.nix b/test/testdata/eval-fail-overflowing-mul.nix
new file mode 100644
index 0000000..6081d9c
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-mul.nix
@@ -0,0 +1,3 @@
+let
+  a = 4294967297;
+in a * a * a
diff --git a/test/testdata/eval-fail-overflowing-sub.err.exp b/test/testdata/eval-fail-overflowing-sub.err.exp
new file mode 100644
index 0000000..66a3a03
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-sub.err.exp
@@ -0,0 +1,9 @@
+error:
+       … while calling the 'sub' builtin
+         at /pwd/lang/eval-fail-overflowing-sub.nix:4:6:
+            3|   b = 2;
+            4| in a - b
+             |      ^
+            5|
+       error: integer overflow in subtracting -9223372036854775807 - 2
diff --git a/test/testdata/eval-fail-overflowing-sub.nix b/test/testdata/eval-fail-overflowing-sub.nix
new file mode 100644
index 0000000..229b8c6
--- /dev/null
+++ b/test/testdata/eval-fail-overflowing-sub.nix
@@ -0,0 +1,4 @@
+let
+  a = -9223372036854775807;
+  b = 2;
+in a - b
diff --git a/test/testdata/eval-fail-path-slash.err.exp b/test/testdata/eval-fail-path-slash.err.exp
new file mode 100644
index 0000000..e3531d3
--- /dev/null
+++ b/test/testdata/eval-fail-path-slash.err.exp
@@ -0,0 +1,6 @@
+error: path has a trailing slash
+       at /pwd/lang/eval-fail-path-slash.nix:6:12:
+            5| # and https://nixos.org/nix-dev/2016-June/020829.html
+            6| /nix/store/
+             |            ^
+            7|
diff --git a/test/testdata/eval-fail-path-slash.nix b/test/testdata/eval-fail-path-slash.nix
new file mode 100644
index 0000000..8c2e104
--- /dev/null
+++ b/test/testdata/eval-fail-path-slash.nix
@@ -0,0 +1,6 @@
+# Trailing slashes in paths are not allowed.
+# This restriction could be lifted sometime,
+# for example if we make '/' a path concatenation operator.
+# See https://github.com/NixOS/nix/issues/1138
+# and https://nixos.org/nix-dev/2016-June/020829.html
+/nix/store/
diff --git a/test/testdata/eval-fail-pipe-operators.err.exp b/test/testdata/eval-fail-pipe-operators.err.exp
new file mode 100644
index 0000000..49f3fa8
--- /dev/null
+++ b/test/testdata/eval-fail-pipe-operators.err.exp
@@ -0,0 +1,5 @@
+error: experimental Nix feature 'pipe-operators' is disabled; add '--extra-experimental-features pipe-operators' to enable it
+       at /pwd/lang/eval-fail-pipe-operators.nix:1:3:
+            1| 1 |> 2
+             |   ^
+            2|
diff --git a/test/testdata/eval-fail-pipe-operators.nix b/test/testdata/eval-fail-pipe-operators.nix
new file mode 100644
index 0000000..433e0fd
--- /dev/null
+++ b/test/testdata/eval-fail-pipe-operators.nix
@@ -0,0 +1 @@
+1 |> 2
diff --git a/test/testdata/eval-fail-recursion.err.exp b/test/testdata/eval-fail-recursion.err.exp
new file mode 100644
index 0000000..19380dc
--- /dev/null
+++ b/test/testdata/eval-fail-recursion.err.exp
@@ -0,0 +1,12 @@
+error:
+       … in the right operand of the update (//) operator
+         at /pwd/lang/eval-fail-recursion.nix:1:12:
+            1| let a = {} // a; in a.foo
+             |            ^
+            2|
+       error: infinite recursion encountered
+       at /pwd/lang/eval-fail-recursion.nix:1:15:
+            1| let a = {} // a; in a.foo
+             |               ^
+            2|
diff --git a/test/testdata/eval-fail-recursion.nix b/test/testdata/eval-fail-recursion.nix
new file mode 100644
index 0000000..075b5ed
--- /dev/null
+++ b/test/testdata/eval-fail-recursion.nix
@@ -0,0 +1 @@
+let a = {} // a; in a.foo
diff --git a/test/testdata/eval-fail-remove.err.exp b/test/testdata/eval-fail-remove.err.exp
new file mode 100644
index 0000000..292b3c3
--- /dev/null
+++ b/test/testdata/eval-fail-remove.err.exp
@@ -0,0 +1,15 @@
+error:
+       … while evaluating the attribute 'body'
+         at /pwd/lang/eval-fail-remove.nix:4:3:
+            3|
+            4|   body = (removeAttrs attrs ["x"]).x;
+             |   ^
+            5| }
+       error: attribute 'x' missing
+       at /pwd/lang/eval-fail-remove.nix:4:10:
+            3|
+            4|   body = (removeAttrs attrs ["x"]).x;
+             |          ^
+            5| }
+       Did you mean y?
diff --git a/test/testdata/eval-fail-remove.nix b/test/testdata/eval-fail-remove.nix
new file mode 100644
index 0000000..539e0eb
--- /dev/null
+++ b/test/testdata/eval-fail-remove.nix
@@ -0,0 +1,5 @@
+let {
+  attrs = {x = 123; y = 456;};
+  body = (removeAttrs attrs ["x"]).x;
+}
+\ No newline at end of file
diff --git a/test/testdata/eval-fail-scope-5.err.exp b/test/testdata/eval-fail-scope-5.err.exp
new file mode 100644
index 0000000..b0b05ca
--- /dev/null
+++ b/test/testdata/eval-fail-scope-5.err.exp
@@ -0,0 +1,28 @@
+error:
+       … while evaluating the attribute 'body'
+         at /pwd/lang/eval-fail-scope-5.nix:8:3:
+            7|
+            8|   body = f {};
+             |   ^
+            9|
+       … from call site
+         at /pwd/lang/eval-fail-scope-5.nix:8:10:
+            7|
+            8|   body = f {};
+             |          ^
+            9|
+       … while calling 'f'
+         at /pwd/lang/eval-fail-scope-5.nix:6:7:
+            5|
+            6|   f = {x ? y, y ? x}: x + y;
+             |       ^
+            7|
+       error: infinite recursion encountered
+       at /pwd/lang/eval-fail-scope-5.nix:6:12:
+            5|
+            6|   f = {x ? y, y ? x}: x + y;
+             |            ^
+            7|
diff --git a/test/testdata/eval-fail-scope-5.nix b/test/testdata/eval-fail-scope-5.nix
new file mode 100644
index 0000000..f89a65a
--- /dev/null
+++ b/test/testdata/eval-fail-scope-5.nix
@@ -0,0 +1,10 @@
+let {
+  x = "a";
+  y = "b";
+  f = {x ? y, y ? x}: x + y;
+  body = f {};
+}
diff --git a/test/testdata/eval-fail-seq.err.exp b/test/testdata/eval-fail-seq.err.exp
new file mode 100644
index 0000000..3e3d71b
--- /dev/null
+++ b/test/testdata/eval-fail-seq.err.exp
@@ -0,0 +1,14 @@
+error:
+       … while calling the 'seq' builtin
+         at /pwd/lang/eval-fail-seq.nix:1:1:
+            1| builtins.seq (abort "foo") 2
+             | ^
+            2|
+       … while calling the 'abort' builtin
+         at /pwd/lang/eval-fail-seq.nix:1:15:
+            1| builtins.seq (abort "foo") 2
+             |               ^
+            2|
+       error: evaluation aborted with the following error message: 'foo'
diff --git a/test/testdata/eval-fail-seq.nix b/test/testdata/eval-fail-seq.nix
new file mode 100644
index 0000000..cddbbfd
--- /dev/null
+++ b/test/testdata/eval-fail-seq.nix
@@ -0,0 +1 @@
+builtins.seq (abort "foo") 2
diff --git a/test/testdata/eval-fail-set-override.err.exp b/test/testdata/eval-fail-set-override.err.exp
new file mode 100644
index 0000000..9006ca4
--- /dev/null
+++ b/test/testdata/eval-fail-set-override.err.exp
@@ -0,0 +1,4 @@
+error:
+       … while evaluating the `__overrides` attribute
+       error: expected a set but found an integer: 1
diff --git a/test/testdata/eval-fail-set-override.nix b/test/testdata/eval-fail-set-override.nix
new file mode 100644
index 0000000..03551c1
--- /dev/null
+++ b/test/testdata/eval-fail-set-override.nix
@@ -0,0 +1 @@
+rec { __overrides = 1; }
diff --git a/test/testdata/eval-fail-set.err.exp b/test/testdata/eval-fail-set.err.exp
new file mode 100644
index 0000000..6dd646e
--- /dev/null
+++ b/test/testdata/eval-fail-set.err.exp
@@ -0,0 +1,5 @@
+error: undefined variable 'x'
+       at /pwd/lang/eval-fail-set.nix:1:3:
+            1| 8.x
+             |   ^
+            2|
diff --git a/test/testdata/eval-fail-set.nix b/test/testdata/eval-fail-set.nix
new file mode 100644
index 0000000..c6b7980
--- /dev/null
+++ b/test/testdata/eval-fail-set.nix
@@ -0,0 +1 @@
+8.x
diff --git a/test/testdata/eval-fail-substring.err.exp b/test/testdata/eval-fail-substring.err.exp
new file mode 100644
index 0000000..0457a82
--- /dev/null
+++ b/test/testdata/eval-fail-substring.err.exp
@@ -0,0 +1,8 @@
+error:
+       … while calling the 'substring' builtin
+         at /pwd/lang/eval-fail-substring.nix:1:1:
+            1| builtins.substring (builtins.sub 0 1) 1 "x"
+             | ^
+            2|
+       error: negative start position in 'substring'
diff --git a/test/testdata/eval-fail-substring.nix b/test/testdata/eval-fail-substring.nix
new file mode 100644
index 0000000..f37c2bc
--- /dev/null
+++ b/test/testdata/eval-fail-substring.nix
@@ -0,0 +1 @@
+builtins.substring (builtins.sub 0 1) 1 "x"
diff --git a/test/testdata/eval-fail-to-path.err.exp b/test/testdata/eval-fail-to-path.err.exp
new file mode 100644
index 0000000..d6b17be
--- /dev/null
+++ b/test/testdata/eval-fail-to-path.err.exp
@@ -0,0 +1,10 @@
+error:
+       … while calling the 'toPath' builtin
+         at /pwd/lang/eval-fail-to-path.nix:1:1:
+            1| builtins.toPath "foo/bar"
+             | ^
+            2|
+       … while evaluating the first argument passed to builtins.toPath
+       error: string 'foo/bar' doesn't represent an absolute path
diff --git a/test/testdata/eval-fail-to-path.nix b/test/testdata/eval-fail-to-path.nix
new file mode 100644
index 0000000..5e322bc
--- /dev/null
+++ b/test/testdata/eval-fail-to-path.nix
@@ -0,0 +1 @@
+builtins.toPath "foo/bar"
diff --git a/test/testdata/eval-fail-toJSON.err.exp b/test/testdata/eval-fail-toJSON.err.exp
new file mode 100644
index 0000000..ad26771
--- /dev/null
+++ b/test/testdata/eval-fail-toJSON.err.exp
@@ -0,0 +1,50 @@
+error:
+       … while calling the 'toJSON' builtin
+         at /pwd/lang/eval-fail-toJSON.nix:1:1:
+            1| builtins.toJSON {
+             | ^
+            2|   a.b = [
+       … while evaluating attribute 'a'
+         at /pwd/lang/eval-fail-toJSON.nix:2:3:
+            1| builtins.toJSON {
+            2|   a.b = [
+             |   ^
+            3|     true
+       … while evaluating attribute 'b'
+         at /pwd/lang/eval-fail-toJSON.nix:2:3:
+            1| builtins.toJSON {
+            2|   a.b = [
+             |   ^
+            3|     true
+       … while evaluating list element at index 3
+         at /pwd/lang/eval-fail-toJSON.nix:2:3:
+            1| builtins.toJSON {
+            2|   a.b = [
+             |   ^
+            3|     true
+       … while evaluating attribute 'c'
+         at /pwd/lang/eval-fail-toJSON.nix:7:7:
+            6|     {
+            7|       c.d = throw "hah no";
+             |       ^
+            8|     }
+       … while evaluating attribute 'd'
+         at /pwd/lang/eval-fail-toJSON.nix:7:7:
+            6|     {
+            7|       c.d = throw "hah no";
+             |       ^
+            8|     }
+       … while calling the 'throw' builtin
+         at /pwd/lang/eval-fail-toJSON.nix:7:13:
+            6|     {
+            7|       c.d = throw "hah no";
+             |             ^
+            8|     }
+       error: hah no
diff --git a/test/testdata/eval-fail-toJSON.nix b/test/testdata/eval-fail-toJSON.nix
new file mode 100644
index 0000000..8112e1c
--- /dev/null
+++ b/test/testdata/eval-fail-toJSON.nix
@@ -0,0 +1,10 @@
+builtins.toJSON {
+  a.b = [
+    true
+    false
+    "it's a bird"
+    {
+      c.d = throw "hah no";
+    }
+  ];
+}
diff --git a/test/testdata/eval-fail-undeclared-arg.err.exp b/test/testdata/eval-fail-undeclared-arg.err.exp
new file mode 100644
index 0000000..6e13a13
--- /dev/null
+++ b/test/testdata/eval-fail-undeclared-arg.err.exp
@@ -0,0 +1,13 @@
+error:
+       … from call site
+         at /pwd/lang/eval-fail-undeclared-arg.nix:1:1:
+            1| ({x, z}: x + z) {x = "foo"; y = "bla"; z = "bar";}
+             | ^
+            2|
+       error: function 'anonymous lambda' called with unexpected argument 'y'
+       at /pwd/lang/eval-fail-undeclared-arg.nix:1:2:
+            1| ({x, z}: x + z) {x = "foo"; y = "bla"; z = "bar";}
+             |  ^
+            2|
+       Did you mean one of x or z?
diff --git a/test/testdata/eval-fail-undeclared-arg.nix b/test/testdata/eval-fail-undeclared-arg.nix
new file mode 100644
index 0000000..cafdf16
--- /dev/null
+++ b/test/testdata/eval-fail-undeclared-arg.nix
@@ -0,0 +1 @@
+({x, z}: x + z) {x = "foo"; y = "bla"; z = "bar";}
diff --git a/test/testdata/eval-fail-using-set-as-attr-name.err.exp b/test/testdata/eval-fail-using-set-as-attr-name.err.exp
new file mode 100644
index 0000000..4326c96
--- /dev/null
+++ b/test/testdata/eval-fail-using-set-as-attr-name.err.exp
@@ -0,0 +1,14 @@
+error:
+       … while evaluating an attribute name
+         at /pwd/lang/eval-fail-using-set-as-attr-name.nix:5:10:
+            4| in
+            5|   attr.${key}
+             |          ^
+            6|
+       error: expected a string but found a set: { }
+       at /pwd/lang/eval-fail-using-set-as-attr-name.nix:5:10:
+            4| in
+            5|   attr.${key}
+             |          ^
+            6|
diff --git a/test/testdata/eval-fail-using-set-as-attr-name.nix b/test/testdata/eval-fail-using-set-as-attr-name.nix
new file mode 100644
index 0000000..48e071a
--- /dev/null
+++ b/test/testdata/eval-fail-using-set-as-attr-name.nix
@@ -0,0 +1,5 @@
+let
+  attr = {foo = "bar";};
+  key = {};
+in
+  attr.${key}
diff --git a/test/testdata/eval-okay-any-all.exp b/test/testdata/eval-okay-any-all.exp
new file mode 100644
index 0000000..eb273f4
--- /dev/null
+++ b/test/testdata/eval-okay-any-all.exp
@@ -0,0 +1 @@
+[ false false true true true true false true ]
diff --git a/test/testdata/eval-okay-any-all.nix b/test/testdata/eval-okay-any-all.nix
new file mode 100644
index 0000000..a3f26ea
--- /dev/null
+++ b/test/testdata/eval-okay-any-all.nix
@@ -0,0 +1,11 @@
+with builtins;
+[ (any (x: x == 1) [])
+  (any (x: x == 1) [2 3 4])
+  (any (x: x == 1) [1 2 3 4])
+  (any (x: x == 1) [4 3 2 1])
+  (all (x: x == 1) [])
+  (all (x: x == 1) [1])
+  (all (x: x == 1) [1 2 3])
+  (all (x: x == 1) [1 1 1])
+]
diff --git a/test/testdata/eval-okay-arithmetic.exp b/test/testdata/eval-okay-arithmetic.exp
new file mode 100644
index 0000000..5c54d10
--- /dev/null
+++ b/test/testdata/eval-okay-arithmetic.exp
@@ -0,0 +1 @@
+2216
diff --git a/test/testdata/eval-okay-arithmetic.nix b/test/testdata/eval-okay-arithmetic.nix
new file mode 100644
index 0000000..7e9e6a0
--- /dev/null
+++ b/test/testdata/eval-okay-arithmetic.nix
@@ -0,0 +1,59 @@
+with import ./lib.nix;
+let {
+  /* Supposedly tail recursive version:
+  range_ = accum: first: last:
+    if first == last then ([first] ++ accum)
+    else range_ ([first] ++ accum) (builtins.add first 1) last;
+  range = range_ [];
+  */
+  x = 12;
+  err = abort "urgh";
+  body = sum
+    [ (sum (range 1 50))
+      (123 + 456)
+      (0 + -10 + -(-11) + -x)
+      (10 - 7 - -2)
+      (10 - (6 - -1))
+      (10 - 1 + 2)
+      (3 * 4 * 5)
+      (56088 / 123 / 2)
+      (3 + 4 * const 5 0 - 6 / id 2)
+      (builtins.bitAnd 12 10) # 0b1100 & 0b1010 =  8
+      (builtins.bitOr  12 10) # 0b1100 | 0b1010 = 14
+      (builtins.bitXor 12 10) # 0b1100 ^ 0b1010 =  6
+      (if 3 < 7 then 1 else err)
+      (if 7 < 3 then err else 1)
+      (if 3 < 3 then err else 1)
+      (if 3 <= 7 then 1 else err)
+      (if 7 <= 3 then err else 1)
+      (if 3 <= 3 then 1 else err)
+      (if 3 > 7 then err else 1)
+      (if 7 > 3 then 1 else err)
+      (if 3 > 3 then err else 1)
+      (if 3 >= 7 then err else 1)
+      (if 7 >= 3 then 1 else err)
+      (if 3 >= 3 then 1 else err)
+      (if 2 > 1 == 1 < 2 then 1 else err)
+      (if 1 + 2 * 3 >= 7 then 1 else err)
+      (if 1 + 2 * 3 < 7 then err else 1)
+      # Not integer, but so what.
+      (if "aa" < "ab" then 1 else err)
+      (if "aa" < "aa" then err else 1)
+      (if "foo" < "foobar" then 1 else err)
+    ];
+}
diff --git a/test/testdata/eval-okay-attrnames.exp b/test/testdata/eval-okay-attrnames.exp
new file mode 100644
index 0000000..b4aa387
--- /dev/null
+++ b/test/testdata/eval-okay-attrnames.exp
@@ -0,0 +1 @@
+"newxfoonewxy"
diff --git a/test/testdata/eval-okay-attrnames.nix b/test/testdata/eval-okay-attrnames.nix
new file mode 100644
index 0000000..e5b26e9
--- /dev/null
+++ b/test/testdata/eval-okay-attrnames.nix
@@ -0,0 +1,11 @@
+with import ./lib.nix;
+let
+  attrs = {y = "y"; x = "x"; foo = "foo";} // rec {x = "newx"; bar = x;};
+  names = builtins.attrNames attrs;
+  values = map (name: builtins.getAttr name attrs) names;
+in assert values == builtins.attrValues attrs; concat values
diff --git a/test/testdata/eval-okay-attrs.exp b/test/testdata/eval-okay-attrs.exp
new file mode 100644
index 0000000..45b0f82
--- /dev/null
+++ b/test/testdata/eval-okay-attrs.exp
@@ -0,0 +1 @@
+987
diff --git a/test/testdata/eval-okay-attrs.nix b/test/testdata/eval-okay-attrs.nix
new file mode 100644
index 0000000..810b31a
--- /dev/null
+++ b/test/testdata/eval-okay-attrs.nix
@@ -0,0 +1,5 @@
+let {
+  as = { x = 123; y = 456; } // { z = 789; } // { z = 987; };
+  body = if as ? a then as.a else assert as ? z; as.z;
+}
diff --git a/test/testdata/eval-okay-attrs2.exp b/test/testdata/eval-okay-attrs2.exp
new file mode 100644
index 0000000..45b0f82
--- /dev/null
+++ b/test/testdata/eval-okay-attrs2.exp
@@ -0,0 +1 @@
+987
diff --git a/test/testdata/eval-okay-attrs2.nix b/test/testdata/eval-okay-attrs2.nix
new file mode 100644
index 0000000..9e06b83
--- /dev/null
+++ b/test/testdata/eval-okay-attrs2.nix
@@ -0,0 +1,10 @@
+let {
+  as = { x = 123; y = 456; } // { z = 789; } // { z = 987; };
+  A = "a";
+  Z = "z";
+  body = if builtins.hasAttr A as
+         then builtins.getAttr A as
+         else assert builtins.hasAttr Z as; builtins.getAttr Z as;
+}
diff --git a/test/testdata/eval-okay-attrs3.exp b/test/testdata/eval-okay-attrs3.exp
new file mode 100644
index 0000000..19de4fd
--- /dev/null
+++ b/test/testdata/eval-okay-attrs3.exp
@@ -0,0 +1 @@
+"foo 22 80 itchyxac"
diff --git a/test/testdata/eval-okay-attrs3.nix b/test/testdata/eval-okay-attrs3.nix
new file mode 100644
index 0000000..f29de11
--- /dev/null
+++ b/test/testdata/eval-okay-attrs3.nix
@@ -0,0 +1,22 @@
+let
+  config = 
+    {
+      services.sshd.enable = true;
+      services.sshd.port = 22;
+      services.httpd.port = 80;
+      hostName = "itchy";
+      a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z = "x";
+      foo = {
+        a = "a";
+        b.c = "c";
+      };
+    };
+in
+  if config.services.sshd.enable
+  then "foo ${toString config.services.sshd.port} ${toString config.services.httpd.port} ${config.hostName}"
+       + "${config.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z}"
+       + "${config.foo.a}"
+       + "${config.foo.b.c}"
+  else "bar"
diff --git a/test/testdata/eval-okay-attrs4.exp b/test/testdata/eval-okay-attrs4.exp
new file mode 100644
index 0000000..1851731
--- /dev/null
+++ b/test/testdata/eval-okay-attrs4.exp
@@ -0,0 +1 @@
+[ true false true false false true false false ]
diff --git a/test/testdata/eval-okay-attrs4.nix b/test/testdata/eval-okay-attrs4.nix
new file mode 100644
index 0000000..43ec812
--- /dev/null
+++ b/test/testdata/eval-okay-attrs4.nix
@@ -0,0 +1,7 @@
+let
+  as = { x.y.z = 123; a.b.c = 456; };
+  bs = null;
+in [ (as ? x) (as ? y) (as ? x.y.z) (as ? x.y.z.a) (as ? x.y.a) (as ? a.b.c) (bs ? x) (bs ? x.y.z) ]
diff --git a/test/testdata/eval-okay-attrs5.exp b/test/testdata/eval-okay-attrs5.exp
new file mode 100644
index 0000000..ce0430d
--- /dev/null
+++ b/test/testdata/eval-okay-attrs5.exp
@@ -0,0 +1 @@
+[ 123 "foo" 456 456 "foo" "xyzzy" "xyzzy" true ]
diff --git a/test/testdata/eval-okay-attrs5.nix b/test/testdata/eval-okay-attrs5.nix
new file mode 100644
index 0000000..a4584cd
--- /dev/null
+++ b/test/testdata/eval-okay-attrs5.nix
@@ -0,0 +1,21 @@
+with import ./lib.nix;
+let
+  as = { x.y.z = 123; a.b.c = 456; };
+  bs = { f-o-o.bar = "foo"; };
+  or = x: y: x || y;
+  
+in
+  [ as.x.y.z
+    as.foo or "foo"
+    as.x.y.bla or as.a.b.c
+    as.a.b.c or as.x.y.z
+    as.x.y.bla or bs.f-o-o.bar or "xyzzy"
+    as.x.y.bla or bs.bar.foo or "xyzzy"
+    (123).bla or null.foo or "xyzzy"
+    # Backwards compatibility test.
+    (fold or [] [true false false])
+  ]
diff --git a/test/testdata/eval-okay-attrs6.exp b/test/testdata/eval-okay-attrs6.exp
new file mode 100644
index 0000000..b469380
--- /dev/null
+++ b/test/testdata/eval-okay-attrs6.exp
@@ -0,0 +1 @@
+{ __overrides = { bar = "qux"; }; bar = "qux"; foo = "bar"; }
diff --git a/test/testdata/eval-okay-attrs6.nix b/test/testdata/eval-okay-attrs6.nix
new file mode 100644
index 0000000..2e5c854
--- /dev/null
+++ b/test/testdata/eval-okay-attrs6.nix
@@ -0,0 +1,4 @@
+rec {
+  "${"foo"}" = "bar";
+   __overrides = { bar = "qux"; };
+}
diff --git a/test/testdata/eval-okay-autoargs.exp b/test/testdata/eval-okay-autoargs.exp
new file mode 100644
index 0000000..7a83917
--- /dev/null
+++ b/test/testdata/eval-okay-autoargs.exp
@@ -0,0 +1 @@
+"xyzzy!xyzzy!foobar"
diff --git a/test/testdata/eval-okay-autoargs.flags b/test/testdata/eval-okay-autoargs.flags
new file mode 100644
index 0000000..ae37622
--- /dev/null
+++ b/test/testdata/eval-okay-autoargs.flags
@@ -0,0 +1 @@
+--arg lib import(lang/lib.nix) --argstr xyzzy xyzzy! -A result
diff --git a/test/testdata/eval-okay-autoargs.nix b/test/testdata/eval-okay-autoargs.nix
new file mode 100644
index 0000000..815f51b
--- /dev/null
+++ b/test/testdata/eval-okay-autoargs.nix
@@ -0,0 +1,15 @@
+let
+  foobar = "foobar";
+in
+{ xyzzy2 ? xyzzy # mutually recursive args
+, xyzzy ? "blaat" # will be overridden by --argstr
+, fb ? foobar
+, lib # will be set by --arg
+}:
+{
+  result = lib.concat [xyzzy xyzzy2 fb];
+}
diff --git a/test/testdata/eval-okay-backslash-newline-1.exp b/test/testdata/eval-okay-backslash-newline-1.exp
new file mode 100644
index 0000000..3e75436
--- /dev/null
+++ b/test/testdata/eval-okay-backslash-newline-1.exp
@@ -0,0 +1 @@
+"a\nb"
diff --git a/test/testdata/eval-okay-backslash-newline-1.nix b/test/testdata/eval-okay-backslash-newline-1.nix
new file mode 100644
index 0000000..7fef3dd
--- /dev/null
+++ b/test/testdata/eval-okay-backslash-newline-1.nix
@@ -0,0 +1,2 @@
+"a\
+b"
diff --git a/test/testdata/eval-okay-backslash-newline-2.exp b/test/testdata/eval-okay-backslash-newline-2.exp
new file mode 100644
index 0000000..3e75436
--- /dev/null
+++ b/test/testdata/eval-okay-backslash-newline-2.exp
@@ -0,0 +1 @@
+"a\nb"
diff --git a/test/testdata/eval-okay-backslash-newline-2.nix b/test/testdata/eval-okay-backslash-newline-2.nix
new file mode 100644
index 0000000..35ddf49
--- /dev/null
+++ b/test/testdata/eval-okay-backslash-newline-2.nix
@@ -0,0 +1,2 @@
+''a''\
+b''
diff --git a/test/testdata/eval-okay-baseNameOf.exp b/test/testdata/eval-okay-baseNameOf.exp
new file mode 100644
index 0000000..52c33a5
--- /dev/null
+++ b/test/testdata/eval-okay-baseNameOf.exp
@@ -0,0 +1 @@
+"ok"
diff --git a/test/testdata/eval-okay-baseNameOf.nix b/test/testdata/eval-okay-baseNameOf.nix
new file mode 100644
index 0000000..a7afdd8
--- /dev/null
+++ b/test/testdata/eval-okay-baseNameOf.nix
@@ -0,0 +1,32 @@
+assert baseNameOf "" == "";
+assert baseNameOf "." == ".";
+assert baseNameOf ".." == "..";
+assert baseNameOf "a" == "a";
+assert baseNameOf "a." == "a.";
+assert baseNameOf "a.." == "a..";
+assert baseNameOf "a.b" == "a.b";
+assert baseNameOf "a.b." == "a.b.";
+assert baseNameOf "a.b.." == "a.b..";
+assert baseNameOf "a/" == "a";
+assert baseNameOf "a/." == ".";
+assert baseNameOf "a/.." == "..";
+assert baseNameOf "a/b" == "b";
+assert baseNameOf "a/b." == "b.";
+assert baseNameOf "a/b.." == "b..";
+assert baseNameOf "a/b/c" == "c";
+assert baseNameOf "a/b/c." == "c.";
+assert baseNameOf "a/b/c.." == "c..";
+assert baseNameOf "a/b/c/d" == "d";
+assert baseNameOf "a/b/c/d." == "d.";
+assert baseNameOf "a\\b" == "a\\b";
+assert baseNameOf "C:a" == "C:a";
+assert baseNameOf "a//b" == "b";
+# It's been like this for close to a decade. We ought to commit to it.
+# https://github.com/NixOS/nix/pull/582#issuecomment-121014450
+assert baseNameOf "a//" == "";
+assert baseNameOf ./foo == "foo";
+assert baseNameOf ./foo/bar == "bar";
+"ok"
diff --git a/test/testdata/eval-okay-builtins-add.exp b/test/testdata/eval-okay-builtins-add.exp
new file mode 100644
index 0000000..0350b51
--- /dev/null
+++ b/test/testdata/eval-okay-builtins-add.exp
@@ -0,0 +1 @@
+[ 5 4 "int" "tt" "float" 4 ]
diff --git a/test/testdata/eval-okay-builtins-add.nix b/test/testdata/eval-okay-builtins-add.nix
new file mode 100644
index 0000000..c841816
--- /dev/null
+++ b/test/testdata/eval-okay-builtins-add.nix
@@ -0,0 +1,8 @@
+[
+(builtins.add 2 3)
+(builtins.add 2 2)
+(builtins.typeOf (builtins.add 2  2))
+("t" + "t")
+(builtins.typeOf (builtins.add 2.0 2))
+(builtins.add 2.0 2)
+]
diff --git a/test/testdata/eval-okay-builtins.exp b/test/testdata/eval-okay-builtins.exp
new file mode 100644
index 0000000..0661686
--- /dev/null
+++ b/test/testdata/eval-okay-builtins.exp
@@ -0,0 +1 @@
+/foo
diff --git a/test/testdata/eval-okay-builtins.nix b/test/testdata/eval-okay-builtins.nix
new file mode 100644
index 0000000..e9d65e8
--- /dev/null
+++ b/test/testdata/eval-okay-builtins.nix
@@ -0,0 +1,12 @@
+assert builtins ? currentSystem;
+assert !builtins ? __currentSystem;
+let {
+  x = if builtins ? dirOf then builtins.dirOf /foo/bar else "";
+  y = if builtins ? fnord then builtins.fnord "foo" else "";
+  body = x + y;
+  
+}
diff --git a/test/testdata/eval-okay-callable-attrs.exp b/test/testdata/eval-okay-callable-attrs.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-callable-attrs.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-callable-attrs.nix b/test/testdata/eval-okay-callable-attrs.nix
new file mode 100644
index 0000000..310a030
--- /dev/null
+++ b/test/testdata/eval-okay-callable-attrs.nix
@@ -0,0 +1 @@
+({ __functor = self: x: self.foo && x; foo = false; } // { foo = true; }) true
diff --git a/test/testdata/eval-okay-catattrs.exp b/test/testdata/eval-okay-catattrs.exp
new file mode 100644
index 0000000..b4a1e66
--- /dev/null
+++ b/test/testdata/eval-okay-catattrs.exp
@@ -0,0 +1 @@
+[ 1 2 ]
diff --git a/test/testdata/eval-okay-catattrs.nix b/test/testdata/eval-okay-catattrs.nix
new file mode 100644
index 0000000..2c3dc10
--- /dev/null
+++ b/test/testdata/eval-okay-catattrs.nix
@@ -0,0 +1 @@
+builtins.catAttrs "a" [ { a = 1; } { b = 0; } { a = 2; } ]
diff --git a/test/testdata/eval-okay-closure.exp b/test/testdata/eval-okay-closure.exp
new file mode 100644
index 0000000..e7dbf97
--- /dev/null
+++ b/test/testdata/eval-okay-closure.exp
@@ -0,0 +1 @@
+[ { foo = true; key = -13; } { foo = true; key = -12; } { foo = true; key = -11; } { foo = true; key = -9; } { foo = true; key = -8; } { foo = true; key = -7; } { foo = true; key = -5; } { foo = true; key = -4; } { foo = true; key = -3; } { key = -1; } { foo = true; key = 0; } { foo = true; key = 1; } { foo = true; key = 2; } { foo = true; key = 4; } { foo = true; key = 5; } { foo = true; key = 6; } { key = 8; } { foo = true; key = 9; } { foo = true; key = 10; } { foo = true; key = 13; } { foo = true; key = 14; } { foo = true; key = 15; } { key = 17; } { foo = true; key = 18; } { foo = true; key = 19; } { foo = true; key = 22; } { foo = true; key = 23; } { key = 26; } { foo = true; key = 27; } { foo = true; key = 28; } { foo = true; key = 31; } { foo = true; key = 32; } { key = 35; } { foo = true; key = 36; } { foo = true; key = 40; } { foo = true; key = 41; } { key = 44; } { foo = true; key = 45; } { foo = true; key = 49; } { key = 53; } { foo = true; key = 54; } { foo = true; key = 58; } { key = 62; } { foo = true; key = 67; } { key = 71; } { key = 80; } ]
diff --git a/test/testdata/eval-okay-closure.exp.xml b/test/testdata/eval-okay-closure.exp.xml
new file mode 100644
index 0000000..dffc03a
--- /dev/null
+++ b/test/testdata/eval-okay-closure.exp.xml
@@ -0,0 +1,343 @@
+<?xml version='1.0' encoding='utf-8'?>
+<expr>
+  <list>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-13" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-12" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-11" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-9" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-8" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-7" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-5" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-4" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="-3" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="-1" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="0" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="1" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="2" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="4" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="5" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="6" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="8" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="9" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="10" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="13" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="14" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="15" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="17" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="18" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="19" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="22" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="23" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="26" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="27" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="28" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="31" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="32" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="35" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="36" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="40" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="41" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="44" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="45" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="49" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="53" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="54" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="58" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="62" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="foo">
+        <bool value="true" />
+      </attr>
+      <attr name="key">
+        <int value="67" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="71" />
+      </attr>
+    </attrs>
+    <attrs>
+      <attr name="key">
+        <int value="80" />
+      </attr>
+    </attrs>
+  </list>
+</expr>
diff --git a/test/testdata/eval-okay-closure.nix b/test/testdata/eval-okay-closure.nix
new file mode 100644
index 0000000..cccd4dc
--- /dev/null
+++ b/test/testdata/eval-okay-closure.nix
@@ -0,0 +1,13 @@
+let
+  closure = builtins.genericClosure {
+    startSet = [{key = 80;}];
+    operator = {key, foo ? false}:
+      if builtins.lessThan key 0
+      then []
+      else [{key = builtins.sub key 9;} {key = builtins.sub key 13; foo = true;}];
+  };
+  sort = (import ./lib.nix).sortBy (a: b: builtins.lessThan a.key b.key);
+in sort closure
diff --git a/test/testdata/eval-okay-comments.exp b/test/testdata/eval-okay-comments.exp
new file mode 100644
index 0000000..7182dc2
--- /dev/null
+++ b/test/testdata/eval-okay-comments.exp
@@ -0,0 +1 @@
+"abcdefghijklmnopqrstuvwxyz"
diff --git a/test/testdata/eval-okay-comments.nix b/test/testdata/eval-okay-comments.nix
new file mode 100644
index 0000000..cb2cce2
--- /dev/null
+++ b/test/testdata/eval-okay-comments.nix
@@ -0,0 +1,59 @@
+# A simple comment
+"a"+ # And another
+## A double comment
+"b"+  ## And another
+# Nested # comments #
+"c"+   # and # some # other #
+# An empty line, following here:
+"d"+      # and a comment not starting the line !
+"e"+
+/* multiline comments */
+"f" +
+/* multiline
+   comments,
+   on
+   multiple
+   lines
+*/
+"g" +
+# Small, tricky comments
+/**/ "h"+ /*/*/ "i"+ /***/ "j"+ /* /*/ "k"+ /*/* /*/ "l"+
+# Comments with an even number of ending '*' used to fail:
+"m"+
+/* */ /* **/ /* ***/ /* ****/ "n"+
+/* */ /** */ /*** */ /**** */ "o"+
+/** **/ /*** ***/ /**** ****/ "p"+
+/* * ** *** **** ***** */     "q"+
+# Random comments
+/* ***** ////// * / * / /* */ "r"+
+# Mixed comments
+/* # */
+"s"+
+# /* #
+"t"+
+# /* # */
+"u"+
+# /*********/
+"v"+
+## */*
+"w"+
+/*
+ * Multiline, decorated comments
+ * # This ain't a nest'd comm'nt
+ */
+"x"+
+''${/** with **/"y"
+  # real
+  /* comments
+     inside ! # */
+  # (and empty lines)
+}''+          /* And a multiline comment,
+                 on the same line,
+                 after some spaces
+*/             # followed by a one-line comment
+"z"
+/* EOF */
diff --git a/test/testdata/eval-okay-concat.exp b/test/testdata/eval-okay-concat.exp
new file mode 100644
index 0000000..bb4bbd5
--- /dev/null
+++ b/test/testdata/eval-okay-concat.exp
@@ -0,0 +1 @@
+[ 1 2 3 4 5 6 7 8 9 ]
diff --git a/test/testdata/eval-okay-concat.nix b/test/testdata/eval-okay-concat.nix
new file mode 100644
index 0000000..d158a9b
--- /dev/null
+++ b/test/testdata/eval-okay-concat.nix
@@ -0,0 +1 @@
+[1 2 3] ++ [4 5 6] ++ [7 8 9]
diff --git a/test/testdata/eval-okay-concatmap.exp b/test/testdata/eval-okay-concatmap.exp
new file mode 100644
index 0000000..3b8be77
--- /dev/null
+++ b/test/testdata/eval-okay-concatmap.exp
@@ -0,0 +1 @@
+[ [ 1 3 5 7 9 ] [ "a" "z" "b" "z" ] ]
diff --git a/test/testdata/eval-okay-concatmap.nix b/test/testdata/eval-okay-concatmap.nix
new file mode 100644
index 0000000..97da5d3
--- /dev/null
+++ b/test/testdata/eval-okay-concatmap.nix
@@ -0,0 +1,5 @@
+with import ./lib.nix;
+[ (builtins.concatMap (x: if x / 2 * 2 == x then [] else [ x ]) (range 0 10))
+  (builtins.concatMap (x: [x] ++ ["z"]) ["a" "b"])
+]
diff --git a/test/testdata/eval-okay-concatstringssep.exp b/test/testdata/eval-okay-concatstringssep.exp
new file mode 100644
index 0000000..9398764
--- /dev/null
+++ b/test/testdata/eval-okay-concatstringssep.exp
@@ -0,0 +1 @@
+[ "" "foobarxyzzy" "foo, bar, xyzzy" "foo" "" ]
diff --git a/test/testdata/eval-okay-concatstringssep.nix b/test/testdata/eval-okay-concatstringssep.nix
new file mode 100644
index 0000000..adc4c41
--- /dev/null
+++ b/test/testdata/eval-okay-concatstringssep.nix
@@ -0,0 +1,8 @@
+with builtins;
+[ (concatStringsSep "" [])
+  (concatStringsSep "" ["foo" "bar" "xyzzy"])
+  (concatStringsSep ", " ["foo" "bar" "xyzzy"])
+  (concatStringsSep ", " ["foo"])
+  (concatStringsSep ", " [])
+]
diff --git a/test/testdata/eval-okay-context-introspection.exp b/test/testdata/eval-okay-context-introspection.exp
new file mode 100644
index 0000000..a136b00
--- /dev/null
+++ b/test/testdata/eval-okay-context-introspection.exp
@@ -0,0 +1 @@
+[ true true true true true true true true true true true true true ]
diff --git a/test/testdata/eval-okay-context-introspection.nix b/test/testdata/eval-okay-context-introspection.nix
new file mode 100644
index 0000000..8886cf3
--- /dev/null
+++ b/test/testdata/eval-okay-context-introspection.nix
@@ -0,0 +1,59 @@
+let
+  drv = derivation {
+    name = "fail";
+    builder = "/bin/false";
+    system = "x86_64-linux";
+    outputs = [ "out" "foo" ];
+  };
+  path = "${./eval-okay-context-introspection.nix}";
+  desired-context = {
+    "${builtins.unsafeDiscardStringContext path}" = {
+      path = true;
+    };
+    "${builtins.unsafeDiscardStringContext drv.drvPath}" = {
+      outputs = [ "foo" "out" ];
+      allOutputs = true;
+    };
+  };
+  combo-path = "${path}${drv.outPath}${drv.foo.outPath}${drv.drvPath}";
+  legit-context = builtins.getContext combo-path;
+  reconstructed-path = builtins.appendContext
+    (builtins.unsafeDiscardStringContext combo-path)
+    desired-context;
+  # Eta rule for strings with context.
+  etaRule = str:
+    str == builtins.appendContext
+      (builtins.unsafeDiscardStringContext str)
+      (builtins.getContext str);
+  # Only holds true if string context contains both a `DrvDeep` and
+  # `Opaque` element.
+  almostEtaRule = str:
+    str == builtins.addDrvOutputDependencies
+      (builtins.unsafeDiscardOutputDependency str);
+  addDrvOutputDependencies_idempotent = str:
+    builtins.addDrvOutputDependencies str ==
+    builtins.addDrvOutputDependencies (builtins.addDrvOutputDependencies str);
+  rules = str: [
+    (etaRule str)
+    (almostEtaRule str)
+    (addDrvOutputDependencies_idempotent str)
+  ];
+in [
+  (legit-context == desired-context)
+  (reconstructed-path == combo-path)
+  (etaRule "foo")
+  (etaRule drv.foo.outPath)
+] ++ builtins.concatMap rules [
+  drv.drvPath
+  (builtins.addDrvOutputDependencies drv.drvPath)
+  (builtins.unsafeDiscardOutputDependency drv.drvPath)
+]
diff --git a/test/testdata/eval-okay-context.exp b/test/testdata/eval-okay-context.exp
new file mode 100644
index 0000000..2f535bd
--- /dev/null
+++ b/test/testdata/eval-okay-context.exp
@@ -0,0 +1 @@
+"foo eval-okay-context.nix bar"
diff --git a/test/testdata/eval-okay-context.nix b/test/testdata/eval-okay-context.nix
new file mode 100644
index 0000000..7b9531c
--- /dev/null
+++ b/test/testdata/eval-okay-context.nix
@@ -0,0 +1,6 @@
+let s = "foo ${builtins.substring 33 100 (baseNameOf "${./eval-okay-context.nix}")} bar";
+in
+  if s != "foo eval-okay-context.nix bar"
+  then abort "context not discarded"
+  else builtins.unsafeDiscardStringContext s
diff --git a/test/testdata/eval-okay-convertHash.err.exp b/test/testdata/eval-okay-convertHash.err.exp
new file mode 100644
index 0000000..41d7467
--- /dev/null
+++ b/test/testdata/eval-okay-convertHash.err.exp
@@ -0,0 +1,108 @@
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
diff --git a/test/testdata/eval-okay-convertHash.exp b/test/testdata/eval-okay-convertHash.exp
new file mode 100644
index 0000000..16b0240
--- /dev/null
+++ b/test/testdata/eval-okay-convertHash.exp
@@ -0,0 +1 @@
+{ hashesBase16 = [ "d41d8cd98f00b204e9800998ecf8427e" "6c69ee7f211c640419d5366cc076ae46" "bb3438fbabd460ea6dbd27d153e2233b" "da39a3ee5e6b4b0d3255bfef95601890afd80709" "cd54e8568c1b37cf1e5badb0779bcbf382212189" "6d12e10b1d331dad210e47fd25d4f260802b7e77" "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" "900a4469df00ccbfd0c145c6d1e4b7953dd0afafadd7534e3a4019e8d38fc663" "ad0387b3bd8652f730ca46d25f9c170af0fd589f42e7f23f5a9e6412d97d7e56" "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" "9d0886f8c6b389398a16257bc79780fab9831c7fc11c8ab07fa732cb7b348feade382f92617c9c5305fefba0af02ab5fd39a587d330997ff5bd0db19f7666653" "21644b72aa259e5a588cd3afbafb1d4310f4889680f6c83b9d531596a5a284f34dbebff409d23bcc86aee6bad10c891606f075c6f4755cb536da27db5693f3a7" ]; hashesBase32 = [ "3y8bwfr609h3lh9ch0izcqq7fl" "26mrvc0v1nslch8r0w45zywsbc" "1v4gi57l97pmnylq6lmgxkhd5v" "143xibwh31h9bvxzalr0sjvbbvpa6ffs" "i4hj30pkrfdpgc5dbcgcydqviibfhm6d" "fxz2p030yba2bza71qhss79k3l5y24kd" "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73" "0qy6iz9yh6a079757mxdmypx0gcmnzjd3ij5q78bzk00vxll82lh" "0mkygpci4r4yb8zz5rs2kxcgvw0a2yf5zlj6r8qgfll6pnrqf0xd" "0zdl9zrg8r3i9c1g90lgg9ip5ijzv3yhz91i0zzn3r8ap9ws784gkp9dk9j3aglhgf1amqb0pj21mh7h1nxcl18akqvvf7ggqsy30yg" "19ncrpp37dx0nzzjw4k6zaqkb9mzaq2myhgpzh5aff7qqcj5wwdxslg6ixwncm7gyq8l761gwf87fgsh2bwfyr52s53k2dkqvw8c24x" "2kz74snvckxldmmbisz9ikmy031d28cs6xfdbl6rhxx42glpyz4vww4lajrc5akklxwixl0js4g84233pxvmbykiic5m7i5m9r4nr11" ]; hashesBase64 = [ "1B2M2Y8AsgTpgAmY7PhCfg==" "bGnufyEcZAQZ1TZswHauRg==" "uzQ4+6vUYOptvSfRU+IjOw==" "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" "zVToVowbN88eW62wd5vL84IhIYk=" "bRLhCx0zHa0hDkf9JdTyYIArfnc=" "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" "kApEad8AzL/QwUXG0eS3lT3Qr6+t11NOOkAZ6NOPxmM=" "rQOHs72GUvcwykbSX5wXCvD9WJ9C5/I/Wp5kEtl9flY=" "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" "nQiG+MaziTmKFiV7x5eA+rmDHH/BHIqwf6cyy3s0j+reOC+SYXycUwX++6CvAqtf05pYfTMJl/9b0NsZ92ZmUw==" "IWRLcqolnlpYjNOvuvsdQxD0iJaA9sg7nVMVlqWihPNNvr/0CdI7zIau5rrRDIkWBvB1xvR1XLU22ifbVpPzpw==" ]; hashesNix32 = [ "3y8bwfr609h3lh9ch0izcqq7fl" "26mrvc0v1nslch8r0w45zywsbc" "1v4gi57l97pmnylq6lmgxkhd5v" "143xibwh31h9bvxzalr0sjvbbvpa6ffs" "i4hj30pkrfdpgc5dbcgcydqviibfhm6d" "fxz2p030yba2bza71qhss79k3l5y24kd" "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73" "0qy6iz9yh6a079757mxdmypx0gcmnzjd3ij5q78bzk00vxll82lh" "0mkygpci4r4yb8zz5rs2kxcgvw0a2yf5zlj6r8qgfll6pnrqf0xd" "0zdl9zrg8r3i9c1g90lgg9ip5ijzv3yhz91i0zzn3r8ap9ws784gkp9dk9j3aglhgf1amqb0pj21mh7h1nxcl18akqvvf7ggqsy30yg" "19ncrpp37dx0nzzjw4k6zaqkb9mzaq2myhgpzh5aff7qqcj5wwdxslg6ixwncm7gyq8l761gwf87fgsh2bwfyr52s53k2dkqvw8c24x" "2kz74snvckxldmmbisz9ikmy031d28cs6xfdbl6rhxx42glpyz4vww4lajrc5akklxwixl0js4g84233pxvmbykiic5m7i5m9r4nr11" ]; hashesSRI = [ "md5-1B2M2Y8AsgTpgAmY7PhCfg==" "md5-bGnufyEcZAQZ1TZswHauRg==" "md5-uzQ4+6vUYOptvSfRU+IjOw==" "sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk=" "sha1-zVToVowbN88eW62wd5vL84IhIYk=" "sha1-bRLhCx0zHa0hDkf9JdTyYIArfnc=" "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" "sha256-kApEad8AzL/QwUXG0eS3lT3Qr6+t11NOOkAZ6NOPxmM=" "sha256-rQOHs72GUvcwykbSX5wXCvD9WJ9C5/I/Wp5kEtl9flY=" "sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" "sha512-nQiG+MaziTmKFiV7x5eA+rmDHH/BHIqwf6cyy3s0j+reOC+SYXycUwX++6CvAqtf05pYfTMJl/9b0NsZ92ZmUw==" "sha512-IWRLcqolnlpYjNOvuvsdQxD0iJaA9sg7nVMVlqWihPNNvr/0CdI7zIau5rrRDIkWBvB1xvR1XLU22ifbVpPzpw==" ]; }
diff --git a/test/testdata/eval-okay-convertHash.nix b/test/testdata/eval-okay-convertHash.nix
new file mode 100644
index 0000000..a0191ee
--- /dev/null
+++ b/test/testdata/eval-okay-convertHash.nix
@@ -0,0 +1,33 @@
+let
+  hashAlgos = [ "md5" "md5" "md5" "sha1" "sha1" "sha1" "sha256" "sha256" "sha256" "sha512" "sha512" "sha512" ];
+  hashesBase16 = import ./eval-okay-hashstring.exp;
+  map2 = f: { fsts, snds }: if fsts == [ ] then [ ] else [ (f (builtins.head fsts) (builtins.head snds)) ] ++ map2 f { fsts = builtins.tail fsts; snds = builtins.tail snds; };
+  map2' = f: fsts: snds: map2 f { inherit fsts snds; };
+  getOutputHashes = hashes: {
+    hashesBase16 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "base16";}) hashAlgos hashes;
+    hashesNix32 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "nix32";}) hashAlgos hashes;
+    hashesBase32 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "base32";}) hashAlgos hashes;
+    hashesBase64 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "base64";}) hashAlgos hashes;
+    hashesSRI    = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "sri"   ;}) hashAlgos hashes;
+  };
+  getOutputHashesColon = hashes: {
+    hashesBase16 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "base16";}) hashAlgos hashes;
+    hashesNix32 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "nix32";}) hashAlgos hashes;
+    hashesBase32 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "base32";}) hashAlgos hashes;
+    hashesBase64 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "base64";}) hashAlgos hashes;
+    hashesSRI    = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "sri"   ;}) hashAlgos hashes;
+  };
+  outputHashes = getOutputHashes hashesBase16;
+in
+# map2'`
+assert map2' (s1: s2: s1 + s2) [ "a" "b" ] [ "c" "d" ] == [ "ac" "bd" ];
+# hashesBase16
+assert outputHashes.hashesBase16 == hashesBase16;
+# standard SRI hashes
+assert outputHashes.hashesSRI == (map2' (hashAlgo: hashBody: hashAlgo + "-" + hashBody) hashAlgos outputHashes.hashesBase64);
+# without prefix
+assert builtins.all (x: getOutputHashes x == outputHashes) (builtins.attrValues outputHashes);
+# colon-separated.
+# Note that colon prefix must not be applied to the standard SRI. e.g. "sha256:sha256-..." is illegal.
+assert builtins.all (x: getOutputHashesColon x == outputHashes) (with outputHashes; [ hashesBase16 hashesBase32 hashesBase64 ]);
+outputHashes
diff --git a/test/testdata/eval-okay-curpos.exp b/test/testdata/eval-okay-curpos.exp
new file mode 100644
index 0000000..65fd65b
--- /dev/null
+++ b/test/testdata/eval-okay-curpos.exp
@@ -0,0 +1 @@
+[ 3 7 4 9 ]
diff --git a/test/testdata/eval-okay-curpos.nix b/test/testdata/eval-okay-curpos.nix
new file mode 100644
index 0000000..b79553d
--- /dev/null
+++ b/test/testdata/eval-okay-curpos.nix
@@ -0,0 +1,5 @@
+# Bla
+let
+  x = __curPos;
+    y = __curPos;
+in [ x.line x.column y.line y.column ]
diff --git a/test/testdata/eval-okay-deepseq.exp b/test/testdata/eval-okay-deepseq.exp
new file mode 100644
index 0000000..8d38505
--- /dev/null
+++ b/test/testdata/eval-okay-deepseq.exp
@@ -0,0 +1 @@
+456
diff --git a/test/testdata/eval-okay-deepseq.nix b/test/testdata/eval-okay-deepseq.nix
new file mode 100644
index 0000000..53aa4b1
--- /dev/null
+++ b/test/testdata/eval-okay-deepseq.nix
@@ -0,0 +1 @@
+builtins.deepSeq (let as = { x = 123; y = as; }; in as) 456
diff --git a/test/testdata/eval-okay-delayed-with-inherit.exp b/test/testdata/eval-okay-delayed-with-inherit.exp
new file mode 100644
index 0000000..eaacb55
--- /dev/null
+++ b/test/testdata/eval-okay-delayed-with-inherit.exp
@@ -0,0 +1 @@
+"b-overridden"
diff --git a/test/testdata/eval-okay-delayed-with-inherit.nix b/test/testdata/eval-okay-delayed-with-inherit.nix
new file mode 100644
index 0000000..84b388c
--- /dev/null
+++ b/test/testdata/eval-okay-delayed-with-inherit.nix
@@ -0,0 +1,24 @@
+let
+  pkgs_ = with pkgs; {
+    a = derivation {
+      name = "a";
+      system = builtins.currentSystem;
+      builder = "/bin/sh";
+      args = [ "-c" "touch $out" ];
+      inherit b;
+    };
+    inherit b;
+  };
+  packageOverrides = p: {
+    b = derivation {
+      name = "b-overridden";
+      system = builtins.currentSystem;
+      builder = "/bin/sh";
+      args = [ "-c" "touch $out" ];
+    };
+  };
+  pkgs = pkgs_ // (packageOverrides pkgs_);
+in pkgs.a.b.name
diff --git a/test/testdata/eval-okay-delayed-with.exp b/test/testdata/eval-okay-delayed-with.exp
new file mode 100644
index 0000000..8e7c61a
--- /dev/null
+++ b/test/testdata/eval-okay-delayed-with.exp
@@ -0,0 +1 @@
+"b-overridden b-overridden a"
diff --git a/test/testdata/eval-okay-delayed-with.nix b/test/testdata/eval-okay-delayed-with.nix
new file mode 100644
index 0000000..3fb023e
--- /dev/null
+++ b/test/testdata/eval-okay-delayed-with.nix
@@ -0,0 +1,29 @@
+let
+  pkgs_ = with pkgs; {
+    a = derivation {
+      name = "a";
+      system = builtins.currentSystem;
+      builder = "/bin/sh";
+      args = [ "-c" "touch $out" ];
+      inherit b;
+    };
+    b = derivation {
+      name = "b";
+      system = builtins.currentSystem;
+      builder = "/bin/sh";
+      args = [ "-c" "touch $out" ];
+      inherit a;
+    };
+    c = b;
+  };
+  packageOverrides = pkgs: with pkgs; {
+    b = derivation (b.drvAttrs // { name = "${b.name}-overridden"; });
+  };
+  pkgs = pkgs_ // (packageOverrides pkgs_);
+in "${pkgs.a.b.name} ${pkgs.c.name} ${pkgs.b.a.name}"
diff --git a/test/testdata/eval-okay-derivation-legacy.err.exp b/test/testdata/eval-okay-derivation-legacy.err.exp
new file mode 100644
index 0000000..94f0854
--- /dev/null
+++ b/test/testdata/eval-okay-derivation-legacy.err.exp
@@ -0,0 +1,6 @@
+warning: In a derivation named 'eval-okay-derivation-legacy', 'structuredAttrs' disables the effect of the derivation attribute 'allowedReferences'; use 'outputChecks.<output>.allowedReferences' instead
+warning: In a derivation named 'eval-okay-derivation-legacy', 'structuredAttrs' disables the effect of the derivation attribute 'allowedRequisites'; use 'outputChecks.<output>.allowedRequisites' instead
+warning: In a derivation named 'eval-okay-derivation-legacy', 'structuredAttrs' disables the effect of the derivation attribute 'disallowedReferences'; use 'outputChecks.<output>.disallowedReferences' instead
+warning: In a derivation named 'eval-okay-derivation-legacy', 'structuredAttrs' disables the effect of the derivation attribute 'disallowedRequisites'; use 'outputChecks.<output>.disallowedRequisites' instead
+warning: In a derivation named 'eval-okay-derivation-legacy', 'structuredAttrs' disables the effect of the derivation attribute 'maxClosureSize'; use 'outputChecks.<output>.maxClosureSize' instead
+warning: In a derivation named 'eval-okay-derivation-legacy', 'structuredAttrs' disables the effect of the derivation attribute 'maxSize'; use 'outputChecks.<output>.maxSize' instead
diff --git a/test/testdata/eval-okay-derivation-legacy.exp b/test/testdata/eval-okay-derivation-legacy.exp
new file mode 100644
index 0000000..4f374a1
--- /dev/null
+++ b/test/testdata/eval-okay-derivation-legacy.exp
@@ -0,0 +1 @@
+"/nix/store/mzgwvrjjir216ra58mwwizi8wj6y9ddr-eval-okay-derivation-legacy"
diff --git a/test/testdata/eval-okay-derivation-legacy.nix b/test/testdata/eval-okay-derivation-legacy.nix
new file mode 100644
index 0000000..b529cdf
--- /dev/null
+++ b/test/testdata/eval-okay-derivation-legacy.nix
@@ -0,0 +1,12 @@
+(builtins.derivationStrict {
+  name = "eval-okay-derivation-legacy";
+  system = "x86_64-linux";
+  builder = "/dontcare";
+  __structuredAttrs = true;
+  allowedReferences = [ ];
+  disallowedReferences = [ ];
+  allowedRequisites = [ ];
+  disallowedRequisites = [ ];
+  maxSize = 1234;
+  maxClosureSize = 12345;
+}).out
diff --git a/test/testdata/eval-okay-dynamic-attrs-2.exp b/test/testdata/eval-okay-dynamic-attrs-2.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-dynamic-attrs-2.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-dynamic-attrs-2.nix b/test/testdata/eval-okay-dynamic-attrs-2.nix
new file mode 100644
index 0000000..6d57bf8
--- /dev/null
+++ b/test/testdata/eval-okay-dynamic-attrs-2.nix
@@ -0,0 +1 @@
+{ a."${"b"}" = true; a."${"c"}" = false; }.a.b
diff --git a/test/testdata/eval-okay-dynamic-attrs-bare.exp b/test/testdata/eval-okay-dynamic-attrs-bare.exp
new file mode 100644
index 0000000..df8750a
--- /dev/null
+++ b/test/testdata/eval-okay-dynamic-attrs-bare.exp
@@ -0,0 +1 @@
+{ binds = true; hasAttrs = true; multiAttrs = true; recBinds = true; selectAttrs = true; selectOrAttrs = true; }
diff --git a/test/testdata/eval-okay-dynamic-attrs-bare.nix b/test/testdata/eval-okay-dynamic-attrs-bare.nix
new file mode 100644
index 0000000..0dbe15e
--- /dev/null
+++ b/test/testdata/eval-okay-dynamic-attrs-bare.nix
@@ -0,0 +1,17 @@
+let
+  aString = "a";
+  bString = "b";
+in {
+  hasAttrs = { a.b = null; } ? ${aString}.b;
+  selectAttrs = { a.b = true; }.a.${bString};
+  selectOrAttrs = { }.${aString} or true;
+  binds = { ${aString}."${bString}c" = true; }.a.bc;
+  recBinds = rec { ${bString} = a; a = true; }.b;
+  multiAttrs = { ${aString} = true; ${bString} = false; }.a;
+}
diff --git a/test/testdata/eval-okay-dynamic-attrs.exp b/test/testdata/eval-okay-dynamic-attrs.exp
new file mode 100644
index 0000000..df8750a
--- /dev/null
+++ b/test/testdata/eval-okay-dynamic-attrs.exp
@@ -0,0 +1 @@
+{ binds = true; hasAttrs = true; multiAttrs = true; recBinds = true; selectAttrs = true; selectOrAttrs = true; }
diff --git a/test/testdata/eval-okay-dynamic-attrs.nix b/test/testdata/eval-okay-dynamic-attrs.nix
new file mode 100644
index 0000000..ee02ac7
--- /dev/null
+++ b/test/testdata/eval-okay-dynamic-attrs.nix
@@ -0,0 +1,17 @@
+let
+  aString = "a";
+  bString = "b";
+in {
+  hasAttrs = { a.b = null; } ? "${aString}".b;
+  selectAttrs = { a.b = true; }.a."${bString}";
+  selectOrAttrs = { }."${aString}" or true;
+  binds = { "${aString}"."${bString}c" = true; }.a.bc;
+  recBinds = rec { "${bString}" = a; a = true; }.b;
+  multiAttrs = { "${aString}" = true; "${bString}" = false; }.a;
+}
diff --git a/test/testdata/eval-okay-elem.exp b/test/testdata/eval-okay-elem.exp
new file mode 100644
index 0000000..3cf6c0e
--- /dev/null
+++ b/test/testdata/eval-okay-elem.exp
@@ -0,0 +1 @@
+[ true false 30 ]
diff --git a/test/testdata/eval-okay-elem.nix b/test/testdata/eval-okay-elem.nix
new file mode 100644
index 0000000..71ea7a4
--- /dev/null
+++ b/test/testdata/eval-okay-elem.nix
@@ -0,0 +1,6 @@
+with import ./lib.nix;
+let xs = range 10 40; in
+[ (builtins.elem 23 xs) (builtins.elem 42 xs) (builtins.elemAt xs 20) ]
diff --git a/test/testdata/eval-okay-empty-args.exp b/test/testdata/eval-okay-empty-args.exp
new file mode 100644
index 0000000..cb5537d
--- /dev/null
+++ b/test/testdata/eval-okay-empty-args.exp
@@ -0,0 +1 @@
+"ab"
diff --git a/test/testdata/eval-okay-empty-args.nix b/test/testdata/eval-okay-empty-args.nix
new file mode 100644
index 0000000..78c133a
--- /dev/null
+++ b/test/testdata/eval-okay-empty-args.nix
@@ -0,0 +1 @@
+({}: {x,y,}: "${x}${y}") {} {x = "a"; y = "b";}
diff --git a/test/testdata/eval-okay-eq-derivations.exp b/test/testdata/eval-okay-eq-derivations.exp
new file mode 100644
index 0000000..ec04aab
--- /dev/null
+++ b/test/testdata/eval-okay-eq-derivations.exp
@@ -0,0 +1 @@
+[ true true true false ]
diff --git a/test/testdata/eval-okay-eq-derivations.nix b/test/testdata/eval-okay-eq-derivations.nix
new file mode 100644
index 0000000..d526cb4
--- /dev/null
+++ b/test/testdata/eval-okay-eq-derivations.nix
@@ -0,0 +1,10 @@
+let
+  drvA1 = derivation { name = "a"; builder = "/foo"; system = "i686-linux"; };
+  drvA2 = derivation { name = "a"; builder = "/foo"; system = "i686-linux"; };
+  drvA3 = derivation { name = "a"; builder = "/foo"; system = "i686-linux"; } // { dummy = 1; };
+  
+  drvC1 = derivation { name = "c"; builder = "/foo"; system = "i686-linux"; };
+  drvC2 = derivation { name = "c"; builder = "/bar"; system = "i686-linux"; };
+in [ (drvA1 == drvA1) (drvA1 == drvA2) (drvA1 == drvA3) (drvC1 == drvC2) ]
diff --git a/test/testdata/eval-okay-eq.exp b/test/testdata/eval-okay-eq.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-eq.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-eq.nix b/test/testdata/eval-okay-eq.nix
new file mode 100644
index 0000000..73d200b
--- /dev/null
+++ b/test/testdata/eval-okay-eq.nix
@@ -0,0 +1,3 @@
+["foobar" (rec {x = 1; y = x;})]
+==
+[("foo" + "bar") ({x = 1; y = 1;})]
diff --git a/test/testdata/eval-okay-filter.exp b/test/testdata/eval-okay-filter.exp
new file mode 100644
index 0000000..355d51c
--- /dev/null
+++ b/test/testdata/eval-okay-filter.exp
@@ -0,0 +1 @@
+[ 0 2 4 6 8 10 100 102 104 106 108 110 ]
diff --git a/test/testdata/eval-okay-filter.nix b/test/testdata/eval-okay-filter.nix
new file mode 100644
index 0000000..85109b0
--- /dev/null
+++ b/test/testdata/eval-okay-filter.nix
@@ -0,0 +1,5 @@
+with import ./lib.nix;
+builtins.filter
+  (x: x / 2 * 2 == x)
+  (builtins.concatLists [ (range 0 10) (range 100 110) ])
diff --git a/test/testdata/eval-okay-flake-ref-to-string.exp b/test/testdata/eval-okay-flake-ref-to-string.exp
new file mode 100644
index 0000000..110f844
--- /dev/null
+++ b/test/testdata/eval-okay-flake-ref-to-string.exp
@@ -0,0 +1 @@
+"github:NixOS/nixpkgs/23.05?dir=lib"
diff --git a/test/testdata/eval-okay-flake-ref-to-string.nix b/test/testdata/eval-okay-flake-ref-to-string.nix
new file mode 100644
index 0000000..dbb4e5b
--- /dev/null
+++ b/test/testdata/eval-okay-flake-ref-to-string.nix
@@ -0,0 +1,7 @@
+builtins.flakeRefToString {
+  type  = "github";
+  owner = "NixOS";
+  repo  = "nixpkgs";
+  ref   = "23.05";
+  dir   = "lib";
+}
diff --git a/test/testdata/eval-okay-flatten.exp b/test/testdata/eval-okay-flatten.exp
new file mode 100644
index 0000000..b979b2b
--- /dev/null
+++ b/test/testdata/eval-okay-flatten.exp
@@ -0,0 +1 @@
+"1234567"
diff --git a/test/testdata/eval-okay-flatten.nix b/test/testdata/eval-okay-flatten.nix
new file mode 100644
index 0000000..fe911e9
--- /dev/null
+++ b/test/testdata/eval-okay-flatten.nix
@@ -0,0 +1,8 @@
+with import ./lib.nix;
+let {
+  l = ["1" "2" ["3" ["4"] ["5" "6"]] "7"];
+  body = concat (flatten l);
+}
diff --git a/test/testdata/eval-okay-float.exp b/test/testdata/eval-okay-float.exp
new file mode 100644
index 0000000..3c50a8a
--- /dev/null
+++ b/test/testdata/eval-okay-float.exp
@@ -0,0 +1 @@
+[ 3.4 3.5 2.5 1.5 ]
diff --git a/test/testdata/eval-okay-float.nix b/test/testdata/eval-okay-float.nix
new file mode 100644
index 0000000..b2702c7
--- /dev/null
+++ b/test/testdata/eval-okay-float.nix
@@ -0,0 +1,6 @@
+[
+  (1.1 + 2.3)
+  (builtins.add (0.5 + 0.5) (2.0 + 0.5))
+  ((0.5 + 0.5) * (2.0 + 0.5))
+  ((1.5 + 1.5) / (0.5 * 4.0))
+]
diff --git a/test/testdata/eval-okay-floor-ceil.exp b/test/testdata/eval-okay-floor-ceil.exp
new file mode 100644
index 0000000..81f8042
--- /dev/null
+++ b/test/testdata/eval-okay-floor-ceil.exp
@@ -0,0 +1 @@
+"23;24;23;23"
diff --git a/test/testdata/eval-okay-floor-ceil.nix b/test/testdata/eval-okay-floor-ceil.nix
new file mode 100644
index 0000000..d76a0d8
--- /dev/null
+++ b/test/testdata/eval-okay-floor-ceil.nix
@@ -0,0 +1,9 @@
+with import ./lib.nix;
+let
+  n1 = builtins.floor 23.5;
+  n2 = builtins.ceil 23.5;
+  n3 = builtins.floor 23;
+  n4 = builtins.ceil 23;
+in
+  builtins.concatStringsSep ";" (map toString [ n1 n2 n3 n4 ])
diff --git a/test/testdata/eval-okay-foldlStrict-lazy-elements.exp b/test/testdata/eval-okay-foldlStrict-lazy-elements.exp
new file mode 100644
index 0000000..d81cc07
--- /dev/null
+++ b/test/testdata/eval-okay-foldlStrict-lazy-elements.exp
@@ -0,0 +1 @@
+42
diff --git a/test/testdata/eval-okay-foldlStrict-lazy-elements.nix b/test/testdata/eval-okay-foldlStrict-lazy-elements.nix
new file mode 100644
index 0000000..c666e07
--- /dev/null
+++ b/test/testdata/eval-okay-foldlStrict-lazy-elements.nix
@@ -0,0 +1,9 @@
+# Tests that the rhs argument of op is not forced unconditionally
+let
+  lst = builtins.foldl'
+    (acc: x: acc ++ [ x ])
+    [ ]
+    [ 42 (throw "this shouldn't be evaluated") ];
+in
+builtins.head lst
diff --git a/test/testdata/eval-okay-foldlStrict-lazy-initial-accumulator.exp b/test/testdata/eval-okay-foldlStrict-lazy-initial-accumulator.exp
new file mode 100644
index 0000000..d81cc07
--- /dev/null
+++ b/test/testdata/eval-okay-foldlStrict-lazy-initial-accumulator.exp
@@ -0,0 +1 @@
+42
diff --git a/test/testdata/eval-okay-foldlStrict-lazy-initial-accumulator.nix b/test/testdata/eval-okay-foldlStrict-lazy-initial-accumulator.nix
new file mode 100644
index 0000000..abcd536
--- /dev/null
+++ b/test/testdata/eval-okay-foldlStrict-lazy-initial-accumulator.nix
@@ -0,0 +1,6 @@
+# Checks that the nul value for the accumulator is not forced unconditionally.
+# Some languages provide a foldl' that is strict in this argument, but Nix does not.
+builtins.foldl'
+  (_: x: x)
+  (throw "This is never forced")
+  [ "but the results of applying op are" 42 ]
diff --git a/test/testdata/eval-okay-foldlStrict.exp b/test/testdata/eval-okay-foldlStrict.exp
new file mode 100644
index 0000000..837e12b
--- /dev/null
+++ b/test/testdata/eval-okay-foldlStrict.exp
@@ -0,0 +1 @@
+500500
diff --git a/test/testdata/eval-okay-foldlStrict.nix b/test/testdata/eval-okay-foldlStrict.nix
new file mode 100644
index 0000000..3b87188
--- /dev/null
+++ b/test/testdata/eval-okay-foldlStrict.nix
@@ -0,0 +1,3 @@
+with import ./lib.nix;
+builtins.foldl' (x: y: x + y) 0 (range 1 1000)
diff --git a/test/testdata/eval-okay-fromTOML-timestamps.exp b/test/testdata/eval-okay-fromTOML-timestamps.exp
new file mode 100644
index 0000000..08b3c69
--- /dev/null
+++ b/test/testdata/eval-okay-fromTOML-timestamps.exp
@@ -0,0 +1 @@
+{ "1234" = "value"; "127.0.0.1" = "value"; a = { b = { c = { }; }; }; arr1 = [ 1 2 3 ]; arr2 = [ "red" "yellow" "green" ]; arr3 = [ [ 1 2 ] [ 3 4 5 ] ]; arr4 = [ "all" "strings" "are the same" "type" ]; arr5 = [ [ 1 2 ] [ "a" "b" "c" ] ]; arr7 = [ 1 2 3 ]; arr8 = [ 1 2 ]; bare-key = "value"; bare_key = "value"; bin1 = 214; bool1 = true; bool2 = false; "character encoding" = "value"; d = { e = { f = { }; }; }; dog = { "tater.man" = { type = { name = "pug"; }; }; }; flt1 = 1; flt2 = 3.1415; flt3 = -0.01; flt4 = 5e+22; flt5 = 1e+06; flt6 = -0.02; flt7 = 6.626e-34; flt8 = 9.22462e+06; fruit = [ { name = "apple"; physical = { color = "red"; shape = "round"; }; variety = [ { name = "red delicious"; } { name = "granny smith"; } ]; } { name = "banana"; variety = [ { name = "plantain"; } ]; } ]; g = { h = { i = { }; }; }; hex1 = 3735928559; hex2 = 3735928559; hex3 = 3735928559; int1 = 99; int2 = 42; int3 = 0; int4 = -17; int5 = 1000; int6 = 5349221; int7 = 12345; j = { "ʞ" = { l = { }; }; }; key = "value"; key2 = "value"; ld1 = { _type = "timestamp"; value = "1979-05-27"; }; ldt1 = { _type = "timestamp"; value = "1979-05-27T07:32:00"; }; ldt2 = { _type = "timestamp"; value = "1979-05-27T00:32:00.999999"; }; lt1 = { _type = "timestamp"; value = "07:32:00"; }; lt2 = { _type = "timestamp"; value = "00:32:00.999999"; }; name = "Orange"; oct1 = 342391; oct2 = 493; odt1 = { _type = "timestamp"; value = "1979-05-27T07:32:00Z"; }; odt2 = { _type = "timestamp"; value = "1979-05-27T00:32:00-07:00"; }; odt3 = { _type = "timestamp"; value = "1979-05-27T00:32:00.999999-07:00"; }; odt4 = { _type = "timestamp"; value = "1979-05-27T07:32:00Z"; }; physical = { color = "orange"; shape = "round"; }; products = [ { name = "Hammer"; sku = 738594937; } { } { color = "gray"; name = "Nail"; sku = 284758393; } ]; "quoted \"value\"" = "value"; site = { "google.com" = true; }; str = "I'm a string. \"You can quote me\". Name\tJosé\nLocation\tSF."; table-1 = { key1 = "some string"; key2 = 123; }; table-2 = { key1 = "another string"; key2 = 456; }; x = { y = { z = { w = { animal = { type = { name = "pug"; }; }; name = { first = "Tom"; last = "Preston-Werner"; }; point = { x = 1; y = 2; }; }; }; }; }; "ʎǝʞ" = "value"; }
diff --git a/test/testdata/eval-okay-fromTOML-timestamps.flags b/test/testdata/eval-okay-fromTOML-timestamps.flags
new file mode 100644
index 0000000..9ed39dc
--- /dev/null
+++ b/test/testdata/eval-okay-fromTOML-timestamps.flags
@@ -0,0 +1 @@
+--extra-experimental-features parse-toml-timestamps
diff --git a/test/testdata/eval-okay-fromTOML-timestamps.nix b/test/testdata/eval-okay-fromTOML-timestamps.nix
new file mode 100644
index 0000000..74cff94
--- /dev/null
+++ b/test/testdata/eval-okay-fromTOML-timestamps.nix
@@ -0,0 +1,130 @@
+builtins.fromTOML ''
+  key = "value"
+  bare_key = "value"
+  bare-key = "value"
+  1234 = "value"
+  "127.0.0.1" = "value"
+  "character encoding" = "value"
+  "ʎǝʞ" = "value"
+  'key2' = "value"
+  'quoted "value"' = "value"
+  name = "Orange"
+  physical.color = "orange"
+  physical.shape = "round"
+  site."google.com" = true
+  # This is legal according to the spec, but cpptoml doesn't handle it.
+  #a.b.c = 1
+  #a.d = 2
+  str = "I'm a string. \"You can quote me\". Name\tJos\u00E9\nLocation\tSF."
+  int1 = +99
+  int2 = 42
+  int3 = 0
+  int4 = -17
+  int5 = 1_000
+  int6 = 5_349_221
+  int7 = 1_2_3_4_5
+  hex1 = 0xDEADBEEF
+  hex2 = 0xdeadbeef
+  hex3 = 0xdead_beef
+  oct1 = 0o01234567
+  oct2 = 0o755
+  bin1 = 0b11010110
+  flt1 = +1.0
+  flt2 = 3.1415
+  flt3 = -0.01
+  flt4 = 5e+22
+  flt5 = 1e6
+  flt6 = -2E-2
+  flt7 = 6.626e-34
+  flt8 = 9_224_617.445_991_228_313
+  bool1 = true
+  bool2 = false
+  odt1 = 1979-05-27T07:32:00Z
+  odt2 = 1979-05-27T00:32:00-07:00
+  odt3 = 1979-05-27T00:32:00.999999-07:00
+  odt4 = 1979-05-27 07:32:00Z
+  ldt1 = 1979-05-27T07:32:00
+  ldt2 = 1979-05-27T00:32:00.999999
+  ld1 = 1979-05-27
+  lt1 = 07:32:00
+  lt2 = 00:32:00.999999
+  arr1 = [ 1, 2, 3 ]
+  arr2 = [ "red", "yellow", "green" ]
+  arr3 = [ [ 1, 2 ], [3, 4, 5] ]
+  arr4 = [ "all", 'strings', """are the same""", ''''type'''']
+  arr5 = [ [ 1, 2 ], ["a", "b", "c"] ]
+  arr7 = [
+    1, 2, 3
+  ]
+  arr8 = [
+    1,
+    2, # this is ok
+  ]
+  [table-1]
+  key1 = "some string"
+  key2 = 123
+  [table-2]
+  key1 = "another string"
+  key2 = 456
+  [dog."tater.man"]
+  type.name = "pug"
+  [a.b.c]
+  [ d.e.f ]
+  [ g .  h  . i ]
+  [ j . "ʞ" . 'l' ]
+  [x.y.z.w]
+  name = { first = "Tom", last = "Preston-Werner" }
+  point = { x = 1, y = 2 }
+  animal = { type.name = "pug" }
+  [[products]]
+  name = "Hammer"
+  sku = 738594937
+  [[products]]
+  [[products]]
+  name = "Nail"
+  sku = 284758393
+  color = "gray"
+  [[fruit]]
+    name = "apple"
+    [fruit.physical]
+      color = "red"
+      shape = "round"
+    [[fruit.variety]]
+      name = "red delicious"
+    [[fruit.variety]]
+      name = "granny smith"
+  [[fruit]]
+    name = "banana"
+    [[fruit.variety]]
+      name = "plantain"
+''
diff --git a/test/testdata/eval-okay-fromTOML.exp b/test/testdata/eval-okay-fromTOML.exp
new file mode 100644
index 0000000..d0dd3af
--- /dev/null
+++ b/test/testdata/eval-okay-fromTOML.exp
@@ -0,0 +1 @@
+[ { clients = { data = [ [ "gamma" "delta" ] [ 1 2 ] ]; hosts = [ "alpha" "omega" ]; }; database = { connection_max = 5000; enabled = true; ports = [ 8001 8001 8002 ]; server = "192.168.1.1"; }; owner = { name = "Tom Preston-Werner"; }; servers = { alpha = { dc = "eqdc10"; ip = "10.0.0.1"; }; beta = { dc = "eqdc10"; ip = "10.0.0.2"; }; }; title = "TOML Example"; } { "1234" = "value"; "127.0.0.1" = "value"; a = { b = { c = { }; }; }; arr1 = [ 1 2 3 ]; arr2 = [ "red" "yellow" "green" ]; arr3 = [ [ 1 2 ] [ 3 4 5 ] ]; arr4 = [ "all" "strings" "are the same" "type" ]; arr5 = [ [ 1 2 ] [ "a" "b" "c" ] ]; arr7 = [ 1 2 3 ]; arr8 = [ 1 2 ]; bare-key = "value"; bare_key = "value"; bin1 = 214; bool1 = true; bool2 = false; "character encoding" = "value"; d = { e = { f = { }; }; }; dog = { "tater.man" = { type = { name = "pug"; }; }; }; flt1 = 1; flt2 = 3.1415; flt3 = -0.01; flt4 = 5e+22; flt5 = 1e+06; flt6 = -0.02; flt7 = 6.626e-34; flt8 = 9.22462e+06; fruit = [ { name = "apple"; physical = { color = "red"; shape = "round"; }; variety = [ { name = "red delicious"; } { name = "granny smith"; } ]; } { name = "banana"; variety = [ { name = "plantain"; } ]; } ]; g = { h = { i = { }; }; }; hex1 = 3735928559; hex2 = 3735928559; hex3 = 3735928559; int1 = 99; int2 = 42; int3 = 0; int4 = -17; int5 = 1000; int6 = 5349221; int7 = 12345; j = { "ʞ" = { l = { }; }; }; key = "value"; key2 = "value"; name = "Orange"; oct1 = 342391; oct2 = 493; physical = { color = "orange"; shape = "round"; }; products = [ { name = "Hammer"; sku = 738594937; } { } { color = "gray"; name = "Nail"; sku = 284758393; } ]; "quoted \"value\"" = "value"; site = { "google.com" = true; }; str = "I'm a string. \"You can quote me\". Name\tJosé\nLocation\tSF."; table-1 = { key1 = "some string"; key2 = 123; }; table-2 = { key1 = "another string"; key2 = 456; }; x = { y = { z = { w = { animal = { type = { name = "pug"; }; }; name = { first = "Tom"; last = "Preston-Werner"; }; point = { x = 1; y = 2; }; }; }; }; }; "ʎǝʞ" = "value"; } { metadata = { "checksum aho-corasick 0.6.4 (registry+https://github.com/rust-lang/crates.io-index)" = "d6531d44de723825aa81398a6415283229725a00fa30713812ab9323faa82fc4"; "checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"; "checksum ansi_term 0.9.0 (registry+https://github.com/rust-lang/crates.io-index)" = "23ac7c30002a5accbf7e8987d0632fa6de155b7c3d39d0067317a391e00a2ef6"; "checksum arrayvec 0.4.7 (registry+https://github.com/rust-lang/crates.io-index)" = "a1e964f9e24d588183fcb43503abda40d288c8657dfc27311516ce2f05675aef"; }; package = [ { dependencies = [ "memchr 2.0.1 (registry+https://github.com/rust-lang/crates.io-index)" ]; name = "aho-corasick"; source = "registry+https://github.com/rust-lang/crates.io-index"; version = "0.6.4"; } { name = "ansi_term"; source = "registry+https://github.com/rust-lang/crates.io-index"; version = "0.9.0"; } { dependencies = [ "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)" "termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)" "winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)" ]; name = "atty"; source = "registry+https://github.com/rust-lang/crates.io-index"; version = "0.2.10"; } ]; } { a = [ [ { b = true; } ] ]; c = [ [ { d = true; } ] ]; e = [ [ 123 ] ]; } ]
diff --git a/test/testdata/eval-okay-fromTOML.nix b/test/testdata/eval-okay-fromTOML.nix
new file mode 100644
index 0000000..9639326
--- /dev/null
+++ b/test/testdata/eval-okay-fromTOML.nix
@@ -0,0 +1,208 @@
+[
+  (builtins.fromTOML ''
+    # This is a TOML document.
+    title = "TOML Example"
+    [owner]
+    name = "Tom Preston-Werner"
+    #dob = 1979-05-27T07:32:00-08:00 # First class dates
+    [database]
+    server = "192.168.1.1"
+    ports = [ 8001, 8001, 8002 ]
+    connection_max = 5000
+    enabled = true
+    [servers]
+      # Indentation (tabs and/or spaces) is allowed but not required
+      [servers.alpha]
+      ip = "10.0.0.1"
+      dc = "eqdc10"
+      [servers.beta]
+      ip = "10.0.0.2"
+      dc = "eqdc10"
+    [clients]
+    data = [ ["gamma", "delta"], [1, 2] ]
+    # Line breaks are OK when inside arrays
+    hosts = [
+      "alpha",
+      "omega"
+    ]
+  '')
+  (builtins.fromTOML ''
+    key = "value"
+    bare_key = "value"
+    bare-key = "value"
+    1234 = "value"
+    "127.0.0.1" = "value"
+    "character encoding" = "value"
+    "ʎǝʞ" = "value"
+    'key2' = "value"
+    'quoted "value"' = "value"
+    name = "Orange"
+    physical.color = "orange"
+    physical.shape = "round"
+    site."google.com" = true
+    # This is legal according to the spec, but cpptoml doesn't handle it.
+    #a.b.c = 1
+    #a.d = 2
+    str = "I'm a string. \"You can quote me\". Name\tJos\u00E9\nLocation\tSF."
+    int1 = +99
+    int2 = 42
+    int3 = 0
+    int4 = -17
+    int5 = 1_000
+    int6 = 5_349_221
+    int7 = 1_2_3_4_5
+    hex1 = 0xDEADBEEF
+    hex2 = 0xdeadbeef
+    hex3 = 0xdead_beef
+    oct1 = 0o01234567
+    oct2 = 0o755
+    bin1 = 0b11010110
+    flt1 = +1.0
+    flt2 = 3.1415
+    flt3 = -0.01
+    flt4 = 5e+22
+    flt5 = 1e6
+    flt6 = -2E-2
+    flt7 = 6.626e-34
+    flt8 = 9_224_617.445_991_228_313
+    bool1 = true
+    bool2 = false
+    # FIXME: not supported because Nix doesn't have a date/time type.
+    #odt1 = 1979-05-27T07:32:00Z
+    #odt2 = 1979-05-27T00:32:00-07:00
+    #odt3 = 1979-05-27T00:32:00.999999-07:00
+    #odt4 = 1979-05-27 07:32:00Z
+    #ldt1 = 1979-05-27T07:32:00
+    #ldt2 = 1979-05-27T00:32:00.999999
+    #ld1 = 1979-05-27
+    #lt1 = 07:32:00
+    #lt2 = 00:32:00.999999
+    arr1 = [ 1, 2, 3 ]
+    arr2 = [ "red", "yellow", "green" ]
+    arr3 = [ [ 1, 2 ], [3, 4, 5] ]
+    arr4 = [ "all", 'strings', """are the same""", ''''type'''']
+    arr5 = [ [ 1, 2 ], ["a", "b", "c"] ]
+    arr7 = [
+      1, 2, 3
+    ]
+    arr8 = [
+      1,
+      2, # this is ok
+    ]
+    [table-1]
+    key1 = "some string"
+    key2 = 123
+    [table-2]
+    key1 = "another string"
+    key2 = 456
+    [dog."tater.man"]
+    type.name = "pug"
+    [a.b.c]
+    [ d.e.f ]
+    [ g .  h  . i ]
+    [ j . "ʞ" . 'l' ]
+    [x.y.z.w]
+    name = { first = "Tom", last = "Preston-Werner" }
+    point = { x = 1, y = 2 }
+    animal = { type.name = "pug" }
+    [[products]]
+    name = "Hammer"
+    sku = 738594937
+    [[products]]
+    [[products]]
+    name = "Nail"
+    sku = 284758393
+    color = "gray"
+    [[fruit]]
+      name = "apple"
+      [fruit.physical]
+        color = "red"
+        shape = "round"
+      [[fruit.variety]]
+        name = "red delicious"
+      [[fruit.variety]]
+        name = "granny smith"
+    [[fruit]]
+      name = "banana"
+      [[fruit.variety]]
+        name = "plantain"
+  '')
+  (builtins.fromTOML ''
+    [[package]]
+    name = "aho-corasick"
+    version = "0.6.4"
+    source = "registry+https://github.com/rust-lang/crates.io-index"
+    dependencies = [
+     "memchr 2.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
+    ]
+    [[package]]
+    name = "ansi_term"
+    version = "0.9.0"
+    source = "registry+https://github.com/rust-lang/crates.io-index"
+    [[package]]
+    name = "atty"
+    version = "0.2.10"
+    source = "registry+https://github.com/rust-lang/crates.io-index"
+    dependencies = [
+     "libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
+     "termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)",
+     "winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
+    ]
+    [metadata]
+    "checksum aho-corasick 0.6.4 (registry+https://github.com/rust-lang/crates.io-index)" = "d6531d44de723825aa81398a6415283229725a00fa30713812ab9323faa82fc4"
+    "checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+    "checksum ansi_term 0.9.0 (registry+https://github.com/rust-lang/crates.io-index)" = "23ac7c30002a5accbf7e8987d0632fa6de155b7c3d39d0067317a391e00a2ef6"
+    "checksum arrayvec 0.4.7 (registry+https://github.com/rust-lang/crates.io-index)" = "a1e964f9e24d588183fcb43503abda40d288c8657dfc27311516ce2f05675aef"
+  '')
+  (builtins.fromTOML ''
+    a = [[{ b = true }]]
+    c = [ [ { d = true } ] ]
+    e = [[123]]
+  '')
+]
diff --git a/test/testdata/eval-okay-fromjson-escapes.exp b/test/testdata/eval-okay-fromjson-escapes.exp
new file mode 100644
index 0000000..add5505
--- /dev/null
+++ b/test/testdata/eval-okay-fromjson-escapes.exp
@@ -0,0 +1 @@
+"quote \" reverse solidus \\ solidus / backspace  formfeed  newline \n carriage return \r horizontal tab \t 1 char unicode encoded backspace  1 char unicode encoded e with accent é 2 char unicode encoded s with caron š 3 char unicode encoded rightwards arrow →"
diff --git a/test/testdata/eval-okay-fromjson-escapes.nix b/test/testdata/eval-okay-fromjson-escapes.nix
new file mode 100644
index 0000000..f007135
--- /dev/null
+++ b/test/testdata/eval-okay-fromjson-escapes.nix
@@ -0,0 +1,3 @@
+# This string contains all supported escapes in a JSON string, per json.org
+# \b and \f are not supported by Nix
+builtins.fromJSON ''"quote \" reverse solidus \\ solidus \/ backspace \b formfeed \f newline \n carriage return \r horizontal tab \t 1 char unicode encoded backspace \u0008 1 char unicode encoded e with accent \u00e9 2 char unicode encoded s with caron \u0161 3 char unicode encoded rightwards arrow \u2192"''
diff --git a/test/testdata/eval-okay-fromjson.exp b/test/testdata/eval-okay-fromjson.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-fromjson.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-fromjson.nix b/test/testdata/eval-okay-fromjson.nix
new file mode 100644
index 0000000..4c526b9
--- /dev/null
+++ b/test/testdata/eval-okay-fromjson.nix
@@ -0,0 +1,41 @@
+builtins.fromJSON
+  ''
+    {
+      "Video": {
+          "Title":  "The Penguin Chronicles",
+          "Width":  1920,
+          "Height": 1080,
+          "EmbeddedData": [3.14159, 23493,null, true  ,false, -10],
+          "Thumb": {
+              "Url":    "http://www.example.com/video/5678931",
+              "Width":  200,
+              "Height": 250
+          },
+          "Animated" : false,
+          "IDs": [116, 943, 234, 38793, true  ,false,null, -100],
+          "Escapes": "\"\\\/\t\n\r\t",
+          "Subtitle" : false,
+          "Latitude":  37.7668,
+          "Longitude": -122.3959
+        }
+    }
+  ''
+==
+  { Video =
+    { Title = "The Penguin Chronicles";
+      Width = 1920;
+      Height = 1080;
+      EmbeddedData = [ 3.14159 23493 null true false (0-10) ];
+      Thumb =
+        { Url = "http://www.example.com/video/5678931";
+          Width = 200;
+          Height = 250;
+        };
+      Animated = false;
+      IDs = [ 116 943 234 38793 true false null (0-100) ];
+      Escapes = "\"\\\/\t\n\r\t";  # supported in JSON but not Nix: \b\f
+      Subtitle = false;
+      Latitude = 37.7668;
+      Longitude = -122.3959;
+    };
+  }
diff --git a/test/testdata/eval-okay-functionargs.exp b/test/testdata/eval-okay-functionargs.exp
new file mode 100644
index 0000000..c1c9f8f
--- /dev/null
+++ b/test/testdata/eval-okay-functionargs.exp
@@ -0,0 +1 @@
+[ "stdenv" "fetchurl" "aterm-stdenv" "aterm-stdenv2" "libX11" "libXv" "mplayer-stdenv2.libXv-libX11" "mplayer-stdenv2.libXv-libX11_2" "nix-stdenv-aterm-stdenv" "nix-stdenv2-aterm2-stdenv2" ]
diff --git a/test/testdata/eval-okay-functionargs.exp.xml b/test/testdata/eval-okay-functionargs.exp.xml
new file mode 100644
index 0000000..651f54c
--- /dev/null
+++ b/test/testdata/eval-okay-functionargs.exp.xml
@@ -0,0 +1,15 @@
+<?xml version='1.0' encoding='utf-8'?>
+<expr>
+  <list>
+    <string value="stdenv" />
+    <string value="fetchurl" />
+    <string value="aterm-stdenv" />
+    <string value="aterm-stdenv2" />
+    <string value="libX11" />
+    <string value="libXv" />
+    <string value="mplayer-stdenv2.libXv-libX11" />
+    <string value="mplayer-stdenv2.libXv-libX11_2" />
+    <string value="nix-stdenv-aterm-stdenv" />
+    <string value="nix-stdenv2-aterm2-stdenv2" />
+  </list>
+</expr>
diff --git a/test/testdata/eval-okay-functionargs.nix b/test/testdata/eval-okay-functionargs.nix
new file mode 100644
index 0000000..68dca62
--- /dev/null
+++ b/test/testdata/eval-okay-functionargs.nix
@@ -0,0 +1,80 @@
+let
+  stdenvFun = { }: { name = "stdenv"; };
+  stdenv2Fun = { }: { name = "stdenv2"; };
+  fetchurlFun = { stdenv }: assert stdenv.name == "stdenv"; { name = "fetchurl"; };
+  atermFun = { stdenv, fetchurl }: { name = "aterm-${stdenv.name}"; };
+  aterm2Fun = { stdenv, fetchurl }: { name = "aterm2-${stdenv.name}"; };
+  nixFun = { stdenv, fetchurl, aterm }: { name = "nix-${stdenv.name}-${aterm.name}"; };
+  
+  mplayerFun =
+    { stdenv, fetchurl, enableX11 ? false, xorg ? null, enableFoo ? true, foo ? null  }:
+    assert stdenv.name == "stdenv2";
+    assert enableX11 -> xorg.libXv.name == "libXv";
+    assert enableFoo -> foo != null;
+    { name = "mplayer-${stdenv.name}.${xorg.libXv.name}-${xorg.libX11.name}"; };
+  makeOverridable = f: origArgs: f origArgs //
+    { override = newArgs:
+        makeOverridable f (origArgs // (if builtins.isFunction newArgs then newArgs origArgs else newArgs));
+    };
+    
+  callPackage_ = pkgs: f: args:
+    makeOverridable f ((builtins.intersectAttrs (builtins.functionArgs f) pkgs) // args);
+  allPackages =
+    { overrides ? (pkgs: pkgsPrev: { }) }:
+    let
+      callPackage = callPackage_ pkgs;
+      pkgs = pkgsStd // (overrides pkgs pkgsStd);
+      pkgsStd = {
+        inherit pkgs;
+        stdenv = callPackage stdenvFun { };
+        stdenv2 = callPackage stdenv2Fun { };
+        fetchurl = callPackage fetchurlFun { };
+        aterm = callPackage atermFun { };
+        xorg = callPackage xorgFun { };
+        mplayer = callPackage mplayerFun { stdenv = pkgs.stdenv2; enableFoo = false; };
+        nix = callPackage nixFun { };
+      };
+    in pkgs;
+  libX11Fun = { stdenv, fetchurl }: { name = "libX11"; };
+  libX11_2Fun = { stdenv, fetchurl }: { name = "libX11_2"; };
+  libXvFun = { stdenv, fetchurl, libX11 }: { name = "libXv"; };
+  
+  xorgFun =
+    { pkgs }:
+    let callPackage = callPackage_ (pkgs // pkgs.xorg); in
+    {
+      libX11 = callPackage libX11Fun { };
+      libXv = callPackage libXvFun { };
+    };
+in
+let
+  pkgs = allPackages { };
+  
+  pkgs2 = allPackages {
+    overrides = pkgs: pkgsPrev: {
+      stdenv = pkgs.stdenv2;
+      nix = pkgsPrev.nix.override { aterm = aterm2Fun { inherit (pkgs) stdenv fetchurl; }; };
+      xorg = pkgsPrev.xorg // { libX11 = libX11_2Fun { inherit (pkgs) stdenv fetchurl; }; };
+    };
+  };
+  
+in
+  [ pkgs.stdenv.name
+    pkgs.fetchurl.name
+    pkgs.aterm.name
+    pkgs2.aterm.name
+    pkgs.xorg.libX11.name
+    pkgs.xorg.libXv.name
+    pkgs.mplayer.name
+    pkgs2.mplayer.name
+    pkgs.nix.name
+    pkgs2.nix.name
+  ]
diff --git a/test/testdata/eval-okay-getattrpos-functionargs.exp b/test/testdata/eval-okay-getattrpos-functionargs.exp
new file mode 100644
index 0000000..7f9ac40
--- /dev/null
+++ b/test/testdata/eval-okay-getattrpos-functionargs.exp
@@ -0,0 +1 @@
+{ column = 11; file = "eval-okay-getattrpos-functionargs.nix"; line = 2; }
diff --git a/test/testdata/eval-okay-getattrpos-functionargs.nix b/test/testdata/eval-okay-getattrpos-functionargs.nix
new file mode 100644
index 0000000..11d6bb0
--- /dev/null
+++ b/test/testdata/eval-okay-getattrpos-functionargs.nix
@@ -0,0 +1,4 @@
+let
+  fun = { foo }: {};
+  pos = builtins.unsafeGetAttrPos "foo" (builtins.functionArgs fun);
+in { inherit (pos) column line; file = baseNameOf pos.file; }
diff --git a/test/testdata/eval-okay-getattrpos-undefined.exp b/test/testdata/eval-okay-getattrpos-undefined.exp
new file mode 100644
index 0000000..19765bd
--- /dev/null
+++ b/test/testdata/eval-okay-getattrpos-undefined.exp
@@ -0,0 +1 @@
+null
diff --git a/test/testdata/eval-okay-getattrpos-undefined.nix b/test/testdata/eval-okay-getattrpos-undefined.nix
new file mode 100644
index 0000000..14dd38f
--- /dev/null
+++ b/test/testdata/eval-okay-getattrpos-undefined.nix
@@ -0,0 +1 @@
+builtins.unsafeGetAttrPos "abort" builtins
diff --git a/test/testdata/eval-okay-getattrpos.exp b/test/testdata/eval-okay-getattrpos.exp
new file mode 100644
index 0000000..469249b
--- /dev/null
+++ b/test/testdata/eval-okay-getattrpos.exp
@@ -0,0 +1 @@
+{ column = 5; file = "eval-okay-getattrpos.nix"; line = 3; }
diff --git a/test/testdata/eval-okay-getattrpos.nix b/test/testdata/eval-okay-getattrpos.nix
new file mode 100644
index 0000000..ca6b079
--- /dev/null
+++ b/test/testdata/eval-okay-getattrpos.nix
@@ -0,0 +1,6 @@
+let
+  as = {
+    foo = "bar";
+  };
+  pos = builtins.unsafeGetAttrPos "foo" as;
+in { inherit (pos) column line; file = baseNameOf pos.file; }
diff --git a/test/testdata/eval-okay-getenv.exp b/test/testdata/eval-okay-getenv.exp
new file mode 100644
index 0000000..14e24d4
--- /dev/null
+++ b/test/testdata/eval-okay-getenv.exp
@@ -0,0 +1 @@
+"foobar"
diff --git a/test/testdata/eval-okay-getenv.nix b/test/testdata/eval-okay-getenv.nix
new file mode 100644
index 0000000..4cfec5f
--- /dev/null
+++ b/test/testdata/eval-okay-getenv.nix
@@ -0,0 +1 @@
+builtins.getEnv "TEST_VAR" + (if builtins.getEnv "NO_SUCH_VAR" == "" then "bar" else "bla")
diff --git a/test/testdata/eval-okay-groupBy.exp b/test/testdata/eval-okay-groupBy.exp
new file mode 100644
index 0000000..bfca565
--- /dev/null
+++ b/test/testdata/eval-okay-groupBy.exp
@@ -0,0 +1 @@
+{ "1" = [ 9 ]; "2" = [ 8 ]; "3" = [ 13 29 ]; "4" = [ 3 4 10 11 17 18 ]; "5" = [ 0 23 26 28 ]; "6" = [ 1 12 21 27 30 ]; "7" = [ 7 22 ]; "8" = [ 14 ]; "9" = [ 19 ]; b = [ 16 25 ]; c = [ 24 ]; d = [ 2 ]; e = [ 5 6 15 31 ]; f = [ 20 ]; }
diff --git a/test/testdata/eval-okay-groupBy.nix b/test/testdata/eval-okay-groupBy.nix
new file mode 100644
index 0000000..862d89d
--- /dev/null
+++ b/test/testdata/eval-okay-groupBy.nix
@@ -0,0 +1,5 @@
+with import ./lib.nix;
+builtins.groupBy (n:
+  builtins.substring 0 1 (builtins.hashString "sha256" (toString n))
+) (range 0 31)
diff --git a/test/testdata/eval-okay-hash.exp b/test/testdata/eval-okay-hash.exp
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/testdata/eval-okay-hash.exp
diff --git a/test/testdata/eval-okay-hashfile.exp b/test/testdata/eval-okay-hashfile.exp
new file mode 100644
index 0000000..ff1e829
--- /dev/null
+++ b/test/testdata/eval-okay-hashfile.exp
@@ -0,0 +1 @@
+[ "d3b07384d113edec49eaa6238ad5ff00" "0f343b0931126a20f133d67c2b018a3b" "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" "60cacbf3d72e1e7834203da608037b1bf83b40e8" "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" "5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef" "0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6" "8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461" ]
diff --git a/test/testdata/eval-okay-hashfile.nix b/test/testdata/eval-okay-hashfile.nix
new file mode 100644
index 0000000..aff5a18
--- /dev/null
+++ b/test/testdata/eval-okay-hashfile.nix
@@ -0,0 +1,4 @@
+let
+  paths = [ ./data ./binary-data ];
+in
+  builtins.concatLists (map (hash: map (builtins.hashFile hash) paths) ["md5" "sha1" "sha256" "sha512"])
diff --git a/test/testdata/eval-okay-hashstring.exp b/test/testdata/eval-okay-hashstring.exp
new file mode 100644
index 0000000..d720a08
--- /dev/null
+++ b/test/testdata/eval-okay-hashstring.exp
@@ -0,0 +1 @@
+[ "d41d8cd98f00b204e9800998ecf8427e" "6c69ee7f211c640419d5366cc076ae46" "bb3438fbabd460ea6dbd27d153e2233b" "da39a3ee5e6b4b0d3255bfef95601890afd80709" "cd54e8568c1b37cf1e5badb0779bcbf382212189" "6d12e10b1d331dad210e47fd25d4f260802b7e77" "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" "900a4469df00ccbfd0c145c6d1e4b7953dd0afafadd7534e3a4019e8d38fc663" "ad0387b3bd8652f730ca46d25f9c170af0fd589f42e7f23f5a9e6412d97d7e56" "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" "9d0886f8c6b389398a16257bc79780fab9831c7fc11c8ab07fa732cb7b348feade382f92617c9c5305fefba0af02ab5fd39a587d330997ff5bd0db19f7666653" "21644b72aa259e5a588cd3afbafb1d4310f4889680f6c83b9d531596a5a284f34dbebff409d23bcc86aee6bad10c891606f075c6f4755cb536da27db5693f3a7" ]
diff --git a/test/testdata/eval-okay-hashstring.nix b/test/testdata/eval-okay-hashstring.nix
new file mode 100644
index 0000000..b0f62b2
--- /dev/null
+++ b/test/testdata/eval-okay-hashstring.nix
@@ -0,0 +1,4 @@
+let
+  strings = [ "" "text 1" "text 2" ];
+in
+  builtins.concatLists (map (hash: map (builtins.hashString hash) strings) ["md5" "sha1" "sha256" "sha512"])
diff --git a/test/testdata/eval-okay-if.exp b/test/testdata/eval-okay-if.exp
new file mode 100644
index 0000000..00750ed
--- /dev/null
+++ b/test/testdata/eval-okay-if.exp
@@ -0,0 +1 @@
+3
diff --git a/test/testdata/eval-okay-if.nix b/test/testdata/eval-okay-if.nix
new file mode 100644
index 0000000..23e4c74
--- /dev/null
+++ b/test/testdata/eval-okay-if.nix
@@ -0,0 +1 @@
+if "foo" != "f" + "oo" then 1 else if false then 2 else 3
diff --git a/test/testdata/eval-okay-import.exp b/test/testdata/eval-okay-import.exp
new file mode 100644
index 0000000..c508125
--- /dev/null
+++ b/test/testdata/eval-okay-import.exp
@@ -0,0 +1 @@
+[ 1 2 3 4 5 6 7 8 9 10 ]
diff --git a/test/testdata/eval-okay-import.nix b/test/testdata/eval-okay-import.nix
new file mode 100644
index 0000000..0b18d94
--- /dev/null
+++ b/test/testdata/eval-okay-import.nix
@@ -0,0 +1,11 @@
+let
+  overrides = {
+    import = fn: scopedImport overrides fn;
+    scopedImport = attrs: fn: scopedImport (overrides // attrs) fn;
+    builtins = builtins // overrides;
+  } // import ./lib.nix;
+in scopedImport overrides ./imported.nix
diff --git a/test/testdata/eval-okay-ind-string.exp b/test/testdata/eval-okay-ind-string.exp
new file mode 100644
index 0000000..7862331
--- /dev/null
+++ b/test/testdata/eval-okay-ind-string.exp
@@ -0,0 +1 @@
+"This is an indented multi-line string\nliteral.  An amount of whitespace at\nthe start of each line matching the minimum\nindentation of all lines in the string\nliteral together will be removed.  Thus,\nin this case four spaces will be\nstripped from each line, even though\n  THIS LINE is indented six spaces.\n\nAlso, empty lines don't count in the\ndetermination of the indentation level (the\nprevious empty line has indentation 0, but\nit doesn't matter).\nIf the string starts with whitespace\n  followed by a newline, it's stripped, but\n  that's not the case here. Two spaces are\n  stripped because of the \"  \" at the start. \nThis line is indented\na bit further.\nAnti-quotations, like so, are\nalso allowed.\n  The \\ is not special here.\n' can be followed by any character except another ', e.g. 'x'.\nLikewise for $, e.g. $$ or $varName.\nBut ' followed by ' is special, as is $ followed by {.\nIf you want them, use anti-quotations: '', \${.\n   Tabs are not interpreted as whitespace (since we can't guess\n   what tab settings are intended), so don't use them.\n\tThis line starts with a space and a tab, so only one\n   space will be stripped from each line.\nAlso note that if the last line (just before the closing ' ')\nconsists only of whitespace, it's ignored.  But here there is\nsome non-whitespace stuff, so the line isn't removed. \nThis shows a hacky way to preserve an empty line after the start.\nBut there's no reason to do so: you could just repeat the empty\nline.\n  Similarly you can force an indentation level,\n  in this case to 2 spaces.  This works because the anti-quote\n  is significant (not whitespace).\nstart on network-interfaces\n\nstart script\n\n  rm -f /var/run/opengl-driver\n  ln -sf 123 /var/run/opengl-driver\n\n  rm -f /var/log/slim.log\n   \nend script\n\nenv SLIM_CFGFILE=abc\nenv SLIM_THEMESDIR=def\nenv FONTCONFIG_FILE=/etc/fonts/fonts.conf  \t\t\t\t# !!! cleanup\nenv XKB_BINDIR=foo/bin         \t\t\t\t# Needed for the Xkb extension.\nenv LD_LIBRARY_PATH=libX11/lib:libXext/lib:/usr/lib/          # related to xorg-sys-opengl - needed to load libglx for (AI)GLX support (for compiz)\n\nenv XORG_DRI_DRIVER_PATH=nvidiaDrivers/X11R6/lib/modules/drivers/ \n\nexec slim/bin/slim\nEscaping of ' followed by ': ''\nEscaping of $ followed by {: \${\nAnd finally to interpret \\n etc. as in a string: \n, \r, \t.\nfoo\n'bla'\nbar\ncut -d $'\\t' -f 1\nending dollar $$\n"
diff --git a/test/testdata/eval-okay-ind-string.nix b/test/testdata/eval-okay-ind-string.nix
new file mode 100644
index 0000000..95d59b5
--- /dev/null
+++ b/test/testdata/eval-okay-ind-string.nix
@@ -0,0 +1,128 @@
+let
+  s1 = ''
+    This is an indented multi-line string
+    literal.  An amount of whitespace at
+    the start of each line matching the minimum
+    indentation of all lines in the string
+    literal together will be removed.  Thus,
+    in this case four spaces will be
+    stripped from each line, even though
+      THIS LINE is indented six spaces.
+    Also, empty lines don't count in the
+    determination of the indentation level (the
+    previous empty line has indentation 0, but
+    it doesn't matter).
+  '';
+  s2 = ''  If the string starts with whitespace
+    followed by a newline, it's stripped, but
+    that's not the case here. Two spaces are
+    stripped because of the "  " at the start. 
+  '';
+  s3 = ''
+      This line is indented
+      a bit further.
+        ''; # indentation of last line doesn't count if it's empty
+  s4 = ''
+    Anti-quotations, like ${if true then "so" else "not so"}, are
+    also allowed.
+  '';
+  s5 = ''
+      The \ is not special here.
+    ' can be followed by any character except another ', e.g. 'x'.
+    Likewise for $, e.g. $$ or $varName.
+    But ' followed by ' is special, as is $ followed by {.
+    If you want them, use anti-quotations: ${"''"}, ${"\${"}.
+  '';
+  s6 = ''  
+    Tabs are not interpreted as whitespace (since we can't guess
+    what tab settings are intended), so don't use them.
+        This line starts with a space and a tab, so only one
+    space will be stripped from each line.
+  '';
+  s7 = ''
+    Also note that if the last line (just before the closing ' ')
+    consists only of whitespace, it's ignored.  But here there is
+    some non-whitespace stuff, so the line isn't removed. '';
+  s8 = ''    ${""}
+    This shows a hacky way to preserve an empty line after the start.
+    But there's no reason to do so: you could just repeat the empty
+    line.
+  '';
+  s9 = ''
+  ${""}  Similarly you can force an indentation level,
+    in this case to 2 spaces.  This works because the anti-quote
+    is significant (not whitespace).
+  '';
+  s10 = ''
+  '';
+  s11 = '''';
+  s12 = ''   '';
+  s13 = ''
+    start on network-interfaces
+    start script
+    
+      rm -f /var/run/opengl-driver
+      ${if true
+        then "ln -sf 123 /var/run/opengl-driver"
+        else if true
+        then "ln -sf 456 /var/run/opengl-driver"
+        else ""
+      }
+      rm -f /var/log/slim.log
+       
+    end script
+    env SLIM_CFGFILE=${"abc"}
+    env SLIM_THEMESDIR=${"def"}
+    env FONTCONFIG_FILE=/etc/fonts/fonts.conf                           # !!! cleanup
+    env XKB_BINDIR=${"foo"}/bin                                         # Needed for the Xkb extension.
+    env LD_LIBRARY_PATH=${"libX11"}/lib:${"libXext"}/lib:/usr/lib/          # related to xorg-sys-opengl - needed to load libglx for (AI)GLX support (for compiz)
+    ${if true
+      then "env XORG_DRI_DRIVER_PATH=${"nvidiaDrivers"}/X11R6/lib/modules/drivers/"
+    else if true
+      then "env XORG_DRI_DRIVER_PATH=${"mesa"}/lib/modules/dri"
+      else ""
+    } 
+    exec ${"slim"}/bin/slim
+  '';
+  s14 = ''
+    Escaping of ' followed by ': '''
+    Escaping of $ followed by {: ''${
+    And finally to interpret \n etc. as in a string: ''\n, ''\r, ''\t.
+  '';
+  # Regression test: string interpolation in '${x}' should work, but didn't.
+  s15 = let x = "bla"; in ''
+    foo
+    '${x}'
+    bar
+  '';
+  # Regression test: accept $'.
+  s16 = ''
+    cut -d $'\t' -f 1
+  '';
+  # Accept dollars at end of strings 
+  s17 = ''ending dollar $'' + ''$'' + "\n";
+in s1 + s2 + s3 + s4 + s5 + s6 + s7 + s8 + s9 + s10 + s11 + s12 + s13 + s14 + s15 + s16 + s17
diff --git a/test/testdata/eval-okay-inherit-attr-pos.exp b/test/testdata/eval-okay-inherit-attr-pos.exp
new file mode 100644
index 0000000..e87d037
--- /dev/null
+++ b/test/testdata/eval-okay-inherit-attr-pos.exp
@@ -0,0 +1 @@
+[ { column = 17; file = "/pwd/lang/eval-okay-inherit-attr-pos.nix"; line = 4; } { column = 19; file = "/pwd/lang/eval-okay-inherit-attr-pos.nix"; line = 4; } { column = 21; file = "/pwd/lang/eval-okay-inherit-attr-pos.nix"; line = 5; } { column = 23; file = "/pwd/lang/eval-okay-inherit-attr-pos.nix"; line = 5; } ]
diff --git a/test/testdata/eval-okay-inherit-attr-pos.nix b/test/testdata/eval-okay-inherit-attr-pos.nix
new file mode 100644
index 0000000..017ab1d
--- /dev/null
+++ b/test/testdata/eval-okay-inherit-attr-pos.nix
@@ -0,0 +1,12 @@
+let
+  d = 0;
+  x = 1;
+  y = { inherit d x; };
+  z = { inherit (y) d x; };
+in
+  [
+    (builtins.unsafeGetAttrPos "d" y)
+    (builtins.unsafeGetAttrPos "x" y)
+    (builtins.unsafeGetAttrPos "d" z)
+    (builtins.unsafeGetAttrPos "x" z)
+  ]
diff --git a/test/testdata/eval-okay-inherit-from.err.exp b/test/testdata/eval-okay-inherit-from.err.exp
new file mode 100644
index 0000000..3227501
--- /dev/null
+++ b/test/testdata/eval-okay-inherit-from.err.exp
@@ -0,0 +1 @@
+trace: used
diff --git a/test/testdata/eval-okay-inherit-from.exp b/test/testdata/eval-okay-inherit-from.exp
new file mode 100644
index 0000000..024daff
--- /dev/null
+++ b/test/testdata/eval-okay-inherit-from.exp
@@ -0,0 +1 @@
+[ 1 2 { __overrides = { y = { d = [ ]; }; }; c = [ ]; d = 4; x = { c = [ ]; }; y = «repeated»; } { inner = { c = 3; d = 4; }; } ]
diff --git a/test/testdata/eval-okay-inherit-from.nix b/test/testdata/eval-okay-inherit-from.nix
new file mode 100644
index 0000000..b72a1c6
--- /dev/null
+++ b/test/testdata/eval-okay-inherit-from.nix
@@ -0,0 +1,16 @@
+let
+  inherit (builtins.trace "used" { a = 1; b = 2; }) a b;
+  x.c = 3;
+  y.d = 4;
+  merged = {
+    inner = {
+      inherit (y) d;
+    };
+    inner = {
+      inherit (x) c;
+    };
+  };
+in
+  [ a b rec { x.c = []; inherit (x) c; inherit (y) d; __overrides.y.d = []; } merged ]
diff --git a/test/testdata/eval-okay-intersectAttrs.exp b/test/testdata/eval-okay-intersectAttrs.exp
new file mode 100644
index 0000000..50445bc
--- /dev/null
+++ b/test/testdata/eval-okay-intersectAttrs.exp
@@ -0,0 +1 @@
+[ { } { a = 1; } { a = 1; } { a = "a"; } { m = 1; } { m = "m"; } { n = 1; } { n = "n"; } { n = 1; p = 2; } { n = "n"; p = "p"; } { n = 1; p = 2; } { n = "n"; p = "p"; } { a = "a"; b = "b"; c = "c"; d = "d"; e = "e"; f = "f"; g = "g"; h = "h"; i = "i"; j = "j"; k = "k"; l = "l"; m = "m"; n = "n"; o = "o"; p = "p"; q = "q"; r = "r"; s = "s"; t = "t"; u = "u"; v = "v"; w = "w"; x = "x"; y = "y"; z = "z"; } true ]
diff --git a/test/testdata/eval-okay-intersectAttrs.nix b/test/testdata/eval-okay-intersectAttrs.nix
new file mode 100644
index 0000000..39d4993
--- /dev/null
+++ b/test/testdata/eval-okay-intersectAttrs.nix
@@ -0,0 +1,50 @@
+let
+  alphabet =
+  { a = "a";
+    b = "b";
+    c = "c";
+    d = "d";
+    e = "e";
+    f = "f";
+    g = "g";
+    h = "h";
+    i = "i";
+    j = "j";
+    k = "k";
+    l = "l";
+    m = "m";
+    n = "n";
+    o = "o";
+    p = "p";
+    q = "q";
+    r = "r";
+    s = "s";
+    t = "t";
+    u = "u";
+    v = "v";
+    w = "w";
+    x = "x";
+    y = "y";
+    z = "z";
+  };
+  foo = {
+    inherit (alphabet) f o b a r z q u x;
+    aa = throw "aa";
+  };
+  alphabetFail = builtins.mapAttrs throw alphabet;
+in
+[ (builtins.intersectAttrs { a = abort "l1"; } { b = abort "r1"; })
+  (builtins.intersectAttrs { a = abort "l2"; } { a = 1; })
+  (builtins.intersectAttrs alphabetFail { a = 1; })
+  (builtins.intersectAttrs  { a = abort "laa"; } alphabet)
+  (builtins.intersectAttrs alphabetFail { m = 1; })
+  (builtins.intersectAttrs  { m = abort "lam"; } alphabet)
+  (builtins.intersectAttrs alphabetFail { n = 1; })
+  (builtins.intersectAttrs  { n = abort "lan"; } alphabet)
+  (builtins.intersectAttrs alphabetFail { n = 1; p = 2; })
+  (builtins.intersectAttrs  { n = abort "lan2"; p = abort "lap"; } alphabet)
+  (builtins.intersectAttrs alphabetFail { n = 1; p = 2; })
+  (builtins.intersectAttrs  { n = abort "lan2"; p = abort "lap"; } alphabet)
+  (builtins.intersectAttrs alphabetFail alphabet)
+  (builtins.intersectAttrs alphabet foo == builtins.intersectAttrs foo alphabet)
+]
diff --git a/test/testdata/eval-okay-let.exp b/test/testdata/eval-okay-let.exp
new file mode 100644
index 0000000..14e24d4
--- /dev/null
+++ b/test/testdata/eval-okay-let.exp
@@ -0,0 +1 @@
+"foobar"
diff --git a/test/testdata/eval-okay-let.nix b/test/testdata/eval-okay-let.nix
new file mode 100644
index 0000000..fe118c5
--- /dev/null
+++ b/test/testdata/eval-okay-let.nix
@@ -0,0 +1,5 @@
+let {
+  x = "foo";
+  y = "bar";
+  body = x + y;
+}
diff --git a/test/testdata/eval-okay-list.exp b/test/testdata/eval-okay-list.exp
new file mode 100644
index 0000000..f784f26
--- /dev/null
+++ b/test/testdata/eval-okay-list.exp
@@ -0,0 +1 @@
+"foobarblatest"
diff --git a/test/testdata/eval-okay-list.nix b/test/testdata/eval-okay-list.nix
new file mode 100644
index 0000000..d433bcf
--- /dev/null
+++ b/test/testdata/eval-okay-list.nix
@@ -0,0 +1,7 @@
+with import ./lib.nix;
+let {
+  body = concat ["foo" "bar" "bla" "test"];
+    
+}
+\ No newline at end of file
diff --git a/test/testdata/eval-okay-listtoattrs.exp b/test/testdata/eval-okay-listtoattrs.exp
new file mode 100644
index 0000000..74abef7
--- /dev/null
+++ b/test/testdata/eval-okay-listtoattrs.exp
@@ -0,0 +1 @@
+"AAbar"
diff --git a/test/testdata/eval-okay-listtoattrs.nix b/test/testdata/eval-okay-listtoattrs.nix
new file mode 100644
index 0000000..4186e02
--- /dev/null
+++ b/test/testdata/eval-okay-listtoattrs.nix
@@ -0,0 +1,11 @@
+# this test shows how to use listToAttrs and that evaluation is still lazy (throw isn't called)
+with import ./lib.nix;
+let 
+  asi = name: value : { inherit name value; };
+  list = [ ( asi "a" "A" ) ( asi "b" "B" ) ];
+  a = builtins.listToAttrs list;
+  b = builtins.listToAttrs ( list ++ list );
+  r = builtins.listToAttrs [ (asi "result" [ a b ]) ( asi "throw" (throw "this should not be thrown")) ];
+  x = builtins.listToAttrs [ (asi "foo" "bar") (asi "foo" "bla") ];
+in concat (map (x: x.a) r.result) + x.foo
diff --git a/test/testdata/eval-okay-logic.exp b/test/testdata/eval-okay-logic.exp
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/test/testdata/eval-okay-logic.exp
@@ -0,0 +1 @@
+1
diff --git a/test/testdata/eval-okay-logic.nix b/test/testdata/eval-okay-logic.nix
new file mode 100644
index 0000000..fbb1279
--- /dev/null
+++ b/test/testdata/eval-okay-logic.nix
@@ -0,0 +1 @@
+assert !false && (true || false) -> true; 1
diff --git a/test/testdata/eval-okay-map.exp b/test/testdata/eval-okay-map.exp
new file mode 100644
index 0000000..dbb64f7
--- /dev/null
+++ b/test/testdata/eval-okay-map.exp
@@ -0,0 +1 @@
+"foobarblabarxyzzybar"
diff --git a/test/testdata/eval-okay-map.nix b/test/testdata/eval-okay-map.nix
new file mode 100644
index 0000000..a76c1d8
--- /dev/null
+++ b/test/testdata/eval-okay-map.nix
@@ -0,0 +1,3 @@
+with import ./lib.nix;
+concat (map (x: x + "bar") [ "foo" "bla" "xyzzy" ])
+\ No newline at end of file
diff --git a/test/testdata/eval-okay-mapattrs.exp b/test/testdata/eval-okay-mapattrs.exp
new file mode 100644
index 0000000..3f113f1
--- /dev/null
+++ b/test/testdata/eval-okay-mapattrs.exp
@@ -0,0 +1 @@
+{ x = "x-foo"; y = "y-bar"; }
diff --git a/test/testdata/eval-okay-mapattrs.nix b/test/testdata/eval-okay-mapattrs.nix
new file mode 100644
index 0000000..f075b62
--- /dev/null
+++ b/test/testdata/eval-okay-mapattrs.nix
@@ -0,0 +1,3 @@
+with import ./lib.nix;
+builtins.mapAttrs (name: value: name + "-" + value) { x = "foo"; y = "bar"; }
diff --git a/test/testdata/eval-okay-merge-dynamic-attrs.exp b/test/testdata/eval-okay-merge-dynamic-attrs.exp
new file mode 100644
index 0000000..157d677
--- /dev/null
+++ b/test/testdata/eval-okay-merge-dynamic-attrs.exp
@@ -0,0 +1 @@
+{ set1 = { a = 1; b = 2; }; set2 = { a = 1; b = 2; }; set3 = { a = 1; b = 2; }; set4 = { a = 1; b = 2; }; }
diff --git a/test/testdata/eval-okay-merge-dynamic-attrs.nix b/test/testdata/eval-okay-merge-dynamic-attrs.nix
new file mode 100644
index 0000000..f459a55
--- /dev/null
+++ b/test/testdata/eval-okay-merge-dynamic-attrs.nix
@@ -0,0 +1,13 @@
+{
+  set1 = { a = 1; };
+  set1 = { "${"b" + ""}" = 2; };
+  set2 = { "${"b" + ""}" = 2; };
+  set2 = { a = 1; };
+  set3.a = 1;
+  set3."${"b" + ""}" = 2;
+  set4."${"b" + ""}" = 2;
+  set4.a = 1;
+}
diff --git a/test/testdata/eval-okay-nested-with.exp b/test/testdata/eval-okay-nested-with.exp
new file mode 100644
index 0000000..0cfbf08
--- /dev/null
+++ b/test/testdata/eval-okay-nested-with.exp
@@ -0,0 +1 @@
+2
diff --git a/test/testdata/eval-okay-nested-with.nix b/test/testdata/eval-okay-nested-with.nix
new file mode 100644
index 0000000..ba9d79a
--- /dev/null
+++ b/test/testdata/eval-okay-nested-with.nix
@@ -0,0 +1,3 @@
+with { x = 1; };
+with { x = 2; };
+x
diff --git a/test/testdata/eval-okay-new-let.exp b/test/testdata/eval-okay-new-let.exp
new file mode 100644
index 0000000..f98b388
--- /dev/null
+++ b/test/testdata/eval-okay-new-let.exp
@@ -0,0 +1 @@
+"xyzzyfoobar"
diff --git a/test/testdata/eval-okay-new-let.nix b/test/testdata/eval-okay-new-let.nix
new file mode 100644
index 0000000..7381231
--- /dev/null
+++ b/test/testdata/eval-okay-new-let.nix
@@ -0,0 +1,14 @@
+let
+  f = z: 
+    let
+      x = "foo";
+      y = "bar";
+      body = 1; # compat test
+    in
+      z + x + y;
+  arg = "xyzzy";
+in f arg
diff --git a/test/testdata/eval-okay-null-dynamic-attrs.exp b/test/testdata/eval-okay-null-dynamic-attrs.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-null-dynamic-attrs.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-null-dynamic-attrs.nix b/test/testdata/eval-okay-null-dynamic-attrs.nix
new file mode 100644
index 0000000..b060c0b
--- /dev/null
+++ b/test/testdata/eval-okay-null-dynamic-attrs.nix
@@ -0,0 +1 @@
+{ ${null} = true; } == {}
diff --git a/test/testdata/eval-okay-overrides.exp b/test/testdata/eval-okay-overrides.exp
new file mode 100644
index 0000000..0cfbf08
--- /dev/null
+++ b/test/testdata/eval-okay-overrides.exp
@@ -0,0 +1 @@
+2
diff --git a/test/testdata/eval-okay-overrides.nix b/test/testdata/eval-okay-overrides.nix
new file mode 100644
index 0000000..719bdc9
--- /dev/null
+++ b/test/testdata/eval-okay-overrides.nix
@@ -0,0 +1,9 @@
+let
+  overrides = { a = 2; b = 3; };
+in (rec {
+  __overrides = overrides;
+  x = a;
+  a = 1;
+}).x
diff --git a/test/testdata/eval-okay-parse-flake-ref.exp b/test/testdata/eval-okay-parse-flake-ref.exp
new file mode 100644
index 0000000..fc17ba0
--- /dev/null
+++ b/test/testdata/eval-okay-parse-flake-ref.exp
@@ -0,0 +1 @@
+{ dir = "lib"; owner = "NixOS"; ref = "23.05"; repo = "nixpkgs"; type = "github"; }
diff --git a/test/testdata/eval-okay-parse-flake-ref.nix b/test/testdata/eval-okay-parse-flake-ref.nix
new file mode 100644
index 0000000..db4ed27
--- /dev/null
+++ b/test/testdata/eval-okay-parse-flake-ref.nix
@@ -0,0 +1 @@
+  builtins.parseFlakeRef "github:NixOS/nixpkgs/23.05?dir=lib"
diff --git a/test/testdata/eval-okay-partition.exp b/test/testdata/eval-okay-partition.exp
new file mode 100644
index 0000000..cd8b8b0
--- /dev/null
+++ b/test/testdata/eval-okay-partition.exp
@@ -0,0 +1 @@
+{ right = [ 0 2 4 6 8 10 100 102 104 106 108 110 ]; wrong = [ 1 3 5 7 9 101 103 105 107 109 ]; }
diff --git a/test/testdata/eval-okay-partition.nix b/test/testdata/eval-okay-partition.nix
new file mode 100644
index 0000000..846d2ce
--- /dev/null
+++ b/test/testdata/eval-okay-partition.nix
@@ -0,0 +1,5 @@
+with import ./lib.nix;
+builtins.partition
+  (x: x / 2 * 2 == x)
+  (builtins.concatLists [ (range 0 10) (range 100 110) ])
diff --git a/test/testdata/eval-okay-path-string-interpolation.exp b/test/testdata/eval-okay-path-string-interpolation.exp
new file mode 100644
index 0000000..5b8ea02
--- /dev/null
+++ b/test/testdata/eval-okay-path-string-interpolation.exp
@@ -0,0 +1 @@
+{ absolute = /foo; expr = /pwd/lang/foo/bar; home = /fake-home/foo; notfirst = /pwd/lang/bar/foo; simple = /pwd/lang/foo; slashes = /foo/bar; surrounded = /pwd/lang/a-foo-b; }
diff --git a/test/testdata/eval-okay-path-string-interpolation.nix b/test/testdata/eval-okay-path-string-interpolation.nix
new file mode 100644
index 0000000..497d7c1
--- /dev/null
+++ b/test/testdata/eval-okay-path-string-interpolation.nix
@@ -0,0 +1,12 @@
+let
+  foo = "foo";
+in
+{
+  simple = ./${foo};
+  surrounded = ./a-${foo}-b;
+  absolute = /${foo};
+  expr = ./${foo + "/bar"};
+  home = ~/${foo};
+  notfirst = ./bar/${foo};
+  slashes = /${foo}/${"bar"};
+}
diff --git a/test/testdata/eval-okay-path.exp b/test/testdata/eval-okay-path.exp
new file mode 100644
index 0000000..635e224
--- /dev/null
+++ b/test/testdata/eval-okay-path.exp
@@ -0,0 +1 @@
+[ "/nix/store/ya937r4ydw0l6kayq8jkyqaips9c75jm-output" "/nix/store/m7y372g6jb0g4hh1dzmj847rd356fhnz-output" ]
diff --git a/test/testdata/eval-okay-path.nix b/test/testdata/eval-okay-path.nix
new file mode 100644
index 0000000..599b335
--- /dev/null
+++ b/test/testdata/eval-okay-path.nix
@@ -0,0 +1,15 @@
+[
+  (builtins.path
+    { path = ./.;
+      filter = path: _: baseNameOf path == "data";
+      recursive = true;
+      sha256 = "1yhm3gwvg5a41yylymgblsclk95fs6jy72w0wv925mmidlhcq4sw";
+      name = "output";
+    })
+  (builtins.path
+    { path = ./data;
+      recursive = false;
+      sha256 = "0k4lwj58f2w5yh92ilrwy9917pycipbrdrr13vbb3yd02j09vfxm";
+      name = "output";
+    })
+]
diff --git a/test/testdata/eval-okay-pathexists.exp b/test/testdata/eval-okay-pathexists.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-pathexists.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-pathexists.nix b/test/testdata/eval-okay-pathexists.nix
new file mode 100644
index 0000000..022b22f
--- /dev/null
+++ b/test/testdata/eval-okay-pathexists.nix
@@ -0,0 +1,34 @@
+builtins.pathExists (./lib.nix)
+&& builtins.pathExists (builtins.toPath ./lib.nix)
+&& builtins.pathExists (builtins.toString ./lib.nix)
+&& !builtins.pathExists (builtins.toString ./lib.nix + "/")
+&& !builtins.pathExists (builtins.toString ./lib.nix + "/.")
+# FIXME
+# && !builtins.pathExists (builtins.toString ./lib.nix + "/..")
+# && !builtins.pathExists (builtins.toString ./lib.nix + "/a/..")
+# && !builtins.pathExists (builtins.toString ./lib.nix + "/../lib.nix")
+&& !builtins.pathExists (builtins.toString ./lib.nix + "/./")
+&& !builtins.pathExists (builtins.toString ./lib.nix + "/./.")
+&& builtins.pathExists (builtins.toString ./.. + "/lang/lib.nix")
+&& !builtins.pathExists (builtins.toString ./.. + "lang/lib.nix")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/lib.nix")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/./lib.nix")
+&& builtins.pathExists (builtins.toString ./.)
+&& builtins.pathExists (builtins.toString ./. + "/")
+&& builtins.pathExists (builtins.toString ./. + "/../lang")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/.")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/./")
+&& builtins.pathExists (builtins.toString ./. + "/../lang//./")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/..")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/../")
+&& builtins.pathExists (builtins.toString ./. + "/../lang/..//")
+&& builtins.pathExists (builtins.toPath (builtins.toString ./lib.nix))
+&& !builtins.pathExists (builtins.toPath (builtins.toString ./bla.nix))
+&& builtins.pathExists (builtins.toPath { __toString = x: builtins.toString ./lib.nix; })
+&& builtins.pathExists (builtins.toPath { outPath = builtins.toString ./lib.nix; })
+&& builtins.pathExists ./lib.nix
+&& !builtins.pathExists ./bla.nix
+&& builtins.pathExists ./symlink-resolution/foo/overlays/overlay.nix
+&& builtins.pathExists ./symlink-resolution/broken
+&& builtins.pathExists (builtins.toString ./symlink-resolution/foo/overlays + "/.")
diff --git a/test/testdata/eval-okay-patterns.exp b/test/testdata/eval-okay-patterns.exp
new file mode 100644
index 0000000..a430401
--- /dev/null
+++ b/test/testdata/eval-okay-patterns.exp
@@ -0,0 +1 @@
+"abcxyzDDDDEFijk"
diff --git a/test/testdata/eval-okay-patterns.nix b/test/testdata/eval-okay-patterns.nix
new file mode 100644
index 0000000..96fd25a
--- /dev/null
+++ b/test/testdata/eval-okay-patterns.nix
@@ -0,0 +1,16 @@
+let
+  f = args@{x, y, z}: x + args.y + z;
+  g = {x, y, z}@args: f args;
+  h = {x ? "d", y ? x, z ? args.x}@args: x + y + z;
+  j = {x, y, z, ...}: x + y + z;
+in
+  f {x = "a"; y = "b"; z = "c";} +
+  g {x = "x"; y = "y"; z = "z";} +
+  h {x = "D";} +
+  h {x = "D"; y = "E"; z = "F";} +
+  j {x = "i"; y = "j"; z = "k"; bla = "bla"; foo = "bar";}
diff --git a/test/testdata/eval-okay-print.err.exp b/test/testdata/eval-okay-print.err.exp
new file mode 100644
index 0000000..80aa17c
--- /dev/null
+++ b/test/testdata/eval-okay-print.err.exp
@@ -0,0 +1 @@
+trace: [ «thunk» ]
diff --git a/test/testdata/eval-okay-print.exp b/test/testdata/eval-okay-print.exp
new file mode 100644
index 0000000..0d960fb
--- /dev/null
+++ b/test/testdata/eval-okay-print.exp
@@ -0,0 +1 @@
+[ null <PRIMOP> <PRIMOP-APP> <LAMBDA> [ [ «repeated» ] ] ]
diff --git a/test/testdata/eval-okay-print.nix b/test/testdata/eval-okay-print.nix
new file mode 100644
index 0000000..d36ba4d
--- /dev/null
+++ b/test/testdata/eval-okay-print.nix
@@ -0,0 +1 @@
+with builtins; trace [(1+1)] [ null toString (deepSeq "x") (a: a) (let x=[x]; in x) ]
diff --git a/test/testdata/eval-okay-readDir.exp b/test/testdata/eval-okay-readDir.exp
new file mode 100644
index 0000000..6413f6d
--- /dev/null
+++ b/test/testdata/eval-okay-readDir.exp
@@ -0,0 +1 @@
+{ bar = "regular"; foo = "directory"; ldir = "symlink"; linked = "symlink"; }
diff --git a/test/testdata/eval-okay-readDir.nix b/test/testdata/eval-okay-readDir.nix
new file mode 100644
index 0000000..a7ec929
--- /dev/null
+++ b/test/testdata/eval-okay-readDir.nix
@@ -0,0 +1 @@
+builtins.readDir ./readDir
diff --git a/test/testdata/eval-okay-readFileType.exp b/test/testdata/eval-okay-readFileType.exp
new file mode 100644
index 0000000..6413f6d
--- /dev/null
+++ b/test/testdata/eval-okay-readFileType.exp
@@ -0,0 +1 @@
+{ bar = "regular"; foo = "directory"; ldir = "symlink"; linked = "symlink"; }
diff --git a/test/testdata/eval-okay-readFileType.nix b/test/testdata/eval-okay-readFileType.nix
new file mode 100644
index 0000000..174fb6c
--- /dev/null
+++ b/test/testdata/eval-okay-readFileType.nix
@@ -0,0 +1,6 @@
+{
+  bar    = builtins.readFileType ./readDir/bar;
+  foo    = builtins.readFileType ./readDir/foo;
+  linked = builtins.readFileType ./readDir/linked;
+  ldir   = builtins.readFileType ./readDir/ldir;
+}
diff --git a/test/testdata/eval-okay-readfile.exp b/test/testdata/eval-okay-readfile.exp
new file mode 100644
index 0000000..a2c87d0
--- /dev/null
+++ b/test/testdata/eval-okay-readfile.exp
@@ -0,0 +1 @@
+"builtins.readFile ./eval-okay-readfile.nix\n"
diff --git a/test/testdata/eval-okay-readfile.nix b/test/testdata/eval-okay-readfile.nix
new file mode 100644
index 0000000..82f7cb1
--- /dev/null
+++ b/test/testdata/eval-okay-readfile.nix
@@ -0,0 +1 @@
+builtins.readFile ./eval-okay-readfile.nix
diff --git a/test/testdata/eval-okay-redefine-builtin.exp b/test/testdata/eval-okay-redefine-builtin.exp
new file mode 100644
index 0000000..c508d53
--- /dev/null
+++ b/test/testdata/eval-okay-redefine-builtin.exp
@@ -0,0 +1 @@
+false
diff --git a/test/testdata/eval-okay-redefine-builtin.nix b/test/testdata/eval-okay-redefine-builtin.nix
new file mode 100644
index 0000000..df9fc3f
--- /dev/null
+++ b/test/testdata/eval-okay-redefine-builtin.nix
@@ -0,0 +1,3 @@
+let
+  throw = abort "Error!";
+in (builtins.tryEval <foobaz>).success
diff --git a/test/testdata/eval-okay-regex-match.exp b/test/testdata/eval-okay-regex-match.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-regex-match.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-regex-match.nix b/test/testdata/eval-okay-regex-match.nix
new file mode 100644
index 0000000..273e259
--- /dev/null
+++ b/test/testdata/eval-okay-regex-match.nix
@@ -0,0 +1,29 @@
+with builtins;
+let
+  matches = pat: s: match pat s != null;
+  splitFN = match "((.*)/)?([^/]*)\\.(nix|cc)";
+in
+assert  matches "foobar" "foobar";
+assert  matches "fo*" "f";
+assert !matches "fo+" "f";
+assert  matches "fo*" "fo";
+assert  matches "fo*" "foo";
+assert  matches "fo+" "foo";
+assert  matches "fo{1,2}" "foo";
+assert !matches "fo{1,2}" "fooo";
+assert !matches "fo*" "foobar";
+assert  matches "[[:space:]]+([^[:space:]]+)[[:space:]]+" "  foo   ";
+assert !matches "[[:space:]]+([[:upper:]]+)[[:space:]]+" "  foo   ";
+assert match "(.*)\\.nix" "foobar.nix" == [ "foobar" ];
+assert match "[[:space:]]+([[:upper:]]+)[[:space:]]+" "  FOO   " == [ "FOO" ];
+assert splitFN "/path/to/foobar.nix" == [ "/path/to/" "/path/to" "foobar" "nix" ];
+assert splitFN "foobar.cc" == [ null null "foobar" "cc" ];
+true
diff --git a/test/testdata/eval-okay-regex-split.exp b/test/testdata/eval-okay-regex-split.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-regex-split.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-regex-split.nix b/test/testdata/eval-okay-regex-split.nix
new file mode 100644
index 0000000..0073e05
--- /dev/null
+++ b/test/testdata/eval-okay-regex-split.nix
@@ -0,0 +1,48 @@
+with builtins;
+# Non capturing regex returns empty lists
+assert  split "foobar" "foobar"  == ["" [] ""];
+assert  split "fo*" "f"          == ["" [] ""];
+assert  split "fo+" "f"          == ["f"];
+assert  split "fo*" "fo"         == ["" [] ""];
+assert  split "fo*" "foo"        == ["" [] ""];
+assert  split "fo+" "foo"        == ["" [] ""];
+assert  split "fo{1,2}" "foo"    == ["" [] ""];
+assert  split "fo{1,2}" "fooo"   == ["" [] "o"];
+assert  split "fo*" "foobar"     == ["" [] "bar"];
+# Capturing regex returns a list of sub-matches
+assert  split "(fo*)" "f"        == ["" ["f"] ""];
+assert  split "(fo+)" "f"        == ["f"];
+assert  split "(fo*)" "fo"       == ["" ["fo"] ""];
+assert  split "(f)(o*)" "f"      == ["" ["f" ""] ""];
+assert  split "(f)(o*)" "foo"    == ["" ["f" "oo"] ""];
+assert  split "(fo+)" "foo"      == ["" ["foo"] ""];
+assert  split "(fo{1,2})" "foo"  == ["" ["foo"] ""];
+assert  split "(fo{1,2})" "fooo" == ["" ["foo"] "o"];
+assert  split "(fo*)" "foobar"   == ["" ["foo"] "bar"];
+# Matches are greedy.
+assert  split "(o+)" "oooofoooo" == ["" ["oooo"] "f" ["oooo"] ""];
+# Matches multiple times.
+assert  split "(b)" "foobarbaz"  == ["foo" ["b"] "ar" ["b"] "az"];
+# Split large strings containing newlines. null are inserted when a
+# pattern within the current did not match anything.
+assert  split "[[:space:]]+|([',.!?])" ''
+  Nix Rocks!
+  That's why I use it.
+''  == [
+  "Nix" [ null ] "Rocks" ["!"] "" [ null ]
+  "That" ["'"] "s" [ null ] "why" [ null ] "I" [ null ] "use" [ null ] "it" ["."] "" [ null ]
+  ""
+];
+# Documentation examples
+assert  split  "(a)b" "abc"      == [ "" [ "a" ] "c" ];
+assert  split  "([ac])" "abc"    == [ "" [ "a" ] "b" [ "c" ] "" ];
+assert  split  "(a)|(c)" "abc"   == [ "" [ "a" null ] "b" [ null "c" ] "" ];
+assert  split  "([[:upper:]]+)" "  FOO   " == [ "  " [ "FOO" ] "   " ];
+true
diff --git a/test/testdata/eval-okay-regression-20220122.exp b/test/testdata/eval-okay-regression-20220122.exp
new file mode 100644
index 0000000..00750ed
--- /dev/null
+++ b/test/testdata/eval-okay-regression-20220122.exp
@@ -0,0 +1 @@
+3
diff --git a/test/testdata/eval-okay-regression-20220122.nix b/test/testdata/eval-okay-regression-20220122.nix
new file mode 100644
index 0000000..694e9a1
--- /dev/null
+++ b/test/testdata/eval-okay-regression-20220122.nix
@@ -0,0 +1 @@
+((_: _) 1) + ((__: __) 2)
diff --git a/test/testdata/eval-okay-regression-20220125.exp b/test/testdata/eval-okay-regression-20220125.exp
new file mode 100644
index 0000000..00750ed
--- /dev/null
+++ b/test/testdata/eval-okay-regression-20220125.exp
@@ -0,0 +1 @@
+3
diff --git a/test/testdata/eval-okay-regression-20220125.nix b/test/testdata/eval-okay-regression-20220125.nix
new file mode 100644
index 0000000..4855023
--- /dev/null
+++ b/test/testdata/eval-okay-regression-20220125.nix
@@ -0,0 +1,2 @@
+((__curPosFoo: __curPosFoo) 1) + ((__curPosBar: __curPosBar) 2)
diff --git a/test/testdata/eval-okay-remove.exp b/test/testdata/eval-okay-remove.exp
new file mode 100644
index 0000000..8d38505
--- /dev/null
+++ b/test/testdata/eval-okay-remove.exp
@@ -0,0 +1 @@
+456
diff --git a/test/testdata/eval-okay-remove.nix b/test/testdata/eval-okay-remove.nix
new file mode 100644
index 0000000..4ad5ba8
--- /dev/null
+++ b/test/testdata/eval-okay-remove.nix
@@ -0,0 +1,5 @@
+let {
+  attrs = {x = 123; y = 456;};
+  body = (removeAttrs attrs ["x"]).y;
+}
+\ No newline at end of file
diff --git a/test/testdata/eval-okay-repeated-empty-attrs.exp b/test/testdata/eval-okay-repeated-empty-attrs.exp
new file mode 100644
index 0000000..d21e6db
--- /dev/null
+++ b/test/testdata/eval-okay-repeated-empty-attrs.exp
@@ -0,0 +1 @@
+[ { } { } ]
diff --git a/test/testdata/eval-okay-repeated-empty-attrs.nix b/test/testdata/eval-okay-repeated-empty-attrs.nix
new file mode 100644
index 0000000..030a3b8
--- /dev/null
+++ b/test/testdata/eval-okay-repeated-empty-attrs.nix
@@ -0,0 +1,2 @@
+# Tests that empty attribute sets are not printed as `«repeated»`.
+[ {} {} ]
diff --git a/test/testdata/eval-okay-repeated-empty-list.exp b/test/testdata/eval-okay-repeated-empty-list.exp
new file mode 100644
index 0000000..701fc7e
--- /dev/null
+++ b/test/testdata/eval-okay-repeated-empty-list.exp
@@ -0,0 +1 @@
+[ [ ] [ ] ]
diff --git a/test/testdata/eval-okay-repeated-empty-list.nix b/test/testdata/eval-okay-repeated-empty-list.nix
new file mode 100644
index 0000000..376c51b
--- /dev/null
+++ b/test/testdata/eval-okay-repeated-empty-list.nix
@@ -0,0 +1 @@
+[ [] [] ]
diff --git a/test/testdata/eval-okay-replacestrings.exp b/test/testdata/eval-okay-replacestrings.exp
new file mode 100644
index 0000000..eac67c5
--- /dev/null
+++ b/test/testdata/eval-okay-replacestrings.exp
@@ -0,0 +1 @@
+[ "faabar" "fbar" "fubar" "faboor" "fubar" "XaXbXcX" "X" "a_b" "fubar" ]
diff --git a/test/testdata/eval-okay-replacestrings.nix b/test/testdata/eval-okay-replacestrings.nix
new file mode 100644
index 0000000..a803e65
--- /dev/null
+++ b/test/testdata/eval-okay-replacestrings.nix
@@ -0,0 +1,12 @@
+with builtins;
+[ (replaceStrings ["o"] ["a"] "foobar")
+  (replaceStrings ["o"] [""] "foobar")
+  (replaceStrings ["oo"] ["u"] "foobar")
+  (replaceStrings ["oo" "a"] ["a" "oo"] "foobar")
+  (replaceStrings ["oo" "oo"] ["u" "i"] "foobar")
+  (replaceStrings [""] ["X"] "abc")
+  (replaceStrings [""] ["X"] "")
+  (replaceStrings ["-"] ["_"] "a-b")
+  (replaceStrings ["oo" "XX"] ["u" (throw "unreachable")] "foobar")
+]
diff --git a/test/testdata/eval-okay-scope-1.exp b/test/testdata/eval-okay-scope-1.exp
new file mode 100644
index 0000000..00750ed
--- /dev/null
+++ b/test/testdata/eval-okay-scope-1.exp
@@ -0,0 +1 @@
+3
diff --git a/test/testdata/eval-okay-scope-1.nix b/test/testdata/eval-okay-scope-1.nix
new file mode 100644
index 0000000..fa38a71
--- /dev/null
+++ b/test/testdata/eval-okay-scope-1.nix
@@ -0,0 +1,6 @@
+(({x}: x:
+  { x = 1;
+    y = x;
+  }
+) {x = 2;} 3).y
diff --git a/test/testdata/eval-okay-scope-2.exp b/test/testdata/eval-okay-scope-2.exp
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/test/testdata/eval-okay-scope-2.exp
@@ -0,0 +1 @@
+1
diff --git a/test/testdata/eval-okay-scope-2.nix b/test/testdata/eval-okay-scope-2.nix
new file mode 100644
index 0000000..eb8b02b
--- /dev/null
+++ b/test/testdata/eval-okay-scope-2.nix
@@ -0,0 +1,6 @@
+((x: {x}:
+  rec {
+    x = 1;
+    y = x;
+  }
+) 2 {x = 3;}).y
diff --git a/test/testdata/eval-okay-scope-3.exp b/test/testdata/eval-okay-scope-3.exp
new file mode 100644
index 0000000..b8626c4
--- /dev/null
+++ b/test/testdata/eval-okay-scope-3.exp
@@ -0,0 +1 @@
+4
diff --git a/test/testdata/eval-okay-scope-3.nix b/test/testdata/eval-okay-scope-3.nix
new file mode 100644
index 0000000..10d6bc0
--- /dev/null
+++ b/test/testdata/eval-okay-scope-3.nix
@@ -0,0 +1,6 @@
+((x: as: {x}:
+  rec {
+    inherit (as) x;
+    y = x;
+  }
+) 2 {x = 4;} {x = 3;}).y
diff --git a/test/testdata/eval-okay-scope-4.exp b/test/testdata/eval-okay-scope-4.exp
new file mode 100644
index 0000000..00ff03a
--- /dev/null
+++ b/test/testdata/eval-okay-scope-4.exp
@@ -0,0 +1 @@
+"ccdd"
diff --git a/test/testdata/eval-okay-scope-4.nix b/test/testdata/eval-okay-scope-4.nix
new file mode 100644
index 0000000..dc8243b
--- /dev/null
+++ b/test/testdata/eval-okay-scope-4.nix
@@ -0,0 +1,10 @@
+let {
+  x = "a";
+  y = "b";
+  f = {x ? y, y ? x}: x + y;
+  body = f {x = "c";} + f {y = "d";};
+}
diff --git a/test/testdata/eval-okay-scope-6.exp b/test/testdata/eval-okay-scope-6.exp
new file mode 100644
index 0000000..00ff03a
--- /dev/null
+++ b/test/testdata/eval-okay-scope-6.exp
@@ -0,0 +1 @@
+"ccdd"
diff --git a/test/testdata/eval-okay-scope-6.nix b/test/testdata/eval-okay-scope-6.nix
new file mode 100644
index 0000000..0995d4e
--- /dev/null
+++ b/test/testdata/eval-okay-scope-6.nix
@@ -0,0 +1,7 @@
+let {
+  f = {x ? y, y ? x}: x + y;
+  body = f {x = "c";} + f {y = "d";};
+}
diff --git a/test/testdata/eval-okay-scope-7.exp b/test/testdata/eval-okay-scope-7.exp
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/test/testdata/eval-okay-scope-7.exp
@@ -0,0 +1 @@
+1
diff --git a/test/testdata/eval-okay-scope-7.nix b/test/testdata/eval-okay-scope-7.nix
new file mode 100644
index 0000000..4da0296
--- /dev/null
+++ b/test/testdata/eval-okay-scope-7.nix
@@ -0,0 +1,6 @@
+rec {
+  inherit (x) y;
+  x = {
+    y = 1;
+  };
+}.y
diff --git a/test/testdata/eval-okay-search-path.exp b/test/testdata/eval-okay-search-path.exp
new file mode 100644
index 0000000..4519bc4
--- /dev/null
+++ b/test/testdata/eval-okay-search-path.exp
@@ -0,0 +1 @@
+"abccX"
diff --git a/test/testdata/eval-okay-search-path.flags b/test/testdata/eval-okay-search-path.flags
new file mode 100644
index 0000000..dfad1c6
--- /dev/null
+++ b/test/testdata/eval-okay-search-path.flags
@@ -0,0 +1 @@
+-I lang/dir1 -I lang/dir2 -I dir5=lang/dir3
diff --git a/test/testdata/eval-okay-search-path.nix b/test/testdata/eval-okay-search-path.nix
new file mode 100644
index 0000000..6fe33de
--- /dev/null
+++ b/test/testdata/eval-okay-search-path.nix
@@ -0,0 +1,10 @@
+with import ./lib.nix;
+with builtins;
+assert isFunction (import <nix/fetchurl.nix>);
+assert length __nixPath == 5;
+assert length (filter (x: baseNameOf x.path == "dir4") __nixPath) == 1;
+import <a.nix> + import <b.nix> + import <c.nix> + import <dir5/c.nix>
+  + (let __nixPath = [ { path = ./dir2; } { path = ./dir1; } ]; in import <a.nix>)
diff --git a/test/testdata/eval-okay-seq.exp b/test/testdata/eval-okay-seq.exp
new file mode 100644
index 0000000..0cfbf08
--- /dev/null
+++ b/test/testdata/eval-okay-seq.exp
@@ -0,0 +1 @@
+2
diff --git a/test/testdata/eval-okay-seq.nix b/test/testdata/eval-okay-seq.nix
new file mode 100644
index 0000000..0a9a21c
--- /dev/null
+++ b/test/testdata/eval-okay-seq.nix
@@ -0,0 +1 @@
+builtins.seq 1 2
diff --git a/test/testdata/eval-okay-sort.exp b/test/testdata/eval-okay-sort.exp
new file mode 100644
index 0000000..899119e
--- /dev/null
+++ b/test/testdata/eval-okay-sort.exp
@@ -0,0 +1 @@
+[ [ 42 77 147 249 483 526 ] [ 526 483 249 147 77 42 ] [ "bar" "fnord" "foo" "xyzzy" ] [ { key = 1; value = "foo"; } { key = 1; value = "fnord"; } { key = 2; value = "bar"; } ] [ [ ] [ ] [ 1 ] [ 1 4 ] [ 1 5 ] [ 1 6 ] [ 2 ] [ 2 3 ] [ 3 ] [ 3 ] ] ]
diff --git a/test/testdata/eval-okay-sort.nix b/test/testdata/eval-okay-sort.nix
new file mode 100644
index 0000000..50aa78e
--- /dev/null
+++ b/test/testdata/eval-okay-sort.nix
@@ -0,0 +1,20 @@
+with builtins;
+[ (sort lessThan [ 483 249 526 147 42 77 ])
+  (sort (x: y: y < x) [ 483 249 526 147 42 77 ])
+  (sort lessThan [ "foo" "bar" "xyzzy" "fnord" ])
+  (sort (x: y: x.key < y.key)
+    [ { key = 1; value = "foo"; } { key = 2; value = "bar"; } { key = 1; value = "fnord"; } ])
+  (sort lessThan [
+    [ 1 6 ]
+    [ ]
+    [ 2 3 ]
+    [ 3 ]
+    [ 1 5 ]
+    [ 2 ]
+    [ 1 ]
+    [ ]
+    [ 1 4 ]
+    [ 3 ]
+  ])
+]
diff --git a/test/testdata/eval-okay-splitversion.exp b/test/testdata/eval-okay-splitversion.exp
new file mode 100644
index 0000000..153ceb8
--- /dev/null
+++ b/test/testdata/eval-okay-splitversion.exp
@@ -0,0 +1 @@
+[ "1" "2" "3" ]
diff --git a/test/testdata/eval-okay-splitversion.nix b/test/testdata/eval-okay-splitversion.nix
new file mode 100644
index 0000000..9e5c99d
--- /dev/null
+++ b/test/testdata/eval-okay-splitversion.nix
@@ -0,0 +1 @@
+builtins.splitVersion "1.2.3"
diff --git a/test/testdata/eval-okay-string.exp b/test/testdata/eval-okay-string.exp
new file mode 100644
index 0000000..63f650f
--- /dev/null
+++ b/test/testdata/eval-okay-string.exp
@@ -0,0 +1 @@
+"foobar/a/b/c/d/foo/xyzzy/foo.txt/../foo/x/yescape: \"quote\" \n \\end\nof\nlinefoobarblaatfoo$bar$\"$\"$"
diff --git a/test/testdata/eval-okay-string.nix b/test/testdata/eval-okay-string.nix
new file mode 100644
index 0000000..47cc989
--- /dev/null
+++ b/test/testdata/eval-okay-string.nix
@@ -0,0 +1,12 @@
+"foo" + "bar"
+  + toString (/a/b + /c/d)
+  + toString (/foo/bar + "/../xyzzy/." + "/foo.txt")
+  + ("/../foo" + toString /x/y)
+  + "escape: \"quote\" \n \\"
+  + "end
+of
+line"
+  + "foo${if true then "b${"a" + "r"}" else "xyzzy"}blaat"
+  + "foo$bar"
+  + "$\"$\""
+  + "$"
diff --git a/test/testdata/eval-okay-strings-as-attrs-names.exp b/test/testdata/eval-okay-strings-as-attrs-names.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-strings-as-attrs-names.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-strings-as-attrs-names.nix b/test/testdata/eval-okay-strings-as-attrs-names.nix
new file mode 100644
index 0000000..5e40928
--- /dev/null
+++ b/test/testdata/eval-okay-strings-as-attrs-names.nix
@@ -0,0 +1,20 @@
+let
+  attr = {
+    "key 1" = "test";
+    "key 2" = "caseok";
+  };
+  t1 = builtins.getAttr "key 1" attr;
+  t2 = attr."key 2";
+  t3 = attr ? "key 1";
+  t4 = builtins.attrNames { inherit (attr) "key 1"; };
+  # This is permitted, but there is currently no way to reference this
+  # variable.
+  "foo bar" = 1;
+in t1 == "test"
+   && t2 == "caseok"
+   && t3 == true
+   && t4 == ["key 1"]
diff --git a/test/testdata/eval-okay-substring-context.exp b/test/testdata/eval-okay-substring-context.exp
new file mode 100644
index 0000000..2fe7f71
--- /dev/null
+++ b/test/testdata/eval-okay-substring-context.exp
@@ -0,0 +1 @@
+"okay"
diff --git a/test/testdata/eval-okay-substring-context.nix b/test/testdata/eval-okay-substring-context.nix
new file mode 100644
index 0000000..d0ef70d
--- /dev/null
+++ b/test/testdata/eval-okay-substring-context.nix
@@ -0,0 +1,11 @@
+with builtins;
+let
+  s = "${builtins.derivation { name = "test"; builder = "/bin/sh"; system = "x86_64-linux"; }}";
+in
+if getContext s == getContext "${substring 0 0 s + unsafeDiscardStringContext s}"
+then "okay"
+else throw "empty substring should preserve context"
diff --git a/test/testdata/eval-okay-substring.exp b/test/testdata/eval-okay-substring.exp
new file mode 100644
index 0000000..f48b462
--- /dev/null
+++ b/test/testdata/eval-okay-substring.exp
@@ -0,0 +1 @@
+"ooxfoobarybarzobaabbc_bad"
diff --git a/test/testdata/eval-okay-substring.nix b/test/testdata/eval-okay-substring.nix
new file mode 100644
index 0000000..54c97e1
--- /dev/null
+++ b/test/testdata/eval-okay-substring.nix
@@ -0,0 +1,23 @@
+with builtins;
+let
+  s = "foobar";
+in
+substring 1 2 s
+ "x"
+ substring 0 (stringLength s) s
+ "y"
+ substring 3 100 s
+ "z"
+ substring 2 (sub (stringLength s) 3) s
+ "a"
+ substring 3 0 s
+ "b"
+ substring 3 1 s
+ "c"
+ substring 5 10 "perl"
+ "_"
+ substring 3 (-1) "tebbad"
diff --git a/test/testdata/eval-okay-symlink-resolution.exp b/test/testdata/eval-okay-symlink-resolution.exp
new file mode 100644
index 0000000..8b8441b
--- /dev/null
+++ b/test/testdata/eval-okay-symlink-resolution.exp
@@ -0,0 +1 @@
+"test"
diff --git a/test/testdata/eval-okay-symlink-resolution.nix b/test/testdata/eval-okay-symlink-resolution.nix
new file mode 100644
index 0000000..ffb1818
--- /dev/null
+++ b/test/testdata/eval-okay-symlink-resolution.nix
@@ -0,0 +1 @@
+import symlink-resolution/foo/overlays/overlay.nix
diff --git a/test/testdata/eval-okay-tail-call-1.exp-disabled b/test/testdata/eval-okay-tail-call-1.exp-disabled
new file mode 100644
index 0000000..f7393e8
--- /dev/null
+++ b/test/testdata/eval-okay-tail-call-1.exp-disabled
@@ -0,0 +1 @@
+100000
diff --git a/test/testdata/eval-okay-tail-call-1.nix b/test/testdata/eval-okay-tail-call-1.nix
new file mode 100644
index 0000000..a3962ce
--- /dev/null
+++ b/test/testdata/eval-okay-tail-call-1.nix
@@ -0,0 +1,3 @@
+let
+  f = n: if n == 100000 then n else f (n + 1);
+in f 0
diff --git a/test/testdata/eval-okay-tojson.exp b/test/testdata/eval-okay-tojson.exp
new file mode 100644
index 0000000..e92aae3
--- /dev/null
+++ b/test/testdata/eval-okay-tojson.exp
@@ -0,0 +1 @@
+"{\"a\":123,\"b\":-456,\"c\":\"foo\",\"d\":\"foo\\n\\\"bar\\\"\",\"e\":true,\"f\":false,\"g\":[1,2,3],\"h\":[\"a\",[\"b\",{\"foo\\nbar\":{}}]],\"i\":3,\"j\":1.44,\"k\":\"foo\"}"
diff --git a/test/testdata/eval-okay-tojson.nix b/test/testdata/eval-okay-tojson.nix
new file mode 100644
index 0000000..ce67943
--- /dev/null
+++ b/test/testdata/eval-okay-tojson.nix
@@ -0,0 +1,13 @@
+builtins.toJSON
+  { a = 123;
+    b = -456;
+    c = "foo";
+    d = "foo\n\"bar\"";
+    e = true;
+    f = false;
+    g = [ 1 2 3 ];
+    h = [ "a" [ "b" { "foo\nbar" = {}; } ] ];
+    i = 1 + 2;
+    j = 1.44;
+    k = { __toString = self: self.a; a = "foo"; };
+  }
diff --git a/test/testdata/eval-okay-toxml.exp b/test/testdata/eval-okay-toxml.exp
new file mode 100644
index 0000000..8282208
--- /dev/null
+++ b/test/testdata/eval-okay-toxml.exp
@@ -0,0 +1 @@
+"<?xml version='1.0' encoding='utf-8'?>\n<expr>\n  <attrs>\n    <attr name=\"a\">\n      <string value=\"s\" />\n    </attr>\n  </attrs>\n</expr>\n"
diff --git a/test/testdata/eval-okay-toxml.nix b/test/testdata/eval-okay-toxml.nix
new file mode 100644
index 0000000..068c97a
--- /dev/null
+++ b/test/testdata/eval-okay-toxml.nix
@@ -0,0 +1,3 @@
+# Make sure the expected XML output is produced; in particular, make sure it
+# doesn't contain source location information.
+builtins.toXML { a = "s"; }
diff --git a/test/testdata/eval-okay-toxml2.exp b/test/testdata/eval-okay-toxml2.exp
new file mode 100644
index 0000000..634a841
--- /dev/null
+++ b/test/testdata/eval-okay-toxml2.exp
@@ -0,0 +1 @@
+"<?xml version='1.0' encoding='utf-8'?>\n<expr>\n  <list>\n    <string value=\"ab\" />\n    <int value=\"10\" />\n    <attrs>\n      <attr name=\"x\">\n        <string value=\"x\" />\n      </attr>\n      <attr name=\"y\">\n        <string value=\"x\" />\n      </attr>\n    </attrs>\n  </list>\n</expr>\n"
diff --git a/test/testdata/eval-okay-toxml2.nix b/test/testdata/eval-okay-toxml2.nix
new file mode 100644
index 0000000..ff1791b
--- /dev/null
+++ b/test/testdata/eval-okay-toxml2.nix
@@ -0,0 +1 @@
+builtins.toXML [("a" + "b") 10 (rec {x = "x"; y = x;})]
diff --git a/test/testdata/eval-okay-tryeval.exp b/test/testdata/eval-okay-tryeval.exp
new file mode 100644
index 0000000..2b2e6fa
--- /dev/null
+++ b/test/testdata/eval-okay-tryeval.exp
@@ -0,0 +1 @@
+{ x = { success = true; value = "x"; }; y = { success = false; value = false; }; z = { success = false; value = false; }; }
diff --git a/test/testdata/eval-okay-tryeval.nix b/test/testdata/eval-okay-tryeval.nix
new file mode 100644
index 0000000..629bc44
--- /dev/null
+++ b/test/testdata/eval-okay-tryeval.nix
@@ -0,0 +1,5 @@
+{
+  x = builtins.tryEval "x";
+  y = builtins.tryEval (assert false; "y");
+  z = builtins.tryEval (throw "bla");
+}
diff --git a/test/testdata/eval-okay-types.exp b/test/testdata/eval-okay-types.exp
new file mode 100644
index 0000000..92a1532
--- /dev/null
+++ b/test/testdata/eval-okay-types.exp
@@ -0,0 +1 @@
+[ true false true false true false true false true true true true true true true true true true true false true true true false "int" "bool" "string" "null" "set" "list" "lambda" "lambda" "lambda" "lambda" ]
diff --git a/test/testdata/eval-okay-types.nix b/test/testdata/eval-okay-types.nix
new file mode 100644
index 0000000..9b58be5
--- /dev/null
+++ b/test/testdata/eval-okay-types.nix
@@ -0,0 +1,37 @@
+with builtins;
+[ (isNull null)
+  (isNull (x: x))
+  (isFunction (x: x))
+  (isFunction "fnord")
+  (isString ("foo" + "bar"))
+  (isString [ "x" ])
+  (isInt (1 + 2))
+  (isInt { x = 123; })
+  (isInt (1 / 2))
+  (isInt (1 + 1))
+  (isInt (1 / 2))
+  (isInt (1 * 2))
+  (isInt (1 - 2))
+  (isFloat (1.2))
+  (isFloat (1 + 1.0))
+  (isFloat (1 / 2.0))
+  (isFloat (1 * 2.0))
+  (isFloat (1 - 2.0))
+  (isBool (true && false))
+  (isBool null)
+  (isPath /nix/store)
+  (isPath ./.)
+  (isAttrs { x = 123; })
+  (isAttrs null)
+  (typeOf (3 * 4))
+  (typeOf true)
+  (typeOf "xyzzy")
+  (typeOf null)
+  (typeOf { x = 456; })
+  (typeOf [ 1 2 3 ])
+  (typeOf (x: x))
+  (typeOf ((x: y: x) 1))
+  (typeOf map)
+  (typeOf (map (x: x)))
+]
diff --git a/test/testdata/eval-okay-versions.exp b/test/testdata/eval-okay-versions.exp
new file mode 100644
index 0000000..27ba77d
--- /dev/null
+++ b/test/testdata/eval-okay-versions.exp
@@ -0,0 +1 @@
+true
diff --git a/test/testdata/eval-okay-versions.nix b/test/testdata/eval-okay-versions.nix
new file mode 100644
index 0000000..e9111f5
--- /dev/null
+++ b/test/testdata/eval-okay-versions.nix
@@ -0,0 +1,43 @@
+let
+  name1 = "hello-1.0.2";
+  name2 = "hello";
+  name3 = "915resolution-0.5.2";
+  name4 = "xf86-video-i810-1.7.4";
+  name5 = "name-that-ends-with-dash--1.0";
+  eq = 0;
+  lt = builtins.sub 0 1;
+  gt = 1;
+  versionTest = v1: v2: expected:
+    let d1 = builtins.compareVersions v1 v2;
+        d2 = builtins.compareVersions v2 v1;
+    in d1 == builtins.sub 0 d2 && d1 == expected;
+  tests = [
+    ((builtins.parseDrvName name1).name == "hello")
+    ((builtins.parseDrvName name1).version == "1.0.2")
+    ((builtins.parseDrvName name2).name == "hello")
+    ((builtins.parseDrvName name2).version == "")
+    ((builtins.parseDrvName name3).name == "915resolution")
+    ((builtins.parseDrvName name3).version == "0.5.2")
+    ((builtins.parseDrvName name4).name == "xf86-video-i810")
+    ((builtins.parseDrvName name4).version == "1.7.4")
+    ((builtins.parseDrvName name5).name == "name-that-ends-with-dash")
+    ((builtins.parseDrvName name5).version == "-1.0")
+    (versionTest "1.0" "2.3" lt)
+    (versionTest "2.1" "2.3" lt)
+    (versionTest "2.3" "2.3" eq)
+    (versionTest "2.5" "2.3" gt)
+    (versionTest "3.1" "2.3" gt)
+    (versionTest "2.3.1" "2.3" gt)
+    (versionTest "2.3.1" "2.3a" gt)
+    (versionTest "2.3pre1" "2.3" lt)
+    (versionTest "2.3pre3" "2.3pre12" lt)
+    (versionTest "2.3a" "2.3c" lt)
+    (versionTest "2.3pre1" "2.3c" lt)
+    (versionTest "2.3pre1" "2.3q" lt)
+  ];
+in (import ./lib.nix).and tests
diff --git a/test/testdata/eval-okay-with.exp b/test/testdata/eval-okay-with.exp
new file mode 100644
index 0000000..378c8dc
--- /dev/null
+++ b/test/testdata/eval-okay-with.exp
@@ -0,0 +1 @@
+"xyzzybarxyzzybar"
diff --git a/test/testdata/eval-okay-with.nix b/test/testdata/eval-okay-with.nix
new file mode 100644
index 0000000..033e8d3
--- /dev/null
+++ b/test/testdata/eval-okay-with.nix
@@ -0,0 +1,19 @@
+let {
+  a = "xyzzy";
+  as = {
+    a = "foo";
+    b = "bar";
+  };
+  bs = {
+    a = "bar";
+  };
+  x = with as; a + b;
+  y = with as; with bs; a + b;
+  body = x + y;
+}
diff --git a/test/testdata/eval-okay-xml.exp.xml b/test/testdata/eval-okay-xml.exp.xml
new file mode 100644
index 0000000..2009932
--- /dev/null
+++ b/test/testdata/eval-okay-xml.exp.xml
@@ -0,0 +1,52 @@
+<?xml version='1.0' encoding='utf-8'?>
+<expr>
+  <attrs>
+    <attr name="a">
+      <string value="foo" />
+    </attr>
+    <attr name="at">
+      <function>
+        <attrspat name="args">
+          <attr name="x" />
+          <attr name="y" />
+          <attr name="z" />
+        </attrspat>
+      </function>
+    </attr>
+    <attr name="b">
+      <string value="bar" />
+    </attr>
+    <attr name="c">
+      <string value="foobar" />
+    </attr>
+    <attr name="ellipsis">
+      <function>
+        <attrspat ellipsis="1">
+          <attr name="x" />
+          <attr name="y" />
+          <attr name="z" />
+        </attrspat>
+      </function>
+    </attr>
+    <attr name="f">
+      <function>
+        <attrspat>
+          <attr name="x" />
+          <attr name="y" />
+          <attr name="z" />
+        </attrspat>
+      </function>
+    </attr>
+    <attr name="id">
+      <function>
+        <varpat name="x" />
+      </function>
+    </attr>
+    <attr name="x">
+      <int value="123" />
+    </attr>
+    <attr name="y">
+      <float value="567.89" />
+    </attr>
+  </attrs>
+</expr>
diff --git a/test/testdata/eval-okay-xml.nix b/test/testdata/eval-okay-xml.nix
new file mode 100644
index 0000000..9ee9f8a
--- /dev/null
+++ b/test/testdata/eval-okay-xml.nix
@@ -0,0 +1,21 @@
+rec {
+  x = 123;
+  y = 567.890;
+  a = "foo";
+  b = "bar";
+  c = "foo" + "bar";
+  f = {z, x, y}: if y then x else z;
+  id = x: x;
+  at = args@{x, y, z}: x;
+  ellipsis = {x, y, z, ...}: x;
+}
diff --git a/test/testdata/eval-okay-zipAttrsWith.exp b/test/testdata/eval-okay-zipAttrsWith.exp
new file mode 100644
index 0000000..9c0b15d
--- /dev/null
+++ b/test/testdata/eval-okay-zipAttrsWith.exp
@@ -0,0 +1 @@
+{ "0" = { n = "0"; v = [ 5 23 29 ]; }; "1" = { n = "1"; v = [ 7 30 ]; }; "2" = { n = "2"; v = [ 18 ]; }; "4" = { n = "4"; v = [ 10 ]; }; "5" = { n = "5"; v = [ 15 25 26 31 ]; }; "6" = { n = "6"; v = [ 3 14 ]; }; "7" = { n = "7"; v = [ 12 ]; }; "8" = { n = "8"; v = [ 2 6 8 9 ]; }; "9" = { n = "9"; v = [ 0 16 ]; }; a = { n = "a"; v = [ 17 21 22 27 ]; }; c = { n = "c"; v = [ 11 24 ]; }; d = { n = "d"; v = [ 4 13 28 ]; }; e = { n = "e"; v = [ 20 ]; }; f = { n = "f"; v = [ 1 19 ]; }; }
diff --git a/test/testdata/eval-okay-zipAttrsWith.nix b/test/testdata/eval-okay-zipAttrsWith.nix
new file mode 100644
index 0000000..877d4e5
--- /dev/null
+++ b/test/testdata/eval-okay-zipAttrsWith.nix
@@ -0,0 +1,9 @@
+with import ./lib.nix;
+let
+  str = builtins.hashString "sha256" "test";
+in
+builtins.zipAttrsWith
+  (n: v: { inherit n v; })
+  (map (n: { ${builtins.substring n 1 str} = n; })
+    (range 0 31))
diff --git a/test/testdata/importdef.sexp b/test/testdata/importdef.sexp
new file mode 100644
index 0000000..bf8debb
--- /dev/null
+++ b/test/testdata/importdef.sexp
@@ -0,0 +1 @@
+(deps ./lib.nix)
diff --git a/test/testdata/imported.nix b/test/testdata/imported.nix
new file mode 100644
index 0000000..fb39ee4
--- /dev/null
+++ b/test/testdata/imported.nix
@@ -0,0 +1,3 @@
+# The function ‘range’ comes from lib.nix and was added to the lexical
+# scope by scopedImport.
+range 1 5 ++ import ./imported2.nix
diff --git a/test/testdata/imported2.nix b/test/testdata/imported2.nix
new file mode 100644
index 0000000..6d0a299
--- /dev/null
+++ b/test/testdata/imported2.nix
@@ -0,0 +1 @@
+range 6 10
diff --git a/test/testdata/lib.nix b/test/testdata/lib.nix
new file mode 100644
index 0000000..028a538
--- /dev/null
+++ b/test/testdata/lib.nix
@@ -0,0 +1,61 @@
+with builtins;
+rec {
+  fold = op: nul: list:
+    if list == []
+    then nul
+    else op (head list) (fold op nul (tail list));
+  concat =
+    fold (x: y: x + y) "";
+  and = fold (x: y: x && y) true;
+  flatten = x:
+    if isList x
+    then fold (x: y: (flatten x) ++ y) [] x
+    else [x];
+  sum = foldl' (x: y: add x y) 0;
+  hasSuffix = ext: fileName:
+    let lenFileName = stringLength fileName;
+        lenExt = stringLength ext;
+    in !(lessThan lenFileName lenExt) &&
+       substring (sub lenFileName lenExt) lenFileName fileName == ext;
+  # Split a list at the given position.
+  splitAt = pos: list:
+    if pos == 0 then {first = []; second = list;} else
+    if list == [] then {first = []; second = [];} else
+    let res = splitAt (sub pos 1) (tail list);
+    in {first = [(head list)] ++ res.first; second = res.second;};
+  # Stable merge sort.
+  sortBy = comp: list:
+    if lessThan 1 (length list)
+    then
+      let
+        split = splitAt (div (length list) 2) list;
+        first = sortBy comp split.first;
+        second = sortBy comp split.second;
+      in mergeLists comp first second
+    else list;
+  mergeLists = comp: list1: list2:
+    if list1 == [] then list2 else
+    if list2 == [] then list1 else
+    if comp (head list2) (head list1) then [(head list2)] ++ mergeLists comp list1 (tail list2) else
+    [(head list1)] ++ mergeLists comp (tail list1) list2;
+  id = x: x;
+  const = x: y: x;
+  range = first: last:
+    if first > last
+      then []
+      else genList (n: first + n) (last - first + 1);
+}
diff --git a/test/testdata/non-eval-fail-bad-drvPath.nix b/test/testdata/non-eval-fail-bad-drvPath.nix
new file mode 100644
index 0000000..23639bc
--- /dev/null
+++ b/test/testdata/non-eval-fail-bad-drvPath.nix
@@ -0,0 +1,14 @@
+let
+  package = {
+    type = "derivation";
+    name = "cachix-1.7.3";
+    system = builtins.currentSystem;
+    outputs = [ "out" ];
+    # Illegal, because does not end in `.drv`
+    drvPath = "${builtins.storeDir}/8qlfcic10lw5304gqm8q45nr7g7jl62b-cachix-1.7.3-bin";
+    outputName = "out";
+    outPath = "${builtins.storeDir}/8qlfcic10lw5304gqm8q45nr7g7jl62b-cachix-1.7.3-bin";
+    out = package;
+  };
+in
+package
diff --git a/test/testdata/parse-fail-dup-attrs-1.err.exp b/test/testdata/parse-fail-dup-attrs-1.err.exp
new file mode 100644
index 0000000..ffb5198
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-1.err.exp
@@ -0,0 +1,6 @@
+error: attribute 'x' already defined at «stdin»:1:3
+       at «stdin»:3:3:
+            2|   y = 456;
+            3|   x = 789;
+             |   ^
+            4| }
diff --git a/test/testdata/parse-fail-dup-attrs-1.nix b/test/testdata/parse-fail-dup-attrs-1.nix
new file mode 100644
index 0000000..2c02317
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-1.nix
@@ -0,0 +1,4 @@
+{ x = 123;
+  y = 456;
+  x = 789;
+}
diff --git a/test/testdata/parse-fail-dup-attrs-2.err.exp b/test/testdata/parse-fail-dup-attrs-2.err.exp
new file mode 100644
index 0000000..3105e60
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-2.err.exp
@@ -0,0 +1,6 @@
+error: attribute 'x' already defined at «stdin»:9:5
+       at «stdin»:10:18:
+            9|     x = 789;
+           10|     inherit (as) x;
+             |                  ^
+           11|   };
diff --git a/test/testdata/parse-fail-dup-attrs-2.nix b/test/testdata/parse-fail-dup-attrs-2.nix
new file mode 100644
index 0000000..864d986
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-2.nix
@@ -0,0 +1,13 @@
+let {
+  as = {
+    x = 123;
+    y = 456;
+  };
+  bs = {
+    x = 789;
+    inherit (as) x;
+  };
+  
+}
diff --git a/test/testdata/parse-fail-dup-attrs-3.err.exp b/test/testdata/parse-fail-dup-attrs-3.err.exp
new file mode 100644
index 0000000..3105e60
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-3.err.exp
@@ -0,0 +1,6 @@
+error: attribute 'x' already defined at «stdin»:9:5
+       at «stdin»:10:18:
+            9|     x = 789;
+           10|     inherit (as) x;
+             |                  ^
+           11|   };
diff --git a/test/testdata/parse-fail-dup-attrs-3.nix b/test/testdata/parse-fail-dup-attrs-3.nix
new file mode 100644
index 0000000..114d197
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-3.nix
@@ -0,0 +1,13 @@
+let {
+  as = {
+    x = 123;
+    y = 456;
+  };
+  bs = rec {
+    x = 789;
+    inherit (as) x;
+  };
+  
+}
diff --git a/test/testdata/parse-fail-dup-attrs-4.err.exp b/test/testdata/parse-fail-dup-attrs-4.err.exp
new file mode 100644
index 0000000..c98a8f8
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-4.err.exp
@@ -0,0 +1,6 @@
+error: attribute 'services.ssh.port' already defined at «stdin»:2:3
+       at «stdin»:3:3:
+            2|   services.ssh.port = 22;
+            3|   services.ssh.port = 23;
+             |   ^
+            4| }
diff --git a/test/testdata/parse-fail-dup-attrs-4.nix b/test/testdata/parse-fail-dup-attrs-4.nix
new file mode 100644
index 0000000..7741743
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-4.nix
@@ -0,0 +1,4 @@
+{
+  services.ssh.port = 22;
+  services.ssh.port = 23;
+}
diff --git a/test/testdata/parse-fail-dup-attrs-7.err.exp b/test/testdata/parse-fail-dup-attrs-7.err.exp
new file mode 100644
index 0000000..4e0a48e
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-7.err.exp
@@ -0,0 +1,6 @@
+error: attribute 'x' already defined at «stdin»:6:13
+       at «stdin»:7:13:
+            6|     inherit x;
+            7|     inherit x;
+             |             ^
+            8|   };
diff --git a/test/testdata/parse-fail-dup-attrs-7.nix b/test/testdata/parse-fail-dup-attrs-7.nix
new file mode 100644
index 0000000..bbc3eb0
--- /dev/null
+++ b/test/testdata/parse-fail-dup-attrs-7.nix
@@ -0,0 +1,9 @@
+rec {
+  x = 1;
+  as = {
+    inherit x;
+    inherit x;
+  };
+}
+\ No newline at end of file
diff --git a/test/testdata/parse-fail-dup-formals.err.exp b/test/testdata/parse-fail-dup-formals.err.exp
new file mode 100644
index 0000000..d7c7e02
--- /dev/null
+++ b/test/testdata/parse-fail-dup-formals.err.exp
@@ -0,0 +1,4 @@
+error: duplicate formal function argument 'x'
+       at «stdin»:1:8:
+            1| {x, y, x}: x
+             |        ^
diff --git a/test/testdata/parse-fail-dup-formals.nix b/test/testdata/parse-fail-dup-formals.nix
new file mode 100644
index 0000000..a0edd91
--- /dev/null
+++ b/test/testdata/parse-fail-dup-formals.nix
@@ -0,0 +1 @@
+{x, y, x}: x
+\ No newline at end of file
diff --git a/test/testdata/parse-fail-eof-in-string.err.exp b/test/testdata/parse-fail-eof-in-string.err.exp
new file mode 100644
index 0000000..17f34b6
--- /dev/null
+++ b/test/testdata/parse-fail-eof-in-string.err.exp
@@ -0,0 +1,5 @@
+error: syntax error, unexpected end of file, expecting '"'
+       at «stdin»:3:6:
+            2| # Note that this file must not end with a newline.
+            3| a 1"$
+             |      ^
diff --git a/test/testdata/parse-fail-eof-in-string.nix b/test/testdata/parse-fail-eof-in-string.nix
new file mode 100644
index 0000000..19775d2
--- /dev/null
+++ b/test/testdata/parse-fail-eof-in-string.nix
@@ -0,0 +1,3 @@
+# https://github.com/NixOS/nix/issues/6562
+# Note that this file must not end with a newline.
+a 1"$
+\ No newline at end of file
diff --git a/test/testdata/parse-fail-eof-pos.err.exp b/test/testdata/parse-fail-eof-pos.err.exp
new file mode 100644
index 0000000..ef9ca38
--- /dev/null
+++ b/test/testdata/parse-fail-eof-pos.err.exp
@@ -0,0 +1,5 @@
+error: syntax error, unexpected end of file
+       at «stdin»:3:1:
+            2| # no content
+            3|
+             | ^
diff --git a/test/testdata/parse-fail-eof-pos.nix b/test/testdata/parse-fail-eof-pos.nix
new file mode 100644
index 0000000..bd66a2c
--- /dev/null
+++ b/test/testdata/parse-fail-eof-pos.nix
@@ -0,0 +1,2 @@
+(
+# no content
diff --git a/test/testdata/parse-fail-mixed-nested-attrs1.err.exp b/test/testdata/parse-fail-mixed-nested-attrs1.err.exp
new file mode 100644
index 0000000..a447215
--- /dev/null
+++ b/test/testdata/parse-fail-mixed-nested-attrs1.err.exp
@@ -0,0 +1,6 @@
+error: attribute 'z' already defined at «stdin»:3:16
+       at «stdin»:2:3:
+            1| {
+            2|   x.z = 3;
+             |   ^
+            3|   x = { y = 3; z = 3; };
diff --git a/test/testdata/parse-fail-mixed-nested-attrs1.nix b/test/testdata/parse-fail-mixed-nested-attrs1.nix
new file mode 100644
index 0000000..11e40e6
--- /dev/null
+++ b/test/testdata/parse-fail-mixed-nested-attrs1.nix
@@ -0,0 +1,4 @@
+{ 
+  x.z = 3; 
+  x = { y = 3; z = 3; }; 
+}
diff --git a/test/testdata/parse-fail-mixed-nested-attrs2.err.exp b/test/testdata/parse-fail-mixed-nested-attrs2.err.exp
new file mode 100644
index 0000000..ead1f0d
--- /dev/null
+++ b/test/testdata/parse-fail-mixed-nested-attrs2.err.exp
@@ -0,0 +1,6 @@
+error: attribute 'y' already defined at «stdin»:3:9
+       at «stdin»:2:3:
+            1| {
+            2|   x.y.y = 3;
+             |   ^
+            3|   x = { y.y= 3; z = 3; };
diff --git a/test/testdata/parse-fail-mixed-nested-attrs2.nix b/test/testdata/parse-fail-mixed-nested-attrs2.nix
new file mode 100644
index 0000000..17da82e
--- /dev/null
+++ b/test/testdata/parse-fail-mixed-nested-attrs2.nix
@@ -0,0 +1,4 @@
+{ 
+  x.y.y = 3; 
+  x = { y.y= 3; z = 3; }; 
+}
diff --git a/test/testdata/parse-fail-patterns-1.err.exp b/test/testdata/parse-fail-patterns-1.err.exp
new file mode 100644
index 0000000..6ba39d8
--- /dev/null
+++ b/test/testdata/parse-fail-patterns-1.err.exp
@@ -0,0 +1,5 @@
+error: duplicate formal function argument 'args'
+       at «stdin»:1:1:
+            1| args@{args, x, y, z}: x
+             | ^
+            2|
diff --git a/test/testdata/parse-fail-patterns-1.nix b/test/testdata/parse-fail-patterns-1.nix
new file mode 100644
index 0000000..7b40616
--- /dev/null
+++ b/test/testdata/parse-fail-patterns-1.nix
@@ -0,0 +1 @@
+args@{args, x, y, z}: x
diff --git a/test/testdata/parse-fail-regression-20060610.err.exp b/test/testdata/parse-fail-regression-20060610.err.exp
new file mode 100644
index 0000000..6ae7c01
--- /dev/null
+++ b/test/testdata/parse-fail-regression-20060610.err.exp
@@ -0,0 +1,6 @@
+error: undefined variable 'gcc'
+       at «stdin»:9:13:
+            8|   body = ({
+            9|     inherit gcc;
+             |             ^
+           10|   }).gcc;
diff --git a/test/testdata/parse-fail-regression-20060610.nix b/test/testdata/parse-fail-regression-20060610.nix
new file mode 100644
index 0000000..b1934f7
--- /dev/null
+++ b/test/testdata/parse-fail-regression-20060610.nix
@@ -0,0 +1,11 @@
+let {
+  x =
+    {gcc}:
+    {
+      inherit gcc;
+    };
+  body = ({
+    inherit gcc;
+  }).gcc;
+}
diff --git a/test/testdata/parse-fail-undef-var-2.err.exp b/test/testdata/parse-fail-undef-var-2.err.exp
new file mode 100644
index 0000000..96e87b2
--- /dev/null
+++ b/test/testdata/parse-fail-undef-var-2.err.exp
@@ -0,0 +1,6 @@
+error: syntax error, unexpected ':', expecting '}' or ','
+       at «stdin»:3:13:
+            2|
+            3|   f = {x, y : ["baz" "bar" z "bat"]}: x + y;
+             |             ^
+            4|
diff --git a/test/testdata/parse-fail-undef-var-2.nix b/test/testdata/parse-fail-undef-var-2.nix
new file mode 100644
index 0000000..c10a52b
--- /dev/null
+++ b/test/testdata/parse-fail-undef-var-2.nix
@@ -0,0 +1,7 @@
+let {
+  f = {x, y : ["baz" "bar" z "bat"]}: x + y;
+  body = f {x = "foo"; y = "bar";};
+}
diff --git a/test/testdata/parse-fail-undef-var.err.exp b/test/testdata/parse-fail-undef-var.err.exp
new file mode 100644
index 0000000..3d143d9
--- /dev/null
+++ b/test/testdata/parse-fail-undef-var.err.exp
@@ -0,0 +1,5 @@
+error: undefined variable 'y'
+       at «stdin»:1:4:
+            1| x: y
+             |    ^
+            2|
diff --git a/test/testdata/parse-fail-undef-var.nix b/test/testdata/parse-fail-undef-var.nix
new file mode 100644
index 0000000..7b63008
--- /dev/null
+++ b/test/testdata/parse-fail-undef-var.nix
@@ -0,0 +1 @@
+x: y
diff --git a/test/testdata/parse-fail-utf8.err.exp b/test/testdata/parse-fail-utf8.err.exp
new file mode 100644
index 0000000..1c83f6e
--- /dev/null
+++ b/test/testdata/parse-fail-utf8.err.exp
@@ -0,0 +1,5 @@
+error: syntax error, unexpected invalid token, expecting end of file
+       at «stdin»:1:5:
+            1| 123 é 4
+             |     ^
+            2|
diff --git a/test/testdata/parse-fail-utf8.nix b/test/testdata/parse-fail-utf8.nix
new file mode 100644
index 0000000..34948d4
--- /dev/null
+++ b/test/testdata/parse-fail-utf8.nix
@@ -0,0 +1 @@
+123 é 4
diff --git a/test/testdata/parse-okay-1.exp b/test/testdata/parse-okay-1.exp
new file mode 100644
index 0000000..d5ab5f1
--- /dev/null
+++ b/test/testdata/parse-okay-1.exp
@@ -0,0 +1 @@
+({ x, y, z }: ((x + y) + z))
diff --git a/test/testdata/parse-okay-1.nix b/test/testdata/parse-okay-1.nix
new file mode 100644
index 0000000..23a58ed
--- /dev/null
+++ b/test/testdata/parse-okay-1.nix
@@ -0,0 +1 @@
+{x, y, z}: x + y + z
diff --git a/test/testdata/parse-okay-crlf.exp b/test/testdata/parse-okay-crlf.exp
new file mode 100644
index 0000000..4213609
--- /dev/null
+++ b/test/testdata/parse-okay-crlf.exp
@@ -0,0 +1 @@
+rec { foo = "multi\nline\n  string\n  test\r"; x = y; y = 123; z = 456; }
diff --git a/test/testdata/parse-okay-crlf.nix b/test/testdata/parse-okay-crlf.nix
new file mode 100644
index 0000000..21518d4
--- /dev/null
+++ b/test/testdata/parse-okay-crlf.nix
@@ -0,0 +1,17 @@
+rec {
+  /* Dit is
+  een test. */
+  x = 
+  # Dit is een test.
+y;
+  
+  y = 123;
+  # CR or CR/LF (but not explicit \r's) in strings should be
+  # translated to LF.
+  foo = "multi
+line
+  string
+  test\r";
+  z = 456;
+}
diff --git a/test/testdata/parse-okay-dup-attrs-5.exp b/test/testdata/parse-okay-dup-attrs-5.exp
new file mode 100644
index 0000000..88b0b03
--- /dev/null
+++ b/test/testdata/parse-okay-dup-attrs-5.exp
@@ -0,0 +1 @@
+{ services = { ssh = { enable = true; port = 23; }; }; }
diff --git a/test/testdata/parse-okay-dup-attrs-5.nix b/test/testdata/parse-okay-dup-attrs-5.nix
new file mode 100644
index 0000000..f4b9efd
--- /dev/null
+++ b/test/testdata/parse-okay-dup-attrs-5.nix
@@ -0,0 +1,4 @@
+{
+  services.ssh = { enable = true; };
+  services.ssh.port = 23;
+}
diff --git a/test/testdata/parse-okay-dup-attrs-6.exp b/test/testdata/parse-okay-dup-attrs-6.exp
new file mode 100644
index 0000000..88b0b03
--- /dev/null
+++ b/test/testdata/parse-okay-dup-attrs-6.exp
@@ -0,0 +1 @@
+{ services = { ssh = { enable = true; port = 23; }; }; }
diff --git a/test/testdata/parse-okay-dup-attrs-6.nix b/test/testdata/parse-okay-dup-attrs-6.nix
new file mode 100644
index 0000000..ae6d7a7
--- /dev/null
+++ b/test/testdata/parse-okay-dup-attrs-6.nix
@@ -0,0 +1,4 @@
+{
+  services.ssh.port = 23;
+  services.ssh = { enable = true; };
+}
diff --git a/test/testdata/parse-okay-ind-string.exp b/test/testdata/parse-okay-ind-string.exp
new file mode 100644
index 0000000..82e9940
--- /dev/null
+++ b/test/testdata/parse-okay-ind-string.exp
@@ -0,0 +1 @@
+(let string = "str"; in [ (/some/path) ((/some/path)) ((/some/path)) ((/some/path + "\n    end")) (string) ((string)) ((string)) ((string + "\n    end")) ("") ("") ("end") ])
diff --git a/test/testdata/parse-okay-ind-string.nix b/test/testdata/parse-okay-ind-string.nix
new file mode 100644
index 0000000..97c9de3
--- /dev/null
+++ b/test/testdata/parse-okay-ind-string.nix
@@ -0,0 +1,31 @@
+let
+  string = "str";
+in [
+  /some/path
+  ''${/some/path}''
+  ''
+    ${/some/path}''
+  ''${/some/path}
+    end''
+  string
+  ''${string}''
+  ''
+    ${string}''
+  ''${string}
+    end''
+  ''''
+  ''
+  ''
+  ''
+    end''
+]
diff --git a/test/testdata/parse-okay-inherits.exp b/test/testdata/parse-okay-inherits.exp
new file mode 100644
index 0000000..1355527
--- /dev/null
+++ b/test/testdata/parse-okay-inherits.exp
@@ -0,0 +1 @@
+(let b = 2; c = { }; in { inherit b; inherit (c) d e; a = 1; f = 3; })
diff --git a/test/testdata/parse-okay-inherits.nix b/test/testdata/parse-okay-inherits.nix
new file mode 100644
index 0000000..10596c8
--- /dev/null
+++ b/test/testdata/parse-okay-inherits.nix
@@ -0,0 +1,9 @@
+let
+  c = {};
+  b = 2;
+in {
+  a = 1;
+  inherit b;
+  inherit (c) d e;
+  f = 3;
+}
diff --git a/test/testdata/parse-okay-mixed-nested-attrs-1.exp b/test/testdata/parse-okay-mixed-nested-attrs-1.exp
new file mode 100644
index 0000000..89c66f7
--- /dev/null
+++ b/test/testdata/parse-okay-mixed-nested-attrs-1.exp
@@ -0,0 +1 @@
+{ x = { q = 3; y = 3; z = 3; }; }
diff --git a/test/testdata/parse-okay-mixed-nested-attrs-1.nix b/test/testdata/parse-okay-mixed-nested-attrs-1.nix
new file mode 100644
index 0000000..fd1001c
--- /dev/null
+++ b/test/testdata/parse-okay-mixed-nested-attrs-1.nix
@@ -0,0 +1,4 @@
+{ 
+  x = { y = 3; z = 3; }; 
+  x.q = 3; 
+}
diff --git a/test/testdata/parse-okay-mixed-nested-attrs-2.exp b/test/testdata/parse-okay-mixed-nested-attrs-2.exp
new file mode 100644
index 0000000..89c66f7
--- /dev/null
+++ b/test/testdata/parse-okay-mixed-nested-attrs-2.exp
@@ -0,0 +1 @@
+{ x = { q = 3; y = 3; z = 3; }; }
diff --git a/test/testdata/parse-okay-mixed-nested-attrs-2.nix b/test/testdata/parse-okay-mixed-nested-attrs-2.nix
new file mode 100644
index 0000000..ad066b6
--- /dev/null
+++ b/test/testdata/parse-okay-mixed-nested-attrs-2.nix
@@ -0,0 +1,4 @@
+{ 
+  x.q = 3; 
+  x = { y = 3; z = 3; }; 
+}
diff --git a/test/testdata/parse-okay-mixed-nested-attrs-3.exp b/test/testdata/parse-okay-mixed-nested-attrs-3.exp
new file mode 100644
index 0000000..b89a597
--- /dev/null
+++ b/test/testdata/parse-okay-mixed-nested-attrs-3.exp
@@ -0,0 +1 @@
+{ services = { httpd = { enable = true; }; ssh = { enable = true; port = 123; }; }; }
diff --git a/test/testdata/parse-okay-mixed-nested-attrs-3.nix b/test/testdata/parse-okay-mixed-nested-attrs-3.nix
new file mode 100644
index 0000000..45a33e4
--- /dev/null
+++ b/test/testdata/parse-okay-mixed-nested-attrs-3.nix
@@ -0,0 +1,7 @@
+{
+    services.ssh.enable = true;
+    services.ssh = { port = 123; };
+    services = {
+        httpd.enable = true;
+    };
+}
diff --git a/test/testdata/parse-okay-regression-20041027.exp b/test/testdata/parse-okay-regression-20041027.exp
new file mode 100644
index 0000000..9df7219
--- /dev/null
+++ b/test/testdata/parse-okay-regression-20041027.exp
@@ -0,0 +1 @@
+({ fetchurl, stdenv }: ((stdenv).mkDerivation { name = "libXi-6.0.1"; src = (fetchurl { md5 = "7e935a42428d63a387b3c048be0f2756"; url = "http://freedesktop.org/~xlibs/release/libXi-6.0.1.tar.bz2"; }); }))
diff --git a/test/testdata/parse-okay-regression-20041027.nix b/test/testdata/parse-okay-regression-20041027.nix
new file mode 100644
index 0000000..ae2e256
--- /dev/null
+++ b/test/testdata/parse-okay-regression-20041027.nix
@@ -0,0 +1,11 @@
+{stdenv, fetchurl /* pkgconfig, libX11 */ }:
+stdenv.mkDerivation {
+  name = "libXi-6.0.1";
+  src = fetchurl {
+    url = http://freedesktop.org/~xlibs/release/libXi-6.0.1.tar.bz2;
+    md5 = "7e935a42428d63a387b3c048be0f2756";
+  };
+/*  buildInputs = [pkgconfig];
+  propagatedBuildInputs = [libX11]; */
+}
diff --git a/test/testdata/parse-okay-regression-751.exp b/test/testdata/parse-okay-regression-751.exp
new file mode 100644
index 0000000..e2ed886
--- /dev/null
+++ b/test/testdata/parse-okay-regression-751.exp
@@ -0,0 +1 @@
+(let const = (a: "const"); in ((const { x = "q"; })))
diff --git a/test/testdata/parse-okay-regression-751.nix b/test/testdata/parse-okay-regression-751.nix
new file mode 100644
index 0000000..05c78b3
--- /dev/null
+++ b/test/testdata/parse-okay-regression-751.nix
@@ -0,0 +1,2 @@
+let const = a: "const"; in
+''${ const { x = "q"; }}''
diff --git a/test/testdata/parse-okay-subversion.exp b/test/testdata/parse-okay-subversion.exp
new file mode 100644
index 0000000..32fbba3
--- /dev/null
+++ b/test/testdata/parse-okay-subversion.exp
@@ -0,0 +1 @@
+({ db4 ? null, expat, fetchurl, httpServer ? false, httpd ? null, j2sdk ? null, javaSwigBindings ? false, javahlBindings ? false, localServer ? false, openssl ? null, pythonBindings ? false, sslSupport ? false, stdenv, swig ? null }: assert (expat != null); assert (localServer -> (db4 != null)); assert (httpServer -> ((httpd != null) && ((httpd).expat == expat))); assert (sslSupport -> ((openssl != null) && (httpServer -> ((httpd).openssl == openssl)))); assert (pythonBindings -> ((swig != null) && (swig).pythonSupport)); assert (javaSwigBindings -> ((swig != null) && (swig).javaSupport)); assert (javahlBindings -> (j2sdk != null)); ((stdenv).mkDerivation { inherit expat httpServer javaSwigBindings javahlBindings localServer pythonBindings sslSupport; builder = /foo/bar; db4 = (if localServer then db4 else null); httpd = (if httpServer then httpd else null); j2sdk = (if javaSwigBindings then (swig).j2sdk else (if javahlBindings then j2sdk else null)); name = "subversion-1.1.1"; openssl = (if sslSupport then openssl else null); patches = (if javahlBindings then [ (/javahl.patch) ] else [ ]); python = (if pythonBindings then (swig).python else null); src = (fetchurl { md5 = "a180c3fe91680389c210c99def54d9e0"; url = "http://subversion.tigris.org/tarballs/subversion-1.1.1.tar.bz2"; }); swig = (if (pythonBindings || javaSwigBindings) then swig else null); }))
diff --git a/test/testdata/parse-okay-subversion.nix b/test/testdata/parse-okay-subversion.nix
new file mode 100644
index 0000000..3562728
--- /dev/null
+++ b/test/testdata/parse-okay-subversion.nix
@@ -0,0 +1,43 @@
+{ localServer ? false
+, httpServer ? false
+, sslSupport ? false
+, pythonBindings ? false
+, javaSwigBindings ? false
+, javahlBindings ? false
+, stdenv, fetchurl
+, openssl ? null, httpd ? null, db4 ? null, expat, swig ? null, j2sdk ? null
+}:
+assert expat != null;
+assert localServer -> db4 != null;
+assert httpServer -> httpd != null && httpd.expat == expat;
+assert sslSupport -> openssl != null && (httpServer -> httpd.openssl == openssl);
+assert pythonBindings -> swig != null && swig.pythonSupport;
+assert javaSwigBindings -> swig != null && swig.javaSupport;
+assert javahlBindings -> j2sdk != null;
+stdenv.mkDerivation {
+  name = "subversion-1.1.1";
+  builder = /foo/bar;
+  src = fetchurl {
+    url = http://subversion.tigris.org/tarballs/subversion-1.1.1.tar.bz2;
+    md5 = "a180c3fe91680389c210c99def54d9e0";
+  };
+  # This is a hopefully temporary fix for the problem that
+  # libsvnjavahl.so isn't linked against libstdc++, which causes
+  # loading the library into the JVM to fail.
+  patches = if javahlBindings then [/javahl.patch] else [];
+  openssl = if sslSupport then openssl else null;
+  httpd = if httpServer then httpd else null;
+  db4 = if localServer then db4 else null;
+  swig = if pythonBindings || javaSwigBindings then swig else null;
+  python = if pythonBindings then swig.python else null;
+  j2sdk = if javaSwigBindings then swig.j2sdk else
+          if javahlBindings then j2sdk else null;
+  inherit expat localServer httpServer sslSupport
+          pythonBindings javaSwigBindings javahlBindings;
+}
diff --git a/test/testdata/parse-okay-url.exp b/test/testdata/parse-okay-url.exp
new file mode 100644
index 0000000..e5f0829
--- /dev/null
+++ b/test/testdata/parse-okay-url.exp
@@ -0,0 +1 @@
+[ ("x:x") ("https://svn.cs.uu.nl:12443/repos/trace/trunk") ("http://www2.mplayerhq.hu/MPlayer/releases/fonts/font-arial-iso-8859-1.tar.bz2") ("http://losser.st-lab.cs.uu.nl/~armijn/.nix/gcc-3.3.4-static-nix.tar.gz") ("http://fpdownload.macromedia.com/get/shockwave/flash/english/linux/7.0r25/install_flash_player_7_linux.tar.gz") ("https://ftp5.gwdg.de/pub/linux/archlinux/extra/os/x86_64/unzip-6.0-14-x86_64.pkg.tar.zst") ("ftp://ftp.gtk.org/pub/gtk/v1.2/gtk+-1.2.10.tar.gz") ]
diff --git a/test/testdata/parse-okay-url.nix b/test/testdata/parse-okay-url.nix
new file mode 100644
index 0000000..08de27d
--- /dev/null
+++ b/test/testdata/parse-okay-url.nix
@@ -0,0 +1,8 @@
+[ x:x
+  https://svn.cs.uu.nl:12443/repos/trace/trunk
+  http://www2.mplayerhq.hu/MPlayer/releases/fonts/font-arial-iso-8859-1.tar.bz2
+  http://losser.st-lab.cs.uu.nl/~armijn/.nix/gcc-3.3.4-static-nix.tar.gz
+  http://fpdownload.macromedia.com/get/shockwave/flash/english/linux/7.0r25/install_flash_player_7_linux.tar.gz
+  https://ftp5.gwdg.de/pub/linux/archlinux/extra/os/x86_64/unzip-6.0-14-x86_64.pkg.tar.zst
+  ftp://ftp.gtk.org/pub/gtk/v1.2/gtk+-1.2.10.tar.gz
+]
diff --git a/test/testdata/readDir/bar b/test/testdata/readDir/bar
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/testdata/readDir/bar
diff --git a/test/testdata/readDir/foo/git-hates-directories b/test/testdata/readDir/foo/git-hates-directories
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/testdata/readDir/foo/git-hates-directories
diff --git a/test/testdata/readDir/ldir b/test/testdata/readDir/ldir
new file mode 120000
index 0000000..1910281
--- /dev/null
+++ b/test/testdata/readDir/ldir
@@ -0,0 +1 @@
+foo
+\ No newline at end of file
diff --git a/test/testdata/readDir/linked b/test/testdata/readDir/linked
new file mode 120000
index 0000000..c503f86
--- /dev/null
+++ b/test/testdata/readDir/linked
@@ -0,0 +1 @@
+foo/git-hates-directories
+\ No newline at end of file
diff --git a/test/testdata/symlink-resolution/broken b/test/testdata/symlink-resolution/broken
new file mode 120000
index 0000000..e07da69
--- /dev/null
+++ b/test/testdata/symlink-resolution/broken
@@ -0,0 +1 @@
+nonexistent
+\ No newline at end of file
diff --git a/test/testdata/symlink-resolution/foo/lib/default.nix b/test/testdata/symlink-resolution/foo/lib/default.nix
new file mode 100644
index 0000000..8b8441b
--- /dev/null
+++ b/test/testdata/symlink-resolution/foo/lib/default.nix
@@ -0,0 +1 @@
+"test"
diff --git a/test/testdata/symlink-resolution/foo/overlays b/test/testdata/symlink-resolution/foo/overlays
new file mode 120000
index 0000000..0d44a21
--- /dev/null
+++ b/test/testdata/symlink-resolution/foo/overlays
@@ -0,0 +1 @@
+../overlays
+\ No newline at end of file
diff --git a/test/testdata/symlink-resolution/overlays/overlay.nix b/test/testdata/symlink-resolution/overlays/overlay.nix
new file mode 100644
index 0000000..b036830
--- /dev/null
+++ b/test/testdata/symlink-resolution/overlays/overlay.nix
@@ -0,0 +1 @@
+import ../lib
diff --git a/theories/dune b/theories/dune
new file mode 100644
index 0000000..0034b5d
--- /dev/null
+++ b/theories/dune
@@ -0,0 +1,8 @@
+(include_subdirs qualified)
+(coq.theory
+ (name mininix)
+ ; This ensures that all files are checked when using the install alias.
+ ; (This does not happen otherwise when just compiling the front-end.)
+ (package mininix)
+ (theories Flocq stdpp))
diff --git a/theories/dynlang/equiv.v b/theories/dynlang/equiv.v
new file mode 100644
index 0000000..aa0b7f3
--- /dev/null
+++ b/theories/dynlang/equiv.v
@@ -0,0 +1,154 @@
+From mininix Require Export lambda.interp_proofs dynlang.interp_proofs.
+From stdpp Require Import options.
+Class Lift A B := lift : A → B.
+Global Hint Mode Lift ! - : typeclass_instances.
+Arguments lift {_ _ _} !_ /.
+Notation "⌜ x ⌝" := (lift x) (at level 0).
+Notation "⌜* x ⌝" := (fmap lift x) (at level 0).
+Module lambda.
+  Global Instance lambda_expr_lift : Lift lambda.expr dynlang.expr :=
+    fix go e := let _ : Lift _ _ := go in
+    match e with
+    | lambda.EString s => dynlang.EString s
+    | lambda.EId x => dynlang.EId ∅ (dynlang.EString x)
+    | lambda.EAbs x e => dynlang.EAbs (dynlang.EString x) ⌜e⌝
+    | lambda.EApp e1 e2 => dynlang.EApp ⌜e1⌝ ⌜e2⌝
+    end.
+  Global Instance lambda_thunk_lift : Lift lambda.thunk dynlang.thunk :=
+    fix go t := let _ : Lift _ _ := go in
+    dynlang.Thunk ⌜*lambda.thunk_env t⌝ ⌜lambda.thunk_expr t⌝.
+  Global Instance lambda_val_lift : Lift lambda.val dynlang.val := λ v,
+    match v with
+    | lambda.VString s => dynlang.VString s
+    | lambda.VClo x E e => dynlang.VClo x ⌜*E⌝ ⌜e⌝
+    end.
+End lambda.
+Lemma interp_open_lambda_dynlang E e mv n :
+  lambda.closed_env E → lambda.closed (dom E) e →
+  lambda.interp n E e = Res mv →
+  ∃ m, dynlang.interp m ⌜*E⌝ ⌜e⌝ = Res ⌜*mv⌝.
+Proof.
+  revert E e mv. induction n as [|n IH]; [done|]; intros E e mv HE He Hinterp.
+  rewrite lambda.interp_S in Hinterp. destruct e as [s|z|ex e|e1 e2]; simplify_res.
+  - (* EString *) by exists 1.
+  - (* EId *)
+    apply elem_of_dom in He as [[Et et] Hz]. rewrite Hz /= in Hinterp.
+    apply lambda.closed_env_lookup in Hz as He; last done.
+    rewrite lambda.closed_thunk_eq/= in He. destruct He as [HEtclosed Hetclosed].
+    apply IH in Hinterp as [m Hinterp]; [|done..].
+    exists (S (S m)). rewrite !dynlang.interp_S /= -dynlang.interp_S.
+    rewrite lookup_empty /= right_id_L lookup_fmap Hz /=.
+    eauto using dynlang.interp_le with lia.
+  - (* EAbs *) by exists 2.
+  - (* EApp *)
+    destruct He as [He1 He2].
+    destruct (lambda.interp _ _ e1) as [mw|] eqn:Hinterp1; simplify_res.
+    pose proof Hinterp1 as Hinterp1'.
+    apply lambda.interp_closed in Hinterp1' as Hmw; [|done..].
+    eapply IH in Hinterp1 as [m1 Hinterp1]; [|done..].
+    destruct mw as [w|]; simplify_res; last first.
+    { exists (S m1). by rewrite dynlang.interp_S /= Hinterp1. }
+    destruct (maybe3 lambda.VClo w) eqn:?; simplify_res; last first.
+    { exists (S m1). rewrite dynlang.interp_S /= Hinterp1 /=. by destruct w. }
+    destruct w; simplify_res.
+    apply IH in Hinterp as [m2 Hinterp2].
+    + exists (S (m1 + m2)). rewrite dynlang.interp_S /=.
+      rewrite (dynlang.interp_le Hinterp1) /=; last lia.
+      rewrite fmap_insert /= in Hinterp2.
+      rewrite (dynlang.interp_le Hinterp2) /=; last lia. done.
+    + apply lambda.closed_env_insert; [by split|naive_solver].
+    + rewrite dom_insert_L. set_solver.
+Qed.
+Lemma interp_lambda_dynlang e mv n :
+  lambda.closed ∅ e →
+  lambda.interp n ∅ e = Res mv →
+  ∃ m, dynlang.interp m ∅ ⌜e⌝ = Res ⌜*mv⌝.
+Proof. intro. by apply interp_open_lambda_dynlang. Qed.
+Lemma interp_open_dynlang_lambda E e mv n :
+  lambda.closed_env E → lambda.closed (dom E) e →
+  dynlang.interp n ⌜*E⌝ ⌜e⌝ = Res mv →
+  ∃ mw, lambda.interp n E e = Res mw ∧ mv = ⌜*mw⌝.
+Proof.
+  revert E e mv. induction n as [|n IH]; [done|]; intros E e mv HE He Hinterp.
+  rewrite dynlang.interp_S in Hinterp. destruct e as [s|z|ex e|e1 e2]; simplify_res.
+  - (* EString *) rewrite lambda.interp_S /=. by eexists.
+  - (* EId *)
+    destruct n as [|n]; [done|].
+    rewrite dynlang.interp_S /= -dynlang.interp_S in Hinterp.
+    apply elem_of_dom in He as [[Et et] Hz].
+    pose proof (f_equal (fmap lift) Hz) as Hz'.
+    rewrite -lookup_fmap /= in Hz'. rewrite Hz' lookup_empty /= {Hz'} in Hinterp.
+    pose proof Hz as Hz'.
+    apply lambda.closed_env_lookup in Hz' as [HEt Het]; simpl in *; last done.
+    apply IH in Hinterp as (mw & Hinterp & ->); [|done..].
+    exists mw. rewrite lambda.interp_S /= Hz /=. done.
+  - (* EAbs *)
+    destruct n as [|n]; [done|].
+    rewrite dynlang.interp_S /= in Hinterp; simplify_res.
+    rewrite lambda.interp_S /=. by eexists.
+  - (* EApp *)
+    destruct He as [He1 He2].
+    destruct (dynlang.interp _ _ _) as [mw1|] eqn:Hinterp1; simplify_res.
+    eapply IH in Hinterp1 as (mv1 & Hinterp1 & ->); [|done..].
+    destruct mv1 as [v1|]; simplify_res; last first.
+    { exists None. by rewrite lambda.interp_S /= Hinterp1. }
+    destruct (maybe3 dynlang.VClo _) eqn:?; simplify_res; last first.
+    { exists None. rewrite lambda.interp_S /= Hinterp1 /=. by destruct v1. }
+    destruct v1; simplify_res.
+    change (dynlang.Thunk ⌜*E⌝ ⌜e2⌝) with ⌜lambda.Thunk E e2⌝ in Hinterp.
+    rewrite -fmap_insert in Hinterp.
+    apply lambda.interp_closed in Hinterp1 as Hmw; [|done..].
+    apply IH in Hinterp as (mv2 & Hinterp2 & ->).
+    + exists mv2. rewrite lambda.interp_S /= Hinterp1 /=. done.
+    + apply lambda.closed_env_insert; [by split|]. naive_solver.
+    + rewrite dom_insert_L. set_solver.
+Qed.
+Lemma interp_dynlang_lambda e mv n :
+  lambda.closed ∅ e →
+  dynlang.interp n ∅ ⌜e⌝ = Res mv →
+  ∃ mw, lambda.interp n ∅ e = Res mw ∧ mv = ⌜*mw⌝.
+Proof. intros. by apply interp_open_dynlang_lambda. Qed.
+(* The following equivalences about the semantics trivially follow: *)
+Theorem interp_equiv_ret_string e s :
+  lambda.closed ∅ e →
+  rtc lambda.step e (lambda.EString s)
+  ↔ rtc dynlang.step ⌜e⌝ (dynlang.EString s).
+Proof.
+  intros. rewrite -lambda.interp_sound_complete_ret_string //.
+  rewrite -dynlang.interp_sound_complete_ret_string. split; intros [n Hinterp].
+  + by apply interp_lambda_dynlang in Hinterp.
+  + apply interp_dynlang_lambda in Hinterp as ([[]|] & ?); naive_solver.
+Qed.
+Theorem interp_equiv_fail e :
+  lambda.closed ∅ e →
+  (∃ e', rtc lambda.step e e' ∧ lambda.stuck e')
+  ↔ (∃ e', rtc dynlang.step ⌜e⌝ e' ∧ dynlang.stuck e').
+Proof.
+  intros. rewrite -lambda.interp_sound_complete_fail //.
+  rewrite -dynlang.interp_sound_complete_fail. split; intros [n Hinterp].
+  + by apply interp_lambda_dynlang in Hinterp.
+  + apply interp_dynlang_lambda in Hinterp as ([] & ?); naive_solver.
+Qed.
+Theorem interp_equiv_no_fuel e :
+  lambda.closed ∅ e →
+  all_loop lambda.step e ↔ all_loop dynlang.step ⌜e⌝.
+Proof.
+  intros He. rewrite -lambda.interp_sound_complete_no_fuel; last done.
+  rewrite -dynlang.interp_sound_complete_no_fuel. split; intros Hnofuel n.
+  - destruct (dynlang.interp n ∅ _) as [mv|] eqn:Hinterp; [|done].
+    apply interp_dynlang_lambda in Hinterp as (? & Hinterp & _); [|done].
+    by rewrite Hnofuel in Hinterp.
+  - destruct (lambda.interp n ∅ _) as [mv|] eqn:Hinterp; [|done].
+    apply interp_lambda_dynlang in Hinterp as [m Hinterp]; [|done..].
+    by rewrite Hnofuel in Hinterp.
+Qed.
diff --git a/theories/dynlang/interp.v b/theories/dynlang/interp.v
new file mode 100644
index 0000000..dcf6b95
--- /dev/null
+++ b/theories/dynlang/interp.v
@@ -0,0 +1,49 @@
+From mininix Require Export res dynlang.operational_props.
+From stdpp Require Import options.
+Module Import dynlang.
+Export dynlang.
+Inductive thunk := Thunk { thunk_env : gmap string thunk; thunk_expr : expr }.
+Add Printing Constructor thunk.
+Notation env := (gmap string thunk).
+Inductive val :=
+  | VString (s : string)
+  | VClo (x : string) (E : env) (e : expr).
+Global Instance maybe_VString : Maybe VString := λ v,
+  if v is VString s then Some s else None.
+Global Instance maybe_VClo : Maybe3 VClo := λ v,
+  if v is VClo x E e then Some (x, E, e) else None.
+Definition interp1 (interp : env → expr → res val) (E : env) (e : expr) : res val :=
+  match e with
+  | EString s =>
+      mret (VString s)
+  | EId ds e =>
+      v ← interp E e;
+      x ← Res $ maybe VString v;
+      t ← Res $ (E !! x) ∪ (Thunk ∅ <$> ds !! x);
+      interp (thunk_env t) (thunk_expr t)
+  | EAbs ex e =>
+      v ← interp E ex;
+      x ← Res $ maybe VString v;
+      mret (VClo x E e)
+  | EApp e1 e2 =>
+      v1 ← interp E e1;
+      '(x, E', e') ← Res (maybe3 VClo v1);
+      interp (<[x:=Thunk E e2]> E') e'
+  end.
+Fixpoint interp (n : nat) (E : env) (e : expr) : res val :=
+  match n with
+  | O => NoFuel
+  | S n => interp1 (interp n) E e
+  end.
+Global Opaque interp.
+End dynlang.
+Add Printing Constructor dynlang.thunk.
diff --git a/theories/dynlang/interp_proofs.v b/theories/dynlang/interp_proofs.v
new file mode 100644
index 0000000..f18a91c
--- /dev/null
+++ b/theories/dynlang/interp_proofs.v
@@ -0,0 +1,426 @@
+From mininix Require Export dynlang.interp.
+From stdpp Require Import options.
+Module Import dynlang.
+Export dynlang.
+Lemma interp_S n : interp (S n) = interp1 (interp n).
+Proof. done. Qed.
+Fixpoint thunk_size (t : thunk) : nat :=
+  S (map_sum_with thunk_size (thunk_env t)).
+Definition env_size (E : env) : nat :=
+  map_sum_with thunk_size E.
+Lemma env_ind (P : env → Prop) :
+  (∀ E, map_Forall (λ i, P ∘ thunk_env) E → P E) →
+  ∀ E : env, P E.
+Proof.
+  intros Pbs E.
+  induction (Nat.lt_wf_0_projected env_size E) as [E _ IH].
+  apply Pbs, map_Forall_lookup=> y [E' e'] Hy.
+  apply (map_sum_with_lookup_le thunk_size) in Hy.
+  apply IH. by rewrite -Nat.le_succ_l.
+Qed.
+(** Correspondence to operational semantics *)
+Definition subst_env' (thunk_to_expr : thunk → expr) (E : env) : expr → expr :=
+  subst (thunk_to_expr <$> E).
+Fixpoint thunk_to_expr (t : thunk) : expr :=
+  subst_env' thunk_to_expr (thunk_env t) (thunk_expr t).
+Notation subst_env := (subst_env' thunk_to_expr).
+Lemma subst_env_eq e E :
+  subst_env E e =
+    match e with
+    | EString s => EString s
+    | EId ds e => EId ((thunk_to_expr <$> E) ∪ ds) (subst_env E e)
+    | EAbs ex e => EAbs (subst_env E ex) (subst_env E e)
+    | EApp e1 e2 => EApp (subst_env E e1) (subst_env E e2)
+    end.
+Proof. by destruct e. Qed.
+Lemma subst_env_alt E e : subst_env E e = subst (thunk_to_expr <$> E) e.
+Proof. done. Qed.
+(* Use the unfolding lemmas, don't rely on conversion *)
+Opaque subst_env'.
+Definition val_to_expr (v : val) : expr :=
+  match v with
+  | VString s => EString s
+  | VClo x E e => EAbs (EString x) (subst_env E e)
+  end.
+Lemma val_final v : final (val_to_expr v).
+Proof. by destruct v. Qed.
+Lemma subst_empty e : subst ∅ e = e.
+Proof. induction e; f_equal/=; auto. by rewrite left_id_L. Qed.
+Lemma subst_env_empty e : subst_env ∅ e = e.
+Proof. rewrite subst_env_alt. apply subst_empty. Qed.
+Lemma interp_le {n1 n2 E e mv} :
+  interp n1 E e = Res mv → n1 ≤ n2 → interp n2 E e = Res mv.
+Proof.
+  revert n2 E e mv.
+  induction n1 as [|n1 IH]; intros [|n2] E e mv He ?; [by (done || lia)..|].
+  rewrite interp_S in He; rewrite interp_S; destruct e;
+    repeat match goal with
+    | _ => case_match
+    | H : context [(_ <$> ?mx)] |- _ => destruct mx eqn:?; simplify_res
+    | H : ?r ≫= _ = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+    | H : _ <$> ?r = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+    | |- interp ?n ?E ?e ≫= _ = _ => erewrite (IH n E e) by (done || lia)
+    | _ => progress simplify_res
+    | _ => progress simplify_option_eq
+    end; eauto with lia.
+Qed.
+Lemma interp_agree {n1 n2 E e mv1 mv2} :
+  interp n1 E e = Res mv1 → interp n2 E e = Res mv2 → mv1 = mv2.
+Proof.
+  intros He1 He2. apply (inj Res). destruct (total (≤) n1 n2).
+  - rewrite -He2. symmetry. eauto using interp_le. 
+  - rewrite -He1. eauto using interp_le.
+Qed.
+Lemma subst_env_union E1 E2 e :
+  subst_env (E1 ∪ E2) e = subst_env E1 (subst_env E2 e).
+Proof.
+  revert E1 E2. induction e; intros E1 E2; rewrite subst_env_eq /=.
+  - done.
+  - rewrite !(subst_env_eq (EId _ _)) IHe. f_equal.
+    by rewrite assoc_L map_fmap_union.
+  - rewrite !(subst_env_eq (EAbs _ _)) /=. f_equal; auto.
+  - rewrite !(subst_env_eq (EApp _ _)) /=. f_equal; auto.
+Qed.
+Lemma subst_env_insert E x e t :
+  subst_env (<[x:=t]> E) e = subst {[x:=thunk_to_expr t]} (subst_env E e).
+Proof.
+  rewrite insert_union_singleton_l subst_env_union subst_env_alt.
+  by rewrite map_fmap_singleton.
+Qed.
+Lemma subst_env_insert_eq e1 e2 E1 E2 x E1' E2' e1' e2' :
+  subst_env E1 e1 = subst_env E2 e2 →
+  subst_env E1' e1' = subst_env E2' e2' →
+  subst_env (<[x:=Thunk E1' e1']> E1) e1 = subst_env (<[x:=Thunk E2' e2']> E2) e2.
+Proof. intros He He'. by rewrite !subst_env_insert //= He' He. Qed.
+Lemma interp_proper n E1 E2 e1 e2 mv :
+  subst_env E1 e1 = subst_env E2 e2 →
+  interp n E1 e1 = Res mv →
+  ∃ mw m, interp m E2 e2 = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  revert n E1 E2 e1 e2 mv. induction n as [|n IHn]; [done|].
+  intros E1 E2 e1 e2 mv Hsubst Hinterp.
+  rewrite 2!subst_env_eq in Hsubst.
+  rewrite interp_S in Hinterp. destruct e1, e2; simplify_res; try done.
+  - eexists (Some (VString _)), 1. by rewrite interp_S.
+  - destruct (interp n _ e1) as [mv1|] eqn:Hinterp'; simplify_eq/=.
+    eapply IHn in Hinterp' as (mw1 & m1 & Hinterp1 & ?); last done.
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VString v1) as [x|] eqn:Hv1;
+      simplify_res; last first.
+    { exists None, (S m1). split; [|done]. rewrite interp_S /= Hinterp1 /=.
+      destruct v1, w1; repeat destruct select base_lit; by simplify_eq/=. }
+    destruct v1, w1; repeat destruct select base_lit; simplify_eq/=.
+    assert (∀ (ds : stringmap expr) (E : env) x,
+      thunk_to_expr <$> (E !! x) ∪ (Thunk ∅ <$> ds !! x)
+      = ((thunk_to_expr <$> E) ∪ ds) !! x) as HE.
+    { intros ds' E x. rewrite lookup_union lookup_fmap.
+      repeat destruct (_ !! _); f_equal/=; by rewrite subst_env_empty. }
+    pose proof (f_equal (.!! s0) Hsubst) as Hs. rewrite -!HE {HE} in Hs.
+    destruct (E1 !! s0 ∪ _) as [[E1' e1']|],
+      (E2 !! s0 ∪ _) as [[E2' e2']|] eqn:HE2; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=. by rewrite HE2. }
+    eapply IHn in Hinterp as (mw & m2 & Hinterp2 & ?); [|by eauto..].
+    exists mw, (S (m1 `max` m2)). split; [|done]. rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia. rewrite HE2 /=.
+    eauto using interp_le with lia.
+  - destruct (interp n _ _) as [mv1|] eqn:Hinterp'; simplify_eq/=.
+    eapply IHn in Hinterp' as (mw1 & m1 & Hinterp1 & ?); last done.
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VString _) eqn:Hstring; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe VString w1 = None) as -> by (by destruct v1, w1). }
+    destruct v1, w1; simplify_eq/=.
+    eexists (Some (VClo _ _ _)), (S m1).
+    rewrite interp_S /= Hinterp1 /=. split; [done|]. by do 2 f_equal/=.
+  - destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    eapply IHn in Hinterp' as (mw' & m1 & Hinterp1 & ?); last done.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe3 VClo _) eqn:Hclo; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe3 VClo w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_eq/=.
+    eapply IHn with (E2 := <[x0:=Thunk E2 e2_2]> E0) in Hinterp
+      as (w & m2 & Hinterp2 & ?); last by apply subst_env_insert_eq.
+    exists w, (S (m1 `max` m2)). rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    rewrite (interp_le Hinterp2) /=; last lia. done.
+Qed.
+Lemma subst_as_subst_env x e1 e2 :
+  subst {[x:=e2]} e1 = subst_env (<[x:=Thunk ∅ e2]> ∅) e1.
+Proof. rewrite subst_env_insert //= !subst_env_empty //. Qed.
+Lemma interp_subst n x e1 e2 mv :
+  interp n ∅ (subst {[x:=e2]} e1) = Res mv →
+  ∃ mw m, interp m (<[x:=Thunk ∅ e2]> ∅) e1 = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  apply interp_proper.
+  by rewrite subst_env_empty subst_as_subst_env.
+Qed.
+Lemma interp_step e1 e2 n mv :
+  e1 --> e2 →
+  interp n ∅ e2 = Res mv →
+  ∃ mw m, interp m ∅ e1 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  intros Hstep. revert mv n.
+  induction Hstep; intros mv n Hinterp.
+  - apply interp_subst in Hinterp as (w & [|m] & Hinterp & Hv);
+      simplify_eq/=; [|done..].
+    exists w, (S (S (S m))). rewrite !interp_S /= -!interp_S.
+    eauto using interp_le with lia.
+  - exists mv, (S (S n)). rewrite !interp_S /= -interp_S.
+    rewrite lookup_empty left_id_L H /=. eauto using interp_le with lia.
+  - destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IHHstep in Hinterp' as (mw' & m1 & Hinterp1 & ?); simplify_res.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VString _) eqn:Hstring; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe VString w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_eq/=.
+    eexists (Some (VClo _ _ _)), (S m1). rewrite !interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia. done.
+  - destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IHHstep in Hinterp' as (mw' & m1 & Hinterp1 & ?); simplify_res.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe3 VClo _) eqn:Hclo; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe3 VClo w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_eq/=.
+    eapply interp_proper in Hinterp as (mw & m2 & Hinterp2 & Hv);
+      last apply subst_env_insert_eq; try done.
+    exists mw, (S (m1 `max` m2)). rewrite !interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    by rewrite (interp_le Hinterp2) /=; last lia.
+  - destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ e1') as [mv1|] eqn:Hinterp1; simplify_eq/=.
+    apply IHHstep in Hinterp1 as (mw1 & m & Hinterp1 & Hw1).
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m). by rewrite interp_S /= Hinterp1. }
+    exists mv, (S (n `max` m)). split; [|done].
+    rewrite interp_S /= (interp_le Hinterp1) /=; last lia.
+    assert (maybe VString w1 = maybe VString v1) as ->.
+    { destruct v1, w1; naive_solver. }
+    destruct (maybe VString v1); simplify_res; [|done].
+    destruct (_ ∪ _); simplify_res; eauto using interp_le with lia.
+Qed.
+Lemma final_interp e :
+  final e →
+  ∃ w m, interp m ∅ e = mret w ∧ e = val_to_expr w.
+Proof.
+  induction e as [| |[]|]; inv 1.
+  - eexists (VString _), 1. by rewrite interp_S /=.
+  - eexists (VClo _ _ _), 2. rewrite interp_S /=. split; [done|].
+    by rewrite subst_env_empty.
+Qed.
+Lemma red_final_interp e :
+  red step e ∨ final e ∨ ∃ m, interp m ∅ e = mfail.
+Proof.
+  induction e.
+  - (* ENat *) right; left. constructor.
+  - (* EId *) destruct IHe as [[??]|[Hfinal|[m Hinterp]]].
+    + left. by repeat econstructor.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe VString w) as [x|] eqn:Hw; last first.
+      { do 2 right. eexists (S m). rewrite interp_S /= Hinterp /=.
+        by rewrite Hw. }
+      destruct w; simplify_eq/=.
+      destruct (ds !! x) as [e|] eqn:Hx; last first.
+      { do 2 right. eexists (S m). rewrite interp_S /= Hinterp /=.
+        by rewrite Hx. }
+      left. by repeat econstructor.
+    + do 2 right. exists (S m). rewrite interp_S /= Hinterp. done.
+  - (* EAbs *) destruct IHe1 as [[??]|[Hfinal|[m Hinterp]]].
+    + left. by repeat econstructor.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe VString w) as [x|] eqn:Hw; last first.
+      { do 2 right. eexists (S m). rewrite interp_S /= Hinterp /=.
+        by rewrite Hw. }
+      destruct w; naive_solver.
+    + do 2 right. exists (S m). rewrite interp_S /= Hinterp. done.
+  - (* EApp *) destruct IHe1 as [[??]|[Hfinal|[m Hinterp]]].
+    + left. by repeat econstructor.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe3 VClo w) eqn:Hw.
+      { destruct w; simplify_eq/=. left. by repeat econstructor. }
+      do 2 right. exists (S m). by rewrite interp_S /= Hinterp /= Hw.
+    + do 2 right. exists (S m). by rewrite interp_S /= Hinterp.
+Qed.
+Lemma interp_complete e1 e2 :
+  e1 -->* e2 →
+  nf step e2 →
+  ∃ mw m, interp m ∅ e1 = Res mw ∧
+    if mw is Some w then e2 = val_to_expr w else ¬final e2.
+Proof.
+  intros Hsteps Hnf. induction Hsteps as [e|e1 e2 e3 Hstep _ IH].
+  { destruct (red_final_interp e) as [?|[Hfinal|[m Hinterp]]]; [done|..].
+    - apply final_interp in Hfinal as (w & m & ? & ?).
+      by exists (Some w), m.
+    - exists None, m. split; [done|]. intros Hfinal.
+      apply final_interp in Hfinal as (w & m' & ? & _).
+      by assert (mfail = mret w) by eauto using interp_agree. }
+  destruct IH as (mw & m & Hinterp & ?); try done.
+  eapply interp_step in Hinterp as (mw' & m' & ? & ?); last done.
+  destruct mw, mw'; naive_solver.
+Qed.
+Lemma interp_complete_ret e1 e2 :
+  e1 -->* e2 → final e2 →
+  ∃ w m, interp m ∅ e1 = mret w ∧ e2 = val_to_expr w.
+Proof.
+  intros Hsteps Hfinal. apply interp_complete in Hsteps
+    as ([w|] & m & ? & ?); naive_solver eauto using final_nf.
+Qed.
+Lemma interp_complete_fail e1 e2 :
+  e1 -->* e2 → nf step e2 → ¬final e2 →
+  ∃ m, interp m ∅ e1 = mfail.
+Proof.
+  intros Hsteps Hnf Hforce.
+  apply interp_complete in Hsteps as ([w|] & m & ? & ?); simplify_eq/=; try by eauto.
+  destruct Hforce. apply val_final.
+Qed.
+Lemma interp_sound_open E e n mv :
+  interp n E e = Res mv →
+  ∃ e', subst_env E e -->* e' ∧
+    if mv is Some v then e' = val_to_expr v else stuck e'.
+Proof.
+  revert E e mv.
+  induction n as [|n IH]; intros E e mv Hinterp; first done.
+  rewrite subst_env_eq. rewrite interp_S in Hinterp.
+  destruct e; simplify_res.
+  - (* EString *) by eexists.
+  - (* EId *)
+    destruct (interp _ _ _) as [mv1|] eqn:Hinterp1; simplify_res.
+    apply IH in Hinterp1 as (e1' & Hsteps1 & He1').
+    destruct mv1 as [v1|]; simplify_res; last first.
+    { eexists; split; [by eapply SId_rtc|]. split; [|inv 1].
+      intros [??]. destruct He1' as [Hnf []].
+      inv_step; simpl; eauto. destruct Hnf; eauto. }
+    destruct (maybe VString _) as [x|] eqn:Hv1; simplify_res; last first.
+    { eexists; split; [by eapply SId_rtc|]. split; [|inv 1].
+      intros [??]. destruct v1; inv_step. }
+    destruct v1; simplify_eq/=.
+    assert (thunk_to_expr <$> (E !! x) ∪ (Thunk ∅ <$> ds !! x)
+      = ((thunk_to_expr <$> E) ∪ ds) !! x).
+    { rewrite lookup_union lookup_fmap.
+      repeat destruct (_ !! _); f_equal/=; by rewrite subst_env_empty. }
+    destruct (_ ∪ _) as [[E' e']|] eqn:Hx; simplify_res.
+    * apply IH in Hinterp as (e'' & Hsteps & He'').
+      exists e''; split; [|done]. etrans; [by eapply SId_rtc|].
+      eapply rtc_l; [|done]. by econstructor.
+    * eexists; split; [by eapply SId_rtc|]. split; [|inv 1].
+      intros [? Hstep]. inv_step; simplify_eq/=; congruence.
+  - (* EAbs *)
+    destruct (interp _ _ _) as [mv1|] eqn:Hinterp1; simplify_res.
+    apply IH in Hinterp1 as (e1' & Hsteps1 & He1').
+    destruct mv1 as [v1|]; simplify_res; last first.
+    { eexists; split; [by eapply SAbsL_rtc|]. split.
+      + intros [??]. destruct He1' as [Hnf []].
+        inv_step; simpl; eauto. destruct Hnf; eauto.
+      + intros ?. destruct He1' as [_ []]. by destruct e1'. }
+    eexists; split; [by eapply SAbsL_rtc|].
+    destruct (maybe VString _) as [x|] eqn:Hv1; simplify_res; last first.
+    { split; [|destruct v1; inv 1]. intros [??]. destruct v1; inv_step. }
+    by destruct v1; simplify_eq/=.
+  - (* EApp *) destruct (interp _ _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IH in Hinterp' as (e' & Hsteps & He'); try done.
+    destruct mv' as [v'|]; simplify_res; last first.
+    { eexists; repeat split; [by apply SAppL_rtc| |inv 1].
+      intros [e'' Hstep]. destruct He' as [Hnf Hfinal].
+      inv Hstep; [by destruct Hfinal; constructor|]. destruct Hnf. eauto. }
+    destruct (maybe3 VClo v') eqn:?; simplify_res; last first.
+    { eexists; repeat split; [by apply SAppL_rtc| |inv 1].
+      intros [e'' Hstep]. inv Hstep; destruct v'; by repeat inv_step. }
+    destruct v'; simplify_res.
+    apply IH in Hinterp as (e'' & Hsteps' & He'').
+    eexists; split; [|done]. etrans; [by apply SAppL_rtc|].
+    eapply rtc_l; first by constructor.
+    rewrite subst_env_insert // in Hsteps'.
+Qed.
+Lemma interp_sound n e mv :
+  interp n ∅ e = Res mv →
+  ∃ e', e -->* e' ∧ if mv is Some v then e' = val_to_expr v else stuck e'.
+Proof.
+  intros Hsteps%interp_sound_open; try done.
+  by rewrite subst_env_empty in Hsteps.
+Qed.
+(** Final theorems *)
+Theorem interp_sound_complete_ret e v :
+  (∃ w n, interp n ∅ e = mret w ∧ val_to_expr v = val_to_expr w)
+  ↔ e -->* val_to_expr v.
+Proof.
+  split.
+  - by intros (n & w & (e' & ? & ->)%interp_sound & ->).
+  - intros Hsteps. apply interp_complete_ret in Hsteps as ([] & ? & ? & ?);
+      eauto using val_final.
+Qed.
+Theorem interp_sound_complete_ret_string e s :
+  (∃ n, interp n ∅ e = mret (VString s)) ↔ e -->* EString s.
+Proof.
+  split.
+  - by intros [n (e' & ? & ->)%interp_sound].
+  - intros Hsteps. apply interp_complete_ret in Hsteps as ([] & ? & ? & ?);
+      simplify_eq/=; eauto.
+Qed.
+Theorem interp_sound_complete_fail e :
+  (∃ n, interp n ∅ e = mfail) ↔ ∃ e', e -->* e' ∧ stuck e'.
+Proof.
+  split.
+  - by intros [n ?%interp_sound].
+  - intros (e' & Hsteps & Hnf & Hforced). by eapply interp_complete_fail.
+Qed.
+Theorem interp_sound_complete_no_fuel e :
+  (∀ n, interp n ∅ e = NoFuel) ↔ all_loop step e.
+Proof.
+  rewrite all_loop_alt. split.
+  - intros Hnofuel e' Hsteps.
+    destruct (red_final_interp e') as [|[|He']]; [done|..].
+    + apply interp_complete_ret in Hsteps as (w & m & Hinterp & _); last done.
+      by rewrite Hnofuel in Hinterp.
+    + apply interp_sound_complete_fail in He' as (e'' & ? & [Hnf _]).
+      destruct (interp_complete e e'') as (mv & n & Hinterp & _); [by etrans|done|].
+      by rewrite Hnofuel in Hinterp.
+  - intros Hred n. destruct (interp n ∅ e) as [mv|] eqn:Hinterp; [|done].
+    apply interp_sound in Hinterp as (e' & Hsteps%Hred & Hstuck).
+    destruct mv as [v|]; simplify_eq/=.
+    + apply final_nf in Hsteps as []. apply val_final.
+    + by destruct Hstuck as [[] ?].
+Qed.
+End dynlang.
diff --git a/theories/dynlang/operational.v b/theories/dynlang/operational.v
new file mode 100644
index 0000000..34cca7b
--- /dev/null
+++ b/theories/dynlang/operational.v
@@ -0,0 +1,41 @@
+From mininix Require Export utils.
+From stdpp Require Import options.
+Module Import dynlang.
+Inductive expr :=
+  | EString (s : string)
+  | EId (ds : gmap string expr) (ex : expr)
+  | EAbs (ex e : expr)
+  | EApp (e1 e2 : expr).
+Fixpoint subst (ds : gmap string expr) (e : expr) : expr :=
+  match e with
+  | EString s => EString s
+  | EId ds' e => EId (ds ∪ ds') (subst ds e)
+  | EAbs ex e => EAbs (subst ds ex) (subst ds e)
+  | EApp e1 e2 => EApp (subst ds e1) (subst ds e2)
+  end.
+Reserved Infix "-->" (right associativity, at level 55).
+Inductive step : expr → expr → Prop :=
+  | Sβ x e1 e2 : EApp (EAbs (EString x) e1) e2 --> subst {[x:=e2]} e1
+  | SIdString ds x e : ds !! x = Some e → EId ds (EString x) --> e
+  | SAbsL ex1 ex1' e : ex1 --> ex1' → EAbs ex1 e --> EAbs ex1' e
+  | SAppL e1 e1' e2 : e1 --> e1' → EApp e1 e2 --> EApp e1' e2
+  | SId ds e1 e1' : e1 --> e1' → EId ds e1 --> EId ds e1'
+where "e1 --> e2" := (step e1 e2).
+Infix "-->*" := (rtc step) (right associativity, at level 55).
+Definition final (e : expr) : Prop :=
+  match e with
+  | EString _ => True
+  | EAbs (EString _) _ => True
+  | _ => False
+  end.
+Definition stuck (e : expr) : Prop :=
+  nf step e ∧ ¬final e.
+End dynlang.
diff --git a/theories/dynlang/operational_props.v b/theories/dynlang/operational_props.v
new file mode 100644
index 0000000..9e8028c
--- /dev/null
+++ b/theories/dynlang/operational_props.v
@@ -0,0 +1,33 @@
+From mininix Require Export dynlang.operational.
+From stdpp Require Import options.
+Module Import dynlang.
+Export dynlang.
+(** Properties of operational semantics *)
+Lemma step_not_final e1 e2 : e1 --> e2 → ¬final e1.
+Proof. induction 1; simpl; repeat case_match; naive_solver. Qed.
+Lemma final_nf e : final e → nf step e.
+Proof. by intros ? [??%step_not_final]. Qed.
+Lemma SAbsL_rtc ex1 ex1' e : ex1 -->* ex1' → EAbs ex1 e -->* EAbs ex1' e.
+Proof. induction 1; econstructor; eauto using step. Qed.
+Lemma SAppL_rtc e1 e1' e2 : e1 -->* e1' → EApp e1 e2 -->* EApp e1' e2.
+Proof. induction 1; econstructor; eauto using step. Qed.
+Lemma SId_rtc ds e1 e1' : e1 -->* e1' → EId ds e1 -->* EId ds e1'.
+Proof. induction 1; econstructor; eauto using step. Qed.
+Ltac inv_step := repeat
+  match goal with H : ?e --> _ |- _ => assert_fails (is_var e); inv H end.
+Lemma step_det e d1 d2 :
+  e --> d1 →
+  e --> d2 →
+  d1 = d2.
+Proof.
+  intros Hred1. revert d2.
+  induction Hred1; intros d2 Hred2; inv Hred2; try by inv_step;
+    f_equal; by apply IHHred1.
+Qed.
+End dynlang.
diff --git a/theories/evallang/interp.v b/theories/evallang/interp.v
new file mode 100644
index 0000000..d98b87f
--- /dev/null
+++ b/theories/evallang/interp.v
@@ -0,0 +1,52 @@
+From mininix Require Export res evallang.operational_props.
+From stdpp Require Import options.
+Module Import evallang.
+Export evallang.
+Inductive thunk := Thunk { thunk_env : gmap string thunk; thunk_expr : expr }.
+Add Printing Constructor thunk.
+Notation env := (gmap string thunk).
+Inductive val :=
+  | VString (s : string)
+  | VClo (x : string) (E : env) (e : expr).
+Global Instance maybe_VString : Maybe VString := λ v,
+  if v is VString s then Some s else None.
+Global Instance maybe_VClo : Maybe3 VClo := λ v,
+  if v is VClo x E e then Some (x, E, e) else None.
+Definition interp1 (interp : env → expr → res val) (E : env) (e : expr) : res val :=
+  match e with
+  | EString s =>
+      mret (VString s)
+  | EId ds x =>
+      t ← Res $ (E !! x) ∪ (Thunk ∅ <$> ds);
+      interp (thunk_env t) (thunk_expr t)
+  | EEval ds e =>
+      v ← interp E e;
+      s ← Res $ maybe VString v;
+      e ← Res $ parse s;
+      interp (E ∪ (Thunk ∅ <$> ds)) e
+  | EAbs ex e =>
+      v ← interp E ex;
+      x ← Res $ maybe VString v;
+      mret (VClo x E e)
+  | EApp e1 e2 =>
+      v1 ← interp E e1;
+      '(x, E', e') ← Res (maybe3 VClo v1);
+      interp (<[x:=Thunk E e2]> E') e'
+  end.
+Fixpoint interp (n : nat) (E : env) (e : expr) : res val :=
+  match n with
+  | O => NoFuel
+  | S n => interp1 (interp n) E e
+  end.
+Global Opaque interp.
+End evallang.
+Add Printing Constructor evallang.thunk.
diff --git a/theories/evallang/interp_proofs.v b/theories/evallang/interp_proofs.v
new file mode 100644
index 0000000..0a26dd1
--- /dev/null
+++ b/theories/evallang/interp_proofs.v
@@ -0,0 +1,478 @@
+From mininix Require Export evallang.interp.
+From stdpp Require Import options.
+Module Import evallang.
+Export evallang.
+Lemma interp_S n : interp (S n) = interp1 (interp n).
+Proof. done. Qed.
+Fixpoint thunk_size (t : thunk) : nat :=
+  S (map_sum_with thunk_size (thunk_env t)).
+Definition env_size (E : env) : nat :=
+  map_sum_with thunk_size E.
+Lemma env_ind (P : env → Prop) :
+  (∀ E, map_Forall (λ i, P ∘ thunk_env) E → P E) →
+  ∀ E : env, P E.
+Proof.
+  intros Pbs E.
+  induction (Nat.lt_wf_0_projected env_size E) as [E _ IH].
+  apply Pbs, map_Forall_lookup=> y [E' e'] Hy.
+  apply (map_sum_with_lookup_le thunk_size) in Hy.
+  apply IH. by rewrite -Nat.le_succ_l.
+Qed.
+(** Correspondence to operational semantics *)
+Definition subst_env' (thunk_to_expr : thunk → expr) (E : env) : expr → expr :=
+  subst (thunk_to_expr <$> E).
+Fixpoint thunk_to_expr (t : thunk) : expr :=
+  subst_env' thunk_to_expr (thunk_env t) (thunk_expr t).
+Notation subst_env := (subst_env' thunk_to_expr).
+Lemma subst_env_eq e E :
+  subst_env E e =
+    match e with
+    | EString s => EString s
+    | EId ds x => EId ((thunk_to_expr <$> E !! x) ∪ ds) x
+    | EEval ds e => EEval ((thunk_to_expr <$> E) ∪ ds) (subst_env E e)
+    | EAbs ex e => EAbs (subst_env E ex) (subst_env E e)
+    | EApp e1 e2 => EApp (subst_env E e1) (subst_env E e2)
+    end.
+Proof. destruct e; rewrite /subst_env' /= ?lookup_fmap //. Qed.
+Lemma subst_env_alt E e : subst_env E e = subst (thunk_to_expr <$> E) e.
+Proof. done. Qed.
+(* Use the unfolding lemmas, don't rely on conversion *)
+Opaque subst_env'.
+Definition val_to_expr (v : val) : expr :=
+  match v with
+  | VString s => EString s
+  | VClo x E e => EAbs (EString x) (subst_env E e)
+  end.
+Lemma final_val_to_expr v : final (val_to_expr v).
+Proof. by destruct v. Qed.
+Lemma step_not_val_to_expr v e : val_to_expr v --> e → False.
+Proof. intros []%step_not_final. apply final_val_to_expr. Qed.
+Lemma subst_empty e : subst ∅ e = e.
+Proof. induction e; f_equal/=; rewrite ?lookup_empty ?left_id_L //. Qed.
+Lemma subst_env_empty e : subst_env ∅ e = e.
+Proof. rewrite subst_env_alt. apply subst_empty. Qed.
+Lemma interp_le {n1 n2 E e mv} :
+  interp n1 E e = Res mv → n1 ≤ n2 → interp n2 E e = Res mv.
+Proof.
+  revert n2 E e mv.
+  induction n1 as [|n1 IH]; intros [|n2] E e mv He ?; [by (done || lia)..|].
+  rewrite interp_S in He; rewrite interp_S; destruct e;
+    repeat match goal with
+    | _ => case_match
+    | H : context [(_ <$> ?mx)] |- _ => destruct mx eqn:?; simplify_res
+    | H : ?r ≫= _ = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+    | H : _ <$> ?r = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+    | |- interp ?n ?E ?e ≫= _ = _ => erewrite (IH n E e) by (done || lia)
+    | _ => progress simplify_res
+    | _ => progress simplify_option_eq
+    end; eauto with lia.
+Qed.
+Lemma interp_agree {n1 n2 E e mv1 mv2} :
+  interp n1 E e = Res mv1 → interp n2 E e = Res mv2 → mv1 = mv2.
+Proof.
+  intros He1 He2. apply (inj Res). destruct (total (≤) n1 n2).
+  - rewrite -He2. symmetry. eauto using interp_le. 
+  - rewrite -He1. eauto using interp_le.
+Qed.
+Lemma subst_env_union E1 E2 e :
+  subst_env (E1 ∪ E2) e = subst_env E1 (subst_env E2 e).
+Proof.
+  revert E1 E2. induction e; intros E1 E2; rewrite subst_env_eq /=.
+  - done.
+  - rewrite !subst_env_eq lookup_union. by destruct (E1 !! _), (E2 !! _), ds.
+  - rewrite !(subst_env_eq (EEval _ _)) IHe. f_equal.
+    by rewrite assoc_L map_fmap_union.
+  - rewrite !(subst_env_eq (EAbs _ _)) /=. f_equal; auto.
+  - rewrite !(subst_env_eq (EApp _ _)) /=. f_equal; auto.
+Qed.
+Lemma subst_env_insert E x e t :
+  subst_env (<[x:=t]> E) e = subst {[x:=thunk_to_expr t]} (subst_env E e).
+Proof.
+  rewrite insert_union_singleton_l subst_env_union subst_env_alt.
+  by rewrite map_fmap_singleton.
+Qed.
+Lemma subst_env_insert_eq e1 e2 E1 E2 x E1' E2' e1' e2' :
+  subst_env E1 e1 = subst_env E2 e2 →
+  subst_env E1' e1' = subst_env E2' e2' →
+  subst_env (<[x:=Thunk E1' e1']> E1) e1 = subst_env (<[x:=Thunk E2' e2']> E2) e2.
+Proof. intros He He'. by rewrite !subst_env_insert //= He' He. Qed.
+Lemma option_fmap_thunk_to_expr_Thunk (me : option expr) :
+  thunk_to_expr <$> (Thunk ∅ <$> me) = me.
+Proof. destruct me; f_equal/=. by rewrite subst_env_empty. Qed.
+Lemma map_fmap_thunk_to_expr_Thunk (es : gmap string expr) :
+  thunk_to_expr <$> (Thunk ∅ <$> es) = es.
+Proof.
+  apply map_eq=> x. by rewrite !lookup_fmap option_fmap_thunk_to_expr_Thunk.
+Qed.
+Lemma subst_env_eval_eq E1 E2 ds1 ds2 e :
+  (thunk_to_expr <$> E1) ∪ ds1 = (thunk_to_expr <$> E2) ∪ ds2 →
+  subst_env (E1 ∪ (Thunk ∅ <$> ds1)) e = subst_env (E2 ∪ (Thunk ∅ <$> ds2)) e.
+Proof.
+  intros HE.
+  by rewrite !subst_env_alt !map_fmap_union !map_fmap_thunk_to_expr_Thunk HE.
+Qed.
+Lemma interp_proper n E1 E2 e1 e2 mv :
+  subst_env E1 e1 = subst_env E2 e2 →
+  interp n E1 e1 = Res mv →
+  ∃ mw m, interp m E2 e2 = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  revert n E1 E2 e1 e2 mv. induction n as [|n IHn]; [done|].
+  intros E1 E2 e1 e2 mv Hsubst Hinterp.
+  rewrite 2!subst_env_eq in Hsubst.
+  rewrite interp_S in Hinterp. destruct e1, e2; simplify_res; try done.
+  - eexists (Some (VString _)), 1. by rewrite interp_S.
+  - assert (thunk_to_expr <$> E1 !! x0 ∪ (Thunk ∅ <$> ds) =
+      thunk_to_expr <$> E2 !! x0 ∪ (Thunk ∅ <$> ds0)).
+    { destruct (E1 !! _), (E2 !! _), ds, ds0; simplify_eq/=;
+        f_equal/=; by rewrite ?subst_env_empty. }
+    destruct (E1 !! x0 ∪ (Thunk ∅ <$> ds)) as [[E1' e1']|],
+      (E2 !! x0 ∪ (Thunk ∅ <$> ds0)) as [[E2' e2']|] eqn:HE2;
+      simplify_res; last first.
+    { exists None, 1. by rewrite interp_S /= HE2. }
+    eapply IHn in Hinterp as (mw & m & Hinterp2 & ?); [|by eauto..].
+    exists mw, (S m). split; [|done]. rewrite interp_S /= HE2 /=. done.
+  - destruct (interp n _ e1) as [mv1|] eqn:Hinterp'; simplify_eq/=.
+    eapply IHn in Hinterp' as (mw1 & m1 & Hinterp1 & ?); last done.
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VString v1) as [x|] eqn:Hv1;
+      simplify_res; last first.
+    { exists None, (S m1). split; [|done]. rewrite interp_S /= Hinterp1 /=.
+      destruct v1, w1; repeat destruct select base_lit; by simplify_eq/=. }
+    destruct v1, w1; repeat destruct select base_lit; simplify_eq/=.
+    destruct (parse _) as [e|] eqn:Hparse; simplify_res; last first.
+    { exists None, (S m1). split; [|done]. rewrite interp_S /= Hinterp1 /=.
+      by rewrite Hparse. }
+    eapply IHn in Hinterp
+      as (mw & m2 & Hinterp2 & ?); last by apply subst_env_eval_eq.
+    exists mw, (S (m1 `max` m2)). split; [|done]. rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia. rewrite Hparse /=.
+    eauto using interp_le with lia.
+  - destruct (interp n _ _) as [mv1|] eqn:Hinterp'; simplify_eq/=.
+    eapply IHn in Hinterp' as (mw1 & m1 & Hinterp1 & ?); last done.
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VString _) eqn:Hstring; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe VString w1 = None) as -> by (by destruct v1, w1). }
+    destruct v1, w1; simplify_eq/=.
+    eexists (Some (VClo _ _ _)), (S m1).
+    rewrite interp_S /= Hinterp1 /=. split; [done|]. by do 2 f_equal/=.
+  - destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    eapply IHn in Hinterp' as (mw' & m1 & Hinterp1 & ?); last done.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe3 VClo _) eqn:Hclo; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe3 VClo w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_eq/=.
+    eapply IHn with (E2 := <[x0:=Thunk E2 e2_2]> E0) in Hinterp
+      as (w & m2 & Hinterp2 & ?); last by apply subst_env_insert_eq.
+    exists w, (S (m1 `max` m2)). rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    rewrite (interp_le Hinterp2) /=; last lia. done.
+Qed.
+Lemma subst_as_subst_env x e1 e2 :
+  subst {[x:=e2]} e1 = subst_env (<[x:=Thunk ∅ e2]> ∅) e1.
+Proof. rewrite subst_env_insert //= !subst_env_empty //. Qed.
+Lemma interp_subst_abs n x e1 e2 mv :
+  interp n ∅ (subst {[x:=e2]} e1) = Res mv →
+  ∃ mw m, interp m (<[x:=Thunk ∅ e2]> ∅) e1 = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  apply interp_proper. by rewrite subst_env_empty subst_as_subst_env.
+Qed.
+Lemma interp_subst_eval n e ds mv :
+  interp n ∅ (subst ds e) = Res mv →
+  ∃ mw m, interp m (Thunk ∅ <$> ds) e = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  apply interp_proper.
+  by rewrite subst_env_empty subst_env_alt map_fmap_thunk_to_expr_Thunk.
+Qed.
+Lemma interp_step e1 e2 n mv :
+  e1 --> e2 →
+  interp n ∅ e2 = Res mv →
+  ∃ mw m, interp m ∅ e1 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  intros Hstep. revert mv n.
+  induction Hstep; intros mv n Hinterp.
+  - apply interp_subst_abs in Hinterp as (mw & [|m] & Hinterp & Hv);
+      simplify_eq/=; [|done..].
+    exists mw, (S (S (S m))). rewrite !interp_S /= -!interp_S.
+    eauto using interp_le with lia.
+  - exists mv, (S n). rewrite !interp_S /=.
+    rewrite lookup_empty left_id_L /=. done.
+  - apply interp_subst_eval in Hinterp as (mw & [|m] & Hinterp & Hv);
+      simplify_eq/=; [|done..].
+    exists mw, (S (S m)). rewrite !interp_S /= -interp_S.
+    rewrite left_id_L H /=. done.
+  - destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IHHstep in Hinterp' as (mw' & m1 & Hinterp1 & ?); simplify_res.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VString _) eqn:Hstring; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe VString w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_eq/=.
+    eexists (Some (VClo _ _ _)), (S m1). rewrite !interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia. done.
+  - destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IHHstep in Hinterp' as (mw' & m1 & Hinterp1 & ?); simplify_res.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe3 VClo _) eqn:Hclo; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe3 VClo w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_eq/=.
+    eapply interp_proper in Hinterp as (mw & m2 & Hinterp2 & Hv);
+      last apply subst_env_insert_eq; try done.
+    exists mw, (S (m1 `max` m2)). rewrite !interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    by rewrite (interp_le Hinterp2) /=; last lia.
+  - destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ e1') as [mv1|] eqn:Hinterp1; simplify_eq/=.
+    apply IHHstep in Hinterp1 as (mw1 & m & Hinterp1 & Hw1).
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VString _) eqn:Hstring; simplify_res; last first.
+    { exists None, (S m). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe VString w1 = None) as -> by (by destruct v1, w1). }
+    destruct v1, w1; simplify_eq/=.
+    exists mv, (S (n `max` m)). split; [|done]. rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    destruct (parse _); simplify_res; eauto using interp_le with lia.
+Qed.
+Lemma final_interp e :
+  final e →
+  ∃ w m, interp m ∅ e = mret w ∧ e = val_to_expr w.
+Proof.
+  induction e as [| | |[]|]; inv 1.
+  - eexists (VString _), 1. by rewrite interp_S /=.
+  - eexists (VClo _ _ _), 2. rewrite interp_S /=. split; [done|].
+    by rewrite subst_env_empty.
+Qed.
+Lemma red_final_interp e :
+  red step e ∨ final e ∨ ∃ m, interp m ∅ e = mfail.
+Proof.
+  induction e.
+  - (* ENat *) right; left. constructor.
+  - (* EId *) destruct ds as [e|].
+    + left. by repeat econstructor.
+    + do 2 right. by exists 1.
+  - (* EEval *) destruct IHe as [[??]|[Hfinal|[m Hinterp]]].
+    + left. by repeat econstructor.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe VString w) as [x|] eqn:Hw; last first.
+      { do 2 right. exists (S m). rewrite interp_S /= Hinterp /=.
+        by rewrite Hw. }
+      destruct w; simplify_eq/=.
+      destruct (parse x) as [e|] eqn:Hparse; last first.
+      { do 2 right. exists (S m). rewrite interp_S /= Hinterp /=.
+        by rewrite Hparse. }
+      left. by repeat econstructor.
+    + do 2 right. exists (S m). rewrite interp_S /= Hinterp. done.
+  - (* EAbs *) destruct IHe1 as [[??]|[Hfinal|[m Hinterp]]].
+    + left. by repeat econstructor.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe VString w) as [x|] eqn:Hw; last first.
+      { do 2 right. exists (S m). rewrite interp_S /= Hinterp /=.
+        by rewrite Hw. }
+      destruct w; naive_solver.
+    + do 2 right. exists (S m). rewrite interp_S /= Hinterp. done.
+  - (* EApp *) destruct IHe1 as [[??]|[Hfinal|[m Hinterp]]].
+    + left. by repeat econstructor.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe3 VClo w) eqn:Hw.
+      { destruct w; simplify_eq/=. left. by repeat econstructor. }
+      do 2 right. exists (S m). by rewrite interp_S /= Hinterp /= Hw.
+    + do 2 right. exists (S m). by rewrite interp_S /= Hinterp.
+Qed.
+Lemma interp_complete e1 e2 :
+  e1 -->* e2 →
+  nf step e2 →
+  ∃ mw m, interp m ∅ e1 = Res mw ∧
+    if mw is Some w then e2 = val_to_expr w else ¬final e2.
+Proof.
+  intros Hsteps Hnf. induction Hsteps as [e|e1 e2 e3 Hstep _ IH].
+  { destruct (red_final_interp e) as [?|[Hfinal|[m Hinterp]]]; [done|..].
+    - apply final_interp in Hfinal as (w & m & ? & ?).
+      by exists (Some w), m.
+    - exists None, m. split; [done|]. intros Hfinal.
+      apply final_interp in Hfinal as (w & m' & ? & _).
+      by assert (mfail = mret w) by eauto using interp_agree. }
+  destruct IH as (mw & m & Hinterp & ?); try done.
+  eapply interp_step in Hinterp as (mw' & m' & ? & ?); last done.
+  destruct mw, mw'; naive_solver.
+Qed.
+Lemma interp_complete_ret e1 e2 :
+  e1 -->* e2 → final e2 →
+  ∃ w m, interp m ∅ e1 = mret w ∧ e2 = val_to_expr w.
+Proof.
+  intros Hsteps Hfinal. apply interp_complete in Hsteps
+    as ([w|] & m & ? & ?); naive_solver eauto using final_nf.
+Qed.
+Lemma interp_complete_fail e1 e2 :
+  e1 -->* e2 → nf step e2 → ¬final e2 →
+  ∃ m, interp m ∅ e1 = mfail.
+Proof.
+  intros Hsteps Hnf Hforce.
+  apply interp_complete in Hsteps as ([w|] & m & ? & ?); simplify_eq/=; try by eauto.
+  destruct Hforce. apply final_val_to_expr.
+Qed.
+Lemma interp_sound_open E e n mv :
+  interp n E e = Res mv →
+  ∃ e', subst_env E e -->* e' ∧
+    if mv is Some v then e' = val_to_expr v else stuck e'.
+Proof.
+  revert E e mv.
+  induction n as [|n IH]; intros E e mv Hinterp; first done.
+  rewrite subst_env_eq. rewrite interp_S in Hinterp.
+  destruct e; simplify_res.
+  - (* EString *) by eexists.
+  - (* EId *)
+    assert (thunk_to_expr <$> (E !! x) ∪ (Thunk ∅ <$> ds)
+      = (thunk_to_expr <$> E !! x) ∪ ds).
+    { destruct (_ !! _), ds; f_equal/=. by rewrite subst_env_empty. }
+    destruct (_ ∪ (_ <$> _)) as [[E1 e1]|], (_ ∪ _) as [e2|]; simplify_res.
+    * apply IH in Hinterp as (e'' & Hsteps & He'').
+      exists e''; split; [|done].
+      eapply rtc_l; [|done]. by econstructor.
+    * eexists; split; [done|]. split; [|inv 1].
+      intros [? Hstep]. inv_step; simplify_eq/=; congruence.
+  - (* EEval *)
+    destruct (interp _ _ _) as [mv1|] eqn:Hinterp1; simplify_res.
+    apply IH in Hinterp1 as (e1' & Hsteps1 & He1').
+    destruct mv1 as [v1|]; simplify_res; last first.
+    { eexists; split; [by eapply SEval_rtc|]. split; [|inv 1].
+      intros [??]. destruct He1' as [Hnf []].
+      inv_step; simpl; eauto. destruct Hnf; eauto. }
+    destruct (maybe VString _) as [x|] eqn:Hv1; simplify_res; last first.
+    { eexists; split; [by eapply SEval_rtc|]. split; [|inv 1].
+      intros [??]. destruct v1; inv_step. }
+    destruct v1; simplify_eq/=.
+    destruct (parse x) as [ex|] eqn:Hparse; simplify_res; last first.
+    { eexists; split; [by eapply SEval_rtc|].
+      split; [|inv 1]. intros [??]. inv_step. }
+    apply IH in Hinterp as (e'' & Hsteps & He'').
+    exists e''; split; [|done]. etrans; [by eapply SEval_rtc|].
+    eapply rtc_l; [by econstructor|].
+    by rewrite subst_env_alt map_fmap_union
+      map_fmap_thunk_to_expr_Thunk in Hsteps.
+  - (* EAbs *)
+    destruct (interp _ _ _) as [mv1|] eqn:Hinterp1; simplify_res.
+    apply IH in Hinterp1 as (e1' & Hsteps1 & He1').
+    destruct mv1 as [v1|]; simplify_res; last first.
+    { eexists; split; [by eapply SAbsL_rtc|]. split.
+      + intros [??]. destruct He1' as [Hnf []].
+        inv_step; simpl; eauto. destruct Hnf; eauto.
+      + intros ?. destruct He1' as [_ []]. by destruct e1'. }
+    eexists; split; [by eapply SAbsL_rtc|].
+    destruct (maybe VString _) as [x|] eqn:Hv1; simplify_res; last first.
+    { split; [|destruct v1; inv 1]. intros [??]. destruct v1; inv_step. }
+    by destruct v1; simplify_eq/=.
+  - (* EApp *) destruct (interp _ _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IH in Hinterp' as (e' & Hsteps & He'); try done.
+    destruct mv' as [v'|]; simplify_res; last first.
+    { eexists; repeat split; [by apply SAppL_rtc| |inv 1].
+      intros [e'' Hstep]. destruct He' as [Hnf Hfinal].
+      inv Hstep; [by destruct Hfinal; constructor|]. destruct Hnf. eauto. }
+    destruct (maybe3 VClo v') eqn:?; simplify_res; last first.
+    { eexists; repeat split; [by apply SAppL_rtc| |inv 1].
+      intros [e'' Hstep]. inv Hstep; destruct v'; by repeat inv_step. }
+    destruct v'; simplify_res.
+    apply IH in Hinterp as (e'' & Hsteps' & He'').
+    eexists; split; [|done]. etrans; [by apply SAppL_rtc|].
+    eapply rtc_l; first by constructor.
+    rewrite subst_env_insert // in Hsteps'.
+Qed.
+Lemma interp_sound n e mv :
+  interp n ∅ e = Res mv →
+  ∃ e', e -->* e' ∧ if mv is Some v then e' = val_to_expr v else stuck e'.
+Proof.
+  intros Hsteps%interp_sound_open; try done.
+  by rewrite subst_env_empty in Hsteps.
+Qed.
+(** Final theorems *)
+Theorem interp_sound_complete_ret e v :
+  (∃ w n, interp n ∅ e = mret w ∧ val_to_expr v = val_to_expr w)
+    ↔ e -->* val_to_expr v.
+Proof.
+  split.
+  - by intros (n & w & (e' & ? & ->)%interp_sound & ->).
+  - intros Hsteps. apply interp_complete in Hsteps as ([] & ? & ? & ?);
+      unfold nf, red;
+      naive_solver eauto using final_val_to_expr, step_not_val_to_expr.
+Qed.
+Theorem interp_sound_complete_ret_string e s :
+  (∃ n, interp n ∅ e = mret (VString s)) ↔ e -->* EString s.
+Proof.
+  split.
+  - by intros [n (e' & ? & ->)%interp_sound].
+  - intros Hsteps. apply interp_complete_ret in Hsteps as ([] & ? & ? & ?);
+      simplify_eq/=; eauto.
+Qed.
+Theorem interp_sound_complete_fail e :
+  (∃ n, interp n ∅ e = mfail) ↔ ∃ e', e -->* e' ∧ stuck e'.
+Proof.
+  split.
+  - by intros [n ?%interp_sound].
+  - intros (e' & Hsteps & Hnf & Hforced). by eapply interp_complete_fail.
+Qed.
+Theorem interp_sound_complete_no_fuel e :
+  (∀ n, interp n ∅ e = NoFuel) ↔ all_loop step e.
+Proof.
+  rewrite all_loop_alt. split.
+  - intros Hnofuel e' Hsteps.
+    destruct (red_final_interp e') as [|[|He']]; [done|..].
+    + apply interp_complete_ret in Hsteps as (w & m & Hinterp & _); last done.
+      by rewrite Hnofuel in Hinterp.
+    + apply interp_sound_complete_fail in He' as (e'' & ? & [Hnf _]).
+      destruct (interp_complete e e'') as (mv & n & Hinterp & _); [by etrans|done|].
+      by rewrite Hnofuel in Hinterp.
+  - intros Hred n. destruct (interp n ∅ e) as [mv|] eqn:Hinterp; [|done].
+    apply interp_sound in Hinterp as (e' & Hsteps%Hred & Hstuck).
+    destruct mv as [v|]; simplify_eq/=.
+    + apply final_nf in Hsteps as []. apply final_val_to_expr.
+    + by destruct Hstuck as [[] ?].
+Qed.
+End evallang.
diff --git a/theories/evallang/operational.v b/theories/evallang/operational.v
new file mode 100644
index 0000000..79174dd
--- /dev/null
+++ b/theories/evallang/operational.v
@@ -0,0 +1,140 @@
+From Coq Require Import Ascii.
+From mininix Require Export utils.
+From stdpp Require Import options.
+Module Import evallang.
+Inductive expr :=
+  | EString (s : string)
+  | EId (ds : option expr) (x : string)
+  | EEval (ds : gmap string expr) (ee : expr)
+  | EAbs (ex e : expr)
+  | EApp (e1 e2 : expr).
+Module parser.
+  Inductive token :=
+    | TId (s : string)
+    | TString (s : string)
+    | TColon
+    | TExclamation
+    | TParenL
+    | TParenR.
+  Inductive token_state :=
+    TSString (s : string) | TSId (s : string) | TSOther.
+  Definition token_state_push (st : token_state) (k : list token) : list token :=
+    match st with
+    | TSId s => TId (String.rev s) :: k
+    | _ => k
+    end.
+  Fixpoint tokenize_go (sin : string) (st : token_state)
+      (k : list token) : option (list token) :=
+    match sin, st with
+    | "", TSString _ => None (* no closing "" *)
+    | "", _ => Some (reverse (token_state_push st k))
+    | String "\" (String """" sin), TSString s =>
+        tokenize_go sin (TSString (String """" s)) k
+    | String """" sin, TSString s =>
+        tokenize_go sin TSOther (TString (String.rev s) :: k)
+    | String a sin, TSString s => tokenize_go sin (TSString (String a s)) k
+    | String ":" sin, _ => tokenize_go sin TSOther (TColon :: token_state_push st k)
+    | String "!" sin, _ => tokenize_go sin TSOther (TExclamation :: token_state_push st k)
+    | String "(" sin, _ => tokenize_go sin TSOther (TParenL :: token_state_push st k)
+    | String ")" sin, _ => tokenize_go sin TSOther (TParenR :: token_state_push st k)
+    | String """" sin, _ => tokenize_go sin (TSString "") k
+    | String a sin, TSOther =>
+       if Ascii.is_space a then tokenize_go sin TSOther k
+       else tokenize_go sin (TSId (String a EmptyString)) k
+    | String a sin, TSId s =>
+       if Ascii.is_space a then tokenize_go sin TSOther (TId (String.rev s) :: k)
+       else tokenize_go sin (TSId (String a s)) k
+    end.
+  Definition tokenize (sin : string) : option (list token) :=
+    tokenize_go sin TSOther [].
+  Inductive stack_item :=
+    | SExpr (e : expr)
+    | SAbsR (e : expr)
+    | SEval
+    | SParenL.
+  Definition stack_push (e : expr) (k : list stack_item) : list stack_item :=
+    match k with
+    | SExpr e1 :: k => SExpr (EApp e1 e) :: k
+    | SEval :: k => SExpr (EEval ∅ e) :: k
+    | _ => SExpr e :: k
+    end.
+  Fixpoint stack_pop_go (e : expr)
+      (k : list stack_item) : option (expr * list stack_item) :=
+    match k with
+    | SAbsR e1 :: k => stack_pop_go (EAbs e1 e) k
+    | _ => Some (e, k)
+    end.
+  Definition stack_pop (k : list stack_item) : option (expr * list stack_item) :=
+    match k with
+    | SExpr e :: k => stack_pop_go e k
+    | _ => None
+    end.
+  Fixpoint parse_go (ts : list token) (k : list stack_item) : option expr :=
+    match ts with
+    | [] => '(e, k) ← stack_pop k; guard (k = []);; Some e
+    | TString x :: ts => parse_go ts (stack_push (EString x) k)
+    | TId "eval" :: TExclamation :: ts => parse_go ts (SEval :: k)
+    | TId x :: TColon :: ts => parse_go ts (SAbsR (EString x) :: k)
+    | TId x :: ts => parse_go ts (stack_push (EId None x) k)
+    | TColon :: ts =>
+       '(e, k) ← stack_pop k;
+       parse_go ts (SAbsR e :: k)
+    | TParenL :: ts => parse_go ts (SParenL :: k)
+    | TParenR :: ts =>
+       '(e, k) ← stack_pop k;
+       match k with
+       | SParenL :: k => parse_go ts (stack_push e k)
+       | _ => None
+       end
+    | _ => None
+    end.
+  Definition parse (sin : string) : option expr :=
+    ts ← tokenize sin; parse_go ts [].
+End parser.
+Definition parse := parser.parse.
+Fixpoint subst (ds : gmap string expr) (e : expr) : expr :=
+  match e with
+  | EString s => EString s
+  | EId ds' x => EId (ds !! x ∪ ds') x
+  | EEval ds' ee => EEval (ds ∪ ds') (subst ds ee)
+  | EAbs ex e => EAbs (subst ds ex) (subst ds e)
+  | EApp e1 e2 => EApp (subst ds e1) (subst ds e2)
+  end.
+Reserved Infix "-->" (right associativity, at level 55).
+Inductive step : expr → expr → Prop :=
+  | Sβ x e1 e2 : EApp (EAbs (EString x) e1) e2 --> subst {[x:=e2]} e1
+  | SId e x : EId (Some e) x --> e
+  | SEvalString ds s e : parse s = Some e → EEval ds (EString s) --> subst ds e
+  | SAbsL ex1 ex1' e : ex1 --> ex1' → EAbs ex1 e --> EAbs ex1' e
+  | SAppL e1 e1' e2 : e1 --> e1' → EApp e1 e2 --> EApp e1' e2
+  | SEval ds e1 e1' : e1 --> e1' → EEval ds e1 --> EEval ds e1'
+where "e1 --> e2" := (step e1 e2).
+Infix "-->*" := (rtc step) (right associativity, at level 55).
+Definition final (e : expr) : Prop :=
+  match e with
+  | EString _ => True
+  | EAbs (EString _) _ => True
+  | _ => False
+  end.
+Definition stuck (e : expr) : Prop :=
+  nf step e ∧ ¬final e.
+End evallang.
diff --git a/theories/evallang/operational_props.v b/theories/evallang/operational_props.v
new file mode 100644
index 0000000..31724c0
--- /dev/null
+++ b/theories/evallang/operational_props.v
@@ -0,0 +1,33 @@
+From mininix Require Export evallang.operational.
+From stdpp Require Import options.
+Module Import evallang.
+Export evallang.
+(** Properties of operational semantics *)
+Lemma step_not_final e1 e2 : e1 --> e2 → ¬final e1.
+Proof. induction 1; simpl; repeat case_match; naive_solver. Qed.
+Lemma final_nf e : final e → nf step e.
+Proof. by intros ? [??%step_not_final]. Qed.
+Lemma SAbsL_rtc ex1 ex1' e : ex1 -->* ex1' → EAbs ex1 e -->* EAbs ex1' e.
+Proof. induction 1; econstructor; eauto using step. Qed.
+Lemma SAppL_rtc e1 e1' e2 : e1 -->* e1' → EApp e1 e2 -->* EApp e1' e2.
+Proof. induction 1; econstructor; eauto using step. Qed.
+Lemma SEval_rtc ds e1 e1' : e1 -->* e1' → EEval ds e1 -->* EEval ds e1'.
+Proof. induction 1; econstructor; eauto using step. Qed.
+Ltac inv_step := repeat
+  match goal with H : ?e --> _ |- _ => assert_fails (is_var e); inv H end.
+Lemma step_det e d1 d2 :
+  e --> d1 →
+  e --> d2 →
+  d1 = d2.
+Proof.
+  intros Hred1. revert d2.
+  induction Hred1; intros d2 Hred2; inv Hred2; try by inv_step;
+    f_equal; by apply IHHred1.
+Qed.
+End evallang.
diff --git a/theories/evallang/tests.v b/theories/evallang/tests.v
new file mode 100644
index 0000000..eaba8a0
--- /dev/null
+++ b/theories/evallang/tests.v
@@ -0,0 +1,33 @@
+From mininix Require Export evallang.interp.
+From stdpp Require Import options.
+Import evallang.
+Definition interp' (n : nat) (s : string) : res val :=
+  interp n ∅ (EEval ∅ (EString s)).
+Lemma test_1_a : interp' 1000 ("(x: x) ""s""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_1_b : interp' 1000 ("(""x"": x) ""s""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_1_c : interp' 1000 ("((y:y) ""x"": x) ""s""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_1_d : interp' 1000 ("(((y:y) ""x""): x) ""s""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_2 : interp' 1000 ("(x: y: eval! y) ""s"" ""x""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_3 : interp' 1000 ("eval! ""x: x"" ""s""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_4_a :
+  interp' 1000 ("(x: y: eval! y) ""s"" ""x""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_4_b :
+  interp' 1000 ("eval! ""(x: y: eval! y) \""s\"" \""x\""""") = mret (VString "s").
+Proof. by vm_compute. Qed.
+Lemma test_5 :
+  interp' 1000 ("(x: y: eval! ""x: x"" (eval! y)) ""s"" ""x""") = mret (VString "s").
+Proof. by vm_compute. Qed.
diff --git a/theories/lambda/interp.v b/theories/lambda/interp.v
new file mode 100644
index 0000000..5bc60d1
--- /dev/null
+++ b/theories/lambda/interp.v
@@ -0,0 +1,44 @@
+From mininix Require Export res lambda.operational_props.
+From stdpp Require Import options.
+Module Import lambda.
+Export lambda.
+Inductive thunk :=
+  Thunk { thunk_env : gmap string thunk; thunk_expr : expr }.
+Add Printing Constructor thunk.
+Notation env := (gmap string thunk).
+Inductive val :=
+  | VString (s : string)
+  | VClo (x : string) (E : env) (e : expr).
+Global Instance maybe_VClo : Maybe3 VClo := λ v,
+  if v is VClo x E e then Some (x, E, e) else None.
+Definition interp1 (interp : env → expr → res val) (E : env) (e : expr) : res val :=
+  match e with
+  | EString s =>
+      mret (VString s)
+  | EId x =>
+      t ← Res (E !! x);
+      interp (thunk_env t) (thunk_expr t)
+  | EAbs x e =>
+      mret (VClo x E e)
+  | EApp e1 e2 =>
+      v1 ← interp E e1;
+      '(x, E', e') ← Res (maybe3 VClo v1);
+      interp (<[x:=Thunk E e2]> E') e'
+  end.
+Fixpoint interp (n : nat) (E : env) (e : expr) : res val :=
+  match n with
+  | O => NoFuel
+  | S n => interp1 (interp n) E e
+  end.
+Global Opaque interp.
+End lambda.
+Add Printing Constructor lambda.thunk.
diff --git a/theories/lambda/interp_proofs.v b/theories/lambda/interp_proofs.v
new file mode 100644
index 0000000..efd0982
--- /dev/null
+++ b/theories/lambda/interp_proofs.v
@@ -0,0 +1,614 @@
+From mininix Require Export lambda.interp.
+From stdpp Require Import options.
+Module Import lambda.
+Export lambda.
+Lemma interp_S n : interp (S n) = interp1 (interp n).
+Proof. done. Qed.
+Fixpoint thunk_size (t : thunk) : nat :=
+  S (map_sum_with thunk_size (thunk_env t)).
+Definition env_size (E : env) : nat :=
+  map_sum_with thunk_size E.
+Lemma env_ind (P : env → Prop) :
+  (∀ E, map_Forall (λ i, P ∘ thunk_env) E → P E) →
+  ∀ E : env, P E.
+Proof.
+  intros Pbs E.
+  induction (Nat.lt_wf_0_projected env_size E) as [E _ IH].
+  apply Pbs, map_Forall_lookup=> y [E' e'] Hy.
+  apply (map_sum_with_lookup_le thunk_size) in Hy.
+  apply IH. by rewrite -Nat.le_succ_l.
+Qed.
+(** Correspondence to operational semantics *)
+Definition subst_env' (thunk_to_expr : thunk → expr) (E : env) : expr → expr :=
+  subst (thunk_to_expr <$> E).
+Fixpoint thunk_to_expr (t : thunk) : expr :=
+  subst_env' thunk_to_expr (thunk_env t) (thunk_expr t).
+Notation subst_env := (subst_env' thunk_to_expr).
+Lemma subst_env_eq e E :
+  subst_env E e =
+    match e with
+    | EString s => EString s
+    | EId x => if E !! x is Some t then thunk_to_expr t else EId x
+    | EAbs x e => EAbs x (subst_env (delete x E) e)
+    | EApp e1 e2 => EApp (subst_env E e1) (subst_env E e2)
+    end.
+Proof.
+  rewrite /subst_env. destruct e; simpl; try done.
+  - rewrite lookup_fmap. by destruct (E !! x) as [[]|].
+  - by rewrite fmap_delete.
+Qed.
+Lemma subst_env_id x E :
+  subst_env E (EId x) = if E !! x is Some t then thunk_to_expr t else EId x.
+Proof. by rewrite subst_env_eq. Qed.
+Lemma subst_env_alt E e : subst_env E e = subst (thunk_to_expr <$> E) e.
+Proof. done. Qed.
+(* Use the unfolding lemmas, don't rely on conversion *)
+Opaque subst_env'.
+Definition val_to_expr (v : val) : expr :=
+  match v with
+  | VString s => EString s
+  | VClo x E e => EAbs x (subst_env (delete x E) e)
+  end.
+Lemma final_val_to_expr v : final (val_to_expr v).
+Proof. by destruct v. Qed.
+Lemma step_not_val_to_expr v e : val_to_expr v --> e → False.
+Proof. intros []%step_not_final. apply final_val_to_expr. Qed.
+Lemma subst_empty e : subst ∅ e = e.
+Proof. induction e; f_equal/=; auto. Qed.
+Lemma subst_env_empty e : subst_env ∅ e = e.
+Proof. rewrite subst_env_alt. apply subst_empty. Qed.
+Lemma interp_le {n1 n2 E e mv} :
+  interp n1 E e = Res mv → n1 ≤ n2 → interp n2 E e = Res mv.
+Proof.
+  revert n2 E e mv.
+  induction n1 as [|n1 IH]; intros [|n2] E e mv He ?; [by (done || lia)..|].
+  rewrite interp_S in He; rewrite interp_S; destruct e;
+    repeat match goal with
+    | _ => case_match
+    | H : context [(_ <$> ?mx)] |- _ => destruct mx eqn:?; simplify_res
+    | H : ?r ≫= _ = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+    | H : _ <$> ?r = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+    | |- interp ?n ?E ?e ≫= _ = _ => erewrite (IH n E e) by (done || lia)
+    | _ => progress simplify_res
+    | _ => progress simplify_option_eq
+    end; eauto with lia.
+Qed.
+Lemma interp_agree {n1 n2 E e mv1 mv2} :
+  interp n1 E e = Res mv1 → interp n2 E e = Res mv2 → mv1 = mv2.
+Proof.
+  intros He1 He2. apply (inj Res). destruct (total (≤) n1 n2).
+  - rewrite -He2. symmetry. eauto using interp_le. 
+  - rewrite -He1. eauto using interp_le.
+Qed.
+Definition is_not_id (e : expr) : Prop :=
+  match e with EId _ => False | _ => True end.
+Lemma id_or_not e : (∃ x, e = EId x) ∨ is_not_id e.
+Proof. destruct e; naive_solver. Qed.
+Lemma interp_not_id n E e v :
+  interp n E e = mret v → is_not_id (subst_env E e).
+Proof.
+  revert E e v. induction n as [|n IH]; intros E e v; [done|].
+  rewrite interp_S. destruct e; simpl; try done.
+  rewrite subst_env_id. destruct (_ !! _) as [[[]]|]; naive_solver.
+Qed.
+Fixpoint closed (X : stringset) (e : expr) : Prop :=
+  match e with
+  | EString _ => True
+  | EId x => x ∈ X
+  | EAbs x e => closed ({[ x ]} ∪ X) e
+  | EApp e1 e2 => closed X e1 ∧ closed X e2
+  end.
+Inductive closed_thunk (t : thunk) : Prop := {
+  closed_thunk_env : map_Forall (λ _, closed_thunk) (thunk_env t);
+  closed_thunk_expr : closed (dom (thunk_env t)) (thunk_expr t);
+}.
+Notation closed_env := (map_Forall (M:=env) (λ _, closed_thunk)).
+Definition closed_val (v : val) : Prop :=
+  match v with
+  | VString _ => True
+  | VClo x E e => closed_env E ∧ closed ({[x]} ∪ dom E) e
+  end.
+Lemma closed_thunk_eq E e :
+  closed_thunk (Thunk E e) ↔ closed_env E ∧ closed (dom E) e.
+Proof. split; inv 1; constructor; done. Qed.
+Lemma closed_env_delete x E : closed_env E → closed_env (delete x E).
+Proof. apply map_Forall_delete. Qed.
+Lemma closed_env_insert x t E :
+  closed_thunk t → closed_env E → closed_env (<[x:=t]> E).
+Proof. apply: map_Forall_insert_2. Qed.
+Lemma closed_env_lookup E x t :
+  closed_env E → E !! x = Some t → closed_thunk t.
+Proof. apply map_Forall_lookup_1. Qed.
+Lemma closed_subst E ds e :
+  dom ds ## E → closed E e → subst ds e = e.
+Proof.
+  revert E ds.
+  induction e; intros E ds Hdisj Heclosed; simplify_eq/=; first done.
+  - assert (Hxds : x ∉ dom ds) by set_solver.
+    by rewrite (not_elem_of_dom_1 _ _ Hxds).
+  - f_equal. by apply IHe with (E := {[x]} ∪ E); first set_solver.
+  - f_equal; naive_solver.
+Qed.
+Lemma closed_weaken X Y e : closed X e → X ⊆ Y → closed Y e.
+Proof. revert X Y; induction e; naive_solver eauto with set_solver. Qed.
+Lemma subst_closed ds X e :
+  map_Forall (λ _, closed ∅) ds →
+  closed (dom ds ∪ X) e →
+  closed X (subst ds e).
+Proof.
+  revert X ds. induction e; intros X ds; repeat (case_decide || simplify_eq/=).
+  - done.
+  - intros. case_match.
+    + apply H in H1. by eapply closed_weaken.
+    + apply not_elem_of_dom in H1. set_solver.
+  - intros. apply IHe.
+    + by apply map_Forall_delete.
+    + by rewrite dom_delete_L assoc_L difference_union_L
+                 [dom _ ∪ _]comm_L -assoc_L.
+  - naive_solver.
+Qed.
+Lemma subst_env_delete_closed E X e x :
+  closed_env E →
+  closed ({[x]} ∪ X) (subst_env E e) →
+  closed ({[x]} ∪ X) (subst_env (delete x E) e).
+Proof.
+  revert E X x.
+  induction e as [s | z | z e IHe | e1 IHe1 e2 IHe2]; intros E X x.
+  - rewrite !subst_env_eq //.
+  - rewrite !subst_env_eq /=. case_match.
+    + destruct (decide (x = z)) as [->|?].
+      * rewrite lookup_delete. set_solver.
+      * rewrite lookup_delete_ne // H //.
+    + destruct (decide (x = z)) as [->|?].
+      * rewrite delete_notin // H //.
+      * rewrite lookup_delete_ne // H //.
+  - intros HE.
+    rewrite [subst_env (delete _ _) _]subst_env_eq subst_env_eq /=
+            delete_commute comm_L -assoc_L.
+    by apply IHe, map_Forall_delete.
+  - rewrite [subst_env (delete _ _) _]subst_env_eq subst_env_eq /=.
+    naive_solver.
+Qed.
+Lemma subst_env_closed E X e :
+  closed_env E → closed (dom E ∪ X) e → closed X (subst_env E e).
+Proof.
+  revert e X. induction E using env_ind.
+  induction e; intros X Hcenv Hclosed; simplify_eq/=.
+  - done.
+  - rewrite subst_env_eq. case_match.
+    + destruct t as [Et et]; simpl.
+      apply closed_env_lookup in H0 as Htclosed; last done.
+      apply closed_thunk_eq in Htclosed as [HEtclosed Hetclosed].
+      apply (H _ _ H0); simpl.
+      * exact HEtclosed.
+      * eapply closed_weaken; set_solver.
+    + simpl in *. apply not_elem_of_dom in H0. set_solver.
+  - rewrite subst_env_eq. simpl in *.
+    rewrite comm_L -assoc_L in Hclosed.
+    apply IHe in Hclosed; last exact Hcenv.
+    apply subst_env_delete_closed; first done.
+    by rewrite comm_L.
+  - rewrite subst_env_eq. naive_solver.
+Qed.
+Lemma thunk_to_expr_closed t : closed_thunk t → closed ∅ (thunk_to_expr t).
+Proof.
+  destruct t as [E e]. intros [HEclosed Heclosed]%closed_thunk_eq.
+  by apply subst_env_closed; last rewrite union_empty_r_L.
+Qed.
+Lemma subst_env_insert E x e t :
+  closed_env E → 
+  subst_env (<[x:=t]> E) e
+  = subst {[x:=thunk_to_expr t]} (subst_env (delete x E) e).
+Proof.
+  revert E. induction e; intros E HEclosed; simpl.
+  - done.
+  - destruct (decide (x = x0)) as [->|?].
+    + rewrite subst_env_eq lookup_insert subst_env_id
+        lookup_delete /= lookup_singleton. done.
+    + rewrite subst_env_eq lookup_insert_ne // subst_env_id.
+      destruct (E !! x0) eqn:Elookup.
+      * apply closed_env_lookup in Elookup as Hc0closed; last done.
+        apply thunk_to_expr_closed in Hc0closed.
+        rewrite lookup_delete_ne // Elookup.
+        by erewrite closed_subst with (E := ∅).
+      * by rewrite lookup_delete_ne // Elookup /= lookup_singleton_ne.
+  - rewrite (subst_env_eq (EAbs x0 e)) (subst_env_eq (EAbs _ _)) /=. f_equal.
+    destruct (decide (x0 = x)) as [->|?].
+    + by rewrite delete_insert_delete delete_idemp
+                 delete_singleton subst_empty.
+    + rewrite delete_insert_ne // delete_singleton_ne // delete_commute.
+      apply IHe. by apply closed_env_delete.
+  - rewrite (subst_env_eq (EApp _ _)) [subst_env (delete x E) _]subst_env_eq /=.
+    f_equal; auto.
+Qed.
+Lemma subst_env_insert_eq e1 e2 E1 E2 x E1' E2' e1' e2' :
+  closed_env E1 → closed_env E2 →
+  subst_env (delete x E1) e1 = subst_env (delete x E2) e2 →
+  subst_env E1' e1' = subst_env E2' e2' →
+  subst_env (<[x:=Thunk E1' e1']> E1) e1
+  = subst_env (<[x:=Thunk E2' e2']> E2) e2.
+Proof.
+  intros HE1closed HE2closed He' He.
+  rewrite !subst_env_insert //=. by rewrite He' He.
+Qed.
+Lemma interp_closed n E e mv :
+  closed_env E → closed (dom E) e → interp n E e = Res mv →
+  if mv is Some v then closed_val v else True.
+Proof.
+  revert E e mv.
+  induction n; first done; intros E e mv HEclosed Heclosed Hinterp.
+  destruct e.
+  - rewrite interp_S /= in Hinterp. by destruct mv; simplify_res.
+  - rewrite interp_S /= in Hinterp. simplify_option_eq.
+    destruct (E !! x) eqn:Hlookup; simplify_res; try done.
+    apply closed_env_lookup in Hlookup; last assumption.
+    destruct t as [E' e']. apply closed_thunk_eq in Hlookup as [Henv Hexpr].
+    by apply IHn with (E := E') (e := e').
+  - rewrite interp_S /= in Hinterp. simplify_option_eq.
+    destruct mv as [v|]; simplify_res. split_and!.
+    + set_solver.
+    + done.
+  - rewrite interp_S /= in Hinterp. simplify_option_eq.
+    destruct Heclosed as [He1closed He2closed].
+    destruct (interp n E e1) as [[[]|]|] eqn:Einterp; simplify_res; try done.
+    apply IHn in Einterp; try done.
+    simpl in Einterp. destruct Einterp as [Hinterp1 Hinterp2].
+    apply IHn in Hinterp; first done.
+    + rewrite <-insert_delete_insert.
+      apply map_Forall_insert; first apply lookup_delete. split.
+      * by split.
+      * by apply closed_env_delete.
+    + by rewrite dom_insert_L.
+Qed.
+Lemma interp_proper n E1 E2 e1 e2 mv :
+  closed_env E1 → closed_env E2 →
+  closed (dom E1) e1 → closed (dom E2) e2 →
+  subst_env E1 e1 = subst_env E2 e2 →
+  interp n E1 e1 = Res mv →
+  ∃ mw m, interp m E2 e2 = Res mw ∧
+         val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  revert n E2 E1 e1 e2 mv. induction n as [|n IHn]; [done|].
+  intros E2. induction E2 as [E2 IH] using env_ind.
+  intros E1 e1 e2 mv HE1closed HE2closed He1closed He2closed Hsubst Hinterp.
+  destruct (id_or_not e1) as [[x ->]|?].
+  { rewrite interp_S /= in Hinterp.
+    destruct (E1 !! x) as [[E' e']|] eqn:Hx; simplify_eq/=;
+      last by apply not_elem_of_dom in Hx.
+    rewrite subst_env_id Hx in Hsubst.
+    apply closed_env_lookup in Hx; last done.
+    rewrite closed_thunk_eq in Hx.
+    destruct Hx as [HE'close He'closed].
+    eauto. }
+  destruct (id_or_not e2) as [[x ->]|?].
+  { rewrite subst_env_id in Hsubst.
+    destruct (E2 !! x) as [[E' e']|] eqn:Hx; simplify_eq/=.
+    - apply closed_env_lookup in Hx as Hclosed; last done.
+      rewrite closed_thunk_eq in Hclosed.
+      destruct Hclosed as [HE'closed He'closed].
+      rewrite map_Forall_lookup in IH.
+      odestruct (IH _ _ Hx) as (w & m & Hinterp' & Hw);
+        first apply HE1closed; try done.
+      exists w, (S m). by rewrite interp_S /= Hx /=.
+    - destruct mv as [v|].
+      + apply interp_not_id in Hinterp. by rewrite Hsubst in Hinterp.
+      + exists None, 1. by rewrite interp_S /= Hx. }
+  rewrite (subst_env_eq e1) (subst_env_eq e2) in Hsubst.
+  rewrite interp_S in Hinterp. destruct e1, e2; simplify_res; try done.
+  - eexists (Some (VString _)), 1. by rewrite interp_S.
+  - eexists (Some (VClo _ _ _)), 1. split; first by rewrite interp_S.
+    by do 2 f_equal/=.
+  - destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    destruct He1closed as [He1_1closed He1_2closed],
+             He2closed as [He2_1closed He2_2closed].
+    apply interp_closed in Hinterp' as Hclosed; [|done..].
+    eapply IHn with (e2 := e2_1) in Hinterp' as (mw' & m1 & Hinterp1 & ?);
+      try done.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe3 VClo _) eqn:Hclo; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe3 VClo w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_eq/=.
+    eapply IHn with (E2 := <[x0:=Thunk E2 e2_2]> E0) in Hinterp
+      as (w & m2 & Hinterp2 & ?).
+    + exists w, (S (m1 `max` m2)). rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (interp_le Hinterp2) /=; last lia. done.
+    + rewrite -insert_delete_insert.
+      apply map_Forall_insert; first apply lookup_delete.
+      split; first done. apply closed_env_delete. naive_solver.
+    + apply interp_closed in Hinterp1; [|done..].
+      rewrite /closed_val in Hinterp1. destruct Hinterp1 as [??].
+      by apply map_Forall_insert_2.
+    + rewrite dom_insert_L. naive_solver.
+    + rewrite dom_insert_L.
+      apply interp_closed in Hinterp1; [|done..].
+      rewrite /closed_val in Hinterp1. by destruct Hinterp1 as [_ ?].
+    + apply interp_closed in Hinterp1; [|done..].
+      rewrite /closed_val in Hinterp1. destruct Hinterp1 as [? _].
+      apply subst_env_insert_eq; try naive_solver.
+Qed.
+Lemma subst_as_subst_env x e1 e2 :
+  subst {[x:=e2]} e1 = subst_env (<[x:=Thunk ∅ e2]> ∅) e1.
+Proof. rewrite subst_env_insert //= !subst_env_empty //. Qed.
+Lemma interp_subst n x e1 e2 mv :
+  closed {[x]} e1 → closed ∅ e2 →
+  interp n ∅ (subst {[x:=e2]} e1) = Res mv →
+  ∃ mw m, interp m (<[x:=Thunk ∅ e2]> ∅) e1 = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  intros He1 He2.
+  apply interp_proper.
+  - done.
+  - by apply closed_env_insert.
+  - apply subst_closed.
+    + by apply map_Forall_singleton.
+    + by rewrite dom_singleton_L dom_empty_L union_empty_r_L.
+  - by rewrite insert_empty dom_singleton_L.
+  - by rewrite subst_env_empty subst_as_subst_env.
+Qed.
+Lemma closed_step e1 e2 : closed ∅ e1 → e1 --> e2 → closed ∅ e2.
+Proof.
+  intros Hclosed Hstep. revert Hclosed.
+  induction Hstep; intros He1closed.
+  - simplify_eq/=. destruct He1closed.
+    apply subst_closed.
+    + by eapply map_Forall_singleton.
+    + by rewrite dom_singleton_L.
+  - simplify_eq/=. destruct He1closed. auto.
+Qed.
+Lemma closed_steps e1 e2 : closed ∅ e1 → e1 -->* e2 → closed ∅ e2.
+Proof. induction 2; eauto using closed_step. Qed.
+Lemma interp_step e1 e2 n v :
+  closed ∅ e1 →
+  e1 --> e2 →
+  interp n ∅ e2 = Res v →
+  ∃ w m, interp m ∅ e1 = Res w ∧ val_to_expr <$> v = val_to_expr <$> w.
+Proof.
+  intros He1closed Hstep. revert v n He1closed.
+  induction Hstep as [|???? IH]; intros v n He1closed Hinterp.
+  { rewrite /= union_empty_r_L in He1closed.
+    destruct He1closed as [He1closed He2closed].
+    apply interp_subst in Hinterp as (w & [|m] & Hinterp & Hv);
+      simplify_eq/=; [|done..].
+    exists w, (S (S m)). by rewrite !interp_S /= -interp_S. }
+  simpl in He1closed. destruct He1closed as [He1closed He2closed].
+  destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+  destruct (interp n _ _) eqn:Hinterp'; simplify_res.
+  destruct x; simplify_res; last first.
+  { apply IH in Hinterp' as (mw' & m1 & Hinterp1 & ?); simplify_res; last done.
+    destruct mw'; try done. exists None, (S m1).
+    by rewrite interp_S /= Hinterp1. }
+  apply closed_step in Hstep as He1'closed; last done.
+  apply interp_closed in Hinterp' as Hcloclosed;
+    [|done|by rewrite dom_empty_L].
+  apply IH in Hinterp' as ([] & m1 & Hinterp1 & ?); simplify_eq/=; last done.
+  destruct (maybe3 VClo _) eqn:Hclo; simplify_res; last first.
+  { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+    by assert (maybe3 VClo v1 = None) as -> by (by destruct v1, v0). }
+  simplify_option_eq.
+  simpl in Hcloclosed. destruct Hcloclosed as [HEclosed Heclosed].
+  apply interp_closed in Hinterp1 as Hcloclosed;
+    [|done|by rewrite dom_empty_L]. simpl in Hcloclosed.
+  destruct v1; simplify_option_eq.
+  destruct Hcloclosed as [HE0closed He0closed].
+  eapply interp_proper with (E2 := <[x0:=Thunk ∅ e2]> E0) (e2 := e0)
+    in Hinterp as (w & m2 & Hinterp2 & Hv); last apply subst_env_insert_eq.
+  { exists w, (S (m1 `max` m2)). rewrite !interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    by rewrite (interp_le Hinterp2) /=; last lia. }
+  - by apply closed_env_insert.
+  - by apply closed_env_insert.
+  - by rewrite dom_insert_L.
+  - by rewrite dom_insert_L.
+  - done.
+  - done.
+  - done.
+  - done.
+Qed.
+Lemma final_interp e :
+  final e →
+  ∃ w m, interp m ∅ e = mret w ∧ e = val_to_expr w.
+Proof.
+  induction e; inv 1.
+  - eexists (VString _), 1. by rewrite interp_S /=.
+  - eexists (VClo _ _ _), 1. rewrite interp_S /=. split; [done|].
+    by rewrite delete_empty subst_env_empty.
+Qed.
+Lemma red_final_interp e :
+  red step e ∨ final e ∨ ∃ m, interp m ∅ e = mfail.
+Proof.
+  induction e.
+  - (* ENat *) right; left. constructor.
+  - (* EId *) do 2 right. by exists 1.
+  - (* EAbs *) right; left. constructor.
+  - (* EApp *) destruct IHe1 as [[??]|[Hfinal|[m Hinterp]]].
+    + left. by repeat econstructor.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe3 VClo w) eqn:Hw.
+      { destruct w; simplify_eq/=. left. by repeat econstructor. }
+      do 2 right. exists (S m). by rewrite interp_S /= Hinterp /= Hw.
+    + do 2 right. exists (S m). by rewrite interp_S /= Hinterp.
+Qed.
+Lemma interp_complete e1 e2 :
+  closed ∅ e1 →
+  e1 -->* e2 →
+  nf step e2 →
+  ∃ mw m, interp m ∅ e1 = Res mw ∧
+    if mw is Some w then e2 = val_to_expr w else ¬final e2.
+Proof.
+  intros He1 Hsteps Hnf. induction Hsteps as [e|e1 e2 e3 Hstep _ IH].
+  { destruct (red_final_interp e) as [?|[Hfinal|[m Hinterp]]]; [done|..].
+    - apply final_interp in Hfinal as (w & m & ? & ?).
+      by exists (Some w), m.
+    - exists None, m. split; [done|]. intros Hfinal.
+      apply final_interp in Hfinal as (w & m' & ? & _).
+      by assert (mfail = mret w) by eauto using interp_agree. }
+  apply closed_step in Hstep as He2; last assumption.
+  destruct IH as (mw & m & Hinterp & ?); try done.
+  eapply interp_step in Hinterp as (mw' & m' & ? & ?).
+  - destruct mw, mw'; naive_solver.
+  - done.
+  - done.
+Qed.
+Lemma interp_complete_ret e1 e2 :
+  closed ∅ e1 →
+  e1 -->* e2 → final e2 →
+  ∃ w m, interp m ∅ e1 = mret w ∧ e2 = val_to_expr w.
+Proof.
+  intros Hclosed Hsteps Hfinal. apply interp_complete in Hsteps
+    as ([w|] & m & ? & ?); naive_solver eauto using final_nf.
+Qed.
+Lemma interp_complete_fail e1 e2 :
+  closed ∅ e1 →
+  e1 -->* e2 → nf step e2 → ¬final e2 →
+  ∃ m, interp m ∅ e1 = mfail.
+Proof.
+  intros Hclosed Hsteps Hnf Hforce.
+  apply interp_complete in Hsteps as ([w|] & m & ? & ?); simplify_eq/=; try by eauto.
+  destruct Hforce. apply final_val_to_expr.
+Qed.
+Lemma interp_sound_open E e n mv :
+  closed_env E → closed (dom E) e →
+  interp n E e = Res mv →
+  ∃ e', subst_env E e -->* e' ∧
+    if mv is Some v then e' = val_to_expr v else stuck e'.
+Proof.
+  revert E e mv.
+  induction n as [|n IH]; intros E e mv HEclosed Heclosed Hinterp; first done.
+  rewrite subst_env_eq. rewrite interp_S in Hinterp.
+  destruct e; simplify_res.
+  - (* ENat *) by eexists.
+  - (* EId *) destruct (_ !! _) as [[E' e]|] eqn:Hx; simplify_res.
+    + apply closed_env_lookup in Hx as Hxclosed; last done.
+      rewrite closed_thunk_eq in Hxclosed. destruct_and!.
+      apply IH in Hinterp as (e' & Hsteps & He'); naive_solver.
+    + eexists; repeat split; [done| |inv 1]. intros [? Hstep]. inv Hstep.
+  - (* EAbs *) by eexists.
+  - (* EApp *) destruct_and!.
+    destruct (interp _ _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+    apply interp_closed in Hinterp' as Hvclosed; [|done..].
+    apply IH in Hinterp' as (e' & Hsteps & He'); [|done..].
+    destruct mv' as [v'|]; simplify_res; last first.
+    { eexists; repeat split; [by apply SAppL_rtc| |inv 1].
+      intros [e'' Hstep]. destruct He' as [Hnf Hfinal].
+      inv Hstep; [by destruct Hfinal; constructor|]. destruct Hnf. eauto. }
+    destruct (maybe3 VClo v') eqn:?; simplify_res; last first.
+    { eexists; repeat split; [by apply SAppL_rtc| |inv 1].
+      intros [e'' Hstep]. inv Hstep; destruct v'; by repeat inv_step. }
+    destruct v'; simplify_res. destruct_and!.
+    apply IH in Hinterp as (e'' & Hsteps' & He'').
+    + eexists; split; [|done]. etrans; [by apply SAppL_rtc|].
+      eapply rtc_l; first by constructor.
+      rewrite subst_env_insert // in Hsteps'.
+    + by apply closed_env_insert.
+    + by rewrite dom_insert_L.
+Qed.
+Lemma interp_sound n e mv :
+  closed ∅ e →
+  interp n ∅ e = Res mv →
+  ∃ e', e -->* e' ∧ if mv is Some v then e' = val_to_expr v else stuck e'.
+Proof.
+  intros He Hsteps%interp_sound_open; try done.
+  by rewrite subst_env_empty in Hsteps.
+Qed.
+(** Final theorems *)
+Theorem interp_sound_complete_ret e v :
+  closed ∅ e →
+  (∃ w n, interp n ∅ e = mret w ∧ val_to_expr v = val_to_expr w)
+    ↔ e -->* val_to_expr v.
+Proof.
+  split.
+  - by intros (n & w & (e' & ? & ->)%interp_sound & ->).
+  - intros Hsteps. apply interp_complete in Hsteps as ([] & ? & ? & ?);
+      unfold nf, red;
+      naive_solver eauto using final_val_to_expr, step_not_val_to_expr.
+Qed.
+Theorem interp_sound_complete_ret_string e s :
+  closed ∅ e →
+  (∃ n, interp n ∅ e = mret (VString s)) ↔ e -->* EString s.
+Proof.
+  split.
+  - by intros [n (e' & ? & ->)%interp_sound].
+  - intros Hsteps. apply interp_complete_ret in Hsteps as ([] & ? & ? & ?);
+      simplify_eq/=; eauto.
+Qed.
+Theorem interp_sound_complete_fail e :
+  closed ∅ e →
+  (∃ n, interp n ∅ e = mfail) ↔ ∃ e', e -->* e' ∧ stuck e'.
+Proof.
+  split.
+  - by intros [n ?%interp_sound].
+  - intros (e' & Hsteps & Hnf & Hforced). by eapply interp_complete_fail.
+Qed.
+Theorem interp_sound_complete_no_fuel e :
+  closed ∅ e →
+  (∀ n, interp n ∅ e = NoFuel) ↔ all_loop step e.
+Proof.
+  rewrite all_loop_alt. split.
+  - intros Hnofuel e' Hsteps.
+    destruct (red_final_interp e') as [|[|He']]; [done|..].
+    + apply interp_complete_ret in Hsteps as (w & m & Hinterp & _); [|done..].
+      by rewrite Hnofuel in Hinterp.
+    + apply interp_sound_complete_fail in He' as (e'' & ? & [Hnf _]);
+        last by eauto using closed_steps.
+      destruct (interp_complete e e'') as (mv & n & Hinterp & _); [done|by etrans|done|].
+      by rewrite Hnofuel in Hinterp.
+  - intros Hred n. destruct (interp n ∅ e) as [mv|] eqn:Hinterp; [|done].
+    apply interp_sound in Hinterp as (e' & Hsteps%Hred & Hstuck); [|done].
+    destruct mv as [v|]; simplify_eq/=.
+    + apply final_nf in Hsteps as []. apply final_val_to_expr.
+    + by destruct Hstuck as [[] ?].
+Qed.
+End lambda.
diff --git a/theories/lambda/operational.v b/theories/lambda/operational.v
new file mode 100644
index 0000000..b0fa366
--- /dev/null
+++ b/theories/lambda/operational.v
@@ -0,0 +1,38 @@
+From mininix Require Export utils.
+From stdpp Require Import options.
+Module Import lambda.
+Inductive expr :=
+  | EString (s : string)
+  | EId (x : string)
+  | EAbs (x : string) (e : expr)
+  | EApp (e1 e2 : expr).
+Fixpoint subst (ds : gmap string expr) (e : expr) : expr :=
+  match e with
+  | EString s => EString s
+  | EId x => if ds !! x is Some d then d else EId x
+  | EAbs x e => EAbs x (subst (delete x ds) e)
+  | EApp e1 e2 => EApp (subst ds e1) (subst ds e2)
+  end.
+Reserved Infix "-->" (right associativity, at level 55).
+Inductive step : expr → expr → Prop :=
+  | Sβ x e1 e2 : EApp (EAbs x e1) e2 --> subst {[x:=e2]} e1
+  | SAppL e1 e1' e2 : e1 --> e1' → EApp e1 e2 --> EApp e1' e2
+where "e1 --> e2" := (step e1 e2).
+Infix "-->*" := (rtc step) (right associativity, at level 55).
+Definition final (e : expr) : Prop :=
+  match e with
+  | EString _ => True
+  | EAbs _ _ => True
+  | _ => False
+  end.
+Definition stuck (e : expr) : Prop :=
+  nf step e ∧ ¬final e.
+End lambda.
diff --git a/theories/lambda/operational_props.v b/theories/lambda/operational_props.v
new file mode 100644
index 0000000..c331924
--- /dev/null
+++ b/theories/lambda/operational_props.v
@@ -0,0 +1,29 @@
+From mininix Require Export lambda.operational.
+From stdpp Require Import options.
+Module Import lambda.
+Export lambda.
+(** Properties of operational semantics *)
+Lemma step_not_final e1 e2 : e1 --> e2 → ¬final e1.
+Proof. induction 1; inv 1; naive_solver. Qed.
+Lemma final_nf e : final e → nf step e.
+Proof. by intros ? [??%step_not_final]. Qed.
+Lemma SAppL_rtc e1 e1' e2 : e1 -->* e1' → EApp e1 e2 -->* EApp e1' e2.
+Proof. induction 1; repeat (done || econstructor). Qed.
+Ltac inv_step := repeat
+  match goal with H : ?e --> _ |- _ => assert_fails (is_var e); inv H end.
+Lemma step_det e d1 d2 :
+  e --> d1 →
+  e --> d2 →
+  d1 = d2.
+Proof.
+  intros Hred1. revert d2.
+  induction Hred1; intros d2 Hred2; inv Hred2; try by inv_step.
+  f_equal. by apply IHHred1.
+Qed.
+End lambda.
diff --git a/theories/nix/floats.v b/theories/nix/floats.v
new file mode 100644
index 0000000..246e0c3
--- /dev/null
+++ b/theories/nix/floats.v
@@ -0,0 +1,85 @@
+From stdpp Require Import prelude ssreflect.
+From Flocq.IEEE754 Require Import
+  Binary BinarySingleNaN (mode_NE, mode_DN, mode_UP) Bits.
+From stdpp Require Import options.
+Global Arguments B754_zero {_ _}.
+Global Arguments B754_infinity {_ _}.
+Global Arguments B754_nan {_ _}.
+Global Arguments B754_finite {_ _}.
+(** The bit representation of floats is not observable in Nix, and it appears
+that only negative NaNs are ever produced. So we setup the Flocq floats in
+the way that it always produces [-NaN], i.e., [indef_nan]. *)
+Definition float := binary64.
+Variant round_mode := Floor | Ceil | NearestEven.
+Global Instance round_mode_eq_dec : EqDecision round_mode.
+Proof. solve_decision. Defined.
+Module Float.
+  Definition prec : Z := 53.
+  Definition emax : Z := 1024.
+  Lemma Hprec : (0 < 53)%Z.
+  Proof. done. Qed.
+  Lemma Hprec_emax : (53 < 1024)%Z.
+  Proof. done. Qed.
+  Global Instance inhabited : Inhabited float := populate (B754_zero false).
+  Global Instance eq_dec : EqDecision float.
+  Proof.
+    refine (λ f1 f2,
+      match f1, f2 with
+      | B754_zero s1, B754_zero s2 => cast_if (decide (s1 = s2))
+      | B754_infinity s1, B754_infinity s2 => cast_if (decide (s1 = s2))
+      | B754_nan s1 pl1 _, B754_nan s2 pl2 _ =>
+          cast_if_and (decide (s1 = s2)) (decide (pl1 = pl2))
+      | B754_finite s1 m1 e1 _, B754_finite s2 m2 e2 _ =>
+          cast_if_and3 (decide (s1 = s2)) (decide (m1 = m2)) (decide (e1 = e2))
+      | _, _ => right _
+      end); abstract naive_solver (f_equal; apply (proof_irrel _)).
+  Defined.
+  Definition of_Z (x : Z) : float :=
+    binary_normalize prec emax (refl_equal _) (refl_equal _) mode_NE x 0 false.
+  Definition to_Z (f : float) : option Z :=
+    match f with
+    | B754_zero _ => Some 0
+    | B754_finite s m e _ => Some (Zaux.cond_Zopp s (Zpos m) ≪ e)
+    | _ => None
+    end%Z.
+  (** QNaN Floating-Point Indefinite; see Table 4-3. Floating-Point Number and
+  NaN Encodings. *)
+  Definition indef_nan : { f | is_nan prec emax f = true } :=
+    @B754_nan prec emax true (2^51) (refl_equal _) ↾ eq_refl _.
+  Definition to_flocq_round_mode (m : round_mode) : BinarySingleNaN.mode :=
+    match m with Floor => mode_DN | Ceil => mode_UP | NearestEven => mode_NE end.
+  Definition round (m : round_mode) : float → float :=
+    Bnearbyint prec emax (refl_equal _) (λ _, indef_nan) (to_flocq_round_mode m).
+  (* For add: not [mode_DN]; otherwise [+0.0 + -0.0] would yield [-0.0], but
+  [inf / (+0.0 + -0.0)] yields [inf] in C++, so this cannot be the case. *)
+  (* C++ compiles floating point addition to the x86 ADDSD instruction. Looking
+  at the Intel x86 Software Developer's Manual, it seems that the default
+  rounding mode on x86 is Round to Nearest (even); see table 4-8. (In §4.8.4.) *)
+  Definition add : float → float → float :=
+    Bplus _ _ Hprec Hprec_emax (λ _ _, indef_nan) mode_NE.
+  Definition sub : float → float → float :=
+    Bminus _ _ Hprec Hprec_emax (λ _ _, indef_nan) mode_NE.
+  Definition mul : float → float → float :=
+    Bmult _ _ Hprec Hprec_emax (λ _ _, indef_nan) mode_NE.
+  Definition div : float → float → float :=
+    Bdiv _ _ Hprec Hprec_emax (λ _ _, indef_nan) mode_NE.
+  Definition eqb (f1 f2 : float) : bool :=
+    bool_decide (b64_compare f1 f2 = Some Eq).
+  Definition ltb (f1 f2 : float) : bool :=
+    bool_decide (b64_compare f1 f2 = Some Lt).
+End Float.
diff --git a/theories/nix/interp.v b/theories/nix/interp.v
new file mode 100644
index 0000000..bb4e815
--- /dev/null
+++ b/theories/nix/interp.v
@@ -0,0 +1,351 @@
+From Coq Require Import Ascii.
+From mininix Require Export res nix.operational_props.
+From stdpp Require Import options.
+Section val.
+  Local Unset Elimination Schemes.
+  Inductive val :=
+    | VLit (bl : base_lit) (Hbl : base_lit_ok bl)
+    | VClo (x : string) (E : gmap string (kind * thunk)) (e : expr)
+    | VCloMatch (E : gmap string (kind * thunk))
+                (ms : gmap string (option expr))
+                (strict : bool) (e : expr)
+    | VList (ts : list thunk)
+    | VAttr (ts : gmap string thunk)
+  with thunk :=
+    | Forced (v : val) : thunk
+    | Thunk (E : gmap string (kind * thunk)) (e : expr) : thunk
+    | Indirect (x : string)
+               (E : gmap string (kind * thunk))
+               (tαs : gmap string (expr + thunk)).
+End val.
+Notation VLitI bl := (VLit bl I).
+Notation tattr := (expr + thunk)%type.
+Notation env := (gmap string (kind * thunk)).
+Definition maybe_VLit (v : val) : option base_lit :=
+  if v is VLit bl _ then Some bl else None.
+Global Instance maybe_VList : Maybe VList := λ v,
+  if v is VList ts then Some ts else None.
+Global Instance maybe_VAttr : Maybe VAttr := λ v,
+  if v is VAttr ts then Some ts else None.
+Fixpoint interp_eq_list_body (i : nat) (ts1 ts2 : list thunk) : expr :=
+  match ts1, ts2 with
+  | [], [] => ELit (LitBool true)
+  | _ :: ts1, _ :: ts2 =>
+      EIf (EBinOp EqOp (EId' ("1" +:+ pretty i)) (EId' ("2" +:+ pretty i)))
+          (interp_eq_list_body (S i) ts1 ts2) (ELit (LitBool false))
+  | _, _ => ELit (LitBool false)
+  end.
+Definition interp_eq_list (ts1 ts2 : list thunk) : thunk :=
+  Thunk (kmap (λ n : nat, String "1" (pretty n)) ((ABS,.) <$> map_seq 0 ts1) ∪
+         kmap (λ n : nat, String "2" (pretty n)) ((ABS,.) <$> map_seq 0 ts2)) $
+    interp_eq_list_body 0 ts1 ts2.
+Fixpoint interp_lt_list_body (i : nat) (ts1 ts2 : list thunk) : expr :=
+  match ts1, ts2 with
+  | [], _ => ELit (LitBool true)
+  | _ :: ts1, _ :: ts2 =>
+      EIf (EBinOp LtOp (EId' ("1" +:+ pretty i)) (EId' ("2" +:+ pretty i)))
+          (ELit (LitBool true))
+          (EIf (EBinOp EqOp (EId' ("1" +:+ pretty i)) (EId' ("2" +:+ pretty i)))
+            (interp_lt_list_body (S i) ts1 ts2) (ELit (LitBool false)))
+  | _ :: _, [] => ELit (LitBool false)
+  end.
+Definition interp_lt_list (ts1 ts2 : list thunk) : thunk :=
+  Thunk (kmap (λ n : nat, String "1" (pretty n)) ((ABS,.) <$> map_seq 0 ts1) ∪
+         kmap (λ n : nat, String "2" (pretty n)) ((ABS,.) <$> map_seq 0 ts2)) $
+    interp_lt_list_body 0 ts1 ts2.
+Definition interp_eq_attr (ts1 ts2 : gmap string thunk) : thunk :=
+  Thunk (kmap (String "1") ((ABS,.) <$> ts1) ∪
+         kmap (String "2") ((ABS,.) <$> ts2)) $
+    sem_and_attr $ map_imap (λ x _,
+      Some (EBinOp EqOp (EId' ("1" +:+ x)) (EId' ("2" +:+ x)))) ts1.
+Definition interp_eq (v1 v2 : val) : option thunk :=
+  match v1, v2 with
+  | VLit bl1 _, VLit bl2 _ =>
+      Some $ Forced $ VLitI (LitBool $ sem_eq_base_lit bl1 bl2)
+  | VClo _ _ _, VClo _ _ _ => None
+  | VList ts1, VList ts2 => Some $
+      if decide (length ts1 = length ts2) then interp_eq_list ts1 ts2
+      else Forced $ VLitI (LitBool false)
+  | VAttr ts1, VAttr ts2 => Some $
+      if decide (dom ts1 = dom ts2) then interp_eq_attr ts1 ts2
+      else Forced $ VLitI (LitBool false)
+  | _, _ => Some $ Forced $ VLitI (LitBool false)
+  end.
+Definition type_of_val (v : val) : string :=
+  match v with
+  | VLit bl _ => type_of_base_lit bl
+  | VClo _ _ _ | VCloMatch _ _ _ _ => "lambda"
+  | VList _ => "list"
+  | VAttr _ => "set"
+  end.
+Global Instance val_inhabited : Inhabited val := populate (VLitI inhabitant).
+Global Instance thunk_inhabited : Inhabited thunk := populate (Forced inhabitant).
+Definition interp_bin_op (op : bin_op) (v1 : val) : option (val → option thunk) :=
+  if decide (op = EqOp) then
+    Some (interp_eq v1)
+  else if decide (op = TypeOfOp) then
+    Some $ λ v2,
+      guard (maybe_VLit v2 = Some LitNull);;
+      Some $ Forced $ VLitI (LitString $ type_of_val v1)
+  else
+    match v1 with
+    | VLit (LitNum n1) Hn1 =>
+        if maybe RoundOp op is Some m then
+          Some $ λ v2,
+            guard (maybe_VLit v2 = Some LitNull);;
+            Some $ Forced $ VLit
+              (LitNum $ NInt $ float_to_bounded_Z $ Float.round m $ num_to_float n1)
+              (float_to_bounded_Z_ok _)
+        else
+          '(f ↾ Hf) ← option_to_eq_Some (sem_bin_op_num op n1);
+          Some $ λ v2,
+            if v2 is VLit (LitNum n2) Hn2 then
+              '(bl ↾ Hbl) ← option_to_eq_Some (f n2);
+              Some $ Forced $ VLit bl (sem_bin_op_num_ok Hn1 Hn2 Hf Hbl)
+            else None
+    | VLit (LitString s1) _ =>
+        match op with
+        | SingletonAttrOp => Some $ λ v2,
+            guard (maybe_VLit v2 = Some LitNull);;
+            Some $ Forced $ VClo "t" ∅ (EAttr {[ s1 := AttrN (EId' "t") ]})
+        | MatchStringOp => Some $ λ v2,
+            guard (maybe_VLit v2 = Some LitNull);;
+            match s1 with
+            | EmptyString => Some $ Forced $ VAttr {[
+                "empty" := Forced (VLitI (LitBool true));
+                "head" := Forced (VLitI LitNull);
+                "tail" := Forced (VLitI LitNull) ]}
+            | String a s1 => Some $ Forced $ VAttr {[
+                "empty" := Forced (VLitI (LitBool false));
+                "head" := Forced (VLitI (LitString (String a EmptyString)));
+                "tail" := Forced (VLitI (LitString s1)) ]}
+            end
+        | _ =>
+            '(f ↾ Hf) ← option_to_eq_Some (sem_bin_op_string op);
+            Some $ λ v2,
+              bl2 ← maybe_VLit v2;
+              s2 ← maybe LitString bl2;
+              Some $ Forced $ VLit (f s1 s2) (sem_bin_op_string_ok Hf)
+        end
+    | VClo _ _ _ =>
+       match op with
+       | FunctionArgsOp => Some $ λ v2,
+            guard (maybe_VLit v2 = Some LitNull);;
+            Some (Forced (VAttr ∅))
+        | _ => None
+        end
+    | VCloMatch _ ms _ _ =>
+        match op with
+        | FunctionArgsOp => Some $ λ v2,
+            guard (maybe_VLit v2 = Some LitNull);;
+            Some $ Forced $ VAttr $
+              (λ m, Forced $ VLitI (LitBool (from_option (λ _, true) false m))) <$> ms
+        | _ => None
+        end
+    | VList ts1 =>
+        match op with
+        | LtOp => Some $ λ v2,
+            ts2 ← maybe VList v2;
+            Some (interp_lt_list ts1 ts2)
+        | MatchListOp => Some $ λ v2,
+            guard (maybe_VLit v2 = Some LitNull);;
+            match ts1 with
+            | [] => Some $ Forced $ VAttr {[
+                "empty" := Forced (VLitI (LitBool true));
+                "head" := Forced (VLitI LitNull);
+                "tail" := Forced (VLitI LitNull) ]}
+            | t :: ts1 => Some $ Forced $ VAttr {[
+                "empty" := Forced (VLitI (LitBool false));
+                "head" := t;
+                "tail" := Forced (VList ts1) ]}
+            end
+        | AppendListOp => Some $ λ v2,
+            ts2 ← maybe VList v2;
+            Some (Forced (VList (ts1 ++ ts2)))
+        | _ => None
+        end
+    | VAttr ts1 =>
+        match op with
+        | SelectAttrOp => Some $ λ v2,
+            bl ← maybe_VLit v2;
+            x ← maybe LitString bl;
+            ts1 !! x
+        | UpdateAttrOp => Some $ λ v2,
+            ts2 ← maybe VAttr v2;
+            Some $ Forced $ VAttr $ ts2 ∪ ts1
+        | HasAttrOp => Some $ λ v2,
+            bl ← maybe_VLit v2;
+            x ← maybe LitString bl;
+            Some $ Forced $ VLitI (LitBool $ bool_decide (is_Some (ts1 !! x)))
+        | DeleteAttrOp => Some $ λ v2,
+            bl ← maybe_VLit v2;
+            x ← maybe LitString bl;
+            Some $ Forced $ VAttr $ delete x ts1
+        | MatchAttrOp => Some $ λ v2,
+            guard (maybe_VLit v2 = Some LitNull);;
+            match map_minimal_key attr_le ts1 with
+            | None => Some $ Forced $ VAttr {[
+                "empty" := Forced (VLitI (LitBool true));
+                "key" := Forced (VLitI LitNull);
+                "head" := Forced (VLitI LitNull);
+                "tail" := Forced (VLitI LitNull) ]}
+            | Some x => Some $ Forced $ VAttr {[
+                "empty" := Forced (VLitI (LitBool false));
+                "key" := Forced (VLitI (LitString x));
+                "head" := ts1 !!! x;
+                "tail" := Forced (VAttr (delete x ts1)) ]}
+            end
+        | _ => None
+        end
+    | _ => None
+    end.
+Definition interp_match
+    (ts : gmap string thunk) (mds : gmap string (option expr))
+    (strict : bool) : option (gmap string tattr) :=
+  map_mapM id $ merge (λ mt mmd,
+    (* Some (Some _) means keep, Some None means fail, None means skip *)
+    match mt, mmd with
+    | Some t, Some _ => Some $ Some (inr t)
+    | None, Some (Some e) => Some $ Some (inl e)
+    | None, Some _ => Some None (* bad *)
+    | Some _, None => guard strict;; Some None
+    | _, _ => None (* skip *)
+    end) ts mds.
+Definition force_deep1
+    (force_deep : val → res val)
+    (interp_thunk : thunk → res val) (v : val) : res val :=
+  match v with
+  | VList ts => VList ∘ fmap Forced <$>
+      mapM (mbind force_deep ∘ interp_thunk) ts
+  | VAttr ts => VAttr ∘ fmap Forced <$>
+      map_mapM_sorted attr_le (mbind force_deep ∘ interp_thunk) ts
+  | _ => mret v
+  end.
+Definition indirects_env (E : env) (tαs : gmap string tattr) : env :=
+  map_imap (λ y _, Some (ABS, Indirect y E tαs)) tαs ∪ E.
+Definition attr_to_tattr (E : env) (α : attr) : tattr :=
+  from_attr inl (inr ∘ Thunk E) α.
+Definition interp1
+    (force_deep : val → res val)
+    (interp : env → expr → res val)
+    (interp_thunk : thunk → res val)
+    (interp_app : val → thunk → res val)
+    (E : env) (e : expr) : res val :=
+  match e with
+  | ELit bl =>
+      bl_ok ← guard (base_lit_ok bl);
+      mret (VLit bl bl_ok)
+  | EId x mke =>
+      '(_,t) ← Res $ union_kinded (E !! x) (prod_map id (Thunk ∅) <$> mke);
+      interp_thunk t
+  | EAbs x e => mret (VClo x E e)
+  | EAbsMatch ms strict e => mret (VCloMatch E ms strict e)
+  | EApp e1 e2 =>
+      v1 ← interp E e1;
+      interp_app v1 (Thunk E e2)
+  | ESeq μ' e1 e2 =>
+      v ← interp E e1;
+      (if μ' is DEEP then force_deep else mret) v;;
+      interp E e2
+  | EList es => mret (VList (Thunk E <$> es))
+  | EAttr αs =>
+      let E' := indirects_env E (attr_to_tattr E <$> αs) in
+      mret (VAttr (from_attr (Thunk E') (Thunk E) <$> αs))
+  | ELetAttr k e1 e2 =>
+      v1 ← interp E e1;
+      ts ← Res (maybe VAttr v1);
+      interp (union_kinded ((k,.) <$> ts) E) e2
+  | EBinOp op e1 e2 =>
+      v1 ← interp E e1;
+      f ← Res (interp_bin_op op v1);
+      v2 ← interp E e2;
+      t2 ← Res (f v2);
+      interp_thunk t2
+  | EIf e1 e2 e3 =>
+      v1 ← interp E e1;
+      '(b : bool) ← Res (maybe_VLit v1 ≫= maybe LitBool);
+      interp E (if b then e2 else e3)
+  end.
+Definition interp_thunk1
+    (interp : env → expr → res val)
+    (interp_thunk : thunk → res val)
+    (t : thunk) : res val :=
+  match t with
+  | Forced v => mret v
+  | Thunk E e => interp E e
+  | Indirect x E tαs =>
+      tα ← Res $ tαs !! x;
+      match tα with
+      | inl e => interp (indirects_env E tαs) e
+      | inr t => interp_thunk t
+      end
+  end.
+Definition interp_app1
+    (interp : env → expr → res val)
+    (interp_thunk : thunk → res val)
+    (interp_app : val → thunk → res val)
+    (v1 : val) (t2 : thunk) : res val :=
+  match v1 with
+  | VClo x E e =>
+      interp (<[x:=(ABS, t2)]> E) e
+  | VCloMatch E ms strict e =>
+      vt ← interp_thunk t2;
+      ts ← Res (maybe VAttr vt);
+      tαs ← Res $ interp_match ts ms strict;
+      interp (indirects_env E tαs) e
+  | VAttr ts =>
+      t ← Res (ts !! "__functor");
+      vt ← interp_thunk t;
+      v ← interp_app vt (Forced v1);
+      interp_app v t2
+  | _ => mfail
+  end.
+Fixpoint force_deep (n : nat) (v : val) : res val :=
+  match n with
+  | O => NoFuel
+  | S n => force_deep1 (force_deep n) (interp_thunk n) v
+  end
+with interp (n : nat) (E : env) (e : expr) : res val :=
+  match n with
+  | O => NoFuel
+  | S n => interp1 (force_deep n) (interp n) (interp_thunk n) (interp_app n) E e
+  end
+with interp_thunk (n : nat) (t : thunk) : res val :=
+  match n with
+  | O => NoFuel
+  | S n => interp_thunk1 (interp n) (interp_thunk n) t
+  end
+with interp_app (n : nat) (v1 : val) (t2 : thunk) : res val :=
+  match n with
+  | O => NoFuel
+  | S n => interp_app1 (interp n) (interp_thunk n) (interp_app n) v1 t2
+  end.
+Definition force_deep' (n : nat) (μ : mode) : val → res val :=
+  match μ with SHALLOW => mret | DEEP => force_deep n end.
+Definition interp' (n : nat) (μ : mode) (E : env) (e : expr) : res val :=
+  interp n E e ≫= force_deep' n μ.
+Global Opaque force_deep interp interp_thunk interp_app.
diff --git a/theories/nix/interp_proofs.v b/theories/nix/interp_proofs.v
new file mode 100644
index 0000000..5780e48
--- /dev/null
+++ b/theories/nix/interp_proofs.v
@@ -0,0 +1,2690 @@
+From Coq Require Import Ascii.
+From mininix Require Export nix.interp.
+From stdpp Require Import options.
+Lemma force_deep_S n :
+  force_deep (S n) = force_deep1 (force_deep n) (interp_thunk n).
+Proof. done. Qed.
+Lemma interp_S n :
+  interp (S n) = interp1 (force_deep n) (interp n) (interp_thunk n) (interp_app n).
+Proof. done. Qed.
+Lemma interp_thunk_S n :
+  interp_thunk (S n) = interp_thunk1 (interp n) (interp_thunk n).
+Proof. done. Qed.
+Lemma interp_app_S n :
+  interp_app (S n) = interp_app1 (interp n) (interp_thunk n) (interp_app n).
+Proof. done. Qed.
+Lemma interp_shallow' m E e : interp' m SHALLOW E e = interp m E e.
+Proof. rewrite /interp'. by destruct (interp _ _ _) as [[]|]. Qed.
+Lemma interp_lit n E bl (Hbl : base_lit_ok bl) :
+  interp (S n) E (ELit bl) = mret (VLit bl Hbl).
+Proof.
+  rewrite interp_S /=. case_guard; simpl; [|done].
+  do 2 f_equal. apply (proof_irrel _).
+Qed.
+(** Induction *)
+Fixpoint val_size (v : val) : nat :=
+  match v with
+  | VLit _ _ => 1
+  | VClo _ E _ | VCloMatch E _ _ _ => S (map_sum_with (thunk_size ∘ snd) E)
+  | VList ts => S (sum_list_with thunk_size ts)
+  | VAttr ts => S (map_sum_with thunk_size ts)
+  end
+with thunk_size (t : thunk) : nat :=
+  match t with
+  | Forced v => S (val_size v)
+  | Thunk E _ => S (map_sum_with (thunk_size ∘ snd) E)
+  | Indirect _ E tαs => S (map_sum_with (thunk_size ∘ snd) E +
+      map_sum_with (from_sum (λ _, 1) thunk_size) tαs)
+  end.
+Notation env_size := (map_sum_with (thunk_size ∘ snd)).
+Definition from_thunk {A} (f : val → A) (g : env → expr → A)
+    (h : string → env → gmap string tattr → A) (t : thunk) : A :=
+  match t with
+  | Forced v => f v
+  | Thunk E e => g E e
+  | Indirect x E tαs => h x E tαs
+  end.
+Lemma env_val_ind (P : env → Prop) (Q : val → Prop) :
+  (∀ E,
+    map_Forall (λ _, from_thunk Q (λ E _, P E) (λ _ E _, P E) ∘ snd) E → P E) →
+  (∀ b Hbl, Q (VLit b Hbl)) →
+  (∀ x E e, P E → Q (VClo x E e)) →
+  (∀ E ms strict e, P E → Q (VCloMatch E ms strict e)) →
+  (∀ ts, Forall (from_thunk Q (λ E _, P E) (λ _ E _, P E)) ts → Q (VList ts)) →
+  (∀ ts, map_Forall (λ _, from_thunk Q (λ E _, P E) (λ _ E _, P E)) ts → Q (VAttr ts)) →
+  (∀ E, P E) ∧ (∀ v, Q v).
+Proof.
+  intros Penv Qlit Qclo Qmatch Qlist Qattr.
+  cut (∀ n, (∀ E, env_size E < n → P E) ∧ (∀ v, val_size v < n → Q v)).
+  { intros Hhelp; split.
+    - intros E. apply (Hhelp (S (env_size E))); lia.
+    - intros v. apply (Hhelp (S (val_size v))); lia. }
+  intros n. induction n as [|n IH]; [by auto with lia|]. split.
+  - intros E ?. apply Penv, map_Forall_lookup=> y [k ei] Hy.
+    apply (map_sum_with_lookup_le (thunk_size ∘ snd)) in Hy; simpl in *.
+    destruct ei as [v|E' e'|x E' tαs]; simplify_eq/=; try apply IH; eauto with lia.
+  - intros [] ?; simpl in *.
+    + apply Qlit.
+    + apply Qclo, IH. lia.
+    + apply Qmatch, IH. lia.
+    + apply Qlist, Forall_forall=> t Hy.
+      apply (sum_list_with_in _ thunk_size) in Hy.
+      destruct t; simpl in *; try apply IH; lia.
+    + apply Qattr, map_Forall_lookup=> y t Hy.
+      apply (map_sum_with_lookup_le thunk_size) in Hy.
+      destruct t; simpl in *; try apply IH; lia.
+Qed.
+Lemma env_ind (P : env → Prop) :
+  (∀ E,
+    map_Forall (λ i, from_thunk (λ _, True) (λ E _, P E) (λ _ E _, P E) ∘ snd) E →
+    P E) →
+  ∀ E : env, P E.
+Proof. intros. apply (env_val_ind P (λ _, True)); auto. Qed.
+Lemma val_ind (Q : val → Prop) :
+  (∀ bl Hbl, Q (VLit bl Hbl)) →
+  (∀ x E e, Q (VClo x E e)) →
+  (∀ ms strict E e, Q (VCloMatch ms strict E e)) →
+  (∀ ts, Forall (from_thunk Q (λ _ _, True) (λ _ _ _, True)) ts → Q (VList ts)) →
+  (∀ ts,
+    map_Forall (λ _, from_thunk Q (λ _ _, True) (λ _ _ _, True)) ts → Q (VAttr ts)) →
+  (∀ v, Q v).
+Proof. intros. apply (env_val_ind (λ _, True) Q); auto. Qed.
+(** Correspondence to operational semantics *)
+Definition subst_env' (thunk_to_expr : thunk → expr) (E : env) : expr → expr :=
+  subst (prod_map id thunk_to_expr <$> E).
+Definition tattr_to_attr'
+    (thunk_to_expr : thunk → expr) (subst_env : env → expr → expr)
+    (E : env) (α : tattr) : attr :=
+  from_sum (AttrR ∘ subst_env E) (AttrN ∘ thunk_to_expr) α.
+Fixpoint thunk_to_expr (t : thunk) : expr :=
+  match t with
+  | Forced v => val_to_expr v
+  | Thunk E e => subst_env' thunk_to_expr E e
+  | Indirect x E tαs => ESelect
+      (EAttr (tattr_to_attr' thunk_to_expr (subst_env' thunk_to_expr) E <$> tαs)) x
+  end
+with val_to_expr (v : val) : expr :=
+  match v with
+  | VLit bl _ => ELit bl
+  | VClo x E e => EAbs x (subst_env' thunk_to_expr E e)
+  | VCloMatch E ms strict e => EAbsMatch
+      (fmap (M:=option) (subst_env' thunk_to_expr E) <$> ms)
+      strict
+      (subst_env' thunk_to_expr E e)
+  | VList ts => EList (thunk_to_expr <$> ts)
+  | VAttr ts => EAttr (AttrN ∘ thunk_to_expr <$> ts)
+  end.
+Notation subst_env := (subst_env' thunk_to_expr).
+Notation tattr_to_attr := (tattr_to_attr' thunk_to_expr subst_env).
+Notation attr_subst_env E := (attr_map (subst_env E)).
+Lemma subst_env_eq e E :
+  subst_env E e =
+    match e with
+    | ELit n => ELit n
+    | EId x mkd => EId x $
+        union_kinded (prod_map id thunk_to_expr <$> E !! x) mkd
+    | EAbs x e => EAbs x (subst_env E e)
+    | EAbsMatch ms strict e =>
+        EAbsMatch (fmap (M:=option) (subst_env E) <$> ms) strict (subst_env E e)
+    | EApp e1 e2 => EApp (subst_env E e1) (subst_env E e2)
+    | ESeq μ e1 e2 => ESeq μ (subst_env E e1) (subst_env E e2)
+    | EList es => EList (subst_env E <$> es)
+    | EAttr αs => EAttr (attr_subst_env E <$> αs)
+    | ELetAttr k e1 e2 => ELetAttr k (subst_env E e1) (subst_env E e2)
+    | EBinOp op e1 e2 => EBinOp op (subst_env E e1) (subst_env E e2)
+    | EIf e1 e2 e3 => EIf (subst_env E e1) (subst_env E e2) (subst_env E e3)
+    end.
+Proof. rewrite /subst_env. destruct e; by rewrite /= ?lookup_fmap. Qed.
+Lemma subst_env_alt E e : subst_env E e = subst (prod_map id thunk_to_expr <$> E) e.
+Proof. done. Qed.
+(* Use the unfolding lemmas, don't rely on conversion *)
+Opaque subst_env'.
+Lemma subst_env_empty e : subst_env ∅ e = e.
+Proof. rewrite subst_env_alt. apply subst_empty. Qed.
+Lemma final_val_to_expr v : final SHALLOW (val_to_expr v).
+Proof. induction v; simpl; constructor; auto. Qed.
+Local Hint Resolve final_val_to_expr | 0 : core.
+Lemma step_not_val_to_expr v e : val_to_expr v -{SHALLOW}-> e → False.
+Proof. intros []%step_not_final. done. Qed.
+Lemma final_force_deep n t v :
+  force_deep n t = mret v → final DEEP (val_to_expr v).
+Proof.
+  revert t v. induction n as [|n IH]; intros v w; [done|].
+  rewrite force_deep_S /=.
+  intros; destruct v; simplify_res; eauto using final.
+  + destruct (mapM _ _) as [[vs|]|] eqn:Hmap; simplify_res; eauto.
+    constructor. revert vs Hmap.
+    induction ts as [|t ts IHts]; intros; simplify_res; [by constructor|..].
+    destruct (interp_thunk _ _) as [[w|]|]; simplify_res.
+    destruct (force_deep _ _) as [[w'|]|] eqn:?; simplify_res.
+    destruct (mapM _ _) as [[ws|]|]; simplify_res; eauto.
+  + destruct (map_mapM_sorted _ _ _) as [[vs|]|] eqn:Hmap; simplify_res.
+    constructor; [done|].
+    revert vs Hmap. induction ts as [|x t ts ?? IHts]
+      using (map_sorted_ind attr_le); intros ts' Hts.
+    { rewrite map_mapM_sorted_empty in Hts; simplify_res. done. }
+    rewrite map_mapM_sorted_insert //= in Hts.
+    destruct (interp_thunk _ _) as [[w|]|] eqn:?; simplify_res.
+    destruct (force_deep _ _) as [[w'|]|] eqn:?; simplify_res.
+    destruct (map_mapM_sorted _ _ _) as [[ws|]|] eqn:Hmap; simplify_res.
+    rewrite !fmap_insert /=. apply map_Forall_insert_2, IHts; eauto.
+Qed.
+Lemma interp_bin_op_Some_1 op v1 f :
+  interp_bin_op op v1 = Some f →
+  ∃ Φ, sem_bin_op op (val_to_expr v1) Φ.
+Proof.
+  intros Hinterp. unfold interp_bin_op, interp_eq in *.
+  repeat (case_match || simplify_option_eq);
+    eexists; by repeat econstructor; eauto using final.
+Qed.
+Lemma interp_bin_op_Some_2 op v1 Φ :
+  sem_bin_op op (val_to_expr v1) Φ →
+  is_Some (interp_bin_op op v1).
+Proof.
+  unfold interp_bin_op; destruct v1; inv 1;
+    repeat (case_match || simplify_option_eq); eauto.
+  destruct (option_to_eq_Some _) as [[??]|] eqn:Ho; simplify_eq/=; eauto.
+  by rewrite H2 in Ho.
+Qed.
+Lemma interp_eq_list_correct ts1 ts2 :
+  thunk_to_expr (interp_eq_list ts1 ts2) =D=>
+  sem_eq_list (thunk_to_expr <$> ts1) (thunk_to_expr <$> ts2).
+Proof.
+  simpl.
+  remember (kmap (λ n : nat, String "1" (pretty n)) ((ABS,.) <$> map_seq 0 ts1) ∪
+    kmap (λ n : nat, String "2" (pretty n)) ((ABS,.) <$> map_seq 0 ts2))
+    as E eqn:HE.
+  assert (∀ (i : nat) t, ts1 !! i = Some t →
+    E !! String "1" (pretty (i + 0)) = Some (ABS, t)) as Hts1.
+  { intros x t Hxt. rewrite Nat.add_0_r.
+    rewrite HE lookup_union (lookup_kmap _) lookup_fmap.
+    rewrite lookup_map_seq_0 Hxt /= union_Some_l. done. }
+  assert (∀ (i : nat) t, ts2 !! i = Some t →
+    E !! String "2" (pretty (i + 0)) = Some (ABS, t)) as Hts2.
+  { intros x t Hxt. rewrite Nat.add_0_r.
+    rewrite HE lookup_union_r; last by apply (lookup_kmap_None _).
+    rewrite (lookup_kmap _) lookup_fmap lookup_map_seq_0 Hxt /=. done. }
+  clear HE. revert ts2 Hts1 Hts2. generalize 0.
+  induction ts1 as [|t1 ts1 IH]; intros n [|t2 ts2] Hts1 Hts2; csimpl; [done..|].
+  rewrite 4!subst_env_eq /= !(subst_env_eq (ELit _)) /=. rewrite /String.app.
+  rewrite (Hts1 0 t1) // (Hts2 0 t2) //=.
+  constructor; [repeat constructor| |done].
+  apply IH; intros i t; rewrite Nat.add_succ_r;
+    [apply (Hts1 (S i))|apply (Hts2 (S i))].
+Qed.
+Lemma interp_lt_list_correct ts1 ts2 :
+  thunk_to_expr (interp_lt_list ts1 ts2) =D=>
+  sem_lt_list (thunk_to_expr <$> ts1) (thunk_to_expr <$> ts2).
+Proof.
+  simpl.
+  remember (kmap (λ n : nat, String "1" (pretty n)) ((ABS,.) <$> map_seq 0 ts1) ∪
+    kmap (λ n : nat, String "2" (pretty n)) ((ABS,.) <$> map_seq 0 ts2))
+    as E eqn:HE.
+  assert (∀ (i : nat) t, ts1 !! i = Some t →
+    E !! String "1" (pretty (i + 0)) = Some (ABS, t)) as Hts1.
+  { intros x t Hxt. rewrite Nat.add_0_r.
+    rewrite HE lookup_union (lookup_kmap _) lookup_fmap.
+    rewrite lookup_map_seq_0 Hxt /= union_Some_l. done. }
+  assert (∀ (i : nat) t, ts2 !! i = Some t →
+    E !! String "2" (pretty (i + 0)) = Some (ABS, t)) as Hts2.
+  { intros x t Hxt. rewrite Nat.add_0_r.
+    rewrite HE lookup_union_r; last by apply (lookup_kmap_None _).
+    rewrite (lookup_kmap _) lookup_fmap lookup_map_seq_0 Hxt /=. done. }
+  clear HE. revert ts2 Hts1 Hts2. generalize 0.
+  induction ts1 as [|t1 ts1 IH]; intros n [|t2 ts2] Hts1 Hts2; csimpl; [done..|].
+  rewrite 4!subst_env_eq /= !(subst_env_eq (ELit _)) /=. rewrite /String.app.
+  rewrite (Hts1 0 t1) // (Hts2 0 t2) //=.
+  constructor; [repeat constructor..|].
+  rewrite 4!subst_env_eq /= !(subst_env_eq (ELit _)) /=.
+  rewrite (Hts1 0 t1) // (Hts2 0 t2) //=.
+  constructor; [repeat constructor| |done].
+  apply IH; intros i t; rewrite Nat.add_succ_r;
+    [apply (Hts1 (S i))|apply (Hts2 (S i))].
+Qed.
+Lemma interp_eq_attr_correct ts1 ts2 :
+  dom ts1 = dom ts2 →
+  thunk_to_expr (interp_eq_attr ts1 ts2) =D=>
+  sem_eq_attr (AttrN ∘ thunk_to_expr <$> ts1) (AttrN ∘ thunk_to_expr <$> ts2).
+Proof.
+  intros Hdom. simpl.
+  remember (kmap (String "1") ((ABS,.) <$> ts1) ∪
+    kmap (String "2") ((ABS,.) <$> ts2)) as E eqn:HE.
+  assert (map_Forall (λ x t, E !! String "1" x = Some (ABS, t)) ts1) as Hts1.
+  { intros x t Hxt.
+    rewrite HE lookup_union (lookup_kmap (String "1")) lookup_fmap.
+    by rewrite Hxt /= union_Some_l. }
+  assert (map_Forall (λ x t, E !! String "2" x = Some (ABS, t)) ts2) as Hts2.
+  { intros x t Hxt.
+    rewrite HE lookup_union_r; last by apply (lookup_kmap_None _).
+    by rewrite (lookup_kmap (String "2")) lookup_fmap Hxt. }
+  clear HE. revert ts2 Hdom Hts1 Hts2.
+  induction ts1 as [|x t1 ts1 Hts1x IH] using (map_sorted_ind attr_le);
+    intros ts2 Hdom Hts1 Hts2.
+  { apply symmetry, dom_empty_inv_L in Hdom as ->. done. }
+  rewrite dom_insert_L in Hdom.
+  assert (is_Some (ts2 !! x)) as [t2 Hxt2] by (apply elem_of_dom; set_solver).
+  assert (dom ts1 = dom (delete x ts2)).
+  { rewrite dom_delete_L -Hdom. apply not_elem_of_dom in Hts1x. set_solver. }
+  rewrite -(insert_delete ts2 x t2) //. rewrite -(insert_delete ts2 x t2) // in Hts2.
+  apply map_Forall_insert in Hts1 as [Hx1 Hts1]; last done.
+  apply map_Forall_insert in Hts2 as [Hx2 Hts2]; last by rewrite lookup_delete.
+  rewrite /sem_eq_attr !fmap_insert /=. erewrite <-insert_merge by done.
+  rewrite sem_and_attr_insert; first last.
+  { intros y. rewrite lookup_merge !lookup_fmap /is_Some.
+    destruct (ts1 !! y) eqn:? , (delete x ts2 !! y); naive_solver. }
+  { rewrite lookup_merge !lookup_fmap lookup_delete /=. by destruct (ts1 !! x). }
+  rewrite map_imap_insert sem_and_attr_insert; first last.
+  { intros y. rewrite map_lookup_imap /is_Some.
+    destruct (ts1 !! y) eqn:?; naive_solver. }
+  { by rewrite map_lookup_imap Hts1x. }
+  rewrite 4!subst_env_eq /= !(subst_env_eq (ELit _)) /= Hx1 Hx2 /=.
+  constructor; [|apply IHts1; by auto|done]. by do 2 constructor.
+Qed.
+Lemma interp_bin_op_Some_Some_1 op v1 f Φ v2 t3 :
+  interp_bin_op op v1 = Some f →
+  sem_bin_op op (val_to_expr v1) Φ →
+  f v2 = Some t3 →
+  ∃ e3, Φ (val_to_expr v2) e3 ∧ thunk_to_expr t3 =D=> e3.
+Proof.
+  unfold interp_bin_op, interp_eq, type_of_val, type_of_expr;
+    destruct v1, v2; inv 2; intros;
+    repeat match goal with
+    | _ => progress simplify_option_eq
+    | H : _ <$> _ = ∅ |- _ => apply fmap_empty_inv in H
+    | H : context [dom (_ <$> _)] |- _ => rewrite !dom_fmap_L in H
+    | H : context [length (_ <$> _)] |- _ => rewrite !length_fmap in H
+    | _ => case_match
+    | _ => eexists; split; [done|]
+    | _ => by apply interp_eq_list_correct
+    | _ => eexists; split; [|by apply: interp_lt_list_correct]
+    | _ => by apply: interp_eq_attr_correct
+    | _ => eexists; split; [|done]
+    | _ => split; [|done]
+    | _ => rewrite map_fmap_singleton
+    | _ => rewrite fmap_delete
+    | _ => rewrite subst_env_empty
+    | _ => rewrite fmap_app
+    | _ => rewrite lookup_fmap
+    | _ => by constructor
+    end; eauto using final.
+  - apply reflexive_eq. f_equal. apply map_eq=> x.
+    rewrite !lookup_fmap. by destruct (_ !! _) as [[]|].
+  - by destruct (ts !! _).
+  - apply (map_minimal_key_Some _) in H as [[t Hx] ?].
+    split; [done|]. right. eexists s, _; split_and!.
+    + by rewrite lookup_fmap Hx.
+    + intros y. rewrite lookup_fmap fmap_is_Some. auto.
+    + rewrite 3!fmap_insert map_fmap_singleton /=.
+      by rewrite lookup_total_alt Hx fmap_delete.
+  - apply map_minimal_key_None in H as ->. auto.
+  - split; [done|]. by rewrite map_fmap_union.
+Qed.
+Lemma interp_bin_op_Some_Some_2 op v1 f Φ v2 e3 :
+  interp_bin_op op v1 = Some f →
+  sem_bin_op op (val_to_expr v1) Φ →
+  Φ (val_to_expr v2) e3 →
+  ∃ t3, f v2 = Some t3 ∧ thunk_to_expr t3 =D=> e3.
+Proof.
+  unfold interp_bin_op, interp_eq; destruct v1; inv 2; intros;
+    repeat match goal with
+    | H : ∃ _, _ |- _ => destruct H
+    | H : _ ∧ _ |- _ => destruct H
+    | H : _ <$> _ = ∅ |- _ => apply fmap_empty_inv in H
+    | H : context [(_ <$> _) !! _ = _] |- _ => rewrite lookup_fmap in H
+    | H : context [dom (_ <$> _)] |- _ => rewrite !dom_fmap_L in H
+    | H : context [length (_ <$> _)] |- _ => rewrite !length_fmap in H
+    | _ => progress simplify_option_eq
+    | H : val_to_expr ?v2 = _ |- _ => destruct v2
+    | _ => case_match
+    | _ => eexists; split; [|by apply interp_eq_attr_correct]
+    | _ => eexists; split; [|by apply interp_eq_list_correct]
+    | _ => eexists; split; [|by apply interp_lt_list_correct]
+    | _ => eexists; split; [done|]
+    | _ => rewrite map_fmap_singleton
+    | _ => rewrite fmap_delete
+    | _ => rewrite subst_env_empty
+    | _ => rewrite fmap_app
+    | _ => rewrite map_fmap_union
+    end; eauto.
+  - rewrite (option_to_eq_Some_Some _ _ H1) /=. by eexists.
+  - apply reflexive_eq. f_equal. apply map_eq=> x.
+    rewrite !lookup_fmap. by destruct (_ !! _) as [[]|].
+  - rewrite lookup_fmap. by destruct (_ !! _).
+  - destruct H1 as [[Hemp _]|(x & e' & Hx & Hleast & ->)].
+    { by apply fmap_empty_inv in Hemp as ->. }
+    rewrite lookup_fmap fmap_Some in Hx. destruct Hx as (t & Hx & [= ->]).
+    setoid_rewrite lookup_fmap in Hleast. setoid_rewrite fmap_is_Some in Hleast.
+    apply (map_minimal_key_Some _) in H as [??].
+    assert (s = x) as -> by (apply (anti_symm attr_le); naive_solver).
+    rewrite 3!fmap_insert map_fmap_singleton /= fmap_delete.
+    rewrite lookup_total_alt Hx. done.
+  - apply map_minimal_key_None in H as ->. naive_solver.
+Qed.
+Lemma interp_match_subst E ts ms strict :
+  interp_match ts (fmap (M:=option) (subst_env E) <$> ms) strict =
+  fmap (M:=gmap string) (sum_map (subst_env E) id) <$> interp_match ts ms strict.
+Proof.
+  unfold interp_match. set (f mt mme := match mt with _ => _ end).
+  revert ts. induction ms as [|x mt ms Hmsx IH] using map_ind; intros ts.
+  { rewrite fmap_empty merge_empty_r.
+    induction ts as [|x t ts Hmsx IH] using map_ind; [done|].
+    rewrite omap_insert /=. destruct strict; simplify_eq/=.
+    { rewrite map_mapM_insert_option //= lookup_omap Hmsx. done. }
+    rewrite -omap_delete delete_notin //. }
+  destruct (ts !! x) as [t|] eqn:Htsx.
+  { rewrite -(insert_delete ts x t) // fmap_insert.
+    rewrite -!(insert_merge _ _ _ _ (Some (inr t))) //.
+    rewrite !map_mapM_insert_option /=;
+      [|by rewrite lookup_merge lookup_delete ?lookup_fmap Hmsx..].
+    rewrite IH. destruct (map_mapM id _); rewrite /= ?fmap_insert //. }
+  rewrite -(insert_merge_r _ _ _ _ (inl <$> mt)) /=; last first.
+  { rewrite Htsx /=. by destruct mt. }
+  rewrite fmap_insert.
+  rewrite -(insert_merge_r _ _ _ _ (inl <$> (subst_env E <$> mt))) /=; last first.
+  { rewrite Htsx /=. by destruct mt. }
+    rewrite !map_mapM_insert_option /=;
+      [|by rewrite lookup_merge ?lookup_fmap Htsx Hmsx..].
+  rewrite IH. destruct mt, (map_mapM id _); rewrite /= ?fmap_insert //.
+Qed.
+Lemma interp_match_Some_1 ts ms strict tαs :
+  interp_match ts ms strict = Some tαs →
+  matches (thunk_to_expr <$> ts) ms strict (tattr_to_attr ∅ <$> tαs).
+Proof.
+  unfold interp_match. set (f mt mme := match mt with _ => _ end).
+  revert ts tαs.
+  induction ms as [|x mt ms Hmsx IH] using map_ind; intros ts αs Hmatch.
+  { rewrite merge_empty_r in Hmatch. revert αs Hmatch.
+    induction ts as [|x t ts Hmsx IH] using map_ind; intros ts' Hmatch.
+    { rewrite omap_empty map_mapM_empty in Hmatch. injection Hmatch as <-.
+      rewrite !fmap_empty. constructor. }
+    rewrite omap_insert /= in Hmatch. destruct strict; simplify_eq/=.
+    { rewrite map_mapM_insert_option //= in Hmatch. by rewrite lookup_omap Hmsx. }
+    rewrite fmap_insert.
+    rewrite -omap_delete delete_notin // in Hmatch. apply IH in Hmatch.
+    apply matches_strict; rewrite ?lookup_fmap ?Hmsx; eauto. }
+  destruct (ts !! x) as [t|] eqn:Htsx.
+  { rewrite -(insert_delete ts x t) //.
+    rewrite -(insert_delete ts x t) // in Hmatch.
+    rewrite -(insert_merge _ _ _ _ (Some (inr t))) // in Hmatch.
+    rewrite map_mapM_insert_option /= in Hmatch;
+      last (by rewrite lookup_merge lookup_delete Hmsx).
+    destruct (map_mapM id _) as [E''|] eqn:?; simplify_eq/=.
+    injection Hmatch as <-.
+    rewrite !fmap_insert /=. constructor.
+    - by rewrite lookup_fmap lookup_delete.
+    - done.
+    - by apply IH. }
+  rewrite -(insert_merge_r _ _ _ _ (inl <$> mt)) /= in Hmatch; last first.
+  { rewrite Htsx /=. by destruct mt. }
+  rewrite map_mapM_insert_option /= in Hmatch;
+    last (by rewrite lookup_merge Htsx Hmsx).
+  destruct mt as [t|]; simplify_eq/=.
+  destruct (map_mapM id _) as [E''|] eqn:?; simplify_eq/=.
+  injection Hmatch as <-. rewrite !fmap_insert /= subst_env_empty. constructor.
+  - by rewrite lookup_fmap Htsx.
+  - done.
+  - by apply IH.
+Qed.
+Lemma interp_match_Some_2 es ms strict αs :
+  matches es ms strict αs →
+  interp_match (Thunk ∅ <$> es) ms strict = Some (attr_to_tattr ∅ <$> αs).
+Proof.
+  unfold interp_match. set (f mt mme := match mt with _ => _ end).
+  induction 1; [done|..].
+  - rewrite fmap_empty merge_empty_r.
+    induction es as [|x e es ? IH] using map_ind; [done|].
+    rewrite fmap_insert omap_insert /= -omap_delete -fmap_delete delete_notin //.
+  - rewrite !fmap_insert /=.
+    rewrite -(insert_merge _ _ _ _ (Some (inr (Thunk ∅ e)))) //.
+    rewrite map_mapM_insert_option /=; last first.
+    { by rewrite lookup_merge !lookup_fmap H H0. }
+    by rewrite IHmatches.
+  - rewrite !fmap_insert /=.
+    rewrite -(insert_merge_r _ _ _ _ (Some (inl d))) /=; last first.
+    { by rewrite lookup_fmap H. }
+    rewrite map_mapM_insert_option /=; last first.
+    { by rewrite lookup_merge !lookup_fmap H H0. }
+    by rewrite IHmatches /=.
+Qed.
+Lemma force_deep_le {n1 n2 v mv} :
+  force_deep n1 v = Res mv → n1 ≤ n2 → force_deep n2 v = Res mv
+with interp_le {n1 n2 E e mv} :
+  interp n1 E e = Res mv → n1 ≤ n2 → interp n2 E e = Res mv
+with interp_thunk_le {n1 n2 t mvs} :
+  interp_thunk n1 t = Res mvs → n1 ≤ n2 → interp_thunk n2 t = Res mvs
+with interp_app_le {n1 n2 v t mv} :
+  interp_app n1 v t = Res mv → n1 ≤ n2 → interp_app n2 v t = Res mv.
+Proof.
+  - destruct n1 as [|n1], n2 as [|n2]; intros Ht ?; [done || lia..|].
+    rewrite force_deep_S in Ht; rewrite force_deep_S; simpl in *.
+    destruct v as []; simplify_res; try done.
+    + destruct (mapM _ _) as [mvs|] eqn:Hmap; simplify_res.
+      erewrite mapM_Res_impl; [done..|]. intros t mw Hinterp; simpl in *.
+      destruct (interp_thunk n1 _) as [mw'|] eqn:Hinterp'; simplify_res.
+      rewrite (interp_thunk_le _ _ _ _ Hinterp') /=; last lia.
+      destruct mw'; simplify_res; eauto with lia.
+    + destruct (map_mapM_sorted _ _ _) eqn:?; simplify_res.
+      erewrite (map_mapM_sorted_Res_impl attr_le); [done..|].
+      clear dependent ts. intros t mw Hinterp; simpl in *.
+      destruct (interp_thunk n1 _) as [mw'|] eqn:Hinterp'; simplify_res.
+      rewrite (interp_thunk_le _ _ _ _ Hinterp') /=; last lia.
+      destruct mw'; simplify_res; eauto with lia.
+  - destruct n1 as [|n1], n2 as [|n2]; intros He ?; [done || lia..|].
+    rewrite interp_S in He; rewrite interp_S; destruct e;
+      repeat match goal with
+      | _ => case_match
+      | H : context [(_ <$> ?mx)] |- _ => destruct mx eqn:?; simplify_res
+      | H : ?r ≫= _ = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+      | H : _ <$> ?r = _ |- _ => destruct r as [[]|] eqn:?; simplify_res
+      | H : interp ?n' _ _ = Res ?mv |- interp ?n ?E ?e ≫= _ = _ =>
+        rewrite (interp_le n' n E e mv); [|done || lia..]
+      | H : interp_app ?n' _ _ = Res ?mv |- interp_app ?n ?E ?e ≫= _ = _ =>
+        rewrite (interp_app_le n' n E e mv); [|done || lia..]
+      | H : force_deep ?n' _ = Res ?mv |- force_deep ?n ?t ≫= _ = _ =>
+        rewrite (force_deep_le n' n t mv); [|done || lia..]
+      | _ => progress simplify_res
+      | _ => progress simplify_option_eq
+      end; eauto with lia.
+  - destruct n1 as [|n1], n2 as [|n2]; intros He ?; [by (done || lia)..|].
+    rewrite interp_thunk_S in He. rewrite interp_thunk_S.
+    destruct t; repeat (case_match || destruct (_ !! _)
+                        || simplify_res); eauto with lia.
+  - destruct n1 as [|n1], n2 as [|n2]; intros He ?; [by (done || lia)..|].
+    rewrite interp_app_S /= in He; rewrite interp_app_S /=.
+    destruct v; simplify_res; eauto with lia.
+    + destruct (interp_thunk n1 t) as [mw|] eqn:?; simplify_res.
+      erewrite interp_thunk_le by eauto with lia. simpl.
+      destruct mw as [w|]; simplify_res; [|done].
+      destruct (maybe VAttr w) as [ts|]; simplify_res; [|done].
+      destruct (interp_match _ _ _); simplify_res; eauto with lia.
+    + destruct (_ !! "__functor") as [tf|]; simplify_res; [|done].
+      destruct (interp_thunk n1 tf) as [mw|] eqn:?; simplify_res.
+      erewrite interp_thunk_le by eauto with lia. simpl.
+      destruct mw as [w|]; simplify_res; [|done].
+      destruct (interp_app n1 _ _) as [mw|] eqn:?; simplify_res.
+      erewrite interp_app_le by eauto with lia; simpl.
+      destruct mw; simplify_res; eauto with lia.
+Qed.
+Lemma mapM_interp_le {n1 n2 ts mvs} :
+  mapM (mbind (force_deep n1) ∘ interp_thunk n1) ts = Res mvs →
+  n1 ≤ n2 →
+  mapM (mbind (force_deep n2) ∘ interp_thunk n2) ts = Res mvs.
+Proof.
+  intros. eapply mapM_Res_impl; [done|]; simpl; intros t mv ?.
+  destruct (interp_thunk _ _) as [mw|] eqn:Hthunk; simplify_res.
+  rewrite (interp_thunk_le Hthunk) //=.
+  destruct mw; simplify_res; eauto using force_deep_le.
+Qed.
+Lemma map_mapM_interp_le {n1 n2 ts mvs} :
+  map_mapM_sorted attr_le (mbind (force_deep n1) ∘ interp_thunk n1) ts = Res mvs →
+  n1 ≤ n2 →
+  map_mapM_sorted attr_le (mbind (force_deep n2) ∘ interp_thunk n2) ts = Res mvs.
+Proof.
+  intros. eapply (map_mapM_sorted_Res_impl attr_le); [done|]; simpl.
+  intros t mv ?. destruct (interp_thunk _ _) as [mw|] eqn:Hthunk; simplify_res.
+  rewrite (interp_thunk_le Hthunk) //=.
+  destruct mw; simplify_res; eauto using force_deep_le.
+Qed.
+Lemma interp_agree {n1 n2 E e mv1 mv2} :
+  interp n1 E e = Res mv1 → interp n2 E e = Res mv2 → mv1 = mv2.
+Proof.
+  intros He1 He2. apply (inj Res). destruct (total (≤) n1 n2).
+  - rewrite -He2. symmetry. eauto using interp_le.
+  - rewrite -He1. eauto using interp_le.
+Qed.
+Lemma subst_env_union E1 E2 e :
+  subst_env (union_kinded E1 E2) e = subst_env E1 (subst_env E2 e).
+Proof.
+  rewrite !subst_env_alt -subst_union. f_equal. apply map_eq=> x.
+  rewrite lookup_union_with !lookup_fmap lookup_union_with.
+  by repeat destruct (_ !! _) as [[[]]|].
+Qed.
+Lemma union_kinded_union {A} (E1 E2 : gmap string (kind * A)) :
+  map_Forall (λ _ ka, ka.1 = ABS) E1 → union_kinded E1 E2 = E1 ∪ E2.
+Proof.
+  rewrite map_Forall_lookup; intros.
+  apply map_eq=> x. rewrite lookup_union_with lookup_union.
+  destruct (E1 !! x) as [[[] a]|] eqn:?; naive_solver.
+Qed.
+Lemma subst_abs_env_insert E x e t :
+  subst_env (<[x:=(ABS, t)]> E) e
+  = subst {[x:=(ABS, thunk_to_expr t)]} (subst_env E e).
+Proof.
+  assert (<[x:=(ABS, t)]> E =
+    union_kinded {[x:=(ABS, t)]} E) as ->.
+  { apply map_eq=> y. rewrite lookup_union_with.
+    destruct (decide (x = y)) as [->|].
+    - rewrite lookup_insert lookup_singleton /=. by destruct (_ !! _).
+    - rewrite lookup_insert_ne // lookup_singleton_ne //. by destruct (_ !! _). }
+  rewrite subst_env_union subst_env_alt. by rewrite map_fmap_singleton.
+Qed.
+Lemma subst_abs_as_subst_env x e1 e2 :
+  subst {[x:=(ABS, e2)]} e1 = subst_env (<[x:=(ABS, Thunk ∅ e2)]> ∅) e1.
+Proof. rewrite subst_abs_env_insert //= !subst_env_empty //. Qed.
+Lemma subst_env_insert_proper e1 e2 E1 E2 x t1 t2 :
+  subst_env E1 e1 = subst_env E2 e2 →
+  thunk_to_expr t1 = thunk_to_expr t2 →
+  subst_env (<[x:=(ABS, t1)]> E1) e1 = subst_env (<[x:=(ABS, t2)]> E2) e2.
+Proof. rewrite !subst_abs_env_insert //. auto with f_equal. Qed.
+Lemma subst_env_insert_proper' e1 e2 E1 E2 x E1' E2' e1' e2' :
+  subst_env E1 e1 = subst_env E2 e2 →
+  subst_env E1' e1' = subst_env E2' e2' →
+  subst_env (<[x:=(ABS, Thunk E1' e1')]> E1) e1
+  = subst_env (<[x:=(ABS, Thunk E2' e2')]> E2) e2.
+Proof. intros. by apply subst_env_insert_proper. Qed.
+Lemma subst_env_union_fmap_proper k e1 e2 E1 E2 ts1 ts2 :
+  subst_env E1 e1 = subst_env E2 e2 →
+  AttrN ∘ thunk_to_expr <$> ts1 = AttrN ∘ thunk_to_expr <$> ts2 →
+  subst_env (union_kinded ((k,.) <$> ts1) E1) e1
+  = subst_env (union_kinded ((k,.) <$> ts2) E2) e2.
+Proof.
+  intros He Hes. rewrite !subst_env_union; [|by apply env_unionable_with..].
+  rewrite He !subst_env_alt /=. f_equal.
+  apply map_eq=> x. rewrite !lookup_fmap.
+  apply (f_equal (.!! x)) in Hes. rewrite !lookup_fmap in Hes.
+  destruct (ts1 !! x), (ts2 !! x); simplify_eq/=; auto with f_equal.
+Qed.
+Lemma subst_env_fmap_proper k e ts1 ts2 :
+  AttrN ∘ thunk_to_expr <$> ts1 = AttrN ∘ thunk_to_expr <$> ts2 →
+  subst_env ((k,.) <$> ts1) e = subst_env ((k,.) <$> ts2) e.
+Proof.
+  intros. rewrite -(right_id_L ∅ (union_kinded) (_ <$> ts1))
+    -(right_id_L ∅ (union_kinded) (_ <$> ts2)).
+  by apply subst_env_union_fmap_proper.
+Qed.
+Lemma tattr_to_attr_from_attr E (αs : gmap string attr) :
+  tattr_to_attr E <$> (attr_to_tattr E <$> αs) = attr_subst_env E <$> αs.
+Proof.
+  apply map_eq=> x. rewrite /tattr_to_attr !lookup_fmap.
+  destruct (αs !! x) as [[[] ]|] eqn:?; auto.
+Qed.
+Lemma tattr_to_attr_from_attr_empty (αs : gmap string attr) :
+  tattr_to_attr ∅ <$> (attr_to_tattr ∅ <$> αs) = αs.
+Proof.
+  rewrite tattr_to_attr_from_attr. apply map_eq=> x. rewrite !lookup_fmap.
+  destruct (αs !! x) as [[[] ]|] eqn:?; f_equal/=; by rewrite subst_env_empty.
+Qed.
+Lemma indirects_env_proper E1 E2 tαs1 tαs2 e1 e2 :
+  tattr_to_attr E1 <$> tαs1 = tattr_to_attr E2 <$> tαs2 →
+  subst_env E1 e1 = subst_env E2 e2 →
+  subst_env (indirects_env E1 tαs1) e1 = subst_env (indirects_env E2 tαs2) e2.
+Proof.
+  intros Htαs HE. rewrite /indirects_env -!union_kinded_union;
+    [|intros ??; rewrite map_lookup_imap=> ?; by simplify_option_eq..].
+  rewrite !subst_env_union HE !subst_env_alt. f_equal.
+  apply map_eq=> x. rewrite !lookup_fmap !map_lookup_imap.
+  pose proof (f_equal (.!! x) Htαs) as Hx. rewrite !lookup_fmap in Hx.
+  repeat destruct (_ !! x) as [[]|]; simplify_eq/=; auto with f_equal.
+Qed.
+Lemma subst_env_indirects_env E tαs e :
+  subst_env (indirects_env E tαs) e
+  = subst_env (indirects_env ∅ (attr_to_tattr ∅ <$> (tattr_to_attr E <$> tαs)))
+    (subst_env E e).
+Proof.
+  rewrite /indirects_env -!union_kinded_union;
+    [|intros ??; rewrite map_lookup_imap=> ?; by simplify_option_eq..].
+  rewrite !subst_env_union subst_env_empty !subst_env_alt.
+  f_equal. apply map_eq=> x. rewrite !lookup_fmap !map_lookup_imap !lookup_fmap.
+  destruct (_ !! _) as [[]|];
+    do 4 f_equal/=; auto using tattr_to_attr_from_attr_empty.
+Qed.
+Lemma subst_env_indirects_env_attr_to_tattr E αs e :
+  subst_env (indirects_env E (attr_to_tattr E <$> αs)) e
+  = subst (indirects (attr_subst_env E <$> αs)) (subst_env E e).
+Proof.
+  rewrite /indirects_env -!union_kinded_union;
+    [|intros ??; rewrite map_lookup_imap=> ?; by simplify_option_eq..].
+  rewrite subst_env_union !subst_env_alt. f_equal.
+  apply map_eq=> x. rewrite !lookup_fmap !map_lookup_imap !lookup_fmap.
+  repeat destruct (_ !! x) as [[]|]; simplify_eq/=; do 4 f_equal/=.
+  by rewrite tattr_to_attr_from_attr.
+Qed.
+Lemma subst_env_indirects_env_attr_to_tattr_empty αs e :
+  subst_env (indirects_env ∅ (attr_to_tattr ∅ <$> αs)) e =
+  subst (indirects αs) e.
+Proof.
+  rewrite subst_env_indirects_env_attr_to_tattr subst_env_empty. do 3 f_equal.
+  apply map_eq=> x. rewrite !lookup_fmap.
+  destruct (_ !! x) as [[]|]; do 2 f_equal/=; auto using subst_env_empty.
+Qed.
+Lemma interp_val_to_expr E e v :
+  subst_env E e = val_to_expr v →
+  ∃ w m, interp m E e = mret w ∧ val_to_expr v = val_to_expr w.
+Proof.
+  revert v. induction e; intros [];
+    rewrite subst_env_eq; intros; simplify_eq/=.
+  - eexists (VLit _ ltac:(done)), 1. split; [|done]. by rewrite interp_lit.
+  - eexists (VClo _ _ _), 1. rewrite interp_S /=. auto with f_equal.
+  - eexists (VCloMatch _ _ _ _), 1. rewrite interp_S /=. auto with f_equal.
+  - eexists (VList _), 1. rewrite interp_S /=. split; [done|].
+    f_equal. rewrite -H0. clear.
+    induction es; f_equal/=; auto.
+  - eexists (VAttr _), 1. rewrite interp_S /=. split; [done|].
+    assert (no_recs αs) as Hrecs.
+    { intros y α Hy.
+      apply (f_equal (.!! y)) in H0. rewrite !lookup_fmap Hy /= in H0.
+      destruct (ts !! y), α; by simplify_eq/=. }
+    rewrite from_attr_no_recs // -H0.
+    f_equal. apply map_eq=> y.
+    rewrite !lookup_fmap. destruct (αs !! y) as [[]|] eqn:?; do 2 f_equal/=.
+    eauto using no_recs_lookup.
+Qed.
+Lemma interp_val_to_expr_Res m E e v mw :
+  subst_env E e = val_to_expr v →
+  interp m E e = Res mw →
+  Some (val_to_expr v) = val_to_expr <$> mw.
+Proof.
+  intros (mw' & m' & Hinterp' & ->)%interp_val_to_expr Hinterp.
+  by assert (mw = Some mw') as -> by eauto using interp_agree.
+Qed.
+Lemma interp_empty_val_to_expr v :
+  ∃ w m, interp m ∅ (val_to_expr v) = mret w ∧ val_to_expr v = val_to_expr w.
+Proof. apply interp_val_to_expr. by rewrite subst_env_empty. Qed.
+Lemma interp_empty_val_to_expr_Res m v mw :
+  interp m ∅ (val_to_expr v) = Res mw →
+  Some (val_to_expr v) = val_to_expr <$> mw.
+Proof. apply interp_val_to_expr_Res. by rewrite subst_env_empty. Qed.
+Lemma interp_eq_list_proper ts1 ts2 ts1' ts2' :
+  thunk_to_expr <$> ts1 = thunk_to_expr <$> ts1' →
+  thunk_to_expr <$> ts2 = thunk_to_expr <$> ts2' →
+  thunk_to_expr (interp_eq_list ts1 ts2)
+  = thunk_to_expr (interp_eq_list ts1' ts2').
+Proof.
+  intros Hts1 Hts2. rewrite /= !subst_env_alt.
+  f_equal; last first.
+  { revert ts1' ts2 ts2' Hts1 Hts2. generalize 0.
+    induction ts1; intros ? [] [] [] ??; simplify_eq/=; auto with f_equal. }
+  rewrite !map_fmap_union. f_equal; apply map_eq=> y; rewrite !lookup_fmap.
+  - destruct (kmap _ _ !! y) as [[k e]|] eqn:Hy; simplify_eq/=.
+    + apply (lookup_kmap_Some _) in Hy as (y' & -> & Hy).
+      rewrite (lookup_kmap _) lookup_fmap lookup_map_seq_0.
+      rewrite lookup_fmap lookup_map_seq_0 in Hy.
+      apply (f_equal (.!! y')) in Hts1. rewrite !list_lookup_fmap in Hts1.
+      repeat destruct (_ !! _); simplify_eq/=; auto with f_equal.
+    + rewrite lookup_kmap_None in Hy.
+      apply symmetry, fmap_None, (lookup_kmap_None _).
+      intros y' ->. generalize (Hy _ eq_refl).
+      rewrite !lookup_fmap !lookup_map_seq_0.
+      apply (f_equal (.!! y')) in Hts1. rewrite !list_lookup_fmap in Hts1.
+      intros. repeat destruct (_ !! _); by simplify_eq/=.
+  - destruct (kmap _ _ !! y) as [[k e]|] eqn:Hy; simplify_eq/=.
+    + apply (lookup_kmap_Some _) in Hy as (y' & -> & Hy).
+      rewrite (lookup_kmap _) lookup_fmap lookup_map_seq_0.
+      rewrite lookup_fmap lookup_map_seq_0 in Hy.
+      apply (f_equal (.!! y')) in Hts2. rewrite !list_lookup_fmap in Hts2.
+      repeat destruct (_ !! _); simplify_eq/=; auto with f_equal.
+    + rewrite lookup_kmap_None in Hy.
+      apply symmetry, fmap_None, (lookup_kmap_None _).
+      intros y' ->. generalize (Hy _ eq_refl).
+      rewrite !lookup_fmap !lookup_map_seq_0.
+      apply (f_equal (.!! y')) in Hts2. rewrite !list_lookup_fmap in Hts2.
+      intros. repeat destruct (_ !! _); by simplify_eq/=.
+Qed.
+Lemma interp_lt_list_proper ts1 ts2 ts1' ts2' :
+  thunk_to_expr <$> ts1 = thunk_to_expr <$> ts1' →
+  thunk_to_expr <$> ts2 = thunk_to_expr <$> ts2' →
+  thunk_to_expr (interp_lt_list ts1 ts2)
+  = thunk_to_expr (interp_lt_list ts1' ts2').
+Proof.
+  intros Hts1 Hts2. rewrite /= !subst_env_alt.
+  f_equal; last first.
+  { revert ts1' ts2 ts2' Hts1 Hts2. generalize 0.
+    induction ts1; intros ? [] [] [] ??; simplify_eq/=; auto with f_equal. }
+  rewrite !map_fmap_union. f_equal; apply map_eq=> y; rewrite !lookup_fmap.
+  - destruct (kmap _ _ !! y) as [[k e]|] eqn:Hy; simplify_eq/=.
+    + apply (lookup_kmap_Some _) in Hy as (y' & -> & Hy).
+      rewrite (lookup_kmap _) lookup_fmap lookup_map_seq_0.
+      rewrite lookup_fmap lookup_map_seq_0 in Hy.
+      apply (f_equal (.!! y')) in Hts1. rewrite !list_lookup_fmap in Hts1.
+      repeat destruct (_ !! _); simplify_eq/=; auto with f_equal.
+    + rewrite lookup_kmap_None in Hy.
+      apply symmetry, fmap_None, (lookup_kmap_None _).
+      intros y' ->. generalize (Hy _ eq_refl).
+      rewrite !lookup_fmap !lookup_map_seq_0.
+      apply (f_equal (.!! y')) in Hts1. rewrite !list_lookup_fmap in Hts1.
+      intros. repeat destruct (_ !! _); by simplify_eq/=.
+  - destruct (kmap _ _ !! y) as [[k e]|] eqn:Hy; simplify_eq/=.
+    + apply (lookup_kmap_Some _) in Hy as (y' & -> & Hy).
+      rewrite (lookup_kmap _) lookup_fmap lookup_map_seq_0.
+      rewrite lookup_fmap lookup_map_seq_0 in Hy.
+      apply (f_equal (.!! y')) in Hts2. rewrite !list_lookup_fmap in Hts2.
+      repeat destruct (_ !! _); simplify_eq/=; auto with f_equal.
+    + rewrite lookup_kmap_None in Hy.
+      apply symmetry, fmap_None, (lookup_kmap_None _).
+      intros y' ->. generalize (Hy _ eq_refl).
+      rewrite !lookup_fmap !lookup_map_seq_0.
+      apply (f_equal (.!! y')) in Hts2. rewrite !list_lookup_fmap in Hts2.
+      intros. repeat destruct (_ !! _); by simplify_eq/=.
+Qed.
+Lemma interp_eq_attr_proper ts1 ts2 ts1' ts2' :
+  thunk_to_expr <$> ts1 = thunk_to_expr <$> ts1' →
+  thunk_to_expr <$> ts2 = thunk_to_expr <$> ts2' →
+  thunk_to_expr (interp_eq_attr ts1 ts2)
+  = thunk_to_expr (interp_eq_attr ts1' ts2').
+Proof.
+  intros Hts1 Hts2. rewrite /= !subst_env_alt.
+  f_equal; last first.
+  { clear Hts2. f_equal. apply map_eq=> y.
+    rewrite !map_lookup_imap. apply (f_equal (.!! y)) in Hts1.
+    rewrite !lookup_fmap in Hts1. by repeat destruct (_ !! _). }
+  rewrite !map_fmap_union. f_equal; apply map_eq=> y; rewrite !lookup_fmap.
+  - destruct (kmap _ _ !! y) as [[k e]|] eqn:Hy; simplify_eq/=.
+    + apply (lookup_kmap_Some _) in Hy as (y' & -> & Hy).
+      rewrite (lookup_kmap (String "1")) lookup_fmap.
+      rewrite lookup_fmap in Hy.
+      apply (f_equal (.!! y')) in Hts1. rewrite !lookup_fmap in Hts1.
+      repeat destruct (_ !! _); simplify_eq/=; auto with f_equal.
+    + rewrite lookup_kmap_None in Hy.
+      apply symmetry, fmap_None, (lookup_kmap_None _).
+      intros y' ->. generalize (Hy _ eq_refl). rewrite !lookup_fmap.
+      apply (f_equal (.!! y')) in Hts1. rewrite !lookup_fmap in Hts1.
+      intros. repeat destruct (_ !! _); by simplify_eq/=.
+  - destruct (kmap _ _ !! y) as [[k e]|] eqn:Hy; simplify_eq/=.
+    + apply (lookup_kmap_Some _) in Hy as (y' & -> & Hy).
+      rewrite (lookup_kmap (String "2")) lookup_fmap.
+      rewrite lookup_fmap in Hy.
+      apply (f_equal (.!! y')) in Hts2. rewrite !lookup_fmap in Hts2.
+      repeat destruct (_ !! _); simplify_eq/=; auto with f_equal.
+    + rewrite lookup_kmap_None in Hy.
+      apply symmetry, fmap_None, (lookup_kmap_None _).
+      intros y' ->. generalize (Hy _ eq_refl). rewrite !lookup_fmap.
+      apply (f_equal (.!! y')) in Hts2. rewrite !lookup_fmap in Hts2.
+      intros. repeat destruct (_ !! _); by simplify_eq/=.
+Qed.
+Opaque interp_eq_list interp_lt_list interp_eq_attr.
+Lemma interp_bin_op_proper op v1 v2 :
+  val_to_expr v1 = val_to_expr v2 →
+  match interp_bin_op op v1, interp_bin_op op v2 with
+  | None, None => True
+  | Some f1, Some f2 => ∀ v1' v2',
+     val_to_expr v1' = val_to_expr v2' →
+     thunk_to_expr <$> f1 v1' = thunk_to_expr <$> f2 v2'
+  | _, _ => False
+  end.
+Proof.
+  intros. unfold interp_bin_op, interp_eq;
+    repeat (done || case_match || simplify_eq/= || 
+      destruct (option_to_eq_Some _) as [[]|]);
+    intros [] [] ?; simplify_eq/=;
+    repeat match goal with
+    | _ => done
+    | _ => progress simplify_option_eq
+    | _ => rewrite map_fmap_singleton
+    | _ => rewrite map_fmap_union
+    | _ => case_match
+    | |- context[ maybe _ ?x ] => is_var x; destruct x
+    end; auto with congruence.
+  - f_equal. by apply interp_eq_list_proper.
+  - apply (f_equal length) in H, H0. rewrite !length_fmap in H H0. congruence.
+  - apply (f_equal length) in H, H0. rewrite !length_fmap in H H0. congruence.
+  - f_equal. apply interp_eq_attr_proper.
+    + rewrite 2!map_fmap_compose in H. by simplify_eq.
+    + rewrite 2!map_fmap_compose in H0. by simplify_eq.
+  - apply (f_equal dom) in H, H0. rewrite !dom_fmap_L in H H0. congruence.
+  - apply (f_equal dom) in H, H0. rewrite !dom_fmap_L in H H0. congruence.
+  - destruct v1, v2; by simplify_eq/=.
+  - repeat destruct (option_to_eq_Some _) as [[]|]; simplify_eq/=; auto.
+  - do 3 f_equal. apply map_eq=> y. rewrite !lookup_fmap.
+    apply (f_equal (.!! y)) in H. rewrite !lookup_fmap in H.
+    repeat destruct (_ !! _) as [[]|]; naive_solver.
+  - f_equal. by apply interp_lt_list_proper.
+  - rewrite !fmap_insert /=. auto 10 with f_equal.
+  - by rewrite !fmap_app H0 H.
+  - apply (f_equal (.!! s)) in H. rewrite !lookup_fmap in H.
+    repeat destruct (_ !! _); simplify_eq/=; by f_equal.
+  - apply (f_equal (.!! s)) in H. rewrite !lookup_fmap in H.
+    repeat destruct (_ !! _); simplify_eq/=; by f_equal.
+  - rewrite !fmap_delete. congruence.
+  - assert (∀ y, is_Some (ts !! y) ↔ is_Some (ts0 !! y)) as Hx.
+    { intros y. rewrite -!(fmap_is_Some (AttrN ∘ thunk_to_expr)) -!lookup_fmap.
+      by rewrite H. }
+    apply (map_minimal_key_Some _) in H5 as [[t1 Hx1] ?], H8 as [[t2 Hx2] ?].
+    assert (s0 = s) as -> by (apply (anti_symm attr_le); naive_solver).
+    pose proof (f_equal (.!! s) H) as Hs. rewrite !lookup_fmap in Hs.
+    rewrite !fmap_insert !fmap_empty /= !lookup_total_alt Hx1 Hx2 /=.
+    rewrite Hx1 Hx2 /= in Hs. simplify_eq/=. rewrite Hs !fmap_delete H. done.
+  - apply map_minimal_key_None in H8 as ->.
+    rewrite fmap_empty in H. by apply fmap_empty_inv in H as ->.
+  - apply map_minimal_key_None in H5 as ->.
+    rewrite fmap_empty in H. by apply symmetry, fmap_empty_inv in H as ->.
+Qed.
+Lemma interp_match_proper E1 E2 ts1 ts2 ms1 ms2 strict :
+  thunk_to_expr <$> ts1 = thunk_to_expr <$> ts2 →
+  fmap (M:=option) (subst_env E1) <$> ms1 = fmap (subst_env E2) <$> ms2 →
+  fmap (M:=gmap string) (tattr_to_attr E1) <$> interp_match ts1 ms1 strict
+  = fmap (tattr_to_attr E2) <$> interp_match ts2 ms2 strict.
+Proof.
+  revert ms2 ts1 ts2.
+  induction ms1 as [|x m1 ms1 Hmsx IH] using map_ind; intros ms2 ts1 ts2 Hts Hms.
+  { rewrite fmap_empty in Hms. apply symmetry, fmap_empty_inv in Hms as ->.
+    rewrite /interp_match !merge_empty_r. revert ts2 Hts.
+    induction ts1 as [|x t1 ts1 Htsx IH] using map_ind; intros ts2 Hts.
+    { rewrite fmap_empty in Hts. by apply symmetry, fmap_empty_inv in Hts as ->. }
+    rewrite fmap_insert in Hts.
+    apply symmetry, fmap_insert_inv in Hts as (t2&ts2'&?&Htsx2&->&Hts);
+      last by rewrite lookup_fmap Htsx.
+    rewrite !omap_insert /=. destruct strict; simpl;
+      rewrite ?map_mapM_insert_option ?delete_notin //= ?lookup_omap ?Htsx ?Htsx2;
+      auto. }
+  rewrite fmap_insert in Hms.
+  apply symmetry, fmap_insert_inv in Hms as (m2&ms2'&?&Hmsx2&->&Hms);
+    last by rewrite lookup_fmap Hmsx.
+  pose proof (f_equal (.!! x) Hts) as Hx. rewrite !lookup_fmap in Hx.
+  destruct (ts1 !! x) as [t1|] eqn:Hts1x, (ts2 !! x) as [t2|] eqn:Hts2x; simplify_eq/=.
+  - rewrite -(insert_delete ts1 x t1) // -(insert_delete ts2 x t2) //.
+    rewrite /interp_match. erewrite <-!insert_merge by done.
+    rewrite !map_mapM_insert_option ?lookup_merge ?lookup_delete ?Hmsx ?Hmsx2 //=.
+    apply (f_equal (delete x)) in Hts. rewrite -!fmap_delete in Hts.
+    eapply IH in Hms; [|done]. rewrite /interp_match in Hms.
+    repeat destruct (map_mapM id _); simplify_eq/=; [|done..].
+    rewrite !fmap_insert /=. auto with f_equal.
+  - rewrite /interp_match.
+    rewrite -!(insert_merge_r _ ts1 _ _ (inl <$> m1));
+      last (rewrite Hts1x; by destruct m1).
+    rewrite -!(insert_merge_r _ ts2 _ _ (inl <$> m2));
+      last (rewrite Hts2x; by destruct m2).
+    rewrite !map_mapM_insert_option ?lookup_merge ?Hts1x ?Hts2x ?Hmsx ?Hmsx2 //.
+    eapply IH in Hms; [|done]. rewrite /interp_match in Hms.
+    destruct m1, m2; simplify_eq/=; auto.
+    repeat destruct (map_mapM id _); simplify_eq/=; [|done..].
+    rewrite !fmap_insert /=. auto with f_equal.
+Qed.
+Lemma mapM_interp_proper' n ts1 ts2 mvs :
+  (∀ v1 v2 mv,
+    val_to_expr v1 = val_to_expr v2 →
+    force_deep n v1 = Res mv →
+    ∃ mw m, force_deep m v2 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw) →
+  (∀ t1 t2 mv,
+    thunk_to_expr t1 = thunk_to_expr t2 →
+    interp_thunk n t1 = Res mv →
+    ∃ mw m, interp_thunk m t2 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw) →
+  thunk_to_expr <$> ts1 = thunk_to_expr <$> ts2 →
+  mapM (mbind (force_deep n) ∘ interp_thunk n) ts1 = Res mvs →
+  ∃ mws m, mapM (mbind (force_deep m) ∘ interp_thunk m) ts2 = Res mws ∧
+           fmap (M:=list) val_to_expr <$> mvs = fmap (M:=list) val_to_expr <$> mws.
+Proof.
+  intros force_deep_proper interp_thunk_proper Hts.
+  revert mvs. rewrite list_eq_Forall2 Forall2_fmap in Hts.
+  induction Hts as [|t1 t2 ts1 ts2 ?? IH]; intros mvs ?; simplify_res.
+  { by exists (Some []), 0. }
+  destruct (interp_thunk _ _) as [mv|] eqn:Hinterp'; simplify_res.
+  eapply interp_thunk_proper in Hinterp'
+    as (mw & m1 & Hinterp1 & Hw); [|by eauto..].
+  destruct mv as [v|], mw as [w|]; simplify_res; last first.
+  { exists None, m1. by rewrite /= Hinterp1. }
+  destruct (force_deep _ _) as [mv'|] eqn:Hforce; simplify_res.
+  eapply force_deep_proper in Hforce as (mw' & m2 & Hforce2 & Hw'); last done.
+  destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+  { exists None, (m1 `max` m2).
+    rewrite (interp_thunk_le Hinterp1) /=; last lia.
+    rewrite (force_deep_le Hforce2) /=; last lia. done. }
+  destruct (mapM _ _) as [mvs'|] eqn:?; simplify_res.
+  destruct (IH _ eq_refl) as (mws & m3 & Hmap3 & ?).
+  exists ((w' ::.) <$> mws), (S (m1 `max` m2 `max` m3)).
+  rewrite (interp_thunk_le Hinterp1) /=; last lia.
+  rewrite (force_deep_le Hforce2) /=; last lia.
+  rewrite (mapM_interp_le Hmap3) /=; last lia. split; [by destruct mws|].
+  destruct mvs', mws; simplify_res; auto 10 with f_equal.
+Qed.
+Lemma force_deep_proper n v1 v2 mv :
+  val_to_expr v1 = val_to_expr v2 →
+  force_deep n v1 = Res mv →
+  ∃ mw m, force_deep m v2 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw
+with interp_proper n E1 E2 e1 e2 mv :
+  subst_env E1 e1 = subst_env E2 e2 →
+  interp n E1 e1 = Res mv →
+  ∃ mw m, interp m E2 e2 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw
+with interp_thunk_proper n t1 t2 mv :
+  thunk_to_expr t1 = thunk_to_expr t2 →
+  interp_thunk n t1 = Res mv →
+  ∃ mw m, interp_thunk m t2 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw
+with interp_app_proper n v1 v2 t1' t2' mv :
+  val_to_expr v1 = val_to_expr v2 →
+  thunk_to_expr t1' = thunk_to_expr t2' →
+  interp_app n v1 t1' = Res mv →
+  ∃ mw m, interp_app m v2 t2' = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  (* force_deep_proper *)
+  - destruct n as [|n]; [done|].
+    intros Hv Hinterp. rewrite force_deep_S /force_deep1 in Hinterp.
+    destruct v1 as [| | |ts1|ts1], v2 as [| | |ts2|ts2]; simplify_res.
+    { eexists _, 1; split; [by rewrite force_deep_S|]. done. }
+    { eexists _, 1; split; [by rewrite force_deep_S|]. simpl. auto with f_equal. }
+    { eexists _, 1; split; [by rewrite force_deep_S|]. simpl. auto with f_equal. }
+    { destruct (mapM _ _) as [mvs|] eqn:Hmap; simplify_res.
+      eapply mapM_interp_proper' in Hmap as (mws & m & Hmap & Hmvs); [|by eauto..].
+      exists (VList ∘ fmap Forced <$> mws), (S m).
+      rewrite force_deep_S /= Hmap. split; [done|].
+      destruct mvs, mws; simplify_eq/=; do 2 f_equal.
+      rewrite list_eq_Forall2 Forall2_fmap in Hmvs.
+      by rewrite list_eq_Forall2 !Forall2_fmap. }
+    destruct (map_mapM_sorted _ _ _) as [mvs|] eqn:Hmap; simplify_res.
+    assert (∃ mws m,
+      map_mapM_sorted attr_le
+        (mbind (force_deep m) ∘ interp_thunk m) ts2 = Res mws ∧
+      fmap (M:=gmap _) val_to_expr <$> mvs = fmap (M:=gmap _) val_to_expr <$> mws)
+      as (mws & m & Hmap' & Hmvs); last first.
+    { exists (VAttr ∘ fmap Forced <$> mws), (S m).
+      rewrite force_deep_S /= Hmap'. split; [done|].
+      destruct mvs, mws; simplify_eq/=; do 2 f_equal.
+      apply map_eq=> x. rewrite !lookup_fmap.
+      apply (f_equal (.!! x)) in Hmvs. rewrite !lookup_fmap in Hmvs.
+      repeat destruct (_ !! x); simplify_res; auto with f_equal. }
+    revert ts2 mvs Hmap Hv. induction ts1 as [|x t1 ts1 Hx1 ? IH]
+      using (map_sorted_ind attr_le); intros ts2' mvs Hmap Hts.
+    { exists (Some ∅), 0. rewrite fmap_empty in Hts.
+      apply symmetry, fmap_empty_inv in Hts as ->.
+      rewrite map_mapM_sorted_empty in Hmap; simplify_res.
+      by rewrite map_mapM_sorted_empty. }
+    rewrite map_mapM_sorted_insert //= in Hmap. rewrite fmap_insert in Hts.
+    apply symmetry, fmap_insert_inv in Hts as (t2 & ts2 & Ht & ? & -> & Hts);
+      simplify_eq/=; last by rewrite lookup_fmap Hx1.
+    assert (∀ j, is_Some (ts2 !! j) → attr_le x j).
+    { intros j. rewrite -(fmap_is_Some (AttrN ∘ thunk_to_expr)).
+      rewrite -lookup_fmap -Hts lookup_fmap fmap_is_Some. auto. }
+    destruct (interp_thunk _ _) as [mv|] eqn:Hinterp'; simplify_res.
+    eapply interp_thunk_proper in Hinterp'
+      as (mw & m1 & Hinterp1 & Hw); [|by eauto..].
+    destruct mv as [v|], mw as [w|]; simplify_res; last first.
+    { exists None, m1. by rewrite map_mapM_sorted_insert //= Hinterp1. }
+    destruct (force_deep _ _) as [mv'|] eqn:Hforce; simplify_res.
+    eapply force_deep_proper in Hforce as (mw' & m2 & Hforce2 & Hw'); last done.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (m1 `max` m2). rewrite map_mapM_sorted_insert //=.
+      rewrite (interp_thunk_le Hinterp1) /=; last lia.
+      rewrite (force_deep_le Hforce2) /=; last lia. done. }
+    destruct (map_mapM_sorted _ _ _) as [mvs'|] eqn:?; simplify_res.
+    eapply IH in Hts as (mws & m3 & Hmap3 & ?); last done.
+    exists (<[x:=w']> <$> mws), (S (m1 `max` m2 `max` m3)).
+    rewrite map_mapM_sorted_insert //=.
+    rewrite (interp_thunk_le Hinterp1) /=; last lia.
+    rewrite (force_deep_le Hforce2) /=; last lia.
+    rewrite (map_mapM_interp_le Hmap3) /=; last lia.
+    destruct mvs' as [vs'|], mws as [ws'|]; simplify_res; last done.
+    split; [done|]. rewrite !fmap_insert. auto 10 with f_equal.
+  (* interp_proper *)
+  - destruct n as [|n]; [done|]. intros Hsubst Hinterp.
+    rewrite 2!subst_env_eq in Hsubst.
+    rewrite interp_S in Hinterp. destruct e1, e2; simplify_res; try done.
+    + (* ELit *)
+      case_guard; simplify_res.
+      * eexists (Some (VLit _ ltac:(done))), 1. by rewrite interp_lit.
+      * exists None, 1. split; [|done]. rewrite interp_S /=. by case_guard.
+    + (* EId *)
+      assert (∀ (mke : option (kind * expr)) (E : env) x,
+        prod_map id thunk_to_expr <$>
+          union_kinded (E !! x) (prod_map id (Thunk ∅) <$> mke)
+        = union_kinded (prod_map id thunk_to_expr <$> E !! x) mke) as HE.
+      { intros mke' E x. destruct (E !! _) as [[[] ?]|], mke' as [[[] ?]|];
+          simplify_eq/=; rewrite ?subst_env_empty //. }
+      rewrite -!HE {HE} in H.
+      destruct (union_kinded (E1 !! _) _) as [[k1 t1]|],
+        (union_kinded (E2 !! _) _) as [[k2 t2]|] eqn:HE2; simplify_res; last first.
+      { exists None, (S n). rewrite interp_S /=. by rewrite HE2. }
+      eapply interp_thunk_proper
+        in Hinterp as (mw & m & Hinterp & ?); [|by eauto..].
+      exists mw, (S (n `max` m)). split; [|done]. rewrite interp_S /= HE2 /=.
+      eauto using interp_thunk_le with lia.
+    + (* EAbs *) eexists (Some (VClo _ _ _)), 1; split; [by rewrite interp_S|].
+      simpl. auto with f_equal.
+    + (* EAbsMatch *)
+      eexists (Some (VCloMatch _ _ _ _)), 1; split; [by rewrite interp_S|].
+      simpl. auto with f_equal.
+    + (* EApp *)
+      destruct (interp n _ e1_1) as [mv1|] eqn:Hinterp'; simplify_eq/=.
+      eapply interp_proper in Hinterp' as (mw1 & m1 & Hinterp1 & ?); last done.
+      destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+      { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+      destruct (interp_app n _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+      eapply (interp_app_proper _ _ _ _ (Thunk _ _)) in Hinterp'
+        as (mw & m2 & Hinterp2 & ?); [|done..].
+      exists mw, (S (m1 `max` m2)). rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (interp_app_le Hinterp2) /=; last lia. done.
+    + (* ESeq *)
+      destruct (interp n _ e1_1) as [mv1|] eqn:Hinterp'; simplify_eq/=.
+      eapply interp_proper in Hinterp' as (mw1 & m1 & Hinterp1 & ?); last done.
+      destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+      { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+      destruct μ0; simplify_res.
+      { eapply interp_proper in Hinterp as (w2 & m2 & Hinterp2 & ?); last done.
+        exists w2, (S (m1 `max` m2)). rewrite interp_S /=.
+        rewrite (interp_le Hinterp1) /=; last lia.
+        rewrite (interp_le Hinterp2) /=; last lia. done. }
+      destruct (force_deep _ _) as [mv'|] eqn:Hforce; simplify_res.
+      eapply force_deep_proper in Hforce as (mw' & m2 & Hforce & ?); last done.
+      destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+      { exists None, (S (m1 `max` m2)). rewrite interp_S /=.
+        rewrite (interp_le Hinterp1) /=; last lia.
+        rewrite (force_deep_le Hforce) /=; last lia. done. }
+      eapply interp_proper in Hinterp as (w2 & m3 & Hinterp3 & ?); last done.
+      exists w2, (S (m1 `max` m2 `max` m3)). rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (force_deep_le Hforce) /=; last lia.
+      rewrite (interp_le Hinterp3) /=; last lia. done.
+    + (* EList *)
+      eexists (Some (VList _)), 1; rewrite interp_S /=; split; [done|].
+      do 2 f_equal. revert es0 Hsubst.
+      induction es; intros [] ?; simplify_eq/=; f_equal/=; auto.
+    + (* EAttr *)
+      eexists (Some (VAttr _)), 1; rewrite interp_S /=; split; [done|].
+      do 2 f_equal. apply map_eq=> x. rewrite !lookup_fmap.
+      pose proof (f_equal (.!! x) Hsubst) as Hx. rewrite !lookup_fmap in Hx.
+      destruct (αs !! x) as [[[]]|], (αs0 !! x) as [[[]]|];
+        simplify_eq/=; do 2 f_equal; auto.
+      apply indirects_env_proper, Hx. by rewrite !tattr_to_attr_from_attr.
+    + (* ELetAttr *)
+      destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_eq/=.
+      eapply interp_proper in Hinterp' as (mw' & m1 & Hinterp1 & ?); last done.
+      destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+      { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+      destruct (maybe VAttr _) eqn:Hattr; simplify_res; last first.
+      { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+        by assert (maybe VAttr w' = None) as -> by (by destruct v', w'). }
+      destruct v', w'; simplify_res.
+      eapply interp_proper in Hinterp as (mw & m2 & Hinterp2 & ?);
+        [|by apply subst_env_union_fmap_proper].
+      exists mw, (S (m1 `max` m2)). rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (interp_le Hinterp2) /=; last lia. done.
+    + (* EBinOp *)
+      destruct (interp n _ e1_1) as [mv1|] eqn:Hinterp1; simplify_res.
+      eapply interp_proper in Hinterp1 as (mw1 & m1 & Hinterp1 & Hw1); last done.
+      destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+      { exists None. exists (S m1). by rewrite interp_S /= Hinterp1. }
+      apply (interp_bin_op_proper op0) in Hw1.
+      destruct (interp_bin_op _ v1) as [f|] eqn:Hop1,
+        (interp_bin_op _ w1) as [g|] eqn:Hop2; simplify_res; try done; last first.
+      { exists None. exists (S m1). by rewrite interp_S /= Hinterp1 /= Hop2. }
+      destruct (interp n _ e1_2) as [mv2|] eqn:Hinterp2; simplify_res.
+      eapply interp_proper in Hinterp2 as (mw2 & m2 & Hinterp2 & Hw2); last done.
+      destruct mv2 as [v2|], mw2 as [w2|]; simplify_res; last first.
+      { exists None. exists (S (m1 `max` m2)). rewrite interp_S /=.
+        rewrite (interp_le Hinterp1) /=; last lia.
+        rewrite Hop2 /= (interp_le Hinterp2) /=; last lia. done. }
+      apply Hw1 in Hw2.
+      destruct (f v2) as [t|] eqn:Hf,
+        (g w2) as [t'|] eqn:Hg; simplify_res; last first.
+      { exists None. exists (S (m1 `max` m2)). rewrite interp_S /=.
+        rewrite (interp_le Hinterp1) /=; last lia.
+        rewrite Hop2 /= (interp_le Hinterp2) /=; last lia. by rewrite Hg. }
+      eapply interp_thunk_proper in Hinterp
+        as (mw & m3 & Hforce3 & Hw); [|by eauto..].
+      exists mw, (S (m1 `max` m2 `max` m3)). rewrite interp_S /=. split; [|done].
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite Hop2 /= (interp_le Hinterp2) /=; last lia.
+      rewrite Hg /=. eauto using interp_thunk_le with lia.
+    + (* EIf *)
+      destruct (interp n _ e1_1) as [mv1|] eqn:Hinterp1; simplify_res.
+      eapply interp_proper in Hinterp1 as (mw1 & m1 & Hinterp1 & Hw1); last done.
+      destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+      { exists None. exists (S m1). by rewrite interp_S /= Hinterp1. }
+      destruct (maybe_VLit _ ≫= maybe LitBool) as [b|] eqn:Hbool;
+        simplify_res; last first.
+      { exists None. exists (S m1). rewrite interp_S /= Hinterp1 /=.
+        destruct v1, w1; repeat destruct select base_lit; naive_solver. }
+      eapply (interp_proper _ _ _ _ (if b then _ else _)) in Hinterp
+        as (mw & m2 & Hinterp & Hw); last by destruct b.
+      exists mw, (S (m1 `max` m2)). split; [|done]. rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      assert (maybe_VLit w1 ≫= maybe LitBool = Some b) as ->.
+      { destruct v1, w1; repeat destruct select base_lit; naive_solver. }
+      rewrite /=. eauto using interp_le with lia.
+  (* interp_thunk_proper *)
+  - destruct n as [|n]; [done|].
+    intros Ht Hinterp. rewrite interp_thunk_S in Hinterp.
+    destruct t1 as [v1|E1 e1|x1 E1 tαs1], t2 as [v2|E2 e2|x2 E2 tαs2]; simplify_res.
+    + exists (Some v2), 1. rewrite interp_thunk_S /=. auto with f_equal.
+    + destruct (interp_val_to_expr E2 e2 v1) as (w & m & ? & ?); first done.
+      exists (Some w), (S m); simpl; auto with f_equal.
+    + by destruct v1.
+    + exists (Some v2), 1; split; [done|]; simpl.
+      symmetry. eauto using interp_val_to_expr_Res.
+    + eapply interp_proper in Hinterp as (mw & m & ? & ?); eauto.
+      exists mw, (S m). eauto.
+    + assert (∃ αs1, e1 = ESelect (EAttr αs1) x2 ∧
+        attr_subst_env E1 <$> αs1 = tattr_to_attr E2 <$> tαs2) as (αs1 & -> & Hαs).
+      { repeat match goal with
+        | H : subst_env _ ?e = _ |- _ =>
+            rewrite subst_env_eq in H; destruct e; simplify_eq; []
+        end; eauto. }
+      clear Ht. destruct n as [|n]; [done|].
+      rewrite !interp_S /= in Hinterp.
+      (* without [in Hinterp at 2 3] the termination checker loops *)
+      destruct n as [|n'] in Hinterp at 2 3; [done|].
+      rewrite !interp_S /= lookup_fmap in Hinterp.
+      pose proof (f_equal (.!! x2) Hαs) as Hx. rewrite !lookup_fmap in Hx.
+      destruct (αs1 !! x2) as [[[] e1]|],
+        (tαs2 !! x2) as [[e2|t2]|] eqn:Hx2; simplify_res.
+      * rewrite -tattr_to_attr_from_attr in Hαs.
+        destruct n as [|n]; [done|]. rewrite interp_thunk_S in Hinterp.
+        eapply interp_proper in Hinterp as (mw & m & Hinterp & ?);
+          last by apply indirects_env_proper.
+        exists mw, (S m). by rewrite interp_thunk_S /= Hx2.
+      * eapply interp_thunk_proper in Hinterp
+          as (mw & m & Hinterp & ?); last done.
+        exists mw, (S m). rewrite interp_thunk_S /= Hx2. done.
+      * exists None, (S n). by rewrite interp_thunk_S /= Hx2.
+    + by destruct v2.
+    + assert (∃ αs2, e2 = ESelect (EAttr αs2) x1 ∧
+        attr_subst_env E2 <$> αs2 = tattr_to_attr E1 <$> tαs1) as (αs2 & -> & Hαs).
+      { repeat match goal with
+        | H : _ = subst_env _ ?e |- _ =>
+            rewrite subst_env_eq in H; destruct e; simplify_eq; []
+        end; eauto. }
+      clear Ht.
+      pose proof (f_equal (.!! x1) Hαs) as Hx. rewrite !lookup_fmap in Hx.
+      destruct (tαs1 !! x1) as [[e1|t1]|],
+        (αs2 !! x1) as [[[] e2]|] eqn:Hx2; simplify_res.
+      * rewrite -tattr_to_attr_from_attr in Hαs.
+        eapply interp_proper in Hinterp as (mw & m & Hinterp & ?);
+          last by apply indirects_env_proper.
+        exists mw, (S (S (S m))). rewrite interp_thunk_S /= !interp_S /=.
+        rewrite lookup_fmap Hx2 /= interp_thunk_S /=. done.
+      * apply (interp_thunk_proper _ _ (Thunk E2 e2))
+          in Hinterp as (mw & m & Hinterp & ?); last done.
+        destruct m as [|m]; [done|].
+        exists mw, (S (S (S m))). rewrite interp_thunk_S /= !interp_S /=.
+        rewrite lookup_fmap Hx2 /= interp_thunk_S /=. done.
+      * exists None, (S (S (S n))). rewrite interp_thunk_S /= !interp_S /=.
+        rewrite lookup_fmap Hx2 /=. done.
+    + pose proof (f_equal (.!! x2) Ht) as Hx. rewrite !lookup_fmap in Hx.
+      destruct (tαs1 !! x2) as [[e1|t1]|] eqn:Hx1,
+        (tαs2 !! _) as [[e2|t2]|] eqn:Hx2; simplify_res.
+      * eapply interp_proper in Hinterp
+          as (mw & m & Hinterp & ?); [|by apply indirects_env_proper].
+        exists mw, (S m). rewrite interp_thunk_S /= Hx2. done. 
+      * eapply interp_thunk_proper in Hinterp as (mw & m & Hinterp & ?); [|done].
+        exists mw, (S m). rewrite interp_thunk_S /= Hx2. done.
+      * exists None, 1. by rewrite interp_thunk_S /= Hx2.
+  (* interp_app_proper *)
+  - destruct n as [|n]; [done|].
+    intros Hv Ht Hinterp. rewrite interp_app_S /= in Hinterp.
+    destruct v1, v2; simplify_res.
+    + (* VLit *) by eexists None, 1.
+    + (* VClo *)
+      eapply interp_proper in Hinterp as (mw & m & Hinterp' & ?);
+        last by eapply subst_env_insert_proper.
+      eexists _, (S m). rewrite interp_app_S /= Hinterp'. done.
+    + (* VCloMatch *)
+      destruct (interp_thunk n t1') as [mv1|] eqn:Hthunk; simplify_res.
+      eapply interp_thunk_proper in Hthunk as (mw1 & m1 & Hthunk & Hw); [|by eauto..].
+      destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+      { exists None, (S m1). split; [|done].
+        rewrite interp_app_S /= Hthunk /=. done. }
+      destruct (maybe VAttr v1) as [ts1|] eqn:?; simplify_res; last first.
+      { exists None, (S m1). split; [|done].
+        rewrite interp_app_S /= Hthunk /=. destruct v1, w1; naive_solver. }
+      destruct v1, w1; simplify_eq/=.
+      rewrite 2!map_fmap_compose in Hw. apply (inj _) in Hw.
+      eapply (interp_match_proper _ _ _ _ _ _ strict0) in Hw; last done.
+      destruct (interp_match ts1 _ _) as [tαs1|] eqn:Hmatch1,
+        (interp_match ts0 _ _) as [tαs2|] eqn:Hmatch2;
+        simplify_res; try done; last first.
+      { exists None, (S m1). split; [|done].
+        rewrite interp_app_S /= Hthunk /= Hmatch2. done. }
+      eapply interp_proper in Hinterp as (mw & m2 & Hinterp & ?); last first.
+      { by apply indirects_env_proper. }
+      exists mw, (S (m1 `max` m2)). split; [|done].
+      rewrite interp_app_S /=.
+      rewrite (interp_thunk_le Hthunk) /=; last lia.
+      rewrite Hmatch2 /=. eauto using interp_le with lia.
+    + (* VList *) by eexists None, 1.
+    + (* VAttr *)
+      pose proof (f_equal (.!! "__functor") Hv) as Htf.
+      rewrite !lookup_fmap /= in Htf.
+      destruct (ts !! _) as [e|] eqn:Hfunc, (ts0 !! _) as [e'|] eqn:Hfunc';
+        simplify_res; last first.
+      { exists None, 1. by rewrite interp_app_S /= Hfunc'. }
+      destruct (interp_thunk _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+      eapply interp_thunk_proper in Hinterp'
+        as (mw' & m1 & Hinterp1 & Hw'); [|by eauto..].
+      destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+      { exists None, (S m1). by rewrite interp_app_S /= Hfunc' /= Hinterp1. }
+      destruct (interp_app _ _ _) as [mv'|] eqn:Happ; simplify_res.
+      eapply (interp_app_proper _ _ _ _ (Forced (VAttr _))) in Happ
+        as (mw' & m2 & Happ2 & ?); [|done|by rewrite /= Hv].
+      destruct mv', mw'; simplify_res; last first.
+      { exists None, (S (m1 `max` m2)). rewrite interp_app_S /= Hfunc' /=.
+        rewrite (interp_thunk_le Hinterp1) /=; last lia.
+        rewrite (interp_app_le Happ2) /=; last lia. done. }
+      eapply interp_app_proper in Hinterp as (mw' & m3 & Happ3 & ?); [|done..].
+      exists mw', (S (m1 `max` m2 `max` m3)). rewrite interp_app_S /= Hfunc' /=.
+      rewrite (interp_thunk_le Hinterp1) /=; last lia.
+      rewrite (interp_app_le Happ2) /=; last lia.
+      rewrite (interp_app_le Happ3) /=; last lia. done.
+Qed.
+Lemma mapM_interp_proper n ts1 ts2 mvs :
+  thunk_to_expr <$> ts1 = thunk_to_expr <$> ts2 →
+  mapM (mbind (force_deep n) ∘ interp_thunk n) ts1 = Res mvs →
+  ∃ mws m, mapM (mbind (force_deep m) ∘ interp_thunk m) ts2 = Res mws ∧
+           fmap (M:=list) val_to_expr <$> mvs = fmap (M:=list) val_to_expr <$> mws.
+Proof. eauto using mapM_interp_proper', force_deep_proper, interp_thunk_proper. Qed.
+Lemma interp_thunk_as_interp n t mv :
+  interp_thunk n t = Res mv →
+  ∃ mw m, interp m ∅ (thunk_to_expr t) = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  revert t mv. induction n as [|n IH]; intros t mv Hinterp; [done|].
+  rewrite interp_thunk_S in Hinterp. destruct t as [v|E e|x E tαs]; simplify_res.
+  { destruct (interp_empty_val_to_expr v) as (w & m & Hinterp & ?).
+    exists (Some w), m; simpl; auto using f_equal. }
+  { eapply interp_proper, Hinterp. by rewrite subst_env_empty. }
+  destruct (tαs !! x) as [[e|t]|] eqn:Hx; simplify_res.
+  - eapply interp_proper in Hinterp as (mw & m & Hinterp & ?);
+      last apply subst_env_indirects_env.
+    exists mw, (S (S m)). rewrite !interp_S /=.
+    rewrite !lookup_fmap Hx /= interp_thunk_S /=. done.
+  - apply IH in Hinterp as (mw & m & Hinterp & ?).
+    exists mw, (S (S m)). rewrite !interp_S /=.
+    rewrite !lookup_fmap Hx /= interp_thunk_S //=.
+  - exists None, (S (S n)). rewrite !interp_S /=.
+    by rewrite !lookup_fmap Hx /=.
+Qed.
+Lemma interp_as_interp_thunk n t mv :
+  interp n ∅ (thunk_to_expr t) = Res mv →
+  ∃ mw m, interp_thunk m t = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  revert t mv. induction (lt_wf n) as [[|n] _ IH]; intros t mv Hinterp; [done|].
+  destruct t as [v|E e|x E tαs]; simplify_res.
+  { apply interp_empty_val_to_expr_Res in Hinterp. by exists (Some v), 1. }
+  { eapply (interp_proper _ _ E) in Hinterp as (mw & m & Hinterp & ?);
+      [|by rewrite subst_env_empty].
+    exists mw, (S m). by rewrite interp_thunk_S /=. }
+  destruct n as [|n]; [done|]. rewrite !interp_S /= in Hinterp.
+  rewrite !lookup_fmap in Hinterp.
+  destruct (tαs !! x) as [[e|t]|] eqn:Hx; simplify_res.
+  - rewrite interp_thunk_S /= in Hinterp.
+    eapply interp_proper in Hinterp as (mw & m & Hinterp & ?);
+      last apply symmetry, subst_env_indirects_env.
+    exists mw, (S m). rewrite interp_thunk_S /= Hx. done.
+  - rewrite interp_thunk_S /= in Hinterp.
+    eapply IH in Hinterp as (mw & m & Hinterp & ?); last lia.
+    exists mw, (S m). rewrite !interp_thunk_S /= Hx. done.
+  - exists None, (S n). rewrite !interp_thunk_S /= Hx. done.
+Qed.
+Lemma delayed_interp n e e' mv :
+  interp n ∅ e' = Res mv →
+  e =D=> e' →
+  ∃ m, interp m ∅ e = Res mv.
+Proof.
+  intros Hinterp Hdel. revert n mv Hinterp. induction Hdel; intros n mv Hinterp.
+  - by eauto.
+  - apply IHHdel in Hinterp as [m Hinterp].
+    exists (S (S m)). rewrite interp_S /= lookup_empty left_id_L /=.
+    by rewrite interp_thunk_S /=.
+  - destruct n as [|n]; [done|]. rewrite interp_S /= in Hinterp.
+    destruct (interp _ _ e1') as [mv1|] eqn:Hinterp1; simplify_res.
+    apply IHHdel1 in Hinterp1 as [m1 Hinterp1].
+    destruct mv1 as [v1|]; simplify_res; last first.
+    { exists (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (interp_bin_op op v1) as [f|] eqn:Hf; simplify_res; last first.
+    { exists (S m1). by rewrite interp_S /= Hinterp1 /= Hf. }
+    destruct (interp _ _ e2') as [mv2|] eqn:Hinterp2; simplify_res.
+    apply IHHdel2 in Hinterp2 as [m2 Hinterp2]. exists (S (n `max` m1 `max` m2)).
+    rewrite interp_S /= (interp_le Hinterp1); last lia.
+    rewrite /= Hf /= (interp_le Hinterp2); last lia.
+    destruct mv2; simplify_res; [|done].
+    destruct (f _); simplify_res; [|done].
+    eauto using interp_thunk_le with lia.
+  - destruct n as [|n]; [done|]. rewrite interp_S /= in Hinterp.
+    destruct (interp _ _ e1') as [mv1|] eqn:Hinterp1; simplify_res.
+    apply IHHdel1 in Hinterp1 as [m1 Hinterp1].
+    destruct mv1 as [v1|]; simplify_res; last first.
+    { exists (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe_VLit v1 ≫= maybe LitBool) as [[]|] eqn: Hbool; simplify_res.
+    + apply IHHdel2 in Hinterp as [m2 Hinterp2]. exists (S (m1 `max` m2)).
+      rewrite interp_S /= (interp_le Hinterp1); last lia.
+      rewrite /= Hbool /=. eauto using interp_le with lia.
+    + apply IHHdel3 in Hinterp as [m3 Hinterp3]. exists (S (m1 `max` m3)).
+      rewrite interp_S /= (interp_le Hinterp1); last lia.
+      rewrite /= Hbool /=. eauto using interp_le with lia.
+    + exists (S m1). rewrite interp_S /= Hinterp1 /= Hbool. done.
+Qed.
+Lemma interp_subst_abs n x e1 e2 mv :
+  interp n ∅ (subst {[x:=(ABS, e2)]} e1) = Res mv →
+  ∃ mw m, interp m (<[x:=(ABS, Thunk ∅ e2)]> ∅) e1 = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  apply interp_proper. by rewrite subst_env_empty subst_abs_as_subst_env.
+Qed.
+Lemma interp_subst_indirects n e αs mv :
+  interp n ∅ (subst (indirects αs) e) = Res mv →
+  ∃ mw m,
+    interp m (indirects_env ∅ (attr_to_tattr ∅ <$> αs)) e = Res mw ∧
+    val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  apply interp_proper. rewrite subst_env_empty. rewrite subst_env_alt.
+  f_equal. apply map_eq=> x. rewrite !lookup_fmap.
+  destruct (αs !! x) eqn:?; do 2 f_equal/=;
+    rewrite /indirects /indirects_env right_id_L !map_lookup_imap
+      !lookup_fmap !Heqo //=.
+  rewrite tattr_to_attr_from_attr_empty //.
+Qed.
+Lemma interp_subst_fmap k n e es mv :
+  interp n ∅ (subst ((k,.) <$> es) e) = Res mv →
+  ∃ mw m, interp m ((k,.) ∘ Thunk ∅ <$> es) e = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  apply interp_proper. rewrite subst_env_empty. rewrite subst_env_alt.
+  f_equal. apply map_eq=> x. rewrite !lookup_fmap.
+  destruct (es !! x) as [d|]; do 2 f_equal/=. by rewrite subst_env_empty.
+Qed.
+Lemma final_interp μ e :
+  final μ e →
+  ∃ w m, interp m ∅ e = mret w ∧ e = val_to_expr w.
+Proof.
+  revert μ. induction e; intros μ'; intros Hfinal; try by inv Hfinal.
+  - inv Hfinal. eexists (VLit _ _), 1. by rewrite interp_lit /=.
+  - eexists (VClo _ _ _), 1. rewrite interp_S /=. split; [done|].
+    by rewrite /= subst_env_empty.
+  - eexists (VCloMatch _ _ _ _), 1. rewrite interp_S /=. split; [done|].
+    rewrite /= subst_env_empty. f_equal.
+    apply map_eq=> x. rewrite lookup_fmap.
+    destruct (ms !! x) as [[]|]; do 2 f_equal/=. by rewrite subst_env_empty.
+  - eexists (VList _), 1. rewrite interp_S /=. split; [done|]. f_equal. clear.
+    induction es; f_equal/=; [|done].
+    by rewrite /= subst_env_empty.
+  - eexists (VAttr _), 1. rewrite interp_S /=. split; [done|].
+    f_equal. apply map_eq=> x.
+    assert (no_recs αs) by (by inv Hfinal).
+    rewrite from_attr_no_recs // !lookup_fmap.
+    destruct (_ !! _) as [[]|] eqn:?; f_equal/=.
+    f_equal; eauto using no_recs_lookup, subst_env_empty.
+Qed.
+Lemma final_force_deep' v :
+  final DEEP (val_to_expr v) →
+  ∃ w m, force_deep m v = mret w ∧ val_to_expr v = val_to_expr w.
+Proof.
+  intros Hfinal. remember (val_to_expr v) as e eqn:He.
+  revert v He. induction e; intros [] ?; simplify_eq/=; inv Hfinal.
+  - (* VLit *) eexists (VLit _ _), 1. by rewrite force_deep_S.
+  - (* VClo *)
+    eexists (VClo _ _ _), 1. by rewrite force_deep_S.
+  - (* VCloMatch *)
+    eexists (VCloMatch _ _ _ _), 1. by rewrite force_deep_S.
+  - (* VList *)
+    assert (∃ vs m, mapM (mbind (force_deep m) ∘ interp_thunk m) ts = mret vs ∧
+      val_to_expr <$> vs = thunk_to_expr <$> ts)
+      as (vs & m & Hmap & Hvs); last first.
+    { exists (VList (Forced <$> vs)), (S m). rewrite force_deep_S /= Hmap /=.
+      split; [done|]. f_equal. rewrite -Hvs.
+      clear. by induction vs; by f_equal/=. }
+    rewrite Forall_fmap in H1. induction H1 as [|t ts Ht ? IH]; simplify_eq/=.
+    { by exists [], 0. }
+    apply Forall_cons in H as [IHt IHts].
+    destruct IH as (ws & m1 & Hinterp1 & ?); simplify_eq/=; [done|]. clear IHts.
+    destruct (final_interp DEEP (thunk_to_expr t))
+      as (v' & m & Hinterp & ?); [done|].
+    apply interp_as_interp_thunk in Hinterp
+      as ([v''|] & m' & Hinterp & ?); simplify_res.
+    destruct (IHt Ht v'') as (w & m'' & Hforce & ?); [congruence|].
+    exists (w :: ws), (m1 `max` m' `max` m''); csimpl.
+    rewrite (interp_thunk_le Hinterp) /=; last lia.
+    rewrite (force_deep_le Hforce) /=; last lia.
+    rewrite (mapM_interp_le Hinterp1) /=; last lia. auto with f_equal.
+  - (* VAttr *) clear H1. assert (∃ vs m,
+      map_mapM_sorted attr_le
+        (mbind (force_deep m) ∘ interp_thunk m) ts = mret vs ∧
+      val_to_expr <$> vs = thunk_to_expr <$> ts)
+      as (vs & m & Hmap & Hvs); last first.
+    { exists (VAttr (Forced <$> vs)), (S m). rewrite force_deep_S /= Hmap /=.
+      split; [done|]. rewrite 2!map_fmap_compose -Hvs. f_equal.
+      apply map_eq=> x. rewrite !lookup_fmap. by destruct (vs !! x). }
+    induction ts as [|x t ts Hx ? IH] using (map_sorted_ind attr_le).
+    { exists ∅, 0. by rewrite map_mapM_sorted_empty. }
+    rewrite fmap_insert /= in H, H2.
+    apply map_Forall_insert in H as [IHt IHts]; last by rewrite lookup_fmap Hx.
+    apply map_Forall_insert in H2 as [Ht Hts]; last by rewrite lookup_fmap Hx.
+    apply IH in IHts as (ws & m1 & Hinterp1 & ?); clear IH; simplify_eq/=; last done.
+    destruct (final_interp DEEP (thunk_to_expr t))
+      as (v' & m & Hinterp & ?); [done|].
+    apply interp_as_interp_thunk in Hinterp
+      as ([v''|] & m' & Hinterp & ?); simplify_res.
+    destruct (IHt Ht v'') as (w & m'' & Hforce & ?); [congruence|].
+    exists (<[x:=w]> ws), (m1 `max` m' `max` m'').
+    rewrite fmap_insert map_mapM_sorted_insert //=.
+    rewrite (interp_thunk_le Hinterp) /=; last lia.
+    rewrite (force_deep_le Hforce) /=; last lia.
+    rewrite (map_mapM_interp_le Hinterp1) /=; last lia.
+    rewrite fmap_insert. auto with f_equal.
+Qed.
+Lemma interp_step μ e1 e2 :
+  e1 -{μ}-> e2 →
+  (∀ n mv,
+     ¬final SHALLOW e1 →
+     interp n ∅ e2 = Res mv →
+     exists mw m, interp m ∅ e1 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw) ∧
+  (∀ n v1 v2 mv,
+     μ = DEEP →
+     e1 = val_to_expr v1 →
+     e2 = val_to_expr v2 →
+     force_deep n v2 = Res mv →
+     exists mw m, force_deep m v1 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw).
+Proof.
+  intros Hstep. induction Hstep; inv_step.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    apply interp_subst_abs in Hinterp as (mw & [|m] & Hinterp & Hv); simplify_eq/=.
+    exists mw, (S (S (S m))). split; [|done].
+    rewrite interp_S /= interp_app_S /= /= !interp_S /=.
+    rewrite -!interp_S /=. rewrite (interp_le Hinterp); last lia. done.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|n]; simplify_eq/=. apply interp_match_Some_2 in H0.
+    apply interp_subst_indirects in Hinterp as (mw & m & Hinterp & ?).
+    exists mw, (S (S (S (S m)))); split; [|done].
+    rewrite !interp_S /= interp_app_S /= interp_thunk_S /= (interp_S m) /=.
+    rewrite from_attr_no_recs // map_fmap_compose H0 /=.
+    eauto using interp_le with lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|[|[|n]]]; simplify_eq/=.
+    rewrite !interp_S /= -!interp_S in Hinterp.
+    destruct (interp _ _ e1) as [mw|] eqn:Hinterp'; simplify_res.
+    destruct mw as [w|]; simplify_res; last first.
+    { exists None, (S (S (S (S n)))). split; [|done].
+      rewrite 2!interp_S /= interp_app_S /=.
+      rewrite from_attr_no_recs // lookup_fmap H0 /=.
+      rewrite interp_thunk_S /= Hinterp'. done. }
+    destruct (interp_app _ _ _) as [mv'|] eqn:Happ; simplify_res.
+    eapply (interp_app_proper _ _ _ _
+      (Forced (VAttr (Thunk ∅ ∘ attr_expr <$> αs))))
+      in Happ as (mw' & m1 & Happ1 & Hw); [|done|]; last first.
+    { rewrite /= subst_env_eq /=. f_equal.
+      apply map_eq=> y. rewrite !lookup_fmap.
+      destruct (αs !! y) as [[]|] eqn:?; do 2 f_equal/=; eauto using no_recs_lookup. }
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S (S (S (S (n `max` m1))))). split; [|done].
+      rewrite 2!interp_S /= interp_app_S /=.
+      rewrite from_attr_no_recs // lookup_fmap H0 /=.
+      rewrite interp_thunk_S /= (interp_le Hinterp') /=; last lia.
+      rewrite (interp_app_le Happ1); last lia. done. }
+    eapply interp_app_proper in Hinterp as (mw & m2 & ? & Hinterp); [|done..].
+    exists mw, (S (S (S (S (n `max` m1 `max` m2))))). split; [|done].
+    rewrite !interp_S /= interp_app_S /=.
+    rewrite from_attr_no_recs // lookup_fmap H0 /=.
+    rewrite interp_thunk_S /= (interp_le Hinterp') /=; last lia.
+    rewrite (interp_app_le Happ1) /=; last lia.
+    eauto using interp_app_le with lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct (final_interp μ' e1) as (v & m & Hinterp' & ->); first done.
+    destruct μ'.
+    { exists mv, (S (n `max` m)). rewrite interp_S /=.
+      rewrite (interp_le Hinterp) /=; last lia.
+      by rewrite (interp_le Hinterp') /=; last lia. }
+    destruct (final_force_deep' v) as (w & m' & Hforce & ?); first done.
+    exists mv, (S (n `max` m `max` m')). rewrite interp_S /=.
+    rewrite (interp_le Hinterp) /=; last lia.
+    rewrite (interp_le Hinterp') /=; last lia.
+    by rewrite (force_deep_le Hforce) /=; last lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    rewrite map_fmap_compose in Hinterp.
+    apply interp_subst_fmap in Hinterp as (mw & [|m] & Hinterp & Hv); simplify_eq/=.
+    rewrite map_fmap_compose in Hinterp.
+    exists mw, (S (S m)). rewrite !interp_S /= -interp_S.
+    rewrite from_attr_no_recs // right_id_L map_fmap_compose. done.
+  - split; last first.
+    { intros n [] v2 mv _ Hαs; simplify_eq/=. by destruct H. }
+    intros n mv _ Hinterp. destruct n as [|n]; [done|].
+    rewrite interp_S /= in Hinterp; simplify_res.
+    eexists _, 1; split; [by rewrite interp_S|].
+    do 2 f_equal/=. apply map_eq=> x /=. rewrite !lookup_fmap.
+    destruct (αs !! x) as [[[] ?]|]; do 2 f_equal/=.
+    by rewrite subst_env_indirects_env_attr_to_tattr_empty subst_env_empty.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    apply final_interp in H as (v1 & m1 & Hinterp1 & ->).
+    pose proof H1 as Hsem. apply interp_bin_op_Some_2 in H1 as [f Hf].
+    eapply final_interp in H0 as (v2 & m2 & Hinterp2 & ->).
+    eapply interp_bin_op_Some_Some_2 in H2 as (t3 & Hfv & Hdel); [|done..].
+    eapply delayed_interp in Hinterp as (m3 & Hinterp); [|done].
+    apply interp_as_interp_thunk in Hinterp as (mw & m & Hinterp3 & ?).
+    exists mw, (S (m `max` m1 `max` m2)). split; [|done]. rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    rewrite Hf /= (interp_le Hinterp2) /=; last lia.
+    rewrite Hfv /= (interp_thunk_le Hinterp3); last lia. done.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    exists mv, (S (S n)). rewrite !interp_S /= -interp_S.
+    eauto using interp_le with lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    exists mv, (S (S n)). rewrite !interp_S /= lookup_empty /=. done.
+  - split; [intros ?? []; constructor; by eauto|].
+    intros n [] [] mv _ Hts Hts' Hforce; simplify_eq.
+    destruct n as [|n]; [done|rewrite force_deep_S /= in Hforce].
+    destruct (mapM _ _) as [mvs|] eqn:Hmap; simplify_eq/=.
+    destruct IHHstep as [IH1 IH2].
+    apply symmetry, fmap_app_inv in Hts
+      as (ts1 & [|t1 ts1'] & ? & ? & ?); simplify_eq/=.
+    apply symmetry, fmap_app_inv in Hts'
+      as (ts2 & [|t2 ts2'] & Hts & ? & ?); simplify_eq/=.
+    assert (∃ mws m,
+      mapM (mbind (force_deep m) ∘ interp_thunk m) (ts1 ++ t1 :: ts1') = Res mws ∧
+      fmap (M:=list) val_to_expr <$> mvs = fmap (M:=list) val_to_expr <$> mws)
+      as (mws & m & Hmap' & Hmvs); last first.
+    { exists (VList ∘ fmap Forced <$> mws), (S m). rewrite force_deep_S /= Hmap'.
+      split; [done|].
+      destruct mvs as [vs|], mws as [ws|]; simplify_eq/=; do 2 f_equal.
+      rewrite list_eq_Forall2 Forall2_fmap in Hmvs.
+      by rewrite list_eq_Forall2 !Forall2_fmap. }
+    rewrite mapM_res_app in Hmap.
+    destruct (mapM _ ts2) as [mvs1|] eqn:Hmap1; simplify_res.
+    eapply mapM_interp_proper in Hmap1 as (mws1 & m1 & Hmap1 & ?); [|done].
+    destruct mvs1 as [vs1|], mws1 as [ws1|]; simplify_res; last first.
+    { exists None, m1. by rewrite mapM_res_app Hmap1. }
+    destruct (interp_thunk n t2) as [mw|] eqn:Hinterp; simplify_res.
+    apply interp_thunk_as_interp in Hinterp as (mw' & m & Hinterp & Hmw').
+    destruct (default mfail (force_deep n <$> mw))
+      as [mu|] eqn:Hforce; simplify_res.
+    destruct (step_any_shallow  _ _ _ Hstep) as [|Hfinal1].
+    + (* SHALLOW *)
+      apply IH1 in Hinterp as (mw'' & m' & Hinterp & Hmw'');
+        [|by eauto using step_not_final].
+      apply interp_as_interp_thunk in Hinterp as (mw''' & m2 & Hinterp & ?).
+      destruct mw as [w|], mw', mw'', mw''' as [w'''|]; simplify_res; last first.
+      { exists None, (m1 `max` m2). rewrite mapM_res_app.
+        rewrite (mapM_interp_le Hmap1) /=; last lia.
+        rewrite (interp_thunk_le Hinterp) /=; last lia. done. }
+      eapply (force_deep_proper _ _ w''')
+        in Hforce as (mu' & m3 & Hforce & ?); last congruence.
+      destruct mu as [u|], mu' as [u'|]; simplify_res; last first.
+      { exists None, (m1 `max` m2 `max` m3). rewrite mapM_res_app.
+        rewrite (mapM_interp_le Hmap1) /=; last lia.
+        rewrite (interp_thunk_le Hinterp) /=; last lia.
+        rewrite (force_deep_le Hforce) /=; last lia. done. }
+      destruct (mapM _ ts2') as [mvs2|] eqn:Hmap2; simplify_res.
+      eapply mapM_interp_proper in Hmap2 as (mws2 & m4 & Hmap2 & ?); [|done].
+      exists ((ws1 ++.) ∘ (u' ::.) <$> mws2), (m1 `max` m2 `max` m3 `max` m4).
+      rewrite mapM_res_app.
+      rewrite (mapM_interp_le Hmap1) /=; last lia.
+      rewrite (interp_thunk_le Hinterp) /=; last lia.
+      rewrite (force_deep_le Hforce) /=; last lia.
+      rewrite (mapM_interp_le Hmap2) /=; last lia. split; [by destruct mws2|].
+      destruct mvs2, mws2; simplify_res; f_equal. rewrite !fmap_app !fmap_cons.
+      congruence.
+    + (* DEEP *)
+      apply step_final_shallow in Hstep as Hfinal2; last done.
+      apply final_interp in Hfinal1 as (w1 & m2 & Hinterpt1 & ?).
+      apply interp_as_interp_thunk in Hinterpt1 as (mw'' & m3 & Hinterpt1 & ?).
+      apply final_interp in Hfinal2 as (w2' & m4 & Hinterpt2 & ?).
+      eapply interp_agree in Hinterp; last apply Hinterpt2.
+      destruct mw as [w2|], mw'' as [w2''|]; simplify_res.
+      eapply IH2 in Hforce as (mu' & m5 & Hforce & ?); [|by auto with congruence..].
+      eapply (force_deep_proper _ _ w2'')
+        in Hforce as (mu'' & m6 & Hforce & ?); last congruence.
+      destruct mu as [u|], mu' as [u'|], mu'' as [u''|]; simplify_res; last first.
+      { exists None, (m1 `max` m3 `max` m6). rewrite mapM_res_app.
+        rewrite (mapM_interp_le Hmap1) /=; last lia.
+        rewrite (interp_thunk_le Hinterpt1) /=; last lia.
+        rewrite (force_deep_le Hforce) /=; last lia. done. }
+      destruct (mapM _ ts2') as [mvs2|] eqn:Hmap2; simplify_res.
+      eapply mapM_interp_proper in Hmap2 as (mws2 & m7 & Hmap2 & ?); [|done].
+      exists ((ws1 ++.) ∘ (u'' ::.) <$> mws2), (m1 `max` m3 `max` m6 `max` m7).
+      rewrite mapM_res_app.
+      rewrite (mapM_interp_le Hmap1) /=; last lia.
+      rewrite (interp_thunk_le Hinterpt1) /=; last lia.
+      rewrite (force_deep_le Hforce) /=; last lia.
+      rewrite (mapM_interp_le Hmap2) /=; last lia. split; [by destruct mws2|].
+      destruct mvs2, mws2; simplify_res; f_equal. rewrite !fmap_app !fmap_cons.
+      congruence.
+  - split; [intros ?? []; constructor; by eauto using no_recs_insert|].
+    intros n [] [] mv _ Hts Hts' Hforce; simplify_eq.
+    destruct n as [|n]; [done|rewrite force_deep_S /= in Hforce].
+    destruct (map_mapM_sorted _ _ _) as [mvs|] eqn:Hmap; simplify_eq/=.
+    destruct IHHstep as [IH1 IH2].
+    apply symmetry, fmap_insert_inv in Hts
+      as (t1 & ts1 & ? & Hx1 & ? & ?); simplify_eq/=; last done.
+    apply symmetry, fmap_insert_inv in Hts' as (t2 & ts2 & ? & Hx2 & ? & Hts);
+      simplify_eq/=; last by rewrite lookup_fmap Hx1.
+    assert (∃ mws m,
+      map_mapM_sorted attr_le (mbind (force_deep m) ∘ interp_thunk m)
+        (<[x:=t1]> ts1) = Res mws ∧
+      fmap (M:=gmap _) val_to_expr <$> mvs = fmap (M:=gmap _) val_to_expr <$> mws)
+      as (mws & m & Hmap' & Hmvs); last first.
+    { exists (VAttr ∘ fmap Forced <$> mws), (S m). rewrite force_deep_S /= Hmap'.
+      split; [done|].
+      destruct mvs as [vs|], mws as [ws|]; simplify_eq/=; do 2 f_equal.
+      apply map_eq=> y. rewrite !lookup_fmap.
+      apply (f_equal (.!! y)) in Hmvs. rewrite !lookup_fmap in Hmvs.
+      destruct (vs !! _), (ws !! _); simplify_eq/=; auto with f_equal. }
+    destruct (step_any_shallow  _ _ _ Hstep) as [|Hfinal].
+    + (* SHALLOW *) assert (map_Forall2 (λ _ t1 t2, ∀ n mv,
+        interp n ∅ (thunk_to_expr t2) = Res mv →
+        ∃ mw m, interp m ∅ (thunk_to_expr t1) = Res mw ∧
+          val_to_expr <$> mv = val_to_expr <$> mw)
+        (<[x:=t1]> ts1) (<[x:=t2]> ts2)) as IHts.
+      { apply map_Forall2_insert_2; first by eauto using step_not_final.
+        intros y. apply (f_equal (.!! y)) in Hts. rewrite !lookup_fmap in Hts.
+        destruct (ts1 !! y), (ts2 !! y); simplify_eq/=; constructor.
+        rewrite -Hts; eauto. }
+      revert IHts Hmap. generalize (<[x:=t1]> ts1) (<[x:=t2]> ts2). clear.
+      intros ts1. revert n mvs.
+      induction ts1 as [|x t1 ts1 ?? IH] using (map_sorted_ind attr_le);
+        intros n mvs ts2' IHts Hmap.
+      { apply map_Forall2_empty_inv_l in IHts as ->.
+        rewrite map_mapM_sorted_empty in Hmap; simplify_res.
+        by exists (Some ∅), 1. }
+      apply map_Forall2_insert_inv_l in IHts
+        as (t2 & ts2 & -> & ? & IHt & IHts); simplify_eq/=; last done.
+      assert (∀ j, is_Some (ts2 !! j) → attr_le x j).
+      { apply map_Forall2_dom_L in IHts. intros j.
+        rewrite -elem_of_dom -IHts elem_of_dom. auto. }
+      rewrite map_mapM_sorted_insert //= in Hmap.
+      destruct (interp_thunk _ _) as [mv|] eqn:Hinterp; simplify_res.
+      assert (∃ mw m, interp_thunk m t1 = Res mw ∧
+        val_to_expr <$> mv = val_to_expr <$> mw) as (mw & m1 & Hinterp1 & ?).
+      { apply interp_thunk_as_interp in Hinterp as (mw & m & Hinterp & ?).
+        apply IHt in Hinterp as (mw' & m' & Hinterp & ?).
+        eapply interp_as_interp_thunk in Hinterp as (mw'' & m'' & Hinterp & ?).
+        exists mw'', m''. eauto with congruence. }
+      destruct mv as [v|], mw as [w|]; simplify_res; last first.
+      { exists None, m1. split; [|done]. rewrite map_mapM_sorted_insert //=.
+        by rewrite Hinterp1. }
+      destruct (force_deep _ _) as [mv|] eqn:Hforce; simplify_res.
+      eapply force_deep_proper in Hforce as (mw & m2 & Hforce' & ?); last done.
+      destruct mv as [v'|], mw as [w'|]; simplify_res; last first.
+      { exists None, (m1 `max` m2). split; [|done].
+        rewrite map_mapM_sorted_insert //=.
+        rewrite (interp_thunk_le Hinterp1) /=; last lia.
+        rewrite (force_deep_le Hforce') /=; last lia. done. }
+      destruct (map_mapM_sorted _ _ _) as [mvs'|] eqn:Hmap'; simplify_res.
+      apply IH in Hmap' as (mws & m3 & Hmap3 & ?); last done.
+      exists (fmap <[x:=w']> mws), (m1 `max` m2 `max` m3).
+      rewrite map_mapM_sorted_insert //=.
+      rewrite (interp_thunk_le Hinterp1) /=; last lia.
+      rewrite (force_deep_le Hforce') /=; last lia.
+      rewrite (map_mapM_interp_le Hmap3) /=; last lia.
+      destruct mvs', mws; simplify_res; last done.
+      rewrite !fmap_insert. auto with f_equal.
+    + (* DEEP *)
+      assert (map_Forall2 (λ _ t1 t2,
+        thunk_to_expr t1 = thunk_to_expr t2 ∨
+        ∃ v1 v2,
+          thunk_to_expr t1 = val_to_expr v1 ∧
+          thunk_to_expr t2 = val_to_expr v2 ∧
+          ∀ n mv,
+            force_deep n v2 = Res mv →
+            ∃ mw m, force_deep m v1 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw)
+        (<[x:=t1]> ts1) (<[x:=t2]> ts2)) as IHts.
+      { apply map_Forall2_insert_2; last first.
+        { intros y. apply (f_equal (.!! y)) in Hts. rewrite !lookup_fmap in Hts.
+          destruct (ts1 !! y), (ts2 !! y); simplify_eq/=; constructor; eauto. }
+        assert (final SHALLOW (thunk_to_expr t2))
+          as (v2 & m2 & Hinterp2 & Ht2)%final_interp
+          by eauto using step_final_shallow.
+        apply final_interp in Hfinal as (v1 & m1 & Hinterp1 & Ht1); eauto 10. }
+      revert IHts Hmap. generalize (<[x:=t1]> ts1) (<[x:=t2]> ts2). clear.
+      intros ts1. revert n mvs.
+      induction ts1 as [|x t1 ts1 ?? IH] using (map_sorted_ind attr_le);
+        intros n mvs ts2' IHts Hmap.
+      { apply map_Forall2_empty_inv_l in IHts as ->.
+        rewrite map_mapM_sorted_empty in Hmap; simplify_res.
+        by exists (Some ∅), 1. }
+      apply map_Forall2_insert_inv_l in IHts
+        as (t2 & ts2 & -> & ? & IHt & IHts); simplify_eq/=; last done.
+      assert (∀ j, is_Some (ts2 !! j) → attr_le x j).
+      { apply map_Forall2_dom_L in IHts. intros j.
+        rewrite -elem_of_dom -IHts elem_of_dom. auto. }
+      rewrite map_mapM_sorted_insert //= in Hmap.
+      destruct (interp_thunk n t2 ≫= force_deep n)
+        as [mv|] eqn:Hinterp; simplify_res.
+      assert (∃ mw m, interp_thunk m t1 ≫= force_deep m = Res mw ∧
+        val_to_expr <$> mv = val_to_expr <$> mw) as (mw & m1 & Hinterp1 & ?).
+      { destruct (interp_thunk _ _) as [mv'|] eqn:Hthunk; simplify_res.
+        destruct IHt as [|(v1 & v2 & Ht1 & Ht2 & IHt)].
+        * eapply interp_thunk_proper in Hthunk
+            as (mw' & m1 & Hthunk1 & ?); last done.
+          destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+          { exists None, m1. by rewrite Hthunk1. }
+          eapply force_deep_proper in Hinterp
+            as (mw & m2 & Hforce2 & ?); last done.
+          exists mw, (m1 `max` m2). split; [|done].
+          rewrite (interp_thunk_le Hthunk1) /=; last lia.
+          eauto using force_deep_le with lia.
+        * destruct (interp_empty_val_to_expr v1) as (v1' & m1 & Hinterp1 & ?).
+          rewrite -Ht1 in Hinterp1.
+          eapply interp_as_interp_thunk in Hinterp1
+            as ([v1''|] & m1' & Hthunk1 & ?); simplify_res.
+          eapply (interp_thunk_proper _ _ (Forced v2)) in Hthunk
+            as (mw2 & m2 & Hthunk2 & ?); simplify_res; [|done].
+          destruct m2 as [|m2]; [done|].
+          rewrite interp_thunk_S in Hthunk2; simplify_res.
+          destruct mv' as [v2'|]; simplify_res.
+          eapply force_deep_proper in Hinterp
+            as (mv' & m2' & Hforce2 & ?); last done.
+          eapply IHt in Hforce2 as (mw' & m2'' & Hforce2 & ?).
+          eapply (force_deep_proper _ _ v1'') in Hforce2
+            as (mw'' & m2''' & Hforce2 & ?); last congruence.
+          exists mw'', (m1' `max` m2''').
+          rewrite (interp_thunk_le Hthunk1) /=; last lia.
+          rewrite (force_deep_le Hforce2) /=; last lia. auto with congruence. }
+      destruct mv as [v|], mw as [w|]; simplify_res; last first.
+      { exists None, m1. split; [|done]. rewrite map_mapM_sorted_insert //=.
+        by rewrite Hinterp1. }
+      destruct (map_mapM_sorted _ _ _) as [mvs'|] eqn:Hmap'; simplify_res.
+      apply IH in Hmap' as (mws & m2 & Hmap2 & ?); last done.
+      exists (fmap <[x:=w]> mws), (m1 `max` m2).
+      rewrite map_mapM_sorted_insert //=.
+      destruct (interp_thunk m1 t1) as [[]|] eqn:Hinterp'; simplify_res.
+      rewrite (interp_thunk_le Hinterp') /=; last lia.
+      rewrite (force_deep_le Hinterp1) /=; last lia.
+      rewrite (map_mapM_interp_le Hmap2) /=; last lia.
+      destruct mvs', mws; simplify_res; last done.
+      rewrite !fmap_insert. auto with f_equal.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|n]; simplify_eq/=.
+    rewrite interp_S /= in Hinterp.
+    destruct (interp n ∅ e') as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IHHstep in Hinterp'
+      as (mw' & m1 & Hinterp1 & ?); last by eauto using step_not_final.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). split; [|done]. by rewrite interp_S /= Hinterp1. }
+    eapply interp_app_proper in Hinterp as (mw & m2 & Happ2 & ?); [|done..].
+    exists mw, (S (m1 `max` m2)). rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    rewrite (interp_app_le Happ2) /=; last lia. done.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|[|[|n]]]; simplify_eq/=.
+    rewrite !interp_S /= interp_app_S /= interp_thunk_S /= in Hinterp.
+    destruct (interp n ∅ e') as [mv'|] eqn:Hinterp'; simplify_res.
+    apply IHHstep in Hinterp'
+      as (mw' & m1 & Hinterp1 & Hw'); last by eauto using step_not_final.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S (S (S m1))). split; [|done].
+      rewrite !interp_S /= interp_app_S /= interp_thunk_S /=.
+      by rewrite Hinterp1. }
+    destruct (maybe VAttr v') as [ts|] eqn:?; simplify_res; last first.
+    { exists None, (S (S (S m1))). split; [|done].
+      rewrite !interp_S /= interp_app_S /= interp_thunk_S /= Hinterp1 /=.
+      assert (maybe VAttr w' = None) as ->; [|done].
+      destruct v', w'; naive_solver. }
+    destruct v', w'; simplify_eq/=.
+    rewrite 2!map_fmap_compose in Hw'. apply (inj _) in Hw'.
+    eapply (interp_match_proper ∅ ∅ _ _ ms ms strict) in Hw'; [|done].
+    destruct (interp_match ts _ strict) as [tαs1|] eqn:Hmatch1,
+      (interp_match ts1 _ strict) as [tαs2|] eqn:Hmatch2;
+      simplify_res; try done; last first.
+    { exists None, (S (S (S m1))). split; [|done].
+      rewrite !interp_S /= interp_app_S /= interp_thunk_S /=.
+      rewrite Hinterp1 /= Hmatch2. done. }
+    eapply interp_proper in Hinterp
+      as (mw & m2 & Hinterp & ?); last first.
+    { by apply indirects_env_proper. }
+    exists mw, (S (S (S (m1 `max` m2)))). split; [|done].
+    rewrite !interp_S /= interp_app_S /= interp_thunk_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    rewrite Hmatch2 /=. eauto using interp_le with lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ e') as [mv'|] eqn:Hinterp'; simplify_eq/=.
+    destruct (step_any_shallow μ e e') as [|Hfinal]; first done.
+    + apply IHHstep in Hinterp'
+        as (mw' & m & Hinterp' & Hw); last by eauto using step_not_final.
+      destruct mv' as [v|], mw' as [w'|]; simplify_res; last first.
+      { exists None, (S m). by rewrite interp_S /= Hinterp'. }
+      destruct μ; simplify_res.
+      { exists mv, (S (n `max` m)). rewrite interp_S /=.
+        rewrite (interp_le Hinterp') /=; last lia.
+        rewrite (interp_le Hinterp) /=; last lia. done. }
+      destruct (force_deep n v) as [mv'|] eqn:Hforce; simplify_res.
+      eapply force_deep_proper
+        in Hforce as (mw' & m2 & Hforce2 & ?); last done.
+      exists mv, (S (n `max` m `max` m2)). split; [|done]. rewrite interp_S /=.
+      rewrite (interp_le Hinterp') /=; last lia.
+      rewrite (force_deep_le Hforce2) /=; last lia.
+      destruct mv', mw'; simplify_res; eauto using interp_le with lia.
+    + destruct μ; [by odestruct step_not_final|].
+      assert (final SHALLOW e') as (w & m & Hinterp'' & ->)%final_interp
+        by eauto using step_final_shallow.
+      apply interp_empty_val_to_expr_Res in Hinterp'.
+      destruct mv' as [v|]; simplify_res.
+      destruct (force_deep n v) as [mv'|] eqn:Hforce; simplify_res.
+      apply final_interp in Hfinal as (w' & m' & Hinterp''' & ->).
+      eapply IHHstep in Hforce as (mw' & m'' & Hforce' & ?); [|done..].
+      exists mv, (S (n `max` m' `max` m'')). rewrite interp_S /=.
+      rewrite (interp_le Hinterp''') /=; last lia.
+      rewrite (force_deep_le Hforce') /=; last lia.
+      destruct mv', mw'; simplify_res; eauto using interp_le with lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ _) as [mv'|] eqn:Hinterp'; simplify_eq/=.
+    apply IHHstep in Hinterp'
+      as (mw' & m1 & Hinterp1 & Hw); last by eauto using step_not_final.
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, (S m1). by rewrite interp_S /= Hinterp1. }
+    destruct (maybe VAttr _) eqn:Hattr; simplify_res; last first.
+    { exists None, (S m1). rewrite interp_S /= Hinterp1 /=.
+      by assert (maybe VAttr w' = None) as -> by (by destruct v', w'). }
+    destruct v', w'; simplify_res.
+    rewrite right_id_L in Hinterp.
+    eapply interp_proper in Hinterp as (mw & m2 & Hinterp2 & ?);
+      last by apply subst_env_fmap_proper.
+    exists mw, (S (m1 `max` m2)). rewrite !interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia. rewrite right_id_L.
+    by rewrite (interp_le Hinterp2) /=; last lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ e') as [mv1|] eqn:Hinterp1; simplify_eq/=.
+    apply IHHstep in Hinterp1 as (mw1 & m & Hinterp1 & Hw1);
+      last by eauto using step_not_final.
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m). by rewrite interp_S /= Hinterp1. }
+    apply (interp_bin_op_proper op) in Hw1.
+    destruct (interp_bin_op _ v1) as [f|] eqn:Hopf; simplify_res; last first.
+    { exists None, (S m). rewrite interp_S /= Hinterp1 /=.
+      by destruct (interp_bin_op _ w1). }
+    destruct (interp_bin_op _ w1) as [g|] eqn:Hopg; simplify_res; [|done].
+    destruct (interp n _ e2) as [mv2|] eqn:Hinterp2; simplify_res.
+    destruct mv2 as [v2|]; simplify_res; last first.
+    { exists None, (S (n `max` m)). split; [|done]. rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (interp_le Hinterp2) /=; last lia. by rewrite Hopg. }
+    specialize (Hw1 v2 _ eq_refl).
+    destruct (f v2) as [t2|], (g v2) as [t2'|] eqn:Hg; simplify_res; last first.
+    { exists None, (S (n `max` m)). split; [|done]. rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (interp_le Hinterp2) /=; last lia. by rewrite Hopg /= Hg. }
+    eapply interp_thunk_proper in Hinterp as (mw & m' & Hthunk & ?); last done.
+    exists mw, (S (n `max` m `max` m')). split; [|done]. rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    rewrite (interp_le Hinterp2) /=; last lia. rewrite Hopg /= Hg /=.
+    rewrite (interp_thunk_le Hthunk) /=; last lia. done.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n ∅ e1) as [mw1|] eqn:Hinterp1; simplify_res.
+    apply final_interp in H0 as (v1 & m1 & Hinterp1' & ->).
+    apply interp_bin_op_Some_2 in H1 as [f Hop].
+    assert (mw1 = Some v1) as -> by eauto using interp_agree.
+    rewrite /= Hop /= in Hinterp.
+    destruct (interp _ _ e') as [mv2|] eqn:Hinterp2; simplify_res; last first.
+    apply IHHstep in Hinterp2 as (mw2 & m & Hinterp2 & Hw);
+      last by eauto using step_not_final.
+    destruct mv2 as [v2|], mw2 as [w2|]; simplify_res; last first.
+    { exists None, (S (n `max` m)). split; [|done]. rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (interp_le Hinterp2) /=; last lia. by rewrite Hop. }
+    pose proof @eq_refl as Hf%(interp_bin_op_proper op v1). rewrite !Hop in Hf.
+    apply Hf in Hw; clear Hf.
+    destruct (f v2) as [t|] eqn:Hf,
+      (f w2) as [t'|] eqn:Hf'; simplify_res; last first.
+    { exists None, (S (n `max` m)). split; [|done]. rewrite interp_S /=.
+      rewrite (interp_le Hinterp1) /=; last lia.
+      rewrite (interp_le Hinterp2) /=; last lia. by rewrite Hop /= Hf'. }
+    eapply interp_thunk_proper in Hinterp as (mw & m' & Hthunk & ?); last done.
+    exists mw, (S (n `max` m `max` m')). split; [|done]. rewrite interp_S /=.
+    rewrite (interp_le Hinterp1) /=; last lia.
+    rewrite (interp_le Hinterp2) /=; last lia. rewrite Hop /= Hf' /=.
+    eauto using interp_thunk_le with lia.
+  - split; [|by intros ? []]. intros n mv _ Hinterp.
+    destruct n as [|n]; [done|rewrite interp_S /= in Hinterp].
+    destruct (interp n _ e') as [mv1|] eqn:Hinterp1; simplify_eq/=.
+    apply IHHstep in Hinterp1 as (mw1 & m & Hinterp1 & Hw1);
+      last by eauto using step_not_final.
+    destruct mv1 as [v1|], mw1 as [w1|]; simplify_res; last first.
+    { exists None, (S m). by rewrite interp_S /= Hinterp1. }
+    exists mv, (S (n `max` m)). split; [|done].
+    rewrite interp_S /= (interp_le Hinterp1) /=; last lia.
+    assert (maybe_VLit w1 ≫= maybe LitBool = maybe_VLit v1 ≫= maybe LitBool) as ->.
+    { destruct v1, w1; repeat destruct select base_lit; naive_solver. }
+    destruct (maybe_VLit v1 ≫= maybe LitBool); simplify_res; [|done].
+    eauto using interp_le with lia.
+Qed.
+Lemma final_interp' μ e :
+  final μ e →
+  ∃ w m, interp' m μ ∅ e = mret w ∧ e = val_to_expr w.
+Proof.
+  intros Hfinal. destruct (final_interp _ _ Hfinal) as (w & m & Hinterp & ->).
+  destruct μ.
+  { exists w, m. by rewrite interp_shallow'. }
+  apply final_force_deep' in Hfinal as (w' & m' & Hforce & ?).
+  exists w', (m `max` m'); split; [|done]. rewrite /interp'.
+  rewrite (interp_le Hinterp) /=; last lia. eauto using force_deep_le with lia.
+Qed.
+Lemma force_deep_le' {n1 n2 μ v mv} :
+  force_deep' n1 μ v = Res mv → n1 ≤ n2 → force_deep' n2 μ v = Res mv.
+Proof. destruct μ; eauto using force_deep_le. Qed.
+Lemma interp_le' {n1 n2 μ E e mv} :
+  interp' n1 μ E e = Res mv → n1 ≤ n2 → interp' n2 μ E e = Res mv.
+Proof.
+  rewrite /interp'. intros.
+  destruct (interp n1 _ _) as [mw|] eqn:Hinterp; simplify_res.
+  rewrite (interp_le Hinterp); last lia.
+  destruct mw; simplify_res; eauto using force_deep_le'.
+Qed.
+Lemma interp_agree' {n1 n2 μ E e mv1 mv2} :
+  interp' n1 μ E e = Res mv1 → interp' n2 μ E e = Res mv2 → mv1 = mv2.
+Proof.
+  intros He1 He2. apply (inj Res). destruct (total (≤) n1 n2).
+  - rewrite -He2. symmetry. eauto using interp_le'.
+  - rewrite -He1. eauto using interp_le'.
+Qed.
+Lemma interp_step' n μ e1 e2 mv :
+  e1 -{μ}-> e2 →
+  interp' n μ ∅ e2 = Res mv →
+  ∃ mw m, interp' m μ ∅ e1 = Res mw ∧ val_to_expr <$> mv = val_to_expr <$> mw.
+Proof.
+  intros Hstep. destruct μ.
+  { setoid_rewrite interp_shallow'.
+    eapply interp_step; eauto using step_not_final. }
+  intros Hinterp. rewrite /interp' in Hinterp.
+  destruct (interp n ∅ e2) as [mv'|] eqn:Hinterp'; simplify_res.
+  destruct (step_any_shallow _ _ _ Hstep) as [|Hfinal].
+  - eapply interp_step in Hinterp' as (mw' & m & Hinterp' & ?);
+      [|by eauto using step_not_final..].
+    destruct mv' as [v'|], mw' as [w'|]; simplify_res; last first.
+    { exists None, m. by rewrite /interp' Hinterp'. }
+    eapply force_deep_proper in Hinterp as (mw' & m' & Hforce & ?); last done.
+    exists mw', (m `max` m'). rewrite /interp'.
+    rewrite (interp_le Hinterp') /=; last lia.
+    eauto using force_deep_le with lia.
+  - assert (final SHALLOW e2)
+      as (w2 & m2 & Hinterpw2 & ->)%final_interp by eauto using step_final_shallow.
+    apply final_interp in Hfinal as (w1 & m1 & Hinterpw1 & ->).
+    apply interp_empty_val_to_expr_Res in Hinterp'; destruct mv'; simplify_res.
+    eapply interp_step in Hstep as [_ Hstep].
+    eapply Hstep in Hinterp as (mw & m & Hforce & ?); [|done..].
+    exists mw, (m `max` m1). split; [|done]. rewrite /interp'.
+    rewrite (interp_le Hinterpw1) /=; last lia.
+    eauto using force_deep_le with lia.
+Qed.
+Lemma final_val_to_expr' n μ E e v :
+  interp' n μ E e = mret v → final μ (val_to_expr v).
+Proof.
+  rewrite /interp'. intros Hinterp.
+  destruct (interp _ _ e) as [[w|]|] eqn:Hinterp'; simplify_res.
+  destruct μ; simplify_res; eauto using final_force_deep.
+Qed.
+Lemma red_final_interp μ e :
+  red (step μ) e ∨ final μ e ∨ ∃ m, interp' m μ ∅ e = mfail.
+Proof.
+  revert μ. induction e; intros μ'.
+  - (* ELit *)
+    destruct (decide (base_lit_ok b)).
+    + right; left. by constructor.
+    + do 2 right. exists 1. rewrite /interp' interp_S /=. by case_guard.
+  - (* EId *) destruct mkd as [[k d]|].
+    + left. eexists; constructor.
+    + do 2 right. by exists 1.
+  - (* EAbs *) right; left. constructor.
+  - (* EAbsMatch *) right; left. constructor.
+  - (* EApp *) destruct (IHe1 SHALLOW) as [[??]|[Hfinal|[m Hinterp]]].
+    + left. eexists. by eapply SAppL.
+    + apply final_interp in Hfinal as ([] & m & _ & ->); simplify_res.
+      { do 2 right. exists 3. rewrite /interp' interp_S /= interp_lit //. }
+      { left. by repeat econstructor. }
+      { destruct (IHe2 SHALLOW) as [[??]|[Hfinal|[m2 Hinterp2]]].
+        * left. by repeat econstructor.
+        * apply final_interp in Hfinal as (w2 & m2 & Hinterp2 & ->).
+          destruct (maybe VAttr w2) as [ts|] eqn:Hw2; last first.
+          { do 2 right. exists (S (S (S m2))).
+            rewrite /interp' !interp_S /= interp_app_S /= interp_thunk_S /=.
+            rewrite Hinterp2 /= Hw2. done. }
+          destruct w2; simplify_eq/=.
+          destruct (interp_match ts (fmap (M:=option) (subst_env E) <$> ms) strict)
+            as [E'|] eqn:Hmatch; last first.
+          { do 2 right. exists (S (S (S m2))).
+            rewrite /interp' !interp_S /= interp_app_S /= interp_thunk_S /=.
+            rewrite Hinterp2 /= Hmatch. done. }
+          apply interp_match_Some_1 in Hmatch.
+          left. repeat econstructor; [done|].
+          by rewrite map_fmap_compose fmap_attr_expr_Attr.
+        * rewrite interp_shallow' in Hinterp2.
+          do 2 right. exists (S (S (S m2))).
+          rewrite /interp' !interp_S /= interp_app_S /= interp_thunk_S /=.
+          by rewrite Hinterp2. }
+      { do 2 right. by exists 3. }
+      destruct (ts !! "__functor") as [e|] eqn:Hfunc.
+      { left. repeat econstructor; by simplify_map_eq. }
+      do 2 right. exists (S (S m)). rewrite /interp' !interp_S /=.
+      rewrite interp_app_S /= !lookup_fmap Hfunc. done.
+    + rewrite interp_shallow' in Hinterp.
+      do 2 right. exists (S m). by rewrite /interp' interp_S /= Hinterp.
+  - (* ESeq *) destruct (IHe1 μ) as [[??]|[Hfinal|[m Hinterp]]].
+    + left. eexists. by eapply SSeq.
+    + left. by repeat econstructor.
+    + do 2 right. exists (S m). rewrite /interp' interp_S /=.
+      rewrite /interp' in Hinterp.
+      destruct (interp _ _ e1) as [[]|], μ; simplify_res; [|done..].
+      by rewrite Hinterp.
+  - (* EList *)
+    destruct μ'.
+    { right; left. by constructor. }
+    assert (red (step DEEP) (EList es) ∨ Forall (final DEEP) es ∨
+      ∃ m, mapM (mbind (force_deep m) ∘ interp_thunk m)
+             (Thunk ∅ <$> es) = mfail) as Hhelp; last first.
+    { destruct Hhelp as [?|[?|[m Hinterp]]]; [by auto using final..|].
+      do 2 right. exists (S m). rewrite /interp' interp_S /=.
+      rewrite force_deep_S /=. by rewrite Hinterp. }
+    induction H as [|e es He Hes IH]; [by right; left|].
+    destruct (He DEEP) as [[??]|[Hfinal|[m Hinterp]]]; simplify_eq/=.
+    + left. eexists. by eapply (SList []).
+    + destruct IH as [[??]|[?|[m2 Hinterp2]]]; [|by eauto|].
+      * left. inv_step. eexists. eapply (SList (_ :: _)); by eauto.
+      * apply final_interp' in Hfinal as (w & m1 & Hinterp1 & _).
+        do 2 right. exists (S (m1 `max` m2)).
+        rewrite /interp' /force_deep' in Hinterp1.
+        destruct (interp m1 _ _) as [[]|] eqn:Hinterp1'; simplify_res.
+        rewrite interp_thunk_S /= (interp_le Hinterp1') /=; last lia.
+        rewrite (force_deep_le Hinterp1) /=; last lia.
+        rewrite (mapM_interp_le Hinterp2) /=; last lia. done.
+    + do 2 right. exists (S m).
+      rewrite /interp' /force_deep' in Hinterp.
+      destruct (interp m _ _) as [mw|] eqn:Hinterp1'; simplify_res.
+      rewrite interp_thunk_S /= Hinterp1' /=.
+      destruct mw as [w|]; simplify_res; [|done].
+      rewrite (force_deep_le Hinterp) /=; last lia. done.
+  - (* EAttr *) destruct (decide (no_recs αs)) as [Hrecs|]; last first.
+    { left. by repeat econstructor. }
+    destruct μ'.
+    { right; left. by constructor. }
+    assert (red (step DEEP) (EAttr αs) ∨
+      map_Forall (λ _, final DEEP ∘ attr_expr) αs ∨
+      ∃ m, map_mapM_sorted attr_le (mbind (force_deep m) ∘ interp_thunk m)
+             (Thunk ∅ ∘ attr_expr <$> αs) = mfail) as Hhelp; last first.
+    { destruct Hhelp as [?|[?|[m Hinterp]]]; [by auto using final..|].
+      do 2 right. exists (S m). rewrite /interp' interp_S /=.
+      rewrite from_attr_no_recs //. rewrite force_deep_S /=. by rewrite Hinterp. }
+    induction αs as [|x [τ e] es Hx ? IH]
+      using (map_sorted_ind attr_le); [by right; left|].
+    rewrite !map_Forall_insert //.
+    apply map_Forall_insert in H as [He Hes%IH]; clear IH;
+      [|by eauto using no_recs_insert_inv..].
+    assert (τ = NONREC) as -> by (by eapply no_recs_lookup, lookup_insert).
+    assert (∀ y, is_Some ((Thunk ∅ ∘ attr_expr <$> es) !! y) → attr_le x y).
+    { intros y. rewrite lookup_fmap fmap_is_Some. eauto. }
+    destruct (He DEEP) as [[??]|[Hfinal|[m Hinterp]]]; simplify_eq/=.
+    + left. eexists; eapply SAttr; naive_solver eauto using no_recs_insert_inv.
+    + destruct Hes as [[??]|[?|[m2 Hinterp2]]]; [|by eauto|].
+      * left. inv_step; first by naive_solver eauto using no_recs_insert_inv.
+        apply lookup_insert_None in Hx as [??].
+        rewrite insert_commute // in Hrecs. rewrite insert_commute //.
+        eexists; eapply SAttr; [|by rewrite lookup_insert_ne| |done].
+        { eapply no_recs_insert_inv; [|done]. by rewrite lookup_insert_ne. }
+        intros ?? [[<- <-]|[??]]%lookup_insert_Some; eauto.
+      * apply final_interp' in Hfinal as (w & m1 & Hinterp1 & _).
+        do 2 right. exists (S (m1 `max` m2)). rewrite fmap_insert /=.
+        rewrite map_mapM_sorted_insert //=; last by rewrite lookup_fmap Hx.
+        rewrite /interp' /force_deep' in Hinterp1.
+        destruct (interp m1 _ _) as [[]|] eqn:Hinterp1'; simplify_res.
+        rewrite interp_thunk_S /= (interp_le Hinterp1') /=; last lia.
+        rewrite (force_deep_le Hinterp1) /=; last lia.
+        rewrite (map_mapM_interp_le Hinterp2) /=; last lia. done.
+    + do 2 right. exists (S m). rewrite fmap_insert /=.
+      rewrite map_mapM_sorted_insert //=; last by rewrite lookup_fmap Hx.
+      rewrite /interp' /force_deep' in Hinterp.
+      destruct (interp m _ _) as [mw|] eqn:Hinterp'; simplify_res.
+      rewrite interp_thunk_S /= (interp_le Hinterp') /=; last lia.
+      destruct mw as [w|]; simplify_res; [|done].
+      rewrite (force_deep_le Hinterp) /=; last lia. done.
+  - (* ELetAttr *) destruct (IHe1 SHALLOW) as [[??]|[Hfinal|[m Hinterp]]].
+    + left. eexists. by eapply SLetAttr.
+    + apply final_interp in Hfinal as (w & m & Hinterp & ->).
+      destruct (maybe VAttr w) eqn:Hw.
+      { destruct w; simplify_eq/=. left. by repeat econstructor. }
+      do 2 right. exists (S m). by rewrite /interp' interp_S /= Hinterp /= Hw.
+    + do 2 right. exists (S m). rewrite interp_shallow' in Hinterp.
+      by rewrite /interp' interp_S /= Hinterp /=.
+  - (* EBinOp *)
+    destruct (IHe1 SHALLOW) as [[??]|[Hfinal1|[m Hinterp]]].
+    + left. eexists. by eapply SBinOpL.
+    + apply final_interp in Hfinal1 as (w1 & m1 & Hinterp1 & ->).
+      destruct (interp_bin_op op w1) as [f|] eqn:Hop; last first.
+      { do 2 right. exists (S m1). rewrite /interp' interp_S /=.
+        by rewrite Hinterp1 /= Hop. }
+      pose proof Hop as [Φ ?]%interp_bin_op_Some_1.
+      destruct (IHe2 SHALLOW) as [[??]|[Hfinal2|[m Hinterp2]]].
+      * left. by repeat econstructor.
+      * apply final_interp in Hfinal2 as (w2 & m2 & Hinterp2 & ->).
+        destruct (f w2) as [w|] eqn:Hf; last first.
+        ** do 2 right. exists (S (m1 `max` m2)). rewrite /interp' interp_S /=.
+           rewrite (interp_le Hinterp1) /=; last lia.
+           rewrite Hop /= (interp_le Hinterp2) /=; last lia. by rewrite Hf.
+        ** eapply interp_bin_op_Some_Some_1 in Hf as (?&?&?); [|done..].
+           left. by repeat econstructor.
+      * rewrite interp_shallow' in Hinterp2.
+        do 2 right. exists (S (m `max` m1)). rewrite /interp' interp_S /=.
+        rewrite (interp_le Hinterp1) /=; last lia.
+        rewrite Hop /= (interp_le Hinterp2) /=; last lia. done.
+    + rewrite interp_shallow' in Hinterp.
+      do 2 right. exists (S m). by rewrite /interp' interp_S /= Hinterp.
+  - (* EIf *)
+    destruct (IHe1 SHALLOW) as [[??]|[Hfinal1|[m Hinterp]]].
+    + left. eexists. by eapply SIf.
+    + apply final_interp in Hfinal1 as (w1 & m1 & Hinterp1 & ->).
+      destruct (maybe_VLit w1 ≫= maybe LitBool) as [b|] eqn:Hbool; last first.
+      { do 2 right. exists (S m1).
+        rewrite /interp' interp_S /= Hinterp1 /= Hbool. done. }
+      left. destruct w1; repeat destruct select base_lit; simplify_eq/=.
+      eexists; constructor.
+    + rewrite interp_shallow' in Hinterp.
+      do 2 right. exists (S m). by rewrite /interp' interp_S /= Hinterp.
+Qed.
+Lemma interp_complete μ e1 e2 :
+  e1 -{μ}->* e2 → nf (step μ) e2 →
+  ∃ mw m, interp' m μ ∅ e1 = Res mw ∧
+    if mw is Some w then e2 = val_to_expr w else ¬final μ e2.
+Proof.
+  intros Hsteps Hnf. induction Hsteps as [e|e1 e2 e3 Hstep _ IH].
+  { destruct (red_final_interp μ  e) as [?|[Hfinal|[m Hinterp]]]; [done|..].
+    - apply final_interp' in Hfinal as (w & m & ? & ?).
+      by exists (Some w), m.
+    - exists None, m. split; [done|]. intros Hfinal.
+      apply final_interp' in Hfinal as (w & m' & Hinterp' & _).
+      rewrite /interp' in Hinterp, Hinterp'.
+      by assert (mfail = mret w) by eauto using interp_agree'. }
+  destruct IH as (mw & m & Hinterp & ?); first done.
+  eapply interp_step' in Hstep as (mw' & m' & ? & ?); last done.
+  destruct mw, mw'; naive_solver.
+Qed.
+Lemma interp_complete_ret μ e1 e2 :
+  e1 -{μ}->* e2 → final μ e2 →
+  ∃ w m, interp' m μ ∅ e1 = mret w ∧ e2 = val_to_expr w.
+Proof.
+  intros Hsteps Hfinal. apply interp_complete in Hsteps
+    as ([w|] & m & ? & ?); naive_solver eauto using final_nf.
+Qed.
+Lemma interp_complete_fail μ e1 e2 :
+  e1 -{μ}->* e2 → nf (step μ) e2 → ¬final μ e2 →
+  ∃ m, interp' m μ ∅ e1 = mfail.
+Proof.
+  intros Hsteps Hnf Hfinal.
+  apply interp_complete in Hsteps as ([w|] & m & ? & ?);
+    naive_solver eauto using final_val_to_expr'.
+Qed.
+Lemma interp_sound_open n E e mv :
+  interp n E e = Res mv →
+  ∃ e', subst_env E e -{SHALLOW}->* e' ∧
+        if mv is Some v' then e' = val_to_expr v' else stuck SHALLOW e'
+with interp_thunk_sound n t mv :
+  interp_thunk n t = Res mv →
+  ∃ e', thunk_to_expr t -{SHALLOW}->* e' ∧
+        if mv is Some v' then e' = val_to_expr v' else stuck SHALLOW e'
+with interp_app_sound n v1 t2 mv :
+  interp_app n v1 t2 = Res mv →
+  ∃ e', EApp (val_to_expr v1) (thunk_to_expr t2) -{SHALLOW}->* e' ∧
+        if mv is Some v' then e' = val_to_expr v' else stuck SHALLOW e'
+with force_deep_sound n v mv :
+  force_deep n v = Res mv →
+  ∃ e', val_to_expr v -{DEEP}->* e' ∧
+        if mv is Some v' then e' = val_to_expr v' else stuck DEEP e'.
+Proof.
+  - destruct n as [|n]; [done|].
+    rewrite subst_env_eq interp_S. intros Hinterp.
+    destruct e; simplify_res.
+    + (* ELit *) case_guard; simplify_res.
+      * by eexists.
+      * eexists; split; [done|]. split; [|by inv 1]. intros [??]; inv_step.
+    + (* EId *)
+      assert (union_kinded (prod_map id thunk_to_expr <$> E !! x) mke
+      = prod_map id thunk_to_expr <$> (union_kinded (E !! x)
+          (prod_map id (Thunk ∅) <$> mke))) as ->.
+      { destruct (_ !! _) as [[[]]|], mke as [[[]]|];
+          by rewrite /= ?thunk_to_expr_eq /= ?subst_env_empty. }
+      destruct (union_kinded _ _) as [[k t]|]; simplify_res.
+      * apply interp_thunk_sound in Hinterp as (e' & Hsteps & He').
+        exists e'; split; [|done]. eapply rtc_l; [constructor|done].
+      * eexists; split; [done|]. split; [|inv 1]. intros [? Hstep]. inv_step.
+    + (* EAbs *) by eexists.
+    + (* EAbsMatch *) by eexists.
+    + (* EApp *)
+      destruct (interp _ _ _) as [mv1|] eqn:Hinterp1; simplify_res.
+      apply interp_sound_open in Hinterp1 as (e1' & Hsteps1 & He1').
+      destruct mv1 as [v1|]; simplify_res; last first.
+      { eexists; split; [by eapply SAppL_rtc|]. split; [|inv 1].
+        intros [??]. destruct He1' as [Hnf []].
+        inv_step; eauto using final. destruct Hnf; eauto. }
+      apply interp_app_sound in Hinterp as (e' & Hsteps2 & He').
+      eexists e'; split; [|done]. etrans; [|done]. by eapply SAppL_rtc.
+    + (* ESeq *) destruct (interp _ _ e1) as [mv'|] eqn:Hinterp'; simplify_res.
+      apply interp_sound_open in Hinterp' as (e' & Hsteps & He').
+      destruct mv' as [v'|]; simplify_res; last first.
+      { eexists; repeat split; [by apply SSeq_rtc, steps_shallow_any| |inv 1].
+        intros [e'' Hstep]. destruct He' as [Hnf Hfinal].
+        destruct Hfinal. inv_step; eauto using final_any_shallow.
+        apply step_any_shallow in H2 as []; [|done]. destruct Hnf; eauto. }
+      destruct μ; simplify_res.
+      { apply interp_sound_open in Hinterp as (e'' & Hsteps' & He'').
+        eexists; split; [|done]. etrans; first by apply SSeq_rtc.
+        eapply rtc_l; first by apply SSeqFinal. done. }
+      destruct (force_deep _ _) as [mw|] eqn:Hforce; simplify_res.
+      pose proof Hforce as Hforce'.
+      apply force_deep_sound in Hforce' as (e'' & Hsteps' & He'').
+      destruct mw as [w|]; simplify_res; last first.
+      { eexists. split.
+        { etrans; [by eapply SSeq_rtc, steps_shallow_any|].
+          etrans; [by eapply SSeq_rtc|]. done. }
+        split; [|inv 1]. destruct He''. intros [e''' Hstep].
+        inv_step; eauto using step_not_final. }
+      apply interp_sound_open in Hinterp as (e''' & Hsteps'' & He''').
+      exists e'''. split; [|done].
+      etrans; [by eapply SSeq_rtc, steps_shallow_any|].
+      etrans; [by eapply SSeq_rtc|].
+      eapply rtc_l; first by eapply SSeqFinal, final_force_deep. done.
+    + (* EList *)
+      eexists; split; [done|]. f_equal.
+      induction es; f_equal/=; auto.
+    + (* EAttr *)
+      eexists; split; [apply SAttr_rec_rtc|].
+      f_equal. apply map_eq=> x. rewrite !lookup_fmap.
+      destruct (αs !! x) as [[[] e]|] eqn:?; do 2 f_equal/=.
+      by rewrite subst_env_indirects_env_attr_to_tattr.
+    + (* ELetAttr *) destruct (interp _ _ _) as [mv'|] eqn:Hinterp'; simplify_res.
+      apply interp_sound_open in Hinterp' as (e' & Hsteps & He').
+      destruct mv' as [v'|]; simplify_res; last first.
+      { eexists; repeat split; [by apply SLetAttr_rtc| |inv 1].
+        intros [e'' Hstep]. destruct He' as [Hnf Hfinal].
+        inv_step; [by destruct Hfinal; constructor|]. destruct Hnf; eauto. }
+      destruct (maybe VAttr v') eqn:?; simplify_res; last first.
+      { eexists; repeat split; [by apply SLetAttr_rtc| |inv 1].
+        intros [e'' Hstep]. destruct v'; inv_step; simplify_eq/=. }
+      destruct v'; simplify_res.
+      apply interp_sound_open in Hinterp as (e'' & Hsteps' & He'').
+      eexists; split; [|done]. etrans; [by apply SLetAttr_rtc|].
+      eapply rtc_l; [by econstructor|].
+      rewrite subst_env_union in Hsteps'.
+      rewrite subst_env_alt -!map_fmap_compose in Hsteps'.
+      by rewrite -map_fmap_compose.
+    + (* EBinOp *)
+      destruct (interp _ _ e1) as [mv1|] eqn:Hinterp1; simplify_res.
+      apply interp_sound_open in Hinterp1 as (e1' & Hsteps1 & He1').
+      destruct mv1 as [v1|]; simplify_res; last first.
+      { eexists; split; [by eapply SBinOpL_rtc|]. split; [|inv 1].
+        intros [? Hstep]. destruct He1'. inv_step; naive_solver. }
+      destruct (interp_bin_op _ v1) as [f|] eqn:Hop; simplify_res; last first.
+      { assert (¬∃ Φ, sem_bin_op op (val_to_expr v1) Φ).
+        { by intros [? ?%interp_bin_op_Some_2%not_eq_None_Some]. }
+        eexists; split; [by eapply SBinOpL_rtc|]. split; [|inv 1].
+        intros [? Hstep]. inv_step; eauto using step_not_val_to_expr. }
+      pose proof Hop as [Φ ?]%interp_bin_op_Some_1.
+      destruct (interp _ _ e2) as [mv2|] eqn:Hinterp2; simplify_res.
+      apply interp_sound_open in Hinterp2 as (e2' & Hsteps2 & He2').
+      destruct mv2 as [v2|]; simplify_res; last first.
+      { eexists; split.
+        { etrans; [by eapply SBinOpL_rtc|].
+          eapply SBinOpR_rtc; eauto using interp_bin_op_Some_1. }
+        split; [|inv 1]. destruct He2'.
+        intros [? Hstep]. inv_step; eauto using step_not_val_to_expr. }
+      destruct (f v2) eqn:Hf; simplify_res; last first.
+      { eexists; split.
+        { etrans; [by eapply SBinOpL_rtc|].
+          eapply SBinOpR_rtc; eauto using interp_bin_op_Some_1. }
+        split; [|inv 1]. pose proof @interp_bin_op_Some_Some_2.
+        intros [? Hstep]. inv_step; naive_solver eauto using step_not_val_to_expr. }
+      apply interp_thunk_sound in Hinterp as (e' & Hsteps3 & He').
+      eapply interp_bin_op_Some_Some_1 in Hf as (e3 & ? & ?); [|done..].
+      eapply delayed_steps_l in Hsteps3
+        as (e'' & Hsteps3 & Hdel); last done.
+      eexists e''; split.
+      { etrans; [by eapply SBinOpL_rtc|].
+        etrans; [eapply SBinOpR_rtc; eauto using interp_bin_op_Some_1|].
+        eapply rtc_l; [by econstructor|]. done. }
+      destruct mv.
+      { subst e'. eapply delayed_final_l in Hdel as <-; done. }
+      destruct He' as [Hnf Hfinal]. split.
+      { intros [e4 Hsteps4]. destruct Hnf.
+        eapply delayed_step_r in Hsteps4 as (e4' & Hstep4' & ?); [|done].
+        destruct Hstep4'; eauto. }
+      intros Hfinal'. eapply Hnf.
+      eapply delayed_final_r in Hfinal' as Hsteps; [|done].
+      destruct Hsteps; by eauto.
+    + (* EIf *)
+      destruct (interp _ _ e1) as [mv1|] eqn:Hinterp1; simplify_res.
+      apply interp_sound_open in Hinterp1 as (e1' & Hsteps1 & He1').
+      destruct mv1 as [v1|]; simplify_res; last first.
+      { eexists; repeat split; [by apply SIf_rtc| |inv 1].
+        intros [e'' Hstep]. destruct He1' as [Hnf Hfinal].
+        destruct Hfinal. inv_step; eauto using final. destruct Hnf; eauto. }
+      destruct (maybe_VLit v1 ≫= maybe LitBool) as [b|] eqn:Hbool;
+        simplify_res; last first.
+      { eexists; repeat split; [by apply SIf_rtc| |inv 1].
+        intros [e'' ?]. destruct v1; inv_step; eauto using final. }
+      apply interp_sound_open in Hinterp as (e' & Hsteps & He').
+      exists e'; split; [|done]. etrans; [by apply SIf_rtc|].
+      assert (val_to_expr v1 = ELit (LitBool b)) as ->.
+      { destruct v1; repeat destruct select base_lit; naive_solver. }
+      eapply rtc_l; [constructor|]. by destruct b.
+  - destruct n as [|n]; [done|]. rewrite interp_thunk_S /=.
+    intros Hthunk. destruct t; simplify_res; [by eauto using rtc..|].
+    destruct (tαs !! x) as [[e|t]|] eqn:Hx; simplify_res.
+    + apply interp_sound_open in Hthunk as (e' & Hsteps & ?).
+      exists e'; split; [|done]. etrans; [eapply SBinOpL_rtc, SAttr_rec_rtc|].
+      eapply rtc_l; [eapply SBinOp; repeat constructor|]; try done; simpl.
+      eexists; split; [done|]. rewrite !lookup_fmap Hx /=.
+      rewrite -subst_env_indirects_env_attr_to_tattr_empty.
+      by rewrite -subst_env_indirects_env.
+    + apply interp_thunk_sound in Hthunk as (e' & Hsteps & ?).
+      exists e'; split; [|done]. etrans; [eapply SBinOpL_rtc, SAttr_rec_rtc|].
+      eapply rtc_l; [eapply SBinOp; repeat constructor|]; try done; simpl.
+      eexists; split; [done|]. by rewrite !lookup_fmap Hx /=.
+    + eexists. split; [eapply SBinOpL_rtc, SAttr_rec_rtc|]. split; [|inv 1].
+      intros [??]. inv_step. inv H7. destruct H8 as (? & ? & Hx'); simplify_eq/=.
+      by rewrite !lookup_fmap Hx in Hx'.
+  - destruct n as [|n]; [done|]. rewrite interp_app_S /=. intros Happ.
+    destruct v1; simplify_res.
+    + eexists; split; [done|]. split; [|inv 1]. intros [??]; inv_step.
+    + eapply interp_sound_open in Happ as (e' & Hsteps & He').
+      eexists; split; [|done]. eapply rtc_l; [constructor|].
+      rewrite subst_abs_env_insert // in Hsteps.
+    + destruct (interp_thunk _ _) as [mv'|] eqn:Hthunk; simplify_res.
+      apply interp_thunk_sound in Hthunk as (et & Htsteps & Het).
+      destruct mv' as [v'|]; simplify_res; last first.
+      { eexists; split; [by eapply SAppR_rtc|].
+        split; [|inv 1]. destruct Het.
+        intros [??]; inv_step; eauto using final. }
+      destruct (maybe VAttr v') as [ts|] eqn:?; simplify_res; last first.
+      { eexists; repeat split; [by apply SAppR_rtc| |inv 1].
+        intros [e'' Hstep]. destruct v'; inv_step; simplify_eq/=. }
+      destruct v'; simplify_res.
+      destruct (interp_match _ _ _) as [tαs|] eqn:Hmatch;
+        simplify_res; last first.
+      { eexists; repeat split; [by apply SAppR_rtc| |inv 1].
+        intros [e'' Hstep]. inv_step.
+        rewrite map_fmap_compose fmap_attr_expr_Attr in H6.
+        apply interp_match_Some_2 in H6. rewrite interp_match_subst in H6.
+        opose proof (interp_match_proper ∅ ∅
+          (Thunk ∅ <$> (thunk_to_expr <$> ts)) ts ms ms strict _ _).
+        { apply map_eq=> x. rewrite !lookup_fmap.
+          destruct (ts !! x); f_equal/=. by rewrite subst_env_empty. }
+        { done. }
+        repeat destruct (interp_match _ _ _); simplify_eq/=. }
+      pose proof (interp_match_subst E ts ms strict) as Hmatch'.
+      rewrite Hmatch /= in Hmatch'.
+      apply interp_match_Some_1 in Hmatch'.
+      apply interp_sound_open in Happ as (e' & Hsteps & ?).
+      exists e'; split; [|done].
+      etrans; [by apply SAppR_rtc|].
+      eapply rtc_l; [constructor; [done|]|].
+      { rewrite map_fmap_compose fmap_attr_expr_Attr. done. }
+      etrans; [|apply Hsteps]. apply reflexive_eq. f_equal.
+      rewrite subst_env_indirects_env.
+      rewrite subst_env_indirects_env_attr_to_tattr_empty.
+      do 2 f_equal. apply map_eq=> y. rewrite !lookup_fmap.
+      destruct (_ !! y) as [[]|]; f_equal/=. by rewrite subst_env_empty.
+    + eexists; split; [done|]. split; [|inv 1]. intros [??]; inv_step.
+    + destruct (ts !! _) eqn:Hfunc; simplify_res; last first.
+      { eexists; split; [by eapply SAppL_rtc|]. split; [|inv 1].
+        intros [??]; inv_step; simplify_map_eq. }
+      destruct (interp_thunk _ _) as [mv'|] eqn:Hthunk; simplify_res.
+      apply interp_thunk_sound in Hthunk as (et & Htsteps & Het).
+      assert (EApp (EAttr (AttrN ∘ thunk_to_expr <$> ts)) (thunk_to_expr t2)
+        -{SHALLOW}->*
+        EApp (EApp et (EAttr (AttrN ∘ thunk_to_expr <$> ts))) (thunk_to_expr t2))
+        as Hsteps; [|clear Htsteps].
+      { eapply rtc_l; [constructor; by simplify_map_eq|].
+        eapply SAppL_rtc, SAppL_rtc, Htsteps. }
+      destruct mv' as [v'|]; simplify_res; last first.
+      { eexists; split; [exact Hsteps|].
+        split; [|inv 1]. intros [??]. destruct Het as [Hnf []].
+        inv_step; eauto using final. destruct Hnf; eauto. }
+      destruct (interp_app _ _ _) as [mv'|] eqn:Happ'; simplify_res.
+      apply interp_app_sound in Happ' as (e' & Hsteps' & He').
+      destruct mv' as [v''|]; simplify_res; last first.
+      { eexists; split; [etrans; [apply Hsteps|apply SAppL_rtc, Hsteps']|].
+        split; [|inv 1]. intros [??]. destruct He' as [Hnf []].
+        inv_step; eauto using final. destruct Hnf; eauto. }
+      apply interp_app_sound in Happ as (e'' & Hsteps'' & He'').
+      eexists e''; split; [|done].
+      etrans; [apply Hsteps|]. etrans; [apply SAppL_rtc, Hsteps'|]. done.
+  - destruct n as [|n]; [done|]. rewrite force_deep_S.
+    intros Hforce. destruct v; simplify_res.
+    + (* VLit *) by eexists.
+    + (* VAbs *) by eexists.
+    + (* VAbsMatch *) by eexists.
+    + (* VList *)
+      destruct (mapM _ _) as [mvs|] eqn:Hmap; simplify_res.
+      assert (∃ ts',
+        EList (thunk_to_expr <$> ts) -{DEEP}->* EList (thunk_to_expr <$> ts') ∧
+        if mvs is Some vs then thunk_to_expr <$> ts' = val_to_expr <$> vs
+        else nf (step DEEP) (EList (thunk_to_expr <$> ts')) ∧
+          ¬Forall (final DEEP ∘ thunk_to_expr) ts')
+        as (ts' & Hsteps & Hts'); last first.
+      { eexists; split; [done|]. destruct mvs as [vs|]; simplify_eq/=.
+        * f_equal. rewrite -list_fmap_compose Hts'.
+          clear. induction vs; f_equal/=; auto.
+        * destruct Hts' as [Hnf Hfinal]; split; [done|].
+          inv 1. by apply Hfinal, Forall_fmap. }
+      revert mvs Hmap. induction ts as [|t ts IH]; intros mv' Hmap; simplify_res.
+      { by exists []. }
+      destruct (interp_thunk _ _) as [mv''|] eqn:Hthunk; simplify_res.
+      apply interp_thunk_sound in Hthunk as (et & Htsteps & Het).
+      destruct mv'' as [v''|]; simplify_res; last first.
+      { exists (Thunk ∅ et :: ts); csimpl. rewrite subst_env_empty.
+        apply (stuck_shallow_any DEEP) in Het as [??]. split_and!.
+        * eapply (SList_rtc []); [done|].
+          etrans; [by apply steps_shallow_any|done].
+        * by apply List_nf_cons.
+        * rewrite Forall_cons /= subst_env_empty.
+          naive_solver eauto using final_any_shallow. }
+      destruct (force_deep _ _) as [mvf|] eqn:Hforce; simplify_res.
+      pose proof Hforce as Hforce'.
+      apply force_deep_sound in Hforce' as (e' & Hsteps' & He').
+      destruct mvf as [vf|]; simplify_res; last first.
+      { exists (Thunk ∅ e' :: ts). csimpl. rewrite subst_env_empty.
+        destruct He'. split_and!.
+        * eapply (SList_rtc []); [done|].
+          etrans; [by apply steps_shallow_any|done].
+        * by apply List_nf_cons.
+        * rewrite Forall_cons /= subst_env_empty. naive_solver. }
+      destruct (mapM _ _) as [mvs|] eqn:Hmap'; simplify_res.
+      destruct (IH _ eq_refl) as (ts' & Hsteps'' & Hts').
+      exists (Forced vf :: ts'); csimpl. split.
+      { etrans; [eapply (SList_rtc []); [done..|];
+          etrans; [by apply steps_shallow_any|done]|]; simpl.
+        eapply List_steps_cons; by eauto using final_force_deep. }
+      destruct mvs as [vs|]; simplify_res.
+      { by rewrite Hts'. }
+      split; [|rewrite Forall_cons; naive_solver].
+      apply List_nf_cons_final; naive_solver eauto using final_force_deep.
+    + (* VAttr *)
+      destruct (map_mapM_sorted _ _) as [mvs|] eqn:Hmap; simplify_res.
+      assert (∃ ts',
+        EAttr (AttrN ∘ thunk_to_expr <$> ts) -{DEEP}->*
+          EAttr (AttrN ∘ thunk_to_expr <$> ts') ∧
+        if mvs is Some vs then thunk_to_expr <$> ts' = val_to_expr <$> vs
+        else nf (step DEEP) (EAttr (AttrN ∘ thunk_to_expr <$> ts')) ∧
+          ¬map_Forall (λ _, final DEEP ∘ thunk_to_expr) ts')
+        as (ts' & Hsteps & Hts'); last first.
+      { eexists; split; [done|]. destruct mvs as [vs|]; simplify_eq/=.
+        * f_equal. rewrite map_fmap_compose Hts'.
+          apply map_eq=> x. rewrite !lookup_fmap. by destruct (vs !! x).
+        * destruct Hts' as [Hnf Hfinal]; split; [done|].
+          inv 1. apply Hfinal=> x t Hx /=.
+          ospecialize (H2 x _ _); first by rewrite lookup_fmap Hx. done. }
+      revert mvs Hmap. induction ts as [|x t ts Hx ? IH]
+        using (map_sorted_ind attr_le); intros mv' Hmap.
+      { rewrite map_mapM_sorted_empty in Hmap; simplify_res. by exists ∅. }
+      rewrite map_mapM_sorted_insert //= in Hmap.
+      assert ((AttrN ∘ thunk_to_expr <$> ts) !! x = None).
+      { by rewrite lookup_fmap Hx. }
+      assert (∀ y α, (AttrN ∘ thunk_to_expr <$> ts) !! y = Some α →
+        final DEEP (attr_expr α) ∨ attr_le x y).
+      { intros y α. rewrite lookup_fmap. destruct (ts !! y) eqn:?; naive_solver. }
+      destruct (interp_thunk _ _) as [mv''|] eqn:Hthunk; simplify_res.
+      apply interp_thunk_sound in Hthunk as (et & Htsteps & Het).
+      destruct mv'' as [v''|]; simplify_res; last first.
+      { exists (<[x:=Thunk ∅ et]> ts).
+        rewrite !fmap_insert /= subst_env_empty.
+        apply (stuck_shallow_any DEEP) in Het as [??]. split_and!.
+        * eapply SAttr_lookup_rtc; [done..|].
+          etrans; [by apply steps_shallow_any|done].
+        * apply Attr_nf_insert; auto.
+          intros y. rewrite lookup_fmap fmap_is_Some. eauto.
+        * rewrite map_Forall_insert //= subst_env_empty.
+          naive_solver eauto using final_any_shallow. }
+      destruct (force_deep _ _) as [mvf|] eqn:Hforce; simplify_res.
+      pose proof Hforce as Hforce'.
+      apply force_deep_sound in Hforce' as (e' & Hsteps' & He').
+      destruct mvf as [vf|]; simplify_res; last first.
+      { exists (<[x:=Thunk ∅ e']> ts). rewrite !fmap_insert /= subst_env_empty.
+        destruct He'. split_and!.
+        * eapply SAttr_lookup_rtc; [done..|].
+          etrans; [by apply steps_shallow_any|done].
+        * apply Attr_nf_insert; auto.
+          intros y. rewrite lookup_fmap fmap_is_Some. eauto.
+        * rewrite map_Forall_insert //= subst_env_empty. naive_solver. }
+      destruct (map_mapM_sorted _ _ _) as [mvs|] eqn:Hmap'; simplify_res.
+      destruct (IH _ eq_refl) as (ts' & Hsteps'' & Hts').
+      exists (<[x:=Forced vf]> ts'). split.
+      { rewrite !fmap_insert /=.
+        etrans; [eapply SAttr_lookup_rtc; [done..|];
+          etrans; [by apply steps_shallow_any|done]|].
+        eapply Attr_steps_insert; by eauto using final_force_deep. }
+      destruct mvs as [vs|]; simplify_res.
+      { by rewrite !fmap_insert Hts'. }
+      assert (∀ y, ts !! y = None ↔ ts' !! y = None) as Hdom.
+      { intros y. rewrite -!(fmap_None (AttrN ∘ thunk_to_expr)).
+        rewrite -!lookup_fmap. by eapply Attr_steps_dom. }
+      split; [|rewrite map_Forall_insert; naive_solver].
+      rewrite fmap_insert /=. apply Attr_nf_insert_final;
+        eauto using final_force_deep.
+      * rewrite lookup_fmap fmap_None. naive_solver.
+      * intros y. rewrite lookup_fmap fmap_is_Some.
+        rewrite -not_eq_None_Some -Hdom not_eq_None_Some. auto.
+      * naive_solver.
+Qed.
+Lemma interp_sound_open' n μ E e mv :
+  interp' n μ E e = Res mv →
+  ∃ e', subst_env E e -{μ}->* e' ∧
+        if mv is Some v' then e' = val_to_expr v' else stuck μ e'.
+Proof.
+  intros Hinterp. destruct μ.
+  { rewrite interp_shallow' in Hinterp. by eapply interp_sound_open. }
+  rewrite /interp' /= in Hinterp.
+  destruct (interp n E e) as [mv'|] eqn:Hinterp'; simplify_res.
+  apply interp_sound_open in Hinterp' as (e' & Hsteps & He').
+  destruct mv' as [v'|]; simplify_res; last first.
+  { eauto using steps_shallow_any, stuck_shallow_any. }
+  eapply force_deep_sound in Hinterp as (e'' & Hsteps' & He'').
+  eexists; split; [|done]. etrans; [by eapply steps_shallow_any|done].
+Qed.
+Lemma interp_sound n μ e mv :
+  interp' n μ ∅ e = Res mv →
+  ∃ e', e -{μ}->* e' ∧
+        if mv is Some v then e' = val_to_expr v else stuck μ e'.
+Proof.
+  intros Hsteps%interp_sound_open'. by rewrite subst_env_empty in Hsteps.
+Qed.
+(** Final theorems *)
+Theorem interp_sound_complete_ret e v :
+  (∃ w n, interp' n SHALLOW ∅ e = mret w ∧ val_to_expr v = val_to_expr w)
+    ↔ e -{SHALLOW}->* val_to_expr v.
+Proof.
+  split.
+  - by intros (n & w & (e' & ? & ->)%interp_sound & ->).
+  - intros Hsteps. apply interp_complete in Hsteps as ([] & ? & ? & ?);
+      unfold nf, red;
+      naive_solver eauto using final_val_to_expr, step_not_val_to_expr.
+Qed.
+Theorem interp_sound_complete_ret_lit μ e bl (Hbl : base_lit_ok bl) :
+  (∃ n, interp' n μ ∅ e = mret (VLit bl Hbl)) ↔ e -{μ}->* ELit bl.
+Proof.
+  split.
+  - intros [n (e' & ? & ->)%interp_sound]. done.
+  - intros Hsteps. apply interp_complete_ret in Hsteps
+      as ([] & n & ? & Hv); simplify_eq/=; last by constructor.
+    exists n. by rewrite (proof_irrel Hbl Hbl0).
+Qed.
+Theorem interp_sound_complete_fail μ e :
+  (∃ n, interp' n μ ∅ e = mfail) ↔ ∃ e', e -{μ}->* e' ∧ stuck μ e'.
+Proof.
+  split.
+  - by intros [n ?%interp_sound].
+  - intros (e' & Hsteps & Hnf & Hfinal). by eapply interp_complete_fail.
+Qed.
+Theorem interp_sound_complete_no_fuel μ e :
+  (∀ n, interp' n μ ∅ e = NoFuel) ↔ all_loop (step μ) e.
+Proof.
+  rewrite all_loop_alt. split.
+  - intros Hnofuel e' Hsteps.
+    destruct (red_final_interp μ e') as [|[|He']]; [done|..].
+    + apply interp_complete_ret in Hsteps as (w & m & Hinterp & _); last done.
+      by rewrite Hnofuel in Hinterp.
+    + apply interp_sound_complete_fail in He' as (e'' & ? & [Hnf _]).
+      destruct (interp_complete μ e e'')
+        as (mv & n & Hinterp & _); [by etrans|done|].
+      by rewrite Hnofuel in Hinterp.
+  - intros Hred n. destruct (interp' n μ ∅ e) as [mv|] eqn:Hinterp; [|done].
+    destruct (interp_sound _ _ _ _ Hinterp) as (e' & Hsteps & Hstuck).
+    destruct mv as [v|]; simplify_eq/=.
+    + apply Hred in Hsteps as []%final_nf. by eapply final_val_to_expr'.
+    + destruct Hstuck as [[] ?]; eauto.
+Qed.
diff --git a/theories/nix/notations.v b/theories/nix/notations.v
new file mode 100644
index 0000000..e9995b5
--- /dev/null
+++ b/theories/nix/notations.v
@@ -0,0 +1,43 @@
+From mininix Require Export nix.operational.
+(* Influenced by
+https://gitlab.mpi-sws.org/iris/iris/-/blob/master/iris_heap_lang/notation.v
+But always uses ":" instead of a scope. *)
+Coercion EId' : string >-> expr.
+Coercion NInt : Z >-> num.
+Coercion NFloat : float >-> num.
+Coercion LitNum : num >-> base_lit.
+Coercion LitBool : bool >-> base_lit.
+Coercion ELit : base_lit >-> expr.
+Coercion EApp : expr >-> Funclass.
+Notation "λattr: a , e" := (EAbsMatch a true e)
+  (at level 200, e, a at level 200,
+   format "'[' 'λattr:'  a  ,  '/  ' e ']'").
+Notation "λattr: a .., e" := (EAbsMatch a false e)
+  (at level 200, e, a at level 200,
+   format "'[' 'λattr:'  a  ..,  '/  ' e ']'").
+Notation "λ: x .. y , e" := (EAbs x .. (EAbs y e) ..)
+  (at level 200, x, y at level 1, e at level 200,
+   format "'[' 'λ:'  x  ..  y ,  '/  ' e ']'").
+Notation "'let:' x := e1 'in' e2" := (ELet x e1 e2)
+  (at level 200, x at level 1, e1, e2 at level 200,
+   format "'[' 'let:'  x  :=  '[' e1 ']'  'in'  '/' e2 ']'").
+Notation "'with:' a 'in' e" := (EWith a e)
+  (at level 200, a, e at level 200,
+   format "'[' 'with:'  a  'in'  '/' e ']'").
+Notation "'if:' e1 'then' e2 'else' e3" := (EIf e1 e2 e3)
+  (at level 200, e1, e2, e3 at level 200).
+Notation "e1 .: e2" := (ESelect e1 e2) (at level 70, no associativity).
+Notation "e1 +: e2" := (EBinOp AddOp e1 e2) (at level 50, left associativity).
+Notation "e1 *: e2" := (EBinOp MulOp e1 e2).
+Notation "e1 -: e2" := (EBinOp SubOp e1 e2) (at level 50, left associativity).
+Notation "e1 /: e2" := (EBinOp DivOp e1 e2) (at level 40).
+Notation "e1 =: e2" := (EBinOp EqOp e1 e2) (at level 70, no associativity).
+Notation "e1 <: e2" := (EBinOp LtOp e1 e2) (at level 70, no associativity).
+Notation "'ceil:' e" := (EBinOp (RoundOp Ceil) e LitNull) (at level 10).
diff --git a/theories/nix/operational.v b/theories/nix/operational.v
new file mode 100644
index 0000000..d3f0777
--- /dev/null
+++ b/theories/nix/operational.v
@@ -0,0 +1,527 @@
+From mininix Require Export utils nix.floats.
+From stdpp Require Import options.
+(** Our development does not rely on a particular order on attribute set names.
+It can be any decidable total order. We pick something concrete (lexicographic
+order on strings) to avoid having to parametrize the whole development. *)
+Definition attr_le := String.le.
+Global Instance attr_le_dec : RelDecision attr_le := _.
+Global Instance attr_le_po : PartialOrder attr_le := _.
+Global Instance attr_le_total : Total attr_le := _.
+Global Typeclasses Opaque attr_le.
+Inductive mode := SHALLOW | DEEP.
+Inductive kind := ABS | WITH.
+Inductive rec := REC | NONREC.
+Global Instance rec_eq_dec : EqDecision rec.
+Proof. solve_decision. Defined.
+Inductive num :=
+  | NInt (n : Z)
+  | NFloat (f : float).
+Inductive base_lit :=
+  | LitNum (n : num)
+  | LitBool (b : bool)
+  | LitString (s : string)
+  | LitNull.
+Global Instance num_inhabited : Inhabited num := populate (NInt 0).
+Global Instance base_lit_inhabited : Inhabited base_lit := populate LitNull.
+Global Instance num_eq_dec : EqDecision num.
+Proof. solve_decision. Defined.
+Global Instance base_lit_eq_dec : EqDecision base_lit.
+Proof. solve_decision. Defined.
+Global Instance maybe_NInt : Maybe NInt := λ n,
+  if n is NInt i then Some i else None.
+Global Instance maybe_NFloat : Maybe NFloat := λ n,
+  if n is NFloat f then Some f else None.
+Global Instance maybe_LitNum : Maybe LitNum := λ bl,
+  if bl is LitNum n then Some n else None.
+Global Instance maybe_LitBool : Maybe LitBool := λ bl,
+  if bl is LitBool b then Some b else None.
+Global Instance maybe_LitString : Maybe LitString := λ bl,
+  if bl is LitString s then Some s else None.
+Inductive bin_op : Set :=
+  | AddOp | SubOp | MulOp | DivOp | AndOp | OrOp | XOrOp (* Arithmetic *)
+  | LtOp | EqOp (* Relations *)
+  | RoundOp (m : round_mode) (* Conversions *)
+  | MatchStringOp (* Strings *)
+  | MatchListOp | AppendListOp (* Lists *)
+  | SelectAttrOp | UpdateAttrOp | HasAttrOp
+  | DeleteAttrOp | SingletonAttrOp | MatchAttrOp (* Attribute sets *)
+  | FunctionArgsOp | TypeOfOp.
+Global Instance bin_op_eq_dec : EqDecision bin_op.
+Proof. solve_decision. Defined.
+Global Instance maybe_RoundOp : Maybe RoundOp := λ op,
+  if op is RoundOp m then Some m else None.
+Section expr.
+  Local Unset Elimination Schemes.
+  Inductive expr :=
+    | ELit (bl : base_lit)
+    | EId (x : string) (mke : option (kind * expr))
+    | EAbs (x : string) (e : expr)
+    | EAbsMatch (ms : gmap string (option expr)) (strict : bool) (e : expr)
+    | EApp (e1 e2 : expr)
+    | ESeq (μ : mode) (e1 e2 : expr)
+    | EList (es : list expr)
+    | EAttr (αs : gmap string attr)
+    | ELetAttr (k : kind) (e1 e2 : expr)
+    | EBinOp (op : bin_op) (e1 e2 : expr)
+    | EIf (e1 e2 e3 : expr)
+  with attr :=
+    | Attr (τ : rec) (e : expr).
+End expr.
+Definition EId' x := EId x None.
+Notation AttrR := (Attr REC).
+Notation AttrN := (Attr NONREC).
+Notation ESelect e x := (EBinOp SelectAttrOp e (ELit (LitString x))).
+Notation ELet x e := (ELetAttr ABS (EAttr {[ x := AttrN e ]})).
+Notation EWith := (ELetAttr WITH).
+Definition attr_expr (α : attr) : expr := match α with Attr _ e => e end.
+Definition attr_rec (α : attr) : rec := match α with Attr μ _ => μ end.
+Definition attr_map (f : expr → expr) (α : attr) : attr :=
+  match α with Attr μ e => Attr μ (f e) end.
+Definition from_attr {A} (f g : expr → A) (α : attr) : A :=
+  match α with AttrR e => f e | AttrN e => g e end.
+Definition merge_kinded {A} (new old : kind * A) : option (kind * A) :=
+  match new.1, old.1 with
+  | WITH, ABS => Some old
+  | _, _ => Some new
+  end.
+Arguments merge_kinded {_} !_ !_ / : simpl nomatch.
+Notation union_kinded := (union_with merge_kinded).
+Definition no_recs : gmap string attr → Prop :=
+  map_Forall (λ _ α, attr_rec α = NONREC).
+Definition indirects (αs : gmap string attr) : gmap string (kind * expr) :=
+  map_imap (λ x _, Some (ABS, ESelect (EAttr αs) x)) αs.
+Fixpoint subst (ds : gmap string (kind * expr)) (e : expr) : expr :=
+  match e with
+  | ELit b => ELit b
+  | EId x mkd => EId x $ union_kinded (ds !! x) mkd
+  | EAbs x e => EAbs x (subst ds e)
+  | EAbsMatch ms strict e =>
+      EAbsMatch (fmap (M:=option) (subst ds) <$> ms) strict (subst ds e)
+  | EApp e1 e2 => EApp (subst ds e1) (subst ds e2)
+  | ESeq μ e1 e2 => ESeq μ (subst ds e1) (subst ds e2)
+  | EList es => EList (subst ds <$> es)
+  | EAttr αs => EAttr (attr_map (subst ds) <$> αs)
+  | ELetAttr k e1 e2 => ELetAttr k (subst ds e1) (subst ds e2)
+  | EBinOp op e1 e2 => EBinOp op (subst ds e1) (subst ds e2)
+  | EIf e1 e2 e3 => EIf (subst ds e1) (subst ds e2) (subst ds e3)
+  end.
+Notation attr_subst ds := (attr_map (subst ds)).
+Definition int_min : Z := -(1 ≪ 63).
+Definition int_max : Z := 1 ≪ 63 - 1.
+Definition int_ok (i : Z) : bool := bool_decide (int_min ≤ i ≤ int_max)%Z.
+Definition num_ok (n : num) : bool :=
+  match n with NInt i => int_ok i | _ => true end.
+Definition base_lit_ok (bl : base_lit) : bool :=
+  match bl with LitNum n => num_ok n | _ => true end.
+Inductive final : mode → expr → Prop :=
+  | ELitFinal μ bl : base_lit_ok bl → final μ (ELit bl)
+  | EAbsFinal μ x e : final μ (EAbs x e)
+  | EAbsMatchFinal μ ms strict e : final μ (EAbsMatch ms strict e)
+  | EListShallowFinal es : final SHALLOW (EList es)
+  | EListDeepFinal es : Forall (final DEEP) es → final DEEP (EList es)
+  | EAttrShallowFinal αs : no_recs αs → final SHALLOW (EAttr αs)
+  | EAttrDeepFinal αs :
+     no_recs αs →
+     map_Forall (λ _, final DEEP ∘ attr_expr) αs →
+     final DEEP (EAttr αs).
+Fixpoint sem_eq_list (es1 es2 : list expr) : expr :=
+  match es1, es2 with
+  | [], [] => ELit (LitBool true)
+  | e1 :: es1, e2 :: es2 =>
+      EIf (EBinOp EqOp e1 e2) (sem_eq_list es1 es2) (ELit (LitBool false))
+  | _, _ => ELit (LitBool false)
+  end.
+Fixpoint sem_lt_list (es1 es2 : list expr) : expr :=
+  match es1, es2 with
+  | [], _ => ELit (LitBool true)
+  | e1 :: es1, e2 :: es2 =>
+      EIf (EBinOp LtOp e1 e2) (ELit (LitBool true)) $
+        EIf (EBinOp EqOp e1 e2) (sem_lt_list es1 es2) (ELit (LitBool false))
+  | _ :: _, [] => ELit (LitBool false)
+  end.
+Definition sem_and_attr (es : gmap string expr) : expr :=
+  map_fold_sorted attr_le
+    (λ _ e1 e2, EIf e1 e2 (ELit (LitBool false)))
+    (ELit (LitBool true)) es.
+Definition sem_eq_attr (αs1 αs2 : gmap string attr) : expr :=
+  sem_and_attr $ merge (λ mα1 mα2,
+    α1 ← mα1; α2 ← mα2; Some (EBinOp EqOp (attr_expr α1) (attr_expr α2))) αs1 αs2.
+Definition num_to_float (n : num) : float :=
+  match n with
+  | NInt i => Float.of_Z i
+  | NFloat f => f
+  end.
+Definition sem_bin_op_lift
+    (fint : Z → Z → Z) (ffloat : float → float → float)
+    (n1 n2 : num) : option num :=
+  match n1, n2 with
+  | NInt i1, NInt i2 =>
+     let i := fint i1 i2 in
+     guard (int_ok i);;
+     Some (NInt i)
+  | _, _ => Some $ NFloat $ ffloat (num_to_float n1) (num_to_float n2)
+  end.
+Definition sem_bin_rel_lift
+    (fint : Z → Z → bool) (ffloat : float → float → bool)
+    (n1 n2 : num) : bool :=
+  match n1, n2 with
+  | NInt i1, NInt i2 => fint i1 i2
+  | _, _ => ffloat (num_to_float n1) (num_to_float n2)
+  end.
+Definition sem_eq_base_lit (bl1 bl2 : base_lit) : bool :=
+  match bl1, bl2 with
+  | LitNum n1, LitNum n2 => sem_bin_rel_lift Z.eqb Float.eqb n1 n2
+  | LitBool b1, LitBool b2 => bool_decide (b1 = b2)
+  | LitString s1, LitString s2 => bool_decide (s1 = s2)
+  | LitNull, LitNull => true
+  | _, _ => false
+  end.
+(** Precondition e1 and e2 are final *)
+Definition sem_eq (e1 e2 : expr) : option expr :=
+  match e1, e2 with
+  | ELit bl1, ELit bl2 => Some $ ELit (LitBool (sem_eq_base_lit bl1 bl2))
+  | EAbs _ _, EAbs _ _ => None
+  | EList es1, EList es2 => Some $
+      if decide (length es1 = length es2) then sem_eq_list es1 es2
+      else ELit $ LitBool false
+  | EAttr αs1, EAttr αs2 => Some $
+      if decide (dom αs1 = dom αs2) then sem_eq_attr αs1 αs2
+      else ELit $ LitBool false
+  | _, _ => Some $ ELit (LitBool false)
+  end.
+Definition div_allowed (n : num) : bool :=
+  match n with
+  | NInt n => bool_decide (n ≠ 0%Z)
+  | NFloat f => negb (Float.eqb f (Float.of_Z 0)) (* TODO: Check NaNs *)
+  end.
+Definition sem_bin_op_num (op : bin_op) (n1 : num) : option (num → option base_lit) :=
+  match op with
+  | AddOp => Some $ λ n2,
+      LitNum <$> sem_bin_op_lift Z.add Float.add n1 n2
+  | SubOp => Some $ λ n2,
+      LitNum <$> sem_bin_op_lift Z.sub Float.sub n1 n2
+  | MulOp => Some $ λ n2,
+      LitNum <$> sem_bin_op_lift Z.mul Float.mul n1 n2
+  | DivOp => Some $ λ n2,
+      (* Quot can overflow: [MIN_INT `quot` -1] equals [MAX_INT + 1] *)
+      guard (div_allowed n2);;
+      LitNum <$> sem_bin_op_lift Z.quot Float.div n1 n2
+  | AndOp =>
+      i1 ← maybe NInt n1;
+      Some $ λ n2, i2 ← maybe NInt n2;
+        Some $ LitNum $ NInt $ Z.land i1 i2
+  | OrOp =>
+      i1 ← maybe NInt n1;
+      Some $ λ n2, i2 ← maybe NInt n2;
+        Some $ LitNum $ NInt $ Z.lor i1 i2
+  | XOrOp =>
+      i1 ← maybe NInt n1;
+      Some $ λ n2, i2 ← maybe NInt n2;
+        Some $ LitNum $ NInt $ Z.lxor i1 i2
+  | LtOp => Some $ λ n2,
+      Some $ LitBool (sem_bin_rel_lift Z.ltb Float.ltb n1 n2)
+  | _ => None
+  end%Z.
+Definition sem_bin_op_string (op : bin_op) : option (string → string → base_lit) :=
+  match op with
+  | AddOp => Some $ λ s1 s2, LitString (s1 +:+ s2)
+  | LtOp => Some $ λ s1 s2, LitBool (bool_decide (strict attr_le s1 s2))
+  | _ => None
+  end.
+Definition type_of_num (n : num) : string :=
+  match n with
+  | NInt _ => "int"
+  | NFloat _ => "float"
+  end.
+Definition type_of_base_lit (bl : base_lit) : string :=
+  match bl with
+  | LitNum n => type_of_num n
+  | LitBool _ => "bool"
+  | LitString _ => "string"
+  | LitNull => "null"
+  end.
+Definition type_of_expr (e : expr) :=
+  match e with
+  | ELit bl => Some (type_of_base_lit bl)
+  | EAbs _ _ | EAbsMatch _ _ _ => Some "lambda"
+  | EList _ => Some "list"
+  | EAttr _ => Some "set"
+  | _ => None
+  end.
+(* Used for [RoundOp] *)
+Definition float_to_bounded_Z (f : float) : Z :=
+  match Float.to_Z f with
+  | Some x => if decide (int_ok x) then x else int_min
+  | None => int_min
+  end.
+Inductive sem_bin_op : bin_op → expr → (expr → expr → Prop) → Prop :=
+  | EqSem e1 :
+     sem_bin_op EqOp e1 (λ e2 e, sem_eq e1 e2 = Some e)
+  | LitNumSem op n1 f :
+     sem_bin_op_num op n1 = Some f →
+     sem_bin_op op (ELit (LitNum n1)) (λ e2 e, ∃ n2 bl,
+       e2 = ELit (LitNum n2) ∧ f n2 = Some bl ∧ e = ELit bl)
+  | RoundSem m n1 :
+     sem_bin_op (RoundOp m) (ELit (LitNum n1)) (λ e2 e,
+       e2 = ELit LitNull ∧
+       e = ELit $ LitNum $ NInt $ float_to_bounded_Z $ Float.round m $ num_to_float n1)
+  | LitStringSem op s1 f :
+     sem_bin_op_string op = Some f →
+     sem_bin_op op (ELit (LitString s1)) (λ e2 e, ∃ s2,
+       e2 = ELit (LitString s2) ∧ e = ELit (f s1 s2))
+  | MatchStringSem s :
+     sem_bin_op MatchStringOp (ELit (LitString s)) (λ e2 e,
+       e2 = ELit LitNull ∧
+       match s with
+       | EmptyString => e = EAttr {[
+           "empty" := AttrN (ELit (LitBool true));
+           "head" := AttrN (ELit LitNull);
+           "tail" := AttrN (ELit LitNull) ]}
+       | String a s => e = EAttr {[
+           "empty" := AttrN (ELit (LitBool false));
+           "head" := AttrN (ELit (LitString (String a EmptyString)));
+           "tail" := AttrN (ELit (LitString s)) ]}
+       end)
+  | LtListSem es :
+     sem_bin_op LtOp (EList es) (λ e2 e, ∃ es',
+       e2 = EList es' ∧
+       e = sem_lt_list es es')
+  | MatchListSem es :
+     sem_bin_op MatchListOp (EList es) (λ e2 e,
+       e2 = ELit LitNull ∧
+       match es with
+       | [] => e = EAttr {[
+           "empty" := AttrN (ELit (LitBool true));
+           "head" := AttrN (ELit LitNull);
+           "tail" := AttrN (ELit LitNull) ]}
+       | e' :: es => e = EAttr {[
+           "empty" := AttrN (ELit (LitBool false));
+           "head" := AttrN e';
+           "tail" := AttrN (EList es) ]}
+       end)
+  | AppendListSem es :
+     sem_bin_op AppendListOp (EList es) (λ e2 e, ∃ es',
+       e2 = EList es' ∧
+       e = EList (es ++ es'))
+  | SelectAttrSem αs :
+     no_recs αs →
+     sem_bin_op SelectAttrOp (EAttr αs) (λ e2 e, ∃ x,
+       e2 = ELit (LitString x) ∧ αs !! x = Some (AttrN e))
+  | UpdateAttrSem αs1 :
+     no_recs αs1 →
+     sem_bin_op UpdateAttrOp (EAttr αs1) (λ e2 e, ∃ αs2,
+       e2 = EAttr αs2 ∧ no_recs αs2 ∧ e = EAttr (αs2 ∪ αs1))
+  | HasAttrSem αs :
+     no_recs αs →
+     sem_bin_op HasAttrOp (EAttr αs) (λ e2 e, ∃ x,
+       e2 = ELit (LitString x) ∧ e = ELit (LitBool (bool_decide (is_Some (αs !! x)))))
+  | DeleteAttrSem αs :
+     no_recs αs →
+     sem_bin_op DeleteAttrOp (EAttr αs) (λ e2 e, ∃ x,
+       e2 = ELit (LitString x) ∧ e = EAttr (delete x αs))
+  | SingletonAttrSem x :
+     sem_bin_op SingletonAttrOp (ELit (LitString x)) (λ e2 e,
+       e2 = ELit LitNull ∧
+       e = EAbs "t" (EAttr {[ x := AttrN (EId' "t") ]}))
+  | MatchAttrSem αs :
+     no_recs αs →
+     sem_bin_op MatchAttrOp (EAttr αs) (λ e2 e,
+       e2 = ELit LitNull ∧
+       ((αs = ∅ ∧
+         e = EAttr {[
+           "empty" := AttrN (ELit (LitBool true));
+           "key" := AttrN (ELit LitNull);
+           "head" := AttrN (ELit LitNull);
+           "tail" := AttrN (ELit LitNull) ]}) ∨
+       (∃ x e',
+         αs !! x = Some (AttrN e') ∧
+         (∀ y, is_Some (αs !! y) → attr_le x y) ∧
+         e = EAttr {[
+           "empty" := AttrN (ELit (LitBool false));
+           "key" := AttrN (ELit (LitString x));
+           "head" := AttrN e';
+           "tail" := AttrN (EAttr (delete x αs)) ]})))
+  | FunctionArgsAbsSem x e' :
+     sem_bin_op FunctionArgsOp (EAbs x e') (λ e2 e,
+       e2 = ELit LitNull ∧
+       e = EAttr ∅)
+  | FunctionArgsAbsMatchSem ms strict e' :
+     sem_bin_op FunctionArgsOp (EAbsMatch ms strict e') (λ e2 e,
+       e2 = ELit LitNull ∧
+       e = EAttr (AttrN ∘ ELit ∘ LitBool ∘ from_option (λ _, true) false <$> ms))
+  | TypeOfSem e1 :
+     sem_bin_op TypeOfOp e1 (λ e2 e, ∃ x,
+       e2 = ELit LitNull ∧
+       type_of_expr e1 = Some x ∧
+       e = ELit (LitString x)).
+Inductive matches :
+     gmap string expr → gmap string (option expr) → bool → gmap string attr → Prop :=
+  | MatchEmpty strict :
+     matches ∅ ∅ strict ∅
+  | MatchAny es :
+     matches es ∅ false ∅
+  | MatchAvail x e es ms md strict βs :
+     es !! x = None →
+     ms !! x = None →
+     matches es ms strict βs →
+     matches (<[x:=e]> es) (<[x:=md]> ms) strict (<[x:=AttrN e]> βs)
+  | MatchOptDefault x es ms d strict βs :
+     es !! x = None →
+     ms !! x = None →
+     matches es ms strict βs →
+     matches es (<[x:=Some d]> ms) strict (<[x:=AttrR d]> βs).
+Reserved Notation "e1 -{ μ }-> e2"
+  (right associativity, at level 55, μ at level 1, format "e1  -{ μ }->  e2").
+Inductive ctx1 : mode → mode → (expr → expr) → Prop :=
+  | CList es1 es2 :
+     Forall (final DEEP) es1 →
+     ctx1 DEEP DEEP (λ e, EList (es1 ++ e :: es2))
+  | CAttr αs x :
+     no_recs αs →
+     αs !! x = None →
+     (∀ y α, αs !! y = Some α → final DEEP (attr_expr α) ∨ attr_le x y) →
+     ctx1 DEEP DEEP (λ e, EAttr (<[x:=AttrN e]> αs))
+  | CAppL μ e2 :
+     ctx1 SHALLOW μ (λ e1, EApp e1 e2)
+  | CAppR μ ms strict e1 :
+     ctx1 SHALLOW μ (EApp (EAbsMatch ms strict e1))
+  | CSeq μ μ' e2 :
+     ctx1 μ' μ (λ e1, ESeq μ' e1 e2)
+  | CLetAttr μ k e2 :
+     ctx1 SHALLOW μ (λ e1, ELetAttr k e1 e2)
+  | CBinOpL μ op e2 :
+     ctx1 SHALLOW μ (λ e1, EBinOp op e1 e2)
+  | CBinOpR μ op e1 Φ :
+     final SHALLOW e1 →
+     sem_bin_op op e1 Φ →
+     ctx1 SHALLOW μ (EBinOp op e1)
+  | CIf μ e2 e3 :
+     ctx1 SHALLOW μ (λ e1, EIf e1 e2 e3).
+Inductive step : mode → relation expr :=
+  | Sβ μ x e1 e2 :
+     EApp (EAbs x e1) e2 -{μ}-> subst {[x:=(ABS, e2)]} e1
+  | SβMatch μ ms strict e1 αs βs :
+     no_recs αs →
+     matches (attr_expr <$> αs) ms strict βs →
+     EApp (EAbsMatch ms strict e1) (EAttr αs) -{μ}->
+       subst (indirects βs) e1
+  | SFunctor μ αs e1 e2 :
+     no_recs αs →
+     αs !! "__functor" = Some (AttrN e1) →
+     EApp (EAttr αs) e2 -{μ}-> EApp (EApp e1 (EAttr αs)) e2
+  | SSeqFinal μ μ' e1 e2 :
+     final μ' e1 → ESeq μ' e1 e2 -{μ}-> e2
+  | SLetAttrAttr μ k αs e :
+     no_recs αs →
+     ELetAttr k (EAttr αs) e -{μ}-> subst ((k,.) ∘ attr_expr <$> αs) e
+  | SAttr_rec μ αs :
+     ¬no_recs αs →
+     EAttr αs -{μ}->
+       EAttr (AttrN ∘ from_attr (subst (indirects αs)) id <$> αs)
+  | SBinOp μ op e1 Φ e2 e :
+     final SHALLOW e1 →
+     final SHALLOW e2 →
+     sem_bin_op op e1 Φ → Φ e2 e →
+     EBinOp op e1 e2 -{μ}-> e
+  | SIfBool μ b e2 e3 :
+     EIf (ELit (LitBool b)) e2 e3 -{μ}-> if b then e2 else e3
+  | SId μ x k e :
+     EId x (Some (k,e)) -{μ}-> e
+  | SCtx K μ μ' e e' :
+     ctx1 μ μ' K → e -{μ}-> e' → K e -{μ'}-> K e'
+where "e1 -{ μ }-> e2" := (step μ e1 e2).
+Notation "e1 -{ μ }->* e2" := (rtc (step μ) e1 e2)
+  (right associativity, at level 55, μ at level 1, format "e1  -{ μ }->*  e2").
+Notation "e1 -{ μ }->+ e2" := (tc (step μ) e1 e2)
+  (right associativity, at level 55, μ at level 1, format "e1  -{ μ }->+  e2").
+Definition stuck (μ : mode) (e : expr) : Prop :=
+  nf (step μ) e ∧ ¬final μ e.
+(** Induction *)
+Fixpoint expr_size (e : expr) : nat :=
+  match e with
+  | ELit _ => 1
+  | EId _ mkd => S (from_option (expr_size ∘ snd) 1 mkd)
+  | EAbs _ d => S (expr_size d)
+  | EAbsMatch ms _ e =>
+     S (map_sum_with (from_option expr_size 1) ms + expr_size e)
+  | EApp e1 e2 | ESeq _ e1 e2 => S (expr_size e1 + expr_size e2)
+  | EList es => S (sum_list_with expr_size es)
+  | EAttr eτs => S (map_sum_with (expr_size ∘ attr_expr) eτs)
+  | ELetAttr _ e1 e2 => S (expr_size e1 + expr_size e2)
+  | EBinOp _ e1 e2 => S (expr_size e1 + expr_size e2)
+  | EIf e1 e2 e3 => S (expr_size e1 + expr_size e2 + expr_size e3)
+  end.
+Lemma expr_ind (P : expr → Prop) :
+  (∀ b, P (ELit b)) →
+  (∀ x mkd, from_option (P ∘ snd) True mkd → P (EId x mkd)) →
+  (∀ x e, P e → P (EAbs x e)) →
+  (∀ ms strict e,
+    map_Forall (λ _, from_option P True) ms → P e → P (EAbsMatch ms strict e)) →
+  (∀ e1 e2, P e1 → P e2 → P (EApp e1 e2)) →
+  (∀ μ e1 e2, P e1 → P e2 → P (ESeq μ e1 e2)) →
+  (∀ es, Forall P es → P (EList es)) →
+  (∀ αs, map_Forall (λ _, P ∘ attr_expr) αs → P (EAttr αs)) →
+  (∀ k e1 e2, P e1 → P e2 → P (ELetAttr k e1 e2)) →
+  (∀ op e1 e2, P e1 → P e2 → P (EBinOp op e1 e2)) →
+  (∀ e1 e2 e3, P e1 → P e2 → P e3 → P (EIf e1 e2 e3)) →
+  ∀ e, P e.
+Proof.
+  intros Hlit Hid Habs Hmatch Happ Hseq Hlist Hattr Hlet Hop Hif e.
+  induction (Nat.lt_wf_0_projected expr_size e) as [e _ IH].
+  destruct e; repeat destruct select (option _); simpl in *; eauto with lia.
+  - apply Hmatch; [|by eauto with lia]=> y [e'|] Hx //=. apply IH, Nat.lt_succ_r.
+    etrans; [|apply Nat.le_add_r].
+    eapply (map_sum_with_lookup_le (from_option expr_size 1) _ _ _ Hx).
+  - apply Hlist, Forall_forall=> e ?. apply IH, Nat.lt_succ_r.
+    by apply sum_list_with_in.
+  - apply Hattr, map_Forall_lookup=> y e ?. apply IH, Nat.lt_succ_r.
+    by eapply (map_sum_with_lookup_le (expr_size ∘ attr_expr)).
+Qed.
diff --git a/theories/nix/operational_props.v b/theories/nix/operational_props.v
new file mode 100644
index 0000000..4041bfe
--- /dev/null
+++ b/theories/nix/operational_props.v
@@ -0,0 +1,680 @@
+From mininix Require Export utils nix.operational.
+From stdpp Require Import options.
+(** Properties of operational semantics *)
+Lemma float_to_bounded_Z_ok f : int_ok (float_to_bounded_Z f).
+Proof.
+  rewrite /float_to_bounded_Z.
+  destruct (Float.to_Z f); simplify_option_eq; done.
+Qed.
+Lemma int_ok_alt i :
+  int_ok i ↔ ∀ n, (63 ≤ n)%Z → Z.testbit i n = bool_decide (i < 0)%Z.
+Proof.
+  rewrite -Z.bounded_iff_bits //.
+  rewrite /int_ok bool_decide_spec /int_min /int_max Z.shiftl_1_l. lia.
+Qed.
+Lemma int_ok_land i1 i2 : int_ok i1 → int_ok i2 → int_ok (Z.land i1 i2).
+Proof.
+  rewrite !int_ok_alt=> Hi1 Hi2 n ?. rewrite Z.land_spec Hi1 // Hi2 //.
+  apply eq_bool_prop_intro. rewrite andb_True !bool_decide_spec Z.land_neg //.
+Qed.
+Lemma int_ok_lor i1 i2 : int_ok i1 → int_ok i2 → int_ok (Z.lor i1 i2).
+Proof.
+  rewrite !int_ok_alt=> Hi1 Hi2 n ?. rewrite Z.lor_spec Hi1 // Hi2 //.
+  apply eq_bool_prop_intro. rewrite orb_True !bool_decide_spec Z.lor_neg //.
+Qed.
+Lemma int_ok_lxor i1 i2 : int_ok i1 → int_ok i2 → int_ok (Z.lxor i1 i2).
+Proof.
+  rewrite !int_ok_alt=> Hi1 Hi2 n ?. rewrite Z.lxor_spec Hi1 // Hi2 //.
+  apply eq_bool_prop_intro. rewrite xorb_True !bool_decide_spec.
+  rewrite !Z.lt_nge Z.lxor_nonneg. lia.
+Qed.
+Lemma sem_bin_op_num_ok {op f n1 n2 bl} :
+  num_ok n1 → num_ok n2 →
+  sem_bin_op_num op n1 = Some f → f n2 = Some bl → base_lit_ok bl.
+Proof.
+  intros; destruct op, n1, n2; simplify_option_eq;
+    try (by apply (bool_decide_pack _));
+    auto using int_ok_land, int_ok_lor, int_ok_lxor.
+Qed.
+Lemma sem_bin_op_string_ok {op f s1 s2} :
+  sem_bin_op_string op = Some f → base_lit_ok (f s1 s2).
+Proof. intros; destruct op; naive_solver. Qed.
+Global Hint Extern 0 (no_recs (_ <$> _)) => by apply map_Forall_fmap : core.
+Ltac inv_step := repeat
+  match goal with
+  | H : ¬no_recs (_ <$> _) |- _ => destruct H; by apply map_Forall_fmap
+  | H : ?e -{_}-> _ |- _ => assert_succeeds (is_app_constructor e); inv H
+  | H : ctx1 _ _ ?K |- _ => is_var K; inv H
+  end.
+Global Instance Attr_inj τ : Inj (=) (=) (Attr τ).
+Proof. by injection 1. Qed.
+Lemma fmap_attr_expr_Attr τ (es : gmap string expr) :
+  attr_expr <$> (Attr τ <$> es) = es.
+Proof. apply map_eq=> x. rewrite !lookup_fmap. by destruct (_ !! _). Qed.
+Lemma no_recs_insert αs x e : no_recs αs → no_recs (<[x:=AttrN e]> αs).
+Proof. by apply map_Forall_insert_2. Qed.
+Lemma no_recs_insert_inv αs x τ e :
+  αs !! x = None → no_recs (<[x:=Attr τ e]> αs) → no_recs αs.
+Proof. intros ??%map_Forall_insert; naive_solver. Qed.
+Lemma no_recs_lookup αs x τ e : no_recs αs → αs !! x = Some (Attr τ e) → τ = NONREC.
+Proof. intros Hall. apply Hall. Qed.
+Lemma no_recs_attr_subst αs ds : no_recs αs → no_recs (attr_subst ds <$> αs).
+Proof.
+  intros. eapply map_Forall_fmap, map_Forall_impl; [done|]. by intros ? [[]] [=].
+Qed.
+Lemma from_attr_no_recs {A} (f g : expr → A) (αs : gmap string attr) :
+  no_recs αs → from_attr f g <$> αs = g ∘ attr_expr <$> αs.
+Proof.
+  intros Hrecs. apply map_eq=> x. rewrite !lookup_fmap. specialize (Hrecs x).
+  destruct (αs !! x) as [[]|] eqn:?; naive_solver.
+Qed.
+Lemma sem_and_attr_empty : sem_and_attr ∅ = ELit (LitBool true).
+Proof. done. Qed.
+Lemma sem_and_attr_insert es x e :
+  es !! x = None → (∀ y, is_Some (es !! y) → attr_le x y) →
+  sem_and_attr (<[x:=e]> es) = EIf e (sem_and_attr es) (ELit (LitBool false)).
+Proof. intros. by rewrite /sem_and_attr map_fold_sorted_insert. Qed.
+Lemma matches_strict es ms ds x e :
+  es !! x = None →
+  ms !! x = None →
+  matches es ms false ds →
+  matches (<[x:=e]> es) ms false ds.
+Proof.
+  remember false as strict.
+  induction 3; simplify_eq/=;
+    repeat match goal with
+    | H : <[ _ := _ ]> _ !! _ = None |- _ => apply lookup_insert_None in H as [??]
+    | _ => rewrite (insert_commute _ x) //
+    | _ => constructor
+    | _ => apply lookup_insert_None
+    end; eauto.
+Qed.
+Lemma subst_empty e : subst ∅ e = e.
+Proof.
+  induction e; repeat destruct select (option _); do 2 f_equal/=; auto.
+  - apply map_eq=> x. rewrite lookup_fmap.
+    destruct (_ !! x) as [[e'|]|] eqn:Hx; do 2 f_equal/=. apply (H _ _ Hx).
+  - induction H; f_equal/=; auto.
+  - apply map_eq; intros i. rewrite lookup_fmap.
+    destruct (_ !! i) as [[τ e]|] eqn:?; do 2 f_equal/=.
+    by eapply (H _ (Attr _ _)).
+Qed.
+Lemma subst_union ds1 ds2 e :
+  subst (union_kinded ds1 ds2) e = subst ds1 (subst ds2 e).
+Proof.
+  revert ds1 ds2. induction e; intros ds1 ds2; f_equal/=; auto.
+  - rewrite lookup_union_with.
+    destruct mkd as [[[]]|],
+      (ds1 !! x) as [[[] t1]|], (ds2 !! x) as [[[] t2]|]; naive_solver.
+  - apply map_eq=> y. rewrite !lookup_fmap.
+    destruct (_ !! y) as [[e'|]|] eqn:Hy; do 2 f_equal/=.
+    rewrite -(H _ _ Hy) //.
+  - induction H; f_equal/=; auto.
+  - apply map_eq=> y. rewrite !lookup_fmap.
+    destruct (_ !! y) as [[τ e]|] eqn:Hy; do 2 f_equal/=.
+    rewrite -(H _ _ Hy) //.
+Qed.
+Lemma SAppL μ e1 e1' e2 :
+  e1 -{SHALLOW}-> e1' → EApp e1 e2 -{μ}-> EApp e1' e2.
+Proof. apply (SCtx (λ e, EApp e _)). constructor. Qed.
+Lemma SAppR μ ms strict e1 e2 e2' :
+  e2 -{SHALLOW}-> e2' →
+  EApp (EAbsMatch ms strict e1) e2 -{μ}-> EApp (EAbsMatch ms strict e1) e2'.
+Proof. apply SCtx. constructor. Qed.
+Lemma SSeq μ μ' e1 e1' e2 :
+  e1 -{μ'}-> e1' → ESeq μ' e1 e2 -{μ}-> ESeq μ' e1' e2.
+Proof. apply (SCtx (λ e, ESeq _ e _)). constructor. Qed.
+Lemma SList es1 e e' es2 :
+  Forall (final DEEP) es1 →
+  e -{DEEP}-> e' →
+  EList (es1 ++ e :: es2) -{DEEP}-> EList (es1 ++ e' :: es2).
+Proof. intros ?. apply (SCtx (λ e, EList (_ ++ e :: _))). by constructor. Qed.
+Lemma SAttr αs x e e' :
+  no_recs αs →
+  αs !! x = None →
+  (∀ y α, αs !! y = Some α → final DEEP (attr_expr α) ∨ attr_le x y) →
+  e -{DEEP}-> e' →
+  EAttr (<[x:=AttrN e]> αs) -{DEEP}-> EAttr (<[x:=AttrN e']> αs).
+Proof. intros ???. apply (SCtx (λ e, EAttr (<[x:=AttrN e]> _))). by constructor. Qed.
+Lemma SLetAttr μ k e1 e1' e2 :
+  e1 -{SHALLOW}-> e1' → ELetAttr k e1 e2 -{μ}-> ELetAttr k e1' e2.
+Proof. apply (SCtx (λ e, ELetAttr _ e _)). constructor. Qed.
+Lemma SBinOpL μ op e1 e1' e2 :
+  e1 -{SHALLOW}-> e1' → EBinOp op e1 e2 -{μ}-> EBinOp op e1' e2.
+Proof. apply (SCtx (λ e, EBinOp _ e _)). constructor. Qed.
+Lemma SBinOpR μ op e1 Φ e2 e2' :
+  final SHALLOW e1 → sem_bin_op op e1 Φ →
+  e2 -{SHALLOW}-> e2' → EBinOp op e1 e2 -{μ}-> EBinOp op e1 e2'.
+Proof. intros ??. apply SCtx. by econstructor. Qed.
+Lemma SIf μ e1 e1' e2 e3 :
+  e1 -{SHALLOW}-> e1' → EIf e1 e2 e3 -{μ}-> EIf e1' e2 e3.
+Proof. apply (SCtx (λ e, EIf e _ _)). constructor. Qed.
+Global Hint Constructors step : step.
+Global Hint Resolve SAppL SAppR SSeq SList SAttr SLetAttr SBinOpL SBinOpR SIf : step.
+Lemma step_not_final μ e1 e2 : e1 -{μ}-> e2 → ¬final μ e1.
+Proof.
+  assert (∀ (αs : gmap string attr) x μ e,
+    map_Forall (λ _, final DEEP ∘ attr_expr) (<[x:=Attr μ e]> αs) → final DEEP e).
+  { intros αs x μ' e Hall. eapply (Hall _ (Attr _ _)), lookup_insert. }
+  induction 1; inv 1; inv_step; decompose_Forall; naive_solver.
+Qed.
+Lemma final_nf μ e : final μ e → nf (step μ) e.
+Proof. by intros ? [??%step_not_final]. Qed.
+Lemma step_any_shallow μ e1 e2 :
+  e1 -{μ}-> e2 → e1 -{SHALLOW}-> e2 ∨ final SHALLOW e1.
+Proof.
+  induction 1; inv_step;
+    naive_solver eauto using final, no_recs_insert with step.
+Qed.
+Lemma step_shallow_any μ e1 e2 : e1 -{SHALLOW}-> e2 → e1 -{μ}-> e2.
+Proof.
+  remember SHALLOW as μ'. induction 1; inv_step; simplify_eq/=; eauto with step.
+Qed.
+Lemma steps_shallow_any μ e1 e2 : e1 -{SHALLOW}->* e2 → e1 -{μ}->* e2.
+Proof. induction 1; eauto using rtc, step_shallow_any. Qed.
+Lemma final_any_shallow μ e : final μ e → final SHALLOW e.
+Proof. destruct μ; [done|]. induction 1; simplify_eq/=; eauto using final. Qed.
+Lemma stuck_shallow_any μ e : stuck SHALLOW e → stuck μ e.
+Proof.
+  intros [Hnf Hfinal]. split; [|naive_solver eauto using final_any_shallow].
+  intros [e' Hstep%step_any_shallow]; naive_solver.
+Qed.
+Lemma step_final_shallow μ e1 e2 :
+  final SHALLOW e1 → e1 -{μ}-> e2 → final SHALLOW e2.
+Proof.
+  induction 1; intros; inv_step; decompose_Forall;
+    eauto using step, final, no_recs_insert; try done.
+  - by odestruct step_not_final.
+  - apply map_Forall_insert in H0 as [??]; simpl in *; last done.
+    by odestruct step_not_final.
+Qed.
+Lemma SAppL_rtc μ e1 e1' e2 :
+  e1 -{SHALLOW}->* e1' → EApp e1 e2 -{μ}->* EApp e1' e2.
+Proof. induction 1; econstructor; eauto with step. Qed.
+Lemma SAppR_rtc μ ms strict e1 e2 e2' :
+  e2 -{SHALLOW}->* e2' →
+  EApp (EAbsMatch ms strict e1) e2 -{μ}->* EApp (EAbsMatch ms strict e1) e2'.
+Proof. induction 1; econstructor; eauto with step. Qed.
+Lemma SSeq_rtc μ μ' e1 e1' e2 :
+  e1 -{μ'}->* e1' → ESeq μ' e1 e2 -{μ}->* ESeq μ' e1' e2.
+Proof. induction 1; econstructor; eauto with step. Qed.
+Lemma SList_rtc es1 e e' es2 :
+  Forall (final DEEP) es1 →
+  e -{DEEP}->* e' →
+  EList (es1 ++ e :: es2) -{DEEP}->* EList (es1 ++ e' :: es2).
+Proof. induction 2; econstructor; eauto with step. Qed.
+Lemma SLetAttr_rtc μ k e1 e1' e2 :
+  e1 -{SHALLOW}->* e1' → ELetAttr k e1 e2 -{μ}->* ELetAttr k e1' e2.
+Proof. induction 1; econstructor; eauto with step. Qed.
+Lemma SBinOpL_rtc μ op e1 e1' e2 :
+  e1 -{SHALLOW}->* e1' → EBinOp op e1 e2 -{μ}->* EBinOp op e1' e2.
+Proof. induction 1; econstructor; eauto with step. Qed.
+Lemma SBinOpR_rtc μ op e1 Φ e2 e2' :
+  final SHALLOW e1 → sem_bin_op op e1 Φ →
+  e2 -{SHALLOW}->* e2' → EBinOp op e1 e2 -{μ}->* EBinOp op e1 e2'.
+Proof. induction 3; econstructor; eauto with step. Qed.
+Lemma SIf_rtc μ e1 e1' e2 e3 :
+  e1 -{SHALLOW}->* e1' → EIf e1 e2 e3 -{μ}->* EIf e1' e2 e3.
+Proof. induction 1; econstructor; eauto with step. Qed.
+Lemma SApp_tc μ e1 e1' e2 :
+  e1 -{SHALLOW}->+ e1' → EApp e1 e2 -{μ}->+ EApp e1' e2.
+Proof. induction 1; by econstructor; eauto with step. Qed.
+Lemma SSeq_tc μ μ' e1 e1' e2 :
+  e1 -{μ'}->+ e1' → ESeq μ' e1 e2 -{μ}->+ ESeq μ' e1' e2.
+Proof. induction 1; by econstructor; eauto with step. Qed.
+Lemma SList_tc es1 e e' es2 :
+  Forall (final DEEP) es1 →
+  e -{DEEP}->+ e' →
+  EList (es1 ++ e :: es2) -{DEEP}->+ EList (es1 ++ e' :: es2).
+Proof. induction 2; by econstructor; eauto with step. Qed.
+Lemma SLetAttr_tc μ k e1 e1' e2 :
+  e1 -{SHALLOW}->+ e1' → ELetAttr k e1 e2 -{μ}->+ ELetAttr k e1' e2.
+Proof. induction 1; by econstructor; eauto with step. Qed.
+Lemma SBinOpL_tc μ op e1 e1' e2 :
+  e1 -{SHALLOW}->+ e1' → EBinOp op e1 e2 -{μ}->+ EBinOp op e1' e2.
+Proof. induction 1; by econstructor; eauto with step. Qed.
+Lemma SBinOpR_tc μ op e1 Φ e2 e2' :
+  final SHALLOW e1 → sem_bin_op op e1 Φ →
+  e2 -{SHALLOW}->+ e2' → EBinOp op e1 e2 -{μ}->+ EBinOp op e1 e2'.
+Proof. induction 3; by econstructor; eauto with step. Qed.
+Lemma SIf_tc μ e1 e1' e2 e3 :
+  e1 -{SHALLOW}->+ e1' → EIf e1 e2 e3 -{μ}->+ EIf e1' e2 e3.
+Proof. induction 1; by econstructor; eauto with step. Qed.
+Lemma SList_inv es1 e2 :
+  EList es1 -{DEEP}-> e2 ↔ ∃ ds1 ds2 e e',
+    es1 = ds1 ++ e :: ds2 ∧ e2 = EList (ds1 ++ e' :: ds2) ∧
+    Forall (final DEEP) ds1 ∧
+    e -{DEEP}-> e'.
+Proof. split; intros; inv_step; naive_solver eauto using SList. Qed.
+Lemma List_nf_cons_final es e :
+  final DEEP e →
+  nf (step DEEP) (EList es) →
+  nf (step DEEP) (EList (e :: es)).
+Proof.
+  intros Hfinal Hnf [e' (ds1 & ds2 & e1 & e2 & ? & -> & Hds1 & Hstep)%SList_inv].
+  destruct Hds1; simplify_eq/=.
+  - by apply step_not_final in Hstep.
+  - naive_solver eauto with step.
+Qed.
+Lemma List_nf_cons es e :
+  ¬final DEEP e →
+  nf (step DEEP) e →
+  nf (step DEEP) (EList (e :: es)).
+Proof.
+  intros Hfinal Hnf [e' (ds1 & ds2 & e1 & e2 & ? & -> & Hds1 & Hstep)%SList_inv].
+  destruct Hds1; naive_solver.
+Qed.
+Lemma List_steps_cons es1 es2 e :
+  final DEEP e →
+  EList es1 -{DEEP}->* EList es2 →
+  EList (e :: es1) -{DEEP}->* EList (e :: es2).
+Proof.
+  intros ? Hstep.
+  remember (EList es1) as e1 eqn:He1; remember (EList es2) as e2 eqn:He2.
+  revert es1 es2 He1 He2.
+  induction Hstep as [|e1 e2 e3 Hstep Hstep' IH];
+    intros es1 es3 ??; simplify_eq/=; [done|].
+  inv_step. eapply rtc_l; [apply (SList (_ :: _))|]; naive_solver.
+Qed.
+Lemma SAttr_rec_rtc μ αs :
+  EAttr αs -{μ}->*
+    EAttr (AttrN ∘ from_attr (subst (indirects αs)) id <$> αs).
+Proof.
+  destruct (decide (no_recs αs)) as [Hαs|]; [|by eauto using rtc_once, step].
+  eapply reflexive_eq. f_equal. apply map_eq=> x. rewrite lookup_fmap.
+  destruct (αs !! x) as [[τ e]|] eqn:?; [|done].
+  assert (τ = NONREC) as -> by eauto using no_recs_lookup. done.
+Qed.
+Lemma SAttr_lookup_rtc αs x e e' :
+  no_recs αs →
+  αs !! x = None →
+  (∀ y α, αs !! y = Some α → final DEEP (attr_expr α) ∨ attr_le x y) →
+  e -{DEEP}->* e' →
+  EAttr (<[x:=AttrN e]> αs) -{DEEP}->* EAttr (<[x:=AttrN e']> αs).
+Proof.
+  intros Hrecs Hx Hfirst He. revert αs Hrecs Hx Hfirst.
+  induction He as [e|e1 e2 e3 He12 He23 IH]; intros eτs Hrec Hx Hfirst; [done|].
+  eapply rtc_l; first by eapply SAttr. apply IH; [done..|].
+  apply step_not_final in He12. naive_solver.
+Qed.
+Lemma SAttr_inv αs1 e2 :
+  no_recs αs1 →
+  EAttr αs1 -{DEEP}-> e2 ↔ ∃ αs x e e',
+    αs1 = <[x:=AttrN e]> αs ∧ e2 = EAttr (<[x:=AttrN e']> αs) ∧
+    αs !! x = None ∧
+    (∀ y α, αs !! y = Some α → final DEEP (attr_expr α) ∨ attr_le x y) ∧
+    e -{DEEP}-> e'.
+Proof.
+  split; [intros; inv_step|];
+    naive_solver eauto using SAttr, no_recs_insert_inv.
+Qed.
+Lemma Attr_nf_insert_final αs x e :
+  no_recs αs →
+  αs !! x = None →
+  final DEEP e →
+  (∀ y, is_Some (αs !! y) → attr_le x y) →
+  nf (step DEEP) (EAttr αs) →
+  nf (step DEEP) (EAttr (<[x:=AttrN e]> αs)).
+Proof.
+  intros Hrecs Hx Hfinal Hleast Hnf
+    [? (αs'&x'&e'&e''&Hαs&->&Hx'&?&Hstep)%SAttr_inv];
+    last by eauto using no_recs_insert.
+  assert (x ≠ x').
+  { intros ->. apply (f_equal (.!! x')) in Hαs. rewrite !lookup_insert in Hαs.
+    apply step_not_final in Hstep. naive_solver. }
+  destruct Hnf. exists (EAttr (<[x':=AttrN e'']> (delete x αs'))).
+  rewrite -(delete_insert αs x (AttrN e)) // Hαs delete_insert_ne //.
+  refine (SCtx _ _ _ _ _ (CAttr _ _ _ _ _) _);
+    [|by rewrite lookup_delete_ne| |done].
+  - apply (no_recs_insert _ x e) in Hrecs. rewrite Hαs in Hrecs.
+    apply no_recs_insert_inv in Hrecs; last done. by apply map_Forall_delete.
+  - intros ?? ?%lookup_delete_Some; naive_solver.
+Qed.
+Lemma Attr_nf_insert αs x e :
+  no_recs αs →
+  αs !! x = None →
+  ¬final DEEP e →
+  (∀ y, is_Some (αs !! y) → attr_le x y) →
+  nf (step DEEP) e →
+  nf (step DEEP) (EAttr (<[x:=AttrN e]> αs)).
+Proof.
+  intros Hrecs Hx ?? Hnf [? (αs'&x'&e'&e''&Hαs&->&Hx'&Hleast'&Hstep)%SAttr_inv];
+    last eauto using no_recs_insert.
+  assert (x ≠ x') as Hxx'.
+  { intros ->. apply (f_equal (.!! x')) in Hαs. rewrite !lookup_insert in Hαs.
+    naive_solver. }
+  odestruct (Hleast' x (AttrN e)); [|done|].
+  - apply (f_equal (.!! x)) in Hαs.
+    by rewrite lookup_insert lookup_insert_ne in Hαs.
+  - apply (f_equal (.!! x')) in Hαs.
+    rewrite lookup_insert lookup_insert_ne // in Hαs.
+    destruct Hxx'. apply (anti_symm attr_le); naive_solver.
+Qed.
+Lemma Attr_step_dom μ αs1 e2 :
+  EAttr αs1 -{μ}-> e2 →
+  ∃ αs2, e2 = EAttr αs2 ∧ ∀ i, αs1 !! i = None ↔ αs2 !! i = None.
+Proof.
+  intros; inv_step; (eexists; split; [done|]).
+  - intros i. by rewrite lookup_fmap fmap_None.
+  - intros i. rewrite !lookup_insert_None; naive_solver.
+Qed.
+Lemma Attr_steps_dom μ αs1 αs2 :
+  EAttr αs1 -{μ}->* EAttr αs2 → ∀ i, αs1 !! i = None ↔ αs2 !! i = None.
+Proof.
+  intros Hstep.
+  remember (EAttr αs1) as e1 eqn:He1; remember (EAttr αs2) as e2 eqn:He2.
+  revert αs1 αs2 He1 He2. induction Hstep as [|e1 e2 e3 Hstep Hstep' IH];
+    intros αs1 αs3 ??; simplify_eq/=; [done|].
+  apply Attr_step_dom in Hstep; naive_solver.
+Qed.
+Lemma Attr_step_recs αs1 αs2 :
+  EAttr αs1 -{DEEP}-> EAttr αs2 → no_recs αs1 → no_recs αs2.
+Proof. intros. inv_step; by eauto using no_recs_insert. Qed.
+Lemma Attr_steps_recs αs1 αs2 :
+  EAttr αs1 -{DEEP}->* EAttr αs2 → no_recs αs1 → no_recs αs2.
+Proof.
+  intros Hstep.
+  remember (EAttr αs1) as e1 eqn:He1; remember (EAttr αs2) as e2 eqn:He2.
+  revert αs1 αs2 He1 He2. induction Hstep as [|e1 e2 e3 Hstep Hstep' IH];
+    intros αs1 αs3 ???; simplify_eq/=; [done|].
+  pose proof (Attr_step_dom _ _ _ Hstep) as (es2 & -> & ?).
+  apply Attr_step_recs in Hstep; naive_solver.
+Qed.
+Lemma Attr_step_insert αs1 αs2 x e :
+  no_recs αs1 →
+  αs1 !! x = None →
+  final DEEP e →
+  EAttr αs1 -{DEEP}-> EAttr αs2 →
+  EAttr (<[x:=AttrN e]> αs1) -{DEEP}-> EAttr (<[x:=AttrN e]> αs2).
+Proof.
+  intros Hrecs Hx ?
+    (αs' & x' & e1 & e1' & ? & ? & ? & ? & ?)%SAttr_inv; [|done]; simplify_eq.
+  apply lookup_insert_None in Hx as [??]. rewrite !(insert_commute _ x) //.
+  eapply SAttr; [|by rewrite lookup_insert_ne| |done].
+  - by eapply no_recs_insert, no_recs_insert_inv.
+  - intros y e' ?%lookup_insert_Some; naive_solver.
+Qed.
+Lemma Attr_steps_insert αs1 αs2 x e :
+  no_recs αs1 →
+  αs1 !! x = None →
+  final DEEP e →
+  EAttr αs1 -{DEEP}->* EAttr αs2 →
+  EAttr (<[x:=AttrN e]> αs1) -{DEEP}->* EAttr (<[x:=AttrN e]> αs2).
+Proof.
+  intros Hrecs Hx ? Hstep.
+  remember (EAttr αs1) as e1 eqn:He1; remember (EAttr αs2) as e2 eqn:He2.
+  revert αs1 αs2 Hx Hrecs He1 He2.
+  induction Hstep as [|e1 e2 e3 Hstep Hstep' IH];
+    intros αs1 αs3 ????; simplify_eq/=; [done|].
+  pose proof (Attr_step_dom _ _ _ Hstep) as (αs2 & -> & Hdom).
+  eapply rtc_l; first by eapply Attr_step_insert.
+  eapply IH; naive_solver eauto using Attr_step_recs.
+Qed.
+Reserved Infix "=D=>" (right associativity, at level 55).
+Inductive step_delayed : relation expr :=
+  | RDrefl e :
+      e =D=> e
+  | RDId x e1 e2 :
+      e1 =D=> e2 →
+      EId x (Some (ABS, e1)) =D=> e2
+  | RDBinOp op e1 e1' e2 e2' :
+      e1 =D=> e1' → e2 =D=> e2' → EBinOp op e1 e2 =D=> EBinOp op e1' e2'
+  | RDIf e1 e1' e2 e2' e3 e3' :
+      e1 =D=> e1' → e2 =D=> e2' → e3 =D=> e3' → EIf e1 e2 e3 =D=> EIf e1' e2' e3'
+where "e1 =D=> e2" := (step_delayed e1 e2).
+Global Instance step_delayed_po : PreOrder step_delayed.
+Proof.
+  split; [constructor|].
+  intros e1 e2 e3 Hstep. revert e3.
+  induction Hstep; inv 1; eauto using step_delayed.
+Qed.
+Hint Extern 0 (_ =D=> _) => reflexivity : core.
+Lemma delayed_final_l e1 e2 :
+  final SHALLOW e1 →
+  e1 =D=> e2 →
+  e1 = e2.
+Proof. intros Hfinal. induction 1; try by inv Hfinal. Qed.
+Lemma delayed_final_r μ e1 e2 :
+  final μ e2 →
+  e1 =D=> e2 →
+  e1 -{μ}->* e2.
+Proof.
+  intros Hfinal. induction 1; try by inv Hfinal.
+  eapply rtc_l; [constructor|]. eauto.
+Qed.
+Lemma delayed_step_l μ e1 e1' e2 :
+  e1 =D=> e1' →
+  e1 -{μ}-> e2 →
+  ∃ e2', e1' -{μ}->* e2' ∧ e2 =D=> e2'.
+Proof.
+  intros Hrem. revert μ e2.
+  induction Hrem; intros μ ? Hstep.
+  - eauto using rtc_once.
+  - inv_step. by exists e2.
+  - inv_step.
+    + eapply delayed_final_l in Hrem1 as ->, Hrem2 as ->; [|by eauto..].
+      eexists; split; [|done]. eapply rtc_once. by econstructor.
+    + apply IHHrem1 in H2 as (e1'' & ? & ?).
+      eexists; split; [by eapply SBinOpL_rtc|]. by constructor.
+    + eapply delayed_final_l in Hrem1 as ->; [|by eauto..].
+      apply IHHrem2 in H2 as (e2'' & ? & ?).
+      eexists (EBinOp _ e1' e2''); split; [|by constructor].
+      by eapply SBinOpR_rtc.
+  - inv_step.
+    + eapply delayed_final_l in Hrem1 as <-; [|by repeat constructor].
+      eexists; split; [eapply rtc_once; constructor|]. by destruct b.
+    + apply IHHrem1 in H2 as (e1'' & ? & ?).
+      eexists; split; [by eapply SIf_rtc|]. by constructor.
+Qed.
+Lemma delayed_steps_l μ e1 e1' e2 :
+  e1 =D=> e1' →
+  e1 -{μ}->* e2 →
+  ∃ e2', e1' -{μ}->* e2' ∧ e2 =D=> e2'.
+Proof.
+  intros Hdel Hsteps. revert e1' Hdel.
+  induction Hsteps as [e|e1 e2 e3 Hstep Hsteps IH]; intros e1' Hdel.
+  { eexists; by split. }
+  eapply delayed_step_l in Hstep as (e2' & Hstep2 & Hdel2); [|done].
+  apply IH in Hdel2 as (e3' & ? & ?). eexists; by split; [etrans|].
+Qed.
+Lemma delayed_step_r μ e1 e1' e2 :
+  e1' =D=> e1 →
+  e1 -{μ}-> e2 →
+  ∃ e2', e1' -{μ}->+ e2' ∧ e2' =D=> e2.
+Proof.
+  intros Hrem. revert μ e2.
+  induction Hrem; intros μ ? Hstep.
+  - eauto using tc_once.
+  - apply IHHrem in Hstep as (e1' & ? & ?).
+    eexists. split; [|done]. eapply tc_l; [econstructor|done].
+  - inv_step.
+    + exists e0; split; [|done].
+      eapply tc_rtc_l; [by eapply SBinOpL_rtc, delayed_final_r, Hrem1|].
+      eapply tc_rtc_l; [by eapply SBinOpR_rtc, delayed_final_r, Hrem2|].
+      eapply tc_once. by econstructor.
+    + apply IHHrem1 in H2 as (e1'' & ? & ?).
+      eexists; split; [by eapply SBinOpL_tc|]. by constructor.
+    + apply IHHrem2 in H2 as (e2'' & ? & ?).
+      eexists (EBinOp _ e1' e2''); split; [|by apply RDBinOp].
+      eapply tc_rtc_l; [by eapply SBinOpL_rtc, delayed_final_r, Hrem1|].
+      by eapply SBinOpR_tc.
+  - inv_step.
+    + exists (if b then e2 else e3). split; [|by destruct b].
+      eapply tc_rtc_l;
+        [eapply SIf_rtc, delayed_final_r, Hrem1; by repeat constructor|].
+      eapply tc_once; constructor.
+    + apply IHHrem1 in H2 as (e1'' & ? & ?).
+      eexists; split; [by eapply SIf_tc|]. by constructor.
+Qed.
+Lemma delayed_steps_r μ e1 e1' e2 :
+  e1' =D=> e1 →
+  e1 -{μ}->* e2 →
+  ∃ e2', e1' -{μ}->* e2' ∧ e2' =D=> e2.
+Proof.
+  intros Hdel Hsteps. revert e1' Hdel.
+  induction Hsteps as [e|e1 e2 e3 Hstep Hsteps IH]; intros e1' Hdel.
+  { eexists; by split. }
+  eapply delayed_step_r in Hstep as (e2' & Hstep2%tc_rtc & Hdel2); [|done].
+  apply IH in Hdel2 as (e3' & ? & ?). eexists; by split; [etrans|].
+Qed.
+(** Determinism *)
+Lemma bin_op_det op e Φ Ψ :
+  sem_bin_op op e Φ →
+  sem_bin_op op e Ψ →
+  Φ = Ψ.
+Proof. by destruct 1; inv 1. Qed.
+Lemma bin_op_rel_det op e1 Φ e2 d1 d2 :
+  sem_bin_op op e1 Φ →
+  Φ e2 d1 →
+  Φ e2 d2 →
+  d1 = d2.
+Proof.
+  assert (AntiSymm eq attr_le) by apply _.
+  unfold AntiSymm in *. inv 1; repeat case_match; naive_solver.
+Qed.
+Lemma matches_present x e md es ms strict βs :
+  es !! x = Some e → ms !! x = Some md →
+  matches es ms strict βs →
+  βs !! x = Some (AttrN e).
+Proof.
+  intros Hes Hms. induction 1; try done.
+  - by apply lookup_insert_Some in Hes as [[]|[]]; simplify_map_eq.
+  - by simplify_map_eq.
+Qed.
+Lemma matches_default x es ms d strict βs :
+  es !! x = None →
+  ms !! x = Some (Some d) →
+  matches es ms strict βs →
+  βs !! x = Some (AttrR d).
+Proof.
+  intros Hes Hms. induction 1; try done.
+  - by apply lookup_insert_None in Hes as []; simplify_map_eq.
+  - by apply lookup_insert_Some in Hms as [[]|[]]; simplify_map_eq.
+Qed.
+Lemma matches_weaken x es ms strict βs :
+  matches es ms strict βs →
+  matches (delete x es) (delete x ms) strict (delete x βs).
+Proof.
+  induction 1; [constructor|constructor|..]; rename x0 into y;
+    (destruct (decide (x = y)) as [->|Hxy];
+      [ rewrite !delete_insert_delete //
+      | rewrite !delete_insert_ne //; constructor;
+        by simplify_map_eq ]).
+Qed.
+Lemma matches_det es ms strict βs1 βs2 :
+  matches es ms strict βs1 →
+  matches es ms strict βs2 →
+  βs1 = βs2.
+Proof.
+  intros Hβs1. revert βs2. induction Hβs1; intros βs2 Hβs2;
+    try (inv Hβs2; done || (by exfalso; eapply (insert_non_empty (M:=stringmap)))).
+  - eapply (matches_weaken x) in Hβs2 as Hβs2'.
+    rewrite !delete_insert // in Hβs2'.
+    rewrite (IHHβs1 _ Hβs2') insert_delete //.
+    eapply matches_present; eauto; apply lookup_insert.
+  - eapply (matches_weaken x) in Hβs2 as Hβs2'.
+    rewrite delete_notin // delete_insert // in Hβs2'.
+    rewrite (IHHβs1 _ Hβs2') insert_delete //.
+    eapply matches_default; eauto. apply lookup_insert.
+Qed.
+Lemma ctx_det K1 K2 e1 e2 μ μ1' μ2' :
+  K1 e1 = K2 e2 →
+  ctx1 μ1' μ K1 →
+  ctx1 μ2' μ K2 →
+  red (step μ1') e1 →
+  red (step μ2') e2 →
+  K1 = K2 ∧ e1 = e2 ∧ μ1' = μ2'.
+Proof.
+  intros Hes HK1 HK2 Hred1 Hred2.
+  induction HK1; inv HK2; try done.
+  - apply not_elem_of_app_cons_inv_l in Hes as [<- [<- <-]]; first done.
+    + intros He1. apply (proj1 (Forall_forall _ _) H0) in He1.
+      inv Hred1. by apply step_not_final in H1.
+    + intros He2. apply (proj1 (Forall_forall _ _) H) in He2.
+      inv Hred2. by apply step_not_final in H1.
+  - destruct (decide (x = x0)) as [<-|].
+    { by apply map_insert_inv_eq in Hes as [[= ->] [= ->]]. }
+    apply map_insert_inv_ne in Hes as (Hx0 & Hx & Hαs); try done.
+    apply H1 in Hx0 as [contra | Hxlex0].
+    + inv Hred2. by apply step_not_final in H5.
+    + apply H4 in Hx as [contra | Hx0lex].
+      * inv Hred1. by apply step_not_final in H5.
+      * assert (Hasym : AntiSymm eq attr_le) by apply _.
+        by pose proof (Hasym _ _ Hxlex0 Hx0lex).
+  - inv Hred1. inv_step.
+  - inv Hred2. inv_step.
+  - inv Hred1. by apply step_not_final in H1.
+  - inv Hred2. by apply step_not_final in H1.
+Qed.
+Lemma step_det μ e d1 d2 :
+  e -{μ}-> d1 →
+  e -{μ}-> d2 →
+  d1 = d2.
+Proof.
+  intros Hred1. revert d2.
+  induction Hred1; intros d2 Hred2; inv Hred2; try by inv_step.
+  - by apply (matches_det _ _ _ _ _ H0) in H8 as <-.
+  - inv_step. by apply step_not_final in H3.
+  - inv_step. destruct H. by apply no_recs_insert.
+  - assert (Φ = Φ0) as <- by (by eapply bin_op_det).
+    by eapply bin_op_rel_det.
+  - inv_step; by apply step_not_final in H6.
+  - inv_step. by apply step_not_final in Hred1.
+  - inv_step. destruct H2. by apply no_recs_insert.
+  - inv_step; by apply step_not_final in Hred1.
+  - eapply ctx_det in H0 as (?&?&?); [|by eauto..]; naive_solver.
+Qed.
diff --git a/theories/nix/tests.v b/theories/nix/tests.v
new file mode 100644
index 0000000..cbce874
--- /dev/null
+++ b/theories/nix/tests.v
@@ -0,0 +1,185 @@
+From mininix Require Export nix.interp nix.notations.
+From stdpp Require Import options.
+Open Scope Z_scope.
+(** Compare base vals without comparing the proofs. Since we do not have
+definitional proof irrelevance, comparing the proofs would fail (and in practice
+make Coq loop). *)
+Definition res_eq (rv : res val) (bl2 : base_lit) :=
+  match rv with
+  | Res (Some (VLit bl1 _)) => bl1 = bl2
+  | _ => False
+  end.
+Infix "=?" := res_eq.
+Definition float_1 :=
+  ceil: (Float.of_Z 20 /: 3).
+Goal interp 100 ∅ float_1 =? 7.
+Proof. by vm_compute. Qed.
+Definition float_2 :=
+  Float.of_Z 100000000000000000000000000000000000000000000000000000000000000000000000000000 *:
+  Float.of_Z 100000000000000000000000000000000000000000000000000000000000000000000000000000 *:
+  Float.of_Z 100000000000000000000000000000000000000000000000000000000000000000000000000000 *:
+  Float.of_Z 100000000000000000000000000000000000000000000000000000000000000000000000000000 *:
+  Float.of_Z 100000000000000000000000000000000000000000000000000000000000000000000000000000.
+Goal interp 100 ∅ float_2 =? NFloat (Binary.B754_infinity false).
+Proof. by vm_compute. Qed.
+Definition float_3 := float_2 /: float_2.
+Goal interp 100 ∅ float_3 =? NFloat (`Float.indef_nan).
+Proof. by vm_compute. Qed.
+Definition let_let :=
+  let: "x" := 1 in let: "x" := 2 in "x".
+Goal interp 100 ∅ let_let =? 2.
+Proof. by vm_compute. Qed.
+Definition with_let :=
+  with: EAttr {[ "x" := AttrN 1 ]} in let: "x" := 2 in "x".
+Goal interp 100 ∅ with_let =? 2.
+Proof. by vm_compute. Qed.
+Definition let_with :=
+  let: "x" := 1 in with: EAttr {[ "x" := AttrN 2 ]} in "x".
+Goal interp 100 ∅ let_with =? 1.
+Proof. by vm_compute. Qed.
+Definition with_with :=
+  with: EAttr {[ "x" := AttrN 1 ]} in with: EAttr {[ "x" := AttrN 2 ]} in "x".
+Goal interp 100 ∅ with_with =? 2.
+Proof. by vm_compute. Qed.
+Definition with_with_inherit :=
+  with: EAttr {[ "x" := AttrN 1 ]} in with: EAttr {[ "x" := AttrN "x" ]} in "x".
+Goal interp 100 ∅ with_with_inherit =? 1.
+Proof. by vm_compute. Qed.
+Definition with_loop :=
+  with: EAttr {[ "x" := AttrR "x" ]} in "x".
+Goal interp 100 ∅ with_loop = NoFuel.
+Proof. by vm_compute. Qed.
+Definition rec_attr_shadow_1 :=
+  let: "foo" := EAttr {[ "bar" := AttrN 10 ]} in
+  EAttr {[
+    "bar" := AttrR ("foo" .: "bar");
+    "foo" := AttrR (EAttr {[ "bar" := AttrN 20 ]})
+  ]} .: "bar".
+Goal interp 100 ∅ rec_attr_shadow_1 =? 20.
+Proof. by vm_compute. Qed.
+Definition rec_attr_shadow_2 :=
+  EAttr {[
+    "y" := AttrR (EAttr {[ "y" := AttrN "z" ]} .: "y");
+    "z" := AttrR 20
+  ]} .: "y".
+Goal interp 100 ∅ rec_attr_shadow_2 =? 20.
+Proof. by vm_compute. Qed.
+Definition nested_functor_1 :=
+  EAttr {[ "__functor" := AttrN $ λ: "self",
+    EAttr {[ "__functor" := AttrN $ λ: "self" "x", 10 ]} ]} 10.
+Goal interp 100 ∅ nested_functor_1 =? 10.
+Proof. by vm_compute. Qed.
+Definition nested_functor_2 :=
+  EAttr {[ "__functor" := AttrN $
+    EAttr {[ "__functor" := AttrN $ λ: "self" "self" "x", 10 ]} ]} 10.
+Goal interp 100 ∅ nested_functor_2 =? 10.
+Proof. by vm_compute. Qed.
+Definition functor_loop_1 :=
+  EAttr {[ "__functor" := AttrN $
+    λ: "self", "self" "self"
+  ]} 10.
+Goal interp 1000 ∅ functor_loop_1 = NoFuel.
+Proof. by vm_compute. Qed.
+Definition functor_loop_2 :=
+  EAttr {[ "__functor" := AttrN $
+    λ: "self" "f", "f" ("self" "f")
+  ]} (λ: "go" "x", "go" "x") 10.
+Goal interp 1000 ∅ functor_loop_2 = NoFuel.
+Proof. by vm_compute. Qed.
+Fixpoint many_lets (i : nat) (e : expr) : expr :=
+  match i with
+  | O => e
+  | S i => let: "x" +:+ pretty i := 0 in many_lets i e
+  end.
+Fixpoint many_adds (i : nat) : expr :=
+  match i with
+  | O => 0
+  | S i => ("x" +:+ pretty i) +: many_adds i
+  end.
+Definition big_prog (i : nat) : expr := many_lets i $ many_adds i.
+Definition big := big_prog 1000.
+Goal interp 5000 ∅ big =? 0.
+Proof. by vm_compute. Qed.
+Definition matching_1 :=
+  (λattr: {[ "x" := None; "y" := None ]}, "x" +: "y")
+    (EAttr {[ "x" := AttrN 10; "y" := AttrN 11 ]}).
+Goal interp 1000 ∅ matching_1 =? 21.
+Proof. by vm_compute. Qed.
+Definition matching_2 :=
+  (λattr: {[ "x" := None; "y" := Some (EId' "x") ]}, "x" +: "y")
+    (EAttr {[ "x" := AttrN 10 ]}).
+Goal interp 1000 ∅ matching_2 =? 20.
+Proof. by vm_compute. Qed.
+Definition matching_3 :=
+  (λattr: {[ "x" := None; "y" := None ]}, "x" +: "y")
+    (EAttr {[ "x" := AttrN 10 ]}).
+Goal interp 1000 ∅ matching_3 = mfail.
+Proof. by vm_compute. Qed.
+Definition matching_4 :=
+  (λattr: {[ "x" := None; "y" := None ]}, "x" +: "y")
+    (EAttr {[ "x" := AttrN 10; "y" := AttrN 11; "z" := AttrN 12 ]}).
+Goal interp 1000 ∅ matching_4 = mfail.
+Proof. by vm_compute. Qed.
+Definition matching_5 :=
+  (λattr: {[ "x" := None; "y" := None ]} .., "x" +: "y")
+    (EAttr {[ "x" := AttrN 10; "y" := AttrN 11; "z" := AttrN 12 ]}).
+Goal interp 1000 ∅ matching_5 =? 21.
+Proof. by vm_compute. Qed.
+Definition matching_6 :=
+  (λattr: {[ "y" := Some (EId' "y") ]}, "y")
+    (EAttr {[ "y" := AttrN 10 ]}).
+Goal interp 1000 ∅ matching_6 =? 10.
+Proof. by vm_compute. Qed.
+Definition matching_7 :=
+  (λattr: {[ "y" := Some (EId' "y") ]}, "y") (EAttr ∅).
+Goal interp 1000 ∅ matching_7 = NoFuel.
+Proof. by vm_compute. Qed.
+Definition matching_8 :=
+  (λattr: {[ "y" := Some (EId' "y") ]}.., "y")
+  (EAttr {[ "x" := AttrN 10 ]}).
+Goal interp 1000 ∅ matching_8 = NoFuel.
+Proof. by vm_compute. Qed.
+Definition list_lt_1 :=
+  EList [ELit 2; ELit 3] <: EList [ELit 3].
+Goal interp 1000 ∅ list_lt_1 =? true.
+Proof. by vm_compute. Qed.
+Definition list_lt_2 :=
+  EList [ELit 2; ELit 3] <: EList [ELit 2].
+Goal interp 1000 ∅ list_lt_2 =? false.
+Proof. by vm_compute. Qed.
+Definition list_lt_3 :=
+  EList [ELit 2] <: EList [ELit 2; ELit 3].
+Goal interp 1000 ∅ list_lt_3 =? true.
+Proof. by vm_compute. Qed.
diff --git a/theories/nix/wp.v b/theories/nix/wp.v
new file mode 100644
index 0000000..0eca6e1
--- /dev/null
+++ b/theories/nix/wp.v
@@ -0,0 +1,143 @@
+From mininix Require Export nix.operational_props.
+From stdpp Require Import options.
+Definition wp (μ : mode) (e : expr) (Φ : expr → Prop) : Prop :=
+  ∃ e', e -{μ}->* e' ∧ final μ e' ∧ Φ e'.
+Lemma Lit_wp μ Φ bl :
+  base_lit_ok bl →
+  Φ (ELit bl) →
+  wp μ (ELit bl) Φ.
+Proof. exists (ELit bl). by repeat constructor. Qed.
+Lemma Abs_wp μ Φ x e :
+  Φ (EAbs x e) →
+  wp μ (EAbs x e) Φ.
+Proof. exists (EAbs x e). by repeat constructor. Qed.
+Lemma AbsMatch_wp μ Φ ms strict e :
+  Φ (EAbsMatch ms strict e) →
+  wp μ (EAbsMatch ms strict e) Φ.
+Proof. exists (EAbsMatch ms strict e). by repeat constructor. Qed.
+Lemma LetAttr_no_recs_wp μ Φ k αs e :
+  no_recs αs →
+  wp μ (subst ((k,.) ∘ attr_expr <$> αs) e) Φ →
+  wp μ (ELetAttr k (EAttr αs) e) Φ.
+Proof.
+  intros Hαs (e' & Hsteps & ? & HΦ). exists e'. split; [|done].
+  etrans; [|apply Hsteps]. apply rtc_once. by constructor.
+Qed.
+Lemma BinOp_wp μ Φ op e1 e2 :
+  wp SHALLOW e1 (λ e1', ∃ Φop,
+    sem_bin_op op e1' Φop ∧ 
+    wp SHALLOW e2 (λ e2', ∃ e', Φop e2' e' ∧ wp μ e' Φ)) →
+  wp μ (EBinOp op e1 e2) Φ.
+Proof.
+  intros (e1' & Hsteps1 & ? & Φop & Hop1 & e2' & Hsteps2 & ?
+          & e' & Hop2 & e'' & Hsteps & ? & HΦ).
+  exists e''. split; [|done].
+  etrans; [by apply SBinOpL_rtc|].
+  etrans; [by eapply SBinOpR_rtc|].
+  eapply rtc_l; [by econstructor|]. done.
+Qed.
+Lemma Id_wp μ Φ x k e :
+  wp μ e Φ →
+  wp μ (EId x (Some (k,e))) Φ.
+Proof.
+  intros (e' & Hsteps & ? & HΦ). exists e'. split; [|done].
+  etrans; [|apply Hsteps]. apply rtc_once. constructor.
+Qed.
+Lemma App_wp μ Φ e1 e2 :
+  wp SHALLOW e1 (λ e1', wp μ (EApp e1' e2) Φ) ↔
+  wp μ (EApp e1 e2) Φ.
+Proof.
+  split.
+  - intros (e1' & Hsteps1 & ? & e' & Hsteps2 & ? & HΦ).
+    exists e'; split; [|done]. etrans; [|apply Hsteps2].
+    by apply SAppL_rtc.
+  - intros (e' & Hsteps & Hfinal & HΦ).
+    cut (∃ e1', e1 -{SHALLOW}->* e1' ∧ final SHALLOW e1' ∧ EApp e1' e2 -{μ}->* e').
+    { intros (e1'&?&?&?). exists e1'. split_and!; [done..|]. by exists e'. }
+    clear Φ HΦ. apply rtc_nsteps in Hsteps as [n Hsteps].
+    revert e1 Hsteps. induction n as [|n IH]; intros e1 Hsteps.
+    { inv Hsteps. inv Hfinal. }
+    inv Hsteps. inv H0.
+    + eexists; split_and!; [done|by constructor|].
+      eapply rtc_l; [by constructor|by eapply rtc_nsteps_2].
+    + eexists; split_and!; [done|by constructor|].
+      eapply rtc_l; [by constructor|by eapply rtc_nsteps_2].
+    + eexists; split_and!; [done|by constructor|].
+      eapply rtc_l; [by constructor|by eapply rtc_nsteps_2].
+    + inv H2.
+      * apply IH in H1 as (e'' & Hsteps & ? & ?).
+        exists e''; split; [|done]. by eapply rtc_l.
+      * eexists; split_and!; [done|by constructor|].
+        eapply rtc_l; [by eapply SAppR|]. by eapply rtc_nsteps_2.
+Qed.
+Lemma Attr_wp_shallow Φ αs :
+  Φ (EAttr (AttrN ∘ from_attr (subst (indirects αs)) id <$> αs)) →
+  wp SHALLOW (EAttr αs) Φ.
+Proof.
+  eexists (EAttr (AttrN ∘ _ <$> αs)); split_and!; [ |by constructor|done].
+  destruct (decide (no_recs αs)); [|apply rtc_once; by constructor].
+  apply reflexive_eq; f_equal. apply map_eq=> x. rewrite lookup_fmap.
+  destruct (αs !! x) as [[? e]|] eqn:?; f_equal/=.
+  by assert (τ = NONREC) as -> by eauto using no_recs_lookup.
+Qed.
+Lemma β_wp μ Φ x e1 e2 :
+  wp μ (subst {[x:=(ABS, e2)]} e1) Φ →
+  wp μ (EApp (EAbs x e1) e2) Φ.
+Proof.
+  intros (e' & Hsteps & ? & ?). exists e'. split; [|done].
+  eapply rtc_l; [|done]. by constructor.
+Qed.
+Lemma βMatch_wp μ Φ ms strict e1 αs βs :
+  no_recs αs →
+  matches (attr_expr <$> αs) ms strict βs →
+  wp μ (subst (indirects βs) e1) Φ →
+  wp μ (EApp (EAbsMatch ms strict e1) (EAttr αs)) Φ.
+Proof.
+  intros ?? (e' & Hsteps & ? & ?). exists e'. split; [|done].
+  eapply rtc_l; [|done]. by constructor.
+Qed.
+Lemma Functor_wp μ Φ αs e1 e2 :
+  no_recs αs →
+  αs !! "__functor" = Some (AttrN e1) →
+  wp μ (EApp (EApp e1 (EAttr αs)) e2) Φ →
+  wp μ (EApp (EAttr αs) e2) Φ.
+Proof.
+  intros ?? (e' & Hsteps & ? & ?). exists e'. split; [|done].
+  eapply rtc_l; [|done]. by constructor.
+Qed.
+Lemma If_wp μ Φ e1 e2 e3 :
+  wp SHALLOW e1 (λ e1', ∃ b : bool,
+    e1' = ELit (LitBool b) ∧ wp μ (if b then e2 else e3) Φ) →
+  wp μ (EIf e1 e2 e3) Φ.
+Proof.
+  intros (e1' & Hsteps & ? & b & -> & e' & Hsteps' & ? & HΦ).
+  exists e'; split; [|done]. etrans; [by apply SIf_rtc|].
+  eapply rtc_l; [|done]. destruct b; constructor.
+Qed.
+Lemma wp_mono μ e Φ Ψ :
+  wp μ e Φ →
+  (∀ e', Φ e' → Ψ e') →
+  wp μ e Ψ.
+Proof. intros (e' & ? & ? & ?) ?. exists e'. naive_solver. Qed.
+Lemma union_kinded_abs {A} mkv (v2 : A) :
+  union_kinded (pair WITH <$> mkv) (Some (ABS, v2)) = Some (ABS, v2).
+Proof. by destruct mkv. Qed.
+Lemma union_kinded_with {A} (v : A) mkv2 :
+  union_kinded (Some (WITH, v)) (pair WITH <$> mkv2) = Some (WITH, v).
+Proof. by destruct mkv2. Qed.
diff --git a/theories/nix/wp_examples.v b/theories/nix/wp_examples.v
new file mode 100644
index 0000000..7bc2109
--- /dev/null
+++ b/theories/nix/wp_examples.v
@@ -0,0 +1,164 @@
+From mininix Require Import nix.wp nix.notations.
+From stdpp Require Import options.
+Local Open Scope Z_scope.
+Definition test αs :=
+  let: "x" := 1 in
+  with: EAttr αs in
+  with: EAttr {[ "y" := AttrN 2 ]} in
+  "x" =: "y".
+Example test_wp μ αs :
+  no_recs αs →
+  wp μ (test αs) (.= false).
+Proof.
+  intros Hαs. rewrite /test. apply LetAttr_no_recs_wp.
+  { by apply no_recs_insert. }
+  rewrite /= !map_fmap_singleton /= right_id_L lookup_singleton lookup_singleton_ne //=.
+  apply LetAttr_no_recs_wp.
+  { by apply no_recs_attr_subst. }
+  rewrite /= !map_fmap_singleton /= right_id_L.
+  rewrite (map_fmap_compose attr_expr) lookup_fmap union_kinded_abs.
+  rewrite !lookup_fmap.
+  apply LetAttr_no_recs_wp.
+  { by apply no_recs_insert. }
+  rewrite /= map_fmap_singleton lookup_singleton lookup_singleton_ne //=.
+  rewrite union_kinded_with.
+  apply BinOp_wp.
+  apply Id_wp, Lit_wp; first done. eexists; split; [constructor|].
+  apply Id_wp, Lit_wp; first done.
+  eexists; split; [done|]. by apply Lit_wp.
+Qed.
+Definition neg := λ: "b", if: "b" then false else true.
+Lemma neg_wp μ (Φ : expr → Prop) e :
+  wp SHALLOW e (λ e', ∃ b : bool, e' = b ∧ Φ (negb b)) →
+  wp μ (neg e) Φ.
+Proof.
+  intros Hwp. apply β_wp. rewrite /= lookup_singleton /=.
+  apply If_wp, Id_wp. eapply wp_mono; [done|].
+  intros ? (b & -> & ?). exists b; split; [done|].
+  destruct b; by apply Lit_wp.
+Qed.
+(* rec { f = x: if x = 0 then true else !(f (x - 1)); }.f n *)
+Definition even_rec_attr :=
+  EAttr {[ "f" := AttrR (λ: "x", if: "x" =: 0 then true else neg ("f" ("x" -: 1))) ]} .: "f".
+Lemma even_rec_attr_wp e n :
+  0 ≤ n ≤ int_max →
+  wp SHALLOW e (.= n) →
+  wp SHALLOW (even_rec_attr e) (.= Z.even n).
+Proof.
+  intros Hn Hwp. apply App_wp.
+  revert e Hwp. induction (Z.lt_wf 0 n) as [n _ IH]; intros e Hwp.
+  apply BinOp_wp. apply Attr_wp_shallow.
+  eexists; split; [by constructor|].
+  apply Lit_wp; [done|]. eexists; split; [by eexists|].
+  rewrite /=. apply Abs_wp, β_wp.
+  rewrite /= !lookup_singleton /= !lookup_singleton_ne //=.
+  rewrite !union_with_None_l !union_with_None_r.
+  rewrite /indirects map_imap_insert map_imap_empty lookup_insert.
+  rewrite -/even_rec_attr -/neg.
+  apply If_wp, BinOp_wp, Id_wp.
+  eapply wp_mono; [apply Hwp|]; intros ? ->.
+  eexists; split; [by constructor|].
+  apply Lit_wp; [done|]. eexists; split; [by eexists|]. simpl.
+  destruct (n =? 0) eqn:Hn0; (apply Lit_wp; [done|]; eexists; split; [done|]; simpl).
+  { apply Lit_wp; [done|]. by apply Z.eqb_eq in Hn0 as ->. }
+  apply neg_wp, App_wp, Id_wp.
+  eapply wp_mono; [apply (IH (n-1))|]; [lia..| |].
+  2:{ intros e' He'. eapply wp_mono; [apply He'|].
+      intros ? ->. eexists; split; [done|].
+      by rewrite Z.negb_even Z.sub_1_r Z.odd_pred. }
+  eapply BinOp_wp, Id_wp. eapply wp_mono; [apply Hwp|]. intros ? ->.
+  eexists; split; [by constructor|]. apply Lit_wp; [done|].
+  eexists; split; [eexists _, _; split_and!; [done| |done]|].
+  - rewrite /= option_guard_True //. apply bool_decide_pack.
+    rewrite /int_min Z.shiftl_mul_pow2 //. lia.
+  - apply Lit_wp; [|done]. apply bool_decide_pack.
+    rewrite /int_min Z.shiftl_mul_pow2 //. lia.
+Qed.
+Lemma even_rec_attr_wp' n :
+  0 ≤ n ≤ int_max →
+  wp SHALLOW (even_rec_attr n) (.= Z.even n).
+Proof.
+  intros ?. apply even_rec_attr_wp; [done|]. apply Lit_wp; [|done].
+  rewrite /= /int_ok. apply bool_decide_pack.
+  rewrite /int_min Z.shiftl_mul_pow2 //. lia.
+Qed.
+(* { "__functor " = r: x: if x == 0 then true else !(r (x - 1)); } n *)
+Definition even_rec_functor :=
+  EAttr {[ "__functor" :=
+    AttrN (λ: "r" "x", if: "x" =: 0 then true else neg ("r" ("x" -: 1))) ]}.
+Lemma even_rec_functor_wp e n :
+  0 ≤ n ≤ int_max →
+  wp SHALLOW e (.= n) →
+  wp SHALLOW (even_rec_functor e) (.= Z.even n).
+Proof.
+  intros Hn Hwp. apply App_wp.
+  revert e Hwp. induction (Z.lt_wf 0 n) as [n _ IH]; intros e Hwp.
+  apply Attr_wp_shallow. rewrite map_fmap_singleton /=. eapply Functor_wp.
+  { by apply no_recs_insert. }
+  { done. }
+  apply App_wp. apply β_wp.
+  rewrite /= !lookup_singleton !lookup_singleton_ne //=. apply Abs_wp, β_wp.
+  rewrite /= !lookup_singleton /= !lookup_singleton_ne //=.
+  rewrite -/even_rec_functor -/neg.
+  apply If_wp, BinOp_wp, Id_wp.
+  eapply wp_mono; [apply Hwp|]; intros ? ->.
+  eexists; split; [by constructor|].
+  apply Lit_wp; [done|]. eexists; split; [by eexists|]. simpl.
+  destruct (n =? 0) eqn:Hn0; (apply Lit_wp; [done|]; eexists; split; [done|]; simpl).
+  { apply Lit_wp; [done|]. by apply Z.eqb_eq in Hn0 as ->. }
+  apply neg_wp, App_wp, Id_wp.
+  eapply wp_mono; [apply (IH (n-1))|]; [lia..| |].
+  2:{ intros e' He'. eapply wp_mono; [apply He'|].
+      intros ? ->. eexists; split; [done|].
+      by rewrite Z.negb_even Z.sub_1_r Z.odd_pred. }
+  eapply BinOp_wp, Id_wp. eapply wp_mono; [apply Hwp|]. intros ? ->.
+  eexists; split; [by constructor|]. apply Lit_wp; [done|].
+  eexists; split; [eexists _, _; split_and!; [done| |done]|].
+  - rewrite /= option_guard_True //. apply bool_decide_pack.
+    rewrite /int_min Z.shiftl_mul_pow2 //. lia.
+  - apply Lit_wp; [|done]. apply bool_decide_pack.
+    rewrite /int_min Z.shiftl_mul_pow2 //. lia.
+Qed.
+Lemma even_rec_functor_wp' n :
+  0 ≤ n ≤ int_max →
+  wp SHALLOW (even_rec_functor n) (.= Z.even n).
+Proof.
+  intros ?. apply even_rec_functor_wp; [done|]. apply Lit_wp; [|done].
+  rewrite /= /int_ok. apply bool_decide_pack.
+  rewrite /int_min Z.shiftl_mul_pow2 //. lia.
+Qed.
+(* ({ f ? (x: if x == 0 then true else !(f (x - 1))) }: f) {} n *)
+Definition even_rec_default :=
+  (λattr:
+    {[ "f" := Some (λ: "x", if: "x" =: 0 then true else neg ("f" ("x" -: 1))) ]}, "f")
+  (EAttr ∅).
+Lemma even_rec_default_wp e n :
+  0 ≤ n ≤ int_max →
+  wp SHALLOW e (.= n) →
+  wp SHALLOW (even_rec_default e) (.= Z.even n).
+Proof.
+  intros Hn Hwp. apply App_wp.
+  eapply βMatch_wp; [done|repeat econstructor|]. simplify_map_eq.
+  rewrite -/even_rec_attr. by apply Id_wp, App_wp, even_rec_attr_wp.
+Qed.
+Lemma even_rec_default_wp' n :
+  0 ≤ n ≤ int_max →
+  wp SHALLOW (even_rec_default n) (.= Z.even n).
+Proof.
+  intros ?. apply even_rec_default_wp; [done|]. apply Lit_wp; [|done].
+  rewrite /= /int_ok. apply bool_decide_pack.
+  rewrite /int_min Z.shiftl_mul_pow2 //. lia.
+Qed.
diff --git a/theories/res.v b/theories/res.v
new file mode 100644
index 0000000..d13bfee
--- /dev/null
+++ b/theories/res.v
@@ -0,0 +1,75 @@
+From mininix Require Export utils.
+From stdpp Require Import options.
+Variant res A :=
+  | Res (x : option A)
+  | NoFuel.
+Arguments Res {_} _.
+Arguments NoFuel {_}.
+Instance res_fail : MFail res := λ {A} _, Res None.
+Instance res_mret : MRet res := λ {A} x, Res (Some x).
+Instance res_mbind : MBind res := λ {A B} f rx,
+  match rx with
+  | Res mx => default mfail (f <$> mx)
+  | NoFuel => NoFuel
+  end.
+Instance res_fmap : FMap res := λ {A B} f rx,
+  match rx with
+  | Res mx => Res (f <$> mx)
+  | NoFuel => NoFuel
+  end.
+Instance Res_inj A : Inj (=) (=) (@Res A).
+Proof. by injection 1. Qed.
+Ltac simplify_res :=
+  repeat match goal with
+  | H : Res _ = mfail |- _ => apply (inj Res) in H
+  | H : mfail = Res _ |- _ => apply (inj Res) in H
+  | H : Res _ = mret _ |- _ => apply (inj Res) in H
+  | H : mret _ = Res _ |- _ => apply (inj Res) in H
+  | _ => progress simplify_eq/=
+  end.
+Lemma mapM_Res_impl {A B} (f g : A → res B) (xs : list A) ys :
+  mapM f xs = Res ys →
+  (∀ x y, f x = Res y → g x = Res y) →
+  mapM g xs = Res ys.
+Proof.
+  intros Hxs Hf. revert ys Hxs.
+  induction xs as [|x xs IH]; intros ys ?; simplify_res; [done|].
+  destruct (f x) as [my|] eqn:?; simplify_res. rewrite (Hf x my) //=.
+  destruct my as [y|]; simplify_res; [|done].
+  destruct (mapM f _) as [mys|]; simplify_res; [|done..].
+  by rewrite (IH _ eq_refl).
+Qed.
+Lemma map_mapM_sorted_Res_impl `{FinMap K M}
+    (R : relation K) `{!RelDecision R, !PartialOrder R, !Total R}
+    {A B} (f g : A → res B) (m1 : M A) m2 :
+  map_mapM_sorted R f m1 = Res m2 →
+  (∀ x y, f x = Res y → g x = Res y) →
+  map_mapM_sorted R g m1 = Res m2.
+Proof.
+  intros Hm Hf. revert m2 Hm.
+  induction m1 as [|i x m1 ?? IH] using (map_sorted_ind R); intros m2.
+  { by rewrite !map_mapM_sorted_empty. }
+  rewrite !map_mapM_sorted_insert //. intros.
+  destruct (f x) as [my|] eqn:?; simplify_res. rewrite (Hf x my) //=.
+  destruct my as [y|]; simplify_res; [|done].
+  destruct (map_mapM_sorted _ f _) as [mm2'|]; simplify_res; [|done..].
+  by rewrite (IH _ eq_refl).
+Qed.
+Lemma mapM_res_app {A B} (f : A → res B) xs1 xs2 :
+  mapM f (xs1 ++ xs2) = ys1 ← mapM f xs1; ys2 ← mapM f xs2; mret (ys1 ++ ys2).
+Proof.
+  induction xs1 as [|x1 xs1 IH]; simpl.
+  { by destruct (mapM f xs2) as [[]|]. }
+  destruct (f x1) as [[y1|]|]; simpl; [|done..].
+  rewrite IH. by destruct (mapM f xs1) as [[]|],  (mapM f xs2) as [[]|].
+Qed.
diff --git a/theories/utils.v b/theories/utils.v
new file mode 100644
index 0000000..0cb1b33
--- /dev/null
+++ b/theories/utils.v
@@ -0,0 +1,275 @@
+(* Stuff that should be upstreamed to std++ *)
+From stdpp Require Export gmap stringmap ssreflect.
+From stdpp Require Import sorting.
+From stdpp Require Import options.
+Set Default Proof Using "Type*".
+(* Succeeds if [t] is syntactically a constructor applied to some arguments.
+Note that Coq's [is_constructor] succeeds on [S], but fails on [S n]. *)
+Ltac is_app_constructor t :=
+  lazymatch t with
+  | ?t _ => is_app_constructor t
+  | _ => is_constructor t
+  end.
+Lemma xorb_True b1 b2 : xorb b1 b2 ↔ ¬(b1 ↔ b2).
+Proof. destruct b1, b2; naive_solver. Qed.
+Definition option_to_eq_Some {A} (mx : option A) : option { x | mx = Some x } :=
+  match mx with
+  | Some x => Some (x ↾ eq_refl)
+  | None => None
+  end.
+(* Premise can probably be weakened to something with [ProofIrrel]. *)
+Lemma option_to_eq_Some_Some `{!EqDecision A} (mx : option A) x (H : mx = Some x) :
+  option_to_eq_Some mx = Some (x ↾ H).
+Proof.
+  destruct mx as [x'|]; simplify_eq/=; f_equal/=.
+  assert (x' = x) as Hx by congruence. destruct Hx.
+  f_equal. apply (proof_irrel _).
+Qed.
+Definition from_sum {A B C} (f : A → C) (g : B → C) (xy : A + B) : C :=
+  match xy with inl x => f x | inr y => g y end.
+Global Instance maybe_String : Maybe2 String := λ s,
+  if s is String a s then Some (a,s) else None.
+Global Instance String_inj a : Inj (=) (=) (String a).
+Proof. by injection 1. Qed.
+Global Instance full_relation_dec {A} : RelDecision (λ _ _ : A, True).
+Proof. unfold RelDecision. apply _. Defined.
+Global Instance prod_relation_dec `{RA : relation A, RB : relation B} :
+  RelDecision RA → RelDecision RB → RelDecision (prod_relation RA RB).
+Proof. unfold RelDecision. apply _. Defined.
+Global Hint Extern 0 (from_option _ _ _) => progress simpl : core.
+Definition map_sum_with `{MapFold K A M} (f : A → nat) : M → nat :=
+  map_fold (λ _, plus ∘ f) 0.
+Lemma map_sum_with_lookup_le `{FinMap K M} {A} (f : A → nat) (m : M A) i x :
+  m !! i = Some x → f x ≤ map_sum_with f m.
+Proof.
+  intros. rewrite /map_sum_with (map_fold_delete_L _ _ i x m) /=; auto with lia.
+Qed.
+Lemma map_Forall2_dom `{FinMapDom K M C} {A B} (P : K → A → B → Prop)
+    (m1 : M A) (m2 : M B) :
+  map_Forall2 P m1 m2 → dom m1 ≡ dom m2.
+Proof.
+  revert m2. induction m1 as [|i x1 m1 ? IH] using map_ind; intros m2.
+  { intros ->%map_Forall2_empty_inv_l. by rewrite !dom_empty. }
+  intros (x2 & m2' & -> & ? & ? & ?)%map_Forall2_insert_inv_l; last done.
+  rewrite !dom_insert IH //.
+Qed.
+Lemma map_Forall2_dom_L `{FinMapDom K M C, !LeibnizEquiv C} {A B}
+    (P : K → A → B → Prop) (m1 : M A) (m2 : M B) :
+  map_Forall2 P m1 m2 → dom m1 = dom m2.
+Proof. unfold_leibniz. apply map_Forall2_dom. Qed.
+Definition map_mapM
+    `{!∀ A, MapFold K A (M A), !∀ A, Empty (M A), !∀ A, Insert K A (M A)}
+    `{MBind F, MRet F} {A B} (f : A → F B) (m : M A) : F (M B) :=
+  map_fold (λ i x mm, y ← f x; m ← mm; mret $ <[i:=y]> m) (mret ∅) m.
+Section fin_map.
+  Context `{FinMap K M}.
+  Lemma map_insert_inv_eq {A} {m1 m2 : M A} x v u :
+    m1 !! x = None →
+    m2 !! x = None →
+    <[x:=v]> m1 = <[x:=u]> m2 →
+    v = u ∧ m1 = m2.
+  Proof.
+    intros Hm1 Hm2 Heq. split.
+    - assert (Huv : <[x:=v]> m1 !! x = Some v). { apply lookup_insert. }
+      rewrite Heq lookup_insert in Huv. by injection Huv as ->.
+    - apply map_eq. intros i.
+      replace m1 with (delete x (<[x:=v]> m1)) by (apply delete_insert; done).
+      replace m2 with (delete x (<[x:=u]> m2)) by (apply delete_insert; done).
+      by rewrite Heq.
+  Qed.
+  
+  Lemma map_insert_inv_ne {A} {m1 m2 : M A} x1 x2 v1 v2 :
+    x1 ≠ x2 →
+    m1 !! x1 = None →
+    m2 !! x2 = None →
+    <[x1:=v1]> m1 = <[x2:=v2]> m2 →
+    m1 !! x2 = Some v2 ∧ m2 !! x1 = Some v1 ∧ delete x2 m1 = delete x1 m2.
+  Proof.
+    intros Hx1x2 Hm1 Hm2 Hm1m2. rewrite map_eq_iff in Hm1m2. split_and!.
+    - rewrite -(lookup_insert_ne _ x1 _ v1) //  Hm1m2 lookup_insert //.
+    - rewrite -(lookup_insert_ne _ x2 _ v2) // -Hm1m2 lookup_insert //.
+    - apply map_eq. intros y. destruct (decide (y = x1)) as [->|];
+        first rewrite lookup_delete_ne // lookup_delete //.
+      destruct (decide (y = x2)) as [->|];
+        first rewrite lookup_delete lookup_delete_ne //.
+      rewrite !lookup_delete_ne //
+        -(lookup_insert_ne m2 x2 _ v2) //
+        -(lookup_insert_ne m1 x1 _ v1) //.
+  Qed.
+  Lemma map_mapM_empty `{MBind F, MRet F} {A B} (f : A → F B) :
+    map_mapM f (∅ : M A) =@{F (M B)} mret ∅.
+  Proof. unfold map_mapM. by rewrite map_fold_empty. Qed.
+  Lemma map_mapM_insert `{MBind F, MRet F} {A B} (f : A → F B) (m : M A) i x :
+    m !! i = None → map_first_key (<[i:=x]> m) i →
+    map_mapM f (<[i:=x]> m) = y ← f x; m ← map_mapM f m; mret $ <[i:=y]> m.
+  Proof. intros. rewrite /map_mapM map_fold_insert_first_key //. Qed.
+  Lemma map_mapM_insert_option {A B} (f : A → option B) (m : M A) i x :
+    m !! i = None →
+    map_mapM f (<[i:=x]> m) = y ← f x; m ← map_mapM f m; mret $ <[i:=y]> m.
+  Proof.
+    intros. apply: map_fold_insert; [|done].
+    intros ?? z1 z2 my ???. destruct (f z1), (f z2), my; f_equal/=.
+    by apply insert_commute.
+  Qed.
+End fin_map.
+Definition map_minimal_key `{MapFold K A M} (R : relation K) `{!RelDecision R}
+    (m : M) : option K :=
+  map_fold (λ i _ mj,
+    match mj with
+    | Some j => if decide (R i j) then Some i else Some j
+    | None => Some i
+    end) None m.
+Section map_sorted.
+  Context `{FinMap K M} (R : relation K) .
+  Lemma map_minimal_key_None {A} `{!RelDecision R} (m : M A) :
+    map_minimal_key R m = None ↔ m = ∅.
+  Proof.
+    split; [|intros ->; apply map_fold_empty].
+    induction m as [|j x m ?? _] using map_first_key_ind; intros Hm; [done|].
+    rewrite /map_minimal_key map_fold_insert_first_key // in Hm.
+    repeat case_match; simplify_option_eq.
+  Qed.
+  Lemma map_minimal_key_Some_1 {A} `{!RelDecision R, !PreOrder R, !Total R}
+      (m : M A) i :
+    map_minimal_key R m = Some i →
+      is_Some (m !! i) ∧ ∀ j, is_Some (m !! j) → R i j.
+  Proof.
+    revert i. induction m as [|j x m ?? IH] using map_first_key_ind; intros i Hm.
+    { by rewrite /map_minimal_key map_fold_empty in Hm. }
+    rewrite /map_minimal_key map_fold_insert_first_key // in Hm.
+    destruct (map_fold _ _ m) as [i'|] eqn:Hfold; simplify_eq.
+    - apply IH in Hfold as [??]. rewrite lookup_insert_is_Some.
+      case_decide as HR; simplify_eq/=.
+      + split; [by auto|]. intros j [->|[??]]%lookup_insert_is_Some; [done|].
+        trans i'; eauto.
+      + split.
+        { right; split; [|done]. intros ->. by destruct HR. }
+        intros j' [->|[??]]%lookup_insert_is_Some; [|by eauto].
+        by destruct (total R i j').
+    - apply map_minimal_key_None in Hfold as ->.
+      split; [rewrite lookup_insert; by eauto|].
+      intros j' [->|[? Hj']]%lookup_insert_is_Some; [done|].
+      rewrite lookup_empty in Hj'. by destruct Hj'.
+  Qed.
+  Lemma map_minimal_key_Some {A} `{!RelDecision R, !PartialOrder R, !Total R}
+      (m : M A) i :
+    map_minimal_key R m = Some i ↔
+      is_Some (m !! i) ∧ ∀ j, is_Some (m !! j) → R i j.
+  Proof.
+    split; [apply map_minimal_key_Some_1|].
+    intros [Hi ?]. destruct (map_minimal_key R m) as [i'|] eqn:Hmin.
+    - f_equal. apply map_minimal_key_Some_1 in Hmin as [??].
+      apply (anti_symm R); eauto.
+    - apply map_minimal_key_None in Hmin as ->.
+      rewrite lookup_empty in Hi. by destruct Hi.
+  Qed.
+  Lemma map_sorted_ind {A} `{!PreOrder R, !Total R} (P : M A → Prop) :
+    P ∅ →
+    (∀ i x m,
+      m !! i = None →
+      (∀ j, is_Some (m !! j) → R i j) →
+      P m →
+      P (<[i:=x]> m)) →
+    (∀ m, P m).
+  Proof.
+    intros Hemp Hins m. induction (Nat.lt_wf_0_projected size m) as [m _ IH].
+    cut (m = ∅ ∨ map_Exists (λ i _, ∀ j, is_Some (m !! j) → R i j) m).
+    { intros [->|(i & x & Hi & ?)]; [done|]. rewrite -(insert_delete m i x) //.
+      apply Hins; [by rewrite lookup_delete|..].
+      - intros j ?%lookup_delete_is_Some. naive_solver.
+      - apply IH.
+        rewrite -{2}(insert_delete m i x) // map_size_insert lookup_delete. lia. }
+    clear P Hemp Hins IH. induction m as [|i x m ? IH] using map_ind; [by auto|].
+    right. destruct IH as [->|(i' & x' & ? & ?)].
+    { rewrite insert_empty map_Exists_singleton.
+      by intros j [y [-> ->]%lookup_singleton_Some]. }
+    apply map_Exists_insert; first done. destruct (total R i i').
+    - left. intros j [->|[??]]%lookup_insert_is_Some; [done|]. trans i'; eauto.
+    - right. exists i', x'. split; [done|].
+      intros j [->|[??]]%lookup_insert_is_Some; eauto.
+  Qed.
+End map_sorted.
+Definition map_fold_sorted `{!MapFold K A M} {B}
+    (R : relation K) `{!RelDecision R}
+    (f : K → A → B → B) (b : B)
+    (m : M) : B := foldr (λ '(i,x), f i x) b $
+  merge_sort (prod_relation R (λ _ _, True)) (map_to_list m).
+Definition map_mapM_sorted
+    `{!∀ A, MapFold K A (M A), !∀ A, Empty (M A), !∀ A, Insert K A (M A)}
+    `{MBind F, MRet F} {A B}
+    (R : relation K) `{!RelDecision R}
+    (f : A → F B) (m : M A) : F (M B) :=
+  map_fold_sorted R (λ i x mm, y ← f x; m ← mm; mret $ <[i:=y]> m) (mret ∅) m.
+Section fin_map.
+  Context `{FinMap K M}.
+  Context (R : relation K) `{!RelDecision R, !PartialOrder R, !Total R}.
+  Lemma map_fold_sorted_empty {A B} (f : K → A → B → B) b :
+    map_fold_sorted R f b (∅ : M A) = b.
+  Proof. by rewrite /map_fold_sorted map_to_list_empty. Qed.
+  Lemma map_fold_sorted_insert {A B} (f : K → A → B → B) (m : M A) b i x :
+    m !! i = None → (∀ j, is_Some (m !! j) → R i j) →
+    map_fold_sorted R f b (<[i:=x]> m) = f i x (map_fold_sorted R f b m).
+  Proof.
+    intros Hi Hleast. unfold map_fold_sorted.
+    set (R' := prod_relation R _).
+    assert (PreOrder R').
+    { split; [done|].
+      intros [??] [??] [??] [??] [??]; split; [by etrans|done]. }
+    assert (Total R').
+    { intros [i1 ?] [i2 ?]. destruct (total R i1 i2); [by left|by right]. }
+    assert (merge_sort R' (map_to_list (<[i:=x]> m))
+      = (i,x) :: merge_sort R' (map_to_list m)) as ->; [|done].
+    eapply (Sorted_unique_strong R').
+    - intros [i1 y1] [i2 y2].
+      rewrite !merge_sort_Permutation elem_of_cons !elem_of_map_to_list.
+      rewrite lookup_insert_Some. intros ?? [? _] [? _].
+      assert (i1 = i2) as -> by (by apply (anti_symm R)); naive_solver.
+    - apply (Sorted_merge_sort _).
+    - apply Sorted_cons; [apply (Sorted_merge_sort _)|].
+      destruct (merge_sort R' (map_to_list m))
+        as [|[i' x'] ixs] eqn:Hixs; repeat constructor; simpl.
+      apply Hleast. exists x'. apply elem_of_map_to_list.
+      rewrite -(merge_sort_Permutation R' (map_to_list m)) Hixs. left.
+    - by rewrite !merge_sort_Permutation map_to_list_insert.
+  Qed.
+  Lemma map_mapM_sorted_empty `{MBind F, MRet F} {A B} (f : A → F B) :
+    map_mapM_sorted R f (∅ : M A) =@{F (M B)} mret ∅.
+  Proof. by rewrite /map_mapM_sorted map_fold_sorted_empty. Qed.
+  Lemma map_mapM_sorted_insert `{MBind F, MRet F}
+      {A B} (f : A → F B) (m : M A) i x :
+    m !! i = None → (∀ j, is_Some (m !! j) → R i j) →
+    map_mapM_sorted R f (<[i:=x]> m)
+    = y ← f x; m ← map_mapM_sorted R f m; mret $ <[i:=y]> m.
+  Proof. intros. by rewrite /map_mapM_sorted map_fold_sorted_insert. Qed.
+End fin_map.