Theory Eg1Eg2RefinementSimple

theory Eg1Eg2RefinementSimple
imports Eg1Eg2
begin

context sifum_refinement_eg1_eg2
begin

inductive_set RelS_Eg1Eg2 :: "(
    (((var, aexp, bexp) Stmt × (Mode ⇒ var set)) × (var ⇒ val)) ×
     ((var⇩C, aexp⇩C, bexp⇩C) Stmt × (Mode ⇒ var⇩C set)) × (var⇩C ⇒ val)
    ) set"
where
  acq_mode_rel: "⟦c⇩A = ModeDecl Skip (Acq x SomeMode) ;; c⇩A_tail;
    c⇩C = ModeDecl Skip (Acq (Eg2_var⇩C_of_Eg1 x) SomeMode) ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  rel_mode_rel: "⟦c⇩A = ModeDecl Skip (Rel x SomeMode);
    c⇩C = ModeDecl Skip (Rel (Eg2_var⇩C_of_Eg1 x) SomeMode);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop, mds⇩C', mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  assign_load_rel: "⟦c⇩A = (x ← aexp.Load y) ;; c⇩A_tail;
    c⇩C = ((Eg2_var⇩C_of_Eg1 x) ← aexp⇩C.Load (Eg2_var⇩C_of_Eg1 y)) ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ― ‹With this requirement it is possible to establish ‹x ∉ mds⇩A GuarNoReadOrWrite›.›
    ⌦‹x ≠ y;›
    ― ‹However since we've deemed it reasonable to require ‹x ∉ mds⇩A GuarNoWrite›,›
    ― ‹it makes little sense not to just require ‹x ∉ mds⇩A GuarNoReadOrWrite› as well.›
    x ∉ mds⇩A GuarNoReadOrWrite;
    ― ‹Without this requirement, we would have to prove preservation of ‹doesnt_modify c x››
    ― ‹because ‹x ∈ mds⇩A GuarNoWrite› holds in the case where ‹mem⇩A x = mem⇩A y›.›
    ― ‹It makes more sense just to assume a blanket ban on this guarantee for this instruction,›
    ― ‹seeing as it is clearly a write operation to ‹x›.›
    x ∉ mds⇩A GuarNoWrite;
    ― ‹This command loads from ‹y›, so it makes little sense to guarantee we're not reading it›
    y ∉ mds⇩A GuarNoReadOrWrite;
    ― ‹Requirements for sound mode use preservation for variables other than ‹x› and ‹y››
    x ∉ 𝒞;
    y ∉ 𝒞;
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  assign_const_rel: "⟦c⇩A = (x ← aexp.Const z) ;; c⇩A_tail;
    c⇩C = ((Eg2_var⇩C_of_Eg1 x) ← aexp⇩C.Const z) ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∉ mds⇩A GuarNoReadOrWrite;
    x ∉ mds⇩A GuarNoWrite;
    x ∉ 𝒞;
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  if_reg_load_rel: "⟦
    c⇩A = (If (Eg1.Eq x 0) c⇩A_then c⇩A_else) ;; c⇩A_tail;
    c⇩C = (reg⇩C ← (Load (Eg2_var⇩C_of_Eg1 x))) ;; ((If (Eq reg⇩C 0) c⇩C_then c⇩C_else) ;; c⇩C_tail);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    reg⇩C ∉ mds⇩C GuarNoReadOrWrite;
    reg⇩C ∉ mds⇩C GuarNoWrite;
    x ∉ mds⇩A GuarNoReadOrWrite;
    ― ‹Nope: need to make this one versatile enough to allow ‹c = control_var› for our example›
    ⌦‹x ∉ 𝒞;›
    ∀x'. x ∈ 𝒞_vars x' ⟶ x' ∉ mds⇩A GuarNoReadOrWrite;
    (∀mem⇩A' mem⇩C' mem⇩A'' mem⇩C''.
        (
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹The change in ‹mem⇩C› does not affect ‹mem⇩A››
         mem⇩A'' = mem⇩A' ∧
         ― ‹The concrete and abstract versions of the bool condition must become consistent›
         ev⇩B⇩C mem⇩C' (Eq reg⇩C 0) = ev⇩B mem⇩A' (Eg1.Eq x 0) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
          ⟨Stop ;; (If (Eq reg⇩C 0) c⇩C_then c⇩C_else) ;; c⇩C_tail, mds⇩C, mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A,
          ⟨Stop ;; (If (Eq reg⇩C 0) c⇩C_then c⇩C_else) ;; c⇩C_tail, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2)
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  if_reg_stop_rel: "⟦
    c⇩A = (If (Eg1.Eq x 0) c⇩A_then c⇩A_else) ;; c⇩A_tail;
    c⇩C = Stop ;; ((If (Eq reg⇩C 0) c⇩C_then c⇩C_else) ;; c⇩C_tail);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∈ mds⇩A AsmNoWrite ∧ x ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹Likely we will need to carry this through to the ‹if_reg_rel› case.›
    ev⇩B⇩C mem⇩C (Eq reg⇩C 0) = ev⇩B mem⇩A (Eg1.Eq x 0);
    (∀mem⇩A' mem⇩C' mem⇩A'' mem⇩C''.
        (
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹The change in ‹mem⇩C› does not affect ‹mem⇩A››
         mem⇩A'' = mem⇩A' ∧
         ― ‹The concrete and abstract versions of the bool condition must remain consistent›
         ev⇩B⇩C mem⇩C' (Eq reg⇩C 0) = ev⇩B mem⇩A' (Eg1.Eq x 0) ∧
         ev⇩B⇩C mem⇩C'' (Eq reg⇩C 0) = ev⇩B mem⇩A'' (Eg1.Eq x 0) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
          ⟨(If (Eq reg⇩C 0) c⇩C_then c⇩C_else) ;; c⇩C_tail, mds⇩C, mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A,
          ⟨(If (Eq reg⇩C 0) c⇩C_then c⇩C_else) ;; c⇩C_tail, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2)
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  if_reg_rel: "⟦
― ‹Is a more generic version possible for an arbitrary ‹b⇩A›?›
    ⌦‹c⇩A = (If b⇩A c⇩A_then c⇩A_else) ;; c⇩A_tail;›
    ⌦‹b⇩A = Eg1.Eq x 0;›  ― ‹‹ev⇩B mem⇩A b⇩A››
    c⇩A = (If (Eg1.Eq x 0) c⇩A_then c⇩A_else) ;; c⇩A_tail;
    c⇩C = (If (Eq reg⇩C 0) c⇩C_then c⇩C_else) ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∈ mds⇩A AsmNoWrite ∧ x ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹The concrete and abstract versions of the bool condition must have remained consistent›
    ev⇩B⇩C mem⇩C (Eq reg⇩C 0) = ev⇩B mem⇩A (Eg1.Eq x 0);
    ― ‹As for ‹if_reg_load_rel››
    reg⇩C ∉ mds⇩C GuarNoReadOrWrite;
    reg⇩C ∉ mds⇩C GuarNoWrite;
    x ∉ mds⇩A GuarNoReadOrWrite;
    ∀x'. x ∈ 𝒞_vars x' ⟶ x' ∉ mds⇩A GuarNoReadOrWrite;
    (∀mem⇩A' mem⇩C' mem⇩A'' mem⇩C''.
       mem⇩A' = mem⇩A_of mem⇩C' ∧
       mem⇩A'' = mem⇩A_of mem⇩C'' ∧
       ev⇩B⇩C mem⇩C'' (Eq reg⇩C 0) = ev⇩B mem⇩A'' (Eg1.Eq x 0) ∧
       ev⇩B⇩C mem⇩C' (Eq reg⇩C 0) = ev⇩B mem⇩A' (Eg1.Eq x 0) ∧
       (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A,
        ⟨(if (ev⇩B mem⇩A'' (Eg1.Eq x 0)) then c⇩A_then else c⇩A_else) ;; c⇩A_tail, mds⇩A, mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
       (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
        ⟨(if (ev⇩B⇩C mem⇩C'' (Eq reg⇩C 0)) then c⇩C_then else c⇩C_else) ;; c⇩C_tail, mds⇩C, mem⇩C'⟩⇩C) ∈ C.eval⇩w
       ⟶
       (⟨(if (ev⇩B mem⇩A'' (Eg1.Eq x 0)) then c⇩A_then else c⇩A_else) ;; c⇩A_tail, mds⇩A, mem⇩A'⟩⇩A,
        ⟨(if (ev⇩B⇩C mem⇩C'' (Eq reg⇩C 0)) then c⇩C_then else c⇩C_else) ;; c⇩C_tail, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2);
    ― ‹Disallow branching on variables that can potentially be in the high domain›
    x ≠ buffer ∧ x ≠ high_var
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  stop_seq_rel: "⟦c⇩A = Stop ;; c⇩A_tail;
    c⇩C = Stop ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (⟨c⇩A_tail, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C_tail, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" |

  stop_rel:
    "(⟨Stop, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A, ⟨Stop, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2"


definition abs_steps' :: "(_,_,_) Stmt ⇒ (_,_,_) Stmt ⇒ nat" where
  "abs_steps' c⇩A c⇩C ≡
    (if (∃x m c⇩A_tail. c⇩A = ((Skip@[x +=⇩m m]) ;; c⇩A_tail)) ∧
        (∃x m c⇩C_tail. c⇩C = ((Skip@[Eg2_var⇩C_of_Eg1 x +=⇩m m]) ;; c⇩C_tail)) then (Suc 0)
     else if (∃ c⇩A_tail c⇩C_tail. c⇩A = (Stop ;; c⇩A_tail) ∧ c⇩C = (Stop ;; c⇩C_tail)) then (Suc 0)
     else if (∃ x then⇩A else⇩A tail⇩A then⇩C else⇩C tail⇩C.
        c⇩A = (Stmt.If (bexp.Eq x 0) then⇩A else⇩A ;; tail⇩A) ∧
        (c⇩C = ((reg⇩C ← aexp⇩C.Load (Eg2_var⇩C_of_Eg1 x)) ;; Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C)) ∨
         c⇩C = (Stop ;; Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C))
        then 0
     else (Suc 0))"

fun abs_steps
where
"abs_steps ⟨c⇩A, _, _⟩⇩A ⟨c⇩C, _, _⟩⇩C = abs_steps' c⇩A c⇩C"

lemma closed_others_RelS_Eg1Eg2:
  "closed_others RelS_Eg1Eg2"
unfolding closed_others_def
proof(clarify)
fix c⇩A c⇩C mds⇩C mem⇩C mem⇩C'
assume
  in_rel: "(⟨c⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
    ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" and
  vars: " ∀x. mem⇩C x ≠ mem⇩C' x ⟶ ¬ var_asm_not_written mds⇩C x"
and  dmas: "∀x. dma⇩C mem⇩C x ≠ dma⇩C mem⇩C' x ⟶ ¬ var_asm_not_written mds⇩C x"
from in_rel vars dmas
show "(⟨c⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
  proof (induct rule: RelS_Eg1Eg2.induct)
  case (acq_mode_rel c⇩A x SomeMode tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using acq_mode_rel
    by (simp add:RelS_Eg1Eg2.acq_mode_rel)
  next
  case (rel_mode_rel c⇩A x SomeMode c⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using rel_mode_rel
    by (simp add:RelS_Eg1Eg2.rel_mode_rel)
  next
  case (assign_load_rel c⇩A x y tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using assign_load_rel
    by (simp add:RelS_Eg1Eg2.assign_load_rel)
  next
  case (assign_const_rel c⇩A x z tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using assign_const_rel
    by (simp add:RelS_Eg1Eg2.assign_const_rel)
  next
  case (if_reg_load_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using if_reg_load_rel
    by (simp add:RelS_Eg1Eg2.if_reg_load_rel)
  next
  case (if_reg_stop_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using if_reg_stop_rel
    proof (clarsimp)
      from if_reg_stop_rel.hyps(3,5,6) if_reg_stop_rel.prems(1)
      have reg⇩C_untouched: "mem⇩C reg⇩C = mem⇩C' reg⇩C" and
        x⇩C_untouched: "mem⇩C (Eg2_var⇩C_of_Eg1 x) = mem⇩C' (Eg2_var⇩C_of_Eg1 x)" and
        x⇩A_untouched: "mem⇩A_of mem⇩C x = mem⇩A_of mem⇩C' x"
        using reg⇩C_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C
        by (clarsimp simp:var_asm_not_written_def, blast)+
      with if_reg_stop_rel.hyps
      have conds_still_match: "(mem⇩C' reg⇩C = 0) = (mem⇩A_of mem⇩C' x = 0)"
        by simp
      with if_reg_stop_rel RelS_Eg1Eg2.if_reg_stop_rel
      show "(⟨Stmt.If (bexp.Eq x 0) then⇩A else⇩A ;; tail⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stop ;; Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C, mds⇩C, mem⇩C'⟩⇩C)
             ∈ RelS_Eg1Eg2"
        by clarsimp
    qed
  next
  case (if_reg_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using if_reg_rel
    proof (clarsimp)
      from if_reg_rel.hyps(3,5,6) if_reg_rel.prems(1)
      have reg⇩C_untouched: "mem⇩C reg⇩C = mem⇩C' reg⇩C" and
        x⇩C_untouched: "mem⇩C (Eg2_var⇩C_of_Eg1 x) = mem⇩C' (Eg2_var⇩C_of_Eg1 x)" and
        x⇩A_untouched: "mem⇩A_of mem⇩C x = mem⇩A_of mem⇩C' x"
        using reg⇩C_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C
        by (clarsimp simp:var_asm_not_written_def, blast)+
      with if_reg_rel.hyps
      have conds_still_match: "(mem⇩C' reg⇩C = 0) = (mem⇩A_of mem⇩C' x = 0)"
        by simp
      show "(⟨Stmt.If (bexp.Eq x 0) then⇩A else⇩A ;; tail⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C, mds⇩C, mem⇩C'⟩⇩C)
             ∈ RelS_Eg1Eg2"
        apply (rule RelS_Eg1Eg2.if_reg_rel, simp+)
            using if_reg_rel apply simp
           using if_reg_rel apply simp
          using conds_still_match apply simp
         using if_reg_rel apply blast+
        done
    qed
  next
  case (stop_seq_rel c⇩A tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using stop_seq_rel
    by (simp add:RelS_Eg1Eg2.stop_seq_rel)
  next
  case (stop_rel mds⇩C mem⇩C)
  show ?case by (simp add:RelS_Eg1Eg2.stop_rel)
  qed
qed

lemma preserves_modes_mem_RelS_Eg1Eg2:
  "preserves_modes_mem RelS_Eg1Eg2"
unfolding preserves_modes_mem_def2
proof(clarsimp)
  fix c⇩A mds⇩A mem⇩A c⇩C mds⇩C mem⇩C
  assume in_rel: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2"
  thus "mem⇩A = mem⇩A_of mem⇩C ∧ mds⇩A = mds⇩A_of mds⇩C"
    by (cases rule:RelS_Eg1Eg2.cases, blast+)
qed

(* Just some exploration to see what's likely to be needed *)

lemma mem_twist_other: "z ≠ x ⟹ z ≠ y ⟹ mem (x := mem y, z := v) = mem (z := v, x := (mem (z := v)) y)"
  by (simp add: fun_upd_other fun_upd_twist)

lemma reg⇩C_load_helper:
  "x⇩C ≠ Eg2_var⇩C_of_Eg1 x ⟹
   (⟨reg⇩C ← aexp⇩C.Load (Eg2_var⇩C_of_Eg1 x), mds, mem(x⇩C := v)⟩⇩C, ⟨Stop, mds, mem
            (x⇩C := v, reg⇩C := mem (Eg2_var⇩C_of_Eg1 x))⟩⇩C) =
   (⟨reg⇩C ← aexp⇩C.Load (Eg2_var⇩C_of_Eg1 x), mds, mem(x⇩C := v)⟩⇩C, ⟨Stop, mds, mem
            (x⇩C := v, reg⇩C := (mem(x⇩C := v)) (Eg2_var⇩C_of_Eg1 x))⟩⇩C)"
  using fun_upd_other by simp

lemma preserves_local_guarantee_compliance_RelS_Eg1Eg2:
  "preserves_local_guarantee_compliance RelS_Eg1Eg2"
proof(clarsimp simp:preserves_local_guarantee_compliance_def2)
  fix c⇩A mds⇩A mem⇩A c⇩C mds⇩C mem⇩C
  assume in_RelS: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" and
    respects⇩A: "A.respects_own_guarantees (c⇩A, mds⇩A)"
  thus "conc.respects_own_guarantees (c⇩C, mds⇩C)"
  unfolding conc.respects_own_guarantees_def conc.doesnt_read_or_modify_def conc.doesnt_read_or_modify_vars_def conc.doesnt_modify_def
  proof(induct rule:RelS_Eg1Eg2.induct)
    case (acq_mode_rel c⇩A x m tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      from acq_mode_rel.hyps(2-3)
      show ?case using C.decl_eval⇩w' C.eval⇩w.seq C.seq_decl_elim by fastforce+
    next
    case (rel_mode_rel c⇩A x m c⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      from rel_mode_rel.hyps(2-3)
      show ?case using C.decl_eval⇩w' C.eval⇩w.seq C.seq_decl_elim by fastforce+
    next
    case (assign_load_rel c⇩A x y tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      hence in_RelS: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2"
        by (simp add:RelS_Eg1Eg2.intros(3))

      from assign_load_rel.prems show ?case
      proof (clarify)
        assume respects⇩A: "A.respects_own_guarantees (c⇩A, mds⇩A)"
        fix x⇩C
        let ?case_x⇩C = "(x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoReadOrWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   (∀x∈{x⇩C} ∪ 𝒞_vars⇩C x⇩C.
                       ∀v. (⟨fst (c⇩C, mds⇩C), mds, mem(x := v)⟩⇩C, ⟨c', mds', mem'(x := v)⟩⇩C)
                           ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C))) ∧
              (x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   mem x⇩C = mem' x⇩C ∧ dma⇩C mem x⇩C = dma⇩C mem' x⇩C))"

        (* For x⇩C = x, we have to argue that the abstract version of x⇩C must have the same
           guarantees as for x⇩C, which yields contradictions in both cases. *)
        from assign_load_rel(3,6,7) preserves_modes_mem_RelS_Eg1Eg2 has_mode⇩A
        have notGuarNoRW_x⇩C: "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite" and
             notGuarNoWrite_x⇩C: "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ x⇩C ∉ mds⇩C GuarNoWrite" by clarsimp+

        (* For x⇩C = y, waive doesnt_read_or_modify using ¬ GuarNoRW y from refinement relation,
           and the proof for doesnt_modify is straightforward *)
        from assign_load_rel(3,8) preserves_modes_mem_RelS_Eg1Eg2 has_mode⇩A
        have "x⇩C = Eg2_var⇩C_of_Eg1 y ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite" by clarsimp
        with assign_load_rel(2)
        have "⟦x⇩C = Eg2_var⇩C_of_Eg1 y; Eg2_var⇩C_of_Eg1 x ∉ 𝒞_vars⇩C x⇩C⟧ ⟹ ?case_x⇩C"
          apply clarsimp
          apply(drule C.seq_assign_elim, clarsimp)
          using 𝒞_vars⇩C_def dma⇩C_def by auto

        (* For all other x⇩C, the proof should be straightforward because c⇩C does not touch x⇩C,
           and we've required that x and y cannot potentially be the control var of x⇩C *)
        moreover have "⟦x⇩C ≠ Eg2_var⇩C_of_Eg1 x; x⇩C ≠ Eg2_var⇩C_of_Eg1 y;
               Eg2_var⇩C_of_Eg1 x ∉ 𝒞_vars⇩C x⇩C; Eg2_var⇩C_of_Eg1 y ∉ 𝒞_vars⇩C x⇩C⟧
              ⟹ ?case_x⇩C"
          using assign_load_rel(2,6) apply safe
             apply(clarsimp, drule C.seq_assign_elim)
             apply(simp add: mem_twist_other C.eval⇩w.seq assign_eval⇩w_load⇩C del:fun_upd_apply)
            apply(clarsimp, drule C.seq_assign_elim, clarsimp)
            apply(subgoal_tac "xa ≠ Eg2_var⇩C_of_Eg1 x ∧ xa ≠ Eg2_var⇩C_of_Eg1 y")
             apply(simp add: mem_twist_other C.eval⇩w.seq assign_eval⇩w_load⇩C del:fun_upd_apply)
            apply blast
           apply(clarsimp, drule C.seq_assign_elim, clarsimp)
          apply(clarsimp, drule C.seq_assign_elim)
          using 𝒞_vars⇩C_def dma⇩C_def by auto

        moreover have "Eg2_var⇩C_of_Eg1 x ∉ 𝒞_vars⇩C x⇩C" and "Eg2_var⇩C_of_Eg1 y ∉ 𝒞_vars⇩C x⇩C"
          using assign_load_rel(9-10) unfolding 𝒞_vars⇩C_def
          by (metis Eg2_var⇩C_of_Eg1.simps(1) A.𝒞_simp empty_iff insert_iff inv_f_eq var⇩C_of_inj)+
        moreover note notGuarNoRW_x⇩C notGuarNoWrite_x⇩C
        moreover have "x⇩C ∉ mds⇩C GuarNoReadOrWrite ⟹ x⇩C ∉ mds⇩C GuarNoWrite ⟹ ?case_x⇩C" by auto
        ultimately show ?case_x⇩C by fastforce
      qed
    next
    case (assign_const_rel c⇩A x z tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      from assign_const_rel.prems show ?case
      proof (clarify)
        assume respects⇩A: "A.respects_own_guarantees (c⇩A, mds⇩A)"
        fix x⇩C
        let ?case_x⇩C = "(x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoReadOrWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   (∀x∈{x⇩C} ∪ 𝒞_vars⇩C x⇩C.
                       ∀v. (⟨fst (c⇩C, mds⇩C), mds, mem(x := v)⟩⇩C, ⟨c', mds', mem'(x := v)⟩⇩C)
                           ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C))) ∧
              (x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   mem x⇩C = mem' x⇩C ∧ dma⇩C mem x⇩C = dma⇩C mem' x⇩C))"
        from assign_const_rel(3,6,7) preserves_modes_mem_RelS_Eg1Eg2 has_mode⇩A
        have notGuarNoRW_x⇩C: "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite" and
             notGuarNoWrite_x⇩C: "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ x⇩C ∉ mds⇩C GuarNoWrite" by clarsimp+

        moreover have "⟦x⇩C ≠ Eg2_var⇩C_of_Eg1 x; Eg2_var⇩C_of_Eg1 x ∉ 𝒞_vars⇩C x⇩C⟧ ⟹ ?case_x⇩C"
          using assign_const_rel(2,8) apply safe
             apply(clarsimp, drule C.seq_assign_elim)
             apply(simp add: fun_upd_twist C.eval⇩w.seq assign_eval⇩w_const⇩C)
            apply(clarsimp, drule C.seq_assign_elim, clarsimp)
            apply(subgoal_tac "xa ≠ Eg2_var⇩C_of_Eg1 x")
             apply(simp add: fun_upd_twist C.eval⇩w.seq assign_eval⇩w_const⇩C)
            apply blast
           apply(clarsimp, drule C.seq_assign_elim, clarsimp)
          apply(clarsimp, drule C.seq_assign_elim)
          using 𝒞_vars⇩C_def dma⇩C_def by auto

        moreover have "Eg2_var⇩C_of_Eg1 x ∉ 𝒞_vars⇩C x⇩C"
          using assign_const_rel(8) unfolding 𝒞_vars⇩C_def
          by (metis Eg2_var⇩C_of_Eg1.simps(1) A.𝒞_simp empty_iff insert_iff inv_f_eq var⇩C_of_inj)
        moreover note notGuarNoRW_x⇩C notGuarNoWrite_x⇩C
        moreover have "x⇩C ∉ mds⇩C GuarNoReadOrWrite ⟹ x⇩C ∉ mds⇩C GuarNoWrite ⟹ ?case_x⇩C" by auto
        ultimately show ?case_x⇩C by fastforce
      qed
    next
    case (if_reg_load_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      from if_reg_load_rel.prems show ?case
      proof (clarify)
        assume respects⇩A: "A.respects_own_guarantees (c⇩A, mds⇩A)"
        fix x⇩C
        let ?case_x⇩C = "(x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoReadOrWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   (∀x∈{x⇩C} ∪ 𝒞_vars⇩C x⇩C.
                       ∀v. (⟨fst (c⇩C, mds⇩C), mds, mem(x := v)⟩⇩C, ⟨c', mds', mem'(x := v)⟩⇩C)
                           ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C))) ∧
              (x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   mem x⇩C = mem' x⇩C ∧ dma⇩C mem x⇩C = dma⇩C mem' x⇩C))"
        (* For x⇩C = x, waive doesnt_read_or_modify using ¬ GuarNoRW x from refinement relation
           (makes sense because it's being read), then doesnt_modify is straightforward *)
        from if_reg_load_rel(3,8) preserves_modes_mem_RelS_Eg1Eg2 has_mode⇩A
        have "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite" by clarsimp
        with if_reg_load_rel(2)
        have "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ ?case_x⇩C"
          apply clarsimp
          apply(drule C.seq_assign_elim, clarsimp)
          using 𝒞_vars⇩C_def dma⇩C_def by auto

        moreover from if_reg_load_rel(2)
        have "⟦x⇩C ≠ reg⇩C; x⇩C ≠ Eg2_var⇩C_of_Eg1 x; reg⇩C ∉ 𝒞_vars⇩C x⇩C;
               Eg2_var⇩C_of_Eg1 x ∈ 𝒞_vars⇩C x⇩C ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite⟧ ⟹ ?case_x⇩C"
          apply safe
             apply(clarsimp, drule C.seq_assign_elim)
             apply(simp add:fun_upd_twist del:fun_upd_apply)
             apply(rule C.eval⇩w.seq, clarsimp)
             apply(simp add:reg⇩C_load_helper del:fun_upd_apply)
             apply(rule assign_eval⇩w_load⇩C)
            apply(clarsimp, drule C.seq_assign_elim)
            apply(simp add:fun_upd_twist del:fun_upd_apply)
            apply(rule C.eval⇩w.seq, clarsimp)
            apply(subgoal_tac "xa ≠ Eg2_var⇩C_of_Eg1 x ∧ xa ≠ reg⇩C")
             apply clarsimp
             apply(simp add:fun_upd_twist reg⇩C_load_helper assign_eval⇩w_load⇩C del:fun_upd_apply)
            apply blast
           apply(clarsimp, drule C.seq_assign_elim, clarsimp)
          apply(clarsimp, drule C.seq_assign_elim)
          using 𝒞_vars⇩C_def dma⇩C_def by auto
        moreover from if_reg_load_rel(3,9)
        have "Eg2_var⇩C_of_Eg1 x ∈ 𝒞_vars⇩C x⇩C ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite"
          by (metis Eg2_var⇩C_of_Eg1.simps(1-2) 𝒞_vars⇩C_def 𝒞_vars_def empty_iff has_mode⇩A insert_iff inv_f_f var⇩C_of_inj)

        (* We waive cases where x⇩C = reg⇩C by requiring ¬ GuarNoRW reg⇩C and ¬ GuarNoWrite reg⇩C
           which makes sense if we consider concrete-only variables like reg⇩C to be private.
           Furthermore we establish that reg⇩C cannot be a control var.  *)
        moreover have "x⇩C = reg⇩C ⟹ ?case_x⇩C"
          using if_reg_load_rel(6-7) by clarsimp
        moreover have "reg⇩C ∉ 𝒞_vars⇩C x⇩C"
          using reg⇩C_is_not_the_var⇩C_of_anything 𝒞_vars⇩C_def by clarsimp
        ultimately show ?case_x⇩C by fastforce
      qed
    next
    case (if_reg_stop_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      from if_reg_stop_rel(2) show ?case
        by (metis C.seq_stop_elim C.seq_stop_eval⇩w fst_conv)
    next
    case (if_reg_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      from if_reg_rel.prems show ?case
      proof (clarify)
        assume respects⇩A: "A.respects_own_guarantees (c⇩A, mds⇩A)"
        fix x⇩C
        let ?case_x⇩C = "(x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoReadOrWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   (∀x∈{x⇩C} ∪ 𝒞_vars⇩C x⇩C.
                       ∀v. (⟨fst (c⇩C, mds⇩C), mds, mem(x := v)⟩⇩C, ⟨c', mds', mem'(x := v)⟩⇩C)
                           ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C))) ∧
              (x⇩C ∈ snd (c⇩C, mds⇩C) GuarNoWrite ⟶
               (∀mds mem c' mds' mem'.
                   (⟨fst (c⇩C, mds⇩C), mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C)
                   ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
                   mem x⇩C = mem' x⇩C ∧ dma⇩C mem x⇩C = dma⇩C mem' x⇩C))"
        from if_reg_rel(3,10) preserves_modes_mem_RelS_Eg1Eg2 has_mode⇩A
        have "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite" by clarsimp
        with if_reg_rel(2)
        have "x⇩C = Eg2_var⇩C_of_Eg1 x ⟹ ?case_x⇩C"
          apply clarsimp
          apply(drule C.seq_elim, clarsimp)
          using 𝒞_vars⇩C_def dma⇩C_def by auto
        moreover from if_reg_rel(2)
        have "⟦x⇩C ≠ reg⇩C; x⇩C ≠ Eg2_var⇩C_of_Eg1 x; reg⇩C ∉ 𝒞_vars⇩C x⇩C;
            Eg2_var⇩C_of_Eg1 x ∈ 𝒞_vars⇩C x⇩C ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite⟧ ⟹ ?case_x⇩C"
          apply safe
             apply(subgoal_tac "(mem(x⇩C := v)) reg⇩C = mem reg⇩C")
              apply clarsimp
              apply(drule C.seq_elim, clarsimp+)
              apply(erule C.if_elim, clarsimp)
               apply(simp add: if_true_eval⇩w⇩C if_false_eval⇩w⇩C)+
            apply(subgoal_tac "xa ≠ Eg2_var⇩C_of_Eg1 x ∧ xa ≠ reg⇩C")
             apply(drule C.seq_elim, clarsimp+)
             apply(erule C.if_elim, clarsimp)
              apply(simp add: if_true_eval⇩w⇩C if_false_eval⇩w⇩C)+
            apply blast
           apply clarsimp
           apply(drule C.seq_elim, clarsimp+)
           apply(erule C.if_elim, clarsimp+)
          apply(drule C.seq_elim, clarsimp+)
          apply(erule C.if_elim, clarsimp+)
          done
        moreover from if_reg_rel(3,11)
        have "Eg2_var⇩C_of_Eg1 x ∈ 𝒞_vars⇩C x⇩C ⟹ x⇩C ∉ mds⇩C GuarNoReadOrWrite"
          by (metis Eg2_var⇩C_of_Eg1.simps(1-2) 𝒞_vars⇩C_def 𝒞_vars_def empty_iff has_mode⇩A insert_iff inv_f_f var⇩C_of_inj)
        moreover have "x⇩C = reg⇩C ⟹ ?case_x⇩C"
          using if_reg_rel(8-9) by clarsimp
        moreover have "reg⇩C ∉ 𝒞_vars⇩C x⇩C"
          using reg⇩C_is_not_the_var⇩C_of_anything 𝒞_vars⇩C_def by clarsimp
        ultimately show ?case_x⇩C by fastforce
      qed
    next
    case (stop_seq_rel c⇩A tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
      from stop_seq_rel(2)
      show ?case by (metis C.seq_stop_elim C.seq_stop_eval⇩w fst_conv)
    next
    case stop_rel
      thus ?case by (simp add: C.stop_no_eval)
  qed
qed

definition mdss⇩A_of :: "((var⇩C Mds) list) ⇒ ((var Mds) list)"
where
  "mdss⇩A_of mdss⇩C = map mds⇩A_of mdss⇩C"

lemma new_vars_private_RelS_Eg1Eg2:
  "sifum_refinement.new_vars_private dma⇩C C.eval⇩w Eg2_var⇩C_of_Eg1 RelS_Eg1Eg2"
unfolding new_vars_private_def
(* Slightly more intuitive goals without simp converting ∨ to ⟶ *)
proof(clarify)
  fix c⇩A mds⇩A mem⇩A c⇩C mds⇩C mem⇩C c⇩C' mds⇩C' mem⇩C'
  assume in_rel: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2" and
      does_eval: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩C', mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w"
  let "?diff_mem v⇩C" = "mem⇩C' v⇩C ≠ mem⇩C v⇩C"
  let "?diff_dma v⇩C" = "dma⇩C mem⇩C' v⇩C < dma⇩C mem⇩C v⇩C"
  let "?conc_only v⇩C" = "v⇩C ∉ range Eg2_var⇩C_of_Eg1"
  show "(∀v⇩C. (?diff_mem v⇩C ∨ ?diff_dma v⇩C) ∧ ?conc_only v⇩C ⟶ v⇩C ∈ mds⇩C' AsmNoReadOrWrite) ∧
         mds⇩C AsmNoReadOrWrite - range Eg2_var⇩C_of_Eg1
         ⊆ mds⇩C' AsmNoReadOrWrite - range Eg2_var⇩C_of_Eg1" (* not sure what to call this one *)
  using in_rel does_eval
  proof(cases rule:RelS_Eg1Eg2.cases)
  case (acq_mode_rel x SomeMode tail⇩A tail⇩C)
    moreover with does_eval
    have "mds⇩C' = mds⇩C (SomeMode := insert (Eg2_var⇩C_of_Eg1 x) (mds⇩C SomeMode))"
      by (metis (mono_tags) C.seq_decl_elim C.update_modes.simps(1))
    ultimately show ?thesis
      by simp
  next
  case (rel_mode_rel x SomeMode)
    moreover with does_eval
    have "mds⇩C' = mds⇩C (SomeMode := {y. y ∈ (mds⇩C SomeMode) ∧ y ≠ (Eg2_var⇩C_of_Eg1 x)})"
      by (metis (mono_tags) C.upd_elim C.skip_elim C.update_modes.simps(2))
    ultimately show ?thesis
      by auto
  next
  case (assign_load_rel x y tail⇩A tail⇩C)
    with does_eval
    show ?thesis
      by (metis C.assign_elim C.seq_elim Stmt.distinct(14) set_eq_subset)
  next
  case (assign_const_rel x z tail⇩A tail⇩C)
    with does_eval
    show ?thesis
      by (metis C.assign_elim C.seq_elim Stmt.distinct(14) set_eq_subset)
  next
  case (if_reg_load_rel x then⇩A else⇩A tail⇩A then⇩C else⇩C tail⇩C)
    with does_eval
    show ?thesis
      by (metis C.assign_elim C.seq_elim Stmt.distinct(14) set_eq_subset)
  next
  case (if_reg_stop_rel x then⇩A else⇩A tail⇩A then⇩C else⇩C tail⇩C)
    with does_eval
    show ?thesis
      by (metis C.seq_stop_elim subset_refl)
  next
  case (if_reg_rel x then⇩A else⇩A tail⇩A then⇩C else⇩C tail⇩C)
    with does_eval
    have mds⇩C_unchanged: "mds⇩C = mds⇩C'"
      by (metis C.if_elim C.seq_elim Stmt.distinct(50))
    moreover with if_reg_rel(5)
    have "∀v⇩C. (?diff_mem v⇩C ∨ ?diff_dma v⇩C) ∧ ?conc_only v⇩C ⟶ v⇩C ∈ mds⇩C' AsmNoReadOrWrite"
      by simp
    moreover from mds⇩C_unchanged
    have "mds⇩C AsmNoReadOrWrite - range Eg2_var⇩C_of_Eg1 ⊆ mds⇩C' AsmNoReadOrWrite - range Eg2_var⇩C_of_Eg1"
      by clarify
    ultimately show ?thesis
      by simp
  next
  case (stop_seq_rel tail⇩A tail⇩C)
    with does_eval C.seq_stop_elim
    show ?thesis
      by blast
  next
  case (stop_rel)
    with does_eval C.stop_no_eval have False by simp
    thus ?thesis by simp
  qed
qed

lemma simple_refinement_safe_RelS_Eg1Eg2:
assumes R_low_mds_eq:
  "⋀c mds mem mem'. (⟨c, mds, mem⟩⇩A, ⟨c, mds, mem'⟩⇩A) ∈ Some_R ⟹ A.low_mds_eq mds mem mem'"
shows
  "sifum_refinement.simple_refinement_safe C.eval⇩w Some_R RelS_Eg1Eg2 abs_steps"
unfolding simple_refinement_safe_def
proof(clarsimp)
  fix c⇩A mds⇩A mem⇩1⇩A mem⇩2⇩A c⇩C mds⇩C mem⇩1⇩C mem⇩2⇩C
  assume in_R: "(⟨c⇩A, mds⇩A, mem⇩1⇩A⟩⇩A, ⟨c⇩A, mds⇩A, mem⇩2⇩A⟩⇩A) ∈ Some_R" and
       in_RelS_1: "(⟨c⇩A, mds⇩A, mem⇩1⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C) ∈ RelS_Eg1Eg2" and
       in_RelS_2: "(⟨c⇩A, mds⇩A, mem⇩2⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RelS_Eg1Eg2"
  show "stops⇩C ⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C = stops⇩C ⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C ∧
       (∀mds⇩1⇩C' mds⇩2⇩C' mem⇩1⇩C' mem⇩2⇩C' c⇩1⇩C' c⇩2⇩C'.
           (⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩1⇩C', mem⇩1⇩C'⟩⇩C) ∈ C.eval⇩w ∧
           (⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩2⇩C', mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w  ⟶
           c⇩1⇩C' = c⇩2⇩C' ∧ mds⇩1⇩C' = mds⇩2⇩C')"
  using in_RelS_1 in_RelS_2
  proof(cases rule:RelS_Eg1Eg2.cases)
  case (acq_mode_rel x m tail⇩A tail⇩C)
    let ?mds⇩C' = "mds⇩C(m := insert (Eg2_var⇩C_of_Eg1 x) (mds⇩C m))"
    from acq_mode_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨Stop ;; tail⇩C, ?mds⇩C', mem⇩1⇩C⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; tail⇩C, ?mds⇩C', mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp add: C.decl_eval⇩w' C.eval⇩w.seq)+
    thus ?thesis unfolding stops⇩C_def using C.eval_det by blast
  next
  case (rel_mode_rel x m)
    let ?mds⇩C' = "mds⇩C(m := {y. y ∈ (mds⇩C m) ∧ y ≠ (Eg2_var⇩C_of_Eg1 x)})"
    from rel_mode_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨Stop, ?mds⇩C', mem⇩1⇩C⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop, ?mds⇩C', mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp add: C.decl_eval⇩w')+
    thus ?thesis unfolding stops⇩C_def using C.eval_det by blast
  next
  case (assign_load_rel x y tail⇩A tail⇩C)
    from assign_load_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨Stop ;; tail⇩C, mds⇩C,
               mem⇩1⇩C((Eg2_var⇩C_of_Eg1 x) := mem⇩1⇩C (Eg2_var⇩C_of_Eg1 y))⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; tail⇩C, mds⇩C,
               mem⇩2⇩C((Eg2_var⇩C_of_Eg1 x) := mem⇩2⇩C (Eg2_var⇩C_of_Eg1 y))⟩⇩C) ∈ C.eval⇩w"
      by (simp add: assign_eval⇩w_load⇩C C.eval⇩w.seq)+
    thus ?thesis unfolding stops⇩C_def using C.eval_det by blast
  next
  case (assign_const_rel x z tail⇩A tail⇩C)
    from assign_const_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨Stop ;; tail⇩C, mds⇩C,
               mem⇩1⇩C((Eg2_var⇩C_of_Eg1 x) := z)⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; tail⇩C, mds⇩C,
               mem⇩2⇩C((Eg2_var⇩C_of_Eg1 x) := z)⟩⇩C) ∈ C.eval⇩w"
      by (simp add: assign_eval⇩w_const⇩C C.eval⇩w.seq)+
    thus ?thesis unfolding stops⇩C_def using C.eval_det by blast
  next
  case (if_reg_load_rel x then⇩A else⇩A tail⇩A then⇩C else⇩C tail⇩C)
    from if_reg_load_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨Stop ;; Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C, mds⇩C,
               mem⇩1⇩C(reg⇩C := mem⇩1⇩C (Eg2_var⇩C_of_Eg1 x))⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C, mds⇩C,
               mem⇩2⇩C(reg⇩C := mem⇩2⇩C (Eg2_var⇩C_of_Eg1 x))⟩⇩C) ∈ C.eval⇩w"
      by (simp add: assign_eval⇩w_load⇩C C.eval⇩w.seq)+
    thus ?thesis unfolding stops⇩C_def using C.eval_det by blast
  next
  case (if_reg_stop_rel x then⇩A else⇩A tail⇩A then⇩C else⇩C tail⇩C)
    from if_reg_stop_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C,
              ⟨Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C, mds⇩C, mem⇩1⇩C⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
              ⟨Stmt.If (bexp⇩C.Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp add: C.seq_stop_eval⇩w)+
    thus ?thesis unfolding stops⇩C_def using C.eval_det by blast
  next
  case (if_reg_rel x then⇩A else⇩A tail⇩A then⇩C else⇩C tail⇩C)
    from if_reg_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C,
              ⟨(if ev⇩B⇩C mem⇩1⇩C (bexp⇩C.Eq reg⇩C 0) then then⇩C else else⇩C) ;; tail⇩C, mds⇩C, mem⇩1⇩C⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
              ⟨(if ev⇩B⇩C mem⇩2⇩C (bexp⇩C.Eq reg⇩C 0) then then⇩C else else⇩C) ;; tail⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp add: if_true_eval⇩w⇩C if_false_eval⇩w⇩C)+
    hence stops_eq: "stops⇩C ⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C = stops⇩C ⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C"
      unfolding stops⇩C_def by blast
    (* Side-conditions ensure both programs take the same branch *)
    from in_R R_low_mds_eq
    have "A.low_mds_eq mds⇩A mem⇩1⇩A mem⇩2⇩A" by clarsimp
    with if_reg_rel(6,13) dma_def
    have "ev⇩B mem⇩1⇩A (bexp.Eq x 0) = ev⇩B mem⇩2⇩A (bexp.Eq x 0)"
      by (simp add:A.low_mds_eq_def)
    with if_reg_rel(1,2,7) in_RelS_2
    have "ev⇩B⇩C mem⇩1⇩C (bexp⇩C.Eq reg⇩C 0) = ev⇩B⇩C mem⇩2⇩C (bexp⇩C.Eq reg⇩C 0)"
      apply clarsimp
      by (cases rule:RelS_Eg1Eg2.cases, simp+)
    with if_reg_rel(1,2) eval_1 eval_2 C.eval_det have
      "(∀mds⇩1⇩C' mds⇩2⇩C' mem⇩1⇩C' mem⇩2⇩C' c⇩1⇩C' c⇩2⇩C'.
           (⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩1⇩C', mem⇩1⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ∧
           (⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩2⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A⇩C ev⇩B⇩C ⟶
           c⇩1⇩C' = c⇩2⇩C' ∧ mds⇩1⇩C' = mds⇩2⇩C')"
      by (clarsimp, blast)
    thus ?thesis using stops_eq by simp
  next
  case (stop_seq_rel tail⇩A tail⇩C)
    from stop_seq_rel have
    eval_1: "(⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨tail⇩C, mds⇩C, mem⇩1⇩C⟩⇩C) ∈ C.eval⇩w" and
    eval_2: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨tail⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp add: C.seq_stop_eval⇩w)+
    thus ?thesis unfolding stops⇩C_def using C.eval_det by blast
  next
  case stop_rel
    with C.stop_no_eval have
      stops_1: "stops⇩C ⟨c⇩C, mds⇩C, mem⇩1⇩C⟩⇩C" and
      stops_2: "stops⇩C ⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C"
      unfolding stops⇩C_def by simp+
    thus ?thesis unfolding stops⇩C_def by auto
  qed
qed

lemma induction_RelS_Eg1Eg2:
notes A.update_modes.simps[simp del]
shows
"(⟨c⇩1⇩A, mds⇩A, mem⇩1⇩A⟩⇩A, ⟨c⇩1⇩C, mds⇩C, mem⇩1⇩C⟩⇩C) ∈ RelS_Eg1Eg2 ⟹
       (⟨c⇩1⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ C.eval⇩w ⟹
       ∃c⇩1⇩A' mds⇩A' mem⇩1⇩A'.
          A.neval ⟨c⇩1⇩A, mds⇩A, mem⇩1⇩A⟩⇩A
           (abs_steps ⟨c⇩1⇩A, mds⇩A, mem⇩1⇩A⟩⇩A ⟨c⇩1⇩C, mds⇩C, mem⇩1⇩C⟩⇩C)
           ⟨c⇩1⇩A', mds⇩A', mem⇩1⇩A'⟩⇩A ∧
          (⟨c⇩1⇩A', mds⇩A', mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
proof(induct rule: RelS_Eg1Eg2.induct)
case (acq_mode_rel c⇩A x m tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  let ?c⇩1⇩A' = "Stop ;; tail⇩A"
  from acq_mode_rel(1,2)
  have abs_steps_acq: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  moreover from acq_mode_rel.prems acq_mode_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C(m := insert (Eg2_var⇩C_of_Eg1 x) (mds⇩C m))" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    by (metis (mono_tags) C.seq_decl_elim C.update_modes.simps(1))+
  moreover from mds⇩C'_def
  have mds⇩A'_def: "?mds⇩A' = A.update_modes (x +=⇩m m) (mds⇩A_of mds⇩C)"
    unfolding A.update_modes.simps
    by(blast intro: mode_acquire_refinement_helper)
  moreover with mem⇩1⇩C'_def acq_mode_rel A.eval⇩w.seq A.decl_eval⇩w
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    by clarsimp
  moreover from acq_mode_rel(5)
  have mds⇩C'_concrete_vars_unwritable:
    "(∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C' AsmNoReadOrWrite)"
    by(auto simp: mds⇩C'_def)
  moreover with acq_mode_rel(6)[simplified] acq_mode_rel.hyps(4) neval⇩A c⇩1⇩C'_def
  have in_Rel': "(⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    by (metis A.neval_Suc_simp One_nat_def acq_mode_rel.prems)
  ultimately show ?case
    by (metis (no_types, opaque_lifting) One_nat_def abs_steps.simps n_not_Suc_n)
next
case (rel_mode_rel c⇩A x m c⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  let ?c⇩1⇩A' = "Stop"
  from rel_mode_rel(1,2)
  have abs_steps_acq: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  moreover from rel_mode_rel.prems rel_mode_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = Stop" and
    mds⇩C'_def: "mds⇩C' = mds⇩C(m := {y. y ∈ (mds⇩C m) ∧ y ≠ (Eg2_var⇩C_of_Eg1 x)})" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    by (metis (mono_tags) C.upd_elim C.skip_elim C.update_modes.simps(2))+
  moreover from mds⇩C'_def
  have mds⇩A'_def: "?mds⇩A' = A.update_modes (x -=⇩m m) (mds⇩A_of mds⇩C)"
    unfolding A.update_modes.simps
    by(blast intro: mode_release_refinement_helper)
  moreover with mem⇩1⇩C'_def rel_mode_rel A.eval⇩w.seq A.decl_eval⇩w
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    by clarsimp
  moreover from rel_mode_rel(5)
  have mds⇩C'_concrete_vars_unwritable:
    "(∀v⇩C. v⇩C ∉ range Eg2_var⇩C_of_Eg1 ⟶ v⇩C ∈ mds⇩C' AsmNoReadOrWrite)"
    by(auto simp: mds⇩C'_def)
  moreover with rel_mode_rel(6)[simplified] rel_mode_rel.hyps(4) neval⇩A c⇩1⇩C'_def
  have in_Rel': "(⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    by (metis A.neval_Suc_simp One_nat_def rel_mode_rel.prems)
  ultimately show ?case
    by (metis (no_types, opaque_lifting) One_nat_def abs_steps.simps n_not_Suc_n)
next
case (assign_load_rel c⇩A x y tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "Stop ;; tail⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from assign_load_rel(1,2)
  have abs_steps_load: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from assign_load_rel.prems assign_load_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C((Eg2_var⇩C_of_Eg1 x) := mem⇩C (Eg2_var⇩C_of_Eg1 y))"
    using C.seq_elim C.assign_elim C.skip_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(14))+
  from assign_load_rel(1,3,4) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A,⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w" and
    neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using A.eval⇩w.seq assign_eval⇩w_load⇩A mem_assign_refinement_helper_var by simp+
  with assign_load_rel(11)[simplified] assign_load_rel.prems c⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using assign_load_rel.hyps(4-5) mds⇩C'_def by blast
  thus ?case using rel' abs_steps_load neval⇩A by auto
next
case (assign_const_rel c⇩A x z tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "Stop ;; tail⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from assign_const_rel(1,2)
  have abs_steps_const: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from assign_const_rel.prems assign_const_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C((Eg2_var⇩C_of_Eg1 x) := z)"
    using C.seq_elim C.assign_elim C.skip_elim assign_eval⇩w_const⇩C
    by (metis (no_types, lifting) Stmt.distinct(14))+
  from assign_const_rel(1,3,4) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A,⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w" and
    neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using A.eval⇩w.seq assign_eval⇩w_const⇩A mem_assign_refinement_helper_const by simp+
  with assign_const_rel(9)[simplified] assign_const_rel.prems c⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using assign_const_rel.hyps(4) by blast
  thus ?case using rel' abs_steps_const neval⇩A by auto
next
case (if_reg_load_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_reg_load_rel.hyps(1,2)
  have abs_steps_if_reg_load: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_reg_load_rel.prems if_reg_load_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; If (Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(reg⇩C := mem⇩C (Eg2_var⇩C_of_Eg1 x))"
    using C.seq_elim C.assign_elim C.skip_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(14))+
  from if_reg_load_rel(1-4) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using reg⇩C_not_visible_abs conc_only_var_assign_not_visible_abs A.neval.intros(1) by simp+
  with if_reg_load_rel c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    apply clarsimp
    apply(erule_tac x=mem⇩1⇩C' in allE)
    apply(erule_tac impE)
     apply(rule_tac x=mem⇩C in exI)
     apply(rule conjI)
      apply(clarsimp)
     apply(rule conjI)
      apply clarsimp
      apply (simp add: mem⇩A_of_def)
     using if_reg_load_rel.prems mem⇩A_of_def apply blast
    apply clarsimp
    done
  show ?case using rel' abs_steps_if_reg_load neval⇩A by auto
next
case (if_reg_stop_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_reg_stop_rel.hyps(1,2)
  have abs_steps_if_reg_stop: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_reg_stop_rel.prems if_reg_stop_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (If (Eq reg⇩C 0) then⇩C else⇩C ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by simp+
  from if_reg_stop_rel(1-4) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using reg⇩C_not_visible_abs conc_only_var_assign_not_visible_abs A.neval.intros(1) by simp+
  with if_reg_stop_rel c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2" by blast
  show ?case using rel' abs_steps_if_reg_stop neval⇩A by auto
next
case (if_reg_rel c⇩A x then⇩A else⇩A tail⇩A c⇩C then⇩C else⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "if (ev⇩B mem⇩A (bexp.Eq x 0)) then (then⇩A ;; tail⇩A) else (else⇩A ;; tail⇩A)"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_reg_rel(1) if_reg_rel(2)
  have abs_steps_if_reg: "(abs_steps' c⇩A c⇩C) = Suc 0"
    by (simp add:abs_steps'_def)
  from if_reg_rel.prems if_reg_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (if (ev⇩B⇩C mem⇩C (bexp⇩C.Eq reg⇩C 0)) then (then⇩C ;; tail⇩C) else (else⇩C ;; tail⇩C))" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    apply simp_all
    by (drule C.seq_elim, simp, erule exE, clarsimp, erule C.if_elim, clarsimp+)+
  from if_reg_rel(1,3,4) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w"
    using if_seq_eval⇩w_helper⇩A A.if_eval⇩w by presburger
  hence neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A (abs_steps' c⇩A c⇩C) ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using abs_steps_if_reg by (simp only:A.neval_Suc_simp)
  from if_reg_rel(3,4,7,12) if_reg_rel.prems c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def eval⇩A
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    by (clarify, presburger)
  show ?case using rel' abs_steps_if_reg neval⇩A by auto
next
case (stop_seq_rel c⇩A tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "tail⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from stop_seq_rel(1,2)
  have abs_steps_stop: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from stop_seq_rel
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by auto
  hence
    neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    rel': "(⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ RelS_Eg1Eg2"
    using stop_seq_rel A.seq_stop_eval⇩w by auto
  thus ?case using abs_steps_stop by auto
next
case stop_rel
  with C.stop_no_eval have False by simp
  thus ?case by simp
qed

definition
  mds⇩0 :: "Mode ⇒ var⇩C set"
where
  "mds⇩0 ≡ λm. case m of AsmNoReadOrWrite ⇒ {reg⇩C} | _ ⇒ {}"

lemma read_buffer_assign_temp_onwards_RelS:
  "(⟨(temp ← aexp.Const 0) ;; (Skip@[temp -=⇩m AsmNoReadOrWrite]),
         mds⇩A_of ((case_Mode {reg⇩C} {} {} {}) (AsmNoWrite := {control_var⇩C},
                  AsmNoReadOrWrite := {temp⇩C, reg⇩C})),
         mem⇩A_of mem⇩C⟩⇩A,
        ⟨(temp⇩C ← aexp⇩C.Const 0) ;; (Skip@[temp⇩C -=⇩m AsmNoReadOrWrite]),
                  (case_Mode {reg⇩C} {} {} {}) (AsmNoWrite := {control_var⇩C},
                  AsmNoReadOrWrite := {temp⇩C, reg⇩C}),
                  mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2"
  (* Assign temp (Const 0) ;; *)
  apply(rule assign_const_rel, simp+)
   apply(clarsimp simp: reg⇩C_the_only_concrete_only_var doesnt_have_mode)+
  apply(drule C.seq_assign_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)
  (* ModeDecl Skip (Rel temp AsmNoReadOrWrite)" *)
  apply(rule rel_mode_rel, simp+)
   apply(clarsimp simp: reg⇩C_the_only_concrete_only_var)+
  apply(rule stop_rel)
  done

lemma read_buffer_RelS:
  "(⟨A.read_buffer, mds⇩A_of mds⇩0, mem⇩A_of mem⇩C⟩⇩A, ⟨C.read_buffer⇩C, mds⇩0, mem⇩C⟩⇩C) ∈ RelS_Eg1Eg2"
  unfolding A.read_buffer_def C.read_buffer⇩C_def mds⇩0_def
  (* ModeDecl Skip (Acq buffer AsmNoWrite) ;; *)
  apply(rule acq_mode_rel, simp+)
   apply(clarsimp simp: reg⇩C_the_only_concrete_only_var)+
  apply(drule C.seq_decl_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)
  (* ModeDecl Skip (Acq temp AsmNoReadOrWrite) ;; *)
  apply(rule acq_mode_rel, simp+)
   apply(clarsimp simp: reg⇩C_the_only_concrete_only_var)+
  apply(drule C.seq_decl_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)
  (* Assign temp (Load buffer) ;; *)
  apply(rule assign_load_rel, simp+)
   apply(clarsimp simp: reg⇩C_the_only_concrete_only_var doesnt_have_mode)+
  apply(drule C.seq_assign_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)
  (* If (Eq control_var 0) (Assign low_var (Load temp)) (Assign high_var (Load temp)) ;; *)
  apply(rule if_reg_load_rel, simp+)
   apply(clarsimp simp: reg⇩C_the_only_concrete_only_var doesnt_have_mode)+
  apply(drule C.seq_assign_elim, clarsimp)
  apply(rule if_reg_stop_rel, simp+)
     apply(clarsimp simp: reg⇩C_the_only_concrete_only_var)
    using has_mode⇩A NoRW⇩A_implies_NoRW⇩C apply fastforce
   apply(clarsimp simp: has_mode⇩A)+
  apply(rule if_reg_rel, simp+)
     apply(clarsimp simp: reg⇩C_the_only_concrete_only_var has_mode⇩A doesnt_have_mode)+
   apply(rule conjI)
    (* (Assign low_var (Load temp)) ;; *)
    apply clarsimp
    apply(rule assign_load_rel, simp+)
     apply(clarsimp simp: reg⇩C_the_only_concrete_only_var doesnt_have_mode)+
     apply(drule C.seq_assign_elim, clarsimp)
    apply(rule stop_seq_rel, simp+)
    apply(rule read_buffer_assign_temp_onwards_RelS)
   (* (Assign high_var (Load temp)) ;; *)
   apply clarsimp
   apply(rule assign_load_rel, simp+)
    apply(clarsimp simp: reg⇩C_the_only_concrete_only_var doesnt_have_mode)+
    apply(drule C.seq_assign_elim, clarsimp)
   apply(rule stop_seq_rel, simp+)
   apply(rule read_buffer_assign_temp_onwards_RelS)
  apply simp
  done

lemma control_var_visible:
  "control_var⇩C ∈ range Eg2_var⇩C_of_Eg1"
  apply(unfold Eg2_var⇩C_of_Eg1_def)
  apply(rule_tac x=control_var in range_eqI)
  apply clarsimp
  done

lemma mds⇩s_A_of_mds⇩0:
  "mds⇩s = mds⇩A_of mds⇩0"
  apply(rule preserves_modes_mem_mds⇩A_simp)
  apply clarsimp
  apply(case_tac m)
     unfolding mds⇩s_def mds⇩0_def mds⇩A_of_def
     apply(clarsimp simp: reg⇩C_not_visible_abs control_var_visible)+
  done

lemma A_of_mds⇩0_is_mds⇩s:
  "mds⇩A_of mds⇩0 = mds⇩s"
  by (simp add: mds⇩s_A_of_mds⇩0)

(* using the bisimulation established by the type system *)

lemma RelS_Eg1Eg2_secure_refinement_simple_ℛ:
  "secure_refinement_simple (A.ℛ Γ 𝒮 P) RelS_Eg1Eg2 abs_steps"
  apply(unfold secure_refinement_simple_def)
  apply(rule conjI)
   apply(rule closed_others_RelS_Eg1Eg2)
  apply(rule conjI)
   apply(rule preserves_modes_mem_RelS_Eg1Eg2)
  apply(rule conjI)
   apply(rule new_vars_private_RelS_Eg1Eg2)
  apply(rule conjI)
   apply(rule simple_refinement_safe_RelS_Eg1Eg2)
   using A.ℛ_to_ℛ⇩3 A.ℛ⇩3_mem_eq apply fast
  apply(rule conjI)
   apply(rule bisim_simple_ℛ)
  apply safe
  apply(drule (1) induction_RelS_Eg1Eg2, clarify)
  done

lemma RelS_Eg1Eg2_secure_refinement_ℛ:
  "secure_refinement (A.ℛ Γ 𝒮 P) RelS_Eg1Eg2 ℐsimple"
  apply(rule secure_refinement_simpler)
  apply(rule secure_refinement_simple)
  apply(rule RelS_Eg1Eg2_secure_refinement_simple_ℛ)
  done

lemma strong_low_bisim_mm_R⇩C_of_RelS_ℛ:
  "conc.strong_low_bisim_mm (R⇩C_of (A.ℛ Γ 𝒮 P) RelS_Eg1Eg2 ℐsimple)"
  apply(rule R⇩C_of_strong_low_bisim_mm)
    apply(rule A.ℛ_bisim)
   apply(rule RelS_Eg1Eg2_secure_refinement_ℛ)
  apply(simp add: sym_def ℐsimple_def)
  done

lemma read_buffer⇩C_secure:
  "conc.low_mds_eq mds⇩0 mem⇩1 mem⇩2 ⟹ ∃ Γ' 𝒮' P'.
   (⟨C.read_buffer⇩C, mds⇩0, mem⇩1⟩⇩C, ⟨C.read_buffer⇩C, mds⇩0, mem⇩2⟩⇩C) ∈ (R⇩C_of (A.ℛ Γ' 𝒮' P') RelS_Eg1Eg2 ℐsimple)"
  apply(insert A.read_buffer_typed[OF HOL.refl HOL.refl HOL.refl])
  apply clarsimp
  apply(rule_tac x=Γ' in exI)
  apply(rule_tac x=a in exI)
  apply(rule_tac x=b in exI)
  apply(rule_tac x=x in exI)
  apply(clarsimp simp: R⇩C_of_def)
  apply(rule_tac x=A.read_buffer in exI)
  apply(rule_tac x="mds⇩A_of mds⇩0" in exI)
  apply(rule_tac x="mem⇩A_of mem⇩1" in exI)
  apply(rule conjI)
   apply(rule read_buffer_RelS)
  apply(rule_tac x=A.read_buffer in exI)
  apply(rule_tac x="mds⇩A_of mds⇩0" in exI)
  apply(rule_tac x="mem⇩A_of mem⇩2" in exI)
  apply(rule conjI)
   apply(rule read_buffer_RelS)
  apply(simp add: A_of_mds⇩0_is_mds⇩s ℐsimple_def)
  apply(drule low_mds_eq_from_conc_to_abs)
  apply(rule A.Typed_in_ℛ, simp)
      unfolding A.tyenv_wellformed_def apply safe
       unfolding A.mds_consistent_def apply clarsimp
      unfolding A.types_wellformed_def mds⇩s_def apply simp
     unfolding A.types_stable_def apply simp
    apply clarsimp
    (* should be easy: low_mds_eq and low var ⟶ equal mem var *)
    unfolding A.low_mds_eq_def apply clarsimp
    apply(rename_tac v, erule_tac x=v in allE)
    apply clarsimp
    apply safe
     apply(clarsimp simp: mds⇩A_of_def mds⇩0_def)
     apply(rename_tac xb, case_tac xb, simp_all)
    apply(case_tac v, clarsimp)
       unfolding dma_def mds⇩0_def mds⇩A_of_def pred_def
       using reg⇩C_not_visible_abs apply auto[4]
   using A.pred_def apply clarsimp
  using A.pred_def apply clarsimp
  done

lemma "conc.com_sifum_secure (C.read_buffer⇩C, mds⇩0)"
  unfolding conc.com_sifum_secure_def conc.low_indistinguishable_def
  apply clarify
  apply(drule_tac read_buffer⇩C_secure)
  apply(erule exE)+
  apply(rule conc.mm_equiv_intro)
   apply(rule_tac Γ=Γ' and 𝒮=𝒮' and P=P' in strong_low_bisim_mm_R⇩C_of_RelS_ℛ)
  by simp

end

end