Theory EgHighBranchRevC

theory EgHighBranchRevC
imports Dependent_SIFUM_Type_Systems.Compositionality
        Dependent_SIFUM_Type_Systems.Language
        "HOL-Eisbach.Eisbach_Tools"
        "../CompositionalRefinement"
begin

text ‹
  Theory for exploring refinement of a program that branches on a high variable.

  The purpose of this particular example is to demonstrate that in order to prove any branching
  on a High-classified variable remains safe when refined to a concrete implementation, it is
  necessary to ensure that the two concrete branches of execution take the same number of steps,
  possibly by skip-padding the one with less steps in it, and provide an appropriate coupling
  invariant to link the corresponding concrete steps of the two branches of the if-statement.
›

type_synonym 'var addr = 'var
type_synonym val = nat
type_synonym 'var mem = "'var addr ⇒ val"

(* Arithmetic expression evaluation *)
datatype 'var aexp = Const "val" |
                     Load "'var addr" |
                     Add "'var aexp" "'var aexp" |
                     Sub "'var aexp" "'var aexp"

fun
  ev⇩A :: "'var mem ⇒ 'var aexp ⇒ val"
where
  "ev⇩A mem (Const v) = v" |
  "ev⇩A mem (Load x) = mem x" |
  "ev⇩A mem (Add x y) = ev⇩A mem x + ev⇩A mem y" |
  "ev⇩A mem (Sub x y) = ev⇩A mem x - ev⇩A mem y"

(* Boolean expression evaluation *)
datatype 'var bexp = Eq "'var aexp" "'var aexp" |
                     Neq "'var aexp" "'var aexp" |
                     Lte "'var aexp" "'var aexp" |
                     Gt "'var aexp" "'var aexp"

fun
  ev⇩B :: "'var mem ⇒ 'var bexp ⇒ bool"
where
  "ev⇩B mem (Eq x y) = (ev⇩A mem x = ev⇩A mem y)" |
  "ev⇩B mem (Neq x y) = (ev⇩A mem x ≠ ev⇩A mem y)" |
  "ev⇩B mem (Lte x y) = (ev⇩A mem x ≤ ev⇩A mem y)" |
  "ev⇩B mem (Gt x y) = (ev⇩A mem x > ev⇩A mem y)"

(* Function that gives the control variables of a given variable.
 * None for this example. *)
definition
  𝒞_vars :: "'var addr ⇒ 'var addr set"
where
  "𝒞_vars x ≡ {}"

(* NB: mds ~ "mode state"
 * mds⇩s is the initial mode state *)
definition
  mds⇩s :: "Mode ⇒ 'var set"
where
  "mds⇩s ≡ λm. case m of AsmNoReadOrWrite ⇒ {} | _ ⇒ {}"

primrec
  aexp_vars :: "'var aexp ⇒ 'var set"
where
  "aexp_vars (Const _) = {}" |
  "aexp_vars (Load v) = {v}" |
  "aexp_vars (Add x y) = aexp_vars x ∪ aexp_vars y" |
  "aexp_vars (Sub x y) = aexp_vars x ∪ aexp_vars y"

fun
  bexp_vars :: "'var bexp ⇒ 'var addr set"
where
  "bexp_vars (Neq x y) = aexp_vars x ∪ aexp_vars y" |
  "bexp_vars (Eq x y) = aexp_vars x ∪ aexp_vars y" |
  "bexp_vars (Lte x y) = aexp_vars x ∪ aexp_vars y" |
  "bexp_vars (Gt x y) = aexp_vars x ∪ aexp_vars y"

fun
  bexp_neg :: "'var bexp ⇒ 'var bexp"
where
  "bexp_neg (Neq x y) = (Eq x y)" |
  "bexp_neg (Eq x y) = (Neq x y)" |
  "bexp_neg (Lte x y) = (Gt x y)" |
  "bexp_neg (Gt x y) = (Lte x y)"

fun
  bexp_assign :: "'var addr ⇒ 'var aexp ⇒ 'var bexp"
where
  "bexp_assign x a = (Eq (Load x) a)"

datatype var = h_var | x_var | y_var | z_var

definition
  dma :: "var mem ⇒ var addr ⇒ Sec"
where
  "dma m x ≡ if x = h_var then High else Low"

type_synonym t_ev⇩A = "var mem ⇒ var aexp ⇒ val"
type_synonym t_ev⇩B = "var mem ⇒ var bexp ⇒ bool"
type_synonym t_aexp_vars = "var aexp ⇒ var set"
type_synonym t_bexp_vars = "var bexp ⇒ var addr set"

locale sifum_example =
  sifum_lang_no_dma "ev⇩A::t_ev⇩A" "ev⇩B::t_ev⇩B" "aexp_vars::t_aexp_vars" "bexp_vars::t_bexp_vars" +
  assumes eval_det: "(lc, lc') ∈ eval⇩w ⟹ (lc, lc'') ∈ eval⇩w ⟹ lc' = lc''"

definition
  𝒞 :: "var addr set"
where
  "𝒞 ≡ ⋃x. 𝒞_vars x"

sublocale sifum_example ⊆  sifum_security dma 𝒞_vars 𝒞 eval⇩w undefined
  apply(unfold_locales)
       apply(blast intro: eval_det)
      apply(rule Var_finite)
     apply(auto simp: 𝒞_vars_def dma_def 𝒞_def split: if_splits)[3]
  apply(auto simp: 𝒞_def)
  done

context sifum_example begin
(*
  y := 0; z := 0;
  x := y;
  if h then x := y
       else x := y + z

  Must have NoWrite z to prevent an agent getting something observable by spiking the value of z.
  Also take NoWrite y & h to simplify reasoning about reg values staying consistent with the mem.
 *)
definition
  prog_high_branch :: "(var addr, var aexp, var bexp) Stmt"
where
  "prog_high_branch ≡
     ModeDecl Skip (Acq h_var AsmNoWrite) ;;
     ModeDecl Skip (Acq y_var AsmNoWrite) ;;
     ModeDecl Skip (Acq z_var AsmNoWrite) ;;
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     )"
end

datatype var⇩C = h_mem | x_mem | y_mem | z_mem | reg0 | reg1 | reg2 | reg3

definition
  dma⇩C :: "var⇩C mem ⇒ var⇩C addr ⇒ Sec"
where
  "dma⇩C m x ≡ if x = h_mem then High else Low"

type_synonym t_ev⇩A⇩C = "var⇩C mem ⇒ var⇩C aexp ⇒ val"
type_synonym t_ev⇩B⇩C = "var⇩C mem ⇒ var⇩C bexp ⇒ bool"
type_synonym t_aexp_vars⇩C = "var⇩C aexp ⇒ var⇩C set"
type_synonym t_bexp_vars⇩C = "var⇩C bexp ⇒ var⇩C addr set"

locale sifum_example⇩C =
  sifum_lang_no_dma "ev⇩A::t_ev⇩A⇩C" "ev⇩B::t_ev⇩B⇩C" "aexp_vars::t_aexp_vars⇩C" "bexp_vars::t_bexp_vars⇩C" +
  assumes eval_det: "(lc, lc') ∈ eval⇩w ⟹ (lc, lc'') ∈ eval⇩w ⟹ lc' = lc''"

definition
  𝒞⇩C :: "var⇩C addr set"
where
  "𝒞⇩C ≡ ⋃x. 𝒞_vars x"

sublocale sifum_example⇩C ⊆  sifum_security dma⇩C 𝒞_vars 𝒞⇩C eval⇩w undefined
  apply(unfold_locales)
       apply(blast intro: eval_det)
      apply(rule Var_finite)
     apply(auto simp: 𝒞_vars_def dma⇩C_def 𝒞_def split: if_splits)[3]
  apply(auto simp: 𝒞⇩C_def)
  done

context sifum_example⇩C begin
(*
  y := 0; z := 0;
  x := y;
  if h
    then
      // "then"-branch: x := y
      NOP ;
      NOP ;
      LOAD r0 y ;
      STORE x r0 ;
    else
      // "else"-branch: x := y + z
      LOAD r1 y ;
      LOAD r2 z ;
      ADD r0 r1 r2 ;
      STORE x r0 ;
 *)
definition
  prog_high_branch⇩C :: "(var⇩C addr, var⇩C aexp, var⇩C bexp) Stmt"
where
  "prog_high_branch⇩C ≡
     ModeDecl Skip (Acq h_mem AsmNoWrite) ;;
     ModeDecl Skip (Acq y_mem AsmNoWrite) ;;
     ModeDecl Skip (Acq z_mem AsmNoWrite) ;;
     ― ‹Just set up the memory to match our assumptions›
     Assign y_mem (Const 0) ;;
     Assign z_mem (Const 0) ;;
     Assign x_mem (Load y_mem) ;;
     ― ‹From this point onwards we model the if-statement using registers.›
     ― ‹Note that we can just as well (re-)use reg0 instead of reg3 - verify with a search-replace.›
     ― ‹Leaving it this way to make the reg usages easier to distinguish for the reader, though.›
     Assign reg3 (Load h_mem) ;;
     If (Neq (Load reg3) (Const 0)) (
       Skip ;;
       Skip ;;
       Assign reg0 (Load y_mem) ;;
       Assign x_mem (Load reg0)
     ) (
       Assign reg1 (Load y_mem) ;;
       Assign reg2 (Load z_mem) ;;
       Assign reg0 (Add (Load reg1) (Load reg2)) ;;
       Assign x_mem (Load reg0)
     )"
end

context sifum_example begin
lemma 𝒞_simp[simp]:
  "𝒞 = {}"
  by(auto simp: 𝒞_def 𝒞_vars_def split: if_splits)

declare 𝒞_vars_def [simp]

(* Manual proof of bisimulation because we can't use the type system *)
inductive inv :: "(((var addr, var aexp, var bexp) Stmt, var addr, val) LocalConf) ⇒ bool"
where
  inv⇩1h: "⟦c = prog_high_branch; mds AsmNoReadOrWrite = {}; mds AsmNoWrite = {}⟧ ⟹ inv ⟨c, mds, mem⟩" |
  inv⇩1h': "⟦c =
     Stop ;;
     ModeDecl Skip (Acq y_var AsmNoWrite) ;;
     ModeDecl Skip (Acq z_var AsmNoWrite) ;;
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩1y: "⟦c =
     ModeDecl Skip (Acq y_var AsmNoWrite) ;;
     ModeDecl Skip (Acq z_var AsmNoWrite) ;;
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩1y': "⟦c =
     Stop ;;
     ModeDecl Skip (Acq z_var AsmNoWrite) ;;
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {y_var, h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩1z: "⟦c =
     ModeDecl Skip (Acq z_var AsmNoWrite) ;;
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {y_var, h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩1z': "⟦c =
     Stop ;;
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩2: "⟦c =
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩2': "⟦c =
     Stop ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩3: "⟦c =
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩3': "⟦c =
     Stop ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}; mem z_var = 0⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩4: "⟦c =
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}; mem z_var = 0⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩4': "⟦c =
     Stop ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}; mem z_var = 0⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩5: "⟦c =
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ); mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}; mem z_var = 0⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩5_then: "⟦c = Assign x_var (Load y_var);
     mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}; mem z_var = 0⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩5_else: "⟦c = Assign x_var (Add (Load y_var) (Load z_var));
     mds AsmNoWrite = {z_var, y_var, h_var}; mds AsmNoReadOrWrite = {}; mem z_var = 0⟧ ⟹
   inv ⟨c, mds, mem⟩" |
  inv⇩6: "⟦c = Stop⟧ ⟹
   inv ⟨c, mds, mem⟩"

definition z_locked_steps
where "z_locked_steps ≡ {
     Stop ;;
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ),
     Assign y_var (Const 0) ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ),
     Stop ;;
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     ),
     Assign z_var (Const 0) ;;
     Assign x_var (Load y_var) ;;
     If (Neq (Load h_var) (Const 0)) (
       Assign x_var (Load y_var)
     ) (
       Assign x_var (Add (Load y_var) (Load z_var))
     )}"

inductive_set rel_inv :: "(((var addr, var aexp, var bexp) Stmt, var addr, val) LocalConf) rel"
where
  rel_inv_if:
  "⟦c = Assign x_var (Load y_var);
    c' = Assign x_var (Add (Load y_var) (Load z_var));
    z_var ∈ mds AsmNoWrite; mds AsmNoReadOrWrite = {}; mem z_var = mem' z_var⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv" |
  rel_inv_if':
  "⟦c' = Assign x_var (Load y_var);
    c = Assign x_var (Add (Load y_var) (Load z_var));
    z_var ∈ mds AsmNoWrite; mds AsmNoReadOrWrite = {}; mem z_var = mem' z_var⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv" |
  rel_inv_start:
  "⟦c = c'; z_var ∉ mds AsmNoWrite; mds AsmNoReadOrWrite = {}⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv" |
  rel_inv_z_locked:
  "⟦c ∈ z_locked_steps;
    c = c'; z_var ∈ mds AsmNoWrite; mds AsmNoReadOrWrite = {}⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv" |
  rel_inv_z_initted:
  "⟦c ∉ z_locked_steps;
    c = c'; mem z_var = mem' z_var; z_var ∈ mds AsmNoWrite; mds AsmNoReadOrWrite = {}⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv"

declare z_locked_steps_def[simp add]

(* the bisimulation is phrased as a conjunction of a global invariant and a
   relational invariant, defined above, plus the background requirement
   of low-equivalence modulo modes *)
inductive_set  R :: "(((var addr, var aexp, var bexp) Stmt, var addr, val) LocalConf) rel"
where
(* Having a c = c' requirement here is actually too restrictive *)
  "⟦mds = mds'; low_mds_eq mds mem mem'; inv ⟨c,mds,mem⟩; inv ⟨c',mds',mem'⟩;
    (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⟧ ⟹
 (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ R"

lemma rel_inv_sym:
  "low_mds_eq mds mem mem' ⟹ (⟨c, mds, mem⟩, ⟨c, mds, mem'⟩) ∈ rel_inv ⟹
    (⟨c, mds, mem'⟩, ⟨c, mds, mem⟩) ∈ rel_inv"
  apply(auto elim!: rel_inv.cases intro: rel_inv.intros)
  done

lemma R_sym':
  "(⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ R ⟹
   (⟨c', mds', mem'⟩, ⟨c, mds, mem⟩) ∈ R"
  apply(rule R.intros)
      apply(blast elim: R.cases dest: low_mds_eq_sym dest: rel_inv_sym)+
  apply(erule R.cases)
  apply(erule rel_inv.cases)
      apply clarsimp
      apply(rule rel_inv_if', simp+)
     apply(rule rel_inv_if, simp+)
    apply(rule rel_inv_start, simp+)
   apply(rule rel_inv_z_locked, simp+)
  apply(rule rel_inv_z_initted, simp+)
  done

lemma R_sym:
  "sym R"
  by(rule symI, clarify, erule R_sym')

lemma inv_closed_glob_consistent:
  "inv ⟨c', mds', mem⟩ ⟹
       ∀x. case A x of None ⇒ True | Some (v, v') ⇒ mem x ≠ v ⟶ ¬ var_asm_not_written mds' x ⟹
       ∀x. dma mem [∥⇩1 A] x ≠ dma mem x ⟶ ¬ var_asm_not_written mds' x  ⟹
       inv ⟨c', mds', mem [∥⇩1 A]⟩"
  apply(erule inv.cases)
             using inv.intros apply (force, force, force, force, force, force, force, force, force)
        apply(rule inv⇩3', clarsimp+)
        apply(erule_tac x=z_var in allE)
        apply(erule_tac x=z_var in allE)
        apply(cases "A z_var")
         apply(simp add:apply_adaptation_def)
        apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
       apply(rule inv⇩4, clarsimp+)
       apply(erule_tac x=z_var in allE)
       apply(erule_tac x=z_var in allE)
       apply(cases "A z_var")
        apply(simp add:apply_adaptation_def)
       apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
      apply(rule inv⇩4', clarsimp+)
      apply(erule_tac x=z_var in allE)
      apply(erule_tac x=z_var in allE)
      apply(cases "A z_var")
       apply(simp add:apply_adaptation_def)
      apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
     apply(rule inv⇩5, clarsimp+)
     apply(erule_tac x=z_var in allE)
     apply(erule_tac x=z_var in allE)
     apply(cases "A z_var")
      apply(simp add:apply_adaptation_def)
     apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
    apply(rule inv⇩5_then, clarsimp+)
    apply(erule_tac x=z_var in allE)
    apply(erule_tac x=z_var in allE)
    apply(cases "A z_var")
     apply(simp add:apply_adaptation_def)
    apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
   apply(rule inv⇩5_else, clarsimp+)
   apply(erule_tac x=z_var in allE)
   apply(erule_tac x=z_var in allE)
   apply(cases "A z_var")
    apply(simp add:apply_adaptation_def)
   apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
  apply(rule inv⇩6, clarsimp+)
  done

(* The "right-hand" side of inv_closed_glob_consistent *)
lemma inv_closed_glob_consistent_r:
  "inv ⟨c', mds', mem⟩ ⟹
       ∀x. case A x of None ⇒ True | Some (v, v') ⇒ mem x ≠ v' ⟶ ¬ var_asm_not_written mds' x ⟹
       ∀x. dma mem [∥⇩2 A] x ≠ dma mem x ⟶ ¬ var_asm_not_written mds' x  ⟹
       inv ⟨c', mds', mem [∥⇩2 A]⟩"
  apply(erule inv.cases)
               using inv.intros apply (force, force, force, force, force, force, force, force, force)
        apply(rule inv⇩3', clarsimp+)
        apply(erule_tac x=z_var in allE)
        apply(erule_tac x=z_var in allE)
        apply(cases "A z_var")
         apply(simp add:apply_adaptation_def)
        apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
       apply(rule inv⇩4, clarsimp+)
       apply(erule_tac x=z_var in allE)
       apply(erule_tac x=z_var in allE)
       apply(cases "A z_var")
        apply(simp add:apply_adaptation_def)
       apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
      apply(rule inv⇩4', clarsimp+)
      apply(erule_tac x=z_var in allE)
      apply(erule_tac x=z_var in allE)
      apply(cases "A z_var")
       apply(simp add:apply_adaptation_def)
      apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
     apply(rule inv⇩5, clarsimp+)
     apply(erule_tac x=z_var in allE)
     apply(erule_tac x=z_var in allE)
     apply(cases "A z_var")
      apply(simp add:apply_adaptation_def)
     apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
    apply(rule inv⇩5_then, clarsimp+)
    apply(erule_tac x=z_var in allE)
    apply(erule_tac x=z_var in allE)
    apply(cases "A z_var")
     apply(simp add:apply_adaptation_def)
    apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
   apply(rule inv⇩5_else, clarsimp+)
   apply(erule_tac x=z_var in allE)
   apply(erule_tac x=z_var in allE)
   apply(cases "A z_var")
    apply(simp add:apply_adaptation_def)
   apply(clarsimp simp add:var_asm_not_written_def dma_def apply_adaptation_def)
  apply(rule inv⇩6, clarsimp+)
  done

lemma rel_inv_closed_glob_consistent:
  "(⟨c, mds', mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv ⟹
       ∀x a b.
          A x = Some (a, b) ⟶
          (mem x = a ⟶ mem' x ≠ b) ⟶ ¬ var_asm_not_written mds' x ⟹
       ∀x. dma mem [∥⇩1 A] x ≠ dma mem x ⟶ ¬ var_asm_not_written mds' x ⟹
       ∀x. dma mem [∥⇩1 A] x = Low ∧ (x ∈ mds' AsmNoReadOrWrite ⟶ x ∈ 𝒞) ⟶
           mem [∥⇩1 A] x = mem' [∥⇩2 A] x ⟹
       (⟨c, mds', mem [∥⇩1 A]⟩, ⟨c', mds', mem' [∥⇩2 A]⟩) ∈ rel_inv"
  apply(safe elim!: rel_inv.cases)
  using rel_inv.intros dma_def by simp+

lemma R_closed_glob_consistent:
  "closed_glob_consistent R"
  unfolding closed_glob_consistent_def
  apply clarsimp
  apply(erule R.cases)
  apply clarsimp
  apply(rule R.intros)
      apply simp
     apply(fastforce simp: low_mds_eq_def)
    apply(rule inv_closed_glob_consistent)
      apply simp
     apply(fastforce split: option.splits)
    apply assumption
   apply(rule inv_closed_glob_consistent_r)
     apply simp
    apply(fastforce split: option.splits)
   apply(subgoal_tac "dma mem = dma mem' ∧ dma mem [∥⇩1 A] = dma mem' [∥⇩2 A]")
    apply simp
   apply(rule conjI)
    apply(rule low_mds_eq_dma)
    apply assumption
   apply(rule dma_𝒞)
   apply(simp add: 𝒞_Low)
  apply(rule rel_inv_closed_glob_consistent)
  apply(simp_all)
  apply(fastforce split: option.splits)
  done

lemma R_low_mds_eq:
  "(⟨c⇩1, mds, mem⇩1⟩, ⟨c⇩2, mds, mem⇩2⟩) ∈ R ⟹
        low_mds_eq mds mem⇩1 mem⇩2"
  apply(blast elim: R.cases)
  done

inductive_cases rel_invE: "(⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv"

method seq_decl_inv_method uses inv_rule rel_inv_rule =
 (erule rel_invE, simp+,
   drule seq_elim, simp,
   clarsimp,
   drule upd_elim, drule skip_elim, simp,
   clarsimp,
   rule conjI,
    rule eval⇩w.seq,
    rule decl_eval⇩w', simp+,
   rule R.intros, simp+,
      fastforce simp: low_mds_eq_def,
     rule inv_rule, simp+,
    rule inv_rule, simp+,
   rule rel_inv_rule, simp+)

method seq_stop_inv_method uses inv_rule rel_inv_rule =
 (erule rel_invE, simp+,
   drule seq_stop_elim, clarsimp,
   (rule exI)+,
   intro conjI,
    rule seq_stop_eval⇩w,
   rule R.intros, (simp|clarsimp simp: low_mds_eq_def dma_def ev⇩A.simps)+,
     (rule inv_rule; simp|blast?),
    (rule inv_rule; simp|blast?),
   rule rel_inv_rule, simp+)

method assign_inv⇩6_method =
 (rule_tac x=c⇩1' in exI,
  rule_tac x="mem⇩2(x_var := ev⇩A mem⇩2 (Load y_var))" in exI,
  erule rel_invE, simp+,
  (drule assign_elim, simp,
   rule conjI,
    clarsimp simp: ev⇩A.simps,
    erule_tac x=z_var in allE,
    clarsimp,
    rule assign_eval⇩w', simp+,
    clarsimp simp: ev⇩A.simps,
   rule R.intros, simp+,
      unfold low_mds_eq_def dma_def, clarsimp simp: ev⇩A.simps,
     (rule inv⇩6, simp+)+,
   rule rel_inv_z_initted, simp+)+)

lemma R_inv:
  notes ev⇩A.simps[simp del]
  shows  "(⟨c⇩1, mds, mem⇩1⟩, ⟨c⇩2, mds, mem⇩2⟩) ∈ R ⟹
       (⟨c⇩1, mds, mem⇩1⟩, ⟨c⇩1', mds', mem⇩1'⟩) ∈ eval⇩w ⟹
       ∃c⇩2' mem⇩2'.
          (⟨c⇩2, mds, mem⇩2⟩, ⟨c⇩2', mds', mem⇩2'⟩) ∈ eval⇩w ∧
          (⟨c⇩1', mds', mem⇩1'⟩, ⟨c⇩2', mds', mem⇩2'⟩) ∈ R"
  apply(erule R.cases)
  apply clarsimp
  apply(erule inv.cases)
                 apply(unfold prog_high_branch_def)
                 apply clarsimp
                 apply(rule_tac x=c⇩1' in exI)
                 apply(rule_tac x=mem⇩2 in exI)
                 apply(seq_decl_inv_method inv_rule:inv⇩1h' rel_inv_rule:rel_inv_start)
                apply(seq_stop_inv_method inv_rule:inv⇩1y rel_inv_rule:rel_inv_start)
               apply(rule_tac x=c⇩1' in exI)
               apply(rule_tac x=mem⇩2 in exI)
               apply(seq_decl_inv_method inv_rule:inv⇩1y' rel_inv_rule:rel_inv_start)
              apply(seq_stop_inv_method inv_rule:inv⇩1z rel_inv_rule:rel_inv_start)
             apply(rule_tac x=c⇩1' in exI)
             apply(rule_tac x=mem⇩2 in exI)
             apply(seq_decl_inv_method inv_rule:inv⇩1z' rel_inv_rule:rel_inv_z_locked)
            apply(seq_stop_inv_method inv_rule:inv⇩2 rel_inv_rule:rel_inv_z_locked)

           (* Assign ;; *)
           apply clarsimp
           apply(rule_tac x=c⇩1' in exI)
           apply(rule_tac x="mem⇩2(y_var := ev⇩A mem⇩2 (Const 0))" in exI)
           apply(erule rel_invE, simp+)
            apply(drule seq_elim, simp)
            apply clarsimp
            apply(drule assign_elim, simp)
            apply(rule conjI)
             apply(rule eval⇩w.seq)
             apply(rule assign_eval⇩w)
            apply(rule R.intros, simp+)
               apply(unfold low_mds_eq_def dma_def, clarsimp simp: ev⇩A.simps)
              apply(rule inv⇩2', fast+)+
            apply(rule rel_inv_z_locked, simp+)
          apply(seq_stop_inv_method inv_rule:inv⇩3 rel_inv_rule:rel_inv_z_locked)

         (* Assign ;; *)
         apply clarsimp
         apply(rule_tac x=c⇩1' in exI)
         apply(rule_tac x="mem⇩2(z_var := ev⇩A mem⇩2 (Const 0))" in exI)
         apply(erule rel_invE, simp+)
          apply(drule seq_elim, simp)
          apply clarsimp
          apply(drule assign_elim, simp)
          apply(rule conjI)
           apply(rule eval⇩w.seq)
           apply(rule assign_eval⇩w)
          apply(rule R.intros, simp+)
             apply(unfold low_mds_eq_def dma_def, clarsimp simp: ev⇩A.simps)
            apply(rule inv⇩3', simp+)
            apply(simp add: ev⇩A.simps)
           apply(rule inv⇩3', simp+)
           apply(simp add: ev⇩A.simps)
          apply(rule rel_inv_z_initted, simp+)
            apply(simp add: ev⇩A.simps) (* do it separately so it doesn't mess everything else up *)
           apply simp+
        apply(seq_stop_inv_method inv_rule:inv⇩4 rel_inv_rule:rel_inv_z_initted)

       (* Assign ;; *)
       apply clarsimp
       apply(rule_tac x=c⇩1' in exI)
       apply(rule_tac x="mem⇩2(x_var := ev⇩A mem⇩2 (Load y_var))" in exI)
       apply(erule rel_invE, simp+)
       apply(drule seq_elim, simp)
       apply clarsimp
       apply(drule assign_elim, simp)
       apply(rule conjI)
        apply(rule eval⇩w.seq)
        apply(rule assign_eval⇩w)
       apply(rule R.intros, simp+)
          apply(unfold low_mds_eq_def dma_def, clarsimp simp: ev⇩A.simps)
         apply(rule inv⇩4', simp+)+
       apply(rule rel_inv_z_initted, simp+)
      apply(seq_stop_inv_method inv_rule:inv⇩5 rel_inv_rule:rel_inv_z_initted)

     (* (If (cond) Then Else) *)
     apply clarsimp
     apply(erule rel_invE, simp+)
     apply(rule_tac x="(if ev⇩B mem⇩2 (Neq (Load h_var) (Const 0))
                        then (x_var ← Load y_var)
                        else (x_var ← Add (Load y_var) (Load z_var)))" in exI)
     apply(rule_tac x="mem⇩2" in exI)
     apply(rule conjI)
       apply(erule if_elim)
        apply clarify
        apply(rule if_eval⇩w)
       apply clarify
       apply(rule if_eval⇩w)
      apply(erule if_elim)
       apply(rule R.intros, simp+)
          apply(unfold low_mds_eq_def dma_def, clarsimp)
         apply(rule inv⇩5_then, simp+)
        apply safe
         apply(rule inv⇩5_then, simp+)
        apply(rule inv⇩5_else, simp+)
       apply safe
        apply(rule rel_inv_z_initted, simp+)
       apply(rule rel_inv_if, simp, simp, simp, simp, simp)
 
     apply(rule R.intros, simp+)
        apply(unfold low_mds_eq_def dma_def, clarsimp)
       apply(rule inv⇩5_else, simp+)
      apply safe
       apply(rule inv⇩5_then, simp+)
      apply(rule inv⇩5_else, simp+)
     apply safe
      apply(rule rel_inv_if', simp+)
     apply(rule rel_inv_z_initted, simp+)
 
    (* Assign - then | else *)
    apply assign_inv⇩6_method
   apply assign_inv⇩6_method
  using stop_no_eval by fastforce

lemma strong_low_bisim_mm_R:
  "strong_low_bisim_mm R"
  unfolding strong_low_bisim_mm_def
  proof(safe)
    show "sym R" by(rule R_sym)
  next
    show "closed_glob_consistent R" by(rule R_closed_glob_consistent)
  next
    fix c⇩1 mds mem⇩1 c⇩2  mem⇩2
    assume "(⟨c⇩1, mds, mem⇩1⟩, ⟨c⇩2, mds, mem⇩2⟩) ∈ R"
    thus "low_mds_eq mds mem⇩1 mem⇩2"
    by(rule R_low_mds_eq)
  next
    fix c⇩1 mds mem⇩1 c⇩2  mem⇩2 c⇩1' mds' mem⇩1'
    assume "(⟨c⇩1, mds, mem⇩1⟩, ⟨c⇩2, mds, mem⇩2⟩) ∈ R"
       and "(⟨c⇩1, mds, mem⇩1⟩, ⟨c⇩1', mds', mem⇩1'⟩) ∈ eval⇩w"
    thus "∃c⇩2' mem⇩2'.
          (⟨c⇩2, mds, mem⇩2⟩, ⟨c⇩2', mds', mem⇩2'⟩) ∈ eval⇩w ∧
          (⟨c⇩1', mds', mem⇩1'⟩, ⟨c⇩2', mds', mem⇩2'⟩) ∈ R"
       by(rule R_inv)
  qed

lemma prog_high_branch_secure':
  "low_mds_eq mds⇩s mem⇩1 mem⇩2 ⟹
       (⟨prog_high_branch, mds⇩s, mem⇩1⟩, ⟨prog_high_branch, mds⇩s, mem⇩2⟩) ∈ R"
  apply(rule R.intros)
  apply simp_all
   apply(rule inv⇩1h)
     apply (simp_all add: mds⇩s_def)
   apply(rule inv⇩1h)
     apply (simp_all add: mds⇩s_def)
  unfolding prog_high_branch_def by(fastforce intro: rel_inv.intros)

lemma "com_sifum_secure (prog_high_branch, mds⇩s)"
  unfolding com_sifum_secure_def low_indistinguishable_def
  apply clarify
  apply(rule mm_equiv_intro)
   apply(rule strong_low_bisim_mm_R)
  by (rule prog_high_branch_secure')

end

locale sifum_refinement_high_branch =
  A: sifum_example +
  C: sifum_example⇩C

primrec var⇩C_of :: "var ⇒ var⇩C"
where
  "var⇩C_of h_var = h_mem" |
  "var⇩C_of x_var = x_mem" |
  "var⇩C_of y_var = y_mem" |
  "var⇩C_of z_var = z_mem"

sublocale sifum_refinement_high_branch ⊆
  sifum_refinement dma dma⇩C 𝒞_vars 𝒞_vars 𝒞 𝒞⇩C A.eval⇩w C.eval⇩w undefined var⇩C_of
  apply(unfold_locales)
     apply(rule inj_onI, simp)
     apply(case_tac x)
         apply(case_tac y, simp+)
        apply(case_tac y, simp+)
       apply(case_tac y, simp+)
      apply(case_tac y, simp+)
    apply(case_tac x⇩A)
       apply(clarsimp simp:dma_def dma⇩C_def)+
  done

context sifum_refinement_high_branch begin

(* Adapted these helpers from Eg1Eg2 *)
lemma conc_only_vars_not_visible_abs:
  "(∀v⇩C. v⇩C ∈ range var⇩C_of ⟶ mem⇩C v⇩C = mem⇩C' v⇩C) ⟹ mem⇩A_of mem⇩C = mem⇩A_of mem⇩C'"
  by (simp add: mem⇩A_of_def)

lemma conc_only_var_assign_not_visible_abs:
  "∀v⇩C e. v⇩C ∉ range var⇩C_of ⟶ mem⇩A_of mem⇩C = mem⇩A_of (mem⇩C(v⇩C := e))"
  using conc_only_vars_not_visible_abs
  by simp

lemma reg_is_not_the_var⇩C_of_anything:
  "reg ∈ {reg0, reg1, reg2, reg3} ⟹ reg = var⇩C_of x ⟹ False"
  by (induct x, clarsimp+)

lemma reg_not_visible_abs:
  "reg ∈ {reg0, reg1, reg2, reg3} ⟹ reg ∉ range var⇩C_of"
  using reg_is_not_the_var⇩C_of_anything
  by blast

(* Helpers carried over from Eg1Eg2 *)
lemma assign_eval⇩w_load⇩A:
  shows "(⟨x ← Load y, mds, mem⟩⇩A, ⟨Stop, mds, mem (x := mem y)⟩⇩A) ∈ A.eval⇩w"
  by (metis A.assign_eval⇩w ev⇩A.simps(2))

lemma assign_eval⇩w_load⇩C:
  shows "(⟨x ← Load y, mds, mem⟩⇩C, ⟨Stop, mds, mem (x := mem y)⟩⇩C) ∈ C.eval⇩w"
  using C.unannotated[OF C.assign, where E="[]", simplified]
  apply(drule_tac x=x in meta_spec)
  apply(drule_tac x="Load y" in meta_spec)
  apply(drule_tac x=mds in meta_spec)
  apply(drule_tac x=mem in meta_spec)
  apply clarsimp
  done

lemma assign_eval⇩w_const⇩A:
  shows "(⟨x ← Const c, mds, mem⟩, ⟨Stop, mds, mem (x := c)⟩) ∈ A.eval⇩w"
  by (metis A.assign_eval⇩w ev⇩A.simps(1))

lemma assign_eval⇩w_const⇩C:
  shows "(⟨x ← Const c, mds, mem⟩, ⟨Stop, mds, mem (x := c)⟩) ∈ C.eval⇩w"
  using C.unannotated[OF C.assign, where E="[]", simplified]
  apply(drule_tac x=x in meta_spec)
  apply(drule_tac x="Const c" in meta_spec)
  apply(drule_tac x=mds in meta_spec)
  apply(drule_tac x=mem in meta_spec)
  apply clarsimp
  done

lemma mem_assign_refinement_helper_var:
  "mem⇩A_of (mem⇩C (var⇩C_of x := mem⇩C (var⇩C_of y)))
       = (mem⇩A_of mem⇩C) (x := (mem⇩A_of mem⇩C) y)"
  apply(clarsimp simp: mem⇩A_of_def)
  apply(rule ext, clarsimp)
  apply(cases x)
   apply(case_tac x⇩A, clarsimp+)+
  done

lemma mem_assign_refinement_helper_const:
  "mem⇩A_of (mem⇩C (var⇩C_of x := c))
       = (mem⇩A_of mem⇩C) (x := c)"
  apply(clarsimp simp: mem⇩A_of_def)
  apply(rule ext, clarsimp)
  apply(cases x)
      apply(case_tac x⇩A, clarsimp+)+
  done

lemma NoRW⇩A_implies_NoRW⇩C:
  "x ∈ mds⇩A_of mds⇩C AsmNoReadOrWrite ⟹
   var⇩C_of x ∈ mds⇩C AsmNoReadOrWrite"
  unfolding mds⇩A_of_def
  apply clarsimp
  apply (simp only: var⇩C_of_def)
  apply clarsimp
  apply (simp add: f_inv_into_f)
  done

lemma NoWrite⇩A_implies_NoWrite⇩C:
  "x ∈ mds⇩A_of mds⇩C AsmNoWrite ⟹
   var⇩C_of x ∈ mds⇩C AsmNoWrite"
  unfolding mds⇩A_of_def
  apply clarsimp
  apply (simp only: var⇩C_of_def)
  apply clarsimp
  apply (simp add: f_inv_into_f)
  done

lemma if_seq_eval⇩w_helper⇩A:
  "(⟨If B T E, mds, mem⟩,
    ⟨if ev⇩B mem B then T else E, mds, mem⟩⇩A) ∈ A.eval⇩w
    ⟹
   (⟨If B T E ;; TAIL, mds, mem⟩,
    ⟨if ev⇩B mem B then T ;; TAIL else E ;; TAIL, mds, mem⟩⇩A) ∈ A.eval⇩w"
  using A.eval⇩w.seq
  by auto

lemma if_seq_eval⇩w_helper⇩C:
  "(⟨If B T E, mds, mem⟩,
    ⟨if ev⇩B⇩C mem B then T else E, mds, mem⟩⇩C) ∈ C.eval⇩w
    ⟹
   (⟨If B T E ;; TAIL, mds, mem⟩,
    ⟨if ev⇩B⇩C mem B then T ;; TAIL else E ;; TAIL, mds, mem⟩⇩C) ∈ C.eval⇩w"
  using C.eval⇩w.seq
  by auto

fun aexp⇩C_of
where
  "aexp⇩C_of (Const c) = (Const c)" |
  "aexp⇩C_of (Load v) = (Load (var⇩C_of v))" |
  "aexp⇩C_of (Add x y) = Add (aexp⇩C_of x) (aexp⇩C_of y)" |
  "aexp⇩C_of (Sub x y) = Sub (aexp⇩C_of x) (aexp⇩C_of y)"

lemma mem_assign_refinement_helper_aexp:
  "mem⇩A_of (mem⇩C (var⇩C_of x := ev⇩A mem⇩C (aexp⇩C_of a)))
       = (mem⇩A_of mem⇩C) (x := ev⇩A (mem⇩A_of mem⇩C) a)"
  apply(clarsimp simp: mem⇩A_of_def)
  apply(rule ext, clarsimp)
  apply(rename_tac x⇩A)
  apply(cases x)
     apply(case_tac x⇩A, induct rule:aexp⇩C_of.induct, clarsimp+)
    apply(case_tac x⇩A, induct rule:aexp⇩C_of.induct, clarsimp+)
      apply(induct rule:aexp⇩C_of.induct, clarsimp+)
   apply(case_tac x⇩A, induct rule:aexp⇩C_of.induct, clarsimp+)
    apply(induct rule:aexp⇩C_of.induct, clarsimp+)
  apply(case_tac x⇩A, induct rule:aexp⇩C_of.induct, clarsimp+)
  apply(induct rule:aexp⇩C_of.induct, clarsimp+)
  done

inductive_set rel_inv⇩C :: "(((var⇩C addr, var⇩C aexp, var⇩C bexp) Stmt, var⇩C addr, val) LocalConf) rel"
where
  rel_inv⇩C_1:
  "⟦c =
     Skip ;;
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c' =
     Assign reg1 (Load y_mem) ;;
     Assign reg2 (Load z_mem) ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_1':
  "⟦c' =
     Skip ;;
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c =
     Assign reg1 (Load y_mem) ;;
     Assign reg2 (Load z_mem) ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_2:
  "⟦c =
     Stop ;;
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c' =
     Stop ;;
     Assign reg2 (Load z_mem) ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_2':
  "⟦c' =
     Stop ;;
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c =
     Stop ;;
     Assign reg2 (Load z_mem) ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_3:
  "⟦c =
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c' =
     Assign reg2 (Load z_mem) ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_3':
  "⟦c' =
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c =
     Assign reg2 (Load z_mem) ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_4:
  "⟦c =
     Stop ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c' =
     Stop ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_4':
  "⟦c' =
     Stop ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c =
     Stop ;;
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_5:
  "⟦c =
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c' =
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_5':
  "⟦c' =
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    c =
     Assign reg0 (Add (Load reg1) (Load reg2)) ;;
     Assign x_mem (Load reg0)⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C" |
  rel_inv⇩C_default:
  "⟦c = c'⟧ ⟹
      (⟨c, mds, mem⟩, ⟨c', mds', mem'⟩) ∈ rel_inv⇩C"

inductive_cases rel_inv⇩CE: "(⟨c, mds, mem⟩⇩C, ⟨c', mds', mem'⟩⇩C) ∈ rel_inv⇩C"

lemma rel_inv⇩C_sym:
  "sym rel_inv⇩C"
  unfolding sym_def
  apply(auto elim!: rel_inv⇩C.cases intro: rel_inv⇩C.intros)
  done

lemma rel_inv⇩C_closed_glob_consistent:
  "C.closed_glob_consistent rel_inv⇩C"
  unfolding C.closed_glob_consistent_def
  apply(safe elim!: rel_inv⇩C.cases)
  using rel_inv⇩C.intros by simp+

inductive_set RefRel_HighBranch :: "(
    (((var, var aexp, var bexp) Stmt × (Mode ⇒ var set)) × (var ⇒ val)) ×
     ((var⇩C, var⇩C aexp, var⇩C bexp) Stmt × (Mode ⇒ var⇩C set)) × (var⇩C ⇒ val)
    ) set"
where
  acq_mode_rel: "⟦c⇩A = ModeDecl Skip (Acq x SomeMode) ;; c⇩A_tail;
    c⇩C = ModeDecl Skip (Acq (var⇩C_of x) SomeMode) ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  assign_load_rel: "⟦c⇩A = (x ← aexp.Load y) ;; c⇩A_tail;
    c⇩C = ((var⇩C_of x) ← aexp.Load (var⇩C_of y)) ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∉ mds⇩A GuarNoReadOrWrite;
    x ∉ mds⇩A GuarNoWrite;
    y ∉ mds⇩A GuarNoReadOrWrite;
    x ∉ 𝒞;
    y ∉ 𝒞;
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  assign_const_rel: "⟦c⇩A = (x ← Const z) ;; c⇩A_tail;
    c⇩C = ((var⇩C_of x) ← Const z) ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∉ mds⇩A GuarNoReadOrWrite;
    x ∉ mds⇩A GuarNoWrite;
    x ∉ 𝒞;
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop ;; c⇩A_tail, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_reg_load_rel: "⟦
    c⇩A = (If (Neq (Load x) (Const 0)) c⇩A_then c⇩A_else);
    c⇩C = (reg3 ← (Load (var⇩C_of x))) ;; ((If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else));
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∈ mds⇩A AsmNoWrite ∧ x ∉ mds⇩A AsmNoReadOrWrite;
    reg3 ∉ mds⇩C GuarNoReadOrWrite ∧ reg3 ∉ mds⇩C GuarNoWrite;
    x ∉ mds⇩A GuarNoReadOrWrite;
    ∀x'. x ∈ 𝒞_vars x' ⟶ x' ∉ mds⇩A GuarNoReadOrWrite;
    (∀mem⇩A' mem⇩C' mem⇩A'' mem⇩C''.
        (
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹The change in ‹mem⇩C› does not affect ‹mem⇩A››
         mem⇩A'' = mem⇩A' ∧
         ― ‹The concrete and abstract versions of the bool condition must become consistent›
         ev⇩B mem⇩C' (Neq (Load reg3) (Const 0)) = ev⇩B mem⇩A' (Neq (Load x) (Const 0)) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
          ⟨Stop ;; (If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else), mds⇩C, mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A,
          ⟨Stop ;; (If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else), mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch)
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_reg_stop_rel: "⟦
    c⇩A = (If (Neq (Load x) (Const 0)) c⇩A_then c⇩A_else);
    c⇩C = Stop ;; ((If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else));
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∈ mds⇩A AsmNoWrite ∧ x ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹We will need to carry this through to the ‹if_reg_rel› case.›
    ev⇩B mem⇩C (Neq (Load reg3) (Const 0)) = ev⇩B mem⇩A (Neq (Load x) (Const 0));
    (∀mem⇩A' mem⇩C' mem⇩A'' mem⇩C''.
        (
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹The change in ‹mem⇩C› does not affect ‹mem⇩A››
         mem⇩A'' = mem⇩A' ∧
         ― ‹The concrete and abstract versions of the bool condition must remain consistent›
         ev⇩B mem⇩C' (Neq (Load reg3) (Const 0)) = ev⇩B mem⇩A' (Neq (Load x) (Const 0)) ∧
         ev⇩B mem⇩C'' (Neq (Load reg3) (Const 0)) = ev⇩B mem⇩A'' (Neq (Load x) (Const 0)) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
          ⟨(If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else), mds⇩C, mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A,
          ⟨(If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else), mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch)
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_reg_rel: "⟦
    ― ‹Is a more generic version possible for an arbitrary ‹b⇩A›?›
    ⌦‹c⇩A = (If b⇩A c⇩A_then c⇩A_else);›
    ⌦‹b⇩A = Eq (Load x) (Const 0);›  ― ‹‹ev⇩B mem⇩A b⇩A››
    c⇩A = (If (Neq (Load x) (Const 0)) c⇩A_then c⇩A_else);
    c⇩C = (If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    x ∈ mds⇩A AsmNoWrite ∧ x ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹The concrete and abstract versions of the bool condition must have remained consistent›
    ev⇩B mem⇩C (Neq (Load reg3) (Const 0)) = ev⇩B mem⇩A (Neq (Load x) (Const 0));
    ― ‹As for ― ‹if_reg_load_rel››
    reg3 ∉ mds⇩C GuarNoReadOrWrite ∧ reg3 ∉ mds⇩C GuarNoWrite;
    x ∉ mds⇩A GuarNoReadOrWrite;
    ∀x'. x ∈ 𝒞_vars x' ⟶ x' ∉ mds⇩A GuarNoReadOrWrite;
    ― ‹As we would expect, the two branches must be related by the coupling invariant.›
    ∀mem⇩C' mem⇩C''. (⟨c⇩C_then, mds⇩C, mem⇩C'⟩⇩C, ⟨c⇩C_else, mds⇩C, mem⇩C''⟩⇩C) ∈ rel_inv⇩C;
    (∀mem⇩A' mem⇩C' mem⇩A'' mem⇩C''.
       mem⇩A' = mem⇩A_of mem⇩C' ∧
       mem⇩A'' = mem⇩A_of mem⇩C'' ∧
       ev⇩B mem⇩C'' (Neq (Load reg3) (Const 0)) = ev⇩B mem⇩A'' (Neq (Load x) (Const 0)) ∧
       ev⇩B mem⇩C' (Neq (Load reg3) (Const 0)) = ev⇩B mem⇩A' (Neq (Load x) (Const 0)) ∧
       (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A,
        ⟨(if (ev⇩B mem⇩A'' (Neq (Load x) (Const 0))) then c⇩A_then else c⇩A_else), mds⇩A, mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
       (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
        ⟨(if (ev⇩B mem⇩C'' (Neq (Load reg3) (Const 0))) then c⇩C_then else c⇩C_else), mds⇩C, mem⇩C'⟩⇩C) ∈ C.eval⇩w
       ⟶
       (⟨(if (ev⇩B mem⇩A'' (Neq (Load x) (Const 0))) then c⇩A_then else c⇩A_else), mds⇩A, mem⇩A'⟩⇩A,
        ⟨(if (ev⇩B mem⇩C'' (Neq (Load reg3) (Const 0))) then c⇩C_then else c⇩C_else), mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch)
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

(*
  Assign x_var (Load y_var)
    - to -
  Skip ;;
  Skip ;;
  Assign reg0 (Load y_mem) ;;
  Assign x_mem (Load reg0);
*)
  if_then_rel_1: "⟦c⇩A = (x_var ← Load y_var);
    c⇩C = Skip ;; c⇩C_tail;
    c⇩C_tail =
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_then_rel_1': "⟦c⇩A = (x_var ← Load y_var);
    c⇩C = Stop ;; c⇩C_tail;
    c⇩C_tail =
     Skip ;;
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_then_rel_2: "⟦c⇩A = (x_var ← Load y_var);
    c⇩C = Skip ;; c⇩C_tail;
    c⇩C_tail =
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_then_rel_2': "⟦c⇩A = (x_var ← Load y_var);
    c⇩C = Stop ;; c⇩C_tail;
    c⇩C_tail =
     Assign reg0 (Load y_mem) ;;
     Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_then_rel_3: "⟦c⇩A = (x_var ← Load y_var);
    c⇩C = Assign reg0 (Load y_mem) ;; c⇩C_tail;
    c⇩C_tail = Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹The value of ‹reg0› and ‹y_var› must now become consistent›
         ev⇩A mem⇩C' (Load reg0) = ev⇩A mem⇩A' (Load y_var) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_then_rel_3': "⟦c⇩A = (x_var ← Load y_var);
    c⇩C = Stop ;; c⇩C_tail;
    c⇩C_tail = Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹The value of ‹reg0› and ‹y_var› at this point must be consistent›
    ev⇩A mem⇩C (Load reg0) = ev⇩A mem⇩A (Load y_var);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹and must remain consistent›
         ev⇩A mem⇩C' (Load reg0) = ev⇩A mem⇩A' (Load y_var) ∧
         ev⇩A mem⇩C'' (Load reg0) = ev⇩A mem⇩A'' (Load y_var) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_then_rel_4: "⟦c⇩A = (x_var ← Load y_var);
    c⇩C = Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹The value of ‹reg0› and ‹y_var› at this point must be consistent›
    ev⇩A mem⇩C (Load reg0) = ev⇩A mem⇩A (Load y_var);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

(*
  Assign x_var (Add (Load y_var) (Load z_var))
    - to -
  Assign reg1 (Load y_mem) ;;
  Assign reg2 (Load z_mem) ;;
  Assign reg0 (Add (Load reg1) (Load reg2)) ;;
  Assign x_mem (Load reg0)
*)
  if_else_rel_1: "⟦c⇩A = (x_var ← Add (Load y_var) (Load z_var));
    c⇩C = (reg1 ← Load y_mem) ;; c⇩C_tail;
    c⇩C_tail =
      Assign reg2 (Load z_mem) ;;
      Assign reg0 (Add (Load reg1) (Load reg2)) ;;
      Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹Now ‹reg1› takes on ‹y_var››
         ev⇩A mem⇩C' (Load reg1) = ev⇩A mem⇩A' (Load y_var) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_else_rel_1': "⟦c⇩A = (x_var ← Add (Load y_var) (Load z_var));
    c⇩C = Stop ;; c⇩C_tail;
    c⇩C_tail =
      Assign reg2 (Load z_mem) ;;
      Assign reg0 (Add (Load reg1) (Load reg2)) ;;
      Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹At this point ‹reg1› contains ‹y_var››
    ev⇩A mem⇩C (Load reg1) = ev⇩A mem⇩A (Load y_var);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹maintain it›
         ev⇩A mem⇩C' (Load reg1) = ev⇩A mem⇩A' (Load y_var) ∧
         ev⇩A mem⇩C'' (Load reg1) = ev⇩A mem⇩A'' (Load y_var) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_else_rel_2: "⟦c⇩A = (x_var ← Add (Load y_var) (Load z_var));
    c⇩C = Assign reg2 (Load z_mem) ;; c⇩C_tail;
    c⇩C_tail =
      Assign reg0 (Add (Load reg1) (Load reg2)) ;;
      Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹At this point ‹reg1› contains ‹y_var››
    ev⇩A mem⇩C (Load reg1) = ev⇩A mem⇩A (Load y_var);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹maintain it›
         ev⇩A mem⇩C'' (Load reg1) = ev⇩A mem⇩A'' (Load y_var) ∧
         ev⇩A mem⇩C' (Load reg1) = ev⇩A mem⇩A' (Load y_var) ∧
         ― ‹Now ‹reg2› takes on ‹z_var››
         ev⇩A mem⇩C' (Load reg2) = ev⇩A mem⇩A' (Load z_var) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_else_rel_2': "⟦c⇩A = (x_var ← Add (Load y_var) (Load z_var));
    c⇩C = Stop ;; c⇩C_tail;
    c⇩C_tail =
      Assign reg0 (Add (Load reg1) (Load reg2)) ;;
      Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    z_var ∈ mds⇩A AsmNoWrite ∧ z_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹At this point ‹reg1› contains ‹y_var› and ‹reg2› contains z_var›
    ev⇩A mem⇩C (Load reg1) = ev⇩A mem⇩A (Load y_var);
    ev⇩A mem⇩C (Load reg2) = ev⇩A mem⇩A (Load z_var);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹maintain it›
         ev⇩A mem⇩C'' (Load reg1) = ev⇩A mem⇩A'' (Load y_var) ∧
         ev⇩A mem⇩C'' (Load reg2) = ev⇩A mem⇩A'' (Load z_var) ∧
         ev⇩A mem⇩C' (Load reg1) = ev⇩A mem⇩A' (Load y_var) ∧
         ev⇩A mem⇩C' (Load reg2) = ev⇩A mem⇩A' (Load z_var) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_else_rel_3: "⟦c⇩A = (x_var ← Add (Load y_var) (Load z_var));
    c⇩C = Assign reg0 (Add (Load reg1) (Load reg2)) ;; c⇩C_tail;
    c⇩C_tail = Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    z_var ∈ mds⇩A AsmNoWrite ∧ z_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹At this point ‹reg1› contains ‹y_var› and ‹reg2› contains ‹z_var››
    ev⇩A mem⇩C (Load reg1) = ev⇩A mem⇩A (Load y_var);
    ev⇩A mem⇩C (Load reg2) = ev⇩A mem⇩A (Load z_var);
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ev⇩A mem⇩C'' (Load reg1) = ev⇩A mem⇩A'' (Load y_var) ∧
         ev⇩A mem⇩C'' (Load reg2) = ev⇩A mem⇩A'' (Load z_var) ∧
         ― ‹Thus the value of ‹reg0› becomes consistent with ‹y_var + z_var››
         ev⇩A mem⇩C' (Load reg0) = ev⇩A mem⇩A' (Add (Load y_var) (Load z_var)) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop ;; c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_else_rel_3': "⟦c⇩A = (x_var ← Add (Load y_var) (Load z_var));
    c⇩C = Stop ;; c⇩C_tail;
    c⇩C_tail = Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    z_var ∈ mds⇩A AsmNoWrite ∧ z_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹The value of ‹reg0› and ‹y_var + z_var› at this point must be consistent›
    ev⇩A mem⇩C (Load reg0) = ev⇩A mem⇩A (Add (Load y_var) (Load z_var));
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         ― ‹and must remain consistent›
         ev⇩A mem⇩C' (Load reg0) = ev⇩A mem⇩A' (Add (Load y_var) (Load z_var)) ∧
         ev⇩A mem⇩C'' (Load reg0) = ev⇩A mem⇩A'' (Add (Load y_var) (Load z_var)) ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨c⇩A, mds⇩A', mem⇩A'⟩⇩A, ⟨c⇩C_tail, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  if_else_rel_4: "⟦c⇩A = (x_var ← Add (Load y_var) (Load z_var));
    c⇩C = Assign x_mem (Load reg0);
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C AsmNoReadOrWrite);
    y_var ∈ mds⇩A AsmNoWrite ∧ y_var ∉ mds⇩A AsmNoReadOrWrite;
    z_var ∈ mds⇩A AsmNoWrite ∧ z_var ∉ mds⇩A AsmNoReadOrWrite;
    ― ‹The value of ‹reg0› and ‹y_var + z_var› at this point must be consistent›
    ev⇩A mem⇩C (Load reg0) = ev⇩A mem⇩A (Add (Load y_var) (Load z_var));
    ∀mds⇩A' mem⇩A' mem⇩A'' mds⇩C' mem⇩C' mem⇩C''.
        (
         mds⇩A' = mds⇩A_of mds⇩C' ∧
         mem⇩A' = mem⇩A_of mem⇩C' ∧
         mem⇩A'' = mem⇩A_of mem⇩C'' ∧
         (⟨c⇩A, mds⇩A, mem⇩A''⟩⇩A, ⟨Stop, mds⇩A', mem⇩A'⟩⇩A) ∈ A.eval⇩w ∧
         (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C, ⟨Stop, mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w
        )
         ⟶
         (⟨Stop, mds⇩A', mem⇩A'⟩⇩A, ⟨Stop, mds⇩C', mem⇩C'⟩⇩C) ∈ RefRel_HighBranch
    ⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  stop_seq_rel: "⟦c⇩A = Stop ;; c⇩A_tail;
    c⇩C = Stop ;; c⇩C_tail;
    mds⇩A = mds⇩A_of mds⇩C;
    mem⇩A = mem⇩A_of mem⇩C;
    (⟨c⇩A_tail, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C_tail, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch⟧
    ⟹
    (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" |

  stop_rel:
    "(⟨Stop, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A, ⟨Stop, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"

inductive_cases RefRelE: "(⟨c, mds, mem⟩⇩A, ⟨c', mds', mem'⟩⇩C) ∈ RefRel_HighBranch"

definition abs_steps' :: "(_,_,_) Stmt ⇒ (_,_,_) Stmt ⇒ nat" where
  "abs_steps' c⇩A c⇩C ≡
    (if (∃x m c⇩A_tail. c⇩A = ((Skip@[x +=⇩m m]) ;; c⇩A_tail)) ∧
        (∃x m c⇩C_tail. c⇩C = ((Skip@[var⇩C_of x +=⇩m m]) ;; c⇩C_tail)) then (Suc 0)
     else if (∃ c⇩A_tail c⇩C_tail. c⇩A = (Stop ;; c⇩A_tail) ∧ c⇩C = (Stop ;; c⇩C_tail)) then (Suc 0)
     else if (∃ x then⇩A else⇩A then⇩C else⇩C.
        c⇩A = (Stmt.If (Neq (Load x) (Const 0)) then⇩A else⇩A) ∧
        (c⇩C = ((reg3 ← Load (var⇩C_of x)) ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C)) ∨
         c⇩C = (Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C))
        then 0
     else if (c⇩A = (x_var ← Load y_var) ∧
        c⇩C ∈ {Skip ;; Skip ;; Assign reg0 (Load y_mem) ;; Assign x_mem (Load reg0),
              Stop ;; Skip ;; Assign reg0 (Load y_mem) ;; Assign x_mem (Load reg0),
              Skip ;; Assign reg0 (Load y_mem) ;; Assign x_mem (Load reg0),
              Stop ;; Assign reg0 (Load y_mem) ;; Assign x_mem (Load reg0),
              Assign reg0 (Load y_mem) ;; Assign x_mem (Load reg0),
              Stop ;; Assign x_mem (Load reg0)})
        then 0
     else if (c⇩A = (x_var ← Add (Load y_var) (Load z_var)) ∧
        c⇩C ∈ {(reg1 ← Load y_mem) ;; Assign reg2 (Load z_mem) ;;
                Assign reg0 (Add (Load reg1) (Load reg2)) ;; Assign x_mem (Load reg0),
              Stop ;; Assign reg2 (Load z_mem) ;;
                Assign reg0 (Add (Load reg1) (Load reg2)) ;; Assign x_mem (Load reg0),
              Assign reg2 (Load z_mem) ;;
                Assign reg0 (Add (Load reg1) (Load reg2)) ;; Assign x_mem (Load reg0),
              Stop ;;
                Assign reg0 (Add (Load reg1) (Load reg2)) ;; Assign x_mem (Load reg0),
              Assign reg0 (Add (Load reg1) (Load reg2)) ;; Assign x_mem (Load reg0),
              Stop ;; Assign x_mem (Load reg0)})
        then 0
     else (Suc 0))"

fun abs_steps
where
"abs_steps ⟨c⇩A, _, _⟩⇩A ⟨c⇩C, _, _⟩⇩C = abs_steps' c⇩A c⇩C"

lemma closed_others_RefRel_HighBranch:
  "closed_others RefRel_HighBranch"
unfolding closed_others_def
proof(clarify)
fix c⇩A c⇩C mds⇩C mem⇩C mem⇩C'
assume
  in_rel: "(⟨c⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
    ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" and
  vars: " ∀x. mem⇩C x ≠ mem⇩C' x ⟶ ¬ var_asm_not_written mds⇩C x"
and  dmas: "∀x. dma⇩C mem⇩C x ≠ dma⇩C mem⇩C' x ⟶ ¬ var_asm_not_written mds⇩C x"
from in_rel vars dmas
show "(⟨c⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
  proof (induct rule: RefRel_HighBranch.induct)
  case (acq_mode_rel c⇩A x SomeMode tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using acq_mode_rel
    by (simp add:RefRel_HighBranch.acq_mode_rel)
  next
  case (assign_load_rel c⇩A x y tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using assign_load_rel
    by (simp add:RefRel_HighBranch.assign_load_rel)
  next
  case (assign_const_rel c⇩A x z tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using assign_const_rel
    by (simp add:RefRel_HighBranch.assign_const_rel)
  next
  case (if_reg_load_rel c⇩A x then⇩A else⇩A c⇩C then⇩C else⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_reg_load_rel
    by (simp add:RefRel_HighBranch.if_reg_load_rel)
  next
  case (if_reg_stop_rel c⇩A x then⇩A else⇩A c⇩C then⇩C else⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_reg_stop_rel
    proof (clarsimp)
      from if_reg_stop_rel.hyps(3,5,6) if_reg_stop_rel.prems(1)
      have reg_untouched: "mem⇩C reg3 = mem⇩C' reg3" and
        x⇩C_untouched: "mem⇩C (var⇩C_of x) = mem⇩C' (var⇩C_of x)" and
        x⇩A_untouched: "mem⇩A_of mem⇩C x = mem⇩A_of mem⇩C' x"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C
        by (clarsimp simp:var_asm_not_written_def, blast)+
      with if_reg_stop_rel.hyps
      have conds_still_match: "(mem⇩C' reg3 = 0) = (mem⇩A_of mem⇩C' x = 0)"
        by fastforce
      with if_reg_stop_rel RefRel_HighBranch.if_reg_stop_rel
      show "(⟨Stmt.If (Neq (Load x) (Const 0)) then⇩A else⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C, mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        by auto
    qed
  next
  case (if_reg_rel c⇩A x then⇩A else⇩A c⇩C then⇩C else⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_reg_rel(1-11)
    proof (clarsimp)
      from if_reg_rel.hyps(3,5,6) if_reg_rel.prems(1)
      have reg_untouched: "mem⇩C reg3 = mem⇩C' reg3" and
        x⇩C_untouched: "mem⇩C (var⇩C_of x) = mem⇩C' (var⇩C_of x)" and
        x⇩A_untouched: "mem⇩A_of mem⇩C x = mem⇩A_of mem⇩C' x"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C
        by (clarsimp simp:var_asm_not_written_def, blast)+
      with if_reg_rel.hyps
      have conds_still_match: "(mem⇩C' reg3 = 0) = (mem⇩A_of mem⇩C' x = 0)"
        by auto
      show "(⟨Stmt.If (Neq (Load x) (Const 0)) then⇩A else⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C, mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        apply (rule RefRel_HighBranch.if_reg_rel, simp+)
            using if_reg_rel apply simp
           using if_reg_rel apply simp
          using conds_still_match apply simp
         using if_reg_rel apply blast+
        done
    qed
  next
  case (if_then_rel_1 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_then_rel_1
    by (simp add:RefRel_HighBranch.if_then_rel_1)
  next
  case (if_then_rel_1' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_then_rel_1'
    by (simp add:RefRel_HighBranch.if_then_rel_1')
  next
  case (if_then_rel_2 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_then_rel_2
    by (simp add:RefRel_HighBranch.if_then_rel_2)
  next
  case (if_then_rel_2' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_then_rel_2'
    by (simp add:RefRel_HighBranch.if_then_rel_2')
  next
  case (if_then_rel_3 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_then_rel_3
    by (simp add:RefRel_HighBranch.if_then_rel_3)
  next
  case (if_then_rel_3' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_then_rel_3'
    proof (clarsimp)
      from if_then_rel_3'.hyps(4,5,6,7) if_then_rel_3'.prems(1)
      have reg_untouched: "mem⇩C reg0 = mem⇩C' reg0" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by fastforce+
      with if_then_rel_3'.hyps
      have conds_still_match: "mem⇩C' reg0 = mem⇩A_of mem⇩C' y_var"
        by simp
      show "(⟨x_var ← Load y_var, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stop ;; (x_mem ← Load reg0), mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_then_rel_3' if_then_rel_3' conds_still_match by simp
    qed
  next
  case (if_then_rel_4 c⇩A c⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_then_rel_4
    proof (clarsimp)
      from if_then_rel_4.hyps(3-7) if_then_rel_4.prems(1)
      have reg_untouched: "mem⇩C reg0 = mem⇩C' reg0" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by (fast, metis+)
      with if_then_rel_4.hyps
      have conds_still_match: "mem⇩C' reg0 = mem⇩A_of mem⇩C' y_var"
        by simp
      show "(⟨x_var ← Load y_var, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨x_mem ← Load reg0, mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_then_rel_4 if_then_rel_4 conds_still_match by simp
    qed
  next
  case (if_else_rel_1 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_else_rel_1
    by (simp add:RefRel_HighBranch.if_else_rel_1)
  next
  case (if_else_rel_1' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_else_rel_1'
    proof (clarsimp)
      from if_else_rel_1'.hyps(4-7) if_else_rel_1'.prems(1)
      have reg_untouched: "mem⇩C reg1 = mem⇩C' reg1" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by (metis (no_types) insertCI reg_not_visible_abs, metis+)
      with if_else_rel_1'.hyps
      have conds_still_match: "mem⇩C' reg1 = mem⇩A_of mem⇩C' y_var"
        by simp
      show "(⟨x_var ← Add (Load y_var) (Load z_var), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stop ;; (reg2 ← Load z_mem) ;; (reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0), mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_else_rel_1' if_else_rel_1' conds_still_match by simp
    qed
  next
  case (if_else_rel_2 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_else_rel_2
    proof (clarsimp)
      from if_else_rel_2.hyps(4-7) if_else_rel_2.prems(1)
      have reg_untouched: "mem⇩C reg1 = mem⇩C' reg1" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by (metis (no_types) insertCI reg_not_visible_abs, metis+)
      with if_else_rel_2.hyps
      have conds_still_match: "mem⇩C' reg1 = mem⇩A_of mem⇩C' y_var"
        by simp
      show "(⟨x_var ← Add (Load y_var) (Load z_var), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨(reg2 ← Load z_mem) ;; (reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0), mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_else_rel_2 if_else_rel_2 conds_still_match by simp
    qed
  next
  case (if_else_rel_2' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_else_rel_2'
    proof (clarsimp)
      from if_else_rel_2'.hyps(4-8) if_else_rel_2'.prems(1)
      have regs_untouched: "mem⇩C reg1 = mem⇩C' reg1 ∧ mem⇩C reg2 = mem⇩C' reg2" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var" and
        z⇩C_untouched: "mem⇩C (var⇩C_of z_var) = mem⇩C' (var⇩C_of z_var)" and
        z⇩A_untouched: "mem⇩A_of mem⇩C z_var = mem⇩A_of mem⇩C' z_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by (metis (no_types) insertCI reg_not_visible_abs, metis+)
      with if_else_rel_2'.hyps(5,9,10)
      have conds_still_match: "mem⇩C' reg1 = mem⇩A_of mem⇩C' y_var ∧ mem⇩C' reg2 = mem⇩A_of mem⇩C' z_var"
        by simp
      show "(⟨x_var ← Add (Load y_var) (Load z_var), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stop ;; (reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0), mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_else_rel_2' if_else_rel_2' conds_still_match by simp
    qed
  next
  case (if_else_rel_3 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_else_rel_3
    proof (clarsimp)
      from if_else_rel_3.hyps(4-8) if_else_rel_3.prems(1)
      have regs_untouched: "mem⇩C reg1 = mem⇩C' reg1 ∧ mem⇩C reg2 = mem⇩C' reg2" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var" and
        z⇩C_untouched: "mem⇩C (var⇩C_of z_var) = mem⇩C' (var⇩C_of z_var)" and
        z⇩A_untouched: "mem⇩A_of mem⇩C z_var = mem⇩A_of mem⇩C' z_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by (metis (no_types) insertCI reg_not_visible_abs, metis+)
      with if_else_rel_3.hyps(5,9,10)
      have conds_still_match: "mem⇩C' reg1 = mem⇩A_of mem⇩C' y_var ∧ mem⇩C' reg2 = mem⇩A_of mem⇩C' z_var"
        by simp
      show "(⟨x_var ← Add (Load y_var) (Load z_var), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨(reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0), mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_else_rel_3 if_else_rel_3 conds_still_match by simp
    qed
  next
  case (if_else_rel_3' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_else_rel_3'
    proof (clarsimp)
      from if_else_rel_3'.hyps(4-8) if_else_rel_3'.prems(1)
      have reg_untouched: "mem⇩C reg0 = mem⇩C' reg0" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var" and
        z⇩C_untouched: "mem⇩C (var⇩C_of z_var) = mem⇩C' (var⇩C_of z_var)" and
        z⇩A_untouched: "mem⇩A_of mem⇩C z_var = mem⇩A_of mem⇩C' z_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by (metis (no_types) insertCI reg_not_visible_abs, metis+)
      with if_else_rel_3'.hyps(5,9)
      have conds_still_match:
        "ev⇩A mem⇩C' (Load reg0) = ev⇩A (mem⇩A_of mem⇩C') (Add (Load y_var) (Load z_var))"
        by simp
      show "(⟨x_var ← Add (Load y_var) (Load z_var), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨Stop ;; (x_mem ← Load reg0), mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_else_rel_3' if_else_rel_3' conds_still_match by simp
    qed
  next
  case (if_else_rel_4 c⇩A c⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using if_else_rel_4
    proof (clarsimp)
      from if_else_rel_4.hyps(3-7) if_else_rel_4.prems(1)
      have reg_untouched: "mem⇩C reg0 = mem⇩C' reg0" and
        y⇩C_untouched: "mem⇩C (var⇩C_of y_var) = mem⇩C' (var⇩C_of y_var)" and
        y⇩A_untouched: "mem⇩A_of mem⇩C y_var = mem⇩A_of mem⇩C' y_var" and
        z⇩C_untouched: "mem⇩C (var⇩C_of z_var) = mem⇩C' (var⇩C_of z_var)" and
        z⇩A_untouched: "mem⇩A_of mem⇩C z_var = mem⇩A_of mem⇩C' z_var"
        using reg_is_not_the_var⇩C_of_anything mem⇩A_of_def NoWrite⇩A_implies_NoWrite⇩C var_asm_not_written_def
        by (metis (no_types) insertCI reg_not_visible_abs, metis+)
      with if_else_rel_4.hyps(4,8)
      have conds_still_match:
        "ev⇩A mem⇩C' (Load reg0) = ev⇩A (mem⇩A_of mem⇩C') (Add (Load y_var) (Load z_var))"
        by simp
      show "(⟨x_var ← Add (Load y_var) (Load z_var), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C'⟩⇩A,
             ⟨(x_mem ← Load reg0), mds⇩C, mem⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
        using RefRel_HighBranch.if_else_rel_4 if_else_rel_4 conds_still_match by simp
    qed
  next
  case (stop_seq_rel c⇩A tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  show "(⟨c⇩A, mds⇩A, mem⇩A_of mem⇩C'⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using stop_seq_rel
    by (simp add:RefRel_HighBranch.stop_seq_rel)
  next
  case (stop_rel mds⇩C mem⇩C)
  show ?case by (simp add:RefRel_HighBranch.stop_rel)
  qed
qed

lemma preserves_modes_mem_RefRel_HighBranch:
  "preserves_modes_mem RefRel_HighBranch"
unfolding preserves_modes_mem_def2
proof(clarsimp)
  fix c⇩A mds⇩A mem⇩A c⇩C mds⇩C mem⇩C
  assume in_rel: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
  thus "mem⇩A = mem⇩A_of mem⇩C ∧ mds⇩A = mds⇩A_of mds⇩C"
    by (cases rule:RefRel_HighBranch.cases, blast+)
qed

lemma new_vars_private_RefRel_HighBranch:
  "sifum_refinement.new_vars_private dma⇩C C.eval⇩w var⇩C_of RefRel_HighBranch"
unfolding new_vars_private_def
(* Slightly more intuitive goals without simp converting ∨ to ⟶ *)
proof(clarify)
  fix c⇩A mds⇩A mem⇩A c⇩C mds⇩C mem⇩C c⇩C' mds⇩C' mem⇩C'
  assume in_rel: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch" and
      does_eval: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩C', mds⇩C', mem⇩C'⟩⇩C) ∈ C.eval⇩w"
  let "?diff_mem v⇩C" = "mem⇩C' v⇩C ≠ mem⇩C v⇩C"
  let "?diff_dma v⇩C" = "dma⇩C mem⇩C' v⇩C < dma⇩C mem⇩C v⇩C"
  let "?conc_only v⇩C" = "v⇩C ∉ range var⇩C_of"
  show "(∀v⇩C. (?diff_mem v⇩C ∨ ?diff_dma v⇩C) ∧ ?conc_only v⇩C ⟶ v⇩C ∈ mds⇩C' AsmNoReadOrWrite) ∧
         mds⇩C AsmNoReadOrWrite - range var⇩C_of ⊆ mds⇩C' AsmNoReadOrWrite - range var⇩C_of"
  using in_rel does_eval
  proof(cases rule:RefRel_HighBranch.cases)
  case (acq_mode_rel x SomeMode tail⇩A tail⇩C)
    moreover with does_eval
    have "mds⇩C' = mds⇩C (SomeMode := insert (var⇩C_of x) (mds⇩C SomeMode))"
      by (metis (mono_tags) C.seq_decl_elim C.update_modes.simps(1))
    ultimately show ?thesis
      by simp
  next
  case (assign_load_rel x y tail⇩A tail⇩C)
    with does_eval
    show ?thesis
      by (metis C.assign_elim C.seq_elim Stmt.distinct(13) set_eq_subset)
  next
  case (assign_const_rel x z tail⇩A tail⇩C)
    with does_eval
    show ?thesis
      by (metis C.assign_elim C.seq_elim Stmt.distinct(13) set_eq_subset)
  next
  case (if_reg_load_rel x then⇩A else⇩A then⇩C else⇩C)
    with does_eval
    show ?thesis
      by (metis C.assign_elim C.seq_elim Stmt.distinct(13) set_eq_subset)
  next
  case (if_reg_stop_rel x then⇩A else⇩A then⇩C else⇩C)
    with does_eval
    show ?thesis
      by (metis C.seq_stop_elim subset_refl)
  next
  case (if_reg_rel x then⇩A else⇩A then⇩C else⇩C)
    with does_eval
    have mds⇩C_unchanged: "mds⇩C = mds⇩C'"
      by (metis C.if_elim C.seq_elim Stmt.distinct(39))
    moreover with if_reg_rel(5)
    have "∀v⇩C. (?diff_mem v⇩C ∨ ?diff_dma v⇩C) ∧ ?conc_only v⇩C ⟶ v⇩C ∈ mds⇩C' AsmNoReadOrWrite"
      by simp
    moreover from mds⇩C_unchanged
    have "mds⇩C AsmNoReadOrWrite - range var⇩C_of ⊆ mds⇩C' AsmNoReadOrWrite - range var⇩C_of"
      by clarify
    ultimately show ?thesis
      by simp
  next
  case (if_then_rel_1 tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.eval⇩w.seq C.eval_det C.seq_stop_elim C.seq_stop_eval⇩w C.skip_eval⇩w subsetI)
  next
  case (if_then_rel_1' tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.seq_stop_elim subsetI)
  next
  case (if_then_rel_2 tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.eval⇩w.seq C.eval_det C.seq_stop_elim C.seq_stop_eval⇩w C.skip_eval⇩w subsetI)
  next
  case (if_then_rel_2' tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.seq_stop_elim subsetI)
  next
  case (if_then_rel_3 tail⇩C)
    with does_eval
    show ?thesis
      by (metis (full_types) C.seq_assign_elim subset_refl)
  next
  case (if_then_rel_3' tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.seq_stop_elim subsetI)
  next
  case (if_then_rel_4)
    with does_eval
    show ?thesis
      by (metis C.assign_elim order_refl)
  next
  case (if_else_rel_1 tail⇩C)
    with does_eval
    show ?thesis
      by (metis (full_types) C.seq_assign_elim subset_refl)
  next
  case (if_else_rel_1' tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.seq_stop_elim subsetI)
  next
  case (if_else_rel_2 tail⇩C)
    with does_eval
    show ?thesis
      by (metis (full_types) C.seq_assign_elim subset_refl)
  next
  case (if_else_rel_2' tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.seq_stop_elim subsetI)
  next
  case (if_else_rel_3 tail⇩C)
    with does_eval
    show ?thesis
      by (metis (full_types) C.seq_assign_elim subset_refl)
  next
  case (if_else_rel_3' tail⇩C)
    with does_eval
    show ?thesis
      by (metis (no_types, opaque_lifting) C.seq_stop_elim subsetI)
  next
  case (if_else_rel_4)
    with does_eval
    show ?thesis
      by (metis C.assign_elim order_refl)
  next
  case (stop_seq_rel tail⇩A tail⇩C)
    with does_eval C.seq_stop_elim
    show ?thesis by blast
  next
  case (stop_rel)
    with does_eval C.stop_no_eval have False by simp
    thus ?thesis by simp
  qed
qed

inductive_cases inR_E:
"(⟨c, mds, mem⟩⇩A, ⟨c', mds', mem'⟩⇩A) ∈ A.R"

lemma refrel_helper_Acq_Rel_ex1I:
"
  (⟨(Skip@[x +=⇩m SomeMode]) ;; c⇩A_tail, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
      ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
     ∈ RefRel_HighBranch
  ⟹
  ∃!c⇩C_tail.
  c⇩2⇩C = (Skip@[var⇩C_of x +=⇩m SomeMode]) ;; c⇩C_tail ∧
        ((⟨(Skip@[var⇩C_of x +=⇩m SomeMode]) ;; c⇩C_tail, mds⇩C, mem⇩2⇩C⟩⇩C,
          ⟨Stop ;; c⇩C_tail, mds⇩C(SomeMode := insert (var⇩C_of x) (mds⇩C SomeMode)), mem⇩2⇩C⟩⇩C)
          ∈ C.eval⇩w)"
  apply(cases rule:RefRel_HighBranch.cases)
       apply simp
      apply clarsimp
      apply(erule_tac x="mem⇩A_of mem⇩2⇩C" in allE)
      apply(erule_tac x="mds⇩C(SomeMode := insert (var⇩C_of x) (mds⇩C SomeMode))" in allE)
      apply(erule_tac x="mem⇩2⇩C" in allE)
      apply(erule impE)
       apply(rule_tac x="mem⇩2⇩C" in exI)
       apply(rule conjI)
        apply(rule HOL.refl)
       apply(rule conjI)
        apply(rule A.eval⇩w.seq)
        apply(rule A.decl_eval⇩w', rule HOL.refl, clarsimp)
        apply(rule mode_acquire_refinement_helper)
       apply(rule C.eval⇩w.seq)
       apply(rule C.decl_eval⇩w', rule HOL.refl, clarsimp)
      apply(rule_tac a=c⇩C_tail in ex1I)
       apply clarsimp
        apply(rule C.eval⇩w.seq)
        apply(rule C.decl_eval⇩w', rule HOL.refl, clarsimp)
       apply blast+
  done

lemma refrel_helper_Assign_Load_ex1I:
"
  (⟨(x ← Load y) ;; tail⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
      ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
     ∈ RefRel_HighBranch
  ⟹
  ∃!tail⇩C.
  c⇩2⇩C = (var⇩C_of x ← Load (var⇩C_of y)) ;; tail⇩C ∧
        ((⟨(var⇩C_of x ← Load (var⇩C_of y)) ;; tail⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
          ⟨Stop ;; tail⇩C, mds⇩C, mem⇩2⇩C((var⇩C_of x) := mem⇩2⇩C (var⇩C_of y))⟩⇩C)
          ∈ C.eval⇩w)"
  apply(cases rule:RefRel_HighBranch.cases, simp+)
          apply clarsimp
          apply(erule_tac x="mem⇩A_of mem⇩2⇩C" in allE)
          apply(erule_tac x="mds⇩C" in allE)
          apply(erule_tac x="mem⇩2⇩C((var⇩C_of x) := mem⇩2⇩C (var⇩C_of y))" in allE)
          apply(erule impE)
           apply(rule_tac x="mem⇩2⇩C" in exI)
           apply(rule conjI)
            apply(rule HOL.refl)
           apply(rule conjI)
            apply(rule A.eval⇩w.seq)
            apply(simp add: assign_eval⇩w_load⇩A mem_assign_refinement_helper_var)
           apply(rule C.eval⇩w.seq)
           apply(simp add: assign_eval⇩w_load⇩C)
          apply(rule_tac a=c⇩C_tail in ex1I)
           apply clarsimp
           apply(rule C.eval⇩w.seq)
           apply(simp add:assign_eval⇩w_load⇩C)
          apply blast
         apply clarsimp
        apply(simp add: assign_eval⇩w_load⇩A mem_assign_refinement_helper_var)
       apply(simp add:assign_eval⇩w_load⇩C)
      apply(rule_tac a=c⇩C_tail in ex1I)
       apply clarsimp
      apply(simp add:assign_eval⇩w_load⇩C)
     apply blast
    apply(rule ex1I, clarsimp+)
  done


lemma refrel_helper_Assign_Const_ex1I:
"
  (⟨(x ← Const z) ;; tail⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
      ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
     ∈ RefRel_HighBranch
  ⟹
  ∃!tail⇩C.
  c⇩2⇩C = (var⇩C_of x ← Const z) ;; tail⇩C ∧
        ((⟨(var⇩C_of x ← Const z) ;; tail⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
          ⟨Stop ;; tail⇩C, mds⇩C, mem⇩2⇩C((var⇩C_of x) := z)⟩⇩C)
          ∈ C.eval⇩w)"
  apply(cases rule:RefRel_HighBranch.cases, simp+)
          apply clarsimp
          apply(erule_tac x="mem⇩A_of mem⇩2⇩C" in allE)
          apply(erule_tac x="mds⇩C" in allE)
          apply(erule_tac x="mem⇩2⇩C((var⇩C_of x) := z)" in allE)
          apply(erule impE)
           apply(rule_tac x="mem⇩2⇩C" in exI)
           apply(rule conjI)
            apply(rule HOL.refl)
           apply(rule conjI)
            apply(rule A.eval⇩w.seq)
            apply(simp add: assign_eval⇩w_const⇩A mem_assign_refinement_helper_const)
           apply(rule C.eval⇩w.seq)
           apply(simp add:assign_eval⇩w_const⇩C)
          apply(rule_tac a=c⇩C_tail in ex1I)
           apply clarsimp
           apply(rule C.eval⇩w.seq)
           apply(simp add:assign_eval⇩w_const⇩C)
          apply blast
         apply clarsimp
        apply(simp add: assign_eval⇩w_load⇩A mem_assign_refinement_helper_var)
       apply(simp add:assign_eval⇩w_const⇩C)
      apply(rule_tac a=c⇩C_tail in ex1I)
       apply clarsimp
      apply(simp add:assign_eval⇩w_const⇩C)
     apply blast
    apply(rule ex1I, clarsimp+)
  done

(* Could possibly be useful if we have one that just does seq *)
lemma refrel_helper_Assign_Const:
"
  (⟨(x ← Const z), mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
      ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
     ∈ RefRel_HighBranch
  ⟹
  c⇩2⇩C = (var⇩C_of x ← Const z) ∧
        ((⟨(var⇩C_of x ← Const z), mds⇩C, mem⇩2⇩C⟩⇩C,
          ⟨Stop, mds⇩C, mem⇩2⇩C((var⇩C_of x) := z)⟩⇩C)
          ∈ C.eval⇩w)"
  by (cases rule:RefRel_HighBranch.cases, (simp add:assign_eval⇩w_const⇩C)+)

type_synonym t_Neq_C = "(var⇩C aexp ⇒ var⇩C aexp ⇒ var⇩C bexp)"

lemma refrel_helper_If_Reg_Load_exI:
  "
  c⇩C = (reg3 ← Load (var⇩C_of x)) ;; Stmt.If ((Neq::t_Neq_C) (Load reg3) (Const 0)) then⇩C else⇩C
  ⟹
  c⇩2⇩A = If (Neq (Load x) (Const 0)) then⇩A else⇩A
  ⟹
  (⟨c⇩2⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
    ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
   ∈ RefRel_HighBranch
  ⟹
  A.neval
     ⟨c⇩2⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A 0
     ⟨c⇩2⇩A, mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A
  ⟹
  ― ‹Distinguish between the different concrete cases›
  ― ‹for which the abstract program remains the same.›
  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C
  ⟹
  ∃then⇩C' else⇩C'.
  ((c⇩2⇩C = (reg3 ← Load (var⇩C_of x)) ;; Stmt.If ((Neq::t_Neq_C) (Load reg3) (Const 0)) then⇩C' else⇩C')
 ∧
   (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
    ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, mem⇩2⇩C(reg3 := mem⇩2⇩C (var⇩C_of x))⟩⇩C)
     ∈ C.eval⇩w
)"
  apply(cases rule:RefRel_HighBranch.cases, simp+)
       apply clarsimp
       apply(erule_tac x="mem⇩2⇩C(reg3 := mem⇩2⇩C (var⇩C_of x))" in allE)
       apply(erule impE)
        apply(rule_tac x="mem⇩2⇩C" in exI)
        apply(rule conjI)
         apply(simp add: conc_only_var_assign_not_visible_abs reg_not_visible_abs)
        apply(rule conjI)
         apply clarsimp
         apply(simp add: mem⇩A_of_def)
        apply(rule C.eval⇩w.seq)
        apply(simp add:assign_eval⇩w_load⇩C)
       apply(rule C.eval⇩w.seq)
       apply(simp add:assign_eval⇩w_load⇩C)
      apply(erule rel_inv⇩CE, simp+)+
  done

lemma refrel_helper_If_Reg_Stop_exI:
  "
  c⇩C = Stop ;; Stmt.If ((Neq::t_Neq_C) (Load reg3) (Const 0)) then⇩C else⇩C
  ⟹
  c⇩2⇩A = If (Neq (Load x) (Const 0)) then⇩A else⇩A
  ⟹
  (⟨c⇩2⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
    ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
   ∈ RefRel_HighBranch
  ⟹
  A.neval
     ⟨c⇩2⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A 0
     ⟨c⇩2⇩A, mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A
  ⟹
  ― ‹Distinguish between concrete cases for which abstract program remains the same.›
  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C
  ⟹
  ∃then⇩C' else⇩C'.
  ((c⇩2⇩C = Stop ;; Stmt.If ((Neq::t_Neq_C) (Load reg3) (Const 0)) then⇩C' else⇩C')
 ∧
   (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
    ⟨Stmt.If ((Neq::t_Neq_C) (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, mem⇩2⇩C⟩⇩C)
     ∈ C.eval⇩w
)"
  apply(cases rule:RefRel_HighBranch.cases, simp+)
      apply(erule rel_inv⇩CE, simp+)+
     apply(rule C.seq_stop_eval⇩w)+
    apply(erule rel_inv⇩CE, simp+)+
  done

lemma refrel_helper_If_Reg_exI:
assumes
  conds_match: "ev⇩B (sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C) (Neq (Load x) (Const 0)) =
    ev⇩B mem⇩2⇩C ((Neq::t_Neq_C) (Load reg3) (Const 0))" and
  rest_assms: "c⇩C = Stmt.If ((Neq::t_Neq_C) (Load reg3) (Const 0)) then⇩C else⇩C ∧
  ― ‹Distinguish between concrete cases for which abstract program remains the same.›
  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
shows
"
  ∃then⇩C' else⇩C'.
  ((c⇩2⇩C = Stmt.If ((Neq::t_Neq_C) (Load reg3) (Const 0)) then⇩C' else⇩C')
 ∧
   (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
    ⟨if (ev⇩B mem⇩2⇩C ((Neq::t_Neq_C) (Load reg3) (Const 0))) then (then⇩C') else (else⇩C'),
                  mds⇩C, mem⇩2⇩C⟩⇩C)
     ∈ C.eval⇩w
)"
  using rest_assms
  apply(clarsimp simp del:ev⇩B.simps split del:if_splits)
  apply(erule rel_inv⇩CE, (clarsimp simp del:ev⇩B.simps split del:if_splits)+)
  apply(rule C.if_eval⇩w)
  done

inductive_cases Skip_tail_RefRel_HighBranchE: "(⟨Skip ;; c⇩A_tail, mds⇩A, mem⇩A⟩, ⟨Skip ;; c⇩C_tail, mds⇩C, mem⇩C⟩) ∈ RefRel_HighBranch"
thm Skip_tail_RefRel_HighBranchE

inductive_cases Stop_tail_RefRel_HighBranchE: "(⟨Stop ;; c⇩A_tail, mds⇩A, mem⇩A⟩, ⟨Stop ;; c⇩C_tail, mds⇩C, mem⇩C⟩) ∈ RefRel_HighBranch"
thm Stop_tail_RefRel_HighBranchE

inductive_cases Acq_Mode_RefRel_HighBranchE:
"(⟨(Skip@[x +=⇩m SomeMode]) ;; c⇩A_tail, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
  ⟨(Skip@[var⇩C_of x +=⇩m SomeMode]) ;; c⇩C_tail, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
thm Acq_Mode_RefRel_HighBranchE

inductive_cases Assign_Load_RefRel_HighBranchE:
"(⟨(x ← aexp.Load y) ;; c⇩A_tail, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
  ⟨((var⇩C_of x) ← Load (var⇩C_of y)) ;; c⇩C_tail, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
thm Assign_Load_RefRel_HighBranchE

inductive_cases Assign_Const_RefRel_HighBranchE:
"(⟨(x ← Const z) ;; c⇩A_tail, mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
  ⟨((var⇩C_of x) ← Const z) ;; c⇩C_tail, mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
thm Assign_Const_RefRel_HighBranchE

inductive_cases If_Reg_Load_RefRel_HighBranchE:
"(⟨(If (Neq (Load x) (Const 0)) c⇩A_then c⇩A_else), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
  ⟨(reg3 ← Load (var⇩C_of y)) ;; ((If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else)), mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
thm If_Reg_Load_RefRel_HighBranchE

inductive_cases If_Reg_Stop_RefRel_HighBranchE:
"(⟨(If (Neq (Load x) (Const 0)) c⇩A_then c⇩A_else), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
  ⟨Stop ;; ((If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else)), mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
thm If_Reg_Stop_RefRel_HighBranchE

inductive_cases If_Reg_RefRel_HighBranchE:
"(⟨(If (Neq (Load x) (Const 0)) c⇩A_then c⇩A_else), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A,
  ⟨((If (Neq (Load reg3) (Const 0)) c⇩C_then c⇩C_else)), mds⇩C, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
thm If_Reg_RefRel_HighBranchE

inductive_cases If_Then_RefRel_HighBranchE:
"(⟨(x_var ← Load y_var), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C)
  ∈ RefRel_HighBranch"

inductive_cases If_Else_RefRel_HighBranchE:
"(⟨(x_var ← Add (Load y_var) (Load z_var)), mds⇩A_of mds⇩C, mem⇩A_of mem⇩C⟩⇩A, ⟨c⇩C, mds⇩C, mem⇩C⟩⇩C)
  ∈ RefRel_HighBranch"

inductive_cases inv⇩5E:
"A.inv ⟨Assign x_var (Load y_var), mds, mem⟩"

inductive_cases inv⇩6E:
"A.inv ⟨Assign x_var (Add (Load y_var) (Load z_var)), mds, mem⟩"

lemma induction_full_RefRel_HighBranch:
  notes neq0_conv[simp del] neq0_conv[symmetric, simp add]
  shows
  "⟦(⟨c⇩1⇩A, sifum_refinement.mds⇩A_of var⇩C_of mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of mem⇩1⇩C⟩⇩A,
         ⟨c⇩1⇩C, mds⇩C, mem⇩1⇩C⟩⇩C)
        ∈ RefRel_HighBranch;
        (⟨c⇩1⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B⟧
       ⟹ ∃n c⇩1⇩A'.
              A.neval
               ⟨c⇩1⇩A, sifum_refinement.mds⇩A_of var⇩C_of mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of mem⇩1⇩C⟩⇩A n
               ⟨c⇩1⇩A', sifum_refinement.mds⇩A_of var⇩C_of
                         mds⇩C', sifum_refinement.mem⇩A_of var⇩C_of mem⇩1⇩C'⟩⇩A ∧
              (⟨c⇩1⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', sifum_refinement.mem⇩A_of var⇩C_of mem⇩1⇩C'⟩⇩A,
               ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C)
              ∈ RefRel_HighBranch ∧
              (∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩1⇩A, sifum_refinement.mds⇩A_of var⇩C_of
                            mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of mem⇩1⇩C⟩⇩A,
                   ⟨c⇩2⇩A, sifum_refinement.mds⇩A_of var⇩C_of
                            mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A)
                  ∈ A.R ∧
                  (⟨c⇩2⇩A, sifum_refinement.mds⇩A_of var⇩C_of
                            mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A,
                   ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩1⇩C, mds⇩C, mem⇩1⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, sifum_refinement.mds⇩A_of var⇩C_of mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A
                   n ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A,
                       ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
proof(induct rule: RefRel_HighBranch.induct)
case (acq_mode_rel c⇩A x m tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  let ?c⇩1⇩A' = "Stop ;; tail⇩A"
  from acq_mode_rel(1,2)
  have abs_steps_acq: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  moreover from acq_mode_rel.prems acq_mode_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C(m := insert (var⇩C_of x) (mds⇩C m))" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    by (metis (mono_tags) C.seq_decl_elim C.update_modes.simps(1))+
  moreover from mds⇩C'_def
  have mds⇩A'_def: "?mds⇩A' = A.update_modes (x +=⇩m m) (mds⇩A_of mds⇩C)"
    unfolding A.update_modes.simps
    by(blast intro: mode_acquire_refinement_helper)
  moreover with mem⇩1⇩C'_def acq_mode_rel A.eval⇩w.seq A.decl_eval⇩w
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w"
    by presburger
  hence neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    by clarsimp
  moreover from acq_mode_rel(5)
  have mds⇩C'_concrete_vars_unwritable:
    "(∀v⇩C. v⇩C ∉ range var⇩C_of ⟶ v⇩C ∈ mds⇩C' AsmNoReadOrWrite)"
    by(auto simp: mds⇩C'_def)
  moreover with acq_mode_rel(6)[simplified] acq_mode_rel.hyps(4) neval⇩A c⇩1⇩C'_def
  have in_Rel': "(⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by (metis A.neval_Suc_simp One_nat_def acq_mode_rel.prems)
  moreover have "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
           (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
           (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
           ∈ RefRel_HighBranch ∧
           (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
           A.neval
            ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 1
            ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
           (∃c⇩2⇩C' mem⇩2⇩C'.
               (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
               (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
               ∈ RefRel_HighBranch ∧
               (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
    proof(clarsimp)
      fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
      assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
        in_RefRel: "(⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
           ∈ RefRel_HighBranch" and
        in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
        eval⇩2⇩A: "(⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A,
         ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A)
        ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B"
      let ?c⇩2⇩C' = "Stop ;; tail⇩C"
      from in_rel_inv⇩C acq_mode_rel(2) rel_inv⇩CE
      have "c⇩2⇩C = (Skip@[var⇩C_of x +=⇩m m]) ;; tail⇩C" by blast
      hence eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; tail⇩C, mds⇩C', mem⇩2⇩C⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B"
        by (simp del:fun_upd_apply add:C.eval⇩w.seq C.decl_eval⇩w' mds⇩C'_def)
      from in_R acq_mode_rel(1)
      have c⇩2⇩A_def: "c⇩2⇩A = (Skip@[x +=⇩m m]) ;; tail⇩A" by (blast elim:inR_E A.rel_invE)
      with acq_mode_rel(1,3,4)
      have "(⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A,
            ⟨Stop ;; tail⇩A, sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.eval⇩w"
        by (simp del:fun_upd_apply add:A.eval⇩w.seq A.decl_eval⇩w' mds⇩C'_def mode_acquire_refinement_helper)
      with eval⇩2⇩A acq_mode_rel(1,3,4)
      have c⇩2⇩A'_def: "c⇩2⇩A' = Stop ;; tail⇩A" and
        mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
        using A.eval_det by blast+
      from acq_mode_rel(3) in_RefRel c⇩2⇩A_def refrel_helper_Acq_Rel_ex1I
      obtain tail⇩C' where
        c⇩2⇩C_def: "c⇩2⇩C = (Skip@[var⇩C_of x +=⇩m m]) ;; tail⇩C'" and
        eval⇩2⇩C': "(⟨(Skip@[var⇩C_of x +=⇩m m]) ;; tail⇩C', mds⇩C, mem⇩2⇩C⟩⇩C,
                   ⟨Stop ;; tail⇩C', mds⇩C(m := insert (var⇩C_of x) (mds⇩C m)), mem⇩2⇩C⟩⇩C)
                  ∈ C.eval⇩w"
        by blast
      have eval_tail⇩C': "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; tail⇩C', mds⇩C', mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
        by(simp add: mds⇩C'_def c⇩2⇩C_def eval⇩2⇩C')
      with eval_tail⇩C C.eval_det have
        tails_eq: "tail⇩C = tail⇩C'" by blast
      moreover have "(⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨Stop ;; tail⇩C', mds⇩C', mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
      proof -
        from Acq_Mode_RefRel_HighBranchE[OF in_RefRel[simplified c⇩2⇩A_def c⇩2⇩C_def acq_mode_rel(3)]]
        have "((⟨(Skip@[x +=⇩m m]) ;; tail⇩A, mds⇩A_of  mds⇩C,  mem⇩A_of mem⇩2⇩C⟩⇩A,
                ⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of mem⇩2⇩C⟩⇩A)
               ∈ A.eval⇩w) ⟶
              (⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of mem⇩2⇩C⟩⇩A,
               ⟨Stop ;; tail⇩C', mds⇩C', mem⇩2⇩C⟩⇩C)
              ∈ RefRel_HighBranch"
        using eval⇩2⇩C' mds⇩C'_concrete_vars_unwritable
          by (metis (mono_tags, lifting) mds⇩C'_def)
        hence "(⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of mem⇩2⇩C⟩⇩A,
                ⟨Stop ;; tail⇩C', mds⇩C', mem⇩2⇩C⟩⇩C)
               ∈ RefRel_HighBranch"
        using A.eval⇩w.seq A.decl_eval⇩w' mds⇩C'_def A.update_modes.simps mode_acquire_refinement_helper
          by simp
        thus ?thesis
          by(simp add: c⇩2⇩C_def c⇩2⇩A'_def mem⇩2⇩A'_def)
      qed
      moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; tail⇩C', mds⇩C', mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
        using c⇩1⇩C'_def tails_eq rel_inv⇩C_default
        by simp
      moreover note eval_tail⇩C
      ultimately show "∃c⇩2⇩C' mem⇩2⇩C'.
              (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
              (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
              ∈ RefRel_HighBranch ∧
              (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
              by blast
    qed
  thus ?case using in_Rel' abs_steps_acq neval⇩A by blast
next
case (assign_load_rel c⇩A x y tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "Stop ;; tail⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from assign_load_rel(1) assign_load_rel(2)
  have abs_steps_load: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from assign_load_rel.prems assign_load_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C((var⇩C_of x) := mem⇩C (var⇩C_of y))"
    using C.seq_elim C.assign_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(13))+
  from assign_load_rel(1,3,4) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A,⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w" and
    neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using A.eval⇩w.seq assign_eval⇩w_load⇩A mem_assign_refinement_helper_var abs_steps_load by simp+
  with assign_load_rel(11)[simplified] assign_load_rel.prems c⇩1⇩C'_def
  have in_Rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using assign_load_rel.hyps(4-5) mds⇩C'_def by blast
  have
    "∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 1
                   ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
    proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           eval⇩2⇩A: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A) ∈ A.eval⇩w"
    let ?mem⇩2⇩C' = "(mem⇩2⇩C((var⇩C_of x) := mem⇩2⇩C (var⇩C_of y)))"
    from in_rel_inv⇩C assign_load_rel(2) reg_is_not_the_var⇩C_of_anything
    have "c⇩2⇩C = (var⇩C_of x ← Load (var⇩C_of y)) ;; tail⇩C"
      by (blast elim:rel_inv⇩CE)
    hence eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; tail⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B"
      by (simp del:fun_upd_apply add:C.eval⇩w.seq assign_eval⇩w_load⇩C mds⇩C'_def)
    from assign_load_rel(1) in_R inR_E
    have c⇩2⇩A_def: "c⇩2⇩A = (x ← aexp.Load y) ;; tail⇩A"
      by (blast elim:inR_E A.rel_invE)
    hence c⇩2⇩A'_def: "c⇩2⇩A' = Stop ;; tail⇩A"
      and mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of ?mem⇩2⇩C'"
      using eval⇩2⇩A abs_steps_load A.assign_elim A.seq_elim mem_assign_refinement_helper_var
      by fastforce+
    from assign_load_rel(3) in_Rel c⇩2⇩A_def refrel_helper_Assign_Load_ex1I
    obtain tail⇩C' where
      c⇩2⇩C_def: "c⇩2⇩C = (var⇩C_of x ← Load (var⇩C_of y)) ;; tail⇩C'" and
      eval⇩2⇩C': "(⟨(var⇩C_of x ← Load (var⇩C_of y)) ;; tail⇩C', mds⇩C, mem⇩2⇩C⟩⇩C,
                 ⟨Stop ;; tail⇩C', mds⇩C, mem⇩2⇩C((var⇩C_of x) := mem⇩2⇩C (var⇩C_of y))⟩⇩C)
                ∈ C.eval⇩w"
      by blast
    have eval_tail⇩C': "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
                  ⟨Stop ;; tail⇩C', mds⇩C', mem⇩2⇩C((var⇩C_of x) := mem⇩2⇩C (var⇩C_of y))⟩⇩C)
                  ∈ C.eval⇩w"
      by(simp add: mds⇩C'_def c⇩2⇩C_def eval⇩2⇩C')
    with eval_tail⇩C C.eval_det have
        tails_eq: "tail⇩C = tail⇩C'" by blast
    moreover have "(⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C)
                    ∈ RefRel_HighBranch"
    proof -
      from Assign_Load_RefRel_HighBranchE[OF in_Rel[simplified c⇩2⇩A_def c⇩2⇩C_def assign_load_rel(3)]]
      have "((⟨(x ← aexp.Load y) ;; tail⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
              ⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of ?mem⇩2⇩C'⟩⇩A)
             ∈ A.eval⇩w) ⟶
            (⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of ?mem⇩2⇩C'⟩⇩A,
             ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C)
            ∈ RefRel_HighBranch"
      using eval⇩2⇩C'
        by (metis mds⇩C'_def)
      hence "(⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of ?mem⇩2⇩C'⟩⇩A,
              ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
      using A.eval⇩w.seq assign_eval⇩w_load⇩A mds⇩C'_def A.update_modes.simps mem_assign_refinement_helper_var
        by simp
      thus ?thesis
        by(simp add: c⇩2⇩C_def c⇩2⇩A'_def mem⇩2⇩A'_def)
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def tails_eq rel_inv⇩C_default
      by simp
    moreover note eval_tail⇩C eval_tail⇩C'
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                  (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w ∧
                  (⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch ∧
                  (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      by blast
  qed
  thus ?case using in_Rel' abs_steps_load neval⇩A by blast
next
case (assign_const_rel c⇩A x z tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "Stop ;; tail⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from assign_const_rel(1,2)
  have abs_steps_const: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from assign_const_rel.prems assign_const_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = Stop ;; tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C((var⇩C_of x) := z)"
    using C.seq_elim C.assign_elim assign_eval⇩w_const⇩C
    by (metis (no_types, lifting) Stmt.distinct(13))+
  from assign_const_rel(1,3,4) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w" and
    neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using A.eval⇩w.seq assign_eval⇩w_const⇩A mem_assign_refinement_helper_const abs_steps_const by simp+
  with assign_const_rel c⇩1⇩C'_def stop_rel mds⇩C'_def
  have in_Rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch" by blast
  have
    "∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 1
                   ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
    proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           eval⇩2⇩A: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A) ∈ A.eval⇩w"
    let ?mem⇩2⇩C' = "(mem⇩2⇩C((var⇩C_of x) := z))"
    from in_rel_inv⇩C assign_const_rel(2) rel_inv⇩CE
    have "c⇩2⇩C = (var⇩C_of x ← Const z) ;; tail⇩C" by blast
    moreover hence eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; tail⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B"
      by (simp del:fun_upd_apply add:C.eval⇩w.seq assign_eval⇩w_const⇩C mds⇩C'_def)
    moreover from assign_const_rel(1) in_R inR_E
    have c⇩2⇩A_def: "c⇩2⇩A = (x ← Const z) ;; tail⇩A"
      by (blast elim:inR_E A.rel_invE)
    moreover hence c⇩2⇩A'_def: "c⇩2⇩A' = Stop ;; tail⇩A"
      and mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of ?mem⇩2⇩C'"
      using eval⇩2⇩A abs_steps_const A.assign_elim A.seq_elim mem_assign_refinement_helper_const
      by fastforce+
    moreover from assign_const_rel(3) in_Rel c⇩2⇩A_def refrel_helper_Assign_Const_ex1I
    obtain tail⇩C' where c⇩2⇩C_def: "c⇩2⇩C = (var⇩C_of x ← Const z) ;; tail⇩C'" and
      eval⇩2⇩C': "(⟨(var⇩C_of x ← Const z) ;; tail⇩C', mds⇩C, mem⇩2⇩C⟩⇩C,
                 ⟨Stop ;; tail⇩C', mds⇩C, mem⇩2⇩C((var⇩C_of x) := z)⟩⇩C)
                ∈ C.eval⇩w"
      by blast
    have eval_tail⇩C': "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
                  ⟨Stop ;; tail⇩C', mds⇩C', mem⇩2⇩C((var⇩C_of x) := z)⟩⇩C)
                  ∈ C.eval⇩w"
      by(simp add: mds⇩C'_def c⇩2⇩C_def eval⇩2⇩C')
    with eval_tail⇩C C.eval_det have
        tails_eq: "tail⇩C = tail⇩C'" by blast
    moreover have "(⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C)
                    ∈ RefRel_HighBranch"
    proof -
      from Assign_Const_RefRel_HighBranchE[OF in_Rel[simplified c⇩2⇩A_def c⇩2⇩C_def assign_const_rel(3)]]
      have "((⟨(x ← Const z) ;; tail⇩A, mds⇩A_of mds⇩C, mem⇩A_of mem⇩2⇩C⟩⇩A,
              ⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of ?mem⇩2⇩C'⟩⇩A)
             ∈ A.eval⇩w) ⟶
            (⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of ?mem⇩2⇩C'⟩⇩A,
             ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C)
            ∈ RefRel_HighBranch"
      using eval⇩2⇩C'
        by (metis mds⇩C'_def)
      hence "(⟨Stop ;; tail⇩A, mds⇩A_of mds⇩C', mem⇩A_of ?mem⇩2⇩C'⟩⇩A,
              ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"
      using A.eval⇩w.seq assign_eval⇩w_const⇩A mds⇩C'_def A.update_modes.simps mem_assign_refinement_helper_const
        by simp
      thus ?thesis
        by(simp add: c⇩2⇩C_def c⇩2⇩A'_def mem⇩2⇩A'_def)
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; tail⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def tails_eq rel_inv⇩C_default
      by simp
    moreover note eval_tail⇩C eval_tail⇩C'
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                  (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w ∧
                  (⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch ∧
                  (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      by blast
  qed
  thus ?case using in_Rel' abs_steps_const neval⇩A by blast
next
case (if_reg_load_rel c⇩A x then⇩A else⇩A c⇩C then⇩C else⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_reg_load_rel.hyps(1,2)
  have abs_steps_if_reg_load: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_reg_load_rel.prems if_reg_load_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; If (Neq (Load reg3) (Const 0)) then⇩C else⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(reg3 := mem⇩C (var⇩C_of x))"
    using C.seq_elim C.assign_elim C.skip_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(13))+
  from if_reg_load_rel(1-4) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using reg_not_visible_abs conc_only_var_assign_not_visible_abs A.neval.intros(1) by simp+
  with if_reg_load_rel c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    apply clarsimp
    apply(erule_tac x=mem⇩1⇩C' in allE)
    apply(erule_tac impE)
     apply(rule_tac x=mem⇩C in exI)
     apply(rule conjI)
      apply(clarsimp)
     apply(rule conjI)
      apply clarsimp
      apply (simp add: mem⇩A_of_def)
     using if_reg_load_rel.prems mem⇩A_of_def apply blast
    apply clarsimp
    done
  (* This might be usable for an Isar proof of rel', but not sure how best to approach that *)
  from reg_not_visible_abs conc_only_var_assign_not_visible_abs mem⇩A_of_def mem⇩1⇩C'_def
  have mem⇩1⇩C'_conds_match: "(mem⇩1⇩C' reg3 = 0) = (mem⇩A_of mem⇩1⇩C' x = 0)"
    by simp
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
    proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C' = "(mem⇩2⇩C(reg3 := mem⇩2⇩C (var⇩C_of x)))"
    from in_rel_inv⇩C if_reg_load_rel(2) rel_inv⇩CE
    have "c⇩2⇩C = (reg3 ← Load (var⇩C_of x)) ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C" by blast
    hence eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B"
      by (simp del:fun_upd_apply add:C.eval⇩w.seq assign_eval⇩w_load⇩C mds⇩C'_def)
    from if_reg_load_rel(1) in_R
    have c⇩2⇩A_def: "c⇩2⇩A = If (Neq (Load x) (Const 0)) then⇩A else⇩A"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
    using neval⇩2⇩A abs_steps_if_reg_load A.neval_ZeroE
      by (clarsimp, blast)+
    from if_reg_load_rel.hyps(2,3) c⇩2⇩A_def c⇩2⇩A'_def in_Rel neval⇩2⇩A abs_steps_if_reg_load in_rel_inv⇩C
         refrel_helper_If_Reg_Load_exI
    obtain then⇩C' else⇩C' where
      c⇩2⇩C_def: "(c⇩2⇩C = (reg3 ← Load (var⇩C_of x)) ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C')" and
      eval_tail⇩C': "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
                 ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C',
                      mds⇩C, mem⇩2⇩C(reg3 := mem⇩2⇩C (var⇩C_of x))⟩⇩C)
                ∈ C.eval⇩w"
      by metis
    with eval_tail⇩C C.eval_det have
      tails_eq: "else⇩C = else⇩C' ∧ then⇩C = then⇩C'" by blast
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_reg_load_rel(1-9)
    have "(⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A,
                    ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C',
                       mds⇩C, mem⇩2⇩C(reg3 := mem⇩2⇩C (var⇩C_of x))⟩⇩C)
                   ∈ RefRel_HighBranch"
    proof -
      from If_Reg_Load_RefRel_HighBranchE[OF in_Rel[simplified c⇩2⇩A_def c⇩2⇩C_def if_reg_load_rel(1-9)]]
      have "(∃mem⇩C''.
           sifum_refinement.mem⇩A_of var⇩C_of mem⇩C'' = sifum_refinement.mem⇩A_of var⇩C_of ?mem⇩2⇩C' ∧
           (?mem⇩2⇩C' reg3 = 0) = (sifum_refinement.mem⇩A_of var⇩C_of ?mem⇩2⇩C' x = 0) ∧
           (⟨(reg3 ← Load (var⇩C_of x)) ;;
             Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C)
           ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B) ⟶
             (⟨Stmt.If (Neq (Load x) (Const 0)) then⇩A else⇩A,
              sifum_refinement.mds⇩A_of var⇩C_of mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of ?mem⇩2⇩C'⟩⇩A,
              ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C)
             ∈ RefRel_HighBranch"  
        by (metis neq0_conv)
      moreover have "(?mem⇩2⇩C' reg3 = 0) = (sifum_refinement.mem⇩A_of var⇩C_of ?mem⇩2⇩C' x = 0)"
         using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def if_reg_load_rel(1-9)
         by simp
      moreover obtain mem⇩C'' where
        "sifum_refinement.mem⇩A_of var⇩C_of mem⇩C'' = sifum_refinement.mem⇩A_of var⇩C_of ?mem⇩2⇩C'"
        by simp
      ultimately have "(⟨Stmt.If (Neq (Load x) (Const 0)) then⇩A else⇩A,
              sifum_refinement.mds⇩A_of var⇩C_of mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of ?mem⇩2⇩C'⟩⇩A,
             ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C)
            ∈ RefRel_HighBranch"
        using c⇩2⇩C_def eval_tail⇩C' if_reg_load_rel(1-9) conc_only_var_assign_not_visible_abs reg_not_visible_abs
        by auto
      thus ?thesis
      using if_reg_load_rel(1-9) c⇩2⇩A'_def c⇩2⇩A_def conc_only_var_assign_not_visible_abs mds⇩C'_def mem⇩2⇩A'_def reg_not_visible_abs
        by simp
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default tails_eq
      by simp
    moreover note eval_tail⇩C' eval_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_reg_load_rel.hyps(3) by blast
  qed
  thus ?case using rel' abs_steps_if_reg_load neval⇩A by blast
next
case (if_reg_stop_rel c⇩A x then⇩A else⇩A c⇩C then⇩C else⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_reg_stop_rel.hyps(1,2)
  have abs_steps_if_reg_stop: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_reg_stop_rel.prems if_reg_stop_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (If (Neq (Load reg3) (Const 0)) then⇩C else⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by simp+
  from if_reg_stop_rel(1-4) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using reg_not_visible_abs conc_only_var_assign_not_visible_abs A.neval.intros(1) by simp+
  with if_reg_stop_rel c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have in_Rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch" by blast
  have
    "∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
    proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C' = "mem⇩2⇩C"
    from in_rel_inv⇩C if_reg_stop_rel(2) rel_inv⇩CE
    have "c⇩2⇩C = Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C" by blast
    hence eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B"
      by (simp del:fun_upd_apply add:C.seq_stop_eval⇩w mds⇩C'_def)
    from if_reg_stop_rel in_R inR_E
    have c⇩2⇩A_def: "c⇩2⇩A = If (Neq (Load x) (Const 0)) then⇩A else⇩A"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
    using neval⇩2⇩A abs_steps_if_reg_stop A.neval_ZeroE
      by (clarsimp, blast)+
    from if_reg_stop_rel.hyps(2,3,7) c⇩2⇩A_def c⇩2⇩A'_def in_Rel neval⇩2⇩A abs_steps_if_reg_stop in_rel_inv⇩C
         refrel_helper_If_Reg_Stop_exI
    obtain then⇩C' else⇩C' where
      c⇩2⇩C_def: "(c⇩2⇩C = Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C')" and
      eval_tail⇩C': "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
                 ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, mem⇩2⇩C⟩⇩C)
                ∈ C.eval⇩w"
      by metis+
    with eval_tail⇩C C.eval_det have
      tails_eq: "else⇩C = else⇩C' ∧ then⇩C = then⇩C'" by blast
    moreover have "(⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A,
                    ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, mem⇩2⇩C⟩⇩C)
                   ∈ RefRel_HighBranch"
    proof -
      from If_Reg_Stop_RefRel_HighBranchE[OF in_Rel[simplified c⇩2⇩A_def c⇩2⇩C_def if_reg_stop_rel(3)]]
      have "(⟨Stop ;; Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, mem⇩2⇩C⟩⇩C,
             ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C)
                ∈ C.eval⇩w ⟶
            (⟨Stmt.If (Neq (Load x) (Const 0)) then⇩A else⇩A, sifum_refinement.mds⇩A_of var⇩C_of
                       mds⇩C, sifum_refinement.mem⇩A_of var⇩C_of ?mem⇩2⇩C'⟩⇩A,
             ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C)
            ∈ RefRel_HighBranch"
      using eval_tail⇩C' mds⇩C'_def
        by metis
      hence "(⟨Stmt.If (Neq (Load x) (Const 0)) then⇩A else⇩A, mds⇩A_of mds⇩C, mem⇩A_of ?mem⇩2⇩C'⟩⇩A,
             ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C)
            ∈ RefRel_HighBranch"
      using c⇩2⇩C_def eval_tail⇩C'
        by auto
      thus ?thesis
      using c⇩2⇩A'_def c⇩2⇩A_def conc_only_var_assign_not_visible_abs mds⇩C'_def mem⇩2⇩A'_def reg_not_visible_abs
        by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default tails_eq
      by simp
    moreover note eval_tail⇩C' eval_tail⇩C c⇩2⇩A'_def
    ultimately show "∃c⇩2⇩C' mem⇩2⇩C'.
              (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
              ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
              (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
              ∈ RefRel_HighBranch ∧
              (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using mds⇩C'_def if_reg_stop_rel.hyps(3) by blast
  qed
  thus ?case using in_Rel' abs_steps_if_reg_stop neval⇩A by blast
next
case (if_reg_rel c⇩A x then⇩A else⇩A c⇩C then⇩C else⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "if (ev⇩B mem⇩A (Neq (Load x) (Const 0))) then (then⇩A) else (else⇩A)"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_reg_rel(1) if_reg_rel(2)
  have abs_steps_if_reg: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from if_reg_rel.prems if_reg_rel(2)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (if (ev⇩B mem⇩C (Neq (Load reg3) (Const 0))) then (then⇩C) else (else⇩C))" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    apply simp_all
    by (erule C.if_elim, clarsimp+)+
  from if_reg_rel(1,3,4) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w"
    using if_seq_eval⇩w_helper⇩A A.if_eval⇩w by presburger
  hence neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using abs_steps_if_reg by simp
  from if_reg_rel(3,4,7,12) if_reg_rel.prems c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def eval⇩A
  have in_Rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by clarsimp
  have
    "∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 1
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
    proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           eval⇩2⇩A: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A) ∈ A.eval⇩w"
    let ?mem⇩2⇩C' = "mem⇩2⇩C"
    from in_rel_inv⇩C if_reg_rel(2) rel_inv⇩CE
    have "c⇩2⇩C = Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C" by blast
    hence eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
        ⟨if (ev⇩B mem⇩2⇩C (Neq (Load reg3) (Const 0)))
         then (then⇩C) else (else⇩C), mds⇩C, mem⇩2⇩C⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B"
      by (blast intro:C.if_eval⇩w if_seq_eval⇩w_helper⇩C)
    from if_reg_rel(1-10) in_R inR_E
    have c⇩2⇩A_def: "c⇩2⇩A = If (Neq (Load x) (Const 0)) then⇩A else⇩A"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = (if (ev⇩B (mem⇩A_of mem⇩2⇩C) (Neq (Load x) (Const 0)))
         then (then⇩A) else (else⇩A))" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using eval⇩2⇩A if_seq_eval⇩w_helper⇩A A.if_eval⇩w if_reg_rel(1-4) A.eval_det
      by blast+
    from in_Rel c⇩2⇩A_def in_rel_inv⇩C if_reg_rel(2)
    have mem⇩2⇩C_reg_mem⇩A_x: "ev⇩B (mem⇩A_of mem⇩2⇩C) (Neq (Load x) (Const 0)) = ev⇩B mem⇩2⇩C (Neq (Load reg3) (Const 0))"
      apply -
      apply(erule RefRelE, simp_all)
      by (erule rel_inv⇩CE, simp+)
    with if_reg_rel.hyps(2,3,7) c⇩2⇩A_def c⇩2⇩A'_def in_Rel eval⇩2⇩A abs_steps_if_reg in_rel_inv⇩C
         refrel_helper_If_Reg_exI
    obtain then⇩C' else⇩C' where
      c⇩2⇩C_def: "(c⇩2⇩C = Stmt.If (Neq (Load reg3) (Const 0)) then⇩C' else⇩C')" and
      eval_tail⇩C': "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C,
                 ⟨if (ev⇩B mem⇩2⇩C (Neq (Load reg3) (Const 0)))
                  then (then⇩C') else (else⇩C'), mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ C.eval⇩w"
      by blast
    with eval_tail⇩C C.eval_det have
      tails_eq: "else⇩C = else⇩C' ∧ then⇩C = then⇩C'"
      by (simp add: ‹c⇩2⇩C = Stmt.If (Neq (Load reg3) (Const 0)) then⇩C else⇩C›)
    let ?c⇩2⇩C' = "if (ev⇩B mem⇩2⇩C (Neq (Load reg3) (Const 0))) then (then⇩C') else (else⇩C')"
    have "(⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨?c⇩2⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      from in_Rel c⇩2⇩A_def c⇩2⇩C_def if_reg_rel(3,7,9) eval_tail⇩C mds⇩C'_def c⇩2⇩A'_def mem⇩2⇩A'_def
           eval⇩2⇩A abs_steps_if_reg
      have "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨?c⇩2⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w ⟶
            (⟨c⇩2⇩A', ?mds⇩A', mem⇩A_of ?mem⇩2⇩C'⟩⇩A, ⟨?c⇩2⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Reg_RefRel_HighBranchE)
        apply(erule_tac x=mem⇩2⇩C in allE)
        apply(erule_tac x=mem⇩2⇩C in allE)
        apply(clarsimp split del: if_split)
        by presburger
      hence "(⟨c⇩2⇩A', ?mds⇩A', mem⇩A_of ?mem⇩2⇩C'⟩⇩A, ⟨?c⇩2⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
      using c⇩2⇩C_def eval_tail⇩C' mds⇩C'_def
        by auto
      thus ?thesis
      using c⇩2⇩A'_def c⇩2⇩A_def conc_only_var_assign_not_visible_abs mds⇩C'_def mem⇩2⇩A'_def reg_not_visible_abs
        by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨?c⇩2⇩C', mds⇩C', ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
    proof -
      have "(⟨if ev⇩B mem⇩2⇩C (Neq (Load reg3) (Const 0)) then then⇩C' else else⇩C', mds⇩C', mem⇩2⇩C⟩⇩C,
             ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C)
             ∈ rel_inv⇩C ∨
            (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C,
             ⟨if ev⇩B mem⇩2⇩C (Neq (Load reg3) (Const 0)) then then⇩C' else else⇩C', mds⇩C', mem⇩2⇩C⟩⇩C)
             ∈ rel_inv⇩C"
        using c⇩1⇩C'_def if_reg_rel.hyps(11) mds⇩C'_def rel_inv⇩C.rel_inv⇩C_default tails_eq by auto
      thus ?thesis
        by (meson rel_inv⇩C_sym symE)
    qed
    moreover note eval_tail⇩C' eval_tail⇩C c⇩2⇩A'_def
    ultimately show "∃c⇩2⇩C' mem⇩2⇩C'.
              (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
              (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
              ∈ RefRel_HighBranch ∧
              (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using mds⇩C'_def by blast
  qed
  thus ?case using in_Rel' abs_steps_if_reg neval⇩A by blast
next
case (if_then_rel_1 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_then_rel_1.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_then_rel_1.prems if_then_rel_1(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_elim C.skip_elim by blast+
  from if_then_rel_1(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.intros(1) by auto
  with if_then_rel_1 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C' = "mem⇩2⇩C(reg1 := mem⇩2⇩C y_mem)"
    let ?tail⇩2⇩C = "(reg2 ← Load z_mem) ;;
                (reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_then_rel_1(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = (reg1 ← Load y_mem) ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_then_rel_1(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_then_rel_1(2,3) c⇩1⇩C'_def C.eval⇩w.seq C.skip_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_1(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_1(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
      by (clarsimp, meson C.eval⇩w.seq C.skip_eval⇩w)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨(reg1 ← Load y_mem) ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.eval⇩w.seq assign_eval⇩w_load⇩C mds⇩C'_def)
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_1(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = (reg1 ← Load y_mem) ;; ?tail⇩2⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      from in_else c⇩2⇩A_def have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_then_rel_1.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C' ∧
           (⟨(reg1 ← Load y_mem) ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="mem⇩2⇩C(reg1 := mem⇩2⇩C y_mem)" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'"
        by simp
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_else_tail⇩C reg_not_visible_abs by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_then_rel_1(3) rel_inv⇩C_2 by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_then_rel_1.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_else_rel_1 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_else_rel_1.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_else_rel_1.prems if_else_rel_1(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(reg1 := mem⇩C y_mem)"
    using C.seq_elim C.assign_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(13))+
  from if_else_rel_1(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.neval_0 conc_only_var_assign_not_visible_abs reg_not_visible_abs by simp+
  with if_else_rel_1 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    apply clarsimp
    apply(erule_tac x=mem⇩A in allE)
    apply(erule_tac x=mds⇩C in allE)
    apply(erule_tac x=mem⇩1⇩C' in allE)
    apply(erule_tac impE)
     apply(rule_tac x=mem⇩C in exI)
     apply(rule conjI)
      apply(clarsimp)
     apply(rule conjI)
      apply clarsimp
      apply (simp add: mem⇩A_of_def)
     using if_else_rel_1.prems mem⇩A_of_def apply blast
    apply clarsimp
    done
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C' = "mem⇩2⇩C(reg1 := mem⇩2⇩C y_mem)"
    let ?tail⇩2⇩C = "Skip ;;
                (reg0 ← Load y_mem) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_else_rel_1(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Skip ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_else_rel_1(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Load y_var"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is in the other, 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨Skip ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_else_rel_1(2,3) c⇩1⇩C'_def C.eval⇩w.seq C.skip_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_1(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Skip ;; ?tail⇩2⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover with c⇩2⇩A_def
    have c⇩2⇩A_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩A = x_var ← Load y_var"
      by clarsimp
    moreover have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_then: "c⇩2⇩A ≠ c⇩A"
      with in_then in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_else_rel_1.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Skip ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Then_RefRel_HighBranchE)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="mem⇩2⇩C" in allE)
        by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C"
        by simp
      ultimately show ?thesis
        using eval_then_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_else_rel_1(2,3) rel_inv⇩C_2' mem⇩1⇩C'_def mds⇩C'_def by simp

    (* c⇩2⇩C is also in the 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.eval⇩w.seq assign_eval⇩w_load⇩C mds⇩C'_def c⇩1⇩C'_def if_else_rel_1(2,3))
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_1(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A = c⇩A"
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_else_rel_1.hyps(1-4) c⇩2⇩A'_def mem⇩2⇩A'_def c⇩1⇩C'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C' ∧
           (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="?mem⇩2⇩C'" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'"
        by simp
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_else_tail⇩C reg_not_visible_abs by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_else_rel_1.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_then_rel_1' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_then_rel_1'.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_then_rel_1'.prems if_then_rel_1'(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by blast+
  from if_then_rel_1'(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.intros(1) by auto
  with if_then_rel_1' c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?tail⇩2⇩C = "(reg2 ← Load z_mem) ;;
                (reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_then_rel_1'(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_then_rel_1'(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_then_rel_1'(2,3) c⇩1⇩C'_def C.seq_stop_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_1'(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_1'(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
      by (clarsimp, meson C.seq_stop_eval⇩w)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.seq_stop_eval⇩w mds⇩C'_def)
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_1'(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_1'(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      from in_else c⇩2⇩A_def have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_then_rel_1'.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="mem⇩2⇩C" in allE)
        using eval_else_tail⇩C by blast+
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C" by simp
      ultimately show ?thesis using eval_else_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_then_rel_1'(3) rel_inv⇩C_3 by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_then_rel_1'.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_else_rel_1' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_else_rel_1'.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_else_rel_1'.prems if_else_rel_1'(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by blast+
  from if_else_rel_1'(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.neval_0 by simp+
  with if_else_rel_1' c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?tail⇩2⇩C = "Skip ;; (reg0 ← Load y_mem) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_else_rel_1'(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_else_rel_1'(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Load y_var"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is in the other, 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_else_rel_1'(2,3) c⇩1⇩C'_def C.seq_stop_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_1'(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover with c⇩2⇩A_def
    have c⇩2⇩A_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩A = x_var ← Load y_var"
      by clarsimp
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_else_rel_1'(1-8) c⇩1⇩C'_def c⇩2⇩A_then_def
    have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_else_rel_1'.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        by (blast elim: If_Then_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C"
        by simp
      ultimately show ?thesis
        using eval_then_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_else_rel_1'(2,3) rel_inv⇩C_3' mem⇩1⇩C'_def mds⇩C'_def by simp

    (* c⇩2⇩C is also in the 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.seq_stop_eval⇩w mds⇩C'_def c⇩1⇩C'_def if_else_rel_1'(2,3))
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_1'(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_else_rel_1'(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A = c⇩A"
      from in_else c⇩2⇩A_def if_else_rel_1'(1) have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_else_rel_1'.hyps(1-4) c⇩2⇩A'_def mem⇩2⇩A'_def c⇩1⇩C'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="mem⇩2⇩C" in allE)
        using eval_else_tail⇩C by blast+
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C" by simp
      ultimately show ?thesis using eval_else_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_else_rel_1'.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_then_rel_2 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_then_rel_2.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_then_rel_2.prems if_then_rel_2(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_elim C.skip_elim by blast+
  from if_then_rel_2(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.intros(1) by auto
  with if_then_rel_2 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C' = "mem⇩2⇩C(reg2 := mem⇩2⇩C z_mem)"
    let ?tail⇩2⇩C = "(reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_then_rel_2(2-3)
    have "c⇩2⇩C = c⇩C ∨ c⇩2⇩C = (reg2 ← Load z_mem) ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_then_rel_2(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_then_rel_2(2,3) c⇩1⇩C'_def C.eval⇩w.seq C.skip_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_2(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_2(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
      by (clarsimp, meson C.eval⇩w.seq C.skip_eval⇩w)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨(reg2 ← Load z_mem) ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.eval⇩w.seq assign_eval⇩w_load⇩C mds⇩C'_def)
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_2(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = (reg2 ← Load z_mem) ;; ?tail⇩2⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      from in_else c⇩2⇩A_def have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_then_rel_2.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C' ∧
           (⟨(reg2 ← Load z_mem) ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE, simp+)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="?mem⇩2⇩C'" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def eval_else_tail⇩C by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'" by simp
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_else_tail⇩C reg_not_visible_abs by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_then_rel_2(3) rel_inv⇩C_4 by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_then_rel_2.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_else_rel_2 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_else_rel_2.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_else_rel_2.prems if_else_rel_2(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(reg2 := mem⇩C z_mem)"
    using C.seq_elim C.assign_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(13))+
  from if_else_rel_2(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.neval_0 conc_only_var_assign_not_visible_abs reg_not_visible_abs by simp+
  with if_else_rel_2 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    apply clarsimp
    apply(erule_tac x=mem⇩A in allE)
    apply(erule_tac x=mds⇩C in allE)
    apply(erule_tac x=mem⇩1⇩C' in allE)
    apply(erule_tac impE)
     apply(rule_tac x=mem⇩C in exI)
     apply(rule conjI)
      apply(clarsimp)
     apply(rule conjI)
      apply clarsimp
      apply (simp add: mem⇩A_of_def)
     using if_else_rel_2.prems mem⇩A_of_def apply blast
    apply clarsimp
    done
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C' = "mem⇩2⇩C(reg2 := mem⇩2⇩C z_mem)"
    let ?tail⇩2⇩C = "(reg0 ← Load y_mem) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_else_rel_2(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Skip ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_else_rel_2(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Load y_var"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is in the other, 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨Skip ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_else_rel_2(2,3) c⇩1⇩C'_def C.eval⇩w.seq C.skip_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_2(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Skip ;; ?tail⇩2⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover with c⇩2⇩A_def
    have c⇩2⇩A_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩A = x_var ← Load y_var"
      by clarsimp
    moreover have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_else_rel_2.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Skip ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Then_RefRel_HighBranchE, simp+)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="mem⇩2⇩C" in allE)
        by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C"
        by simp
      ultimately show ?thesis
        using eval_then_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_else_rel_2(2,3) rel_inv⇩C_4' mem⇩1⇩C'_def mds⇩C'_def by simp

    (* c⇩2⇩C is also in the 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.eval⇩w.seq assign_eval⇩w_load⇩C mds⇩C'_def c⇩1⇩C'_def if_else_rel_2(2,3))
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_2(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A = c⇩A"
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_else_rel_2.hyps(1-4) c⇩2⇩A'_def mem⇩2⇩A'_def c⇩1⇩C'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C' ∧
           (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE, simp+)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="?mem⇩2⇩C'" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def eval_else_tail⇩C by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'"
        by simp
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_else_tail⇩C reg_not_visible_abs by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_else_rel_2.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_then_rel_2' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_then_rel_2'.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_then_rel_2'.prems if_then_rel_2'(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by blast+
  from if_then_rel_2'(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.intros(1) by auto
  with if_then_rel_2' c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?tail⇩2⇩C = "(reg0 ← Add (Load reg1) (Load reg2)) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_then_rel_2'(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_then_rel_2'(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_then_rel_2'(2,3) c⇩1⇩C'_def C.seq_stop_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_2'(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_2'(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
      by (clarsimp, meson C.seq_stop_eval⇩w)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.seq_stop_eval⇩w mds⇩C'_def)
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_2'(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      from in_else c⇩2⇩A_def have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_then_rel_2'.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        using eval_else_tail⇩C by (blast elim: If_Else_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C" by simp
      ultimately show ?thesis using eval_else_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_then_rel_2'(3) rel_inv⇩C_5 by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_then_rel_2'.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_else_rel_2' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_else_rel_2'.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_else_rel_2'.prems if_else_rel_2'(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by blast+
  from if_else_rel_2'(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.neval_0 by simp+
  with if_else_rel_2' c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?tail⇩2⇩C = "(reg0 ← Load y_mem) ;; (x_mem ← Load reg0)"
    from in_rel_inv⇩C if_else_rel_2'(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_else_rel_2'(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Load y_var"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is in the other, 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_else_rel_2'(2,3) c⇩1⇩C'_def C.seq_stop_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_2'(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover with c⇩2⇩A_def
    have c⇩2⇩A_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩A = x_var ← Load y_var"
      by clarsimp
    moreover have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_else_rel_2'.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        by (blast elim: If_Then_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C"
        by simp
      ultimately show ?thesis
        using eval_then_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_else_rel_2'(2,3) rel_inv⇩C_5' mem⇩1⇩C'_def mds⇩C'_def by simp

    (* c⇩2⇩C is also in the 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.seq_stop_eval⇩w mds⇩C'_def c⇩1⇩C'_def if_else_rel_2'(2,3))
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_2'(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A = c⇩A"
      from in_else c⇩2⇩A_def if_else_rel_2'(1) have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_else_rel_2'.hyps(1-4) c⇩2⇩A'_def mem⇩2⇩A'_def c⇩1⇩C'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        using eval_else_tail⇩C by (blast elim: If_Else_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C" by simp
      ultimately show ?thesis using eval_else_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_else_rel_2'.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_then_rel_3 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_then_rel_3.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_then_rel_3.prems if_then_rel_3(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(reg0 := mem⇩C y_mem)"
    using C.seq_elim C.assign_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(13))+
  from if_then_rel_3(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.neval_0 conc_only_var_assign_not_visible_abs reg_not_visible_abs by simp+
  with if_then_rel_3 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    apply clarsimp
    apply(erule_tac x=mem⇩A in allE)
    apply(erule_tac x=mds⇩C in allE)
    apply(erule_tac x=mem⇩1⇩C' in allE)
    apply(erule_tac impE)
     apply(rule_tac x=mem⇩C in exI)
     apply(rule conjI)
      apply(clarsimp)
     apply(rule conjI)
      apply clarsimp
      apply (simp add: mem⇩A_of_def)
     using if_then_rel_3.prems mem⇩A_of_def apply blast
    apply clarsimp
    done
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C'_t = "mem⇩2⇩C(reg0 := mem⇩2⇩C y_mem)"
    let ?mem⇩2⇩C'_e = "mem⇩2⇩C(reg0 := ev⇩A mem⇩2⇩C (Add (Load reg1) (Load reg2)))"
    let ?tail⇩2⇩C = "x_mem ← Load reg0"
    from in_rel_inv⇩C if_then_rel_3(2-3)
    have "c⇩2⇩C = c⇩C ∨ c⇩2⇩C = (reg0 ← Add (Load reg1) (Load reg2)) ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_then_rel_3(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ C.eval⇩w"
      using if_then_rel_3(2,3) c⇩1⇩C'_def C.eval⇩w.seq assign_eval⇩w_load⇩C by simp
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_3(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_then: "c⇩2⇩A = c⇩A"
      from in_then c⇩2⇩A_def if_then_rel_3(1) have
        c⇩2⇩A_then_def: "c⇩2⇩A = x_var ← Load y_var"
        by clarsimp
      with in_then in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_then_rel_3.hyps(2-4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_t ∧
           (⟨(reg0 ← Load y_mem) ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Then_RefRel_HighBranchE, simp+)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="mem⇩2⇩C(reg0 := mem⇩2⇩C y_mem)" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_t" by simp
      moreover note c⇩2⇩A'_def mem⇩2⇩A'_def if_then_rel_3(1-3) c⇩1⇩C'_def
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_then_tail⇩C reg_not_visible_abs by fast
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨(reg0 ← Add (Load reg1) (Load reg2)) ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ C.eval⇩w"
      using C.eval⇩w.seq C.assign_eval⇩w' ev⇩A.simps mds⇩C'_def by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_3(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = (reg0 ← Add (Load reg1) (Load reg2)) ;; ?tail⇩2⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_3(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      from in_else c⇩2⇩A_def have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_then_rel_3.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_e ∧
           (⟨(reg0 ← Add (Load reg1) (Load reg2)) ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE, simp+)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="?mem⇩2⇩C'_e" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs eval_else_tail⇩C mem⇩A_of_def by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_e" by simp
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_else_tail⇩C reg_not_visible_abs by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_then_rel_3(3) rel_inv⇩C_default by clarsimp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_then_rel_3.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_else_rel_3 c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_else_rel_3.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_else_rel_3.prems if_else_rel_3(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = (Stop ;; tail⇩C)" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(reg0 := ev⇩A mem⇩C (Add (Load reg1) (Load reg2)))"
    using C.seq_elim C.assign_elim assign_eval⇩w_load⇩C
    by (metis (no_types, lifting) Stmt.distinct(13))+
  from if_else_rel_3(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.neval_0 conc_only_var_assign_not_visible_abs reg_not_visible_abs by simp+
  with if_else_rel_3 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    apply clarsimp
    apply(erule_tac x=mem⇩A in allE)
    apply(erule_tac x=mds⇩C in allE)
    apply(erule_tac x=mem⇩1⇩C' in allE)
    apply(erule_tac impE)
     apply(rule_tac x=mem⇩C in exI)
     apply(rule conjI)
      apply(clarsimp)
     apply(rule conjI)
      apply clarsimp
      apply (simp add: mem⇩A_of_def)
     using if_else_rel_3.prems mem⇩A_of_def apply blast
    apply clarsimp
    done
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?mem⇩2⇩C'_t = "mem⇩2⇩C(reg0 := mem⇩2⇩C y_mem)"
    let ?mem⇩2⇩C'_e = "mem⇩2⇩C(reg0 := ev⇩A mem⇩2⇩C (Add (Load reg1) (Load reg2)))"
    let ?tail⇩2⇩C = "x_mem ← Load reg0"
    from in_rel_inv⇩C if_else_rel_3(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = (reg0 ← Load y_mem) ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_else_rel_3(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Load y_var"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is in the other, 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨(reg0 ← Load y_mem) ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ C.eval⇩w"
      using if_else_rel_3(2,3) C.eval⇩w.seq assign_eval⇩w_load⇩C by simp
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_3(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = (reg0 ← Load y_mem) ;; ?tail⇩2⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover with c⇩2⇩A_def
    have c⇩2⇩A_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩A = x_var ← Load y_var"
      by clarsimp
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_else_rel_3(1-8) c⇩1⇩C'_def c⇩2⇩A_then_def
    have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_then: "c⇩2⇩A ≠ c⇩A"
      with c⇩2⇩A_then_def in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_else_rel_3.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_t ∧
           (⟨(reg0 ← Load y_mem) ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Then_RefRel_HighBranchE, simp+)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="?mem⇩2⇩C'_t" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_t" by simp
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_then_tail⇩C reg_not_visible_abs by fast
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop ;; ?tail⇩2⇩C, mds⇩C, ?mem⇩2⇩C'_t⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_else_rel_3(2,3) rel_inv⇩C_default mem⇩1⇩C'_def mds⇩C'_def by simp

    (* c⇩2⇩C is also in the 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ C.eval⇩w"
      using C.eval⇩w.seq C.assign_eval⇩w' ev⇩A.simps mds⇩C'_def c⇩1⇩C'_def if_else_rel_3(2,3) by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_3(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_else_rel_3(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A = c⇩A"
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_else_rel_3.hyps(1-4) c⇩2⇩A'_def mem⇩2⇩A'_def c⇩1⇩C'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_e ∧
           (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ RefRel_HighBranch"
        apply clarsimp
        apply(erule If_Else_RefRel_HighBranchE, simp+)
        apply(erule_tac x="mem⇩A_of mem⇩C''" in allE)
        apply(erule_tac x="mds⇩C" in allE)
        apply(erule_tac x="?mem⇩2⇩C'_e" in allE)
        using conc_only_var_assign_not_visible_abs reg_not_visible_abs mem⇩A_of_def eval_else_tail⇩C by auto
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of ?mem⇩2⇩C'_e"
        by simp
      ultimately show ?thesis
        using conc_only_var_assign_not_visible_abs eval_else_tail⇩C reg_not_visible_abs by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'_e⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_else_rel_3.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_then_rel_3' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_then_rel_3'.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_then_rel_3'.prems if_then_rel_3'(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by blast+
  from if_then_rel_3'(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.intros(1) by auto
  with if_then_rel_3' c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?tail⇩2⇩C = "x_mem ← Load reg0"
    from in_rel_inv⇩C if_then_rel_3'(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_then_rel_3'(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_then_rel_3'(2,3) c⇩1⇩C'_def C.seq_stop_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_3'(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_3'(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_then: "c⇩2⇩A = c⇩A"
      from in_then c⇩2⇩A_def if_then_rel_3'(1) have
        c⇩2⇩A_then_def: "c⇩2⇩A = x_var ← Load y_var"
        by clarsimp
      with in_then in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_then_rel_3'.hyps(2-4) c⇩2⇩A'_def mem⇩2⇩A'_def c⇩1⇩C'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        using eval_then_tail⇩C by (blast elim: If_Then_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C" by simp
      moreover note c⇩2⇩A'_def mem⇩2⇩A'_def if_then_rel_3'(1-3) c⇩1⇩C'_def
      ultimately show ?thesis using eval_then_tail⇩C by fast
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.seq_stop_eval⇩w mds⇩C'_def)
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_then_rel_3'(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_3'(1-8) c⇩1⇩C'_def
    have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      from in_else c⇩2⇩A_def have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_then_rel_3'.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        using eval_else_tail⇩C by (blast elim: If_Else_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C" by simp
      ultimately show ?thesis using eval_else_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_then_rel_3'(3) rel_inv⇩C_default by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_then_rel_3'.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_else_rel_3' c⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "c⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_else_rel_3'.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 0"
    by (simp add:abs_steps'_def)
  from if_else_rel_3'.prems if_else_rel_3'(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by blast+
  from if_else_rel_3'(1-5) mds⇩C'_def mem⇩1⇩C'_def
  have neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 0 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    mem⇩A_unchanged: "?mem⇩1⇩A' = mem⇩A"
    using A.neval.neval_0 by simp+
  with if_else_rel_3' c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 0
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           neval⇩2⇩A: "A.neval ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A 0 ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A"
    let ?tail⇩2⇩C = "x_mem ← Load reg0"
    from in_rel_inv⇩C if_else_rel_3'(2-3)
    have "c⇩2⇩C = c⇩C ∨
          c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: rel_inv⇩CE)
    moreover from in_R if_else_rel_3'(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Load y_var"
      by (blast elim: inR_E A.rel_invE)
    moreover hence
      c⇩2⇩A'_def: "c⇩2⇩A' = c⇩2⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
      using neval⇩2⇩A abs_steps_this A.neval_ZeroE
      by (clarsimp, blast)+

    (* c⇩2⇩C is in the other, 'then' branch *)
    moreover have eval_then_tail⇩C: "(⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      using if_else_rel_3'(2,3) c⇩1⇩C'_def C.seq_stop_eval⇩w by blast
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_3'(1-6)
    have c⇩2⇩C_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩C = Stop ;; ?tail⇩2⇩C"
      by (blast elim: If_Then_RefRel_HighBranchE rel_inv⇩CE)
    moreover with c⇩2⇩A_def
    have c⇩2⇩A_then_def: "c⇩2⇩A ≠ c⇩A ⟹ c⇩2⇩A = x_var ← Load y_var"
      by clarsimp
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_else_rel_3'(1-8) c⇩1⇩C'_def c⇩2⇩A_then_def
    have "c⇩2⇩A ≠ c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A ≠ c⇩A"
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_then_def if_else_rel_3'.hyps(4) c⇩2⇩A'_def mem⇩2⇩A'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨Stop ;; ?tail⇩2⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        using eval_then_tail⇩C by (blast elim: If_Then_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C"
        by simp
      ultimately show ?thesis
        using eval_then_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨?tail⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_else_rel_3'(2,3) rel_inv⇩C_default mem⇩1⇩C'_def mds⇩C'_def by simp

    (* c⇩2⇩C is also in the 'else' branch *)
    moreover have eval_else_tail⇩C: "(⟨c⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (simp del:fun_upd_apply add:C.seq_stop_eval⇩w mds⇩C'_def c⇩1⇩C'_def if_else_rel_3'(2,3))
    moreover from c⇩2⇩A_def in_Rel in_rel_inv⇩C if_else_rel_3'(1-6)
    have c⇩2⇩C_else_def: "c⇩2⇩A = c⇩A ⟹ c⇩2⇩C = c⇩C"
      by (blast elim: If_Else_RefRel_HighBranchE rel_inv⇩CE)
    moreover have "c⇩2⇩A = c⇩A ⟹ (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
    proof -
      assume in_else: "c⇩2⇩A = c⇩A"
      from in_else c⇩2⇩A_def if_else_rel_3'(1) have
        c⇩2⇩A_else_def: "c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
        by clarsimp
      with in_else in_Rel c⇩2⇩A_def c⇩2⇩C_else_def if_else_rel_3'.hyps(1-4) c⇩2⇩A'_def mem⇩2⇩A'_def c⇩1⇩C'_def
      have "(∃mem⇩C''.
           mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C ∧
           (⟨c⇩C, mds⇩C, mem⇩C''⟩⇩C,
            ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w) ⟶
             (⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
        using eval_else_tail⇩C by (blast elim: If_Else_RefRel_HighBranchE)
      moreover obtain mem⇩C'' where "mem⇩A_of mem⇩C'' = mem⇩A_of mem⇩2⇩C" by simp
      ultimately show ?thesis using eval_else_tail⇩C by auto
    qed
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp

    moreover note eval_then_tail⇩C eval_else_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_else_rel_3'.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_then_rel_4 c⇩A c⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "Stop"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_then_rel_4.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from if_then_rel_4.prems if_then_rel_4(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = Stop" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(x_mem := mem⇩C reg0)"
    using C.assign_elim assign_eval⇩w_load⇩C
    by metis+
  from if_then_rel_4(1-7) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A,⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w" and
    neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using A.assign_eval⇩w' ev⇩A.simps(2) mem_assign_refinement_helper_const var⇩C_of.simps(2) abs_steps_this
    by (metis, simp, metis)
  with if_then_rel_4 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 1
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           eval⇩2⇩A: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A) ∈ A.eval⇩w"
    let ?mem⇩2⇩C' = "mem⇩2⇩C(x_mem := mem⇩2⇩C reg0)"
    from in_rel_inv⇩C if_then_rel_4(2-3)
    have c⇩2⇩C_def: "c⇩2⇩C = c⇩C"
      by (blast elim: rel_inv⇩CE)
    from in_rel_inv⇩C if_then_rel_4(1-4,6) in_R
    have z⇩A: "mem⇩A z_var = 0"
      using A.prog_high_branch_def inR_E inv⇩5E
      by (metis if_then_rel_4.hyps(6))
    from in_rel_inv⇩C if_then_rel_4(1-4) in_R
    have "mem⇩A z_var = mem⇩A_of mem⇩2⇩C z_var"
      using inR_E A.low_mds_eq_def dma_def emptyE inv⇩5E var.distinct(5)
      by (metis (mono_tags, opaque_lifting))
    with z⇩A have z⇩2⇩A: "mem⇩A_of mem⇩2⇩C z_var = 0"
      by simp

    moreover from in_R if_then_rel_4(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Add (Load y_var) (Load z_var)"
      by (blast elim: inR_E A.rel_invE)

    from in_Rel c⇩2⇩C_def if_then_rel_4(1,2,3) in_rel_inv⇩C c⇩2⇩A_def z⇩2⇩A
    have r0y: "mem⇩2⇩C reg0 = mem⇩2⇩C y_mem"
      apply clarsimp
      apply(case_tac "c⇩A = c⇩2⇩A")
       apply clarsimp
       apply(erule If_Then_RefRel_HighBranchE, simp+)
       using mem⇩A_of_def apply force
      apply clarsimp
      apply(erule If_Else_RefRel_HighBranchE, simp+)
      using mem⇩A_of_def by force

    moreover from c⇩2⇩A_def have
      c⇩2⇩A'_def: "c⇩2⇩A' = Stop"
      using eval⇩2⇩A A.assign_elim if_then_rel_4(1)
      by (case_tac "c⇩A = c⇩2⇩A", clarsimp+)

    moreover with c⇩2⇩A_def if_then_rel_4(1-7) have
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of ?mem⇩2⇩C'"
      using eval⇩2⇩A c⇩2⇩A_def mds⇩C'_def
      apply clarsimp
      apply(case_tac "c⇩A = c⇩2⇩A")
       apply clarsimp
       apply(drule A.assign_elim)
       apply clarsimp
       using r0y apply clarsimp
       using mem⇩A_of_def
       apply (metis mem_assign_refinement_helper_const var⇩C_of.simps(2) var⇩C_of.simps(3))
      apply clarsimp
      apply(drule A.assign_elim)
      apply clarsimp
      using r0y z⇩2⇩A apply clarsimp
      using mem⇩A_of_def 
      apply (metis mem_assign_refinement_helper_const var⇩C_of.simps(2) var⇩C_of.simps(3))
      done

    moreover have eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w"
      using if_then_rel_4(2,3) c⇩2⇩C_def c⇩1⇩C'_def C.eval⇩w.seq assign_eval⇩w_load⇩C by simp
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_then_rel_4(1-8) c⇩1⇩C'_def
    have "(⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
      by (meson RefRel_HighBranch.stop_rel)
    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp
    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_then_rel_4(3) rel_inv⇩C_default by clarsimp
    moreover note eval_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_then_rel_4.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (if_else_rel_4 c⇩A c⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "Stop"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from if_else_rel_4.hyps(1-3)
  have abs_steps_this: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from if_else_rel_4.prems if_else_rel_4(2,3)
  have c⇩1⇩C'_def: "c⇩1⇩C' = Stop" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C(x_mem := mem⇩C reg0)"
    using C.assign_elim assign_eval⇩w_load⇩C
    by metis+
  from if_else_rel_4(1-8) mds⇩C'_def mem⇩1⇩C'_def
  have eval⇩A: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A,⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A) ∈ A.eval⇩w" and
    neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A"
    using A.assign_eval⇩w' ev⇩A.simps(2) mem_assign_refinement_helper_const var⇩C_of.simps(2) abs_steps_this
    by (metis, simp, metis)
  with if_else_rel_4 c⇩1⇩C'_def mds⇩C'_def mem⇩1⇩C'_def
  have rel': "(⟨?c⇩1⇩A',?mds⇩A',?mem⇩1⇩A'⟩⇩A,⟨c⇩1⇩C',mds⇩C',mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    by blast
  have
    "(∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 1
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C))"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           eval⇩2⇩A: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A) ∈ A.eval⇩w"
    let ?mem⇩2⇩C' = "mem⇩2⇩C(x_mem := mem⇩2⇩C reg0)"
    from in_rel_inv⇩C if_else_rel_4(2-3)
    have c⇩2⇩C_def: "c⇩2⇩C = c⇩C"
      by (blast elim: rel_inv⇩CE)
    from in_rel_inv⇩C if_else_rel_4(1-4,6) in_R
    have z⇩A: "mem⇩A z_var = 0"
      using A.prog_high_branch_def inR_E inv⇩6E
      by (metis if_else_rel_4.hyps(6))
    from in_rel_inv⇩C if_else_rel_4(1-4) in_R
    have "mem⇩A z_var = mem⇩A_of mem⇩2⇩C z_var"
      using inR_E A.low_mds_eq_def dma_def emptyE inv⇩6E var.distinct(5)
      by (metis (mono_tags, opaque_lifting))
    with z⇩A have z⇩2⇩A: "mem⇩A_of mem⇩2⇩C z_var = 0"
      by simp

    moreover from in_R if_else_rel_4(1) inR_E A.rel_invE have
      c⇩2⇩A_def: "c⇩2⇩A = c⇩A ∨ c⇩2⇩A = x_var ← Load y_var"
      by (blast elim: inR_E A.rel_invE)

    from in_Rel c⇩2⇩C_def if_else_rel_4(1,2,3) in_rel_inv⇩C c⇩2⇩A_def z⇩2⇩A
    have r0y: "mem⇩2⇩C reg0 = mem⇩2⇩C y_mem"
      apply clarsimp
      apply(case_tac "c⇩A = c⇩2⇩A")
       apply clarsimp
       apply(erule If_Else_RefRel_HighBranchE, simp+)
       using mem⇩A_of_def apply force
      apply clarsimp
      apply(erule If_Then_RefRel_HighBranchE, simp+)
      using mem⇩A_of_def by force

    moreover from c⇩2⇩A_def have
      c⇩2⇩A'_def: "c⇩2⇩A' = Stop"
      using eval⇩2⇩A A.assign_elim if_else_rel_4(1)
      by (case_tac "c⇩A = c⇩2⇩A", clarsimp+)

    moreover with c⇩2⇩A_def if_else_rel_4(1-7) have
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of ?mem⇩2⇩C'"
      using eval⇩2⇩A c⇩2⇩A_def mds⇩C'_def
      apply clarsimp
      apply(case_tac "c⇩A ≠ c⇩2⇩A")
       apply clarsimp
       apply(drule A.assign_elim)
       apply clarsimp
       using r0y apply clarsimp
       using mem⇩A_of_def
       apply (metis mem_assign_refinement_helper_const var⇩C_of.simps(2) var⇩C_of.simps(3))
      apply clarsimp
      apply(drule A.assign_elim)
      apply clarsimp
      using r0y z⇩2⇩A apply clarsimp
      using mem⇩A_of_def 
      apply (metis mem_assign_refinement_helper_const var⇩C_of.simps(2) var⇩C_of.simps(3))
      done

    moreover have eval_tail⇩C: "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ C.eval⇩w"
      using if_else_rel_4(2,3) c⇩2⇩C_def c⇩1⇩C'_def C.eval⇩w.seq assign_eval⇩w_load⇩C by simp
    moreover from c⇩2⇩A'_def mem⇩2⇩A'_def c⇩2⇩A_def if_else_rel_4(1-8) c⇩1⇩C'_def
    have "(⟨c⇩2⇩A', mds⇩A, mem⇩2⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ RefRel_HighBranch"
      by (meson RefRel_HighBranch.stop_rel)
    (* c⇩2⇩C is also in the 'then' branch *)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩1⇩C', mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def rel_inv⇩C_default by simp
    (* c⇩2⇩C is in the other, 'else' branch *)
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨Stop, mds⇩C, ?mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def if_else_rel_4(3) rel_inv⇩C_default by clarsimp
    moreover note eval_tail⇩C c⇩2⇩A'_def
    ultimately show "(∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
      using mds⇩C'_def if_else_rel_4.hyps(1-6) by blast
  qed
  thus ?case using rel' abs_steps_this neval⇩A by blast
next
case (stop_seq_rel c⇩A tail⇩A c⇩C tail⇩C mds⇩A mds⇩C mem⇩A mem⇩C)
  let ?c⇩1⇩A' = "tail⇩A"
  let ?mds⇩A' = "mds⇩A_of mds⇩C'"
  let ?mem⇩1⇩A' = "mem⇩A_of mem⇩1⇩C'"
  from stop_seq_rel(1,2)
  have abs_steps_stop: "(abs_steps' c⇩A c⇩C) = 1"
    by (simp add:abs_steps'_def)
  from stop_seq_rel
  have c⇩1⇩C'_def: "c⇩1⇩C' = tail⇩C" and
    mds⇩C'_def: "mds⇩C' = mds⇩C" and
    mem⇩1⇩C'_def: "mem⇩1⇩C' = mem⇩C"
    using C.seq_stop_elim by auto
  hence neval⇩A: "A.neval ⟨c⇩A, mds⇩A, mem⇩A⟩⇩A 1 ⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A" and
    rel': "(⟨?c⇩1⇩A', ?mds⇩A', ?mem⇩1⇩A'⟩⇩A, ⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C) ∈ RefRel_HighBranch"
    using stop_seq_rel A.seq_stop_eval⇩w by auto
  have "∀c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'.
                  (⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A) ∈ A.R ∧
                  (⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C)
                  ∈ RefRel_HighBranch ∧
                  (⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C ∧
                  A.neval
                   ⟨c⇩2⇩A, mds⇩A, sifum_refinement.mem⇩A_of var⇩C_of mem⇩2⇩C⟩⇩A 1
                   ⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A ⟶
                  (∃c⇩2⇩C' mem⇩2⇩C'.
                      (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
                      (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
                      ∈ RefRel_HighBranch ∧
                      (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C)"
  proof(clarsimp)
    fix c⇩2⇩A c⇩2⇩C mem⇩2⇩C c⇩2⇩A' mem⇩2⇩A'
    assume in_R: "(⟨c⇩A, mds⇩A, mem⇩A⟩⇩A, ⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A) ∈ A.R" and
           in_Rel: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch" and
           in_rel_inv⇩C: "(⟨c⇩C, mds⇩C, mem⇩C⟩⇩C, ⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C" and
           eval⇩2⇩A: "(⟨c⇩2⇩A, mds⇩A, mem⇩A_of mem⇩2⇩C⟩⇩A, ⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A) ∈ A.eval⇩w"
    from in_rel_inv⇩C stop_seq_rel(2) obtain tail⇩C' where c⇩2⇩C_def:
      "c⇩2⇩C = Stop ;; tail⇩C'"
      by (blast elim:rel_inv⇩CE)
    hence eval_tail⇩C': "(⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨tail⇩C', mds⇩C, mem⇩2⇩C⟩⇩C) ∈ C.eval⇩w"
      by (blast intro:C.seq_stop_eval⇩w)
    moreover from stop_seq_rel(1) in_R inR_E
    have c⇩2⇩A_def: "c⇩2⇩A = Stop ;; tail⇩A"
      by (blast elim: inR_E A.rel_invE)
    moreover from c⇩2⇩A_def
    have c⇩2⇩A'_def: "c⇩2⇩A' = tail⇩A" and
      mem⇩2⇩A'_def: "mem⇩2⇩A' = mem⇩A_of mem⇩2⇩C"
    using eval⇩2⇩A abs_steps_stop A.seq_stop_elim
      by simp+
    moreover with c⇩2⇩C_def have
      "(⟨c⇩2⇩A', mds⇩A_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨tail⇩C', mds⇩C', mem⇩2⇩C⟩⇩C) ∈ RefRel_HighBranch"
      using in_Rel c⇩2⇩A_def c⇩2⇩C_def mds⇩C'_def Stop_tail_RefRel_HighBranchE C.seq_stop_eval⇩w
      by blast
    moreover have "(⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨tail⇩C', mds⇩C', mem⇩2⇩C⟩⇩C) ∈ rel_inv⇩C"
      using c⇩1⇩C'_def in_rel_inv⇩C stop_seq_rel(2) c⇩2⇩C_def
      by (blast elim:rel_inv⇩CE intro:rel_inv⇩C.intros)
    ultimately show "∃c⇩2⇩C' mem⇩2⇩C'.
              (⟨c⇩2⇩C, mds⇩C, mem⇩2⇩C⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ sifum_lang_no_dma.eval⇩w ev⇩A ev⇩B ∧
              (⟨c⇩2⇩A', sifum_refinement.mds⇩A_of var⇩C_of mds⇩C', mem⇩2⇩A'⟩⇩A, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C)
              ∈ RefRel_HighBranch ∧
              (⟨c⇩1⇩C', mds⇩C', mem⇩1⇩C'⟩⇩C, ⟨c⇩2⇩C', mds⇩C', mem⇩2⇩C'⟩⇩C) ∈ rel_inv⇩C"
      using mds⇩C'_def by blast
  qed
  thus ?case using rel' abs_steps_stop neval⇩A by blast
next
case stop_rel
  with C.stop_no_eval have False by simp
  thus ?case by simp
qed

lemma RefRel_HighBranch_secure_refinement:
  "secure_refinement A.R RefRel_HighBranch rel_inv⇩C"
  apply(unfold secure_refinement_def2)
  apply(rule conjI)
   apply(rule closed_others_RefRel_HighBranch)
  apply(rule conjI)
   apply(rule preserves_modes_mem_RefRel_HighBranch)
  apply(rule conjI)
   apply(rule new_vars_private_RefRel_HighBranch)
  apply(rule conjI)
   apply(rule rel_inv⇩C_closed_glob_consistent)
  apply clarsimp
  apply(rule induction_full_RefRel_HighBranch, simp+)
  done

lemma strong_low_bisim_mm_R⇩C_of_R:
  "C.strong_low_bisim_mm (R⇩C_of A.R RefRel_HighBranch rel_inv⇩C)"
  apply(rule R⇩C_of_strong_low_bisim_mm)
    apply(rule A.strong_low_bisim_mm_R)
   apply(rule RefRel_HighBranch_secure_refinement)
  apply(rule rel_inv⇩C_sym)
  done

definition
  mds⇩0 :: "Mode ⇒ var⇩C set"
where
  "mds⇩0 ≡ λm. case m of AsmNoReadOrWrite ⇒ {reg0, reg1, reg2, reg3} |
                        AsmNoWrite ⇒ {} |
                        _ ⇒ {}"

lemma regs_the_only_concrete_only_vars:
  "v⇩C ∉ range var⇩C_of ⟹ v⇩C ∈ {reg0, reg1, reg2, reg3}"
  by (case_tac v⇩C, (clarsimp|metis rangeI var⇩C_of.simps)+)

lemma prog_high_branch_RefRel:
  "(⟨A.prog_high_branch, mds⇩A_of mds⇩0, mem⇩A_of mem⇩C⟩⇩A, ⟨C.prog_high_branch⇩C, mds⇩0, mem⇩C⟩⇩C) ∈ RefRel_HighBranch"
  unfolding A.prog_high_branch_def C.prog_high_branch⇩C_def mds⇩0_def
  using regs_the_only_concrete_only_vars doesnt_have_mode has_mode⇩A NoRW⇩A_implies_NoRW⇩C
  apply clarsimp

  apply(rule acq_mode_rel, (simp|clarsimp)+)
  apply(drule C.seq_decl_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)

  apply(rule acq_mode_rel, (simp|clarsimp)+)
  apply(drule C.seq_decl_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)

  apply(rule acq_mode_rel, (simp|clarsimp)+)
  apply(drule C.seq_decl_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)

  apply(rule assign_const_rel, (simp|clarsimp)+)
  apply(drule C.seq_assign_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)
  
  apply(rule assign_const_rel, (simp|clarsimp)+)
  apply(drule C.seq_assign_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)

  apply(rule assign_load_rel, (simp|clarsimp)+)
  apply(drule C.seq_assign_elim, clarsimp)
  apply(rule stop_seq_rel, simp+)

  apply(rule if_reg_load_rel, (simp|clarsimp)+)
  apply(drule C.seq_assign_elim, clarsimp)
  apply(rule if_reg_stop_rel, (simp|clarsimp)+)

  apply(drule C.seq_stop_elim, clarsimp)

  apply(rule if_reg_rel, (simp|clarsimp)+)
   apply(rule rel_inv⇩C_1, clarsimp+)
  apply(rule conjI)

   (* Then *)
   apply clarsimp
   apply(rule if_then_rel_1, (simp|clarsimp)+)
   apply(drule C.if_elim, simp+)
   apply(drule C.seq_elim, simp+)
   apply(drule C.skip_elim, simp+)
   apply(rule if_then_rel_1', (simp|clarsimp)+)
   apply(drule C.seq_stop_elim, simp+)
   apply(rule if_then_rel_2, (simp|clarsimp)+)
   apply(drule C.seq_elim, simp+)
   apply(drule C.skip_elim, simp+)
   apply(rule if_then_rel_2', (simp|clarsimp)+)
   apply(drule C.seq_stop_elim, simp+)
   apply(rule if_then_rel_3, (simp|clarsimp)+)
   apply(drule C.seq_assign_elim, simp+)
   apply(rule if_then_rel_3', (simp|clarsimp)+)
   apply(drule C.seq_stop_elim, simp+)
   apply(rule if_then_rel_4, (simp|clarsimp)+)
   apply(drule C.assign_elim, simp+)
   apply(rule stop_rel)

  (* Else *)
  apply clarsimp
  apply(rule if_else_rel_1, (simp|clarsimp)+)
  apply(drule C.if_elim, simp+)
  apply(drule C.seq_assign_elim, simp+)
  apply(rule if_else_rel_1', (simp|clarsimp)+)
  apply(drule C.seq_stop_elim, simp+)
  apply(rule if_else_rel_2, (simp|clarsimp)+)
  apply(drule C.seq_assign_elim, simp+)
  apply(rule if_else_rel_2', (simp|clarsimp)+)
  apply(drule C.seq_stop_elim, simp+)
  apply(rule if_else_rel_3, (simp|clarsimp)+)
  apply(drule C.seq_assign_elim, simp+)
  apply(rule if_else_rel_3', (simp|clarsimp)+)
  apply(drule C.seq_stop_elim, simp+)
  apply(rule if_else_rel_4, (simp|clarsimp)+)
  apply(drule C.assign_elim, simp+)
  apply(rule stop_rel)
  done

lemma mds⇩s_A_of_mds⇩0:
  "mds⇩s = mds⇩A_of mds⇩0"
  apply(rule preserves_modes_mem_mds⇩A_simp)
  apply clarsimp
  apply(case_tac m)
     unfolding mds⇩s_def mds⇩0_def mds⇩A_of_def
     apply(clarsimp simp: reg_not_visible_abs)+
  done

lemma A_of_mds⇩0_is_mds⇩s:
  "mds⇩A_of mds⇩0 = mds⇩s"
  by (simp add: mds⇩s_A_of_mds⇩0)

lemma prog_high_branch⇩C_in_R⇩C_of_R:
  "C.low_mds_eq mds⇩0 mem⇩1 mem⇩2 ⟹
       (⟨C.prog_high_branch⇩C, mds⇩0, mem⇩1⟩⇩C, ⟨C.prog_high_branch⇩C, mds⇩0, mem⇩2⟩⇩C)
        ∈ (R⇩C_of A.R RefRel_HighBranch rel_inv⇩C)"
  apply(clarsimp simp: R⇩C_of_def)
  apply(rule_tac x=A.prog_high_branch in exI)
  apply(rule_tac x="mds⇩A_of mds⇩0" in exI)
  apply(rule_tac x="mem⇩A_of mem⇩1" in exI)
  apply(rule conjI)
   apply(rule prog_high_branch_RefRel)
  apply(rule_tac x=A.prog_high_branch in exI)
  apply(rule_tac x="mds⇩A_of mds⇩0" in exI)
  apply(rule_tac x="mem⇩A_of mem⇩2" in exI)
  apply(rule conjI)
   apply(rule prog_high_branch_RefRel)
  apply(simp add: A_of_mds⇩0_is_mds⇩s)
  apply(rule conjI)
   apply(rule A.prog_high_branch_secure')
   apply(clarsimp simp: A.low_mds_eq_def)
   apply(case_tac x)
   unfolding C.low_mds_eq_def mem⇩A_of_def dma_def dma⇩C_def 𝒞⇩C_def mds⇩0_def
   apply clarsimp+
  apply(rule rel_inv⇩C_default, simp)
  done

lemma "C.com_sifum_secure (C.prog_high_branch⇩C, mds⇩0)"
  unfolding C.com_sifum_secure_def C.low_indistinguishable_def
  apply clarify
  apply(rule C.mm_equiv_intro)
   apply(rule strong_low_bisim_mm_R⇩C_of_R)
  by (rule prog_high_branch⇩C_in_R⇩C_of_R)

end

end