Theory CSPM_Laws
section ‹Results for Throw›
theory CSPM_Laws
  imports Global_Deterministic_Choice Multi_Synchronization_Product
    Multi_Sequential_Composition Interrupt Throw
begin
subsection ‹Laws for Throw›
lemma Throw_GlobalDet :
  ‹(□ a ∈ A. P a) Θ b ∈ B. Q b = □ a ∈ A. P a Θ b ∈ B. Q b› (is ‹?lhs = ?rhs›)
proof (rule Process_eq_optimizedI)
  show ‹t ∈ 𝒟 ?lhs ⟹ t ∈ 𝒟 ?rhs› for t
    by (simp add: D_Throw GlobalDet_projs split: if_split_asm) blast
next
  show ‹t ∈ 𝒟 ?rhs ⟹ t ∈ 𝒟 ?lhs› for t
    by (simp add: D_Throw GlobalDet_projs) (meson empty_iff)
next
  fix t X assume ‹(t, X) ∈ ℱ ?lhs› ‹t ∉ 𝒟 ?lhs›
  then consider ‹(t, X) ∈ ℱ (□a ∈ A. P a)› ‹set t ∩ ev ` B = {}›
    | (failR) t1 b t2 where ‹t = t1 @ ev b # t2› ‹t1 @ [ev b] ∈ 𝒯 (□a ∈ A. P a)›
      ‹set t1 ∩ ev ` B = {}› ‹b ∈ B› ‹(t2, X) ∈ ℱ (Q b)›
    unfolding Throw_projs by blast
  thus ‹(t, X) ∈ ℱ ?rhs›
  proof cases
    show ‹(t, X) ∈ ℱ (□a ∈ A. P a) ⟹ set t ∩ ev ` B = {} ⟹ (t, X) ∈ ℱ ?rhs›
      by (cases t) (auto simp add: F_GlobalDet Throw_projs)
  next
    case failR
    from failR(2) obtain a where ‹a ∈ A› ‹t1 @ [ev b] ∈ 𝒯 (P a)›
      by (auto simp add: T_GlobalDet split: if_split_asm)
    with failR(3-5) show ‹(t, X) ∈ ℱ ?rhs›
      by (simp add: F_GlobalDet F_Throw failR(1)) blast
  qed
next
  fix t X assume ‹(t, X) ∈ ℱ ?rhs› ‹t ∉ 𝒟 ?rhs›
  then consider ‹t = []› ‹∀a∈A. (t, X) ∈ ℱ (P a Θ b ∈ B. Q b)›
    | a where ‹a ∈ A› ‹t ≠ []› ‹(t, X) ∈ ℱ (P a Θ b ∈ B. Q b)›
    | a r where ‹a ∈ A› ‹t = []› ‹✓(r) ∉ X› ‹[✓(r)] ∈ 𝒯 (P a Θ b ∈ B. Q b)›
    by (auto simp add: GlobalDet_projs)
  thus ‹(t, X) ∈ ℱ ?lhs›
  proof cases
    show ‹t = [] ⟹ ∀a∈A. (t, X) ∈ ℱ (P a Θ b ∈ B. Q b) ⟹ (t, X) ∈ ℱ ?lhs›
      by (auto simp add: F_Throw F_GlobalDet)
  next
    show ‹a ∈ A ⟹ t ≠ [] ⟹ (t, X) ∈ ℱ (P a Θ b ∈ B. Q b) ⟹ (t, X) ∈ ℱ ?lhs› for a
      by (simp add: F_Throw GlobalDet_projs) (metis empty_iff)
  next
    show ‹⟦a ∈ A; t = []; ✓(r) ∉ X; [✓(r)] ∈ 𝒯 (P a Θ b ∈ B. Q b)⟧ ⟹ (t, X) ∈ ℱ ?lhs› for a r
      by (simp add: Throw_projs F_GlobalDet Cons_eq_append_conv) (metis is_processT9_tick)
  qed
qed
lemma Throw_GlobalNdetR :
  ‹P Θ a ∈ A. ⊓b ∈ B. Q a b =
   (if B = {} then P Θ a ∈ A. STOP else □b ∈ B. P Θ a ∈ A. Q a b)›
  (is ‹?lhs = (if _ then _ else ?rhs)›)
proof (split if_split, intro conjI impI)
  show ‹B = {} ⟹ ?lhs = P Θ a ∈ A. STOP› by simp
next
  show ‹?lhs = ?rhs› if ‹B ≠ {}›
  proof (subst Process_eq_spec, safe)
    show ‹t ∈ 𝒟 ?lhs ⟹ t ∈ 𝒟 ?rhs› for t
      by (auto simp add: ‹B ≠ {}› D_Throw D_GlobalNdet D_GlobalDet)
  next
    show ‹t ∈ 𝒟 ?rhs ⟹ t ∈ 𝒟 ?lhs› for t
      by (auto simp add: ‹B ≠ {}› D_Throw D_GlobalNdet D_GlobalDet)
  next
    show ‹(t, X) ∈ ℱ ?lhs ⟹ (t, X) ∈ ℱ ?rhs› for t X
      by (cases t) (auto simp add: ‹B ≠ {}› F_Throw F_GlobalNdet F_GlobalDet)
  next
    show ‹(t, X) ∈ ℱ ?rhs ⟹ (t, X) ∈ ℱ ?lhs› for t X
      by (auto simp add: ‹B ≠ {}› Throw_projs F_GlobalNdet F_GlobalDet D_T
          is_processT7 Cons_eq_append_conv intro!: is_processT6_TR_notin)
  qed
qed
corollary Throw_Det : ‹P □ P' Θ a ∈ A. Q a = (P Θ a ∈ A. Q a) □ (P' Θ a ∈ A. Q a)›
proof -
  have ‹P □ P' Θ a ∈ A. Q a = (□a∈{0 :: nat, 1}. (if a = 0 then P else P')) Θ a ∈ A. Q a›
    by (simp add: GlobalDet_distrib_unit)
  also have ‹… = □a∈{0 :: nat, 1}. (if a = 0 then P else P') Θ a ∈ A. Q a›
    by (fact Throw_GlobalDet)
  also have ‹… = (P Θ a ∈ A. Q a) □ (P' Θ a ∈ A. Q a)›
    by (simp add: GlobalDet_distrib_unit)
  finally show ?thesis .
qed
corollary Throw_NdetR : ‹P Θ a ∈ A. Q a ⊓ Q' a = (P Θ a ∈ A. Q a) □ (P Θ a ∈ A. Q' a)›
proof -
  have ‹P Θ a ∈ A. Q a ⊓ Q' a = P Θ a ∈ A. ⊓b ∈ {0 :: nat, 1}. (if b = 0 then Q a else Q' a)›
    by (simp add: GlobalNdet_distrib_unit)
  also have ‹… = □b ∈ {0 :: nat, 1}. P Θ a ∈ A. (if b = 0 then Q a else Q' a)›
    by (simp add: Throw_GlobalNdetR)
  also have ‹… = (P Θ a ∈ A. Q a) □ (P Θ a ∈ A. Q' a)›
    by (simp add: GlobalDet_distrib_unit)
  finally show ?thesis .
qed
subsection ‹Laws for Sync›
lemma Sync_GlobalNdet_cartprod:
  ‹(⊓ (a, b) ∈ A × B. (P a ⟦S⟧ Q b)) = 
   (if A = {} ∨ B = {} then STOP else (⊓a ∈ A. P a) ⟦S⟧ (⊓b ∈ B. Q b))›  
  by (simp add: GlobalNdet_cartprod Sync_distrib_GlobalNdet_left
      Sync_distrib_GlobalNdet_right GlobalNdet_sets_commute[of A])
lemmas Inter_GlobalNdet_cartprod = Sync_GlobalNdet_cartprod[where S = ‹{}›]
  and   Par_GlobalNdet_cartprod = Sync_GlobalNdet_cartprod[where S = UNIV]
lemma MultiSync_Hiding_pseudo_distrib:
  ‹finite A ⟹ A ∩ S = {} ⟹ (❙⟦S❙⟧ p ∈# M. (P p \ A)) = (❙⟦S❙⟧ p ∈# M. P p) \ A›
  by (induct M, simp) (metis MultiSync_add MultiSync_rec1 Hiding_Sync)
lemma MultiSync_prefix_pseudo_distrib:
  ‹M ≠ {#} ⟹ a ∈ S ⟹ (❙⟦S❙⟧ p ∈# M. (a → P p)) = (a → (❙⟦S❙⟧ p ∈# M. P p))›
  by (induct M rule: mset_induct_nonempty) 
    (simp_all add: write0_Sync_write0_subset)
lemmas MultiInter_Hiding_pseudo_distrib =
  MultiSync_Hiding_pseudo_distrib[where S = ‹{}›, simplified]
  and MultiPar_prefix_pseudo_distrib =
  MultiSync_prefix_pseudo_distrib[where S = ‹UNIV›, simplified]
text ‹A result on Mndetprefix and Sync.›
lemma Mndetprefix_Sync_distr: ‹A ≠ {} ⟹ B ≠ {} ⟹ 
       (⊓ a ∈ A → P a) ⟦S⟧ (⊓ b ∈ B → Q b) =
        ⊓ a∈A. ⊓ b∈B. (□c ∈ ({a} - S) → (P a ⟦S⟧ (b → Q b))) □ 
                       (□d ∈ ({b} - S) → ((a → P a) ⟦S⟧ Q b)) □
                       (□c∈({a} ∩ {b} ∩ S) → (P a ⟦S⟧ Q b))›
  apply (subst (1 2) Mndetprefix_GlobalNdet) 
  apply (subst Sync_distrib_GlobalNdet_right, simp)
  apply (subst Sync_commute)
  apply (subst Sync_distrib_GlobalNdet_right, simp)
  apply (subst Sync_commute)
  apply (unfold write0_def)
  apply (subst Mprefix_Sync_Mprefix)
  by (fold write0_def, rule refl)
lemma ‹A ≠ {} ⟹ B ≠ {} ⟹ (⊓ a ∈ A → P a) ⟦S⟧ (⊓ b ∈ B → Q b) =
        ⊓ a∈A. ⊓ b∈B. (if a ∈ S then STOP else (a → (P a ⟦S⟧ (b → Q b)))) □ 
                       (if b ∈ S then STOP else (b → ((a → P a) ⟦S⟧ Q b))) □
                       (if a = b ∧ a ∈ S then (a → (P a ⟦S⟧ Q a)) else STOP)›
  apply (subst Mndetprefix_Sync_distr, assumption+)
  apply (intro mono_GlobalNdet_eq)
  apply (intro arg_cong2[where f = ‹(□)›])
  by (simp_all add: Mprefix_singl insert_Diff_if Int_insert_left)
subsection ‹GlobalDet, GlobalNdet and write0›
lemma GlobalDet_write0_is_GlobalNdet_write0:
  ‹(□ p ∈ A. (a → P p)) = ⊓ p ∈ A. (a → P p)› (is ‹?lhs = ?rhs›)
proof (subst Process_eq_spec, safe)
  show ‹s ∈ 𝒟 ?lhs ⟹ s ∈ 𝒟 ?rhs›
    and ‹s ∈ 𝒟 ?rhs ⟹ s ∈ 𝒟 ?lhs› for s
    by (simp_all add: D_GlobalDet write0_def D_Mprefix D_GlobalNdet)
next
  show ‹(s, X) ∈ ℱ ?lhs ⟹ (s, X) ∈ ℱ ?rhs›
    and ‹(s, X) ∈ ℱ ?rhs ⟹ (s, X) ∈ ℱ ?lhs› for s X
    by (auto simp add: F_GlobalDet write0_def F_Mprefix F_GlobalNdet split: if_split_asm)
qed    
lemma write0_GlobalNdet_bis:
  ‹A ≠ {} ⟹ (a → (⊓ p ∈ A. P p) = □ p ∈ A. (a → P p))›
  by (simp add: GlobalDet_write0_is_GlobalNdet_write0 write0_GlobalNdet)
section ‹Some Results on Renaming›
lemma Renaming_GlobalNdet:
  ‹Renaming (⊓ a ∈ A. P (f a)) f g = ⊓ b ∈ f ` A. Renaming (P b) f g›
  by (metis Renaming_distrib_GlobalNdet mono_GlobalNdet_eq2)
lemma Renaming_GlobalNdet_inj_on:
  ‹Renaming (⊓ a ∈ A. P a) f g =
   ⊓ b ∈ f ` A. Renaming (P (THE a. a ∈ A ∧ f a = b)) f g›
  if inj_on_f: ‹inj_on f A›
  by (smt (verit, ccfv_SIG) Renaming_distrib_GlobalNdet inj_on_def mono_GlobalNdet_eq2 that the_equality)
corollary Renaming_GlobalNdet_inj:
  ‹Renaming (⊓ a ∈ A. P a) f g =
   ⊓ b ∈ f ` A. Renaming (P (THE a. f a = b)) f g› if inj_f: ‹inj f›
  apply (subst Renaming_GlobalNdet_inj_on, metis inj_eq inj_onI inj_f)
  apply (rule mono_GlobalNdet_eq[rule_format])
  by (metis imageE inj_eq[OF inj_f])
lemma Renaming_distrib_GlobalDet :
  ‹Renaming (□a ∈ A. P a) f g = □a ∈ A. Renaming (P a) f g› (is ‹?lhs = ?rhs›)
proof (subst Process_eq_spec_optimized, safe)
  show ‹s ∈ 𝒟 ?lhs ⟹ s ∈ 𝒟 ?rhs›
    and ‹s ∈ 𝒟 ?rhs ⟹ s ∈ 𝒟 ?lhs› for s
    by (auto simp add: D_Renaming D_GlobalDet)
next
  assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
  fix s X assume ‹(s, X) ∈ ℱ ?lhs›
  then consider ‹s ∈ 𝒟 ?lhs›
    | t where ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t› ‹(t, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (□a ∈ A. P a)›
    unfolding Renaming_projs by blast
  thus ‹(s, X) ∈ ℱ ?rhs›
  proof cases
    from same_div D_F show ‹s ∈ 𝒟 ?lhs ⟹ (s, X) ∈ ℱ ?rhs› by blast
  next
    show ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t ⟹ (t, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (□a ∈ A. P a)
          ⟹ (s, X) ∈ ℱ ?rhs› for t
      by (cases t; simp add: F_GlobalDet Renaming_projs)
        (force, metis list.simps(9))
  qed
next
  assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
  fix s X assume ‹(s, X) ∈ ℱ ?rhs›
  then consider ‹s = []› ‹∀a∈A. (s, X) ∈ ℱ (Renaming (P a) f g)›
    | a where ‹a ∈ A› ‹s ≠ []› ‹(s, X) ∈ ℱ (Renaming (P a) f g)›
    | a where ‹a ∈ A› ‹s = []› ‹s ∈ 𝒟 (Renaming (P a) f g)›
    | a r where ‹a ∈ A› ‹s = []› ‹✓(r) ∉ X› ‹[✓(r)] ∈ 𝒯 (Renaming (P a) f g)›
    unfolding F_GlobalDet by blast
  thus ‹(s, X) ∈ ℱ ?lhs›
  proof cases
    show ‹s = [] ⟹ ∀a∈A. (s, X) ∈ ℱ (Renaming (P a) f g) ⟹ (s, X) ∈ ℱ ?lhs›
      by (auto simp add: F_Renaming F_GlobalDet)
  next
    show ‹a ∈ A ⟹ s ≠ [] ⟹ (s, X) ∈ ℱ (Renaming (P a) f g) ⟹ (s, X) ∈ ℱ ?lhs› for a
      by (simp add: F_Renaming GlobalDet_projs) (metis list.simps(8))
  next
    show ‹a ∈ A ⟹ s = [] ⟹ s ∈ 𝒟 (Renaming (P a) f g) ⟹ (s, X) ∈ ℱ ?lhs› for a
      by (auto simp add: Renaming_projs D_GlobalDet)
  next
    fix a r assume * : ‹a ∈ A› ‹s = []› ‹✓(r) ∉ X› ‹[✓(r)] ∈ 𝒯 (Renaming (P a) f g)›
    from "*"(4) consider s1 where ‹[✓(r)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1› ‹s1 ∈ 𝒯 (P a)›
      | s1 s2 where ‹[✓(r)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2›
        ‹tickFree s1› ‹front_tickFree s2› ‹s1 ∈ 𝒟 (P a)›
      by (simp add: T_Renaming) meson
    thus ‹(s, X) ∈ ℱ ?lhs›
    proof cases
      fix s1 assume ‹[✓(r)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1› ‹s1 ∈ 𝒯 (P a)›
      from ‹[✓(r)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1› obtain r' where ‹r = g r'› ‹s1 = [✓(r')]›
        by (metis map_map_event⇩p⇩t⇩i⇩c⇩k_eq_tick_iff)
      with "*"(1, 2, 3) ‹s1 ∈ 𝒯 (P a)›
      show ‹(s, X) ∈ ℱ ?lhs› by (auto simp add: F_Renaming F_GlobalDet)
    next
      fix s1 s2 assume ‹[✓(r)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2›
        ‹tickFree s1› ‹front_tickFree s2› ‹s1 ∈ 𝒟 (P a)›
      from ‹[✓(r)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2› ‹tickFree s1›
      have ‹s1 = [] ∧ s2 = [✓(r)]›
        by (cases s1; simp) (metis event⇩p⇩t⇩i⇩c⇩k.disc(2) event⇩p⇩t⇩i⇩c⇩k.map_disc_iff(1))
      with "*"(1, 2) ‹s1 ∈ 𝒟 (P a)› show ‹(s, X) ∈ ℱ ?lhs›
        by (auto simp add: F_Renaming F_GlobalDet)
    qed
  qed
qed
lemma Renaming_Mprefix_bis :
  ‹Renaming (□a ∈ A → P a) f g = □a ∈ A. (f a → Renaming (P a) f g)›
  by (simp add: Mprefix_GlobalDet Renaming_distrib_GlobalDet Renaming_write0)
lemma Renaming_GlobalDet_alt:
  ‹Renaming (□ a ∈ A. P (f a)) f g = □ b ∈ f ` A. Renaming (P b) f g›
  (is ‹?lhs = ?rhs›)
  by (simp add: Renaming_distrib_GlobalDet mono_GlobalDet_eq2)
lemma Renaming_GlobalDet_inj_on:
  ‹inj_on f A ⟹ Renaming (□ a ∈ A. P a) f g =
   □ b ∈ f ` A. Renaming (P (THE a. a ∈ A ∧ f a = b)) f g›
  by (simp add: Renaming_distrib_GlobalDet inj_on_def mono_GlobalDet_eq2 the_equality)
corollary Renaming_GlobalDet_inj:
  ‹inj f ⟹ Renaming (□ a ∈ A. P a) f g = □ b ∈ f ` A. Renaming (P (THE a. f a = b)) f g›
  by (subst Renaming_GlobalDet_inj_on, metis inj_eq inj_onI)
    (rule mono_GlobalDet_eq, metis imageE inj_eq)
lemma Renaming_Interrupt :
  ‹Renaming (P △ Q) f g = Renaming P f g △ Renaming Q f g› (is ‹?lhs = ?rhs›)
proof (subst Process_eq_spec_optimized, safe)
  fix t assume ‹t ∈ 𝒟 ?lhs›
  then obtain t1 t2
    where * : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1 @ t2› ‹tF t1› ‹ftF t2› ‹t1 ∈ 𝒟 (P △ Q)›
    unfolding D_Renaming by blast
  from "*"(4) consider ‹t1 ∈ 𝒟 P›
    | u1 u2 where ‹t1 = u1 @ u2› ‹u1 ∈ 𝒯 P› ‹tF u1› ‹u2 ∈ 𝒟 Q›
    unfolding D_Interrupt by blast
  thus ‹t ∈ 𝒟 ?rhs›
  proof cases
    from "*"(1-3) show ‹t1 ∈ 𝒟 P ⟹ t ∈ 𝒟 ?rhs›
      by (auto simp add: D_Interrupt D_Renaming)
  next
    show ‹t1 = u1 @ u2 ⟹ u1 ∈ 𝒯 P ⟹ tF u1 ⟹ u2 ∈ 𝒟 Q ⟹ t ∈ 𝒟 ?rhs› for u1 u2
      by (simp add: D_Interrupt Renaming_projs "*"(1))
        (metis "*"(2, 3) map_event⇩p⇩t⇩i⇩c⇩k_tickFree tickFree_append_iff)
  qed
next
  fix t assume ‹t ∈ 𝒟 ?rhs›
  then consider ‹t ∈ 𝒟 (Renaming P f g)›
    | t1 t2 where ‹t = t1 @ t2› ‹t1 ∈ 𝒯 (Renaming P f g)› ‹tF t1› ‹t2 ∈ 𝒟 (Renaming Q f g)›
    unfolding D_Interrupt by blast
  thus ‹t ∈ 𝒟 ?lhs›
  proof cases
    show ‹t ∈ 𝒟 (Renaming P f g) ⟹ t ∈ 𝒟 ?lhs›
      by (auto simp add: D_Renaming D_Interrupt)
  next
    show ‹t = t1 @ t2 ⟹ t1 ∈ 𝒯 (Renaming P f g) ⟹ tF t1 ⟹ t2 ∈ 𝒟 (Renaming Q f g) ⟹ t ∈ 𝒟 ?lhs› for t1 t2
      by (auto simp add: Renaming_projs D_Interrupt append.assoc map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
        (metis (no_types, opaque_lifting) append.assoc map_append tickFree_append_iff,
          metis front_tickFree_append map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
  qed
next
  fix t X assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
  assume ‹(t, X) ∈ ℱ ?lhs›
  then consider ‹t ∈ 𝒟 ?lhs›
    | u where ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P △ Q)›
    unfolding Renaming_projs by blast
  thus ‹(t, X) ∈ ℱ ?rhs›
  proof cases
    from same_div D_F show ‹t ∈ 𝒟 ?lhs ⟹ (t, X) ∈ ℱ ?rhs› by blast
  next
    fix u assume * : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P △ Q)›
    from "*"(2) consider ‹u ∈ 𝒟 (P △ Q)›
      | u' r  where ‹u = u' @ [✓(r)]› ‹u' @ [✓(r)] ∈ 𝒯 P›
      | X' r  where ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = X' - {✓(r)}› ‹u @ [✓(r)] ∈ 𝒯 P›
      | ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ P› ‹tF u› ‹([], map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ Q›
      | u1 u2 where ‹u = u1 @ u2› ‹u1 ∈ 𝒯 P› ‹tF u1› ‹(u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ Q› ‹u2 ≠ []›
      | X' r  where ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = X' - {✓(r)}› ‹u ∈ 𝒯 P› ‹tF u› ‹[✓(r)] ∈ 𝒯 Q›
      unfolding Interrupt_projs by safe auto
    thus ‹(t, X) ∈ ℱ ?rhs›
    proof cases
      assume ‹u ∈ 𝒟 (P △ Q)›
      hence ‹t ∈ 𝒟 ?lhs›
        by (simp add: "*"(1) D_Renaming)
          (metis (no_types, opaque_lifting) D_imp_front_tickFree append_Nil2 snoc_eq_iff_butlast
            butlast.simps(1) div_butlast_when_non_tickFree_iff front_tickFree_Nil
            front_tickFree_iff_tickFree_butlast front_tickFree_single map_butlast)
      with same_div D_F show ‹(t, X) ∈ ℱ ?rhs› by blast
    next
      show ‹u = u' @ [✓(r)] ⟹ u' @ [✓(r)] ∈ 𝒯 P ⟹ (t, X) ∈ ℱ ?rhs› for u' r
        by (auto simp add: "*"(1) F_Interrupt T_Renaming)
    next
      fix X' r assume ** : ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = X' - {✓(r)}› ‹u @ [✓(r)] ∈ 𝒯 P›
      from "**" obtain X'' where ‹X = X'' - {✓(g r)}›
        by (metis DiffD2 Diff_insert_absorb event⇩p⇩t⇩i⇩c⇩k.simps(10) insertI1 vimage_eq)
      moreover from "**"(2) have ‹t @ [✓(g r)] ∈ 𝒯 (Renaming P f g)›
        by (auto simp add: "*"(1) T_Renaming)
      ultimately show ‹(t, X) ∈ ℱ ?rhs› by (auto simp add: F_Interrupt)
    next
      show ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ P ⟹ tF u ⟹
            ([], map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ Q ⟹ (t, X) ∈ ℱ ?rhs›
        using map_event⇩p⇩t⇩i⇩c⇩k_tickFree by (auto simp add: "*"(1) F_Interrupt F_Renaming)
    next
      fix u1 u2 assume ‹u = u1 @ u2› ‹u1 ∈ 𝒯 P› ‹tF u1›
        ‹(u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ Q› ‹u2 ≠ []›
      hence ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2›
        ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 ∈ 𝒯 (Renaming P f g)›
        ‹tF (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1)›
        ‹(map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2, X) ∈ ℱ (Renaming Q f g)›
        ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 ≠ []›
        by (auto simp add: "*"(1) Renaming_projs map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
      thus ‹(t, X) ∈ ℱ ?rhs› by (simp add: F_Interrupt) blast
    next
      fix X' r assume ** : ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = X' - {✓(r)}› ‹u ∈ 𝒯 P› ‹tF u› ‹[✓(r)] ∈ 𝒯 Q›
      from "**"(1, 2) obtain X'' where ‹X = X'' - {✓(g r)}›
        by (metis DiffD2 Diff_insert_absorb event⇩p⇩t⇩i⇩c⇩k.simps(10) insertI1 vimage_eq)
      moreover from "**"(2-4) have ‹t ∈ 𝒯 (Renaming P f g)› ‹tF t›
        ‹[✓(g r)] ∈ 𝒯 (Renaming Q f g)›
        by (auto simp add: "*"(1) T_Renaming map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
      ultimately show ‹(t, X) ∈ ℱ ?rhs› by (simp add: F_Interrupt) blast
    qed
  qed
next
  fix t X assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
  assume ‹(t, X) ∈ ℱ ?rhs›
  then consider ‹t ∈ 𝒟 ?rhs›
    | t' s  where ‹t = t' @ [✓(s)]› ‹t' @ [✓(s)] ∈ 𝒯 (Renaming P f g)›
    | X' s  where ‹X = X' - {✓(s)}› ‹t  @ [✓(s)] ∈ 𝒯 (Renaming P f g)›
    | ‹(t, X) ∈ ℱ (Renaming P f g)› ‹tF t› ‹([], X) ∈ ℱ (Renaming Q f g)›
    | t1 t2 where ‹t = t1 @ t2› ‹t1 ∈ 𝒯 (Renaming P f g)› ‹tF t1›
      ‹(t2, X) ∈ ℱ (Renaming Q f g)› ‹t2 ≠ []›
    | X' s where ‹X = X' - {✓(s)}› ‹t ∈ 𝒯 (Renaming P f g)› ‹tF t› ‹[✓(s)] ∈ 𝒯 (Renaming Q f g)›
    by (simp add: Interrupt_projs) blast
  thus ‹(t, X) ∈ ℱ ?lhs›
  proof cases
    from same_div D_F show ‹t ∈ 𝒟 ?rhs ⟹ (t, X) ∈ ℱ ?lhs› by blast
  next
    show ‹⟦t = t' @ [✓(s)]; t' @ [✓(s)] ∈ 𝒯 (Renaming P f g)⟧ ⟹ (t, X) ∈ ℱ ?lhs› for t' s
      by (simp add: Renaming_projs Interrupt_projs)
        (metis T_nonTickFree_imp_decomp map_event⇩p⇩t⇩i⇩c⇩k_tickFree non_tickFree_tick tickFree_append_iff)
  next
    fix X' s assume * : ‹X = X' - {✓(s)}› ‹t @ [✓(s)] ∈ 𝒯 (Renaming P f g)›
    from "*"(2) consider u1 u2 where
      ‹t @ [✓(s)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
    | u r where ‹s = g r› ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹u @ [✓(r)] ∈ 𝒯 P›
      by (simp add: T_Renaming)
        (metis (no_types, opaque_lifting) T_nonTickFree_imp_decomp event⇩p⇩t⇩i⇩c⇩k.disc(4)
          event⇩p⇩t⇩i⇩c⇩k.map_sel(2) event⇩p⇩t⇩i⇩c⇩k.sel(2) last_map map_butlast map_event⇩p⇩t⇩i⇩c⇩k_tickFree
          non_tickFree_tick snoc_eq_iff_butlast tickFree_append_iff)
    thus ‹(t, X) ∈ ℱ ?lhs›
    proof cases
      fix u1 u2 assume ‹t @ [✓(s)] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
      hence ‹t ∈ 𝒟 ?lhs›
        by (cases u2 rule: rev_cases)
          (auto simp add: D_Interrupt D_Renaming intro: front_tickFree_dw_closed,
            metis map_event⇩p⇩t⇩i⇩c⇩k_tickFree non_tickFree_tick tickFree_append_iff)
      with D_F show ‹(t, X) ∈ ℱ ?lhs› by blast
    next
      fix u r assume ‹s = g r› ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹u @ [✓(r)] ∈ 𝒯 P›
      moreover from "*"(1) ‹s = g r› obtain X'' where ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = X'' - {✓(r)}›
        by (metis Diff_iff Diff_insert_absorb event⇩p⇩t⇩i⇩c⇩k.simps(10) vimage_eq vimage_singleton_eq)
      ultimately show ‹(t, X) ∈ ℱ ?lhs› by (simp add: F_Renaming F_Interrupt) metis
    qed
  next
    show ‹⟦(t, X) ∈ ℱ (Renaming P f g); tF t; ([], X) ∈ ℱ (Renaming Q f g)⟧ ⟹ (t, X) ∈ ℱ ?lhs›
      by (simp add: Renaming_projs Interrupt_projs)
        (metis is_processT8 map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
  next
    fix t1 t2 assume * : ‹t = t1 @ t2› ‹t1 ∈ 𝒯 (Renaming P f g)› ‹tF t1›
      ‹(t2, X) ∈ ℱ (Renaming Q f g)› ‹t2 ≠ []›
    from "*"(2) consider u1 u2 where
      ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
    | u1 where ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1› ‹u1 ∈ 𝒯 P›
      unfolding T_Renaming by blast
    thus ‹(t, X) ∈ ℱ ?lhs›
    proof cases
      fix u1 u2 assume ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
      hence ‹t1 ∈ 𝒟 ?lhs› by (auto simp add: D_Interrupt D_Renaming)
      with "*"(1, 3, 4) F_imp_front_tickFree is_processT7 have ‹t ∈ 𝒟 ?lhs› by blast
      with D_F show ‹(t, X) ∈ ℱ ?lhs› by blast
    next
      fix u1 assume ** : ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1› ‹u1 ∈ 𝒯 P›
      from "*"(4) consider u2 u3 where
        ‹t2 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 @ u3› ‹tF u2› ‹ftF u3› ‹u2 ∈ 𝒟 Q›
      | u2 where ‹t2 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2› ‹(u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ Q›
        unfolding F_Renaming by blast
      thus ‹(t, X) ∈ ℱ ?lhs›
      proof cases
        fix u2 u3 assume ‹t2 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 @ u3› ‹tF u2› ‹ftF u3› ‹u2 ∈ 𝒟 Q›
        hence ‹t ∈ 𝒟 ?lhs›
          by (simp add: "*"(1) "**"(1) D_Renaming D_Interrupt flip: map_append append.assoc)
            (metis "*"(3) "**"(1, 2) map_event⇩p⇩t⇩i⇩c⇩k_tickFree tickFree_append_iff)
        with D_F show ‹(t, X) ∈ ℱ ?lhs› by blast
      next
        show ‹t2 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 ⟹ (u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ Q
              ⟹ (t, X) ∈ ℱ ?lhs› for u2
          by (simp add: F_Renaming F_Interrupt "*"(1) "**"(1) flip: map_append)
            (metis "*"(3, 5) "**"(1, 2) list.map_disc_iff map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
      qed
    qed
  next
    fix X' s assume * : ‹X = X' - {✓(s)}› ‹t ∈ 𝒯 (Renaming P f g)›
      ‹tF t› ‹[✓(s)] ∈ 𝒯 (Renaming Q f g)›
    from "*"(2) consider u1 u2 where
      ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
    | u where ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹u ∈ 𝒯 P›
      by (auto simp add: T_Renaming)
    thus ‹(t, X) ∈ ℱ ?lhs›
    proof cases
      fix u1 u2 assume ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
      hence ‹t ∈ 𝒟 ?lhs› by (auto simp add: D_Interrupt D_Renaming)
      with D_F show ‹(t, X) ∈ ℱ ?lhs› by blast
    next
      fix u assume ** : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹u ∈ 𝒯 P›
      from "*"(4) consider ‹Renaming Q f g = ⊥› | r where ‹s = g r› ‹[✓(r)] ∈ 𝒯 Q›
        by (simp add: Renaming_projs BOT_iff_tick_D)
          (metis map_map_event⇩p⇩t⇩i⇩c⇩k_eq_tick_iff)
      thus ‹(t, X) ∈ ℱ ?lhs›
      proof cases
        assume ‹Renaming Q f g = ⊥›
        hence ‹Q = ⊥› by (simp add: Renaming_is_BOT_iff)
        hence ‹Renaming (P △ Q) f g = ⊥› by simp
        thus ‹(t, X) ∈ ℱ ?lhs› by (simp add: F_BOT "*"(3))
      next
        fix r assume ‹s = g r› ‹[✓(r)] ∈ 𝒯 Q›
        moreover from "*"(1) ‹s = g r› obtain X''
          where ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = X'' - {✓(r)}›
          by (metis DiffD2 Diff_empty Diff_insert0 event⇩p⇩t⇩i⇩c⇩k.simps(10) insertI1 vimage_eq)
        ultimately show ‹(t, X) ∈ ℱ ?lhs›
          by (simp add: "**"(1) F_Renaming F_Interrupt)
            (metis "*"(3) "**"(1, 2) map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
      qed
    qed
  qed
qed
lemma inj_on_Renaming_Throw :
  ‹Renaming (P Θ a ∈ A. Q a) f g =
   Renaming P f g Θ b ∈ f ` A. Renaming (Q (inv_into A f b)) f g›
  (is ‹?lhs = ?rhs›) if inj_on_f : ‹inj_on f (events_of P ∪ A)›
proof -
  have $ : ‹set (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) ∩ ev ` f ` A = {}
            ⟷ set t ∩ ev ` A = {}› if ‹t ∈ 𝒯 P› for t
  proof -
    from ‹t ∈ 𝒯 P› inj_on_f have ‹inj_on f ({a. ev a ∈ set t} ∪ A)›
      by (auto simp add: inj_on_def events_of_memI)
    thus ‹set (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) ∩ ev ` f ` A = {}
          ⟷ set t ∩ ev ` A = {}›
      by (auto simp add: disjoint_iff image_iff inj_on_def map_event⇩p⇩t⇩i⇩c⇩k_eq_ev_iff)
        (metis event⇩p⇩t⇩i⇩c⇩k.simps(9), blast)
  qed
  show ‹?lhs = ?rhs›
  proof (subst Process_eq_spec_optimized, safe)
    fix t assume ‹t ∈ 𝒟 ?lhs›
    then obtain t1 t2 where * : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1 @ t2› ‹tF t1›
      ‹ftF t2› ‹t1 ∈ 𝒟 (P Θ a ∈ A. Q a)›
      unfolding D_Renaming by blast
    from "*"(4) consider u1 u2 where ‹t1 = u1 @ u2› ‹u1 ∈ 𝒟 P› ‹tF u1›
      ‹set u1 ∩ ev ` A = {}› ‹ftF u2›
    | u1 a u2 where ‹t1 = u1 @ ev a # u2› ‹u1 @ [ev a] ∈ 𝒯 P›
      ‹set u1 ∩ ev ` A = {}› ‹a ∈ A› ‹u2 ∈ 𝒟 (Q a)›
      unfolding D_Throw by blast
    thus ‹t ∈ 𝒟 ?rhs›
    proof cases
      fix u1 u2 assume ** : ‹t1 = u1 @ u2› ‹u1 ∈ 𝒟 P› ‹tF u1›
        ‹set u1 ∩ ev ` A = {}› ‹ftF u2›
      from "$" "**"(2) "**"(4) D_T
      have *** : ‹set (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1) ∩ ev ` f ` A = {}› by blast
      have ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 @ t2)›
        by (simp add: "*"(1) "**"(1))
      moreover from "*"(2, 3) "**"(1) have ‹ftF (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 @ t2)›
        by (simp add: front_tickFree_append map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
      moreover have ‹tF (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1)›
        by (simp add: "**"(3) map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
      ultimately show ‹t ∈ 𝒟 ?rhs›
        by (simp add: D_Throw D_Renaming)
          (use "**"(2) "**"(3) "***" front_tickFree_Nil in blast)
    next
      fix u1 a u2 assume ** : ‹t1 = u1 @ ev a # u2› ‹u1 @ [ev a] ∈ 𝒯 P›
        ‹set u1 ∩ ev ` A = {}› ‹a ∈ A› ‹u2 ∈ 𝒟 (Q a)›
      have *** : ‹set (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1) ∩ ev ` f ` A = {}›
        by (meson "$" "**"(2) "**"(3) T_F_spec is_processT3)
      have ‹tF u2› using "*"(2) "**"(1) by auto
      moreover have ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ ev (f a) # map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 @ t2›
        by (simp add: "*"(1) "**"(1))
      moreover from "**"(2) have ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ [ev (f a)] ∈ 𝒯 (Renaming P f g)›
        by (auto simp add: T_Renaming )
      moreover have ‹inv_into A f (f a) = a›
        by (meson "**"(4) inj_on_Un inv_into_f_eq inj_on_f)
      ultimately show ‹t ∈ 𝒟 ?rhs›
        by (simp add: D_Throw D_Renaming)
          (metis "*"(3) "**"(4) "**"(5) "***" imageI)
    qed
  next
    fix t assume ‹t ∈ 𝒟 ?rhs›
    then consider t1 t2 where ‹t = t1 @ t2› ‹t1 ∈ 𝒟 (Renaming P f g)›
      ‹tF t1› ‹set t1 ∩ ev ` f ` A = {}› ‹ftF t2›
    | t1 b t2 where ‹t = t1 @ ev b # t2› ‹t1 @ [ev b] ∈ 𝒯 (Renaming P f g)›
      ‹set t1 ∩ ev ` f ` A = {}› ‹b ∈ f ` A›
      ‹t2 ∈ 𝒟 (Renaming (Q (inv_into A f b)) f g)›
      unfolding D_Throw by blast
    thus ‹t ∈ 𝒟 ?lhs›
    proof cases
      fix t1 t2 assume * : ‹t = t1 @ t2› ‹t1 ∈ 𝒟 (Renaming P f g)›
        ‹tF t1› ‹set t1 ∩ ev ` f ` A = {}› ‹ftF t2›
      from "*"(2) obtain u1 u2
        where ** : ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
        unfolding D_Renaming by blast
      from "*"(4) "**"(1) have ‹set u1 ∩ ev ` A = {}› by auto
      moreover have ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ (u2 @ t2)›
        by (simp add: "*"(1) "**"(1))
      moreover from "*"(3, 5) "**"(1) front_tickFree_append tickFree_append_iff
      have ‹ftF (u2 @ t2)› by blast
      ultimately show ‹t ∈ 𝒟 ?lhs›
        by (simp add: D_Renaming D_Throw)
          (use "**"(2, 4) front_tickFree_Nil in blast)
    next
      fix t1 b t2 assume * : ‹t = t1 @ ev b # t2› ‹t1 @ [ev b] ∈ 𝒯 (Renaming P f g)›
        ‹set t1 ∩ ev ` f ` A = {}› ‹b ∈ f ` A›
        ‹t2 ∈ 𝒟 (Renaming (Q (inv_into A f b)) f g)›
      from ‹b ∈ f ` A› obtain a where ‹a ∈ A› ‹b = f a› by blast
      hence ‹inv_into A f b = a› by (meson inj_on_Un inv_into_f_f inj_on_f)
      from "*"(2) consider u1 u2 where
        ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹u2 ≠ []› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
      | u1 where ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1› ‹u1 ∈ 𝒯 P›
        by (simp add: D_T T_Renaming)
          (metis (no_types, opaque_lifting) D_T append.right_neutral)
      thus ‹t ∈ 𝒟 ?lhs›
      proof cases
        fix u1 u2
        assume ** : ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹u2 ≠ []› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
        from "**"(1, 2) obtain u2' where *** : ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2'›
          by (metis butlast_append butlast_snoc)
        from "*"(3) "***" have **** : ‹set u1 ∩ ev ` A = {}› by auto
        have ***** : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ (u2' @ ev b # t2)› ‹ftF (u2' @ ev b # t2)›
          by (simp_all add: "*"(1) "***" "****" front_tickFree_append_iff)
            (metis "*"(2, 5) "***" D_imp_front_tickFree append_T_imp_tickFree
              event⇩p⇩t⇩i⇩c⇩k.disc(1) front_tickFree_Cons_iff not_Cons_self tickFree_append_iff)
        show ‹t ∈ 𝒟 ?lhs›
          by (simp add: D_Renaming D_Throw)
            (metis "**"(3) "**"(5) "****" "*****" append_Nil2 front_tickFree_Nil)
      next
        fix u1 assume ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1› ‹u1 ∈ 𝒯 P›
        then obtain u1' where ** : ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1'› ‹u1' @ [ev a] ∈ 𝒯 P›
          by (cases u1 rule: rev_cases, simp_all add: ‹b = f a› ev_eq_map_event⇩p⇩t⇩i⇩c⇩k_iff)
            (metis Nil_is_append_conv Un_iff ‹a ∈ A› events_of_memI inj_onD
              inj_on_f last_in_set last_snoc list.distinct(1))
        from "*"(3) "**"(1) have *** : ‹set u1' ∩ ev ` A = {}› by auto
        from "*"(5) ‹inv_into A f b = a› obtain u2 u3 where
          **** : ‹t2 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2 @ u3› ‹tF u2› ‹ftF u3› ‹u2 ∈ 𝒟 (Q a)›
          unfolding Renaming_projs by blast
        have ***** : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) (u1' @ ev a # u2) @ u3› ‹tF (u1' @ ev a # u2)›
          by (simp_all add: "*"(1) "**"(1) ‹b = f a› "****"(1))
            (metis "**"(2) "****"(2) T_imp_front_tickFree butlast_snoc
              front_tickFree_iff_tickFree_butlast)
        show ‹t ∈ 𝒟 ?lhs›
          by (simp add: D_Renaming D_Throw)
            (metis "**"(2) "***" "****"(3, 4) "*****"(1, 2) ‹a ∈ A›)
      qed
    qed
  next
    fix t X assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
    assume ‹(t, X) ∈ ℱ ?lhs›
    then consider ‹t ∈ 𝒟 ?lhs›
      | u where ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P Θ a ∈ A. Q a)›
      unfolding Renaming_projs by blast
    thus ‹(t, X) ∈ ℱ ?rhs›
    proof cases
      from same_div D_F show ‹t ∈ 𝒟 ?lhs ⟹ (t, X) ∈ ℱ ?rhs› by blast
    next
      fix u assume * : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u›
        ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P Θ a ∈ A. Q a)›
      then consider ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ P› ‹set u ∩ ev ` A = {}›
        | u1 u2   where ‹u = u1 @ u2› ‹u1 ∈ 𝒟 P› ‹tF u1› ‹set u1 ∩ ev ` A = {}› ‹ftF u2›
        | u1 a u2 where ‹u = u1 @ ev a # u2› ‹u1 @ [ev a] ∈ 𝒯 P› ‹set u1 ∩ ev ` A = {}›
          ‹a ∈ A› ‹(u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (Q a)›
        unfolding F_Throw by blast
      thus ‹(t, X) ∈ ℱ ?rhs›
      proof cases
        show ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ P ⟹ set u ∩ ev ` A = {} ⟹ (t, X) ∈ ℱ ?rhs›
          by (simp add: F_Throw F_Renaming) (metis "$" "*"(1) F_T)
      next
        fix u1 u2 assume ‹u = u1 @ u2› ‹u1 ∈ 𝒟 P› ‹tF u1› ‹set u1 ∩ ev ` A = {}› ‹ftF u2›
        hence ‹t ∈ 𝒟 ?lhs›
          by (simp add: "*"(1) D_Renaming D_Throw)
            (metis append_Nil2 front_tickFree_Nil map_event⇩p⇩t⇩i⇩c⇩k_front_tickFree)
        with same_div D_F show ‹(t, X) ∈ ℱ ?rhs› by blast
      next
        fix u1 a u2
        assume ** : ‹u = u1 @ ev a # u2› ‹u1 @ [ev a] ∈ 𝒯 P› ‹set u1 ∩ ev ` A = {}›
          ‹a ∈ A› ‹(u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (Q a)›
        have *** : ‹set (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1) ∩ ev ` f ` A = {}›
          by (meson "$" "**"(2, 3) T_F_spec is_processT3)
        have ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ ev (f a) # map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2›
          by (simp add: "*"(1) "**"(1))
        moreover from "**"(2) have ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ [ev (f a)] ∈ 𝒯 (Renaming P f g)›
          by (auto simp add: T_Renaming)
        moreover have ‹inv_into A f (f a) = a›
          by (meson "**"(4) inj_on_Un inv_into_f_f inj_on_f)
        moreover from "**"(5) have ‹(map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2, X) ∈ ℱ (Renaming (Q a) f g)›
          by (auto simp add: F_Renaming)
        ultimately show ‹(t, X) ∈ ℱ ?rhs›
          by (simp add: F_Throw) (metis "**"(4) "***" image_eqI)
      qed
    qed
  next
    fix t X assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
    assume ‹(t, X) ∈ ℱ ?rhs›
    then consider ‹t ∈ 𝒟 ?rhs›
      | ‹(t, X) ∈ ℱ (Renaming P f g)› ‹set t ∩ ev ` f ` A = {}›
      | t1 b t2 where ‹t = t1 @ ev b # t2› ‹t1 @ [ev b] ∈ 𝒯 (Renaming P f g)›
        ‹set t1 ∩ ev ` f ` A = {}› ‹b ∈ f ` A›
        ‹(t2, X) ∈ ℱ (Renaming (Q (inv_into A f b)) f g)›
      unfolding Throw_projs by auto
    thus ‹(t, X) ∈ ℱ ?lhs›
    proof cases
      from same_div D_F show ‹t ∈ 𝒟 ?rhs ⟹ (t, X) ∈ ℱ ?lhs› by blast
    next
      assume * : ‹(t, X) ∈ ℱ (Renaming P f g)› ‹set t ∩ ev ` f ` A = {}›
      from "*"(1) consider ‹t ∈ 𝒟 (Renaming P f g)›
        | u where ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u› ‹(u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ P›
        unfolding Renaming_projs by blast
      thus ‹(t, X) ∈ ℱ ?lhs›
      proof cases
        assume ‹t ∈ 𝒟 (Renaming P f g)›
        hence ‹t ∈ 𝒟 ?lhs›
          by (simp add: D_Renaming D_Throw)
            (metis (no_types, lifting) "$" "*"(2) D_T Un_Int_eq(3) append_Nil2
              front_tickFree_Nil inf_bot_right inf_sup_aci(2) set_append)
        with D_F show ‹(t, X) ∈ ℱ ?lhs› by blast
      next
        show ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u ⟹ (u, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ P
              ⟹ (t, X) ∈ ℱ ?lhs› for u
          by (simp add: F_Renaming F_Throw) (metis "$" "*"(2) F_T)
      qed
    next
      fix t1 b t2
      assume * : ‹t = t1 @ ev b # t2› ‹t1 @ [ev b] ∈ 𝒯 (Renaming P f g)›
        ‹set t1 ∩ ev ` f ` A = {}› ‹b ∈ f ` A›
        ‹(t2, X) ∈ ℱ (Renaming (Q (inv_into A f b)) f g)›
      from "*"(4) obtain a where ‹a ∈ A› ‹b = f a› by blast
      hence ‹inv_into A f b = a› by (meson inj_on_Un inv_into_f_f inj_on_f)
      from "*"(2) consider u1 u2 where
        ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹u2 ≠ []› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
      | u1 where ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1› ‹u1 ∈ 𝒯 P›
        by (simp add: D_T T_Renaming)
          (metis (no_types, opaque_lifting) D_T append.right_neutral)
      thus ‹(t, X) ∈ ℱ ?lhs›
      proof cases
        fix u1 u2
        assume ** : ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2› ‹u2 ≠ []› ‹tF u1› ‹ftF u2› ‹u1 ∈ 𝒟 P›
        from "**"(1, 2) obtain u2' where *** : ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1 @ u2'›
          by (metis butlast_append butlast_snoc)
        from "*"(3) "***" have ‹set u1 ∩ ev ` A = {}› by auto
        with "**"(3-5) "***" have ‹t ∈ 𝒟 ?rhs›
          by (simp add: D_Renaming D_Throw)
            (metis "*"(1, 3) F_imp_front_tickFree ‹(t, X) ∈ ℱ ?rhs› front_tickFree_Nil
              front_tickFree_append_iff front_tickFree_dw_closed list.discI)
        with same_div D_F show ‹(t, X) ∈ ℱ ?lhs› by blast
      next
        fix u1 assume ‹t1 @ [ev b] = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1› ‹u1 ∈ 𝒯 P›
        then obtain u1' where ** : ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u1'› ‹u1' @ [ev a] ∈ 𝒯 P›
          by (cases u1 rule: rev_cases, simp_all add: ‹b = f a› ev_eq_map_event⇩p⇩t⇩i⇩c⇩k_iff)
            (metis Nil_is_append_conv Un_iff ‹a ∈ A› events_of_memI inj_onD
              inj_on_f last_in_set last_snoc list.distinct(1))
        from "*"(3) "**"(1) have *** : ‹set u1' ∩ ev ` A = {}› by auto
        from "*"(5) ‹inv_into A f b = a› consider ‹t2 ∈ 𝒟 (Renaming (Q a) f g)›
          | u2 where ‹t2 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2› ‹(u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (Q a)›
          unfolding Renaming_projs by blast
        thus ‹(t, X) ∈ ℱ ?lhs›
        proof cases
          assume ‹t2 ∈ 𝒟 (Renaming (Q a) f g)›
          with "*"(1-4) ‹inv_into A f b = a› have ‹t ∈ 𝒟 ?rhs›
            by (auto simp add: D_Throw)
          with same_div D_F show ‹(t, X) ∈ ℱ ?lhs› by blast
        next
          fix u2 assume **** : ‹t2 = map (map_event⇩p⇩t⇩i⇩c⇩k f g) u2›
            ‹(u2, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (Q a)›
          from "****"(1) have ***** : ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) (u1' @ ev a # u2)›  
            by (simp add: "*"(1) "**"(1) "****" ‹b = f a›)
          show ‹(t, X) ∈ ℱ ?lhs›
            by (simp add: F_Renaming F_Throw)
              (use "**"(2) "***" "****"(2) "*****" ‹a ∈ A› in blast)
        qed
      qed
    qed
  qed
qed
subsection ‹\<^const>‹Renaming› and \<^const>‹Hiding››
text ‹When \<^term>‹f› is one to one, \<^term>‹Renaming (P \ S) f› will behave like we expect it to do.›
lemma strict_mono_map: ‹strict_mono g ⟹ strict_mono (λi. map f (g i))›
  unfolding strict_mono_def less_eq_list_def less_list_def prefix_def by fastforce
lemma trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k :
  ‹inj_on (map_event⇩p⇩t⇩i⇩c⇩k f g) (set s ∪ ev ` S) ⟹
   trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) s) (ev ` f ` S) = 
   map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide s (ev ` S))›
proof (induct s)
  case Nil
  show ?case by simp
next
  case (Cons e s)
  hence * : ‹trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) s) (ev ` f ` S) = 
             map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide s (ev ` S))› by fastforce
  from Cons.prems[unfolded inj_on_def, rule_format, of e, simplified] show ?case
    apply (simp add: "*")
    apply (simp add: image_iff)
    by (metis event⇩p⇩t⇩i⇩c⇩k.simps(9))
qed
lemma inj_on_map_event⇩p⇩t⇩i⇩c⇩k_set_T:
  ‹inj_on (map_event⇩p⇩t⇩i⇩c⇩k f g) (set s)› if ‹inj_on f (events_of P)› ‹s ∈ 𝒯 P›
proof (rule inj_onI)
  show ‹e ∈ set s ⟹ e' ∈ set s ⟹ map_event⇩p⇩t⇩i⇩c⇩k f g e = map_event⇩p⇩t⇩i⇩c⇩k f g e' ⟹ e = e'› for e e'
    by (cases e; cases e'; simp)
      (meson events_of_memI inj_onD that(1, 2),
        metis T_imp_front_tickFree event⇩p⇩t⇩i⇩c⇩k.disc(2) event⇩p⇩t⇩i⇩c⇩k.simps(2) front_tickFree_Cons_iff that(2)
        front_tickFree_nonempty_append_imp list.distinct(1) snoc_eq_iff_butlast split_list_last)
qed
theorem bij_Renaming_Hiding: ‹Renaming (P \ S) f g = Renaming P f g \ f ` S›
  (is ‹?lhs = ?rhs›) if bij_f: ‹bij f› and bij_g : ‹bij g›
proof -
  have inj_on_map_event⇩p⇩t⇩i⇩c⇩k : ‹inj_on (map_event⇩p⇩t⇩i⇩c⇩k f g) X› for X
  proof (rule inj_onI)
    show ‹e ∈ X ⟹ e' ∈ X ⟹ map_event⇩p⇩t⇩i⇩c⇩k f g e = map_event⇩p⇩t⇩i⇩c⇩k f g e' ⟹ e = e'› for e e'
      by (cases e; cases e'; simp)
        (metis bij_f bij_pointE, metis bij_g bij_pointE)
  qed
  have inj_on_map_event⇩p⇩t⇩i⇩c⇩k_inv : ‹inj_on (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)) X› for X
  proof (rule inj_onI)
    show ‹e ∈ X ⟹ e' ∈ X ⟹ map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g) e = map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g) e'
          ⟹ e = e'› for e e'
      by (cases e; cases e', simp_all)
        (metis bij_f bij_inv_eq_iff, metis bij_g bij_inv_eq_iff)
  qed
  show ‹?lhs = ?rhs›
  proof (subst Process_eq_spec_optimized, safe)
    fix s
    assume ‹s ∈ 𝒟 ?lhs›
    then obtain s1 s2 where * : ‹tickFree s1› ‹front_tickFree s2›
      ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2› ‹s1 ∈ 𝒟 (P \ S)›
      by (simp add: D_Renaming) blast
    from "*"(4) obtain t u
      where ** : ‹front_tickFree u› ‹tickFree t› ‹s1 = trace_hide t (ev ` S) @ u›
        ‹t ∈ 𝒟 P ∨ (∃h. isInfHiddenRun h P S ∧ t ∈ range h)›
      by (simp add: D_Hiding) blast
    from "**"(4) show ‹s ∈ 𝒟 ?rhs›
    proof (elim disjE)
      assume ‹t ∈ 𝒟 P›
      hence ‹front_tickFree (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u @ s2) ∧ tickFree (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) ∧
             s = trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) (ev ` f ` S) @ map (map_event⇩p⇩t⇩i⇩c⇩k f g) u @ s2 ∧
             map (map_event⇩p⇩t⇩i⇩c⇩k f g) t ∈ 𝒟 (Renaming P f g)›
        apply (simp add: "*"(3) "**"(2, 3) map_event⇩p⇩t⇩i⇩c⇩k_tickFree, intro conjI)
        apply (metis "*"(1, 2) "**"(1) "**"(3) front_tickFree_append_iff
            map_event⇩p⇩t⇩i⇩c⇩k_front_tickFree map_event⇩p⇩t⇩i⇩c⇩k_tickFree tickFree_append_iff)
        apply (simp add: trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k inj_on_map_event⇩p⇩t⇩i⇩c⇩k)
        by (metis (mono_tags, lifting) "**"(2) CollectI D_Renaming append.right_neutral front_tickFree_Nil)
      thus ‹s ∈ 𝒟 ?rhs› by (simp add: D_Hiding) blast
    next
      assume ‹∃h. isInfHiddenRun h P S ∧ t ∈ range h›
      then obtain h where ‹isInfHiddenRun h P S› ‹t ∈ range h› by blast
      hence ‹front_tickFree (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u @ s2) ∧
             tickFree (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) ∧
             s = trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) (ev ` f ` S) @ map (map_event⇩p⇩t⇩i⇩c⇩k f g) u @ s2 ∧
             isInfHiddenRun (λi. map (map_event⇩p⇩t⇩i⇩c⇩k f g) (h i)) (Renaming P f g) (f ` S) ∧ 
             map (map_event⇩p⇩t⇩i⇩c⇩k f g) t ∈ range (λi. map (map_event⇩p⇩t⇩i⇩c⇩k f g) (h i))›
        apply (simp add: "*"(3) "**"(2, 3) map_event⇩p⇩t⇩i⇩c⇩k_tickFree, intro conjI)
        apply (metis "*"(1, 2) "**"(3) front_tickFree_append map_event⇩p⇩t⇩i⇩c⇩k_tickFree tickFree_append_iff)
        apply (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k, symmetric])
        apply (solves ‹rule strict_mono_map, simp›)
        apply (solves ‹auto simp add: T_Renaming›)
        apply (subst (1 2) trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k])
        by metis blast
      thus ‹s ∈ 𝒟 ?rhs› by (simp add: D_Hiding) blast
    qed
  next
    fix s
    assume ‹s ∈ 𝒟 ?rhs›
    then obtain t u
      where * : ‹front_tickFree u› ‹tickFree t› ‹s = trace_hide t (ev ` f ` S) @ u›
        ‹t ∈ 𝒟 (Renaming P f g) ∨ 
                 (∃h. isInfHiddenRun h (Renaming P f g) (f ` S) ∧ t ∈ range h)›
      by (simp add: D_Hiding) blast
    from "*"(4) show ‹s ∈ 𝒟 ?lhs›
    proof (elim disjE)
      assume ‹t ∈ 𝒟 (Renaming P f g)›
      then obtain t1 t2 where ** : ‹tickFree t1› ‹front_tickFree t2› 
        ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1 @ t2› ‹t1 ∈ 𝒟 P›
        by (simp add: D_Renaming) blast
      have ‹tickFree (trace_hide t1 (ev ` S)) ∧ 
            front_tickFree (trace_hide t2 (ev ` f ` S) @ u) ∧
            trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1) (ev ` f ` S) @ trace_hide t2 (ev ` f ` S) @ u =
            map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide t1 (ev ` S)) @ trace_hide t2 (ev ` f ` S) @ u ∧
            trace_hide t1 (ev ` S) ∈ 𝒟 (P \ S)›
        apply (simp, intro conjI)
        using "**"(1) Hiding_tickFree apply blast
        using "*"(1, 2) "**"(3) Hiding_tickFree front_tickFree_append tickFree_append_iff apply blast
        apply (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k])
        using "**"(4) mem_D_imp_mem_D_Hiding by blast
      thus ‹s ∈ 𝒟 ?lhs› by (simp add: D_Renaming "*"(3) "**"(3)) blast
    next
      have inv_S: ‹S = inv f ` f ` S› by (simp add: bij_is_inj bij_f)
      have inj_inv_f: ‹inj (inv f)› 
        by (simp add: bij_imp_bij_inv bij_is_inj bij_f)
      have ** : ‹map (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g) ∘ map_event⇩p⇩t⇩i⇩c⇩k f g) v = v› for v
        by (induct v, simp_all)
          (metis bij_f bij_g bij_inv_eq_iff event⇩p⇩t⇩i⇩c⇩k.exhaust event⇩p⇩t⇩i⇩c⇩k.simps(9) map_event⇩p⇩t⇩i⇩c⇩k_eq_tick_iff)
      assume ‹∃h. isInfHiddenRun h (Renaming P f g) (f ` S) ∧ t ∈ range h›
      then obtain h
        where *** : ‹isInfHiddenRun h (Renaming P f g) (f ` S)› ‹t ∈ range h› by blast
      then consider t1 where ‹t1 ∈ 𝒯 P› ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1›
        | t1 t2 where ‹tickFree t1› ‹front_tickFree t2› 
          ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1 @ t2› ‹t1 ∈ 𝒟 P›
        by (simp add: T_Renaming) blast
      thus ‹s ∈ 𝒟 ?lhs›
      proof cases
        fix t1 assume **** : ‹t1 ∈ 𝒯 P› ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1›
        have ***** : ‹t1 = map (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)) t› by (simp add: "****"(2) "**")
        have ****** : ‹trace_hide t1 (ev ` S) = trace_hide t1 (ev ` S) ∧
                       isInfHiddenRun (λi. map (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)) (h i)) P S ∧ 
                       t1 ∈ range (λi. map (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)) (h i))›
          apply (simp add: "***"(1) strict_mono_map, intro conjI)
          apply (subst Renaming_inv[where f = f and g = g, symmetric])
          apply (solves ‹simp add: bij_is_inj bij_f›)
          apply (solves ‹simp add: bij_is_inj bij_g›)
          using "***"(1) apply (subst T_Renaming, blast)
          apply (subst (1 2) inv_S, subst (1 2) trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k_inv])
          apply (metis "***"(1))
          using "***"(2) "*****" by blast
        have ‹tickFree (trace_hide t1 (ev ` S)) ∧ front_tickFree t1 ∧
              trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1) (ev ` f ` S) @ u = 
              map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide t1 (ev ` S)) @ u ∧ 
              trace_hide t1 (ev ` S) ∈ 𝒟 (P \ S)›
          apply (simp, intro conjI)
          using "*"(2) "****"(2) map_event⇩p⇩t⇩i⇩c⇩k_tickFree Hiding_tickFree apply blast
          using "****"(1) is_processT2_TR apply blast
          apply (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k])
          apply (simp add: D_Renaming D_Hiding)
          using "*"(2) "*****" "******" map_event⇩p⇩t⇩i⇩c⇩k_tickFree front_tickFree_Nil by blast
        with "*"(1) show ‹s ∈ 𝒟 ?lhs› by (simp add: D_Renaming "*"(3) "****"(2)) blast
      next
        fix t1 t2 assume **** : ‹tickFree t1› ‹front_tickFree t2›
          ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1 @ t2› ‹t1 ∈ 𝒟 P›
        have ‹tickFree (trace_hide t1 (ev ` S)) ∧
              front_tickFree (trace_hide t2 (ev ` f ` S) @ u) ∧
              trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t1) (ev ` f ` S) @ trace_hide t2 (ev ` f ` S) @ u =
              map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide t1 (ev ` S)) @ trace_hide t2 (ev ` f ` S) @ u ∧
              trace_hide t1 (ev ` S) ∈ 𝒟 (P \ S)›
          apply (simp, intro conjI)
          using "****"(1) Hiding_tickFree apply blast
          using "*"(1, 2) "****"(3) Hiding_tickFree front_tickFree_append tickFree_append_iff apply blast
          apply (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k])
          using "****"(4) mem_D_imp_mem_D_Hiding by blast
        thus ‹s ∈ 𝒟 ?lhs› by (simp add: D_Renaming "*"(3) "****"(3)) blast
      qed
    qed
  next
    fix s X
    assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
    assume ‹(s, X) ∈ ℱ ?lhs›
    then consider ‹s ∈ 𝒟 ?lhs›
      | s1 where ‹(s1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P \ S)› ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1›
      by (simp add: F_Renaming D_Renaming) blast
    thus ‹(s, X) ∈ ℱ ?rhs›
    proof cases
      from D_F same_div show ‹s ∈ 𝒟 ?lhs ⟹ (s, X) ∈ ℱ ?rhs› by blast
    next
      fix s1 assume * : ‹(s1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P \ S)›
        ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1›
      from this(1) consider ‹s1 ∈ 𝒟 (P \ S)›
        | t where ‹s1 = trace_hide t (ev ` S)› ‹(t, map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ ev ` S) ∈ ℱ P›
        by (simp add: F_Hiding D_Hiding) blast
      thus ‹(s, X) ∈ ℱ ?rhs›
      proof cases
        assume ‹s1 ∈ 𝒟 (P \ S)›
        then obtain t u
          where ** : ‹front_tickFree u› ‹tickFree t› ‹s1 = trace_hide t (ev ` S) @ u›
            ‹t ∈ 𝒟 P ∨ (∃g. isInfHiddenRun g P S ∧ t ∈ range g)›
          by (simp add: D_Hiding) blast
        have *** : ‹front_tickFree (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u) ∧ tickFree (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) ∧
                    map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide t (ev ` S)) @ map (map_event⇩p⇩t⇩i⇩c⇩k f g) u = 
                    trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) (ev ` f ` S) @ (map (map_event⇩p⇩t⇩i⇩c⇩k f g) u)›
          by (simp add: map_event⇩p⇩t⇩i⇩c⇩k_front_tickFree map_event⇩p⇩t⇩i⇩c⇩k_tickFree "**"(1, 2))
            (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k, symmetric])
        from "**"(4) show ‹(s, X) ∈ ℱ ?rhs›
        proof (elim disjE exE)
          assume ‹t ∈ 𝒟 P›
          hence $ : ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) t ∈ 𝒟 (Renaming P f g)›
            apply (simp add: D_Renaming)
            using "**"(2) front_tickFree_Nil by blast
          show ‹(s, X) ∈ ℱ ?rhs›
            by (simp add: F_Hiding) (metis "$" "*"(2) "**"(3) "***" map_append)
        next
          fix h assume ‹isInfHiddenRun h P S ∧ t ∈ range h›
          hence $ : ‹isInfHiddenRun (λi. map (map_event⇩p⇩t⇩i⇩c⇩k f g) (h i)) (Renaming P f g) (f ` S) ∧ 
                     map (map_event⇩p⇩t⇩i⇩c⇩k f g) t ∈ range (λi. map (map_event⇩p⇩t⇩i⇩c⇩k f g) (h i))›
            apply (subst (1 2) trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k])
            by (simp add: strict_mono_map T_Renaming image_iff) (metis (mono_tags, lifting))
          show ‹(s, X) ∈ ℱ ?rhs›
            apply (simp add: F_Hiding)
              
            by (smt (verit, del_insts) "$" "*"(2) "**"(3) "***" map_append)
        qed
      next
        fix t assume ** : ‹s1 = trace_hide t (ev ` S)› 
          ‹(t, map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ ev ` S) ∈ ℱ P›
        have *** : ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ map_event⇩p⇩t⇩i⇩c⇩k f g -` ev ` f ` S = map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ ev ` S›
          by (auto simp add: image_iff map_event⇩p⇩t⇩i⇩c⇩k_eq_ev_iff) (metis bij_f bij_pointE)
        have ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide t (ev ` S)) = 
              trace_hide (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t) (ev ` f ` S) ∧
              (map (map_event⇩p⇩t⇩i⇩c⇩k f g) t, X ∪ ev ` f ` S) ∈ ℱ (Renaming P f g)›
          apply (intro conjI)
          apply (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k, symmetric])
          apply (simp add: F_Renaming)
          using "**"(2) "***" by auto
        show ‹(s, X) ∈ ℱ ?rhs›
          apply (simp add: F_Hiding "*"(2) "**"(1))
          using ‹?this› by blast
      qed
    qed
  next
    fix s X
    assume same_div : ‹𝒟 ?lhs = 𝒟 ?rhs›
    assume ‹(s, X) ∈ ℱ ?rhs›
    then consider ‹s ∈ 𝒟 ?rhs›
      | t where ‹s = trace_hide t (ev ` f ` S)› ‹(t, X ∪ ev ` f ` S) ∈ ℱ (Renaming P f g)›
      by (simp add: F_Hiding D_Hiding) blast
    thus ‹(s, X) ∈ ℱ ?lhs›
    proof cases
      from D_F same_div show ‹s ∈ 𝒟 ?rhs ⟹ (s, X) ∈ ℱ ?lhs› by blast
    next
      fix t assume ‹s = trace_hide t (ev ` f ` S)› ‹(t, X ∪ ev ` f ` S) ∈ ℱ (Renaming P f g)›
      then obtain t
        where * : ‹s = trace_hide t (ev ` f ` S)›
          ‹(t, X ∪ ev ` f ` S) ∈ ℱ (Renaming P f g)› by blast
      have ** : ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ map_event⇩p⇩t⇩i⇩c⇩k f g -` ev ` f ` S = map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ ev ` S›
        by (auto simp add: image_iff map_event⇩p⇩t⇩i⇩c⇩k_eq_ev_iff) (metis bij_f bij_pointE)
      have ‹(∃s1. (s1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ map_event⇩p⇩t⇩i⇩c⇩k f g -` ev ` f ` S) ∈ ℱ P ∧ t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1) ∨ 
            (∃s1 s2. tickFree s1 ∧ front_tickFree s2 ∧ t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2 ∧ s1 ∈ 𝒟 P)›
        using "*"(2) by (auto simp add: F_Renaming)
      thus ‹(s, X) ∈ ℱ ?lhs›
      proof (elim disjE exE conjE)
        fix s1
        assume ‹(s1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X ∪ map_event⇩p⇩t⇩i⇩c⇩k f g -` ev ` f ` S) ∈ ℱ P› ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1›
        hence ‹(trace_hide s1 (ev ` S), map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P \ S) ∧
               s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide s1 (ev ` S))›
          apply (simp add: "*"(1) F_Hiding "**", intro conjI)
          by blast (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k])
        show ‹(s, X) ∈ ℱ ?lhs›
          apply (simp add: F_Renaming)
          using ‹?this› by blast
      next
        fix s1 s2
        assume ‹tickFree s1› ‹front_tickFree s2› ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2› ‹s1 ∈ 𝒟 P›
        hence ‹tickFree (trace_hide s1 (ev ` S)) ∧ 
               front_tickFree (trace_hide s2 (ev ` f ` S)) ∧ 
               s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) (trace_hide s1 (ev ` S)) @ trace_hide s2 (ev ` f ` S) ∧ 
               trace_hide s1 (ev ` S) ∈ 𝒟 (P \ S)›
          apply (simp add: F_Renaming "*"(1), intro conjI)
          using Hiding_tickFree apply blast
          using Hiding_front_tickFree apply blast
          apply (rule trace_hide_map_map_event⇩p⇩t⇩i⇩c⇩k[OF inj_on_map_event⇩p⇩t⇩i⇩c⇩k])
          using mem_D_imp_mem_D_Hiding by blast
        show ‹(s, X) ∈ ℱ ?lhs›
          apply (simp add: F_Renaming)
          using ‹?this› by blast
      qed
    qed
  qed
qed
subsection ‹\<^const>‹Renaming› and \<^const>‹Sync››
text ‹Idem for the synchronization: when \<^term>‹f› is one to one, 
      \<^term>‹Renaming (P ⟦S⟧ Q)› will behave as expected.›
lemma bij_map_setinterleaving_iff_setinterleaving :
  ‹map f r setinterleaves ((map f t, map f u), f ` S) ⟷
   r setinterleaves ((t, u), S)› if bij_f : ‹bij f›
proof (induct ‹(t, S, u)› arbitrary: t u r rule: setinterleaving.induct)
  case 1
  thus ?case by simp
next
  case (2 y u)
  show ?case
  proof (cases ‹y ∈ S›)
    show ‹y ∈ S ⟹ ?case› by simp
  next
    assume ‹y ∉ S›
    hence ‹f y ∉ f ` S› by (metis bij_betw_imp_inj_on inj_image_mem_iff bij_f)
    with "2.hyps"[OF ‹y ∉ S›, of ‹tl r›] show ?case
      by (cases r; simp add: ‹y ∉ S›) (metis bij_pointE bij_f)
  qed
next
  case (3 x t)
  show ?case
  proof (cases ‹x ∈ S›)
    show ‹x ∈ S ⟹ ?case› by simp
  next
    assume ‹x ∉ S›
    hence ‹f x ∉ f ` S› by (metis bij_betw_imp_inj_on inj_image_mem_iff bij_f)
    with "3.hyps"[OF ‹x ∉ S›, of ‹tl r›] show ?case
      by (cases r; simp add: ‹x ∉ S›) (metis bij_pointE bij_f)
  qed
next
  case (4 x t y u)
  have  * : ‹x ≠ y ⟹ f x ≠ f y› by (metis bij_pointE bij_f)
  have ** : ‹f z ∈ f ` S ⟷ z ∈ S› for z
    by (meson bij_betw_def inj_image_mem_iff bij_f)
  show ?case
  proof (cases ‹x ∈ S›; cases ‹y ∈ S›)
    from "4.hyps"(1)[of ‹tl r›] show ‹x ∈ S ⟹ y ∈ S ⟹ ?case›
      by (cases r; simp add: "*") (metis bij_pointE bij_f)
  next
    from "4.hyps"(2)[of ‹tl r›] show ‹x ∈ S ⟹ y ∉ S ⟹ ?case›
      by (cases r; simp add: "**") (metis bij_pointE bij_f)
  next
    from "4.hyps"(5)[of ‹tl r›] show ‹x ∉ S ⟹ y ∈ S ⟹ ?case›
      by (cases r; simp add: "**") (metis bij_pointE bij_f)
  next
    from "4.hyps"(3, 4)[of ‹tl r›] show ‹x ∉ S ⟹ y ∉ S ⟹ ?case›
      by (cases r; simp add: "**") (metis bij_pointE bij_f)
  qed
qed
theorem bij_Renaming_Sync:
  ‹Renaming (P ⟦S⟧ Q) f g = Renaming P f g ⟦f ` S⟧ Renaming Q f g›
  (is ‹?lhs P Q = ?rhs P Q›) if bij_f: ‹bij f› and bij_g : ‹bij g›
proof -
  
  have bij_map_event⇩p⇩t⇩i⇩c⇩k : ‹bij (map_event⇩p⇩t⇩i⇩c⇩k f g)›
  proof (rule bijI)
    show ‹inj (map_event⇩p⇩t⇩i⇩c⇩k f g)›
    proof (rule injI)
      show ‹map_event⇩p⇩t⇩i⇩c⇩k f g e = map_event⇩p⇩t⇩i⇩c⇩k f g e' ⟹ e = e'› for e e'
        by (cases e; cases e'; simp)
          (metis bij_f bij_pointE, metis bij_g bij_pointE)
    qed
  next
    show ‹surj (map_event⇩p⇩t⇩i⇩c⇩k f g)›
    proof (rule surjI)
      show ‹map_event⇩p⇩t⇩i⇩c⇩k f g (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g) e) = e› for e
        by (cases e, simp_all)
          (meson bij_f bij_inv_eq_iff, meson bij_g bij_inv_eq_iff)
    qed
  qed
  moreover have ‹map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g) ∘ map_event⇩p⇩t⇩i⇩c⇩k f g = id›
  proof (rule ext)
    show ‹(map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g) ∘ map_event⇩p⇩t⇩i⇩c⇩k f g) e = id e› for e
      by (cases e, simp_all)
        (meson bij_betw_def bij_f inv_f_eq, meson bij_betw_def bij_g inv_f_eq)
  qed
  ultimately have inv_map_event⇩p⇩t⇩i⇩c⇩k_is_map_event⇩p⇩t⇩i⇩c⇩k_inv :
    ‹inv (map_event⇩p⇩t⇩i⇩c⇩k f g) = map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)›
    by (metis bij_betw_imp_inj_on bij_betw_imp_surj_on inv_o_cancel surj_fun_eq)
  have sets_S_eq : ‹map_event⇩p⇩t⇩i⇩c⇩k f g ` (range tick ∪ ev ` S) = range tick ∪ ev ` f ` S›
    by (auto simp add: image_iff)
      (metis Un_iff bij_g bij_pointE event⇩p⇩t⇩i⇩c⇩k.simps(10) rangeI,
        metis Un_iff event⇩p⇩t⇩i⇩c⇩k.simps(9) imageI)
  have inj_map_event⇩p⇩t⇩i⇩c⇩k : ‹inj (map_event⇩p⇩t⇩i⇩c⇩k f g)›
    and inj_inv_map_event⇩p⇩t⇩i⇩c⇩k : ‹inj (inv (map_event⇩p⇩t⇩i⇩c⇩k f g))›
    by (use bij_betw_imp_inj_on bij_map_event⇩p⇩t⇩i⇩c⇩k in blast)
      (meson bij_betw_imp_inj_on bij_betw_inv_into bij_map_event⇩p⇩t⇩i⇩c⇩k)
  show ‹?lhs P Q = ?rhs P Q›
  proof (subst Process_eq_spec_optimized, safe)
    fix s
    assume ‹s ∈ 𝒟 (?lhs P Q)›
    then obtain s1 s2 where * : ‹tickFree s1› ‹front_tickFree s2›
      ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2› ‹s1 ∈ 𝒟 (P ⟦S⟧ Q)›
      by (simp add: D_Renaming) blast
    from "*"(4) obtain t u r v 
      where ** : ‹front_tickFree v› ‹tickFree r ∨ v = []› 
        ‹s1 = r @ v› ‹r setinterleaves ((t, u), range tick ∪ ev ` S)›
        ‹t ∈ 𝒟 P ∧ u ∈ 𝒯 Q ∨ t ∈ 𝒟 Q ∧ u ∈ 𝒯 P› 
      by (simp add: D_Sync) blast
    { fix t u P Q
      assume assms : ‹r setinterleaves ((t, u), range tick ∪ ev ` S)› 
        ‹t ∈ 𝒟 P› ‹u ∈ 𝒯 Q›
      have ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) r setinterleaves 
            ((map (map_event⇩p⇩t⇩i⇩c⇩k f g) t, map (map_event⇩p⇩t⇩i⇩c⇩k f g) u), range tick ∪ ev ` f ` S)›
        by (metis assms(1) bij_map_setinterleaving_iff_setinterleaving bij_map_event⇩p⇩t⇩i⇩c⇩k sets_S_eq)
      moreover have ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) t ∈ 𝒟 (Renaming P f g)›
        apply (cases ‹tickFree t›; simp add: D_Renaming)
        using assms(2) front_tickFree_Nil apply blast
        by (metis D_T D_imp_front_tickFree append_T_imp_tickFree assms(2) front_tickFree_Cons_iff
            is_processT9 list.simps(3) map_append nonTickFree_n_frontTickFree map_event⇩p⇩t⇩i⇩c⇩k_front_tickFree)
      moreover have ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) u ∈ 𝒯 (Renaming Q f g)›
        using assms(3) by (simp add: T_Renaming) blast
      ultimately have ‹s ∈ 𝒟 (?rhs P Q)›
        by (simp add: D_Sync "*"(3) "**"(3))
          (metis "*"(1, 2) "**"(3) map_event⇩p⇩t⇩i⇩c⇩k_tickFree front_tickFree_append tickFree_append_iff)
    } note *** = this
    from "**"(4, 5) "***" show ‹s ∈ 𝒟 (?rhs P Q)›
      apply (elim disjE)
      using "**"(4) "***" apply blast
      using "**"(4) "***" by (subst Sync_commute) blast
  next
    fix s
    assume ‹s ∈ 𝒟 (?rhs P Q)›
    then obtain t u r v
      where * : ‹front_tickFree v› ‹tickFree r ∨ v = []› ‹s = r @ v› 
        ‹r setinterleaves ((t, u), range tick ∪ ev ` f ` S)›
        ‹t ∈ 𝒟 (Renaming P f g) ∧ u ∈ 𝒯 (Renaming Q f g) ∨
                 t ∈ 𝒟 (Renaming Q f g) ∧ u ∈ 𝒯 (Renaming P f g)›
      by (simp add: D_Sync) blast
    { fix t u P Q
      assume assms : ‹r setinterleaves ((t, u), range tick ∪ ev ` f ` S)›
        ‹t ∈ 𝒟 (Renaming P f g)› ‹u ∈ 𝒯 (Renaming Q f g)›
      have ‹inv (map_event⇩p⇩t⇩i⇩c⇩k f g) ` (range tick ∪ ev ` f ` S) =
            inv (map_event⇩p⇩t⇩i⇩c⇩k f g) ` map_event⇩p⇩t⇩i⇩c⇩k f g ` (range tick ∪ ev ` S)›
        using sets_S_eq by presburger
      from bij_map_setinterleaving_iff_setinterleaving
        [THEN iffD2, OF _ assms(1), of ‹inv (map_event⇩p⇩t⇩i⇩c⇩k f g)›,
          simplified this image_inv_f_f[OF inj_map_event⇩p⇩t⇩i⇩c⇩k]]
      have ** : ‹(map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) r) setinterleaves
                 ((map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) t, map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) u), range tick ∪ ev ` S)›
        using bij_betw_inv_into bij_map_event⇩p⇩t⇩i⇩c⇩k by blast
      from assms(2) obtain s1 s2
        where ‹t = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1 @ s2› ‹tickFree s1› ‹front_tickFree s2› ‹s1 ∈ 𝒟 P›
        by (auto simp add: D_Renaming)
      hence ‹map (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)) t ∈ 𝒟 (Renaming (Renaming P f g) (inv f) (inv g))›
        apply (simp add: D_Renaming)
        apply (rule_tac x = ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1› in exI)
        apply (rule_tac x = ‹map (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)) s2› in exI)
        by simp (metis append_Nil2 front_tickFree_Nil map_event⇩p⇩t⇩i⇩c⇩k_front_tickFree map_event⇩p⇩t⇩i⇩c⇩k_tickFree)
      hence *** : ‹map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) t ∈ 𝒟 P›
        by (metis Renaming_inv bij_def bij_f bij_g inv_map_event⇩p⇩t⇩i⇩c⇩k_is_map_event⇩p⇩t⇩i⇩c⇩k_inv)
      have ‹map (map_event⇩p⇩t⇩i⇩c⇩k (inv f) (inv g)) u ∈ 𝒯 (Renaming (Renaming Q f g) (inv f) (inv g))›
        using assms(3) by (subst T_Renaming, simp) blast
      hence **** : ‹map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) u ∈ 𝒯 Q›
        by (simp add: Renaming_inv bij_f bij_g bij_is_inj inv_map_event⇩p⇩t⇩i⇩c⇩k_is_map_event⇩p⇩t⇩i⇩c⇩k_inv)
      have ***** : ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g ∘ inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) r = r›
        by (metis (no_types, lifting) bij_betw_imp_inj_on bij_betw_inv_into bij_map_event⇩p⇩t⇩i⇩c⇩k inj_iff list.map_comp list.map_id)
      have ‹s ∈ 𝒟 (?lhs P Q)›
      proof (cases ‹tickFree r›)
        assume ‹tickFree r›
        have $ : ‹r @ v = map (map_event⇩p⇩t⇩i⇩c⇩k f g) (map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) r) @ v›
          by (simp add: "*****")
        show ‹s ∈ 𝒟 (?lhs P Q)›
          apply (simp add: D_Renaming D_Sync "*"(3))
          by (metis "$" "*"(1) "**" "***" "****" map_event⇩p⇩t⇩i⇩c⇩k_tickFree ‹tickFree r› 
              append.right_neutral append_same_eq front_tickFree_Nil)
      next
        assume ‹¬ tickFree r›
        then obtain r' res where $ : ‹r = r' @ [✓(res)]› ‹tickFree r'›
          by (metis D_imp_front_tickFree assms butlast_snoc front_tickFree_charn
              front_tickFree_single ftf_Sync is_processT2_TR list.distinct(1)
              nonTickFree_n_frontTickFree self_append_conv2)
        then obtain t' u'
          where $$ : ‹t = t' @ [✓(res)]› ‹u = u' @ [✓(res)]›
          by (metis D_imp_front_tickFree SyncWithTick_imp_NTF T_imp_front_tickFree assms)
        hence $$$ : ‹(map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) r') setinterleaves
                     ((map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) t', map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) u'),
                      range tick ∪ ev ` S)›
          by (metis "$"(1) append_same_eq assms(1) bij_betw_imp_surj_on
              bij_map_setinterleaving_iff_setinterleaving bij_map_event⇩p⇩t⇩i⇩c⇩k
              ftf_Sync32 inj_imp_bij_betw_inv inj_map_event⇩p⇩t⇩i⇩c⇩k sets_S_eq)
        from "***" $$(1) have *** : ‹map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) t' ∈ 𝒟 P› 
          by simp (use inv_map_event⇩p⇩t⇩i⇩c⇩k_is_map_event⇩p⇩t⇩i⇩c⇩k_inv is_processT9 in force)
        from "****" $$(2) have **** : ‹map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) u' ∈ 𝒯 Q›
          using is_processT3_TR prefixI by simp blast
        have $$$$ : ‹r = map (map_event⇩p⇩t⇩i⇩c⇩k f g) (map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) r') @ [✓(res)]›
          using "$" "*****" by auto
        show ‹s ∈ 𝒟 (?lhs P Q)›
          by (simp add: D_Renaming D_Sync "*"(3) "$$$")
            (metis "$"(1) "$"(2) "$$$" "$$$$" "*"(2) "***" "****" map_event⇩p⇩t⇩i⇩c⇩k_tickFree ‹¬ tickFree r›
              append.right_neutral append_same_eq front_tickFree_Nil front_tickFree_single)
      qed
    } note ** = this
    show ‹s ∈ 𝒟 (?lhs P Q)› by (metis "*"(4, 5) "**" Sync_commute)
  next
    fix s X
    assume same_div : ‹𝒟 (?lhs P Q) = 𝒟 (?rhs P Q)›
    assume ‹(s, X) ∈ ℱ (?lhs P Q)›
    then consider ‹s ∈ 𝒟 (?lhs P Q)›
      | s1 where ‹(s1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P ⟦S⟧ Q)› ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1›
      by (simp add: F_Renaming D_Renaming) blast
    thus ‹(s, X) ∈ ℱ (?rhs P Q)›
    proof cases
      from same_div D_F show ‹s ∈ 𝒟 (?lhs P Q) ⟹ (s, X) ∈ ℱ (?rhs P Q)› by blast
    next
      fix s1 assume * : ‹(s1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X) ∈ ℱ (P ⟦S⟧ Q)› 
        ‹s = map (map_event⇩p⇩t⇩i⇩c⇩k f g) s1›
      from "*"(1) consider ‹s1 ∈ 𝒟 (P ⟦S⟧ Q)›
        | t_P t_Q X_P X_Q 
        where ‹(t_P, X_P) ∈ ℱ P› ‹(t_Q, X_Q) ∈ ℱ Q› 
          ‹s1 setinterleaves ((t_P, t_Q), range tick ∪ ev ` S)›
          ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = (X_P ∪ X_Q) ∩ (range tick ∪ ev ` S) ∪ X_P ∩ X_Q›
        by (auto simp add: F_Sync D_Sync)
      thus ‹(s, X) ∈ ℱ (?rhs P Q)›
      proof cases
        assume ‹s1 ∈ 𝒟 (P ⟦S⟧ Q)›
        hence ‹s ∈ 𝒟 (?lhs P Q)›
          apply (cases ‹tickFree s1›; simp add: D_Renaming "*"(2)) 
          using front_tickFree_Nil apply blast
          by (metis (no_types, lifting) map_event⇩p⇩t⇩i⇩c⇩k_front_tickFree butlast_snoc front_tickFree_iff_tickFree_butlast
              front_tickFree_single map_butlast nonTickFree_n_frontTickFree process_charn)
        with same_div D_F show ‹(s, X) ∈ ℱ (?rhs P Q)› by blast
      next
        fix t_P t_Q X_P X_Q
        assume ** : ‹(t_P, X_P) ∈ ℱ P› ‹(t_Q, X_Q) ∈ ℱ Q›
          ‹s1 setinterleaves ((t_P, t_Q), range tick ∪ ev ` S)›
          ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = (X_P ∪ X_Q) ∩ (range tick ∪ ev ` S) ∪ X_P ∩ X_Q›
        have ‹(map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_P, (map_event⇩p⇩t⇩i⇩c⇩k f g) ` X_P) ∈ ℱ (Renaming P f g)›
          by (simp add: F_Renaming)
            (metis "**"(1) bij_betw_def bij_map_event⇩p⇩t⇩i⇩c⇩k inj_vimage_image_eq)  
        moreover have ‹(map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_Q, (map_event⇩p⇩t⇩i⇩c⇩k f g) ` X_Q) ∈ ℱ (Renaming Q f g)›
          by (simp add: F_Renaming)
            (metis "**"(2) bij_betw_imp_inj_on bij_map_event⇩p⇩t⇩i⇩c⇩k inj_vimage_image_eq)
        moreover have ‹s setinterleaves ((map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_P, map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_Q),
                                         range tick ∪ ev ` f ` S)›
          by (metis "*"(2) "**"(3) bij_map_event⇩p⇩t⇩i⇩c⇩k sets_S_eq
              bij_map_setinterleaving_iff_setinterleaving)
        moreover have ‹X = ((map_event⇩p⇩t⇩i⇩c⇩k f g) ` X_P ∪ (map_event⇩p⇩t⇩i⇩c⇩k f g) ` X_Q) ∩ (range tick ∪ ev ` f ` S) ∪
                  (map_event⇩p⇩t⇩i⇩c⇩k f g) ` X_P ∩ (map_event⇩p⇩t⇩i⇩c⇩k f g) ` X_Q›
          apply (rule inj_image_eq_iff[THEN iffD1, OF inj_inv_map_event⇩p⇩t⇩i⇩c⇩k])
          apply (subst bij_vimage_eq_inv_image[OF bij_map_event⇩p⇩t⇩i⇩c⇩k, symmetric])
          apply (subst "**"(4), fold image_Un sets_S_eq)
          apply (subst (1 2) image_Int[OF inj_map_event⇩p⇩t⇩i⇩c⇩k, symmetric])
          apply (fold image_Un)
          apply (subst image_inv_f_f[OF inj_map_event⇩p⇩t⇩i⇩c⇩k])
          by simp
        ultimately show ‹(s, X) ∈ ℱ (?rhs P Q)›
          by (simp add: F_Sync) blast
      qed
    qed
  next
    fix s X
    assume same_div : ‹𝒟 (?lhs P Q) = 𝒟 (?rhs P Q)›
    assume ‹(s, X) ∈ ℱ (?rhs P Q)›
    then consider ‹s ∈ 𝒟 (?rhs P Q)›
      | t_P t_Q X_P X_Q where
        ‹(t_P, X_P) ∈ ℱ (Renaming P f g)› ‹(t_Q, X_Q) ∈ ℱ (Renaming Q f g)›
        ‹s setinterleaves ((t_P, t_Q), range tick ∪ ev ` f ` S)›
        ‹X = (X_P ∪ X_Q) ∩ (range tick ∪ ev ` f ` S) ∪ X_P ∩ X_Q›
      by (simp add: F_Sync D_Sync) blast
    thus ‹(s, X) ∈ ℱ (?lhs P Q)›
    proof cases
      from same_div D_F show ‹s ∈ 𝒟 (?rhs P Q) ⟹ (s, X) ∈ ℱ (?lhs P Q)› by blast
    next
      fix t_P t_Q X_P X_Q
      assume * : ‹(t_P, X_P) ∈ ℱ (Renaming P f g)› ‹(t_Q, X_Q) ∈ ℱ (Renaming Q f g)›
        ‹s setinterleaves ((t_P, t_Q), range tick ∪ ev ` f ` S)›
        ‹X = (X_P ∪ X_Q) ∩ (range tick ∪ ev ` f ` S) ∪ X_P ∩ X_Q›
      from "*"(1, 2) consider ‹t_P ∈ 𝒟 (Renaming P f g) ∨ t_Q ∈ 𝒟 (Renaming Q f g)›
        | t_P1 t_Q1 where ‹(t_P1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X_P) ∈ ℱ P› ‹t_P = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_P1›
          ‹(t_Q1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X_Q) ∈ ℱ Q› ‹t_Q = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_Q1›
        by (simp add: F_Renaming D_Renaming) blast
      thus ‹(s, X) ∈ ℱ (?lhs P Q)›
      proof cases
        assume ‹t_P ∈ 𝒟 (Renaming P f g) ∨ t_Q ∈ 𝒟 (Renaming Q f g)›
        hence ‹s ∈ 𝒟 (?rhs P Q)›
          apply (simp add: D_Sync)
          using "*"(1, 2, 3) F_T setinterleaving_sym front_tickFree_Nil by blast
        with same_div D_F show ‹(s, X) ∈ ℱ (?lhs P Q)› by blast
      next
        fix t_P1 t_Q1
        assume ** : ‹(t_P1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X_P) ∈ ℱ P› ‹t_P = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_P1›
          ‹(t_Q1, map_event⇩p⇩t⇩i⇩c⇩k f g -` X_Q) ∈ ℱ Q› ‹t_Q = map (map_event⇩p⇩t⇩i⇩c⇩k f g) t_Q1›
        from "**"(2, 4) have *** : ‹t_P1 = map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) t_P›
          ‹t_Q1 = map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) t_Q›
          by (simp_all add: inj_map_event⇩p⇩t⇩i⇩c⇩k)
        have **** : ‹map (map_event⇩p⇩t⇩i⇩c⇩k f g) (map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) s) = s›
          by (metis bij_betw_imp_surj bij_map_event⇩p⇩t⇩i⇩c⇩k list.map_comp list.map_id surj_iff)
        from bij_map_setinterleaving_iff_setinterleaving
          [of ‹inv (map_event⇩p⇩t⇩i⇩c⇩k f g)› s t_P ‹range tick ∪ ev ` f ` S› t_Q, simplified "*"(3)]
        have ‹map (inv (map_event⇩p⇩t⇩i⇩c⇩k f g)) s setinterleaves ((t_P1, t_Q1), range tick ∪ ev ` S)›
          by (metis "***" bij_betw_def bij_map_event⇩p⇩t⇩i⇩c⇩k inj_imp_bij_betw_inv sets_S_eq)
        moreover have ‹map_event⇩p⇩t⇩i⇩c⇩k f g -` X = (map_event⇩p⇩t⇩i⇩c⇩k f g -` X_P ∪ map_event⇩p⇩t⇩i⇩c⇩k f g -` X_Q) ∩ (range tick ∪ ev ` S) ∪ 
                      map_event⇩p⇩t⇩i⇩c⇩k f g -` X_P ∩ map_event⇩p⇩t⇩i⇩c⇩k f g -` X_Q›
          by (metis (no_types, lifting) "*"(4) inj_map_event⇩p⇩t⇩i⇩c⇩k inj_vimage_image_eq sets_S_eq vimage_Int vimage_Un)
        ultimately show ‹(s, X) ∈ ℱ (?lhs P Q)›
          by (simp add: F_Renaming F_Sync) (metis "**"(1, 3) "****")
      qed
    qed
  qed
qed
end