let P be Instruction-Sequence of SCM+FSA; :: thesis: for s being State of SCM+FSA holds
( ( s . (intloc (4 + 1)) > 0 implies (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = 0 ) & ( s . (intloc (4 + 1)) <= 0 implies (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = (s . (intloc (1 + 1))) - 1 ) )

let s be State of SCM+FSA; :: thesis: ( ( s . (intloc (4 + 1)) > 0 implies (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = 0 ) & ( s . (intloc (4 + 1)) <= 0 implies (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = (s . (intloc (1 + 1))) - 1 ) )
set s0 = Initialized s;
set s1 = Exec ((AddTo ((intloc (3 + 1)),())),());
hereby :: thesis: ( s . (intloc (4 + 1)) <= 0 implies (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = (s . (intloc (1 + 1))) - 1 )
assume s . (intloc (4 + 1)) > 0 ; :: thesis: (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = 0
hence (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = (IExec ((Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),P,s)) . (intloc (1 + 1)) by SCM_HALT:44
.= (IExec ((Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),P,s)) . (intloc (1 + 1))
.= (Exec ((SubFrom ((intloc (1 + 1)),(intloc (1 + 1)))),())) . (intloc (1 + 1)) by SCMFSA6C:5
.= (Exec ((SubFrom ((intloc (1 + 1)),(intloc (1 + 1)))),())) . (intloc (1 + 1))
.= (() . (intloc (1 + 1))) - (() . (intloc (1 + 1))) by SCMFSA_2:65
.= 0 ;
:: thesis: verum
end;
intloc (1 + 1) <> intloc (3 + 1) by SCMFSA_2:101;
then A1: (Exec ((AddTo ((intloc (3 + 1)),())),())) . (intloc (1 + 1)) = () . (intloc (1 + 1)) by SCMFSA_2:64
.= s . (intloc (1 + 1)) by SCMFSA_M:37 ;
A2: (Exec ((AddTo ((intloc (3 + 1)),())),())) . () = () . () by SCMFSA_2:64
.= 1 by SCMFSA_M:9 ;
hereby :: thesis: verum
assume s . (intloc (4 + 1)) <= 0 ; :: thesis: (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = (s . (intloc (1 + 1))) - 1
hence (IExec ((if>0 ((intloc (4 + 1)),(Macro (SubFrom ((intloc (1 + 1)),(intloc (1 + 1))))),((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))))),P,s)) . (intloc (1 + 1)) = (IExec (((AddTo ((intloc (3 + 1)),())) ";" (SubFrom ((intloc (1 + 1)),()))),P,s)) . (intloc (1 + 1)) by SCM_HALT:44
.= (Exec ((SubFrom ((intloc (1 + 1)),())),(Exec ((AddTo ((intloc (3 + 1)),())),())))) . (intloc (1 + 1)) by SCMFSA6C:8
.= (s . (intloc (1 + 1))) - 1 by ;
:: thesis: verum
end;