let s be State of SCM+FSA ; :: thesis: for a being Int-Location
for J being good Program of SCM+FSA st ( s . (intloc 0 ) = 1 or not a is read-only ) & ProperTimesBody a,J,s holds
for k being Element of NAT st k <= s . a holds
(((StepTimes a,J,s) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + k = s . a
let a be Int-Location ; :: thesis: for J being good Program of SCM+FSA st ( s . (intloc 0 ) = 1 or not a is read-only ) & ProperTimesBody a,J,s holds
for k being Element of NAT st k <= s . a holds
(((StepTimes a,J,s) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + k = s . a
let J be good Program of SCM+FSA ; :: thesis: ( ( s . (intloc 0 ) = 1 or not a is read-only ) & ProperTimesBody a,J,s implies for k being Element of NAT st k <= s . a holds
(((StepTimes a,J,s) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + k = s . a )
set I = J;
assume that
A1: ( s . (intloc 0 ) = 1 or not a is read-only ) and
A2: ProperTimesBody a,J,s ; :: thesis: for k being Element of NAT st k <= s . a holds
(((StepTimes a,J,s) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + k = s . a
set Is = Initialized s;
set au = 1 -stRWNotIn ({a} \/ (UsedIntLoc J));
set ST = StepTimes a,J,s;
set SW = StepWhile>0 (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(J ';' (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 ))),(Exec ((1 -stRWNotIn ({a} \/ (UsedIntLoc J))) := a),(Initialized s));
defpred S1[ Nat] means ( $1 <= s . a implies (((StepTimes a,J,s) . $1) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + $1 = s . a );
A3: for k being Element of NAT st S1[k] holds
S1[k + 1]
proof
not 1 -stRWNotIn ({a} \/ (UsedIntLoc J)) in {a} \/ (UsedIntLoc J) by SFMASTR1:21;
then A4: not 1 -stRWNotIn ({a} \/ (UsedIntLoc J)) in UsedIntLoc J by XBOOLE_0:def 3;
let k be Element of NAT ; :: thesis: ( S1[k] implies S1[k + 1] )
assume that
A5: ( k <= s . a implies (((StepTimes a,J,s) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + k = s . a ) and
A6: k + 1 <= s . a ; :: thesis: (((StepTimes a,J,s) . (k + 1)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + (k + 1) = s . a
reconsider sa = s . a as Element of NAT by A6, INT_1:16;
A7: k < sa by A6, NAT_1:13;
then A8: ((StepTimes a,J,s) . k) . (intloc 0 ) = 1 by A2, Th16;
A9: now
assume ((StepWhile>0 (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(J ';' (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 ))),(Exec ((1 -stRWNotIn ({a} \/ (UsedIntLoc J))) := a),(Initialized s))) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J))) <= 0 ; :: thesis: contradiction
then (((StepWhile>0 (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(J ';' (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 ))),(Exec ((1 -stRWNotIn ({a} \/ (UsedIntLoc J))) := a),(Initialized s))) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + k < (s . a) + 0 by A7, XREAL_1:10;
hence contradiction by A5, A7; :: thesis: verum
end;
A10: Macro (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 )) is_closed_on IExec J,((StepTimes a,J,s) . k) by SCMFSA7B:24;
A11: J is_closed_on (StepTimes a,J,s) . k by A2, A7, Def3;
then A12: J is_closed_on Initialized ((StepTimes a,J,s) . k) by A8, Th4;
J is_halting_on (StepTimes a,J,s) . k by A2, A7, Def3;
then A13: J is_halting_on Initialized ((StepTimes a,J,s) . k) by A8, A11, Th5;
Macro (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 )) is_halting_on IExec J,((StepTimes a,J,s) . k) by SCMFSA7B:25;
then J ';' (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 )) is_halting_on Initialized ((StepTimes a,J,s) . k) by A12, A13, A10, SFMASTR1:4;
then DataPart ((StepWhile>0 (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(J ';' (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 ))),(Exec ((1 -stRWNotIn ({a} \/ (UsedIntLoc J))) := a),(Initialized s))) . (k + 1)) = DataPart (IExec (J ';' (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 ))),((StepTimes a,J,s) . k)) by A8, A12, A13, A10, A9, SCMFSA9A:38, SFMASTR1:3;
then ((StepTimes a,J,s) . (k + 1)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J))) = (IExec (J ';' (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 ))),((StepTimes a,J,s) . k)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J))) by SCMFSA6A:38
.= (Exec (SubFrom (1 -stRWNotIn ({a} \/ (UsedIntLoc J))),(intloc 0 )),(IExec J,((StepTimes a,J,s) . k))) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J))) by A12, A13, SFMASTR1:12
.= ((IExec J,((StepTimes a,J,s) . k)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) - ((IExec J,((StepTimes a,J,s) . k)) . (intloc 0 )) by SCMFSA_2:91
.= ((IExec J,((StepTimes a,J,s) . k)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) - 1 by A12, A13, SCMFSA8C:96
.= ((Initialized ((StepTimes a,J,s) . k)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) - 1 by A12, A13, A4, Th1
.= (((StepTimes a,J,s) . k) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) - 1 by SCMFSA6C:3 ;
hence (((StepTimes a,J,s) . (k + 1)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + (k + 1) = s . a by A5, A7; :: thesis: verum
end;
A14: ( a = intloc 0 or not a is read-only ) by SF_MASTR:def 5;
A15: S1[ 0 ]
proof
assume 0 <= s . a ; :: thesis: (((StepTimes a,J,s) . 0 ) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + 0 = s . a
thus (((StepTimes a,J,s) . 0 ) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J)))) + 0 = (Exec ((1 -stRWNotIn ({a} \/ (UsedIntLoc J))) := a),(Initialized s)) . (1 -stRWNotIn ({a} \/ (UsedIntLoc J))) by SCMFSA_9:def 5
.= (Initialized s) . a by SCMFSA_2:89
.= s . a by A1, A14, SCMFSA6C:3 ; :: thesis: verum
end;
thus for k being Element of NAT holds S1[k] from NAT_1:sch 1(A15, A3); :: thesis: verum