reserve x for set,
  i for Instruction of SCM+FSA,
  a,b for Int-Location,
  f for FinSeq-Location,
  l, l1 for Nat,
  s,s1,s2 for State of SCM+FSA,
  P,P1,P2 for Instruction-Sequence of SCM+FSA;

theorem
  for a, b being read-write Int-Location holds IExec(swap(a,b),P,s).a =
  s.b & IExec(swap(a,b),P,s).b = s.a
proof
  let a, b be read-write Int-Location;
  set i0 = FirstNotUsed Macro (a := b) := a;
  set i1 = a := b;
  set i2 = b := FirstNotUsed Macro (a := b);
  set i01 = i0 ";" i1;
  UsedILoc Macro (a := b) = UsedIntLoc (a := b) by SF_MASTR:28;
  then UsedILoc Macro (a := b) = {a, b} by SF_MASTR:14;
  then
A1: not FirstNotUsed Macro (a := b) in {a, b} by SF_MASTR:50;
  then
A2: FirstNotUsed Macro (a := b) <> a by TARSKI:def 2;
A3: FirstNotUsed Macro (a := b) <> b by A1,TARSKI:def 2;
  hereby
    per cases;
    suppose
A4:   a <> b;
      thus IExec(swap(a,b),P,s).a = Exec(i2, IExec(i01,P,s)).a by Th5
        .= IExec(i01,P,s).a by A4,SCMFSA_2:63
        .= Exec(i1, Exec(i0, Initialized s)).a by Th7
        .= Exec(i0, Initialized s).b by SCMFSA_2:63
        .= (Initialized s).b by A3,SCMFSA_2:63
        .= s.b by SCMFSA_M:37;
    end;
    suppose
A5:   a = b;
      thus IExec(swap(a,b),P,s).a = Exec(i2, IExec(i01,P,s)).a by Th5
        .= IExec(i01,P,s).(FirstNotUsed Macro (a := b)) by A5,SCMFSA_2:63
        .= Exec(i1, Exec(i0, Initialized s)).(FirstNotUsed Macro (a := b)) by
Th7
        .= Exec(i0, Initialized s).(FirstNotUsed Macro (a := b)) by A2,
SCMFSA_2:63
        .= (Initialized s).a by SCMFSA_2:63
        .= s.b by A5,SCMFSA_M:37;
    end;
  end;
  thus IExec(swap(a,b),P,s).b = Exec(i2, IExec(i01,P,s)).b by Th5
    .= IExec(i01,P,s).(FirstNotUsed Macro (a := b)) by SCMFSA_2:63
    .= Exec(i1, Exec(i0, Initialized s)).(FirstNotUsed Macro (a := b)) by Th7
    .= Exec(i0, Initialized s).(FirstNotUsed Macro (a := b)) by A2,SCMFSA_2:63
    .= (Initialized s).a by SCMFSA_2:63
    .= s.a by SCMFSA_M:37;
end;
