:: Variable reservations: each identifier below is given a default type for
:: the statements that follow. The theorem visible after these reservations
:: uses s, aa, bb, f and p; the remaining identifiers are not used in it.
reserve s for State of SCM+FSA,
  a, c for read-write Int-Location,
  aa, bb, cc,
  dd, x for Int-Location,
  f for FinSeq-Location,
  I, J for MacroInstruction of SCM+FSA,
  Ig for good MacroInstruction of SCM+FSA,
  i, k for Nat,
  p for Instruction-Sequence of SCM+FSA;
:: NOTE(review): I is already reserved above with this same type, so this
:: second reservation looks redundant -- confirm before removing.
reserve I for MacroInstruction of SCM+FSA;

:: Element-wise correctness of swap(f,aa,bb): if the values held in aa and bb
:: are both indices in 1 .. len (s.f) and s.intloc 0 = 1, then in the state
:: IExec(swap(f,aa,bb),p,s) the entry of f at index s.aa is the old entry at
:: s.bb, and the entry at s.bb is the old entry at s.aa.
:: The four inequalities are the bounds preconditions of the result. The
:: theorem states nothing about an index outside 1 .. len (s.f), so a caller
:: that relies on it has to establish the bounds first.
theorem
  1 <= s.aa & s.aa <= len (s.f) & 1 <= s.bb & s.bb <= len (s.f) & s.
  intloc 0 = 1 implies IExec(swap(f,aa,bb),p,s).f.(s.aa) = s.f.(s.bb) &
  IExec(swap(f,aa,bb),p,s).f.(s.bb) = s.f.(s.aa)
proof
  :: Local abbreviations. Inside this proof `a` stands for aa (a plain
  :: Int-Location), not for the reserved read-write variable `a`.
  set a = aa, b = bb;
  assume that
A1: 1 <= s.a and
A2: s.a <= len (s.f) and
A3: 1 <= s.b and
A4: s.b <= len (s.f) and
A5: s.intloc 0 = 1;
  :: Closed form of the resulting sequence, taken from Th31 (stated outside
  :: this view): the original s.f with index s.a overridden by s.f.(s.b),
  :: and then index s.b overridden by s.f.(s.a).
A6: IExec(swap(f,a,b),p,s).f = (s.f+*(s.a, s.f.(s.b))+*(s.b, s.f.(s.a))) by A1
,A2,A3,A4,A5,Th31;
  :: s.a is an integer that is at least 1, so it can be retyped as a natural.
  reconsider sa = s.a as Element of NAT by A1,INT_1:3;
  :: The bounds A1 and A2 put sa inside the domain of s.f.
A7: sa in dom (s.f) by A1,A2,FINSEQ_3:25;
  :: The first override leaves the domain unchanged, so the second override
  :: is applied to a function whose domain is still dom (s.f).
A8: dom (s.f+*(s.a, s.f.(s.b))) = dom (s.f) by FUNCT_7:30;
  reconsider sb = s.b as Element of NAT by A3,INT_1:3;
  :: The bounds A3 and A4 put sb inside the domain of s.f.
A9: sb in dom (s.f) by A3,A4,FINSEQ_3:25;
  :: Case split on whether the two indices coincide.
  per cases;
  suppose
    sa <> sb;
    :: First conjunct: the indices differ, so the outer override at s.b does
    :: not change the entry at s.a; the inner override then supplies
    :: s.f.(s.b), using sa in dom (s.f).
    hence
    IExec(swap(f,a,b),p,s).f.(s.a) = (s.f+*(s.a, s.f.(s.b))).(s.a) by A6,
FUNCT_7:32
      .= s.f.(s.b) by A7,FUNCT_7:31;
    :: Second conjunct: sb lies in the domain of the inner function (A8, A9),
    :: so the outer override places s.f.(s.a) at index s.b.
    thus thesis by A9,A6,A8,FUNCT_7:31;
  end;
  suppose
    sa = sb;
    :: Both overrides hit the same index, so the outer one decides the value
    :: there; with s.a = s.b that value s.f.(s.a) is also s.f.(s.b).
    hence IExec(swap(f,a,b),p,s).f.(s.a) = s.f.(s.b) by A7,A6,A8,FUNCT_7:31;
    :: Same argument, read at index s.b.
    thus thesis by A9,A6,A8,FUNCT_7:31;
  end;
end;
