reserve
  S for (4,1) integer bool-correct non empty non void BoolSignature,
  X for non-empty ManySortedSet of the carrier of S,
  T for vf-free integer all_vars_including inheriting_operations free_in_itself
  (X,S)-terms VarMSAlgebra over S,
  C for (4,1) integer bool-correct non-empty image of T,
  G for basic GeneratorSystem over S,X,T,
  A for IfWhileAlgebra of the generators of G,
  I for integer SortSymbol of S,
  x,y,z,m for pure (Element of (the generators of G).I),
  b for pure (Element of (the generators of G).the bool-sort of S),
  t,t1,t2 for Element of T,I,
  P for Algorithm of A,
  s,s1,s2 for Element of C-States(the generators of G);
reserve
  f for ExecutionFunction of A, C-States(the generators of G),
  (\falseC)-States(the generators of G, b);
reserve u for ManySortedFunction of FreeGen T, the Sorts of C;
reserve
  S for 1-1-connectives (4,1) integer (11,1,1)-array 11 array-correct
  bool-correct non empty non void BoolSignature,
  X for non-empty ManySortedSet of the carrier of S,
  T for vf-free all_vars_including inheriting_operations free_in_itself
  (X,S)-terms integer-array non-empty VarMSAlgebra over S,
  C for (11,1,1)-array (4,1) integer bool-correct non-empty image of T,
  G for basic GeneratorSystem over S,X,T,
  A for IfWhileAlgebra of the generators of G,
  I for integer SortSymbol of S,
  x,y,m,i for pure (Element of (the generators of G).I),
  M,N for pure (Element of (the generators of G).the_array_sort_of S),
  b for pure (Element of (the generators of G).the bool-sort of S),
  s,s1 for (Element of C-States(the generators of G));
reserve u for ManySortedFunction of FreeGen T, the Sorts of C;

theorem
  for f being ExecutionFunction of A, C-States(the generators of G),
  (\falseC)-States(the generators of G, b) st
  f in C-Execution(A,b,\falseC) & G is C-supported & i <> m &
  s.(the_array_sort_of S).M <> {} holds
  for n being Nat st
  f.(s, m:=(\0(T,I),A)\;
        for-do(i:=(\1(T,I),A), b gt(length(@M,I),@i,A), i:=(@i+\1(T,I),A),
               if-then(b gt(@M.(@i), @M.(@m), A), m:=(@i,A)))).I.m = n
  for X being non empty finite integer-membered set
  st X = rng (s.(the_array_sort_of S).M)
  holds (M.(n,I)) value_at(C,s) = max X
  proof let f be ExecutionFunction of A, C-States(the generators of G),
    (\falseC)-States(the generators of G, b) such that
A1: f in C-Execution(A,b,\falseC) & G is C-supported & i <> m and
A2: s.(the_array_sort_of S).M <> {};
    let n be Nat;
    assume
A3: f.(s, m:=(\0(T,I),A)\;
          for-do(i:=(\1(T,I),A), b gt(length(@M,I),@i,A), i:=(@i+\1(T,I),A),
            if-then(b gt(@M.(@i), @M.(@m), A), m:=(@i,A)
            )
          )
      ).I.m = n;
    let X be non empty finite integer-membered set;
    assume
A4: X = rng (s.(the_array_sort_of S).M);
    set ST = C-States(the generators of G);
    set TV = (\falseC)-States(the generators of G, b);
    defpred R[Element of ST] means
    s.(the_array_sort_of S).M = $1.(the_array_sort_of S).M;
    reconsider sm = s as ManySortedFunction of the generators of G,
    the Sorts of C by AOFA_A00:48;
    reconsider z = sm.(the_array_sort_of S).M as 0-based finite array of INT;
    defpred P[Element of ST] means R[$1] &
    $1.I.i in NAT & $1.I.m in NAT & $1.I.i <= len z & $1.I.m < $1.I.i &
    $1.I.m < len z &
    for mx being Integer st mx = $1.I.m
    for j being Nat st j < $1.I.i
    holds z.j <= z.mx;
    defpred Q[Element of ST] means R[$1] &
    $1.I.i < (length(@M,I)) value_at(C,s);
    set s0 = s;
    set s1 = f.(s,m:=(\0(T,I),A));
    set s2 = f.(s1,i:=(\1(T,I),A));
    set W = b gt(length(@M,I),@i,A);
    set K = i:=(@i+\1(T,I),A);
    set s3 = f.(s2,W);
    set CJ = b gt(@M.(@i), @M.(@m), A);
    set IJ = m:=(@i,A);
    set J = if-then(CJ, IJ);
    set a = the_array_sort_of S;
A5: I <> the bool-sort of S by AOFA_A00:53;
A6: f complies_with_if_wrt TV by AOFA_000:def 32;
A7: s1.I.m = \0(T,I) value_at(C,s) by A1,Th65;
A8:\0(T,I) value_at(C,s) = 0 by Th36;
A9: s2.I.m = s1.I.m by A1,Th65;
A10: s2.I.i = \1(T,I) value_at(C,s1) by A1,Th65 .= 1 by Th37;
A11: s3.I.i = s2.I.i by A1,A5,Th65;
    consider J1,K1,L1 being Element of S such that
A12: L1 = 1 & K1 = 1 & J1 <> L1 & J1 <> K1 &
    (the connectives of S).11 is_of_type <*J1,K1*>, L1 &
    (the connectives of S).(11+1) is_of_type <*J1,K1,L1*>, J1 &
    (the connectives of S).(11+2) is_of_type <*J1*>, K1 &
    (the connectives of S).(11+3) is_of_type <*K1,L1*>, J1 by AOFA_A00:def 51;
A13: (the Sorts of C).the_array_sort_of S = INT^omega &
    (the Sorts of C).the bool-sort of S = BOOLEAN by Th74,AOFA_A00:def 32;
A14: the bool-sort of S <> I by AOFA_A00:53;
A15: the_array_sort_of S <> I by A12,Th71;
    then
A16: s1.(the_array_sort_of S).M = s.(the_array_sort_of S).M by A1,Th65;
A17: s3.(the_array_sort_of S).M = s2.(the_array_sort_of S).M by A13,A1,Th65;
A18: P[s2]
    proof
      thus R[s2] by A15,A1,Th65,A16;
      thus s2.I.i in NAT & s2.I.m in NAT by A7,A8,A9,A10;
      0 < len z & 0+1 = 1 by A2,NAT_1:3;
      hence s2.I.i <= len z & s2.I.m < s2.I.i & s2.I.m < len z
      by A7,A8,A9,A10,NAT_1:13;
      let mx be Integer; assume
A19:   mx = s2.I.m;
      let j be Nat; assume
A20:   j < s2.I.i;
      1=0+1;
      then j <= 0 & j >= 0 by A20,A10,NAT_1:13;
      then
A21:   j = 0;
      thus z.j <= z.mx by A21,A19,A8,A9,A1,Th65;
    end;
    deffunc F(Element of ST)
    = In((len(s0.(the_array_sort_of S).M))-$1.I.i,NAT);
A22: f.(s2,W) in TV iff Q[f.(s2,W)]
    proof
A23:   @i value_at(C,s2) < length(@M,I) value_at(C,s2) iff f.(s2, W) in TV
      by A1,Th66;
      length(@M,I) value_at(C,s2) = length(@M value_at(C,s2),I) by Th81
      .= len (@M value_at(C,s2)) by Th74
      .= len(s2.(the_array_sort_of S).M) by Th61
      .= len(s0.(the_array_sort_of S).M) by A15,A1,Th65,A16
      .= len(@M value_at(C,s0)) by Th61
      .= length(@M value_at(C,s0), I) by Th74
      .= length(@M,I) value_at(C,s0) by Th81;
      hence thesis by A15,A1,Th65,A16,A17,A11,A23,Th61;
    end;
A24: len(@M value_at(C,s0))
     = length(@M value_at(C,s0),I) by Th74
     .= length(@M,I) value_at(C,s0) by Th81;
A25: for s being Element of ST st Q[s]
    holds (Q[f.(s,J\;K\;W)] iff f.(s,J\;K\;W) in TV) & F(f.(s,J\;K\;W)) < F(s)
    proof
      let s be Element of ST;
      assume A26: Q[s];
A27:   f.(s,J\;K\;W) = f.(f.(s, J\;K), W) & f.(s,J\;K) = f.(f.(s,J),K)
      by AOFA_000:def 29;
      hereby
A28:     f.(s,J\;K\;W).I.i = f.(s,J\;K).I.i by A14,A27,A1,Th65;
A29:     s.a.M = f.(s,CJ).a.M by A13,A1,Th65;
A30:     s.I.i = f.(s,CJ).I.i by A14,A1,Th65;
A31:     now
          per cases;
          suppose f.(s,CJ) in TV;
            then f.(s,J) = f.(f.(s,CJ),IJ) by A6;
            hence f.(s,J).a.M = s.a.M & f.(s,J).I.i = s.I.i
            by A15,A1,A29,A30,Th65;
          end;
          suppose f.(s,CJ) nin TV;
            then f.(s,J) = f.(f.(s,CJ),EmptyIns A) by A6;
            hence f.(s,J).a.M = s.a.M & f.(s,J).I.i = s.I.i
            by A29,A30,AOFA_000:def 28;
          end;
        end;
A32:    (f.(s,J\;K).(the_array_sort_of S).M)
        = (s.(the_array_sort_of S).M) by A31,A27,A15,A1,Th65;
        length(@M,I) value_at(C,f.(s,J\;K))
        = length(@M value_at(C,f.(s,J\;K)),I) by Th81
        .= len(@M value_at(C,f.(s,J\;K))) by Th74
        .= len(f.(s,J\;K).(the_array_sort_of S).M) by Th61
        .= len(@M value_at(C,s0)) by A32,A26,Th61;
        then
        Q[f.(s,J\;K\;W)] iff @i value_at(C,f.(s,J\;K)) <
        length(@M,I) value_at(C,f.(s,J\;K))
        by A26,A28,A24,A32,A27,A13,A1,Th65,Th61;
        hence Q[f.(s,J\;K\;W)] iff f.(s,J\;K\;W) in TV
        by A1,A27,Th66;
      end;
      reconsider sJ = f.(s,J) as ManySortedFunction of the generators of G,
      the Sorts of C by AOFA_A00:48;
      reconsider a = sJ.I.i as Element of C,I;
A33:   @i value_at(C,f.(s,J)) = f.(s,J).I.i &
      \1(T,I) value_at(C,f.(s,J)) = 1 by Th37,Th61;
      f.(s,J\;K\;W) = f.(f.(s,J\;K),W) by AOFA_000:def 29
      .= f.(f.(f.(s,J),K),W) by AOFA_000:def 29;
      then
A34:   f.(s,J\;K\;W).I.i
      = f.(f.(s,J),K).I.i by A1,Th65,A14
      .= (@i+\1(T,I)) value_at(C,f.(s,J)) by A1,Th65
      .= (@i value_at(C,f.(s,J)))+(\1(T,I) value_at(C,f.(s,J))) by Th39
      .= f.(s,J).I.i + 1 by A33,AOFA_A00:55;
      @M value_at(C,s0) = s0.(the_array_sort_of S).M &
      s.I.i < (length(@M,I)) value_at(C,s0) &
      (length(@M,I)) value_at(C,s0) = length(@M value_at(C,s0),I)
      by A26,Th61,Th81;
      then
A35:   s.I.i < len(s0.(the_array_sort_of S).M) by Th74;
      then
A36:   (len(s0.(the_array_sort_of S).M))-s.I.i > 0 by XREAL_1:50;
      (len(s0.(the_array_sort_of S).M))-s.I.i >= 0+1 by A35,XREAL_1:50,INT_1:7;
      then
A37:   (len(s0.(the_array_sort_of S).M))-s.I.i-1 >= 1-1 by XREAL_1:9;
      per cases;
      suppose @M.(@i) value_at(C,s) > @M.(@m) value_at(C,s);
        then f.(s,CJ) in TV & f complies_with_if_wrt TV
        by A1,Th66,AOFA_000:def 32;
        then
A38:     f.(s,J).I.i = f.(f.(s,CJ),IJ).I.i
        .= f.(s,CJ).I.i by A1,Th65
        .= s.I.i by A14,A1,Th65;
        F(f.(s,J\;K\;W)) = (len(s0.(the_array_sort_of S).M))-s.I.i-1
        by A34,A38,A37,INT_1:3,SUBSET_1:def 8;
        then F(f.(s,J\;K\;W)) = F(s)-1 by A36,INT_1:3,SUBSET_1:def 8;
        hence F(f.(s,J\;K\;W)) < F(s) by XREAL_1:44;
      end;
      suppose @M.(@i) value_at(C,s) <= @M.(@m) value_at(C,s);
        then f.(s,CJ) nin TV & f complies_with_if_wrt TV
        by A1,Th66,AOFA_000:def 32;
        then f.(s,J) = f.(f.(s,CJ),EmptyIns A)
        .= f.(s,CJ) by AOFA_000:def 28;
        then f.(s,J).I.i = s.I.i by A1,Th65,A14;
        then F(f.(s,J\;K\;W))
        = len(s0.(the_array_sort_of S).M)-s.I.i-1
        by A34,A37,INT_1:3,SUBSET_1:def 8
        .= F(s)-1 by A36,INT_1:3,SUBSET_1:def 8;
        hence F(f.(s,J\;K\;W)) < F(s) by XREAL_1:44;
      end;
    end;
A39: f iteration_terminates_for J\;K\;W, f.(s2,W) from AOFA_000:sch 3(A22,A25);
A40: for s being Element of ST st P[s] & s in TV & Q[s]
    holds P[f.(s,J\;K)]
    proof
      let s be Element of ST;
      assume A41: P[s];
      assume s in TV;
      assume A42: Q[s];
A43:   s.a.M = f.(s,CJ).a.M by A13,A1,Th65;
      thus R[f.(s,J\;K)]
      proof
        per cases;
        suppose f.(s,CJ) in TV;
          then f.(s,J) = f.(f.(s,CJ),IJ) by A6;
          then
A44:       f.(s,J).a.M = s0.a.M by A41,A15,A1,A43,Th65;
          f.(s,J\;K) = f.(f.(s,J),K) by AOFA_000:def 29;
          hence thesis by A44,A15,A1,Th65;
        end;
        suppose f.(s,CJ) nin TV;
          then f.(s,J) = f.(f.(s,CJ),EmptyIns A) by A6;
          then
A45:       f.(s,J).a.M = s0.a.M by A41,A43,AOFA_000:def 28;
          f.(s,J\;K) = f.(f.(s,J),K) by AOFA_000:def 29;
          hence thesis by A45,A15,A1,Th65;
        end;
      end;
A46:   @i value_at(C,f.(s,J)) = f.(s,J).I.i & @i value_at(C,s) = s.I.i &
      @m value_at(C,s) = s.I.m & \1(T,I) value_at(C,f.(s,J)) = 1
      by Th61,Th37;
A47:   f.(s,J\;K) = f.(f.(s,J),K) by AOFA_000:def 29;
      then
A48:   f.(s,J\;K).I.i = (@i+\1(T,I)) value_at(C,f.(s,J)) by A1,Th65
      .= (@i value_at(C,f.(s,J)))+(\1(T,I) value_at(C,f.(s,J))) by Th39
      .= f.(s,J).I.i+1 by A46,AOFA_A00:55;
A49:   f.(s,J\;K).I.m = f.(s,J).I.m by A47,A1,Th65;
A50:   f.(s,CJ).I.i = s.I.i & f.(s,CJ).I.m = s.I.m &
      f.(s,CJ).a.M = s.a.M by A13,A14,A1,Th65;
A51:   s.I.i is Nat & @M value_at(C,s) = s.a.M & @M value_at(C,s0) = s0.a.M
      by A41,Th61;
      then
A52:   @i value_at(C,s) in dom (@M value_at(C,s))
by A46,A24,A42,AFINSQ_1:86;
A53:   @m value_at(C,s) in dom (@M value_at(C,s))
by A51,A46,A41,AFINSQ_1:86;
A54:   z.(s.I.i) = (@M value_at(C,s)).(s.I.i) by A41,Th61
      .= (@M value_at(C,s) qua Function).(@i value_at(C,s))
      by Th61
      .= (@M value_at(C,s)).(@i value_at(C,s)) by A52,Th74
      .= @M.(@i) value_at(C,s) by Th79;
A55:   z.(s.I.m) = (@M value_at(C,s)).(s.I.m) by A41,Th61
      .= (@M value_at(C,s) qua Function).(@m value_at(C,s))
      by Th61
      .= (@M value_at(C,s)).(@m value_at(C,s)) by A53,Th74
      .= @M.(@m) value_at(C,s) by Th79;
A56:   now per cases;
        case
          z.(s.I.i) > z.(s.I.m);
          then f.(s,CJ) in TV by A1,A54,A55,Th66;
          then
A57:       f.(s,J) = f.(f.(s,CJ),IJ) by A6;
          hence f.(s,J).I.i = s.I.i by A50,A1,Th65;
          thus f.(s,J).I.m = @i value_at(C,f.(s,CJ)) by A57,A1,Th65
          .= s.I.i by A50,Th61;
          thus f.(s,J).a.M = s.a.M by A57,A50,A1,A15,Th65;
        end;
        case
          z.(s.I.i) <= z.(s.I.m);
          then f.(s,CJ) nin TV by A1,A54,A55,Th66;
          then
A58:       f.(s,J) = f.(f.(s,CJ),EmptyIns A) by A6;
          hence f.(s,J).I.i = s.I.i by A50,AOFA_000:def 28;
          thus f.(s,J).I.m = s.I.m by A58,A50,AOFA_000:def 28;
          thus f.(s,J).a.M = s.a.M by A58,A50,AOFA_000:def 28;
        end;
      end;
      reconsider sIi = s.I.i as Element of NAT by A41;
A59:   f.(s,J\;K).I.i = sIi+1 & sIi+1 in NAT by A48,A56,ORDINAL1:def 12;
      thus f.(s,J\;K).I.i in NAT & f.(s,J\;K).I.m in NAT
      by A56,A41,A47,A1,Th65,A48,ORDINAL1:def 12;
      len z = length(@M,I) value_at(C,s0) by A24,Th61;
      hence
      f.(s,J\;K).I.i <= len z by A56,A48,A42,INT_1:7;
      thus f.(s,J\;K).I.m < f.(s,J\;K).I.i by A56,A48,A49,A41,NAT_1:13;
      thus f.(s,J\;K).I.m < len z by A24,Th61,A56,A49,A41,A42;
      let mx be Integer;
      assume
A60:   mx = f.(s,J\;K).I.m;
      let j be Nat; assume
A61:   j < f.(s,J\;K).I.i;
      per cases by A61,A59,NAT_1:22;
      suppose
        j < s.I.i & z.(s.I.i) <= z.(s.I.m);
        hence z.j <= z.mx by A60,A41,A56,A49;
      end;
      suppose
        j < s.I.i & z.(s.I.i) > z.(s.I.m);
        then z.j <= z.(s.I.m) by A41;
        hence z.j <= z.mx by A60,A56,A49,XXREAL_0:2;
      end;
      suppose
        j = s.I.i & z.(s.I.i) <= z.(s.I.m);
        hence z.j <= z.mx by A60,A56,A47,A1,Th65;
      end;
      suppose
        j = s.I.i & z.(s.I.i) > z.(s.I.m);
        hence z.j <= z.mx by A60,A56,A47,A1,Th65;
      end;
    end;
A62: for s being Element of ST st P[s] holds
    P[f.(s,W)] &
    (f.(s,W) in TV iff Q[f.(s,W)])
    proof
      let s be Element of ST;
      assume A63: P[s];
      thus R[f.(s,W)] by A63,A1,A13,Th65;
A64:   f.(s,W).I.i = s.I.i & f.(s,W).I.m = s.I.m by A1,A14,Th65;
      thus f.(s,W).I.i in NAT & f.(s,W).I.m in NAT by A63,A1,A14,Th65;
      thus f.(s,W).I.i <= len z & f.(s,W).I.m < f.(s,W).I.i by A64,A63;
      thus f.(s,W).I.m < len z by A1,A14,Th65,A63;
      thus for mx being Integer st mx = f.(s,W).I.m
      for j being Nat st j < f.(s,W).I.i holds z.j <= z.mx by A64,A63;
A65:  length(@M,I) value_at(C,s)
      = length(@M value_at(C,s),I) by Th81
      .= len(@M value_at(C,s)) by Th74
      .= len(s.(the_array_sort_of S).M) by Th61
      .= len(@M value_at(C,s0)) by A63,Th61;
      hereby
        assume f.(s,W) in TV;
        then @i value_at(C,s) < length(@M,I) value_at(C,s) &
        s.I.i = @i value_at(C,s) by A1,Th66,Th61;
        hence Q[f.(s,W)] by A63,A1,A14,Th65,A13,A24,A65;
      end;
      assume Q[f.(s,W)];
      then @i value_at(C,s) < length(@M,I) value_at(C,s)
      by A64,A24,A65,Th61;
      hence f.(s,W) in TV by A1,Th66;
    end;
A66: P[f.(s2, while(W, J\;K))] &
    not Q[f.(s2, while(W, J\;K))]
    from AOFA_000:sch 5(A18,A39,A40,A62);
A67: f.(s, m:=(\0(T,I),A)\;for-do(i:=(\1(T,I),A),W,K,J))
    = f.(s1, for-do(i:=(\1(T,I),A),W,K,J)) by AOFA_000:def 29
    .= f.(f.(s1, i:=(\1(T,I),A)), while(W, J\;K)) by AOFA_000:def 29;
    then
A68: n in dom z by A66,A3,AFINSQ_1:86;
A69: ^(n,T,I) value_at(C,s) = n by Th90;
A70: z = @M value_at(C,s) by Th61;
A71: z.(f.(s, m:=(\0(T,I),A)\;for-do(i:=(\1(T,I),A),W,K,J)).I.m)
    = (@M value_at(C,s)).(^(n,T,I) value_at(C,s)) by A68,A70,A69,Th74,A3
    .= (@M. ^(n,T,I)) value_at(C,s) by Th79;
A72: (M.(n,I)) value_at(C,s) is UpperBound of X
    proof
      let x be ExtReal;
      assume x in X;
      then consider j being object such that
A73:   j in dom z & x = z.j by A4,FUNCT_1:def 3;
      reconsider j as Nat by A73;
      f.(s,m:=(\0(T,I),A)\;for-do(i:=(\1(T,I),A),W,K,J)).I.i <= len z &
      f.(s,m:=(\0(T,I),A)\;for-do(i:=(\1(T,I),A),W,K,J)).I.i >= len z
      by A24,Th61,A66,A67;
      then f.(s,m:=(\0(T,I),A)\;for-do(i:=(\1(T,I),A),W,K,J)).I.i = len z &
      j < len z by A73,AFINSQ_1:86,XXREAL_0:1;
      hence thesis by A71,A73,A66,A67;
    end;
    for x being UpperBound of X holds (M.(n,I)) value_at(C,s) <= x
    proof
      let x be UpperBound of X;
      n in dom z & M.(n,I) value_at(C,s) = z.n
by A66,A67,A71,A3,AFINSQ_1:86;
      then M.(n,I) value_at(C,s) in X by A4,FUNCT_1:def 3;
      hence (M.(n,I)) value_at(C,s) <= x by XXREAL_2:def 1;
    end;
    hence (M.(n,I)) value_at(C,s) = max X by A72,XXREAL_2:def 3;
  end;
