SSL Statements.thy

java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
theory["\ edst)"
  importsSemantics of left expressions›
begin

locale statement_with_gasRightarrowEnvironment ==> CalldataT ==> State ==> (LType
  fixesS < Environment ==> State ==>
  assumes while_not_zeroimpe cd st ex s0. 0costs (WHILE ex s0) e cd st) "
      and invoke_not_zero[termination_simp]: "∧costs (INVOKE i xe) e cd st)"
      ndeternalr cd st ad i xe val. 0 < (costs (EXTERNAL ad i xe val) e cd st)"
      and transfer_not_zero[termination_simpe cd st ex ad. 0  (TRANSFER ad ex) e cd st)"
      and new_not_zero[termination_simp]: "∧e cd st i xe val. 0 < (costs (NEW i xe val) e cd st)"
begin

subsection ‹

text ‹

fun lexp :: " >Environment ==> ==> (LType * Type, Ex, Gas) state_monad"
 where "lexp (Id i) e _ st g =
 (case (denvalue e) $$ i of
 Some (tp, (Stackloc l)) ==> return (LStackloc l, tp)
 | Some (tp, (Storeloc l)) ==> return (LStoreloc l, tp)
 | _ ==> throw Err) g"
  "lexp (Ref i r) e cd st g =
 (case (denvalue e) $$ i of
 Some (tp, Stackloc l) ==>
 Some (K (KCDptr _) ==>
 Some (KCDptr _) ==>
 | Some (KMemptr l') ==> Some (KMempl') ==>do {
 do {
 t ← (case tp of Memory t ==> t | _==> Err);
 (l'', t') ← msel True t l' r e cd st;
 return (LMemloc l'', Memory t')
 }
 | Some (KStoptr l') ==>
 do {
 t ← (case tp of Storage t ==> return t | _ ==> throw Err);
 (l'', t') ← ssel t l' r e cd st;
 return (LStoreloc l'', Storage t')
 }
 | Some (KValue _) ==> throw Err
 | None ==> throw Err)
 | Some (tp, Storeloc l) ==>
 do {
 t ← (case tp of Storage t ==> return t | _ ==> throw Err);
 (l', t') ← ssel t l r e cd st;
 return (LStoreloc l', Storage t')
 }
 | None ==> throw Err) g"

  lexp_gas[rule_format]:
 "∀l5' t5' g5'. lexp l5 ev5 cd5 st5 g5 = Normal ((l5', t5'), g5') ⟶ g5' ≤ g5"
  (induct rule: lexp.induct[where ?P="λ (LMeml'', Memory t')
 
 then show ?caseusilexp.simps(1) byy (simp split: option.split Denvalue.split prod.s)
 
 case(2 i r e cd d st g)
 show ?case
 proof (rule allI[THEN allI, THEN at \leftarrow (case tp of Storage t ==>\<> 
 fix st5' xaxaa
 assume a1: "lexp (Ref i r) e cd st g = Normal ((st5', xa), xaa)"
 then show "xaa ≤ g"
 proof (cases "fmlookup (denvalue e) i")
 case None
 with a1 show ?thesis using lexp.simps(2) by simp
 next
 case
 then show ?thesis
 proof (cases a)
 case (Pair tp b)
 then show ?thesis
java.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41
 case (Stackloc l)
 then show ?thesis
 proof (cases "accessStore l (stack st)")
 case None
 with a1 Some Pair Stackloc show ?thesis using lexp.psimps(2) by simp
 next
 case s2: (Some a)
 then show ?thesis
 proof (cases a)
 case (KValue x1)
 with a1 Some Pair Stackloc s2 show ?thesis using lexp.psimps(2) by simp
 next
 case (KCDptr x2)
 with a1 Some Pair Stackloc s2 show ?thesis using lexp.psimps(2) by simp
 next
 case (KMemptr l')
 then show ?thesis
 proof (cases tp)
 case (Value _)
 with a1 Some Pair Stackloc s2 KMemptr show ?thesis using lexp.simps(2) by simp
 next
 case (Calldata _)
 with a1 Some Pair Stackloc s2 KMemptr show ?thesis using lexp.simps(2) by simp
 next
 case (Memory t)
 then show ?thesis
 proof (cases "msel True t l' r e cd st g")
 case (n _ _)
 with 2 a1 Some Pair Stackloc s2 KMemptr Memory show ?thesis using msel_ssel_expr_load_rexp_gas(1) by (simp split: prod.split_asm)
 next
 case (e _)
 with a1 Some Pair Stackloc s2 KMemptr Memory show ?thesis using lexp.psimps(2) by simp
 qed
 next
 case (Storage _)
 with a1 Some Pair Stackloc s2 KMemptr show ?thesis using lexp.psimps(2) by simp
 qed
 next
 case (KStoptr l')
 then show ?thesis
 proof (cases tp)
 case (Value _)
 with a1 Some Pair Stackloc s2 KStoptr show ?thesis using lexp.psimps(2) by simp
 next
 case (Calldata _)
 with a1 Some Pair Stackloc s2 KStoptr show ?thesis using lexp.psimps(2) by simp
 next
 case (Memory _)
 with a1 Some Pair Stackloc s2 KStoptr show ?thesis using lexp.psimps(2) by simp
 next
 case (Storage t)
 then show ?thesis
 proof (cases "ssel t l' r e cd st g")
 case (n _ _)
 with a1 Some Pair Stackloc s2 KStoptr Storage show ?thesis using msel_ssel_expr_load_rexp_gas(2) by (auto split: prod.split_asm)
 next
 case (e _)
 with a1 Some Pair Stackloc s2 KStoptr Storage show ?thesis using lexp.psimps(2) by simp
 qed
 qed
 qed
 qed
 next
 case (Storeloc l)
 then show ?thesis
 proof (cases tp)
 case (Value _)
 with a1 Some Pair Storeloc show ?thesis using lexp.psimps(2) by simp
 next
 case (Calldata _)
 with a1 Some Pair Storeloc show ?thesis using lexp.psimps(2) by simp
 next
 case (Memory _)
 with a1 Some Pair Storeloc show ?thesis using lexp.psimps(2) by simp
 next
 case (Storage t)
 then show ?thesis
 proof (cases "ssel t l r e cd st g")
 case (n _ _)
 with a1 Some Pair Storeloc Storage show ?thesis using msel_ssel_expr_load_rexp_gas(2) by (auto split: prod.split_asm)
 next
 case (e _)
 with a1 Some Pair Storeloc Storage show ?thesis using lexp.psimps(2) by simp
 qed
 qed
 qed
 qed
 qed
 qed
 

  ‹Semantics of statements›

  ‹The following is a helper function to connect the gas monad with the state monad.›

 
 toState :: "(State ==>do {
 "toState gm = (\<>s (case tp of Storage t ==> return t | _ ==>
 Normal (a,g) ==>gas:=g)
 | Exception e ==>

  wptoState[wprule]:
 assumes "∧ P a (s(s:=g)
 and "∧ (ga s) = =Excee ==>
 shows "wp (toState gm) P
 gassms unfolding wp_def bsimp split:result.it resesult.splilit_asm)

  ‹'. lexp l5l5 evev5 cd5 st5 g5= Norm ((l5', t5'), g5') ⟶le> g5"
  (domintros) stmt :: "S ==> Environment ==> CalldataT ==> (unit, Ex, State) state_monad"
 where "stmt SKIP e cd st =
 (do {
 assert Gas (λst. gas st > costs SKIP e cd st);
 modify (λ. st( costs SKIP e cd st) (1i e u uv st g)
 }) "
  "stmt (ASSIGN lv ex) env cd st =
 (do {
 asserte allI[THEN a allI, THEN allI, OF impI])
 modify \<lambdastgas := gas st - costs (ASSIGN lv ex) env cd st)
 re ← ex env cd);
 case re of
 (KValue v, Value t) ==> g"
 do {
 rl ←
 case rl of
 (LStackloc l, Value t') ==> (denvalue e)i")
 do {
 caseNone
 modify (\ ashowhes uigexpsms2 ys
 }
 
 do {
 <leftarrow _. convert t tv);
 modify (λ
 
 | (LMemloc l, Memor
 do {
 ' \<leftarrow _. convert t t' v);
 modify (λst. st(v')(emoy s))
 }
 | _ ==>
 }
 | (KCDptr p, Calldata (MTArray x t)) ==>stac st)")
 do {
 rl ← lv env cd);
 case rl of
 (LStackloc l, Memory _) ==> Some P Stackloc show ?thesis using lexp.psimps(2) by simp
  {
 sv \ : (Some a)
 p' ←
 m ← (cases a)
 modify (λ x1)
 }
 | (LStackloc l, Storage _) ==>Some Pair Stackloc s2 show ?thesisusing lexp.psimps(2) by imp
 do {
 sv ←
 p' ← (KCDptr x2) Pair Stackloc s2 s2 show ?t ?thesis using lexp.psimps(2) by simp
 s ←
 modify (λst. st ( l')
 }
 | (LStoreloc l, _) ==>
 do {
 proof (ca (cases tp)
 modify (λ _)
 }
 | (LMemloc l, _) ==> SomePair Stackloc s2 KMemptr show ?thesis using lexp.simps2) by simp
 do {
 m ← option Err (λnext
 modify (λ _)
 }
 | _ ==> throw Err
 }
 | (KMemptr p, Memory (MTArray x t)) ==>
 
 rl ← lv env cd)
 case rl of
 (LStackloc l, Memory _) ==>
 | (LStackloc l, Storage _) ==> "msel True t l l' ' e e cd st g"
 do {
 sv ← 2 a Pair Stackloc s2KMemptr Memory show ?t using msel_ssel_1) by (simp split: prod.split_asm)
 p' \< e show ?thesis uusilexp.psimps(2) by simp
 s ← option Err (λdx (Storage _)
 modify (λ 🚫 KStoptr show ?thesiusing lexp.psimp(
 }
 |
 do {
 s \<> ) (storage st (address env));
 modify (λst. st ( Stackloc s2 KStoptr show ?thesis using lexp.psimps(2) by simp
 }
 | (LMemloc l, _) \case(M _)
 | _ ==>SomePair Stackloc s2 KStoptr show ? ?thesis using lexp.psimps(2) b simp
 }
 | (KStoptr p, Storage (STArray x t)) ==>
 do {
 rl ←
 of
 (LStackloc l, Memory _) ==>"sse t l' r e cd stg")
 do {
 sv ←
 p' ←oePitackloc cs2 KStoptr orage show ?thesis using msel_sel_ssselexpr_lod_repgs2 y (aod.slit_asm)
 m ←
 modify (λst. st(
 }
 | (LStackloc l, Storageqed
 | (LStoreloc l, _) ==>
 do {
 
 modify (λ
 }
 | (LMemloc show ?ts
 do {
 m ←_)
 modify (λst. st(s2) by sip
 }
 | _ ==>
 }
 | (Kcaseallaa_
 do {
 with Some Pair Storec show ?esis using eppsimps(2) by simp
 l ←
 modify (λst. st(oc sw ?thesiesis us using lexp.psi) by sip
 }
 | _ ==>
 }) st"
  "stmt (COMP s1 s2) e cd st =
 (do{
 assert Gas (λ_)
 modify (λst. st\a1ome Pa Storeloc Storage show ?thesisugme_e_expr_load_rxp_gas() by (auto spit:podplit_asm)
 stmt next
 stmt s2 e cd
 }) st"
  "stmt (ITE ex s1 s2) e cd st =
 (do {
 assert Gas (λst. gas st > costs (ITE ex s1 s2) e cd st);
 modify (λst. st(gas := gas st - costs (ITE ex s1 s2) e cd st));
 v ←
 b ←imps2)b ip
java.lang.NullPointerException
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 else throw Err
 }) st"
  "stmt (WHILE ex s0) e c s=
 (do {
 assert Gas (λst. gas st > costs (WHILE ex s0) e cd st);
 openT following is a helper function to connect the gas monad with the state monad.›
 v ←no:"State ==> ('a, 'e, Gas) state_monad) ==>('a, ',Sasaemnd where
 b ← (case v of (KValue b, Value TBool) ==> return b | _ ==> thr Exception e ==>
java.lang.NullPointerException
 do {
 stmt s0 e cd;
 stmt (WHILE ex s0) e cd
 }
java.lang.NullPointerException
 else throw Err
 }) st"
  "stmt (INVOKE i xe) e cd st =
 (do {
 assert Gas (λst. gas st > costs (INVOKE i xe) e cd st);
 modify (λst. st(gas := gas st - costs (INVOKE i xe) e cd st));
 (ct, _) ← option Err (λ_. ep $$ contract e);
 (fp, f) ← case ct $$ i of Some (Method (fp, False, f)) ==> return (fp, f) | _ ==> "wp ( (toState gm)P E s"
 let e' = ffold_init ct (emptyEnv (address e) (contract e) (sender e) (svalue e)) (fmdom ct);
java.lang.NullPointerException
 (e_l, cd_l, k_l, m_l) ← toState (load False fp xe e' emptyStore emptyStore m_o e cd);
 k_<>
 modify (λst. st(stack:=k_l, memory:=m_l)> nviro ==>
 stmt f e_l cd_l;
java.lang.NullPointerException
 }) st"
(*External Method calls allow to send some money val with it*)
(*However this transfer does NOT trigger a fallback*)
(*External methods can only be called from externally*)
| "stmt (EXTERNAL ad i xe val) e cd st =
    (dodo {
      assert Gas (λst. gas st > costs (EXTERNAL ad i xe val) e cd st);
      modify (λst. st(gas := gas st - costs (EXTERNAL ad i xe val) e cd st));
      kad ← toState (expr ad e cd);
      adv ← case kad of (KValue adv, Value TAddr) ==> return adv | _ ==> throw Err;
      assert Err (λ_. adv ≠ address e);
      c ←(ASSIGN lv ex)env ccd st st =
      (ct, _, fb) ← option Err (λ_. ep $$ c);
      kv ← toState (expr val e cd);
      (v, t) ← case kv of (KValue v, Value t) ==>
      v' ← option Err (λ_. convert t (TUInt 256) v);
      let e' = ffold_init ct (emptyEnv adv c (address e) v') (fmdom ct);
      case ct $ i of
        Some (Method (fp, True, f)) ==>
          do{
            (e_l, cd_l, k_l, m_l) ←<> toState (xpr ex env cd);
            acc ←re of
            (k_>
java.lang.NullPointerException
            
java.lang.NullPointerException
          }
      | None \<(LStacklocv);
          do {
            acc ← option Err (λst. transfer (address e) adv v' (accounts st));
            (k_o, m_o) ← applyf (λst. (stack st, memory st));
            modify (\lambda. st\<\lparr
            stmt fb e' emptyStore;
            modify (λst. st(stack:=k_o, memory := m_o))
          
      | _ ==> throw Err
    }) st"
| "stmt (TRANSFER ad ex) e cd st =
    (do {
      assert Gas (λst. gas st > costs (TRANSFER ad ex) e cd st);
      modify (\lambda>stst\<lparrgas st\<parr)
      kv ← toState (expr ad e cd);
      adv ← case kv of (KValue adv, Value TAddr) ==> return adv | _ ==> throw Err;
      kv' ←modif λ) ad en := mupdl v' torage st (address ))\rparr)
      (v, t) ← case kv' of (KValue v, Value t) ==> return (v, t) | _ ==> throw Err;
      v' ← option Err (λ_. convert t (TUInt 256) v);
      acc ← applyf accounts;
      case type (acc adv) of
        Some (Contract c) ==>
          do {
            (ct, _, f) ← option Err (λ_. ep $$ c);
            let e' = ffold_init ct (
            (k_o, m_o) ← applyf (λst. (stack st, memory st));
            acc'Memloc l, Memory (LMemloc l, Memory (MTValue t')) ==>
            modify (λst. st(v' ←_. convert t t' v);
            stmt f e' emptyStore;
            modify (λst. st(stackmo \<lambdast l (MValue v') (memorst))
          }
      | Some EOA ==>
          do {
            acc' ← option Err (λst. transfer (address e) adv v' (accounts st));
            modify (λst. (st(acc }
          }
      | None ==> hrow Err
    }) st"
| java.lang.NullPointerException
   do{
      assert Gas (λst. gas st > costs (BLOCK ((id0, tp), None) s) e_v cd st);
      modify (λst. st( do {
      (cd', mem', sck', e') ← \<\leftarrow
      modify (λst. st( of
      stmt s e' cd'
    }(LStac l,Memory_) ==>
| "stmt (BLOCKdo
    (do {
      assertapplyf  (tack
      modify (λst. st(gas := gas st - costs (BLOCK ((id0, tp), Some ex') s) e_v cd ←p'   <>  ;
      (v, t) ← toState (expr ex' e_v cd);
      (cd', mem', sck', e') ← option Err (λst. decl id0 tp\leftarrow  \lambdast'x t cd( ))
      modify (λst. st(stack := sck', memory := mem'));
      stmt'
    }) st"
(*
  Note: We cannot use (ct, (fp, cn), fb) <- option Err (λ
*)
| "stmt (NEW i xe val) e cd st =            | (LStackloc Storage<Rightarrow
    (do {
      assert Gas (λst. gasdo
      modify (λstsvapplyf accessStore st
      adv ← applyf (λst. hash (address e) (ShowL_na __<Rightarrow
      assert Err (λst. type (accounts st adv) = None);
      kv ← toState (expr val e cd);
      (v, t) ← case kv of (KValue v, Value t) ==> return (v, t) | _ ==> throw Err;
      (ct, cn, _) ← option Errstp'xt  storage(address));
      let e' = ffold_init ct (emptyEnv adv i (address e) v) (fmdom ct);
      (e_l, cd_l, k_l, m_l) ← toState (loadmodifylambdast=storage:= )rparr
      modify (λst. st(accounts := (accounts st)(adv := (bal = ShowL_int 0, type = Some (Contract i), contracts = 0)),                }
      acc ← option Err (λst. transfer
      (k_lx t cdstorage env
      modify (λst. st(accounts := acc, stack:=k_l, memory:=m_l));
      stmt (snd cn) e_<> =( )(address
      modify (λst. st(stack:=k_o, memory := m_o));
      modify (incrementAccountContracts
    }) st,_)<<ightarrow
bydo

subsection ‹

  ‹Again, to prove termination we need a lemma regarding gas consumption.›

  stmt_dom_gas[rule_format]:
 "stmt_dom (s6, ev6, cd6, st6) ==> (\ <>st
  (induct rule: stmt.pinduct[where ?P="λs6 ev6 cd6 st6. (∀st6'. stmt s6 ev6 cd6 st6 = Normal ((), st6') ⟶ gas st6' ≤ gas st6)"]
 case (1 e cd st)
 then show ?case using stmt.psimps(1) by simp
 
 case (2 lv ex env cd st)
 define g where "g = costs (ASSIGN lv ex) env cd st"
 show ?case
 proof (rule a }
 fix st6'
 assume stmt_def: "stmt (ASSIGN lv ex) env cd st = Normal ((), st6')"
 then show "gas st6' ≤ gas st"
 proof cases
 assume "gas st ≤ g"
 with 2(1) stmt_def show ?thesis using stmt.psimps(2) g_def by simp
 next
 assume "¬Mx t)) \Rightarrow
 define st' where "st' = st(gas := gas st - g)"
 show ?thesis
 proof (cases "expr ex env cd st' (gas st - g)")
 case (n a g')
 define st'' here "st'' = st'\lparrga = g)
 then show ?thesis
 proof (cases a)
 case (Pair b c)
 then show ?thesis
 proof (cases b)
 case (KValue v)
 then show?thesis
 proof (cases c)
 case (Value t)
 then show ?thesis
 proof (cases "lexp lv env cd st'' g'")
 case n2: (n a g'')
 then show ?thesis
 proof (cases a)
 case p1: (Pair a b)
 then show ?thesis
 proof (cases a)
 case (LStackloc l)
 then show ?thesis
 proof (cases b)
 case v2: (Value t')
 then show ?thesis
 proof (cases "convert t t' v ")
 case None
 with stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStackloc v2 show ?thesis using stmt.psimps(2)[OF 2(1)] g_def st'_def st''_def by simp
 next
 case s3: (Some v')
 with 2(1) `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStackloc v2 s3
 have "stmt ((ASSIGNlv ex ex) env cd t = Normal ((), st''\<> 
 using stmt.psimps(2) g_def st'_def st''_def by simp
 with stmt_def have "st6'= st''(gas := g'', stack := updateStore l (KValue v') (stack st))" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n2 p1 have "gas (st''(gas := g'', stack := updateStore l (KValue v') (stack st))) ≤ gas (st'(gas := g'))" using g_def st'_def by simp
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤
 ultimately show ?thesis by simp
 qed
 next
 case (Calldata x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStackloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Memory x3)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStackloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Storage x4)
 with 2(1) stmt_ef `¬ Value n2 p1 LStashow ?thes
 qed
 next
 case (LMemloc l)
 then show ?thesis
 proof (cases b)
 case v2: (Value t')
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LMemloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Calldata x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LMemloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Memory x3)
 then show ?thesis
 proof (cases x3)
 case (MTArray x11 x12)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LMemloc Memory show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (MTValue t')
 then show ?thesis
 proof (cases "convert t t' v ")
 case None
 with modify (λe := s))
 next
 case s3: (Some v')
 with 2(1) `¬ gas st ≤ g` n Pair KValue Value n2 p1 LMemloc Memory MTValue s3
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st''(gas := g'', memory := updateStore l (MValue v') (memory st'')))"
 using stmt.psimps(2) g_def st'_def st''_def by simp
 with stmt_dehave st6= (st (st''🚫
 moreover from lexp_gas `¬ gas st ≤ g` n2 p1 have "gas (st''(gas := g'', stack := updateStore l (KValue v') (stack st))) ≤ gas (st'(gas := g'))" using g_def st'_def by simp
 l_ssel_expr_load_rexp_gas(3)[ofex env env st' "gas st - g"] `¬ " (st( st - g\<>)
 ultimately show ?thesis by simp
 qed
 qed
 next
 case (Storage x4)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LMemloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 qed
 next
 case (LStoreloc l)
 then show ?thesis
 proof (cases b)
 case v2: (Value t')
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStoreloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Calldata x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStoreloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Memory x3)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStoreloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Storage x4)
 then show ?thesis
 proof (cases x4)
 case (STArray x11 x12)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStoreloc Storage show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (STMap x21 x22)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStoreloc Storage show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (STValue t')
 then show ?thesis
 proof (cases "convert t t' v ")
 case None
 with 2(1) stmt_def `¬ gas st ≤ x t (m st) s st addr env)));
 next
 case s3: (Some v')
 with 2(1) `¬ gas st ≤ g` n Pair KValue Value n2 p1 LStoreloc Storage STValue s3
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'' (gas := g'', storage := (storage st'') (address env := fmupd l v' (storage st'' (address env)))) ) ad e :: s)))
 using stmt.psimps(2) g_def st'_def st''_def by simp
 with stmt_def have "st6'= st'' (gas := g'', storage := (storage st'') (address env := fmupd l v' (storage st'' (address env))))" by simp
 moreover from lexp_gas `¬ gas st ≤ _) _) <> 
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair KValue Value n2 p1 have "gas (st'(gas := g')) ≤ gas (st(gas := gas st - g))" using g_def by simp
 ultimatelyshow ?thesis by simp
 qed
 qed
 qed
 qed
 qed
 next
 case (e x)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 qed
 next
 case (Calldata x2)
 with 2(1) stmt_def `¬ gas st ≤ Storage (STArray x t)) ==>
 next
 case (Memory x3)
 with 2(1) stmt_def `¬ gas st ≤
 next
 case (Storage x4)
 with 2(1) stmt_rl ←
 qed
 next
 case (KCDptr p)
 then show ?thesis
 proof (cases c)
 case (Value x1)
 with 2(1) stmt_def `¬ gas st ≤
 next
 case (Calldata x2)
 then show ?thesis
 proof (cases x2)
 case (MTArray x t)
 then show ?thesis
 proof (cases "lexp lv env cd st'' g'")
 case n2: (n a g'')
 define st'' st''' whe st'' =st''\<>gas
 then show ?thesis
 proof (cases a)
 case p2: (Pair a b)
 then show ?thesis
 proof (cases a)
 case (LStackloc l)
 then show ?thesis
 proof (cases b)
 case v2: (Value t')
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case c2: (Calldata x2)
 with 2(1) stmt_def `¬p' | _ ==>
 next
 case (Memory x3)
 then show ?thesis
 proof (cases "accessStore l (stack st''')")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Memory show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case s3: (Some a)
 then show ?thesis
 proof (cases a)
 case (KValue x1)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p modify (λl>memory : m)
 next
 case c3: (KCDptr x2)
 with 2(1) stmt_def `¬ gas st ≤
 next
 ase (KMemptr p')
 then show ?thesis
 proof (cases "cpm2m p p' x t cd (memory st''')")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Memory s3 KMemptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by (simp split:if_split_asm)
 next
 case (Some m')
 with `\s← t (s st (address e)));
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st''' (memory := m'))"
 using stmt.psimps(2)[OF 2(1)] g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= st''' (memory := m')" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 have "gas (st'''(memory := m')) ≤st. st ()
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair have "gas st'' ≤ gas st'" using st'_def st''_def by simp
 ultimately show ?thesis using st'_def by simp
 qed
 next
 case (KStoptr p')
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Memory s3 show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 qed
 qed
 next
 case (Storage x4)
 then show ?thesis
 proof (cases "accessStore l (stack st'')")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Storage show ?thesis using stmt.psimps(2) g_def st'_def do {
 next
 case s3: S a)
 then show ?thesis
 proof (cases a)
 case (KValue x1)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Storage s3 show ?th odify (λrp>)
 next
 case c3: (KCDptr x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Storage s3 show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case (KMemptr x3)
 ith 2(1) stmt_def `\<ot 
 next
 case (KStoptr p')
 then show ?thesis
 proof (cases "cpm2s p p' x t cd (storage st'' (address env))")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Storage s3 KStoptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case (Some s')
 with 2(1) `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStackloc Storage s3 KStoptr
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st''' (storage := (storage st'') (address env := s')))"
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= st''' (storage := (storage st'') (address env := s'))" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 have "gas s
 expr_load_rexp_gas(3)(3)[of ex env cd cd st'"gasst - g- g" `¬ st'' ≤_def by simp
 ultimately show ?thesis using st'_def by simp
 qed
 qed
 qed
 qed
 next
 case (LMemloc l)
 then show ?thesis
 proof (cases "cpm2m p l x t cd (memory st''')")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LMemloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by (simp split:if_split_asm)
 next
 case (Some m)
 with `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LMemloc
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(memory := m))"
 using stmt.psimps(2)[OF 2(1)] g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= (st'''(memory := m))" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 have "gas st''' ≤ gas st''" using st''_def st'''_def by simp
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬
 ultimately show ?thesis using st'_def by simp
 qed
 next
 case (LStoreloc l)
 then show ?thesis
 proof (cases "cpm2s p l x t cd (storage st'' (address env))")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStoreloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case (Some s)
 with `¬ gas st ≤ g` n Pair KCDptr Calldata MTArray n2 p2 LStoreloc
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st''' (storage := (storage st'') (address env := s)))"
 using stmt.psimps(2)[OF 2(1)] g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= (st'''(storage := (storage st'') (address env := s)))" by simp
 moreover from lexp_gas `¬ gas st ≤
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬
 ultimately show ?thesis using st'_def by simp
 qed
 qed
 qed
 next
 case (e x)
 with 2(1) stmt_d `¬KCalldata MTArray show ?thesis using .psimps(2) g_def st'_def st'st''_de by simp
 qed
 next
 case (MTValue x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr Calldata show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 qed
 next
 case (Memory x3)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Storage x4)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KCDptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 qed
 next
 case (KMp)
 then show ?thesis
 proof (cases c)
 case (Valu x1)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KMemptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Calldata x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KMemptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 
 then show ?thesis
 proof (cases x3)
 case do {
 then show ?thesis
 proof (cases "lexp lv env cd st'' g'")
 case n2: (n a g'')
 define st''' where "st''' = st''(gas := g'')"
 then show ?thesis
 proof (cases a)
 case p2: (Pair a b)
 then show ?thesis
 proof (cases a)
 case (LStackloc l)
 then show ?thesis
 proof (cases b)
 case v2: (Value t')
 with 2(1) stmt_def `¬lambda>st. st( gas stst - costs (ITE ex s1s2) ) e c st)
 next
 case c2: (Calldata x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStackloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case m2: (Memory x3)
 with 2(1) `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStackloc
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(> (casevof (KVal b, Value TBoo)\<ightarrow 
 using stmt.psimps(2)[OF 2(1)] g_def st'_def st''_def st'''_def by simp
 with stmt_def h "st6'= st''🚫
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 have "gas st''' ≤ gas st''" using st''_def st'''_def by simp
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair have "gas st'' ≤ gas st'" using st'_def st''_def by simp
 ultimately show ?thesis using st'_def by simp
 next
 case (Storage x4)
 then show ?thesis
 proof (cases "accessStore l (stack st''')")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStackloc Storage show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 
 case s3: (Some a)
 then show ?thesis
 proof (cases a)
 case (KValue x1)
 with 2(1) stmt_def `¬
 next
 case c3: (KCDptr x2)
 with 2(1) stmt_def `\ `\<> 
 next
 case m3: (KMemptr x3)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStackloc Storage s3 show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case (KStoptr p')
 then show ?thesis
 proof (cases "cpm2s p p' x t (memory st''') (storage st''' (address env))")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStackloc Storage s3 KStoptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case (Some s)
 with 2(1) `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStackloc Storage s3 KStoptr
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(storage := (storage st''') (address env := s)))"
 using stmt.p (do {
 with stmt_def have "st6'= st'''(storage := (storage st''') (address env := s)) > cos (WHILE ex s0) e cd st);
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 have "gas st''' ≤ gas st''" using g_def st'_def st''_def st'''_def by simp
  fmsel_(3)[of ennv csgast- g"" \notg st\le ` P "gst'' ≤
 ultimately show ?thesis using st'_def by simp
 qed
 qed
 qed
 qed
 next
 case (LMemloc l)
 with 2(1) `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LMemloc
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(memory := updateStore l (MPointer p) (memory st''')))"
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= st'''(memory := updateStore l (MPointer p) (memory st'''))" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 have "gas st''' ≤ gas st''" using g_def st'_def st''_def st'''_def by simp
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair have "gas st'' ≤ gas st'" using st'_def st''_def by simp
 ultimately show ?thesis using st'_def by simp
 next
 case (LStoreloc l)
 then show ?thesis
 proof (cases "cpm2s p l x t (memory st''') (storage st'' (address env))")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStoreloc show ?thesis using stmt.psimps(2) g_def using st'_def st''_def st'''_def by simp
 next
 case (Some s)
 with 2(1) `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 LStoreloc
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(storage := (storage st''') (address env := s)))"
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= st'''(storage := (storage st''') (address env := s))" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 have "gas st''' ≤ gas st''" using g_def st'_def st''_def st'''_def by simp
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair have "gas st'' ≤ gas st'" using st'_def st''_def by simp
 ultimately show ?tb \leftarrow( v of(KValueb, Valu TBool) \Rightarrowre b | _ <Rightarrow 
 qed
 qed
 qed
 next
 case (e _)
java.lang.NullPointerException
 qed
 next
 case (MTValue _)
 with 2(1) stmt_def `¬ gas st ≤
 qed
 next
 case (Storage x4)
 with 2(1) stmt_def `¬ gas st ≤
 qed
 next
 case (KStoptr p)
 then show ?thesis
 proof (cases c)
 case (Value x1)
 with 21) stmdef `\not g st \<le bysimp
 next
 case (Calldata x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Memory x3)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Storage x4)
 then show ?thesis
 proof (cases x4)
 case (STArray x t)
 then show ?thesis
 proof (cases "lexp lv env cd st'' g'")
 case n2: (n a g'')
 define st''' where "st''' = st''(
 then show ?thesis
 proof (cases a)
 case p2:(Pair a b)
 then show ?thesis
 proof (cases a)
 case (LStackloc l)
 then show ?thesis
 proof (cases b)
 case v2: (Value t')
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStackloc show ?th(do {
 next
 
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStackloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 next
 case (Me x3)
 then show ?thesis
 proof (cases "accessStore l (stack st''')")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStackloc Memory show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case s3: (Some a)
 then show ?thesis
 proof (cases a)
 case (KValue x1)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStackloc Memory s3 show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case c3: (KCDptr x2)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStackloc Memory s3 show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case (KMemptr p')
 then show ?thesis
 proof (cases "cps2m p p' x t (storage st''' (address env)) (memory st''')")
 case None
 with 21) stmt_d `\not ga st \le g` n Pair KStoptr Storage STArra n2 p2 LSLStacklo Me s3 K KMemptr show ? usi st.psim(2 g_d st_def st''_d st'''_de by simp
 next
 case (Some m)
 with 2(1) `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStackloc Memory s3 KMemptr
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(memory := m))"
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= st'''(memory := m)" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KMemptr Storage STArray n2 p2 have "gas (st'''(memory := m) e) (se) (sval e)) fmdomct);
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair have "gas st'' ≤ gas st'" using st'_def st''_def by simp
 ultimately show ?thesis using st'_def by simp
 qed
 next
 case sp2: (KStoptr p')
 with 2(1) stmt_def `¬>l) ← emptyStore m\^>o e e cd);
 qed
 qed
 next
 case st2: (Storage x4)
 with 2(1) `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStackloc
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(stack := updateStore l (KStoptr p) (stack st''')))"
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= st'''(stack := updateStore l (KStoptr p) (stack st'''))" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 have "gas (st'''(stack := updateStore l (KStoptr p) (stack st'''))←
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair have "gas st'' ≤modify (\lambdast.st(
 ultimately show ?thesis using st'_def by simp
 qed
 next
 case (LMemloc l)
 then show ?thesis
 proof (cases "cps2m p l x t (storage st'' (address env)) (memory st'')")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LMemloc show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case (Some m)
java.lang.NullPointerException
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(memory := m))"
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= (st'''(memory := m)
 moreover from lexp_gas `¬ ga(*External
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤ g` n Pair have "gas st'' ≤
 ultimately show ?thesis using st'_def by simp
 qed
 next
 case (LStoreloc l)
 then sho tesis
 proof (cases "copy p l x t (storage st'' (address env))")
 case None
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray n2 p2 LStoreloc asGas (λt;
 next
 case (Some s)
 with 2(1) `¬ gas st ≤ rray n2 p p2 Ltoreloc
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st'''(storage := (storage st''') (address env := s)))"
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
 moreover from lexp_gas `¬
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex env cd st' "gas st - g"] `¬ gas st ≤
 ultimately show ?thesis using st'_def by simp
 qed
 qed
 qed
 next
 case (e x)
 with 2(1) stmt_def `¬ gas st ≤ g` n Pair KStoptr Storage STArray show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 qed
 next
 case (STMap t t')
 then show ?thesis
 proof (cases "lexp lv env cd st'' g'")
 case n2: (n a g'')
 define st''' where "st''' = st''(= g'')
 then show ?thesis
 proof (cases a)
 case p2: (Pair a b)
 then show ?thesis
 proofof (cases )
 case (LStackloc l)
 with 2(1) `¬ gas st ≤ g` n Pair KStoptr Storage STMap n2 p2
 have "stmt (ASSIGN lv ex) env cd st = Normal ((), st''' (stack := updateStore l (KStoptr p) (stack st''')))"(do {
 using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 with stmt_def have "st6'= st'''(" by simp
 moreover from lexp_gas `¬ gas st ≤ g` n Pair KStoptr Storage STMap n2 p2 have "gas (st'''(st. st();
 from m msel_pr__re(3of ex en c sas st - g"] `¬ g` n Pair have "gas st'' \le> gas st'" u st'_def st''_def by simp
 ultimately show ?thesis using st'_def by simp
 next
 case (LMemloc x2)
 with 2(1) stmt_def `¬ toState (expr ex e cd);
 next
 case (LStoreloc x3)
 with 2(1) stmt_def `¬ g` n Pair KStoptr Storage STMap n2 p2 show ?thesis using stmt.psimps(2) g_def st'_def st''_def by simp
 qed
 qed
 next
 case (e x)
 with 2(1) stmt_def `¬ ←;
 
 next
 case (STValue x3)
 with 2(1) stmt_def `¬ c) \Rightarrow>
 qed
 qed
 qed
 qed
 next
 case (e x)
 with 2(1) stmt_def `¬, __, f \leftarrowoption Err (λ_. ep $$ c);
 qed
 qed
 qed
 
 case (3 s1 s2 e cd st)
 define g where "g = costs (COMP s1 s2) e cd st"
 show ?case
 proof (rule allI[OF impI])
 fix st6'
 assume stmt_def: "stmt (COMP s1 s2) e cd st = Normal ((), st6')"
 then show "gas st6' ≤ Err (\lambda. transf (address e) adv v' (a st));
 proofca
 assume "gas st ≤ g"
  3(1) stmt_def g_def show ?thesis using stmt.psimps(3) by simp
 next
 assume "¬ gas st ≤ g"
 show ?thesis
 proof (cases "stmt s1 e cd (st(gas := gas st - g))")
 
 with 3(1) stmt_def `¬ gas st ≤
 with 3(3) stmt_def ‹ v' (accounts st));
 moreover from 3(2)[where ?s'a="st(gas := gas st - g)st. (st(= acc')
  }
 next
 case (e x)
 with 3 stmt_def `¬ g` show ?thesis using stmt.psimps(3)[of s1 s2 e cd st] g_def by (simp split: Ex.split_asm)
 qed
 qed
 qed
 
 case (4 ex s1 s2 e cd st)
 define g where "g = costs (ITE ex s1 s2) e cd st"
 show ?case
 proof (rule allI[OF impI])
 fix st6'
 assume stmt_def: "stmt (ITE ex s1 s2) e cd st = Normal ((), st6')"
 then Gas (λ sst > cos (BLOCK ((id0, tp), None s) e\^>v cd st);
 proof cases
 assume "gas st ≤st. st( (BLOCK ( (id0, tp), None) s) e\<^>v
 with 4(1) stmt_def show ?thesis using stmt.psimps(4) g_def by simp
 next
 assume "¬ gas st ≤ g"
 then have l1: "assert Gas (λst. costs (ITE ex s1 s2) e cd st < gas st) st = Normal ((), st) " using g_def by simp
 define st' where "st' = st( = ga st - g)
 >st. st( 1) e cst) = Normal ((), st')" using g_def by simp
 show ?thesis
 proof (cases "expr ex e cd st' (gas st - g)")
 case (n a g')
 define st'' where "st'' = st'(gas := g')
 with n have l3: "toState (expr ex e cd) st' = Normal (a, st'')" using st'_def by simp
 then show ?thesis
 proof (ca)
 case (Pair b c)
 then show ?thesis
 proof (cases b)
 case (KValue b)
 then show ?thesis
 proof (cases c)
 case (Value x1)
 then show ?thesis
 proof (cases x1)
 case (TSInt x1)
 with 4(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value show ?thesis using stmt.psimps(4) g_def st'_ odify (\lambdas. s\lparrs sts (Ci, me e)e<sub>)</sub>;
 next
 case (TUInt x2)
 with 4(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value show ?thesis using stmt.psimps(4) g_def st'_def by simp
 next
 case TBool
 then show ?thesis
 proof cases
java.lang.NullPointerException
 with 4(1) `¬ }) st"
java.lang.NullPointerException
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex e cd st' "gas st - g"] `¬ gas st ≤ fb)<- 
 ultimately show ?thesis using st'_def by simp
 next
 assume nt: "¬ b = ShowL<sub>bool</sub> True"
 show ?thesis
 proof cases
java.lang.NullPointerException
 with 4(1) `¬ gas st ≤ (E i xe val) cd st =
 (o {
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex e cd st' "gas st - g"] `¬st. gas st > costs (NEW i xe val) e ccd st;
 ultimately show ?thesis using st'_def by simp
 next
 assume "¬ b = ShowL<sub>bool</sub> False"
 with 4(1) stmt_def `¬ gas st ≤st. st();
 qed
 qed
 next
 case TAddr
 with 4(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value show ?thesis using stmt.psimps(4) g_def st'_def st''_def by simp
 qed
 next
 case (Calldata x2)
 with 4(1) stmt_def \not gas st ≤?tusing stmt.psimps(4 g_def st'_def st''_def by simp
 next
 case (Memory x3)
 with 4(1) stmt_def `¬ gas st ≤, _) ←_. ep $$ i);
 
 case (Storage x4)
 with 4(1) stmt_def `¬l, cd_lm ) xe e' emptyStore emptyStore emptyStore e cd);
 qed
 next
 case (KCDptr x2)
 with 4(1) stmt_def `¬>option Err (λst. transfer (address e) adv v (accounts st));
 next
 case (KMemptr x3)
 with 4(1) stmt_def `¬ gas st ≤ g` n Pair show ?thesis using stmt.psimps(4) g_def st'_def st''_def by simp
 next
 case (KStoptr x4)
 with 4(1) stmt_def `¬c e_l;
 qed
 qed
 next
 case (e e)
 with 4(1) stmt_def `¬ gas st ≤modify (incrementAccount (address e))
 qed
 ed
 qed
 
 case (5 ex s0 e cd st)
 define g where "g = costs (W
 show ?case
  allI[OF impI])
 fix st6'
 assume stmt_def: "stmt (WHILE ex s0) e cd st = Normal ((), st6')"
 then show "gas st6' ≤ gas st"
 proof cases
 assume "gas st \<le Again, to prove termination we need a lemma regarding gas consumption.›
 with 5(1) stmt_def show ?thesis using stmt.psimps(5) g_def by simp
 next
 assume gcost: "🚫et.pinduct[here ="\s6 ev6 cd6 st6. (∀ gas st6'\le gas st6)"
 then have l1: "assert Gas (λ
 define st' where "st' = st(gas := gas st - g)
 then have l2: " modify (λ
 show ?thesis
 proof (cases "expr ex e cd st' (gas st - g)")
 case (n a g')
 define st'' where "st'' = st'(
 with n have l3: "toState (expr ex e cd) st' = Normal (a, st'')" using st'_def by simp
 then show ?thesis
 proof (cases a)
 case (Pair b c)
 then show ?thesis
 proof (cases b)
 case (KValue b)
 then show ?thesis
 proof (cases c)
 ase(alue x1
 then show ?thesis
 proof (cases x1)
 case (TSInt x1)
 with 5(1) stmt_def gcost n Pair KValue Value show ?thesis using stmt.psimps(5) g_def st'_def by simp
 next
 case (TUInt x2)
 with 5(1) stmt_def gcost n Pair KValue Value show ?thesis using stmt.psimps(5) g_def st'_def by simp
 next
 case TBool
 then show ?thesis
 proof cases
 assume "b = ShowL<sub>b</sub> gas st ≤
 then ow ?thess
 proof (cases "stmt s0 e cd st''")
 case n2: (n a st''')
java.lang.NullPointerException
 with 5(3) stmt_def gcost n2 Pair KValue Value TBool `b = ShowL_b\<        define
java.lang.NullPointerException
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex e cd st' "gas st - g"] `¬ gas st ≤ g` n Paithen hw thes
 ly sow ?thesis uigs'df by sii
 next
 case (e x)
java.lang.NullPointerException
 qed
 next
 assumecase (Vaue t)
 show ?thesis
 proof cases
java.lang.NullPointerException
 with 5(1) gcost n Pair KValue Value TBool nt hpro (cases "lexp lv en cd s g'")
 with stmt_def have "gas st6' ≤ gas case n2 (n a g')
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex e cd st' "gas st - g"] `¬
 ultimately show ?thesis using g_def st'_def st''_def by simp
 next
 assume "¬
 with 5(1) stmt_def gcost n Pair KValue Value TBool nt show ?thesis using stmt.psimps(5) g_def st'_def st''_def by simp
 qed
 
 next
 case TAddr
 with 5(1) stmt_def gcost n Pair KValue Value show ?thesis using stmt.psimps(5) g_def st'_def st''_def by simp
 qed
 next
 case (Calldata x2)
 with 5(1) stmt_def gcost n Pair KValue show ?thesis using stmt.psimps(5) g_def st'_def st''_def by simp
 next
 case (Memory x3)
 with 5(1) stmt_def gcost n Pair KValue show ?thesis using stmt.psimps(5) g_def st'_def st''_def by simp
 next
 case (Storage x4)
 with 5(1) stmt_def gcost n Pair Kashow ?thesis sing stmtsimps(5) g_def st'_deef st''_deby sim
 qed
 next
 case (KCDprx2)
 with 5(1 case s3: (Some v')
 next
 tr 3)
 with 5(1) stmt_def gcost n Pair show ?thesis using stmt.psimps(5) g_def st'_def st''_def by simp
 next
 case (KStoptr x4)
 ith 5(1) stmtt_deef gcost n Pair showhow ?thesis usins using stmsimps( g_def stdef st''f y simp
 qed
 qed
 next
 case (e e)
 with 5(1) stmt_def gcost show ?thesis using stmt.psimps(5) g_def st'_def by simp
 qed
 qed
 qed
 
 case (6 i xe e cd st)
 efinegwhere = costs (INVOVOKE e) e cd st"
 show ?case
 proof (rule allI[OF impI])
 fix st6' assume a1: "stmt (INVOKE i xe) e cd st = Normal ((), st6')"
 show "gas st6' ≤ gas st"
 proof (cases)
 assume "gas st ≤calldata x2))
 with 6(1) a1 show ?thesis using stmt.psimps(6) g_def by simp
 next
 assume gcost: "¬ gas st ≤ g"
 then have l1: "assert Gas (λst. costs (INVOKE i xe) e cd st < gas
 define st' where "st' = st("
 then have l2: "modify (λst. st(gas := gas st - costs (INVOKE i xe) e cd st)
 then show ?thesis
 proof (cases "ep $$ contract e")
 case with (1 ttde \not gas st ≤usng stmt.psims()g_def st_dest''_def s
 with 6(1) a1 gcost show ?thesis using stmt.psimps(6) g_def by simp
 next
 case (Some x)
 then have l3: "option Err (λ_. ep $$ contract e) st' = Normal (x, st')" by simp
 then show ?thesis
 proof (cases x)
 case (fields ct _ _)
 then sh?thesis
 proof (cases "fmlookup ct i")
 case None
 with 6(1) g_def a1 gcost Some fields show ?thesis using stmt.psimps(6) by simp
 next
 case s1: (Some a)
 then show ?thesis
 proof (cases a)
 case (Method x1)
 then show ?thesis
 proof (cases x1)
 case p1: (fields fp ext f)
 then show ?thesis
 proof (cases ext)
 case True
 with 6(1) a1 g_def gcost Some fields s1 Method p1 show ?thesis using stmt.psimps(6) st'_def by auto
 next
 case False
 then have l4: "(case ct $$ i of None ==>
 | Some (Method (fp, Fawith 2(1) stdef`\<ot 
java.lang.NullPointerException
java.lang.NullPointerException
 and "e' = ffold (init ct) (emptyEnv (address e) (contract e) (sender e) (svalue e)) (fmdom ct)"
 then show ?thesis
 proof (cases "load False fp xe e' emptyStore emptyStore m_o e cd st' (gas st - g)")
 case s4: (n a g')
 define st'' where "st'' = st'(gas := g')"
 then show ?thesis
 proof (cases a)
 case f2: (fields e_l cd_l next
java.lang.NullPointerException
 define k gas st ≤
 then show ?thesis
 proof (cases "stmt f e_l (st''(:=k_l)
 case n2: (n a st''')
 with a1 g_def gcost Some fields s1 Method p1 m_{o_def} e'_def s4 f2 k_ytr (MVlevemo '>)")" by simp
 have "stmt (INVOKE i xe) e cd st = Normal ((), st'''(stack:=k₎"
 using stmt.psimps(6)[OF 6(1)] st'_def st''_def by auto
 with a1 have "gas st6' ≤m from xp_gas s `¬ast<le gas := g, sta:= updateStre l Vallue v') (stack st) ≤gas := g')
 also from 6(2)[OF l1 l2 l3 fields l4 _ _ _ l5, where ?s'g="st''(stack := k v d st' '"a t - g"] `¬ g` n Pair KValue Value n2 p1 have "gas (st'() ≤<parrgas
 have "…
java.lang.NullPointerException
 finally show ?thesis using st'_def by simp
 next
 case (e x)
 with 6(1) a1 g_def gcost Some fields s1 Method p1 m<sub>e</sub>)
 qed
 qed
 next
 case (e x)
 with 6(1) a1 g_def gcost Some fields s1 Method p1 m<sub>o_def</sub> e'_def show ?thesis using stmt.psimps(6) st'_def False by auto
 qed
 qed
 qed
 next
 case (Function _)
 with 6(1) g_def a1 gcost Some fields s1 show ?thesis using stmt.psimps(6) by simp
 next
 case case (Var _)
 with 6(1) g_def a1 gcost Some fields s1 show ?thesis using stmt.psimps(6) by simp
 qed
 qed
 qed
 qed
 qed
 qed
 
 case (7 ad i xe val e cd st)
 define g where "g = costs (EXTERNAL ad i xe val) e cd st"
 show ?case
 proof (rule allI[OF impI])
 fix st6' assume a1: "stmt (EXTERNAL ad i xe val) e cd st = Normal ((), st6')"
 show "gas st6' ≤ gas st ≤pLtoreoc hw ?thei usingm.imps(2) g_deff st_def st''f b simp
 proof (cases)
 assume "gas st ≤ g"
 with 7(1) a1 show ?thesis using stmt.psimps(7) g_def by simp
 next
 assume gcost: "¬ gas st ≤
 then hacas Stoa x4
 define st' where "st' = st(then sh ?thesiiis
 then have l2: " modify (λst. st(
 how ?sis
 proof (cases "expr ad e cd st' (gas st - g)")
 case (n a0 g')
 define st'' where "st'' = st'(gas := g')"
 with n have l3: "toState (expr ad e cd) st' = Normal (a0, st'')" using st'_def by next
 then show ?thesis
 proof (cases a0)
 case (Pair b c)
 then show ?thesis
 proof (cases b)
 case (KValue adv)
 then show ?thesis
 proof (cases c)
 case (Value x1)
 then show ?thesis
 proof (cases x1)
 case (TSInt x1)
 with 7(1) g_def a1 gcost n Pair KValue Value show ?thesis using stmt.psimps(7) st'_def by auto
 next
 case (TUInt x2)
 with 7(1) g_def a1 gcost n Pair KValue Value show ?thesis using stmt.psimps(7) st'_def by auto
 next
 case TBool
 with 7(1) g_def a1 gcost n Pair KValue Value show ?thesis using stmt.psimps(7) st'_def by auto
 nextpr(cacot' v "
 case TAddr
 then have l4: "(case a0 of (KValue adv, Value TAddr) ==> return adv | (KValue adv, Value _) \                          
 | (_, b) \<Rightarrow 
 then show ?thesis
 proof (cases "adv = address e")
 case True
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr show ?thesis using stmt.psimps(7) st'_def by auto
 ext
 case False
 then n have "ssetEr (\lambda_. adv ≠
 then show ?thesis
 proof (cases "type (accounts st'' adv)")
 case None
 with 7(1) g_def a1 st Pair alu Vaau TAdd Falselse show tei usin stmt.psimps(7 st'_dft'_def uto
 next
 case (Some x2)
 then show ?thesis
 proof (cases x2)
 case EOA
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some show ?thesis using stmt.psimps(7) st'_def st''_def by auto
java.lang.StringIndexOutOfBoundsException: Index 145 out of bounds for length 24
 case (Contract c)
 then have l6: "(λst. case type (accounts st adv) of Some (Contract c) ==> return c st | _ ==> throw Err s
 then shohesis
 proof (cases "ep $$ c")
 case None
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Contract Some show ?thesis using stmt.psimps(7) st'_def st''_def by auto
 next
 case s2: (Some x)
 then show ?thesis
 proof (cases x)
 case p2: (fields ct x0 fb)
 then have l7: "option Err (λ_. ep $$ c) st'' = Normal ((ct, x0, fb), st'')" using s2 by simp
 then show ?thesis
 proof (cases "expr val e cd st'' (gas st'')")
 case n1: (n kv g'')
 define st''' where "st''' = st''(gas := g'')"
  l8: "toState (expr val e cd) st'' = Normal (kv, st''')" by simp
 then show ?thesis
 proof (cases kv)
 case p3: (Pair a b)
 then show ?thesis
 proof (cases a)
 case k2: (KValue v)
 then show ?thesis
 proof (cases b)
 case v: (Value t)
 then have l9: "(case kv of (KValue v, Value t) ==> return (v, t) | (KValue v, _) ==>case (Sorae xx4)
 show ?thesis
 proof (cases "convert t (TUInt 256) v")
 case None
 with 7(1) gqed
 next
 case s3: (Some v')
 define e' where "e' = ffold (init ct) (emptyEnv adv c (address e) v') (fmdom ct)"
 show ?thesis
 proof (cases "fmlookup ct i")
 case None
 show ?thesis
 proof (cases "transfer (address e) adv v' (accounts st''')")
 case n2: None
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Contract Some s2 p2 None n1 p3 k2 v False s3 show ?thesis using stmt.psimps(7)[OF 7(1)] st'_def st''_def st'''_def by simp
  neext
 case s4: (Some acc)
 then have l10: "option Err (λst. transfer (address e) adv v' (accounts st)) st''' = Normal (acc, st''')" by simp
java.lang.NullPointerException
 where "k<sub>o</sub> = stack st'''"
 and "m<sub>then</sub> show ?theheis
 show ?thesis
 proof (cases "stmt fb e' emptyStore (st'''(accounts := acc, stack:=emptyStore, memory:=em
 case n2: (n a st'''')
 with g_def a1 gcost n Pair KValue Value TAddr False Contract Some s2 p2 None n1 p3 k2 v s4
 have "stmt (EXTERNAL ad i xe val) e cd st = Normal ((), st''''(stack:=stack st''', memory := memory st'''))"
 using stmt.psimps(7)[OF 7(1)] st'_def st''_def st'''_def e'_def False s3 by simp
 with a1 have "gas st6' ≤
 also from 7(3)[OF l1 l2 l3 l4 l5 l6 l7 _ _ l8 l9 _ _ _ None l10, where ?s
 have "… ≤ gas (st'''(
 also from msel_ssel_expr_load_rexp_gas(3)[of val e cd st'' "gas st''"]
 have then show?thesi
 also from msel_ssel_expr_load_rexp_gas(3)[of ad e cd st' "gas st - g"]
 have "…e t') 
 finally show ?thesis using st'_def by simp
 next
 case (e x)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 None n1 p3 k2 v s4 s3 show ?thesis using stmt.psimps(7)[of ad i xenext
 qed
 qed
 xt
 case s1: (Some a)
 then show ?thesis
 proof (cases a)
 case (MeMry x3x3)
 then show ?thesis
 proof (cases x1)
 case p4: (fields fp ext f)
 then show ?thesis
 proof (cases ext)
 case True
 then show ?thesis
 proof (cases "load True fp xe e' emptyStore emptyStore emptyStore e cd st''' (gas st''')")
 case s4: (n a g''')
 define st'''' where "st'''' = st'''((Some)
 then show ?thesis
 proof (cases a)
java.lang.NullPointerException
 then have l10: "toState (lo case (KValue x)
 show ?thesis
  proof (cases "transfer"tranfer (a(aesse) adv v v' (accounts ''')")
 case n2: None
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 s1 Method p4 n1 p3 k2 v s3 f1 e'_def True s4 show ?thesis using stmt.psimps(7)[of ad i xe val e cd st] st'_def st''_def st'''_def st''''_def by simp
  next
 case s5: (Some acc)
 then have l11: "option Err (λ
java.lang.NullPointerException
java.lang.NullPointerException
  sow ?thesis 
 proof (cases "stmt f e<sub>l</sub> cd gas st ≤ usig stmt.psimppsimps(2)s(2) g_def sdef t'defdby (simp splt:i_split_m)
 case n2: (n a st''''')
java.lang.NullPointerException
 have "stmt (EXTERNAL ad i xe val) e cd st = Normal ((), st'''''( gas st ≤ta MTAr n2 LLSkloc Memory s3 KMeMer
 using stmt.psimps(7)[of ad i xe val e cd st] st'_def st''_def st'''_def st''''_def True False by simp
 with a1 have "gas st6' ≤
 also from 7(2)[OF l1 l2 l3 l4 l5 l6 l7 _ _ l8 l9 _ _ _ s1 Method _ _ _ l10 _ _ _ l11, where ?s'm="st''''(asing 2[2]dedfs'_''_e by
 have "… '''\<accounts 
 also from msel_ssel_expr_load_rexp_gas(4)[of True fp xe e' emptyStore emptyStore emptyStore e cd st''' "gas st'''"]
 have "…s s3 st'_ef st''_dst'''_de'_de st''''_dedef f1 sy simp
 also from msel_ssel_expr_load_rexp_gas(3)[of val e cd st'' "gas st''"]
 have "… ≤ gas st''" using n1 st'_def st''_def st'''_def by fastforce
 also from msel_ssel_expr_load_rexp_gas(3)[of ad e cd st' "gas st - g"]
 have "… ≤ gas st'" using n st'_def st''_def st'''_def by fastforce
 finally show ?thesis using st'_def by simp
 next
 case (e x)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 s1 Method p4 n1 p3 k2 v k<sub>o_def</sub>
java.lang.StringIndexOutOfBoundsException: Index 50 out of bounds for length 45
 qed
 qed
 next
 case (e x)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 s1 Method p4 n1 p3 k2 v e'_def True s3 show ?thesis using stmt.psimps(7) st'_def st''_def st'''_def by simp
 qed
 next
 case ft> s st≤ TArray2 p2 LStackloc oc Storashow hesis usistmt.psip()gdft'_def st''_'_def '''f by simp
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 s1 Method p4 n1 p3 k2 v s3 show ?thesis using stmt.psimps(7) st'_def st''_def st'''_def by simp
 qed
 qed
 next
 case (Function _)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 s1 n1 p3 k2 v s3 show ?thesis using stmt.psimps(7) st'_def st''_def st'''_def by simp
 next
 case (Var _)
 with71ef acstnPar Kalue Value TdrFleSom s2 CContract ps 1p 2 s3show s usgstmt.psimps(7) st'_def st''def st'''_def by simp
 qed
 qed
 qed
 next
 case (Calldata x2)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 n1 p3 k2 show ?thesis using stmt.psimps(7) st'_def st''_def st'''_def by simp
 next
 case (Memory x3)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2
 next
 case (Storage x4)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 n1 p3 k2 show ?thesis using stmt.psimps(7) st'_def st''_
 qed
 next
 case (KCDptr x2)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 n1 p3 show ?thesis using stmt.psimps(7) st'_def st''_def st'''_def by simp
 next
 case (KMemptr x3)
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 n1 p3 show ?thesis using stmt.psimps(7) st'_def st''_def st'''_def by simp
 next
 
 with 7(1) g_def a1 gcost n Pair KValue Value TAddr False Some s2 Contract p2 n1 p3 show ?thesis using stmt.psimps(7) st'_def st''_def st'''_def by simp
 qed
 qed
 next
 case n2: (e x)
 with 7(1) g_ 1 gcost n Pair KVlue Valaddase Som2 Ctact p2 sthsgstpsmpsps(s(7) s_dest'dfsimp 
 qed
 qed
 qed
 qed
 qed
 qed
 qed
 next
 case (Calldata x2)
 with 7(1) g_def a1 gcost n Pair KValue show ?thesis using stmt.psimps(7) st'_def st''_def by simp
 next
 case (Memory x3)
 with 7(1) g_def a1 gcost n Pair KValue show ?thesis using stmt.psimps(7) st'_def st''_def by simp
 next
 case (Storage x4)
 with 7(1) g_def a1 gcost n Pair KValue show ?thesis using stmt.psimps(7) st'_def st''_def by simp
 qed
 next
 case (KCDptr x2)
 with 7(1) g_def a1 gcost n Pair show ?thesis using stmt.psimps(7) st'_def st''_def by simp
 next
 case (KMemptr x3)
 with 7(1) g_def a1 gcost n Pair show ?thesis using stmt.psimps(7) st'_def st''_def by simp
 next
 case (KStoptr x4)
 with 7(1) g_def a1 gcost n Pair show ?thesis using stmt.psimps(7) st'_def st''_def by simp
 qed
 qed
 next
 case (e _)
 with 7(1) g_def a1 gcost show ?thesis using stmt.psimps(7) st'_def by simp
 qed
 qed
 qed
java.lang.StringIndexOutOfBoundsException: Index 193 out of bounds for length 4
 case ase (Soe m)
 define g where "g = costs (TRANSFER ad ex) e cd st"
 show ?case
 proof (rule allI[OF impI])
 fix st6' assume stmt_def: "stmt (TRANSFER ad ex) e cd st = Normal ((), st6')"
 show "gas st6' e gas st"
 proof cases
 assume "gas st ≤
 with 8 stmt_def g_def show ?thesis using stmt.psimps(8)[of ad ex e cwithstmt_ havave "st6'= st'''\<>memory
 next
 assume "¬ gas st ≤xprr_lod_rexpgas(3)[not> gas st ≤ g` n Pair have "gas st'' ≤ gas st'" using st'_def st''_def by simp
 then have l1: "assert Gas (λst. costs (TRANSFER ad ex) e cd st < gas st) st = Normal ((), st) " using g_def by simp
 define st' where "st' = st("
 then have l2: " modify (λst. st(gas := gas st - costs (TRANSFER ad ex) e cd st)) st = Normal ((), st')" using g_def by simp
 show ?thesis
 proof (cases "expr ad e cd st' (gas st - g)")
 case (n a0 g')
 define st'' where "st'' = st'(gas := g')"
 with n have l3: "toState (expr ad e cd) st' = Normal (a0, st'')" using st'_def by simp
 siss
 proof (cases a0)
 case (Pair b c)
 then show ?thesis
 proof (cases b)
 case (KValue adv)
 then show ?thesis
 proof (cases c)
 case (Value x1
 then show ?thesis
 proof (cases x1)
 case (TSInt x1)
 with 8(1) stmt_def `\<not gas st ≤ g` n Pair KValue Value g_def show ?thesis using stmt.psimps(8) st'_def st''_def by simp
 next
 case (TUInt x2)
 with 8(1) stmt_def `¬ gas st ≤
 next
 case TBool
 with 8(1) stover from lepgs `\>gas st ≤ldt MTrry n2 p2 have "gas"a st' ≤
 next
 case TAddr
 then have l4: "(case a0 of (KValue adv, Value TAddr) ==> return adv | (KValue adv, Value _) ==> throw Err | (KValue adv, _) ==>
 | (_, b) ==> throw Err) st'' = Normal (adv, st'')" using Pair KValue Value by simp
 then show ?thesis
 proof (cases "expr ex e cd st'' (gas st'')")
 case n2: (n a1 g'')
 define st''' where "st''' = st''(gas := g'')"
 with n2 have l5: "toState (expr ex e cd) st'' = Normal (a1, st''')" by simp
 then show ?thesis
 proof (cases a1)
 case p2: (Pair b c)
 then show ?thesis
 proofn
 case k2: (KValue v)
 then show ?thesis
 proof (cases c)
 case v2: (Value t)
 then have l6: "(case a1 of (KValue v, Value t) ==> return (v, t) | (KValue v, _) ==>
 then show ?thesis
 proof (cases "convert t (TUInt 256) v")
 case None
 with 8(1) stmt_def g_def `¬ gas st ≤b simp
 next
 case (Some v')
 then show ?thesis
 proof (cases "type (accounts st''' adv)")
 case None
 with 8(1) stmt_def g_def `¬ gas st ≤ g` n Pair KValue Value n2 p2 k2 v2 T
 next
 case s0: (Some a)
 then show ?thesis
 proof (cases a)
 case EOA
 then show ?thesis
 proof (cases "transfer (address e) adv v' (accounts st''')")
 case None
  8(1) stmt_def g_def `¬ g` n Pair KValue Value n2 p2 k2 v2 ddr Some E s0 sho ?thesisusinng stmt.psimps(8) st'_def s_def ''_dest'''_de sim
 next
 case s1: (Some acc)
 then have l7: "option Err (λst. transfer (address e) adv v' (accounts st)) st''' = Normal (acc, (C x)
  gas st ≤
 have "stm
 with stmt_def have "gas st6' = gas (st'''(accounts:=acc)
 also from msel_ssel_expr_load_rexp_gas(3)[of ex e cd st'' "gas st''"]
 have "… ≤
 also from msel_ssel_expr_load_rexp_gas(3)[of ad e cd st' "gas st - g"]
 have "… ≤gas := g'')
 finallyshoow ?se si
 qed
 next
 case (Contract c)
 then show ?thesis
 proof (cases "ep $$ c")
 case None
 with 8(1) stmt_def g_def `¬ gas st ≤
 next
 case s2: (Some a)
 then show ?thesis
 proof (cases a)
 case p3: (fields ct cn f)
 
 define e' where "e' = ffold_init ct (emptyEnv adv c (address e) v') (fmdom ct)"
 show ?thesis
 proof (cases "transfer (address e) adv v' (accounts st''')")
 case None
  with 8(1) stmt_def g_def `¬ g` n Pair KValue Value n2 p2 k2 v2 TAddr Contract Some s2 p3 s0 show ?thesis using stmt.''_def by simp
 next
 case s3: (Some acc)
 then have l8: "option Err (λst. transfer (address e) adv v' (accounts st)) st''' = Normal (acc, st''')" by simp
 then show ?thesis
 proof (cases "stmt f e' emptyStore (st'''(emory:=emptyStore)
 case (nst'''')
 with 8(1) `¬ gas st ≤
 have "stmt (TRANSFER ad ex) e cd st = Normal ((),st''''()" using e'_def stmt.psimps(8)[of ad ex e cd st] st'_def st''_def st'''_def by simp
 with stmt_def have "gas st6' ≤s🚫 gas st ≤ g` n Pair KMemptr Memory MTArray n2 p2 have "gas st''' ≤ gas st''" using st''_def st'''_def by simp
 alsoromm 8(2)[OF l1 l2 4l 6,off v t _ _ "accunts st'''" "st''', F__l8,her ?s'="st'''\lparrcut: cc,sack = emptySor,memory :=ptyStr\rparr>"] `🚫
 have "… ≤
 also from msel_ssel_expr_load_rexp_gas(3)[of ex e cd st'' "gas st''"]
 have "…
 case None
 have "… gat \le g` n Pair KMemptr Memory MTArray n2 p2 LStackloc Storage show ?thesis using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 nextx
 case (e x)
 with 8(1) `¬
 qed
 qed
 qed
 qed
 qed
 qed
 qed
 next
 case (Calldata x2)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair KVal
 next
 case (Memory x3)
 with 8(1) stmt_def `¬
 next
 case (Storage x4)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value TAddr n2 p2 k2 g_def show ?thesis using stmt.psimps(8) st'_def st''_def st'''_def by simp
 qed
 next
 case (KCDptr x2)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value TAddr n2 p2 g_def show ?thesis using stmt.psimps(8) st'_def st''_def st'''_def by simp
 next
 case (KMemptr x3)
 with 8(1) stmt_def `¬
 next
 case (KStoptr x4)
 with 8(1) stmt_def `¬with 2(1) `¬ \>g` n Pair KMemptr Memory MTArray n2 p2 LStackloc Storage s3 KStoptr
 qed
 qed
 next
 case (e e)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair KValue Value with stdefs''lparr>storage := (storage st''') (address env := s))" by simp
 qed
 qed
 next
 case (Calldata x2)
 with 8(1) stmt_def `¬ gas st ≤ gas st ≤my TArra n2 p2 have "gas st''' e gas st''" using g_def s'_def st''_df st'''_'_defb smp
 next
 case (Memory x3)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair KValue g_def show ?thesis using stmt.psimps(8) st'_def st''_def by simp
 next
 case (Storage x4)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair KValue g_def show ?tqed
 qed
 next
 case (KCDptr x2)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair g_def show ?thesis using stmt.psimps(8) st'_def st''_def by simp
 next
 case (KMemptr x3)
 with 8(1) stmt_def `¬ gas st ≤ g` n Pair g_def show ?thesis using stmt.psimps(8) st'_def st''_dnext
 next
 case (KStoptr x4)
 with 8(1) stmt_def `¬as\<e ` n Pair g_def show ?thesis using stmt.psimps(8) st'_def st''_def by simp
 qed
 
 next
 case (e e)
 with 8(1) stmt_def `¬memory := updateStore l (MPointer p) (memory st'''))
 qed
 qed
 qed
 
 case (9 id0 tp s<^> 
 define g where "g = costs (BLOCK ((id0, tp), None) s) e_v cd st"
 show ?case
 proof (rule allI[OF impI])
 fix st6' assume stmt_def: "stmt (BLOCK ((id0, tp), None) s) e_v cd st = Normal ((), st6')"
 show "gas st6' ≤ gas st"
 proof roof (cases "cpm2s p l x t (memo s'' soge st'' (addressenv))")
 assume "gas st ≤ g"
 with 9 stmt_def g_def show ?thesis using stmt.psimps(9) by simp
 next
 assume "¬ gas st ≤ g"
 then have l1: "assert Gas (λst. costs (easeSome s)
 define st' where "st' = st(gas := gas st - g) gas st ≤
 then have l2: "modify (λx) en st =ormal ((,s'''(:= (storage st''') (address env := s)))"
 show ?thesis
java.lang.NullPointerException
 case n2: None
 with 9 stmt_def `¬ gas st ≤ g` tmt_deff have "st6'= stt''(:= (storage st''') (address env := s))" by simp
 next
 case (Some a)
 st, e<<^')"y sy simp
 then show ?thesis
 proof (cases a)
 case (fields cd' mem' sck' e')
 with 9(1) stmt_def `¬ gas st ≤ g` g_def have "stmt (BLOCK ((id0, tp), None) s) e_ultimately show ??thesis using _dey simp
 with 9(2)[OF l1 l2 l3] stmt_def `¬ gas st ≤ g` fields g_def have "gas st6' ≤
 then show ?thesis by simp
 qed
 qed
 qed
 qed
 
 case (10 id0 tp ex' s e_v cd st)
java.lang.NullPointerException
 show ?case
 proof (rule allI[OF impI])
 fix st6' assume stmt_def: "stmt (BLOCK with2() stmt_def `<not  st ≤ g` n Pair KMemptr Memory show ?thesis using stmt.psimps() _def'df '_fb smp
 show "gas st6' ≤ ext
 proof cases
 assume "gas st ≤ g"
 with 10 stmt_def g_def show ?thesis using stmt.psimps(10) by simp
 next
 assume "¬
java.lang.NullPointerException
 define st' where "st' = st(gas := gas st - g)"
 then have l2: "modify (λst. st(
 
 proof (cases "expr ex' e_v cd st' (gas st - g)")
 case (n a g')
 define st'' where "st
java.lang.NullPointerException
 then show ?thesis
 proof (cases a)
 case (Pair v t)
  show ?thesis
 proof (cases "decl id0 tp (Some (v, t)) False cd (memory st'') (storage st'') (cd, memory st'', stack st'', e_v)")
 case None
 with 10(1) stmt_def `¬ gas st ≤ g` n Pair g_def show ?thesis using stmt.psimps(10) st'_def st''_def by simp
 next
 case s2: (Some a)
 
 then show ?thesis
 proof (cases a)
 case (fields cd' mem' sck' e')
 with 10(1) stmt_def `¬')
 with 10(2)[OF l1 l2 l3 Pair l4 fields, where s'd="st''(' = '(as := g'')
 moreover from msel_ssel_expr_load_rexp_gas(3)[of ex' e<sub>v</sub>(ces)
 ultimately show ?thesis using st'_def by simp
 qed
 qed
 qed
 next
 case (e e)
 with 10 stmt_def `¬ gas st ≤ g` g_def show ?thesis using stmt.psimps(10) st'_def by simp
 qed
 qed
 qed
 
 case11i xe val e cd st)
 define g where "g = costs (NEW i xe val) e cd st"
 show ?case
 proof (rule allI[OF impI])
 fix st6' assume a1: "stmt (NEW i xe val) e cd st = Normal ((), st6')"
 show "gas st6' ≤
 proof (cases)
 assume "gas st ≤ g"
 with 11(1) a1 show ?thesis using stmt.psimps(11) g_def by simp
 next
 assume gcost: "¬ gas st ≤ g"
 then have l1: "assert Gas (λs3: (Some)
 define st' where "st' = st(gas := gas st - g)"
 then have l2: "modify (λst. st(gas := gas st - costs (NEW i xe val) e cd st)) st = Normal ((), st')"caseValuee)
 define adv where "adv = hash (address e) (ShowL<sub>n(</sub>)st_def `¬ g` n Pair KStoptr Storage STArray n2 p2 LStackloc Memory s3 show ?thesis using
 then show ?thesis
 proof (cases "type (accounts st' adv) = None")
 case T
 then show ?thesis
 proof (cases "expr val e cd st' (gas st')")
 case n0: (n kv g')
 define st'' where "st'' = st'(gas := g')
 nhavee l4 totate (expr e d' =Normal (kvv, st'')" using by simp
 then show ?thesis
 proof (cases kv)
 case p0: (Pair a b)
 then show ?thesis
 proof (cases a)
 case k0: (KValue v)
 then show ?thesis
 proof (cases b)
 case v0: (Value t)
 then show ?thesis
 proof (cases "ep $$ i")
 case None
 with a1 gcost g_def True n0 p0 k0 v0
 show ?thesis using st using stmt.psimps(2) g_def st'_def st''_def st'''_def by simp
 next
 case s0: (Some a)
 then have l5: "option Err (λ_. ep $$ i) st'' = Normal (a, st'')" by si with stmt_def have "st6' "st6'= st''(" b im
 then show ?thesis
 proof (cases a)
 case f0: (fields ct cn _)
 define e' where "e' = ffold_init ct (emptyEnv adv i (address e) v) (fmdom ct)"
 then show ?thesis
  pof(aes "load True (fst cn) xe e emptySttore emptyStore emptySto cd st'' (gas st'')")
 case n1: (n a g'')
 define st''' where "st''' = st''(gas := g'')"
 then have l6: "toState (load True (fst cn) xe e' emptyStore emptyStore emptyStore e cd) st'' = Normal (a, st''')" using n1n
 then show ?thesis
 proof (cases a)
java.lang.NullPointerException
java.lang.NullPointerException
 then show ?thesis
 proof (cases "transfer (address e) adv v (accounts st'''')")
 case None
 with a1 gcost g_def True n0 p0 k0 v0 s0 f0 n1 f1
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def e'_def st'_def st''_def st'''_def st''''_def by (simp add:Let_def)
 next
 case s1: (Some acc)
java.lang.NullPointerException
 hen o ?thesis
 moreover fromlexp_gs `\<> or l KSttopt p) tks''') gas st''" using g_def st'dfs'_ef t''dfb simp
 case (n a st'''''')
 define st''''''' where "st''''''' = st''''''("
 define st'''''''' where "st'''''''' = incrementAccountContracts (address e) st'''''''"
 from a1 gcost g_def True n0 p0 k0 v0 s0 f0 n1 f1 s1 n have "st6' = st''''''''"
 using st'_d
 stmt.psimps(11)[OF 11(1)] adv_def e'_def by (simp add:Let_def)
 then have "gas st6' = gas st''''''''" by simp
 also have "… ≤ gas st'''''''" using st''''''''_def incrementAccountContracts_def by simp
 also have "…> gas st''''''" using st'''''''_def by simp
 also have "…
 also have "…ef `¬gas st ≤_dfb simp
 also have "…
 also have "…
 also have "… ≤ gas st ≤topt trg Tra 2Lelc
 also have "… ≤, st'''(memory := m\rparr)"
 finally show ?thesis .
 next
 case (e e)
 with a1 got g_def n0 True p0 k0 v0 s0 f0 1f s1
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def e'_def st'_def st''_def st'''_def st''''_def st'''''_def by (simp add:Let_def)
 qed
 qed
 qed
 next
 case (e e)
 with a1 gcost g_def n0 True p0 k0 v0 s0 f0
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def e'_def st'_def st''_def by (simp add:Let_def)
 qed
 qed
 qed
 next
 case (Calldata x2)
 with a1 gcost g_def n0 True p0 k0
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def st'_def by simp
 next
 case (Memory x3)
 with a1 gcost g_def n0 True p0 k0
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def st'_def by simp
 next
 case (Storage x4)
 with a1 gcost g_def n0 True p0 k0
 
 qed
 next
 case (KCDptr x2)
 with a1 gcst gde 0re 0
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def st'_def by simp
 ext
 case (KMemptr x3)
 with a1 gcost g_def n0 True p0
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def st'_def by simp
 next
 case (KStoptr x4)
 th 1got gdef n0rue0
 w?hssusig tmtpips(1)[F 1(1]ddefst'_ef ysmp
 qed
 qed
 next
 case (e e)
 with a1 gcost g_def True
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def st'_def by simp
 qed
 next
 case False
  wih a1 cs gdf
 show ?thesis using stmt.psimps(11)[OF 11(1)] adv_def st'_def by (simp split:if_split_asm)
 qed
 qed
 qed
 

  ‹

  ‹

  sgas
 where "sgas l = gas (snd (snd (snd l)))"

  ssize
 where "ssize l = size (fst l)"

  stmt_dom_gas =
 match premises in s: "stmt _ _ __ = Nrml (_) nd d[tin]: "stm_dm_" \Rightarrow ‹
 msel_ssel_expr_load_rexp =
 match premises in e[thin]: "expr _ _ _ _ _ = Normal (_,_)" ==> ‹ have "s"st6'= st'''( l (KStoptr p) (stack st''')🚫 := updateSto l (KStoptr p) (stac st''')) gas st''" using g_def st'_def st''_def st'''_def by simp
 match premises in l[thin]: "load _ _ _ _ _ _ _ _ _ _ _ = Norma (_,_)" ==>insert msel_ssel_expr_load_rexp_gas(4)[OF l, THEN conjunct1]›
  costs =
  ult show ?thesis using st'_def by simp
 match premises in "costs (INVOKE i xe) e cd st < _
 match premises in "costs (EXTERNAL ad i xe val) e cd st < _
 match premises in "costs (TRANSFER ad ex) e cd st < _insert transfer_not_zero[of (unchecked) ad ex e cd st]› |
 match premises in "costs (NEW i xe val) e cd st < _" for i xe val and e::Environment and cd::CalldataT and st::State \                    

  stmt
 ply rltin "meauressgas,ssie]")
 apply (auto split: if_split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm option.split_asm Member.split_asm bool.split_asm atype.split_asm)
 apply ((stmt_dom_gas | msel_ssel_expr_load_rexp)+, costs?, simp)+
 done

  ‹

  ‹
 The following corollary is a generalization of @{thm [source] msel_ssel_expr_load_rexp_dom_gas}.
 We first prove that the function is defined for all input values and then obtain the final result as a corollary.
 >
  stmt_dom: "stmt_dom (s6, ev6, cd6, st6)"
 apply (induct rule: stmt.induct[where ?P="λs6 ev6 cd6 st6. stmt_dom (s6, ev6, cd6, st6)"])
 apply (simp_all add: stmt.domintros(1-10))
 apply (rule stmt.domintros(11), force)
 done

  stmt_gas = stmt_dom_gas[OF stmt_dom]

  skip:
 assumes "stmt SKIP ev cd st = Normal (x, st')"
 shows "gas st > costs SKIP ev cd st"
 and "st' = st(gas := gas st - costs SKIP e g` show ?thesis using stmt.psimps(2) g_def st'_def by simp
 using assms by (auto split:if_split_asm)

  assign:
 assumes "stmt (ASSIGN lv ex) ev cd st = Normal (xx, st')"
 obtains (1) v t g l t' g' v'
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - costs (ASSIGN lv ex) ev cd st) = Normal ((KValue v, Value t), g)"
 and "lexp lv ev cd (st(gas := g\definess)ec t
 and "convert t t' v = Some v'"
 and "st' = st(gas := g', stack := updateStore l (KVa proof (rul allI[OF impI])
 | (2) v t g l t' g' v'
 wheret6'
 and "lexp lv ev cd (st(gas := g)) g = Normal((LStoreloc l, ssume s stmt_def "mtCOPs s) ec t= oma () st')
 and "convert t t' v = Some v'"
 and "st' = st(gas := g', storage := (storage st) (address ev := (fmupd l v' (storage st (address ev)))))"
 | (3) v t g l t' g' v'
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)i(3b ip
 and "lexp lv ev cd (st(gas := g)) g = Normal((LMemloc l, Memory (MTVaassume "\oteg"
 and "convert t t' v = Some v'"
 and "st' = st(gas := g', memory := updateStore l (MValue v') (memory st))proof (cases "stmt s1 e cd cd (st()")
 | (4) p x t g l t' g' p' m
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - costs (ASSIGN lv ex) ev cd st) = Normal ((KCDptr p, Calldata (MTArray x t)), g)"
 and "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Memory t'),g')"
 and "accessStore l (stack st) = Some (KMemptr p')"
 ory st) = Some m"
 and "st' = st(gas := g', memory := m)"
 | (5) p x t g l t' g' p' s
 where "e ex v cd(st\<>as
 and "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Storage t'),g')"
 and "accessStore l (stack st) = Some (KStoptr p')"
 and "cpm2s p p' x t cd (storage st (address ev)) = Some s"
 and "st' = st(gas := g', storage := (storage st) (address ev := s))"
 | (6) p x t g l t' g' s
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - qed
 and "lexp lv ev cd (st(gas := g)) g = Normal((LStoreloc l, t'),g')"
 and "cpm2s p l x t cd (storage st (address ev)) = Some s"
 and "st' = st(gas := g', storage := (storage st) (address ev := s))"
 | (7) p x t g l t' g' m
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - costs (ASSIGN lvnext
 and "lexp lv ev cd (st(gas := g)) g = Normal((LMemloc l, t'),g')"
 and "cpm2m p l x t cd (memory st) = Some m"
 and "st' = st(
 | (8) p x t g l t' g'
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) ( ix stst
 gas := g)) = Normal(Stcklo , emor t'),g'
 and "st' = st(gas := g', stack := updateStore l (KMemptr p) (stack st))"
 | (9) p x t g l t' g' p' s
 where "expr ex ev cd (st(
 assume ast≤
 and "accessStore l (stack st) = Some (KStoptr p')"
 and "cpm2s p p' x t (memory st) (storage st (address ev)) = Some s"
 and "st' = st( gas st ≤
 | (10) p x t g l t' g' s
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - costs (ASSIGN lv ex) ev cd st) = Normal ((KMemt p,emry (MAra xt), )"
 and "lexp lv ev cd (st() g = Normal((LStorelocl, ')g')
 and "cpm2s p l x t (memory st) (storage st (address ev)) = Some s"
 and "st' = st("
 | (11) p x t g l t' g'
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - costs (ASSIGN lv ex) ev cd st) = Normal ((KMemptr p, Memory (MTArray x t)), g)"
 and "lexp lv ev cd (st(
 and "st' = st(gas := g')"
 | (12) p x t g l t' g' p' m
 here eprex evcd st\lparrga := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - costs (ASSIGN lv ex) ev cd st) = Normal ((KStoptr p, Storage (STArray x t)), g)"
 and "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Memory t'),g')"
 and "accessStore l (stack st) = Some (KMemptr p')"
 and "cps2m p p' x t (storage st (address ev)) (memory st) = Some m"
 and "st' = st(gas := g', memory := m)"
 | (13) p x t g l t' g'
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)
 and "lexp lv ev cd (st(
 and "st' = st(gas := g', stack then shw hes
 | (14) p x t g l t' g' s
 where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)
 and "lexp lv ev cd (st(gas := g)) g = Normal((LStoreloc l, t'),g')"
 and "copy p l x t (storage st (address ev)) = Some s"
 and "st' = st("
 | (15) p x t g l t' g' m
 where "expr ex ev cd (st(
 and "lexp lv ev cd (st(
 and "cps2m p l x t (storage st (address ev)) (memory st) = Some m"
 "t'' = st\lparr := g', memory := m)"
 | (16) p t t' g l t'' g'
 where "expr ex ev cd (st(
 and "lexp lv ev cd (st(
 and "st' = st(
  -
 from assms consider
 (1) v t g where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st) (gas st - cots AINl x ecds)=Noral(Kae v, Vaet) )"
 | (2) p x t g where "expr ex ev cd (st(\rparr (gas st - costs (ASSIGN lv ex) ev cd st) = Normal ((KCDptr p, Calldata (MTArray x t)), g)"
 | (3) p x t g where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)with 4(2)[O l l2 3 sm_ef`\not> gas s st ≤ g` n Pair KValue Value TBool `b = ShowL<sub>bo</sub> gas st''" using g_def by simp
 | (4) p x t g where "expr ex ev cd (st(f eec s'"asst -g]\not ggas st ≤ g` n Pair KValue Value TBool have "gas st'' ≤
 | (5) p t t' g where "expr ex ev cd (st(gas := gas st - costs (ASSIGN lv ex) ev cd st)) (gas st - costs (ASSIGN lv ex) ev cd st) = Normal ((KStoptr p, Storage (STMap t t')), g)"
 by (auto split:if_split_asm result.split_asm Stackvalue.split_asm Type.split_asm MTypes.split_asm STypes.split_asm)
 then show ?thesis
 proof cases
 case 1
 with assms consider
 (11) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Value t'),g')"
 | (12) l t' g' where "lexp lv cd (st<>gas
 | (13) l t' g' where "lexp lv ev cd (st( gas st ≤
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asmwith 4[Ol1l3 t_e`\>l g` n Pair KValue Value TBool nt `b = ShowL_\o gas st''" using g_efy imp
 then show ?thesis
 proof cases
 ase se 1
 with 1 assms show ?thesis using that(1) by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm)
 next
 case 12
 with 1 assms show ?thesis using that(2) by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm)
 next
 case 13
 with 1 assms show ?thesis using that(3) by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm)
 qed
 next
 case 2
 with assms consider
 (21) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Memory t'),g')"
 | (22) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Storage t'),g')"
 | (23) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStoreloc l, t'),g')"
 | (24) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LMemloc l, t'),g')"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm)
 then show ?thesis
 proof cases
 case 21
 moreover from assms 2 21 obtain p' where 3: "accessStore l (stack st) = Some (KMemptr p')"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 moreover from assms 2 21 3 obtain m where "cpm2m p p' x t cd (memory st) = Some m"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis using that(4) assms 2 21
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
 case 22
 moreover from assms 2 22 obtain p' wheqed
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 moreover from assms 2 22 3 4 obtain s where "cpm2s p p' x t cd (storage st (address ev)) = Some s"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis using that(5) assms 2 22
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
 case 23
 moreover from assms 2 23 3 4 obtain s where "cpm2s p l x t cd (storage st (address ev)) = Some s"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis using that(6) assms 2
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
 
 moreover from assms 2 24 obtain m where "cpm2m p l x t cd (memory st) = Some m"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis usingta(7asms 2
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 qed
 next
  3
 with assms consider
 (31) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Memory t'),g')"
 | (32) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Storage t'),g')"
 | (33) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStoreloc l, t'),g')"
 | (34) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LMemloc l, t'),g')"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm)
 then show ?thesis
 proof cases
 case 31
 then show ?thesis using that(8) assms 3 by (auto split:if_split_asm)
 next
 case 32
 obtainh:"acsstrl(a s)=Se(Sotp"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 moreover from assms 3 32 4 5 obtain s where "cpm2s p p' x t (memory st) (storage st (address ev)) = Some s"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm opti " t<le 
 ultimately show ?thesis using that(9) assms 3
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
 case 33
 moreover from assms 3 33 3 4 obtain s where "cpm2s p l x t (memory st) (storage st (address ev)) = Some s"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis using that(10) assms 3
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
  34
 then show ?thesis using that(11) assms 3
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)

 next
 case 4
 with assms consider
 (41) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStackloc l, Memory t'),g')"
 | (42) l t' g' where "lexp lv ev cd (st(gas := g)case (Pair c
 | (43) l t' g' where "lexp lv ev cd (st(gas := g)) g = Normal((LStoreloc l, t'),g')"
 | (44) l t' g' where "lexp lv ev cd (st(
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm)
 then show ?thesis
  as
 case 41
 moreover from assms 4 41 obtain p' where 5: "accessStore l (stack st) = Some (KMemptr p')"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 moreover from assms 4 41 5 6 obtain m where "cps2m p p' x t (storage st (address ev)) (memory st) = Some m"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis using that(12) assms 4
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
 case 42
 then show ?thesis using that(13) assms 4
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
 case 43
 moreover from assms 4 43 5 obtain s where "copy p l x t (storage st (address ev)) = Some s"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis using that(14) assms 4
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 next
 case 44
 moreover from assms 4 44 5 obtain m where "cps2m p l x t (storage st (address ev)) (memory st) = Some m"
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 ultimately show ?thesis using that(15) assms 4
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 qed
 next
 case 5
 then show ?thesis using that(16) assms
 by (auto split:if_split_asm result.split_asm Type.split_asm LType.split_asm MTypes.split_asm STypes.split_asm option.split_asm Stackvalue.split_asm)
 qed
 

 :
 assumes "stmt (COMP s1 s2) ev cd st = Normal (x, st')"
 obtains (1) st''
 where "gas st > costs (COMP s1 s2) ev cd st"
 and "stmt s1 ev cd (st(gas := gas st - costs (COMP s1 s2) ev cd st)
 and "stmt s2 ev cd st'' = Normal((), st')"
 using assms by (simp split:if_split_asm result.split_asm prod.split_asm)

  ite:
 assumes "stmt (ITE ex s1 s2) ev cd st = Normal (x, st')"
 
java.lang.NullPointerException
 and "expr ex ev cd (st(gas := gas st - costs (ITE ex s1 s2) ev cd st)
 and "stmt s1 ev cd (st(qed
  (False) g
 where "gas st > costs (ITE ex s1 s2) ev cd st"
 and "expr ex e with 5(1)stmt_def gcostn Pair KVl Vlueh heisusingsttpimps() g_dest'_ef s'_de b p
 and "stmt s2 ev cd (st(
 using assms by (simp split:if_split_asm result.split_asm prod.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm)

  while:
 assumes "stmt (WHILE ex s0) ev cd st = Normal (x, st')"
 obtains (True) g st''
 where "gas st > costs (WHILE ex s0) ev cd st"
 and "expr ex ev cd (st(
 and "stmt s0 ev cd (st(gas := g)
 and "stmt (WHILE ex s0) ev cd st'' = Normal ((), st')"
 | (False) g
 where "gas st > costs (WHILE ex s0) ev cd st"
java.lang.NullPointerException
 and "st' = st(gas := g)"
 using assms
  -
 from assms have 1: "gas st > costs (WHILE ex s0) ev cd st" by (simp split:if_split_asm)
 moreover from assms 1 have 2: "modify (λst. st(
 moreover from assms 1 2 obtain b g where 3: "expr ex ev cd (st(gas := gas st - costs (WHILE ex s0) ev cd st)
 ultimatelycase (Ktoptrx4
 then show ?thesis
 proof cases
 case True
 moreover from assms 1 2 3 True obtain st' where 4: "stmt s0 ev cd (st(gas := g)) = Normal ((), st')" by (simp split:resu
 moreover from assms 1 2 3 4 True obtain st'' next
 ultimately show ?thesis using 1 2 3 that(1) assms by simp
 next
 case False
 then show ?the qed
 next
 case None
 then show ?thesis using 1 2 3 assms by simp
 qed
 

  invoke:
 fixes ev
 defines "e' members ≡
 assumes "stmt (INVOKE i xe) ev cd st = Normal (x, st')"
 obtains ct fb fp f e_l cd_l k "gas6 ≤
 where "gas st > costs (INVOKE i xe) ev cd st"
 and "ep $$ contract ev = Some (ct, fb)"
 and "ct $$ i = Some (Method (fp, False, f))"
 oad ase p e' ct) mptySto emtStre(emoy(st\lparr := gas st - costs (INVOKE i xe) ev cd st))) ev cd (st(gas := gas st - costs (INVOKE i xe) ev cd<>) (gas st - costs (INVOKE i xe) ev cd st) = Normal ((e_l, cd_l, k_l, m_l), g)"
 and "stmt f e_l cd_l (st(st. costs (INVOKE i xe) e cd st < gas
 and "st' = st''(stack:=stack st)"
 
  sm hv 1: "gas s >cot (INOKE ix) evc st" bysm spitfspit_sm)
 moreover from assms 1 obtain ct fb where 2: "ep $$ (contract ev) = Some (ct, fb)" by (simp split: prod.split_asm result.split_asm option.split_asm)
 moreover from assms 1 2 obtain fp f where 3: "ct $$ i = Some (Method (fp, False, f))" by (simp split: pcase NNn
  fm ssms 123 ootain e\^>l cd ^sub>l m_" ase fpxe e c) epttoeeptyoe(mmoy(s\lparrgas := gas st - costs (INVOKE i xe) ev cd st))) ev cd (st(gas := gas st - ot(INVOEixe e c t<>)l, k_l), g)" by (simp split: prod.split_asm result.split_asm)
java.lang.NullPointerException
 moreover from assms 1 2 3 4 5 have "st' = st''(stack:=stack st)_. ep $$ contract e) st' = Norma (x "y
 ultimately show ?thesis using that by simp
 

  external:
 fixes ev
 defines "e' members adv c v ≡ ffold (init members) (emptyEnv adv c (address ev) v) (fmdom members)"
 mt (XTRNAL ad i xevall) ev c t Nomal , st')
java.lang.NullPointerException
 where "gas st > costs (EXTERNAL ad' i xe val) ev cd st"
 and "expr ad' ev cd (st(gas := gas st - costs (EXTERNAL ad' i xe val) ev cd st)then show ?thesis
 and "adv ≠
 and "type (accounts (st(gas := g)
 and "ep $$ c = Some (ct, cn, fb')"
 and "expr val ev cd (st(gas := g)
 and "convert t (TUInt 256) v = Some v'"
 and "fmlookup ct i = Some (Method (fp, True, f))"
 and "load True fp xe (e' ct adv c v') emptyStore emptyStore emptyStore ev cd (st(gas := g')) g' = Nor with 61)1 gde gct m eds1Mthdp show?teisusgstt.sp(6 t'_d bau
 and "transfer (address ev) adv v' (accounts (st(next
java.lang.NullPointerException
 ck st, emoy:= memory st)
 | (None) adv c g ct cn fb' v t g' v' acc st''
 where "gas st > costs (EXTERNAL ad' i xe val) ev cd st"
 and "expr ad' ev cd (st(gas := gas st - costs (EXTERNAL ad' i xe val) ev cd st)) (gas st - costs (EXTERNAL ad' i xe val) ev cd st) efine m e'
 and "adv ≠ address ev"
 and "type (accounts (st(gas := g)) adv) = Some (Contract c)"
 and "ep $$ c = Some (ct, cn, fb')"
java.lang.NullPointerException
 and "convert t (TUInt 256) v = Some v'"
 and "ct $$ i = None"
 and "transfer (address ev) adv v' (accounts st) = Some acc"
 and "stmt fb' (e' ct adv c v') emptyStore (st(gas := g', accounts := acc, stack:=emptyStore, memory:=emptyStore)) = Normal ((), st'')"
 and "st' = st''(stack:=stack st, memory := memory st)"
  -
 from assms have 1: "gas st > costs (EXTERNAL ad' i xe val) ev cd st" by (simp split:if_split_asm)
 moreover from assms 1 obtain adv g where 2: "expr ad' ev cd (st() (gas st - costs (EXTERNAL ad' i xe val) ev cd st) = Normal ((KValue adv, Value TAddr), g)" by (simp split: prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm)
java.lang.NullPointerException
 moreover from assms 1 2 3 obtain ct cn fb' where 4: "ep $$ c = Some (ct, cn, fb')" by (simp add: Let_def split: if_split_asm prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm option.split_asm)
 moreover from assms 1 2 3 4 obtain v t g' where 5: "expr val ev cd (st() g = Normal ((KValue v, Value t), g')" using 1 2 by (simp split: if_split_asm prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm option.split_asm)
 moreover fom sm 1 23 v <ess  gas st'''" by auto
java.lang.NullPointerException
 ultimately consider (Some) fp f where "ct $$ i = Some (Method (fp, True, f))" | (None) "fmlookup ct i = None" using assms by (simp add: Let_def split: if_split_asm prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Typesspltas ptionslt_sm Mmberspit_am bo.spitasm)
 then show ?thesis
 proof cases
 case (Some fp f)
java.lang.NullPointerException
 moreover from assms 1 2 3 4 5 6 7 Some 8 obtain acc where 9: "transfer (address ev) adv v' (accounts st) = Some acc" by (simp add: Let_def split: if_split_asm prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm option.split_asm Member.split_asm)
 moreover from assms 1 2 3 4 5 6 7 Some 8 9 obtain st'' where 10: "stmt f e_l cd\                        
 overrfom assm 1234 6 7Sme8 1 ave s = st'(" by (simp add: Let_def transfer_def split: if_split_asm prod.split_asm result.spli_am takvlu.pit_smTye.piasm yesspi_asmopinsplt_asm Membr.sli_as)
 ultimately show ?thesis using 1 2 3 4 5 6 7 that(1) by simp
 next
 case None
 moreover from assms 1next
 moreover from assms 1 2 3 4 5 6 7 None 8 obtain st'' where 9: "stmt fb' (e' ct adv c v') emptyStore (st(gas := g', acc case (e x
 moreover from assms 1 2 3 4 5 6 7 None 8 9 have "st' = st''(o_def e'_def show ?thesis using stmt.psimps(6) st'_def False by auto
 ultimately show ?thesis using 1 2 3 4 5 6 7 that(2) by simp
 qed
 

  transfer:
 fixes ev
 defines "e' members adv c st v ≡ ffold (init members) (emptyEnv adv c (address ev) v) (fmdom members)"
 assumes "stmt (TRANSFER ad ex) ev cd st = Normal (x, st')"
 obtains (Contract) v t g adv c g' v' acc ct cn f st''
 where "gas st > costs (TRANSFER ad ex) ev cd st"
 and "expr ad ev cd (st(gas := gas st - costs (TRANSFER ad ex) ev cd st)) with (1)dfagctSm fildss1so?hi un tmsms6byip
 and "expr ex ev cd (st(gas := g)
 and "convert t (TUInt 256) v = Some v'"
 and "type (accounts (st(gas := g)) adv) = Some (Contract c)"
 and "ep $$ c = Some (ct, cn, f)"
 and "transfer (address ev) adv v' (accounts st) = Some acc"
 and "stmt f (e' ct adv c (st(gas := g')) v') emptyStore (st(gas := g', accounts := acc, stack:=emptyStore, memory:=emptyStore)) = Normal ((), st'')"
 nd"'= t'🚫
 | (EOA) v t g adv g' v' acc
 where "gas st > costs (TRANSFER ad ex) ev cd st"
 and "expr ad ev cd (st(gas := g ix st6' asm a "m(XNAdi l cs=ol(,s'"
 show "s6 <e 
 and "convert t (TUInt 256) v = Some v'"
 and "type (accounts (st( g"
 and "transfer (address ev) adv v' (accounts st) = Some acc"
 and "st' = st(gas:=g', accounts:=acc)"
  -
 from asms hve "ga s cot(RASEa e)e c s" by(ipslt:f_split_asm)
 moreover from assms 1 obtain adv g where 2: "expr ad ev cd (st(gas := gas st - costs (TRANSFER ad ex) ev cd st)<gasst) st = Normal ((), st) " using g_def by simp
 moreover from assms 1 2 obtain v t g' where 3: "expr ex ev cd (st(gas := g)) g = Normal ((KValue v, Value t), g')" by (simp add: Let_def split: if_split_asm prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm)
 moreover from assms 1 2 3 obtain v' where 4: "convert t (TUInt 256) v = Some v'" by (simp add: Let_def split: if_split_asm prod hen have ll2: "moiy lambdast. st\<lparras) st = Normal ((), st')" using g_def by sip
 ultimately consider (Contract) c where "type (accounts (st(gas := g')) adv) = Some (Contract c)" | (EOA) "type (accountproof (c (ca exrd t gss )")
 then show ?thesis
 proof cases
 case (Contract c)
 moreover from assms 1 2 3 4 Contract obtain ct cn f where 5: "ep $$ c = Some (ct, cn, f)" by (simp add: Let_def split: if_split_asm prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm option.swith n have l: "toa exra ec t Nma (a t'"uns'efb sm
 moreover from assms 1 2 3 4 Contract 5 obtain acc where 6: "transfer (addre then sho thess
 moreover from assms 1 2 3 4 Contract 5 6 obtain st'' where 7: "stmt f (e' ct adv c (st(gas := g')) v') emptyStore (st((cas0
 moreover from assms 1 2 3 4 Contract 5 6 7 have "st' = st''(c)
 ultimately show ?thesis using 1 2 3 4 that(1) by simp
 next
 case EOA
 moreover from assms 1 2 3 4 EOA obtain acc where 5: "transfer (address ev) adv v' (accounts st) = Some acc" by (simp add: Let_def split: if_split_asm prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm Types.split_asm option.split_asm Member.split_asm)
 moreover from assms 1 2 3 4 EOA 5 have "st' = st(gas:=g', accounts:=acc)" by (simp add: Let_dpro(css )
 ultimately show ?thes case (Vle x1
 qed
 

  blockNone:
 fixes ev
 assumes "stmt (BLOCK ((id0, tp), None) s) ev cd st = Normal (x, st')"
 obtains cd' mem' sck' e'
 where "gas st > costs (BLOCK ((id0, tp), None) s) ev cd st"
 and "decl id0 tp None False cd (me next
 and "stmt s e' cd' (st(gas := gas st
 using assms by (simp split:if_split_asm prod.split_asm option.split_asm)

  blockSome:
 fixes ev
 assumes "stmt (BLOCK ((id0, tp), Some ex') s) ev cd st = Normal (x, st')"
 obtains v t g cd' mem' sck' e'
 where "gas st > costs (BLOCK ((id0, tp), Some ex') s) ev cd st"
 and "expr ex' ev cd (st(gas := gas st - costs (BLOCK ((id0, tp), Some ex') s) ev cd st)) (gas st - costs (BLOCK ((id0, tp), Some ex') s) ev cd with 7(1) g_def a1 gcost n n Pair VluVau h hs un stss7t_eb o
 and "decl id0 tp (Some (v, t)) False cd (memory (st(gas := g)
 \gas := g, stack := sck', memory := mem')
 using assms by (auto split:if_split_asm result.split_asm prod.split_asm option.split_asm)

  new:
 fixes i xe val ev cd st
 defines "st0 ≡ st(
 dress )(hoL\<^>na_t0es v)))"
 defines "st1 g ≡ st(gas := g, accounts := (accounts st)(adv0 := (
 defines "e' members c v ≡ ffold (init members) (emptyEnv adv0 c (address ev) v) (fmdom members)"
 assumes "stmt (NEW i xe val) ev cd st = Normal (x, st')"
java.lang.NullPointerException
 where "gas st > costs (NEW i xe val) ev cd st"
 and "type (accounts st adv0) = None"
 and "expr val ev cd st0 (gas st0) = Normal((KValue v, Value t),g)"
 and "ep $$ i = Some (ct, cn, fb)"
java.lang.NullPointerException
 and "transfer (address ev) adv0 v (accounts (st1 g')) = Some acc"
 andthen show ?hesis
 and "st' = incrementAccountContracts (address ev) (st''(stack:=stack st, memory := proof ((aes2
  -
 from assms have 1: "gas st > costs (NEW i xe val) ev cd st" by (simp split:if_split_asm)
 moreover from st0_def assms 1 have 2: "type (accounts st adv0) = None" by (simp split: if_split_asm)
 moreover from st0_def assms 1 2 obtain v t g where 3: "expr val ev cd st0 (gas st0) = Normal((KValue v, Value t),g)" by (simp split: prod.split_asm result.split_asm Stackvalue.split_asm Type.split_asm)
 moreover from assms 1 st0_def 2 3 obtain ct cn fb where 4: "ep $$ i = Some(ct, cn, fb)" by (simp split: prod.split_asm result.split_asm option.split_asm)
 moreover from st0_def adv0_def e'_def assms 1 2 3 4 obtain e_l k_l g' where 5: "load True (fst cn) xe (e' ct i v) emptyStore emptyStore emptyStore ev cd (st0() g = Normal ((e_l,k m_def ssi:rodsltamresul.pt_moio.lts)
 moreover from st0_def adv0_def e'_def assms then show ?thes
 moreover from st0_def st1_def adv0_def e'_def assms 1 2 3 4 5 6 obtain st'' where "stmt (snd cn) e_l cd_l (st1 g'(
 ultimately sh case Non
 

  atype_same:
 assumes "stmt stm ev cd st = Normal (x, st')"
 and "type (accounts st ad) = Some ctype"
 shows "type (accounts st' ad) = Some ctype"
  assms
  (induction arbitrary: st' rule: stmt.induct)
 case (1 e cd st)
 then show ?case using skip[OF 1(1)] by auto
 
 case (2 lv ex env cd st)
 show ?case by (cases rule: assign[OF 2(1)]; simp add: 2(2))
 
 case (3 s1 s2 e cd st)
 show ?case
  ces rul: cop[O 3)])
 case (1 st'')
 then show ?thesis using 3 by simp
 qed
 
 case (4 ex s1 s2 e cd st)
 show ?case
 proof (cases rule: ite[OF 4(3)])
 case (1 g)
 then show ?thesis using 4 by simp
 next
 case (2 g)
 then show ?thesis using 4 by (simp split: if_split_asm)
 qed
 
 case (5 ex s0 e cd st)
 show ?case
 proof (cases rule: while[OF 5(3)])
 case (1 g st'')
 then show ?thesis using 5 by simp
 ext
 case (2 g)
 then show ?thesis using 5 by simp
 qed
 
 case (6 i xe e cd st)
 show proof (cases "fmlookup ct i")
 proof (cases rule: invoke[OF 6(2)])
java.lang.NullPointerException
 then show ?thesis using 6 by simp
 qed
 
 case (7 ad' i xe val e cd st)
 show ?case
 proof (cases rule: external[OF 7(3)])
 se ( adv c ct n fb' v t g'v' f fe_l cd_l m_acc'')
 moreover from 7(4) have "type (acc ad) = Some ctype" using transfer_type_same[OF 1(10)] by simp
 ultimately show ?thesis using 7(1) by simp
 next
 case (2 adv c g ct cn fb' v t g' v' acc st')
 moreover from 7(4) have "type (acc ad) = Some ctype" using transfer_type_same[OF 2(9)] by simp
 ultimately show ?thesis using 7(2) by simp
 qed
 
 case (8 ad' ex e cd st)
 show ?case
 proof (cases rule: transfer[OF 8(2)])
 e( v t g dv c ' acc c c f st''
 moreover from 8(3) have "type (acc ad) = Some ctype" using transfer_type_same[OF 1(7)] by simp
 ultimately show ?thesis using 8(1) by simp
 next
 case (2 v t g adv g' v' acc)
 reover from 8(3 hae "tye(acc ad)= omee" si rnfer_ypesmeO 26)]by smp
 ultimately show ?thesis by simp
 qed
 
 case (9 id0 tp s e_v cd st)
 show ?case
 ockNone[92))
 case (1 cd' mem' sck' e')
 then show ?thesis using 9 by simp
 qed
 
 case (10 id0 tp ex' s e_{_}gs3[o val c t''"gsst''"]
 show ?case
 proof (cases rule: blockSome[OF 10(2)])
 case (1 v t g cd' mem' sck' e')
 then show ?thesis using 10 by simp
 qed
 
 case (11 i xe val e cd st) also from mselmsel_ssel_expr_load_rxp_ga3[o ad d st'"as t "]
 show ?case
 proof (cases rule: new[OF 11(2)])
java.lang.NullPointerException
 moreover have "hash (address e) ⌊contracts (accounts st (address e))⌋ ≠
 imately tly ho ?tesis
 using 11 transfer_type_same[OF 1(6)] incrementAccountContracts_type by simp
 qed
 

  lexp.simps[simp del, solidity_symbex add]
  stmt.simps[simp del, solidity_symbex add]

 

  ‹

  costs_min :: "S ==>
 where
 "costs_min SKIP e cd st = 0"
  "costs_min (ASSIGN lv ex) e cd st = 0"
  "costs_min (COMP s1 s2) e cd st = 0"
  "costs_min (ITE ex s1 s2) e cd st = 0"
  "costs_min (WHILE ex s0) e cd st = 1"
  "costs_min (TRANSFER ad ex) e cd st = 1"
  "costs_min (BLOCK ((id0, tp), ex) s) e cd st =0"
  "costs_min (INVOKE _ _) e cd st = 1"
  "costs_min (EXTERNAL _ _ _ _) e cd st = 1"
  "costs_min (NEW _ _ _) e cd st = 1"

  costs_ex :: "E ==> Environment ==> CalldataT ==> State ==> Gas"
 where
 "costs_ex (E.INT _ _) e cd st = 0"
  show ?thesis
  "costs_ex (ADDRESS _) e cd st = 0"
  "costs_ex (BALANCE _) e cd st = 0"
  "costs_ex THIS e cd st = 0"
  "costs_ex SENDER e cd st = 0"
  "costs_ex VALUE e cd st = 0"
  "costs_ex (TRUE) e cd st = 0"
  "costs_ex (FALSE) e cd st = 0"
  "costs_ex (LVAL _) e cd st = 0"
  "costs_ex (PLUS _ _) e cd st = 0"
  "costs_ex (MINUS _ _) e cd st = 0"
  "costs_ex (EQUAL _ _) e cd st = 0"
  "costs_ex (LESS _ _) e cd st = "
  "costs_ex (AND _ _) e cd st = 0"
  "costs_ex (OR _ _) e cd st = 0"
  "costs_ex (NOT _) e cd st = 0"
  "costs_ex (CALL _ _) e cd st = 1"
  "costs_ex (ECALL _ _ _) e cd st = 1"
  "costs_ex CONTRACTS e cd st = 0"

  solidity: statement_with_gas costs_ex fmempty costs_min
 defines stmt = "solidity.stmt"
 and lexp = solidity.lexp
 and expr = solidity.expr
 and ssel = solidity.ssel
 and rexp = solidity.rexp
 and msel = solidity.msel
 and load = solidity.load
 by unfold_locales auto

  ‹

  ‹

  mymemory2::MemoryT
 where "mymemory2 ≡
 (m_o_lit
 [(STR ''3.2'', MPointer STR ''5'')],
 toploc =1)

  "msel True (MTArray 5 (MTArray 6(MValue TBoo)) (SR ''') UIT 8 3eepteptSoe mstat(as:=1)) 1
  Normal ((STR ''3.2'', MTArray 6 (MTValue TBool)), 1)" by Solidity_Symbex.solidity_symbex

  "msel True (MTArray 5 (MTArray 6 (MTValue TBool))) (STR ''2'') [UINT 8 3, UINT 8 4] eempty emptyStore (mystate(gas:=1,memory:=mymemory2)) 1
 STR'.'',MTlu Tool), 1)" bySoldty_ymbexsodiy_symex

  "msel True (MTArray 5 (MTArray 6 (MTValue TBool))) (STR ''2'') [UINT 8 5] eempty emptyStore (mystate(gas:=1,memory:=mymemory2)case (e x)
  Exception (Err)" by Solidity_Symbex.solidity_symbex