Before proving Theorem 3, we shall prove an additional lemma stating that, for well-typed judgments, $\mathrm{dom}(\Gamma) \supseteq \mathrm{dom}(\beta)$, that is, every $x$, $c$, or $a \in \Gamma$ is also in $\beta$. Again, we shall abuse the notation regarding pairs $(c, a)$ in $\beta$.
Lemma 13. Let $\Gamma \vdash \langle \beta, \sigma, e \rangle : T$ be derivable. Then $\mathrm{dom}(\Gamma) \supseteq \mathrm{dom}(\beta)$.
Proof. Suppose, by contradiction, that $\exists x \in \mathrm{dom}(\beta)$ such that $x \notin \mathrm{dom}(\Gamma)$, and that $e$ contains such an $x$. This means that either $x$, $x = e'$, or both appear in $e$. In the former case, rule VAR in Section 6.3 applies to give a type to $e$. However, VAR requires $x$ to be in $\Gamma$ (i.e. $x : T' \in \Gamma$), which is not the case by hypothesis. The latter case is similar: rule ASS applies, and it contains, as a premise, $\Gamma \vdash x : T'$, which in turn is handled by VAR. Hence, the type system cannot give a type to $x$, but this is a contradiction, since we assumed $\Gamma \vdash \langle \beta, \sigma, e \rangle : T$ to be derivable. Hence, $x$ must be in $\mathrm{dom}(\Gamma)$. The same reasoning applies to $a$ and $c$.

We can now prove Theorem 3.

Theorem 3 (Progress). If $\langle \beta, \sigma, e \rangle$ is closed (Definition 13) and well-typed (i.e. $\exists \Gamma$ such that $\Gamma \vdash \langle \beta, \sigma, e \rangle : T$ is derivable), then either $e = v$, $e = \mathrm{revert}$, or $\exists (\beta', \sigma', e')$ such that $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$.

Proof. We prove this theorem by induction on the height of the judgment $\Gamma \vdash \langle \beta, \sigma, e \rangle : T$.
Base cases. These cases correspond to the axioms in Section 6.3. By rule CONFIGURATION, $\Gamma \vdash \langle \beta, \sigma, e \rangle : T$ implies $\Gamma \vdash \beta$ and $\Gamma \vdash \sigma$. These cases modify neither $\beta$ nor $\sigma$, and hence we focus on the expression $e$ (i.e. on the judgment $\Gamma \vdash e : T$).
• REF. The judgment is $\Gamma \vdash c : C$, and $c$ is already a value.
• VAR. The judgment is $\Gamma \vdash x : T$. By hypothesis, we know $\Gamma \vdash x : T$, which implies, by rule VAR, $x : T \in \Gamma$, which means $x \in \mathrm{dom}(\Gamma)$. By Lemma 13, $x \in \mathrm{dom}(\Gamma) \Rightarrow x \in \mathrm{dom}(\beta)$, which makes $\beta(x)$ well-defined. By rule VAR in Section 5.5, $\exists e' = \beta(x)$ such that $\langle \beta, \sigma, x \rangle \longrightarrow \langle \beta, \sigma, \beta(x) \rangle$.
• TRUE. The judgment is $\Gamma \vdash \mathrm{true} : \mathrm{bool}$, and the expression $\mathrm{true}$ is already a value.
• FALSE, NAT, ADDRESS, and UNIT. The judgments are $\Gamma \vdash \mathrm{false} : \mathrm{bool}$, $\Gamma \vdash n : \mathrm{uint}$, $\Gamma \vdash a : \mathrm{address}$, or $\Gamma \vdash u : \mathrm{unit}$, respectively, and the expressions $\mathrm{false}$, $n$, $a$, and $u$ are already values.
• REVERT. The judgment is $\Gamma \vdash \mathrm{revert} : T$, and the expression is a revert.

Inductive cases. Given a judgment $J$ such that its derivation has height $k + 1$, we prove the inductive cases on the last rule used to derive $J$. We assume the theorem for the judgments with height at most $k$ and we prove it for those with height $k + 1$.
• MAPPING. The judgment is $\Gamma \vdash M : \mathrm{mapping}(T_1 \Rightarrow T_2)$, and the expression $M$ is already a value.
• FUN. The judgment is $\Gamma \vdash c.f : \tilde{T}_1 \to T_2$, and the expression $c.f$ is already a value.
• BAL. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, \mathrm{balance}(e) \rangle : \mathrm{uint}$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e \rangle : \mathrm{address}$. By inductive hypothesis we know $e$ is either a value, revert, or $\exists \beta', \sigma', e'$ such that $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$. We distinguish the following cases:
– if $e = v$ then, by Case 7 of Lemma 6, $v$ is an address $a$. By rule BALANCE in Section 5.5, $\langle \beta, \sigma, \mathrm{balance}(a) \rangle \longrightarrow \langle \beta, \sigma, n \rangle$, where $\beta(a) = (C, \tilde{s}{:}\tilde{v}, n)$ is well-defined by what we said in Lemma 13: $\Gamma \vdash \langle \beta, \sigma, \mathrm{balance}(a) \rangle : \mathrm{uint}$ is well typed, and then $\exists c$ such that the pair $(c, a) \in \mathrm{dom}(\beta)$.
– if $e = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{balance}(e) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, \mathrm{balance}(e) \rangle \longrightarrow \langle \beta', \sigma', \mathrm{balance}(e') \rangle$.
• ADDR. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, \mathrm{address}(e) \rangle : \mathrm{address}$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e \rangle : C$. By inductive hypothesis we know $e$ is either a value, revert, or $\exists \beta', \sigma', e'$ such that $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$. We distinguish the following cases:
– if $e = v$ then, by Case 5 of Lemma 6, $v$ is a contract reference $c$. By rule ADDRESS in Section 5.5, $\langle \beta, \sigma, \mathrm{address}(c) \rangle \longrightarrow \langle \beta, \sigma, a \rangle$, where $\hat{\beta}(c) = a$. The latter equivalence is well-defined by Lemma 13.
– if $e = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{address}(e) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, \mathrm{address}(e) \rangle \longrightarrow \langle \beta', \sigma', \mathrm{address}(e') \rangle$.
• RETURN. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma \cdot a, \mathrm{return}\ e \rangle : T$ was derived from $\Gamma \vdash_k \langle \beta, \sigma \cdot a, e \rangle : T$. By inductive hypothesis we know $e$ is either a value, revert, or $\exists \beta', \sigma', e'$ such that $\langle \beta, \sigma \cdot a, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$. We distinguish the following cases:
– if $e = v$ then, by rule RETURN in Section 5.5, $\langle \beta, \sigma \cdot a, \mathrm{return}\ v \rangle \longrightarrow \langle \beta, \sigma, v \rangle$.
– if $e = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma \cdot a, \mathrm{return}\ \mathrm{revert} \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma \cdot a, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma \cdot a, \mathrm{return}\ e \rangle \longrightarrow \langle \beta', \sigma', \mathrm{return}\ e' \rangle$.
• IF. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, \mathrm{if}\ e_1\ \mathrm{then}\ e_2\ \mathrm{else}\ e_3 \rangle : T$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : \mathrm{bool}$, $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : T$, and $\Gamma \vdash_k \langle \beta, \sigma, e_3 \rangle : T$. By inductive hypothesis we know $e_1$ is either a value, a revert, or $\exists \beta', \sigma', e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta', \sigma', e'_1 \rangle$. We distinguish the following cases:
– if $e_1 = v$ then, by Case 1 of Lemma 6, $v$ is either $\mathrm{true}$ or $\mathrm{false}$. If it is $\mathrm{true}$, by rule IF-TRUE in Section 5.5 $\langle \beta, \sigma, \mathrm{if}\ \mathrm{true}\ \mathrm{then}\ e_2\ \mathrm{else}\ e_3 \rangle \longrightarrow \langle \beta, \sigma, e_2 \rangle$. On the other hand, if it is $\mathrm{false}$, by rule IF-FALSE in Section 5.5 $\langle \beta, \sigma, \mathrm{if}\ \mathrm{false}\ \mathrm{then}\ e_2\ \mathrm{else}\ e_3 \rangle \longrightarrow \langle \beta, \sigma, e_3 \rangle$.
– if $e_1 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{if}\ \mathrm{revert}\ \mathrm{then}\ e_2\ \mathrm{else}\ e_3 \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta', \sigma', e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, \mathrm{if}\ e_1\ \mathrm{then}\ e_2\ \mathrm{else}\ e_3 \rangle \longrightarrow \langle \beta', \sigma', \mathrm{if}\ e'_1\ \mathrm{then}\ e_2\ \mathrm{else}\ e_3 \rangle$.
• SEQ. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1; e_2 \rangle : T_2$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : T_1$ and $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : T_2$. By inductive hypothesis we know $e_1$ is either a value, revert, or $\exists \beta', \sigma', e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta', \sigma', e'_1 \rangle$. We distinguish the following cases:
– if $e_1 = v$ then two scenarios are possible. First, if $\mathrm{Top}(\sigma) = \emptyset$, by rule SEQ-C in Section 5.5, $\langle \beta, \sigma, v; e_2 \rangle \longrightarrow \langle \beta, \beta, e_2 \rangle$. Secondly, if $\exists a$ such that $\mathrm{Top}(\sigma) = a$ then, by rule SEQ in Section 5.5, $\langle \beta, \sigma, v; e_2 \rangle \longrightarrow \langle \beta, \sigma, e_2 \rangle$.
– if $e_1 = \mathrm{revert}$ then, again, two scenarios are possible. First, if $\mathrm{Top}(\sigma) = \emptyset$ (and, consequently, $\exists \beta'$ such that $\sigma = \beta'$), by rule SEQ-R in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}; e_2 \rangle \longrightarrow \langle \beta', \beta', \mathrm{revert} \rangle$. Secondly, if $\exists a$ such that $\mathrm{Top}(\sigma) = a$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}; e_2 \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta', \sigma', e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, e_1; e_2 \rangle \longrightarrow \langle \beta', \sigma', e'_1; e_2 \rangle$.
• DECL. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, T_1\ x = e_1; e_2 \rangle : T_2$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : T_1$ and $\emptyset, x : T_1 \vdash_k \langle \beta, \sigma, e_2 \rangle : T_2$. By inductive hypothesis, $e_1$ is either a value, revert, or $\exists \beta'_1, \sigma'_1, e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$. We distinguish the following cases:
– if $e_1 = v_1$ then, by rule DECL in Section 5.5, $\langle \beta, \sigma, T_1\ x = v_1; e_2 \rangle \longrightarrow \langle \beta \cdot [x \mapsto v_1], \sigma, v_1; e_2 \rangle$. Note that the premise $x \notin \mathrm{dom}(\beta)$ is always satisfied since variables can be renamed by $\alpha$-equivalence.
– if $e_1 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, T_1\ x = \mathrm{revert}; e_2 \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert}; e_2 \rangle$. Note that this case does not take into account $e_2$ at all.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta', \sigma', e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, T_1\ x = e_1; e_2 \rangle \longrightarrow \langle \beta', \sigma', T_1\ x = e'_1; e_2 \rangle$.
• ASS. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, x = e \rangle : T$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, x \rangle : T$ and $\Gamma \vdash_k \langle \beta, \sigma, e \rangle : T$. By inductive hypothesis, $e$ is either a value, revert, or $\exists \beta', \sigma', e'$ such that $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$. We distinguish the following cases:
– if $e = v$ then, by rule ASS in Section 5.5, $\langle \beta, \sigma, x = v \rangle \longrightarrow \langle \beta[x \mapsto v], \sigma, v \rangle$. Note that $x \in \mathrm{dom}(\beta)$ is always satisfied by what we said in Lemma 13.
– if $e = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, x = \mathrm{revert} \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, x = e \rangle \longrightarrow \langle \beta', \sigma', x = e' \rangle$.
• MAPPSEL. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1[e_2] \rangle : T_2$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : \mathrm{mapping}(T_1 \Rightarrow T_2)$ and $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : T_1$. By inductive hypothesis we know $e_1$ is either a value, revert, or $\exists \beta'_1, \sigma'_1, e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$. The same reasoning applies to $e_2$, thus $e_2$ is either a value, revert, or $\exists \beta'_2, \sigma'_2, e'_2$ such that $\langle \beta, \sigma, e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, e'_2 \rangle$. We distinguish the following cases:
– if $e_1 = v_1$ and $e_2 = v_2$ then, by Case 4 of Lemma 6, $v_1$ is a total function $M$ from $T_1$ to $T_2$. By rule MAPPSEL in Section 5.5, $\langle \beta, \sigma, M[v_2] \rangle \longrightarrow \langle \beta, \sigma, M(v_2) \rangle$. Note that $M(v_2)$ is always well-defined because $M$ is a total function.
– if $e_1 = v_1$ and $e_2 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, v_1[\mathrm{revert}] \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $e_1 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}[e_2] \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, e_1[e_2] \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1[e_2] \rangle$. Note we do not have to specify what $e_2$ is.
– if $e_1 = v_1$ and $\langle \beta, \sigma, e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, e'_2 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, v_1[e_2] \rangle \longrightarrow \langle \beta'_2, \sigma'_2, v_1[e'_2] \rangle$.
• STATESEL. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e.s_i \rangle : T_i$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e \rangle : C$, where $C$ is such that $\mathrm{sv}(C) = \tilde{T}\ \tilde{s}$ and $s_i \in \tilde{s}$. By inductive hypothesis we know $e$ is either a value, revert, or $\exists \beta', \sigma', e'$ such that $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$. We distinguish the following cases:
– if $e = v$ then, by Case 5 of Lemma 6, $v$ is a contract reference $c$. By rule STATESEL in Section 5.5, $\langle \beta, \sigma, c.s_i \rangle \longrightarrow \langle \beta, \sigma, v_i \rangle$, where $\beta(c) = (C, \tilde{s}{:}\tilde{v}, n)$ and $c.s_i = v_i$. Note that $\beta(c) = (C, \tilde{s}{:}\tilde{v}, n)$ is well-defined by Lemma 13.
– if $e = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}.s_i \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, e.s_i \rangle \longrightarrow \langle \beta', \sigma', e'.s_i \rangle$.
• MAPPASS. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1[e_2 \to e_3] \rangle : \mathrm{mapping}(T_1 \Rightarrow T_2)$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : \mathrm{mapping}(T_1 \Rightarrow T_2)$, $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : T_1$, and $\Gamma \vdash_k \langle \beta, \sigma, e_3 \rangle : T_2$. By inductive hypothesis we know $e_1$ is either a value, revert, or $\exists \beta'_1, \sigma'_1, e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$. The same reasoning applies to $e_2$ and $e_3$. We distinguish the following cases:
– if $e_1 = v_1$, $e_2 = v_2$, and $e_3 = v_3$ then, by Case 4 of Lemma 6, $v_1$ is a total function $M$ from $T_1$ to $T_2$. By rule MAPPASS in Section 5.5, $\langle \beta, \sigma, M[v_2 \to v_3] \rangle \longrightarrow \langle \beta, \sigma, M' \rangle$, where $M' = M \setminus \{(v_2, M(v_2))\} \cup \{(v_2, v_3)\}$.
– if either $e_2 = \mathrm{revert}$ or $e_3 = \mathrm{revert}$, with $e_1 = M$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, M[\mathrm{revert} \to v_3] \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$ or $\langle \beta, \sigma, M[v_2 \to \mathrm{revert}] \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$, respectively.
– if $e_1 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}[e_2 \to e_3] \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, e_1[e_2 \to e_3] \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1[e_2 \to e_3] \rangle$.
– if $e_1 = v_1$ and $\langle \beta, \sigma, e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, e'_2 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, v_1[e_2 \to e_3] \rangle \longrightarrow \langle \beta'_2, \sigma'_2, v_1[e'_2 \to e_3] \rangle$.
– if $e_1 = v_1$, $e_2 = v_2$, and $\langle \beta, \sigma, e_3 \rangle \longrightarrow \langle \beta'_3, \sigma'_3, e'_3 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, v_1[v_2 \to e_3] \rangle \longrightarrow \langle \beta'_3, \sigma'_3, v_1[v_2 \to e'_3] \rangle$.
• STATEASS. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1.s_i = e_2 \rangle : T$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1.s_i \rangle : T$ and $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : T$. By inductive hypothesis we know $e_1$ is either a value, revert, or $\exists \beta'_1, \sigma'_1, e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$. The same reasoning applies to $e_2$. We distinguish the following cases:
– if $e_1 = v_1$ and $e_2 = v_2$ then, by Case 21 of Lemma 2 we know $\Gamma \vdash v_1 : C$ can be derived. Hence, by Case 5 of Lemma 6, $v_1$ is a contract reference $c$. By rule STATEASS in Section 5.5, $\langle \beta, \sigma, c.s_i = v_2 \rangle \longrightarrow \langle \beta, \sigma, v_2 \rangle$, where $\beta(c) = (C, \tilde{s}{:}\tilde{v}, n)$ and $c.s_i = v_i$. Note that $\beta(c)$ is well-defined by Lemma 13.
– if $e_1 = v_1$ and $e_2 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, e_1.s = \mathrm{revert} \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $e_1 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}.s_i = e_2 \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, e_1.s_i = e_2 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1.s_i = e_2 \rangle$.
– if $e_1 = v_1$ and $\langle \beta, \sigma, e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, e'_2 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, v_1.s_i = e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, v_1.s_i = e'_2 \rangle$.
• NEW. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(e_1)(\tilde{e}) \rangle : C$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : \mathrm{uint}$, and $\Gamma \vdash_k \langle \beta, \sigma, \tilde{e} \rangle : \tilde{T}$. By inductive hypothesis we know $e_1$ is either a value, revert, or $\exists \beta'_1, \sigma'_1, e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$. The same reasoning applies to the tuple $\tilde{e}$: it is either a tuple of values ($\tilde{v}$), a tuple of values and expressions separated by a revert (i.e. $v_i^{\{0 \le i < m\}}, \mathrm{revert}, e_j^{\{m < j \le n\}}$), or it is in the form $v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}}$ and $\exists \beta'_i, \sigma'_i, e'_j$ such that $\langle \beta, \sigma, v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}} \rangle \longrightarrow \langle \beta'_i, \sigma'_i, v_i^{\{0 \le i < m\}}, e'^{\{m \le j \le n\}}_j \rangle$. We distinguish the following cases:
– if $e_1 = v_1$ and $\tilde{e} = \tilde{v}$ then, by Case 2 of Lemma 6, $v_1 = n$. Three scenarios are possible here. If $\mathrm{Top}(\sigma) \neq \emptyset$, then either NEW-1 or NEW-R (as defined in Section 5.5) applies. If it is NEW-1 (note the check about the length of the tuples is true since it is also a premise of the rule NEW in Section 6.3) then the balance of the contract corresponding to $\mathrm{Top}(\sigma)$ is enough to create a new contract with an initial balance of $n$. Hence, $\langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(n)(\tilde{v}) \rangle \longrightarrow \langle \mathrm{uptbal}(\beta, \mathrm{Top}(\sigma), -n) \cdot [(c, a) \mapsto (C, \tilde{s}{:}\tilde{v}, n)], \sigma, c \rangle$, where $(c, a)$ is a fresh pair identifying the new contract in $\beta$. On the other hand, if NEW-R applies, then the balance of the contract corresponding to $\mathrm{Top}(\sigma)$ is not enough. Hence, $\langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(n)(\tilde{v}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$. Lastly, if $\mathrm{Top}(\sigma) = \emptyset$, then NEW-2 (as defined in Section 5.5) applies. Hence, $\langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(n)(\tilde{v}) \rangle \longrightarrow \langle \beta \cdot [(c, a) \mapsto (C, \tilde{s}{:}\tilde{v}, n)], \sigma, c \rangle$, where $(c, a)$ is, as before, a fresh pair identifying the new contract in $\beta$.
– if either $e_1 = \mathrm{revert}$, or $e_1 = v_1$ and $\tilde{e} = v_i^{\{0 \le i < m\}}, \mathrm{revert}, e_j^{\{m < j \le n\}}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(\mathrm{revert})(\tilde{e}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$ or $\langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(v_1)(\tilde{e} = v_i^{\{0 \le i < m\}}, \mathrm{revert}, e_j^{\{m < j \le n\}}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$, respectively.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(e_1)(\tilde{e}) \rangle \longrightarrow \langle \beta'_1, \sigma'_1, \mathrm{new}\ C.\mathrm{value}(e'_1)(\tilde{e}) \rangle$.
– if $e_1 = v_1$, $\tilde{e} = v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}}$, and $\langle \beta, \sigma, v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}} \rangle \longrightarrow \langle \beta'_i, \sigma'_i, v_i^{\{0 \le i < m\}}, e'^{\{m \le j \le n\}}_j \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, \mathrm{new}\ C.\mathrm{value}(v_1)(v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}}) \rangle \longrightarrow \langle \beta'_i, \sigma'_i, \mathrm{new}\ C.\mathrm{value}(v_1)(v_i^{\{0 \le i < m\}}, e'^{\{m \le j \le n\}}_j) \rangle$.
• CONTRRETR. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, C(e) \rangle : C$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e \rangle : \mathrm{address}$. By inductive hypothesis, $e$ is either a value, revert or $\exists \beta', \sigma', e'$ such that $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$. We distinguish the following cases:
– if $e = v$ then, by Case 7 of Lemma 6, $v$ is an address $a$. There are two possible scenarios. First, $\beta_C(a) = C$ (well-defined by Lemma 13) and rule CONTRRETR of Section 5.5 applies: $a$ corresponds to a reference $c$ to a contract $C$. Hence, $\langle \beta, \sigma, C(a) \rangle \longrightarrow \langle \beta, \sigma, c \rangle$. Secondly, $\beta_C(a) = C'$, with $C' \neq C$. In this case rule CONTRRETR-R of Section 5.5 applies, and $\langle \beta, \sigma, C(a) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$. Again, $\beta_C(a) = C'$ is well-defined by Lemma 13.
– if $e = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, C(\mathrm{revert}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if $\langle \beta, \sigma, e \rangle \longrightarrow \langle \beta', \sigma', e' \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, C(e) \rangle \longrightarrow \langle \beta', \sigma', C(e') \rangle$.
• TRANSFER. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1.\mathrm{transfer}(e_2) \rangle : \mathrm{unit}$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : \mathrm{address}$ and $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : \mathrm{uint}$. By inductive hypothesis, $e_1$ is either a value, revert or $\exists \beta'_1, \sigma'_1, e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$. The same reasoning applies to $e_2$. We distinguish the following cases:
– if $e_1 = v_1$ and $e_2 = v_2$ then, by Case 7 and Case 2 of Lemma 6, $v_1$ is an address $a$ and $v_2$ is a non-negative integer $n$. Let $\beta(a) = (C, \tilde{s}{:}\tilde{v}, m)$, well-defined by Lemma 13. There are two possible scenarios. First, if $m \ge n$ rule TRANSFER in Section 5.5 applies and $\langle \beta, \sigma, a.\mathrm{transfer}(n) \rangle \longrightarrow \langle \beta', \sigma \cdot a, e\{\mathrm{this} := c, \mathrm{msg.sender} := \mathrm{Top}(\sigma), \mathrm{msg.value} := n\} \rangle$, where $\beta' = \mathrm{uptbal}(\mathrm{uptbal}(\beta, a, n), \mathrm{Top}(\sigma), -n)$, $\hat{\beta}(c) = a$, and $e$ is either the body of the callback function of $C$, if any, or $\mathrm{return}\ \mathrm{revert}$. Secondly, if $m < n$ then TRANSFER-R applies and we obtain $\langle \beta, \sigma, a.\mathrm{transfer}(n) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if either $e_1 = \mathrm{revert}$, or $e_1 = v_1$ and $e_2 = \mathrm{revert}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}.\mathrm{transfer}(e_2) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$ or $\langle \beta, \sigma, v_1.\mathrm{transfer}(\mathrm{revert}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$, respectively.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, e_1.\mathrm{transfer}(e_2) \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1.\mathrm{transfer}(e_2) \rangle$.
– if $e_1 = v_1$ and $\langle \beta, \sigma, e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, e'_2 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, v_1.\mathrm{transfer}(e_2) \rangle \longrightarrow \langle \beta'_2, \sigma'_2, v_1.\mathrm{transfer}(e'_2) \rangle$.
Note that we did not reason about $\mathrm{Top}(\sigma)$ here. As said, we assumed $\mathrm{Top}(\sigma) \neq \emptyset$.
• CALL. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1.f.\mathrm{value}(e_2)(\tilde{e}) \rangle : T_2$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : C$, $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : \mathrm{uint}$, and $\Gamma \vdash_k \langle \beta, \sigma, \tilde{e} \rangle : \tilde{T}_1$, where $\mathrm{ftype}(C, f) = \tilde{T}_1 \to T_2$ and $|\tilde{e}| = |\tilde{T}_1|$. By inductive hypothesis, $e_1$ is either a value, revert or $\exists \beta'_1, \sigma'_1, e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$. The same reasoning applies to $e_2$ and to the tuple $\tilde{e}$. The former is either a value, revert or $\exists \beta'_2, \sigma'_2, e'_2$ such that $\langle \beta, \sigma, e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, e'_2 \rangle$. The latter is either a tuple of values ($\tilde{v}$), a tuple of values and expressions separated by a revert (i.e. $v_i^{\{0 \le i < m\}}, \mathrm{revert}, e_j^{\{m < j \le n\}}$), or it is in the form $v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}}$ and $\exists \beta'_i, \sigma'_i, e'_j$ such that $\langle \beta, \sigma, v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}} \rangle \longrightarrow \langle \beta'_i, \sigma'_i, v_i^{\{0 \le i < m\}}, e'^{\{m \le j \le n\}}_j \rangle$. We distinguish the following cases:
– if $e_1 = v_1$, $e_2 = v_2$, and $\tilde{e} = \tilde{v}$ then, by Case 5 and Case 2 of Lemma 6, $v_1$ is a contract reference $c$ and $v_2$ is a non-negative integer $n$. Let $\beta(c) = (C, \tilde{s}{:}\tilde{v}, m)$, well-defined by Lemma 13. There are two possible scenarios. First, if $m \ge n$, then rule CALL in Section 5.5 applies. It retrieves $f$'s body, $e$, and its formal parameters $\tilde{x}$, defines $\beta' = \mathrm{uptbal}(\mathrm{uptbal}(\beta, a, n), \mathrm{Top}(\sigma), -n) \cdot [x_i \mapsto v_i]_{x_i \in \tilde{x}, v_i \in \tilde{v}}$ as explained in Chapter 5, and then evolves as follows: $\langle \beta, \sigma, c.f.\mathrm{value}(n)(\tilde{v}) \rangle \longrightarrow \langle \beta', \sigma \cdot a, e\{\mathrm{this} := c, \mathrm{msg.sender} := \mathrm{Top}(\sigma), \mathrm{msg.value} := n\} \rangle$. Secondly, if $m < n$, then rule CALL-R in Section 5.5 applies, and $\langle \beta, \sigma, c.f.\mathrm{value}(n)(\tilde{v}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$.
– if either $e_1 = \mathrm{revert}$; or $e_1 = v_1$ and $e_2 = \mathrm{revert}$; or $e_1 = v_1$, $e_2 = v_2$ and $\tilde{e} = v_i^{\{0 \le i < m\}}, \mathrm{revert}, e_j^{\{m < j \le n\}}$ then, by rule REVERT in Section 5.5, $\langle \beta, \sigma, \mathrm{revert}.f.\mathrm{value}(e_2)(\tilde{e}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$, $\langle \beta, \sigma, v_1.f.\mathrm{value}(\mathrm{revert})(\tilde{e}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$, or $\langle \beta, \sigma, v_1.f.\mathrm{value}(v_2)(\tilde{e} = v_i^{\{0 \le i < m\}}, \mathrm{revert}, e_j^{\{m < j \le n\}}) \rangle \longrightarrow \langle \beta, \sigma, \mathrm{revert} \rangle$, respectively.
– if $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, e_1.f.\mathrm{value}(e_2)(\tilde{e}) \rangle \longrightarrow \langle \beta'_1, \sigma'_1, e'_1.f.\mathrm{value}(e_2)(\tilde{e}) \rangle$.
– if $e_1 = v_1$ and $\langle \beta, \sigma, e_2 \rangle \longrightarrow \langle \beta'_2, \sigma'_2, e'_2 \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, v_1.f.\mathrm{value}(e_2)(\tilde{e}) \rangle \longrightarrow \langle \beta'_2, \sigma'_2, v_1.f.\mathrm{value}(e'_2)(\tilde{e}) \rangle$.
– if $e_1 = v_1$, $e_2 = v_2$, $\tilde{e} = v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}}$, and $\langle \beta, \sigma, v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}} \rangle \longrightarrow \langle \beta'_i, \sigma'_i, v_i^{\{0 \le i < m\}}, e'^{\{m \le j \le n\}}_j \rangle$ then, by rule CONG in Section 5.5, $\langle \beta, \sigma, v_1.f.\mathrm{value}(v_2)(v_i^{\{0 \le i < m\}}, e_j^{\{m \le j \le n\}}) \rangle \longrightarrow \langle \beta'_i, \sigma'_i, v_1.f.\mathrm{value}(v_2)(v_i^{\{0 \le i < m\}}, e'^{\{m \le j \le n\}}_j) \rangle$.
• CALLTOPLEVEL. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1.f.\mathrm{value}(e_2).\mathrm{sender}(e_3)(\tilde{e}) \rangle : T_2$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1.f.\mathrm{value}(e_2)(\tilde{e}) \rangle : T_2$ and $\Gamma \vdash_k \langle \beta, \sigma, e_3 \rangle : \mathrm{address}$. This case is very similar to the previous one, with the only addition of the parameter $e_3$ and considering CALLTOPLEVEL and CALLTOPLEVEL-R instead of CALL and CALL-R. What we said and proved previously applies here, too. We can apply the inductive hypothesis on $e_3$. If it is a value, then, by Case 7 of Lemma 6, it is an address $a$. If also $e_1$, $e_2$, and $\tilde{e}$ are values, either CALLTOPLEVEL or CALLTOPLEVEL-R (as defined in Section 5.5) applies, according to the balance of the caller. When it is a revert, rule REVERT in Section 5.5 applies. Lastly, when $e_1 = v_1$ and $e_2 = v_2$ and $\exists \beta', \sigma', e'_3$ such that $\langle \beta, \sigma, e_3 \rangle \longrightarrow \langle \beta', \sigma', e'_3 \rangle$, we obtain $\langle \beta, \sigma, v_1.f.\mathrm{value}(v_2).\mathrm{sender}(e_3)(\tilde{e}) \rangle \longrightarrow \langle \beta', \sigma', v_1.f.\mathrm{value}(v_2).\mathrm{sender}(e'_3)(\tilde{e}) \rangle$.
• CALLVALUE. In this case $J = \Gamma \vdash_{k+1} \langle \beta, \sigma, e_1.\mathrm{value}(e_2)(\tilde{e}) \rangle : T_2$ was derived from $\Gamma \vdash_k \langle \beta, \sigma, e_1 \rangle : \tilde{T}_1 \to T_2$, $\Gamma \vdash_k \langle \beta, \sigma, e_2 \rangle : \mathrm{uint}$, and $\Gamma \vdash_k \langle \beta, \sigma, \tilde{e} \rangle : \tilde{T}_1$, all such that the height of their derivations is $k$. Also this case is similar to CALL, and the same rules (CALL and CALL-R of Section 5.5) are applied. The only difference is the expression $e_1$. By inductive hypothesis, it is either a value, revert or $\exists \beta', \sigma', e'_1$ such that $\langle \beta, \sigma, e_1 \rangle \longrightarrow \langle \beta', \sigma', e'_1 \rangle$. If it is a value, by Case 6 of Lemma 6, it is a function pointer $c.f$. From this point on, every case is equal to those discussed for CALL, with the application of the same rules CALL and CALL-R.