
We recall Lemma 5.

Lemma 5 (Substitution). If Γ, this : C, msg.sender : address, msg.value : uint ⊢ e : T, Γ ⊢ c : C, Γ ⊢ a : address, and Γ ⊢ n : uint, then Γ ⊢ e{this := c, msg.sender := a, msg.value := n} : T.

Proof. Let Γ′ = Γ, this : C, msg.sender : address, msg.value : uint. We prove this lemma by induction on the height of the derivation of the judgment Γ′ ⊢ e : T.

We shall use the following notation to make the proof more readable: subst(e) = e{this := c, msg.sender := a, msg.value := n}.

Base cases. These cases correspond to the axioms in Section 6.3. The height of these derivations is always 1.

• REF. In this case the judgment is Γ′ ⊢ d : D. There are two sub-cases:

– d ≠ this. By Case 9 of Lemma 2 we obtain d : D ∈ Γ′. Since d ≠ msg.value, d ≠ msg.sender, and d ≠ this, from d : D ∈ Γ′ it follows that d : D ∈ Γ. Lastly, d : D ∈ Γ ⇒ Γ ⊢ d : D by applying REF, and subst(d) = d.

– d = this. By Case 9 of Lemma 2 we obtain D = C. We are to prove Γ ⊢ subst(this) : C, but subst(this) = c and the judgment becomes Γ ⊢ c : C, which is true by the second hypothesis.

• VAR. In this case the judgment is Γ′ ⊢ x : T and subst(e) = subst(x) = x, where x ≠ msg.value, x ≠ msg.sender, and x ≠ this. By Case 10 of Lemma 2 we know x : T ∈ Γ′, and, by what we just said (x ≠ msg.value, x ≠ msg.sender, and x ≠ this), x : T ∈ Γ too. We are to prove Γ ⊢ x : T, which is true by VAR, since x : T ∈ Γ.

• TRUE. In this case the judgment is Γ′ ⊢ true : bool and subst(e) = subst(true) = true. We are to prove Γ ⊢ true : bool, which is true by TRUE.

• FALSE. In this case the judgment is Γ′ ⊢ false : bool and subst(e) = subst(false) = false. We are to prove Γ ⊢ false : bool, which is true by FALSE.

• NAT. In this case the judgment is Γ′ ⊢ m : uint, where m ≠ msg.value. In this case subst(m) = m and the judgment becomes Γ ⊢ m : uint, which is true by NAT.

• UNIT. In this case the judgment is Γ′ ⊢ u : unit and subst(e) = subst(u) = u. We are to prove Γ ⊢ u : unit, which is true by UNIT.

• ADDRESS. In this case the judgment is Γ′ ⊢ a′ : address, where a′ ≠ msg.sender. In this case subst(a′) = a′. By Case 6 of Lemma 2 we know a′ : address ∈ Γ′, and thus a′ : address ∈ Γ. We are to prove Γ ⊢ a′ : address, which is true because a′ : address ∈ Γ.

• REVERT. In this case the judgment is Γ′ ⊢ revert : T and subst(e) = subst(revert) = revert. We are to prove Γ ⊢ revert : T, which is true by rule REVERT.

Inductive cases. Given a judgment J whose derivation has height k + 1, we prove the inductive cases by case analysis on the last rule used to derive J. We assume the lemma for judgments of height at most k and prove it for those of height k + 1.

• FUN. In this case J = Γ′ ⊢ₖ₊₁ d.f : T̃₁ → T₂ was derived from Γ′ ⊢ₖ d : D. We again have two sub-cases:

– if d ≠ this then, by Case 9 of Lemma 2, we obtain d : D ∈ Γ′. We supposed d ≠ this, but it is also true that d ≠ msg.sender and d ≠ msg.value. Hence d : D ∈ Γ′ ⇒ d : D ∈ Γ ⇒ Γ ⊢ d : D. Furthermore, subst(d.f) = d.f, and the judgment Γ ⊢ d.f : T̃₁ → T₂ is derivable.

– if d = this then, by Case 9 of Lemma 2, we know D = C. We are to prove Γ ⊢ subst(this.f) : T̃₁ → T₂, but subst(this.f) = c.f and the judgment becomes Γ ⊢ c.f : T̃₁ → T₂. By the second hypothesis we can derive Γ ⊢ c : C, and applying FUN we can also derive Γ ⊢ c.f : T̃₁ → T₂, which is what we wanted to prove since subst(this.f) = c.f.

• MAPPING. In this case J = Γ′ ⊢ₖ₊₁ M : mapping(T₁ ⇒ T₂) was derived from Γ′ ⊢ₖ k̃ : T̃₁ and Γ′ ⊢ₖ ṽ : T̃₂. Since both k̃ and ṽ are tuples of values, subst(k̃) = k̃ and subst(ṽ) = ṽ. By the inductive hypothesis, Γ ⊢ k̃ : T̃₁ and Γ ⊢ ṽ : T̃₂, and applying MAPPING we derive Γ ⊢ M : mapping(T₁ ⇒ T₂), as required.

• BAL. In this case J = Γ′ ⊢ₖ₊₁ balance(e) : uint was derived from Γ′ ⊢ₖ e : address. By the inductive hypothesis we have Γ ⊢ subst(e) : address, and applying BAL we obtain Γ ⊢ balance(subst(e)) : uint, which is the same as Γ ⊢ subst(balance(e)) : uint (see Figure 4.3).

• ADDR. In this case J = Γ′ ⊢ₖ₊₁ address(e) : address was derived from Γ′ ⊢ₖ e : C. By the inductive hypothesis we have Γ ⊢ subst(e) : C, and applying ADDR we obtain Γ ⊢ address(subst(e)) : address, which is the same as Γ ⊢ subst(address(e)) : address (see Figure 4.3).

• RETURN. In this case J = Γ′ ⊢ₖ₊₁ return e : T was derived from Γ′ ⊢ₖ e : T. By the inductive hypothesis we have Γ ⊢ subst(e) : T, and applying RETURN we obtain Γ ⊢ return subst(e) : T, which is the same as Γ ⊢ subst(return e) : T (see Figure 4.3).

• IF. In this case J = Γ′ ⊢ₖ₊₁ if e₁ then e₂ else e₃ : T was derived from Γ′ ⊢ₖ e₁ : bool, Γ′ ⊢ₖ e₂ : T and Γ′ ⊢ₖ e₃ : T. By the inductive hypothesis, we can derive Γ ⊢ subst(e₁) : bool, Γ ⊢ subst(e₂) : T and Γ ⊢ subst(e₃) : T. We are to prove Γ ⊢ subst(if e₁ then e₂ else e₃) : T, which is derived by applying IF to the latter judgments together with the equivalence if subst(e₁) then subst(e₂) else subst(e₃) = subst(if e₁ then e₂ else e₃).

• SEQ. In this case J = Γ′ ⊢ₖ₊₁ e₁; e₂ : T₂ was derived from Γ′ ⊢ₖ e₁ : T₁ and Γ′ ⊢ₖ e₂ : T₂. By the inductive hypothesis we obtain Γ ⊢ subst(e₁) : T₁ and Γ ⊢ subst(e₂) : T₂; applying SEQ we derive Γ ⊢ subst(e₁); subst(e₂) : T₂, which is what we wanted to prove since subst(e₁; e₂) = subst(e₁); subst(e₂).

• DECL. In this case J = Γ′ ⊢ₖ₊₁ T₁ x = e₁; e₂ : T₂ was derived from Γ′ ⊢ₖ e₁ : T₁ and Γ′, x : T₁ ⊢ₖ e₂ : T₂. By the inductive hypothesis we can derive Γ ⊢ subst(e₁) : T₁. To apply the inductive hypothesis to the latter judgment we need to rearrange the context. By Lemma 3 we know that Γ, x : T₁, this : C, msg.sender : address, msg.value : uint ⊢ₖ e₂ : T₂ can be derived with the same height. Furthermore, we can apply Lemma 4 to the other three hypotheses to obtain derivations of the judgments Γ, x : T₁, this : C, msg.sender : address, msg.value : uint ⊢ₖ c : C, Γ, x : T₁, this : C, msg.sender : address, msg.value : uint ⊢ₖ a : address, and Γ, x : T₁, this : C, msg.sender : address, msg.value : uint ⊢ₖ n : uint. Now, by the inductive hypothesis, Γ, x : T₁, this : C, msg.sender : address, msg.value : uint ⊢ subst(e₂) : T₂ can also be derived. Lastly, by applying DECL we obtain a derivation of Γ ⊢ T₁ x = subst(e₁); subst(e₂) : T₂, which is the same as Γ ⊢ subst(T₁ x = e₁; e₂) : T₂ since subst(T₁ x = e₁; e₂) = subst(T₁ x = e₁); subst(e₂) = T₁ x = subst(e₁); subst(e₂).

• MAPPSEL. In this case J = Γ′ ⊢ₖ₊₁ e₁[e₂] : T₂ was derived from Γ′ ⊢ₖ e₁ : mapping(T₁ ⇒ T₂) and Γ′ ⊢ₖ e₂ : T₁. By the inductive hypothesis we derive Γ ⊢ subst(e₁) : mapping(T₁ ⇒ T₂) and Γ ⊢ subst(e₂) : T₁; then, applying MAPPSEL, we obtain a derivation of Γ ⊢ subst(e₁)[subst(e₂)] : T₂, which is what we wanted to prove since subst(e₁[e₂]) = subst(e₁)[subst(e₂)].

• STATESEL. In this case J = Γ′ ⊢ₖ₊₁ e.sᵢ : Tᵢ was derived from Γ′ ⊢ₖ e : C, where sv(C) = T̃ s̃ and sᵢ ∈ s̃. By the inductive hypothesis we obtain Γ ⊢ subst(e) : C; then, applying STATESEL we derive Γ ⊢ subst(e).sᵢ : Tᵢ.

• ASS. In this case J = Γ′ ⊢ₖ₊₁ x = e : T was derived from Γ′ ⊢ₖ x : T and Γ′ ⊢ₖ e : T. By the inductive hypothesis we have Γ ⊢ subst(x) : T and Γ ⊢ subst(e) : T; applying ASS we obtain Γ ⊢ subst(x) = subst(e) : T, which is the same as Γ ⊢ subst(x = e) : T since subst(x) = x and subst(x = e) = (x = subst(e)).

• MAPPASS. In this case J = Γ′ ⊢ₖ₊₁ e₁[e₂ → e₃] : mapping(T₁ ⇒ T₂) was derived from Γ′ ⊢ₖ e₁ : mapping(T₁ ⇒ T₂), Γ′ ⊢ₖ e₂ : T₁, and Γ′ ⊢ₖ e₃ : T₂. By the inductive hypothesis we derive Γ ⊢ subst(e₁) : mapping(T₁ ⇒ T₂), Γ ⊢ subst(e₂) : T₁, and Γ ⊢ subst(e₃) : T₂. By MAPPASS we obtain Γ ⊢ subst(e₁)[subst(e₂) → subst(e₃)] : mapping(T₁ ⇒ T₂), which is what we wanted to prove since subst(e₁[e₂ → e₃]) = subst(e₁)[subst(e₂) → subst(e₃)].

• STATEASS. In this case J = Γ′ ⊢ₖ₊₁ e₁.s = e₂ : T was derived from Γ′ ⊢ₖ e₁.s : T and Γ′ ⊢ₖ e₂ : T. By the inductive hypothesis we obtain Γ ⊢ subst(e₁.s) : T and Γ ⊢ subst(e₂) : T; then, applying STATEASS we derive Γ ⊢ subst(e₁).s = subst(e₂) : T, which is what we wanted to prove since subst(e₁.s = e₂) = subst(e₁).s = subst(e₂).

• NEW. In this case J = Γ′ ⊢ₖ₊₁ new C.value(e₁)(ẽ) : C was derived from Γ′ ⊢ₖ ẽ : T̃ and Γ′ ⊢ₖ e₁ : uint, where sv(C) = T̃ s̃ and |ẽ| = |s̃|. By the inductive hypothesis we obtain Γ ⊢ subst(ẽ) : T̃ and Γ ⊢ subst(e₁) : uint; applying NEW we conclude Γ ⊢ subst(new C.value(e₁)(ẽ)) : C, since subst(new C.value(e₁)(ẽ)) = new C.value(subst(e₁))(subst(ẽ)).

• CONTRRETR. In this case J = Γ′ ⊢ₖ₊₁ C(e) : C was derived from Γ′ ⊢ₖ e : address. By the inductive hypothesis we have Γ ⊢ subst(e) : address, and applying CONTRRETR we obtain Γ ⊢ C(subst(e)) : C, which is the same as Γ ⊢ subst(C(e)) : C.

• TRANSFER. In this case J = Γ′ ⊢ₖ₊₁ e₁.transfer(e₂) : unit was derived from Γ′ ⊢ₖ e₁ : address and Γ′ ⊢ₖ e₂ : uint. By the inductive hypothesis we get Γ ⊢ subst(e₁) : address and Γ ⊢ subst(e₂) : uint. Furthermore, applying TRANSFER we derive Γ ⊢ subst(e₁).transfer(subst(e₂)) : unit, which is the same as Γ ⊢ subst(e₁.transfer(e₂)) : unit.

• CALL. In this case J = Γ′ ⊢ₖ₊₁ e₁.f.value(e₂)(ẽ) : T₂ was derived from Γ′ ⊢ₖ e₁ : C, Γ′ ⊢ₖ e₂ : uint, and Γ′ ⊢ₖ ẽ : T̃₁, where ftype(C, f) = T̃₁ → T₂ and |ẽ| = |T̃₁|. By the inductive hypothesis we get Γ ⊢ subst(e₁) : C, Γ ⊢ subst(e₂) : uint, and Γ ⊢ subst(ẽ) : T̃₁; applying CALL we derive Γ ⊢ subst(e₁).f.value(subst(e₂))(subst(ẽ)) : T₂, which is what we wanted to prove since subst(e₁.f.value(e₂)(ẽ)) = subst(e₁).f.value(subst(e₂))(subst(ẽ)).

• CALLTOPLEVEL. This case is very similar to the previous one, with the only addition of the judgment Γ ⊢ e₃ : address checking the well-typing of the third parameter.

• CALLVALUE. In this case J = Γ′ ⊢ₖ₊₁ e₁.value(e₂)(ẽ) : T₂ was derived from Γ′ ⊢ₖ e₁ : T̃₁ → T₂, Γ′ ⊢ₖ e₂ : uint, and Γ′ ⊢ₖ ẽ : T̃₁, where |ẽ| = |T̃₁|. By the inductive hypothesis we get Γ ⊢ subst(e₁) : T̃₁ → T₂, Γ ⊢ subst(e₂) : uint, and Γ ⊢ subst(ẽ) : T̃₁; applying CALLVALUE we derive Γ ⊢ subst(e₁).value(subst(e₂))(subst(ẽ)) : T₂, which is what we wanted to prove since subst(e₁.value(e₂)(ẽ)) = subst(e₁).value(subst(e₂))(subst(ẽ)).
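The lemma says that typing is preserved when this, msg.sender and msg.value are replaced by well-typed values, and each case of the proof pushes subst through one syntactic constructor. The Python script below is an added example, not code from the paper or its authors: it implements a toy type checker for a fragment of the calculus (the REF, VAR, TRUE/FALSE, NAT, ADDRESS, BAL, ADDR, IF, SEQ, DECL, MAPPSEL, ASS and TRANSFER rules), the structural definition of subst, and a function that checks one concrete instance of Lemma 5 end to end: it derives Γ′ ⊢ e : T, verifies the three hypotheses on c, a and n under Γ, and confirms Γ ⊢ subst(e) : T. The tuple-encoded AST, the contract name Wallet, the sample context Γ and every function name are assumptions of this example; literal addresses are typed by an axiom rather than looked up in Γ, a simplification of the paper's ADDRESS rule.

```python
# Added example, not code from the paper: a toy type checker for a fragment of the
# calculus in Lemma 5 and a check that one concrete instance of the lemma holds, i.e.
# that Γ' ⊢ e : T implies Γ ⊢ e{this := c, msg.sender := a, msg.value := n} : T.
# AST encoding, type encoding and helper names are this example's own assumptions.

BASE_TYPES = {"bool", "uint", "unit", "address"}
SPECIAL = {"this": "this", "sender": "msg.sender", "value": "msg.value"}
AXIOMS = {"bool": "bool", "nat": "uint", "addr": "address"}   # TRUE/FALSE, NAT, ADDRESS (simplified)

def is_contract(T):
    return isinstance(T, str) and T not in BASE_TYPES   # neither base type nor mapping

def lookup(env, name):
    if name not in env:
        raise TypeError(f"{name} is not bound in the context")
    return env[name]

def typecheck(env, e):
    """Return the type of e under env, or raise TypeError; branches name the rule mimicked."""
    tag = e[0]
    if tag in SPECIAL:                       # this, msg.sender, msg.value (REF, ADDRESS, NAT)
        return lookup(env, SPECIAL[tag])
    if tag in ("var", "ref"):                # VAR, REF
        return lookup(env, e[1])
    if tag in AXIOMS:
        return AXIOMS[tag]
    if tag == "balance":                     # BAL: e : address  =>  balance(e) : uint
        if typecheck(env, e[1]) != "address":
            raise TypeError("balance() of a non-address")
        return "uint"
    if tag == "address":                     # ADDR: e : C  =>  address(e) : address
        if not is_contract(typecheck(env, e[1])):
            raise TypeError("address() of a non-contract")
        return "address"
    if tag == "if":                          # IF: boolean guard, both branches of type T
        if typecheck(env, e[1]) != "bool" or typecheck(env, e[2]) != typecheck(env, e[3]):
            raise TypeError("ill-typed conditional")
        return typecheck(env, e[2])
    if tag == "seq":                         # SEQ: e1; e2 has the type of e2
        typecheck(env, e[1])
        return typecheck(env, e[2])
    if tag == "decl":                        # DECL: T1 x = e1; e2 extends the context with x : T1
        _, T1, x, e1, e2 = e
        if typecheck(env, e1) != T1:
            raise TypeError(f"initialiser of {x} has the wrong type")
        return typecheck(dict(env, **{x: T1}), e2)
    if tag == "mapsel":                      # MAPPSEL: e1 : mapping(T1 => T2), e2 : T1  =>  T2
        M = typecheck(env, e[1])
        if not (isinstance(M, tuple) and M[0] == "mapping") or typecheck(env, e[2]) != M[1]:
            raise TypeError("ill-typed mapping selection")
        return M[2]
    if tag == "ass":                         # ASS: x : T, e : T  =>  x = e : T
        T = lookup(env, e[1])
        if typecheck(env, e[2]) != T:
            raise TypeError(f"assignment to {e[1]} has the wrong type")
        return T
    if tag == "transfer":                    # TRANSFER: e1 : address, e2 : uint  =>  unit
        if typecheck(env, e[1]) != "address" or typecheck(env, e[2]) != "uint":
            raise TypeError("ill-typed transfer")
        return "unit"
    raise TypeError(f"unknown expression {e!r}")

def subst(e, c, a, n):
    """e{this := c, msg.sender := a, msg.value := n}, applied structurally."""
    replacement = {"this": c, "sender": a, "value": n}
    if e[0] in replacement:
        return replacement[e[0]]
    if e[0] == "decl":                       # the declared type and bound name are not expressions
        return ("decl", e[1], e[2], subst(e[3], c, a, n), subst(e[4], c, a, n))
    return (e[0],) + tuple(subst(x, c, a, n) if isinstance(x, tuple) else x for x in e[1:])

def substitution_preserves_typing(gamma, C, e, c, a, n):
    """One instance of Lemma 5: derive Γ' ⊢ e : T, check the hypotheses on c, a, n
    under Γ, and return T if Γ ⊢ subst(e) : T is derivable as well."""
    gamma_prime = dict(gamma, **{"this": C, "msg.sender": "address", "msg.value": "uint"})
    T = typecheck(gamma_prime, e)
    for val, expected in ((c, C), (a, "address"), (n, "uint")):
        if typecheck(gamma, val) != expected:
            raise TypeError(f"hypothesis violated: {val!r} is not of type {expected}")
    T_subst = typecheck(gamma, subst(e, c, a, n))
    if T_subst != T:
        raise TypeError(f"type changed under substitution: {T} became {T_subst}")
    return T

# Constructed sample: Γ = c : Wallet, bal : mapping(address ⇒ uint), owed : uint and
#   e = uint amt = bal[msg.sender]; (owed = balance(address(this)); msg.sender.transfer(amt))
GAMMA = {"c": "Wallet", "bal": ("mapping", "address", "uint"), "owed": "uint"}
EXAMPLE = ("decl", "uint", "amt", ("mapsel", ("var", "bal"), ("sender",)),
           ("seq", ("ass", "owed", ("balance", ("address", ("this",)))),
                   ("transfer", ("sender",), ("var", "amt"))))
C_VAL, A_VAL, N_VAL = ("ref", "c"), ("addr", "0xPLACEHOLDER"), ("nat", 3)

def demo():
    # Γ' ⊢ e : unit and Γ ⊢ subst(e) : unit, as the lemma states.
    return substitution_preserves_typing(GAMMA, "Wallet", EXAMPLE, C_VAL, A_VAL, N_VAL)
```

Calling demo() returns unit: the sample expression has type unit under Γ′ and its substituted form has the same type under Γ. Dropping this : C from the context, or passing a c whose type is not C, makes the checker raise, which mirrors the role the lemma's three hypotheses play in the REF, FUN and ADDR cases of the proof.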