Gries's and Schneider's definition of textual substitution as applied to a quantification, (8.11), is incomplete. Here is a complete definition:
(*x | R : Q)[y:=E] =
    (*x | R : Q)                      if 'x'='y'                      (1)
    (*x | R[y:=E] : Q[y:=E])          if 'x'≠'y' ∧ ¬occurs.'x'.'E'    (2)
    (*z | R[x:=z] : Q[x:=z])[y:=E]    otherwise                       (3)
In the case of (3), z is chosen to be a fresh variable satisfying 'z'≠'x' ∧ ¬occurs.'z'.'E'. To be explicit, the otherwise condition of (3) is 'x'≠'y' ∧ occurs.'x'.'E'.
Notes:
By 'x'='y' is meant that x and y are the same variable, whereas 'x'≠'y' means that they are distinct variables.
By occurs.'x'.'E' is meant that there is at least one free occurrence of x in E.
Example 1:
   (★x | 0 ≤ x ≤ r : (★y | 0 ≤ y < n : r·x + y))[r := y]
=     < (2) >
   (★x | (0 ≤ x ≤ r)[r := y] : (★y | 0 ≤ y < n : r·x + y)[r := y])
=     < textual substitution >
   (★x | 0 ≤ x ≤ y : (★y | 0 ≤ y < n : r·x + y)[r := y])
=     < (3), choosing z as new dummy >
   (★x | 0 ≤ x ≤ y : (★z | (0 ≤ y < n)[y := z] : (r·x + y)[y := z])[r := y])
=     < textual substitution (twice) >
   (★x | 0 ≤ x ≤ y : (★z | 0 ≤ z < n : r·x + z)[r := y])
=     < (2) >
   (★x | 0 ≤ x ≤ y : (★z | (0 ≤ z < n)[r := y] : (r·x + z)[r := y]))
=     < textual substitution (twice) >
   (★x | 0 ≤ x ≤ y : (★z | 0 ≤ z < n : y·x + z))
Example 2:
   (★x | 0 ≤ x ≤ y : (★y | 0 ≤ y < n : x + y))[y := s]
=     < (2) >
   (★x | (0 ≤ x ≤ y)[y := s] : (★y | 0 ≤ y < n : x + y)[y := s])
=     < textual substitution >
   (★x | 0 ≤ x ≤ s : (★y | 0 ≤ y < n : x + y)[y := s])
=     < (1) >
   (★x | 0 ≤ x ≤ s : (★y | 0 ≤ y < n : x + y))
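
The three cases of the definition, written out as an executable check of Examples 1 and 2. This is an added example, not code from Gries and Schneider or from the original note. The tuple encoding, the function names free, fresh and subst, and the operator tags le_le and le_lt are assumptions made here; the fresh z is additionally kept distinct from y and from the free variables of R and Q.

```python
from itertools import count

# Expression encoding (an assumption of this example, not the book's notation):
#   int                  constant
#   str                  variable
#   ("quant", x, R, Q)   the quantification (★x | R : Q)
#   (op, arg, ...)       any other operator applied to subexpressions

def free(e):
    """Variables with at least one free occurrence in e (occurs.'x'.'e')."""
    if isinstance(e, int):
        return set()
    if isinstance(e, str):
        return {e}
    if e[0] == "quant":
        _, x, R, Q = e
        return (free(R) | free(Q)) - {x}
    return set().union(*(free(a) for a in e[1:]))

def fresh(avoid):
    """First of z, z1, z2, ... that is not in avoid."""
    return next(n for n in (f"z{i or ''}" for i in count()) if n not in avoid)

def subst(e, y, E):
    """Capture-avoiding textual substitution e[y := E]."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return E if e == y else e
    if e[0] != "quant":
        return (e[0],) + tuple(subst(a, y, E) for a in e[1:])
    _, x, R, Q = e
    if x == y:                    # (1): y is the dummy, so no free y to replace
        return e
    if x not in free(E):          # (2): E cannot be captured, push inward
        return ("quant", x, subst(R, y, E), subst(Q, y, E))
    # (3): x occurs free in E; rename the dummy to z, then retry (lands in (2)).
    # z also avoids y and the free variables of R and Q: our reading of "fresh".
    z = fresh(free(E) | free(R) | free(Q) | {x, y})
    return subst(("quant", z, subst(R, x, z), subst(Q, x, z)), y, E)

# Example 1 and Example 2 from the text, in this encoding.
EX1 = ("quant", "x", ("le_le", 0, "x", "r"),
       ("quant", "y", ("le_lt", 0, "y", "n"), ("+", ("·", "r", "x"), "y")))
EX2 = ("quant", "x", ("le_le", 0, "x", "y"),
       ("quant", "y", ("le_lt", 0, "y", "n"), ("+", "x", "y")))
```

Calling subst(EX1, "r", "y") exercises cases (2) and (3), and subst(EX2, "y", "s") exercises cases (2) and (1), matching the hints in the two calculations.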