Assume C = x.
    (C = x)(x := x+3)
=      < assumption C = x >
    (x = x)(x := x+3)
=      < textual substitution >
    x+3 = x+3
=      < reflexivity of = >
    true
So what's wrong with the "proof" shown above?
The error here was to make use of the assumption C = x —by replacing an occurrence of C by x— before applying the textual substitution. That is, we introduced into an expression an occurrence of x that was subject to being replaced later as a result of an application of textual substitution. Had we waited to make use of the assumption C = x until after the textual substitution had been applied (as we must!), we would have ended up with x = x+3, which we could not have shown to be equal to true.
Assume x-3 = y.
    (y = 11)(x := 14)
=      < assumption x-3 = y >
    (x-3 = 11)(x := 14)
=      < textual substitution >
    14-3 = 11
=      < arithmetic >
    11 = 11
=      < reflexivity of = >
    true
Another kind of mistake that results from applying an assumption "too early" is illustrated in the following "proof" of the Hoare Triple {x = 5} x := 17 {x = 5}. By HTAL (as above), this is equivalent to [x = 5 ⇒ (x=5)(x:=17)], which has the following invalid proof:
Assume x = 5.
    (x = 5)(x := 17)
=      < assumption x = 5 >
    (5 = 5)(x := 17)
=      < textual substitution >
    5 = 5
=      < reflexivity of = >
    true
The mistake here is that an occurrence of a variable (x) that should have been subject to being replaced later (by an application of textual substitution (x:=17)) was instead erased as a result of using an assumption. Had we applied the textual substitution first, we would have obtained 17 = 5, which we would not have been able to show equal to true.
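The three "proofs" above can be replayed mechanically. The following small term rewriter is an added example, not part of the original notes: it represents expressions as tuples, implements textual substitution and the use of an equational assumption as two separate rewrites, and computes the result of applying them in each order. The function and variable names are the example's own.

```python
# Added example (not from the notes): expressions are nested tuples of the form
# ('var', name), ('const', n) or (op, left, right) with op one of '+', '-', '='.

def subst(expr, var, repl):
    """Textual substitution expr(var := repl): replace every occurrence of var."""
    tag = expr[0]
    if tag == 'var':
        return repl if expr[1] == var else expr
    if tag == 'const':
        return expr
    return (tag,) + tuple(subst(e, var, repl) for e in expr[1:])

def use_assumption(expr, lhs, rhs):
    """Use the assumption lhs = rhs by rewriting every occurrence of lhs to rhs."""
    if expr == lhs:
        return rhs
    if expr[0] in ('var', 'const'):
        return expr
    return (expr[0],) + tuple(use_assumption(e, lhs, rhs) for e in expr[1:])

def show(expr):
    """Render an expression tree as infix text."""
    if expr[0] == 'var':
        return expr[1]
    if expr[0] == 'const':
        return str(expr[1])
    return f"{show(expr[1])} {expr[0]} {show(expr[2])}"

def is_reflexive(expr):
    """Reflexivity of =: an equation whose two sides are syntactically identical."""
    return expr[0] == '=' and expr[1] == expr[2]

def compare_orders(body, var, repl, lhs, rhs):
    """(invalid order: assumption then substitution, valid order: substitution then
    assumption), both rendered as text."""
    invalid = subst(use_assumption(body, lhs, rhs), var, repl)
    valid = use_assumption(subst(body, var, repl), lhs, rhs)
    return show(invalid), show(valid)

x, y, C = ('var', 'x'), ('var', 'y'), ('var', 'C')
def k(n): return ('const', n)

# The three "proofs" from the notes, each evaluated in both orders.
EXAMPLES = {
    'C=x':   compare_orders(('=', C, x), 'x', ('+', x, k(3)), C, x),     # assume C = x
    'x-3=y': compare_orders(('=', y, k(11)), 'x', k(14), y, ('-', x, k(3))),  # assume x-3 = y
    'x=5':   compare_orders(('=', x, k(5)), 'x', k(17), x, k(5)),        # assume x = 5
}
```

In every case the invalid order ends in an equation that reflexivity makes true, while the valid order leaves an equation that cannot be shown true.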
What we learn from these errors gives rise to the following law:
Law of Assumptions and Textual Substitution: In an expression of the form A(x1,x2,...,xn := F1,F2,...,Fn), indicating that free occurrences of variables x1, x2, ... xn in expression A are to be replaced by the expressions F1, F2, ..., Fn, respectively, we must not apply an assumption that either