SE 504
The Law of Assumptions and Textual Substitution

Assume C = x.
    (C = x)(x := x+3)

=      < assumption C = x >

    (x = x)(x := x+3)

=      < textual substitution >

    x+3 = x+3

=      < reflexivity of = >

    true
Consider the Hoare triple {C = x} x := x + 3 {C = x}, where C is a "rigid variable" (or a "specification constant", as it is sometimes called). Clearly, it is not valid, as it asserts that the value of variable x remains unchanged as a consequence of executing an assignment that increases x's value by three! By the Hoare Triple Assignment Law, this Hoare Triple is equivalent to

[C = x ⟹ (C = x)(x := x+3)]

So what's wrong with the "proof" shown above?

The error here was to make use of the assumption C = x (by replacing an occurrence of C by x) before applying the textual substitution. That is, we introduced into an expression an occurrence of x that was subject to being replaced later by the textual substitution. Had we waited to make use of the assumption C = x until after the textual substitution had been applied (as we must!), we would have ended up with x = x+3, which we could not have shown to be equal to true.

Assume x-3 = y.
    (y = 11)(x := 14)

=      < assumption x-3 = y >

    (x-3 = 11)(x := 14)

=      < textual substitution >

    14-3 = 11

=      < arithmetic >

    11 = 11

=      < reflexivity of = >

    true
A similar example is {x-3 = y} x := 14 {y = 11}, which can be "proved" as shown above. Again, we made the mistake of using an assumption to replace a variable (y) by an expression (x-3) that contains an occurrence of a variable (x) which is subject to being replaced later by a textual substitution (x := 14).

Another kind of mistake that results from applying an assumption "too early" is illustrated in the following "proof" of the Hoare Triple {x = 5} x := 17 {x = 5}. By HTAL (as above), this is equivalent to [x = 5 ⟹ (x = 5)(x := 17)], which has the following invalid proof:

Assume x = 5.
    (x = 5)(x := 17)

=      < assumption x = 5 >

    (5 = 5)(x := 17)

=      < textual substitution >

    5 = 5

=      < reflexivity of = >

    true

The mistake here is that an occurrence of a variable (x) that should have been subject to being replaced later (by an application of textual substitution (x:=17)) was instead erased as a result of using an assumption. Had we applied the textual substitution first, we would have obtained 17 = 5, which we would not have been able to show equal to true.
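All three faulty "proofs" above use an assumption before the textual substitution has been applied. As an added example (my own code, not part of the course notes; it needs Python 3.9 or later for ast.unparse), the following implements simultaneous textual substitution on formulas written in Python syntax and checks each of the three Hoare triples mechanically through the assignment law, always substituting first; it also shows the tautology that appears when the assumption C = x is used too early. The function names and the small integer search domain are my own choices.

```python
import ast
import copy
import itertools

# Added example (not part of the course notes): simultaneous textual substitution on
# formulas in Python syntax ("==" for "="), and a Hoare-triple check via the assignment
# law {P} x := E {Q}  iff  [P => Q(x := E)], with the substitution applied first.

class _Subst(ast.NodeTransformer):
    """Replace free occurrences of variables by expressions, all at once: a returned
    replacement subtree is never revisited, so x := x+3 leaves its own x alone."""
    def __init__(self, mapping):
        self.repl = {v: ast.parse(e, mode="eval").body for v, e in mapping.items()}

    def visit_Name(self, node):
        return copy.deepcopy(self.repl[node.id]) if node.id in self.repl else node

def substitute(expr, mapping):
    """Text of expr(x1,...,xn := F1,...,Fn), e.g. substitute("C == x", {"x": "x+3"})."""
    tree = _Subst(mapping).visit(ast.parse(expr, mode="eval"))
    return ast.unparse(tree.body)

def free_vars(expr):
    return {n.id for n in ast.walk(ast.parse(expr, mode="eval")) if isinstance(n, ast.Name)}

def _holds(expr, env):
    # Evaluate a constructed formula in a state; no builtins are exposed to it.
    return bool(eval(compile(expr, "<formula>", "eval"), {"__builtins__": {}}, dict(env)))

def hoare_counterexample(pre, assigns, post, domain=range(-5, 20)):
    """Search a small integer domain for a state satisfying pre but not post(x := E).
    Returns that state, or None if the triple holds everywhere on the domain."""
    wp = substitute(post, assigns)                     # substitute BEFORE using pre
    names = sorted(free_vars(pre) | free_vars(wp))
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if _holds(pre, env) and not _holds(wp, env):
            return env
    return None

if __name__ == "__main__":
    print(substitute("C == x", {"x": "x+3"}))                          # C == x + 3
    print(substitute(substitute("C == x", {"C": "x"}), {"x": "x+3"}))  # x + 3 == x + 3 (assumption used too early)
    triples = [("C == x", {"x": "x+3"}, "C == x"), ("x-3 == y", {"x": "14"}, "y == 11"),
               ("x == 5", {"x": "17"}, "x == 5"), ("x == 5", {"x": "x+12"}, "x == 17")]
    for pre, assigns, post in triples:
        print(f"{{{pre}}} {assigns} {{{post}}} ->", hoare_counterexample(pre, assigns, post))
```

The last triple, {x = 5} x := x+12 {x = 17}, is valid and yields no counterexample; the three from the notes each yield a state that satisfies the precondition but not the substituted postcondition.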

What we learn from these errors gives rise to the following law:

Law of Assumptions and Textual Substitution: In an expression of the form A(x1,x2,...,xn := F1,F2,...,Fn), indicating that free occurrences of variables x1, x2, ... xn in expression A are to be replaced by the expressions F1, F2, ..., Fn, respectively, we must not apply an assumption that either