1. Verification with Array Variables Book: Chapter 7.2

2. The problem Using array variables can lead to complication: {x[1]=1/\x[2]=3} x[x[1]]:=2 {x[x[1]]=2} Why? Because the assignment changes x[1] as well. Now it is also 2, and x[x[1]], which is x[2] is 3 and not 2!

3. What went wrong? Take the postcondition {x[x[1]]=2} and substitute 2 instead of x[x[1]]. We obtain {2=2} (which is equivalent to {true}). Now, (x[1]=1/\x[2]=3) 2=2. So we may wrongly conclude that the above Hoare triple is correct.

4. How to fix this? `Backward substitution should be done with arrays as complete elements. Define (x; e1: e2): an array like x, with value at the index e1 changed to e2. (x; e1: e2)[e3]=e2 if e1=e3 x[e3] otherwise (x; e1: e2)[e3]=if(e1=e3, e2, x[e3])

5. Solved the problem? How to deal with if(φ, e1, e2)? Suppose that formula ψ contains this expression. Replace if(φ, e1, e2) by new variable v in ψ. The original formula ψ is equivalent to: (φ/\ ψ[e1/v])\/(¬φ/\ ψ[e2/v])

6. Returning to our case Our postcondition is {x[x[1]]=2}. The assignment x[x[1]]:=2 causes the substitution in the postcondition of the (array) variable x by a new array, which is (x; x[1] : 2), resulting in {x[x[1]]=2} (x; x[1] : 2)[(x; x[1] : 2)[1]] = 2

7. Are we done? Not yet. It remains to Convert the array form into an if form. Get rid of the if form. Will not be done in class. All we say is that we obtain an expression that is not implied by the precondition x[1]=1/\x[2]=3.