
I do not understand why we use ==> instead of just using && all the time to perform implication. Take this code I found online, for example:


method Main() {
  var a: array<int> := new int[3];
  a[0], a[1], a[2] := 1, 1, 1;

  // every in-range index holds 1 (Dafny's array length field is Length)
  assert forall j :: 0 <= j < a.Length ==> a[j] == 1;
  // some in-range index holds 1
  assert exists j :: 0 <= j < a.Length && a[j] == 1;
}

Why not just use && instead of implication? Because we are using implication, the left side can be false and the right side will still be true, i.e. an array index can be out of bounds and, at that index, say a[-10], the element would be 1: a[-10] == 1.

harry_2381

1 Answer


Let's think about the formula

assert forall j :: 0 <= j < a.Length && a[j] == 1;

which uses && instead of ==>, as you suggest.

If we read this formula in plain language, it says "every integer j is between 0 and a.length, and furthermore, a[j] == 1". But this is obviously false, because not every integer is between 0 and a.length (for example, a.length + 1 is an integer that is not in this range).

So using && under the forall there doesn't really make sense.

James Wilcox
  • Thank you for your response. ==> also has the caveat that if the LHS is false, say a.length + 1, then the RHS could still be true, so "a[a.length + 1] == 1" – harry_2381 Sep 01 '20 at 00:05
  • Right, I saw you mentioned that in your question, but I still don't understand why you're worried about that. If the LHS is false, the implication as a whole is true regardless of the truth of the RHS, so we don't even need to look at the RHS! – James Wilcox Sep 01 '20 at 02:11
  • Thanks James. You are right. Implication does make more sense. I guess the general rule is that we use implication with forall statements, and conjugates for exists statements – harry_2381 Sep 01 '20 at 02:53
  • If you are bothered by having to write `==>` for `forall` and `&&` for `exists`, there is an alternative syntactic form you can use. See the section called "range predicates" in this [Dafny Power User note](http://leino.science/papers/krml267.html). – Rustan Leino Sep 08 '20 at 23:50
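The two quantifier shapes discussed in the answer and the comments, and the range-predicate form from Rustan Leino's comment, put into one verifiable Dafny program. This is an added example, not code from the question, the answer, or the linked note; the method names FillWithOnes and Main are assumed. It shows where the bounded forall with ==> actually earns its keep (a loop invariant that must say nothing about cells not yet written), proves the exists form from an in-range witness, and demonstrates why the "wrong way round" exists with ==> is vacuously true even for an empty array.

```dafny
// Added example (not from the thread). Assumed names: FillWithOnes, Main.

method FillWithOnes(a: array<int>)
  modifies a
  ensures forall j :: 0 <= j < a.Length ==> a[j] == 1
  // Range-predicate form: the bound is written once and Dafny picks the
  // right connective (==> for forall, && for exists) for you.
  ensures forall j | 0 <= j < a.Length :: a[j] == 1
{
  var i := 0;
  while i < a.Length
    invariant 0 <= i <= a.Length
    // ==> limits the claim to cells already written. For any j >= i (or
    // j < 0) the antecedent is false, so nothing is asserted about a[j];
    // that is exactly what we want in the middle of the loop.
    invariant forall j :: 0 <= j < i ==> a[j] == 1
  {
    a[i] := 1;
    i := i + 1;
  }
}

method Main()
{
  var a := new int[3];
  FillWithOnes(a);

  // forall: the bound restricts j, the consequent is the claim.
  assert forall j :: 0 <= j < a.Length ==> a[j] == 1;

  // exists: the bound is part of the claim, so the witness must be in range.
  // a[0] == 1 follows from the postcondition and serves as the witness.
  assert a[0] == 1;
  assert exists j :: 0 <= j < a.Length && a[j] == 1;
  assert exists j | 0 <= j < a.Length :: a[j] == 1;

  // The two wrong-way-round versions:
  //
  //   forall j :: 0 <= j < a.Length && a[j] == 1
  // claims every integer is in range; it is false (take j := -1) and Dafny
  // reports that the assertion might not hold, so it is left out here.
  //
  //   exists j :: 0 <= j < a.Length ==> a[j] == 1
  // is vacuously true for every array, including an empty one: any
  // out-of-range j makes the implication true without looking at a[j].
  // Giving Dafny the out-of-range witness j := empty.Length makes it prove it.
  var empty := new int[0];
  assert 0 <= empty.Length < empty.Length ==> empty[empty.Length] == 1;
  assert exists j :: 0 <= j < empty.Length ==> empty[j] == 1;
}
```

The last assertion is the formal version of the worry in the question: an exists written with ==> says nothing about the array at all, so the shape matters even though each connective is "just" propositional logic.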