The following two files (uploaded to rise4fun) are identical except for the order in which a lemma appears while the verification result is not the same.
An assertion error is produced when [the lemma is the last declaration in the file](http://rise4fun.com/Dafny/axBt); when [it is the first](http://rise4fun.com/Dafny/WPrWC), the file verifies correctly.
Tested at the command line with Dafny 1.9.7 and in rise4fun.
Comments: Thanks for the bug report (from April). There are two things going on with this example. One thing is that there was a bug in Dafny in the checking of reads clause for multi-dimensional arrays. That has now been fixed (see https://dafny.codeplex.com/workitem/146). With this bug fix, Dafny complains about missing reads clauses. After adding the missing reads clauses, the programs both verify. The other thing is that one gets different results depending on the declaration order (as the title of your report says). Sadly, this is still the case for your programs (without reads clauses) even after the bug fix of #146. (In the absence of the reads clauses--which Dafny now properly complains about--the frame axioms that Dafny uses allow you to derive false. My hunch is that the verifier doesn't always discover the proof of false in the same way, thus giving rise to different error reporting.) We are investing effort into eliminating or reducing these sorts of unpredictable results, so we appreciate your report. Thanks, Rustan
An assertion error is produced when [the lemma is the last declaration in the file](http://rise4fun.com/Dafny/axBt); when [it is the first](http://rise4fun.com/Dafny/WPrWC), the file verifies correctly.
Tested at the command line with Dafny 1.9.7 and in rise4fun.
Comments: Thanks for the bug report (from April). There are two things going on with this example. One thing is that there was a bug in Dafny in the checking of reads clause for multi-dimensional arrays. That has now been fixed (see https://dafny.codeplex.com/workitem/146). With this bug fix, Dafny complains about missing reads clauses. After adding the missing reads clauses, the programs both verify. The other thing is that one gets different results depending on the declaration order (as the title of your report says). Sadly, this is still the case for your programs (without reads clauses) even after the bug fix of #146. (In the absence of the reads clauses--which Dafny now properly complains about--the frame axioms that Dafny uses allow you to derive false. My hunch is that the verifier doesn't always discover the proof of false in the same way, thus giving rise to different error reporting.) We are investing effort into eliminating or reducing these sorts of unpredictable results, so we appreciate your report. Thanks, Rustan