I wonder how this program
http://rise4fun.com/Dafny/TBQ0
is verified by Dafny without the inner invariant, since the outer invariant is not preserved in the inner loop.
Best,
Paqui
Comments: If I understand correctly, at the end of the inner loop the following are facts:

- ```0 <= j <= i``` i.e. you know this from the inner loop condition being false, and ```j``` being used for induction on the loop. It means ```j``` is within the part of the prefix of the array up to index ```i+1```.
- ```sorted_between(a,0,j) && sorted_between(a,j,i+1)``` i.e. the part of the array prefix below ```j``` is sorted, and the part above ```j``` is sorted. You know this from the inner loop invariant, which will hold at the end of the inner loop.
- ```j != i ==> forall k, k' :: (0 <= k < j && j <= k' <= i) ==> a[k] <= a[k'];``` i.e. everything in the lower part of the array prefix is less than everything in the upper part. This is also from the inner loop invariant.

After the inner loop is finished, Dafny can use these facts to re-establish the invariant of the outer loop ```sorted_between(a,0,i+1)```.
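The reasoning in the comment above, as an added example that is not part of the original post or of the linked Dafny program: a Python runtime checker that asserts the inner-loop invariants at every loop head and confirms, at inner-loop exit, that the guard being false plus those invariants re-establish the outer invariant ```sorted_between(a,0,i+1)```. The program at the rise4fun link is not on the page, so this models a standard insertion-sort inner loop (swap ```a[j-1]``` and ```a[j]``` while ```a[j-1] > a[j]```); for that loop the "lower part below upper part" fact is checked with a strict ```j < k'```, excluding the element that is still being moved, which is an assumption of this model and not a statement about the original program. The function names and the random test inputs are constructed for this example.

```python
"""Runtime check of the loop-invariant reasoning for an insertion sort.

Assumption (the linked program is not on the page): the inner loop swaps
a[j-1] and a[j] while a[j-1] > a[j].  For that loop, the "lower part <= upper
part" fact must exclude position j, whose element is still being moved, so the
upper range is j < k' <= i here.  This is a runtime check, not a proof, but it
mirrors the facts Dafny has at each loop head and at inner-loop exit.
"""
import random


def sorted_between(a, lo, hi):
    """Dafny's sorted_between(a, lo, hi): a[lo..hi) is non-decreasing."""
    return all(a[k] <= a[k2] for k in range(lo, hi) for k2 in range(k + 1, hi))


def lower_leq_upper(a, j, i):
    """j != i ==> forall k, k' :: 0 <= k < j && j < k' <= i ==> a[k] <= a[k']."""
    if j == i:
        return True
    return all(a[k] <= a[k2] for k in range(0, j) for k2 in range(j + 1, i + 1))


def inner_invariants_hold(a, i, j):
    """The three inner-loop facts from the comment, checked on a concrete state."""
    return (0 <= j <= i
            and sorted_between(a, 0, j)
            and sorted_between(a, j, i + 1)
            and lower_leq_upper(a, j, i))


def insertion_sort_checked(a):
    """Insertion sort that asserts the invariants where Dafny would check them."""
    a = list(a)
    i = 0
    while i < len(a):
        assert sorted_between(a, 0, i)              # outer invariant at loop head
        j = i
        while True:
            assert inner_invariants_hold(a, i, j)   # inner invariants at loop head
            if not (j > 0 and a[j - 1] > a[j]):     # inner loop guard
                break
            a[j - 1], a[j] = a[j], a[j - 1]
            j -= 1
        # At exit the guard is false: j == 0 or a[j-1] <= a[j].  Together with
        # the inner invariants this must give the outer invariant for i+1.
        assert j == 0 or a[j - 1] <= a[j]
        assert sorted_between(a, 0, i + 1)
        i += 1
    assert sorted_between(a, 0, len(a))             # postcondition
    return a


def check_many(trials=200, seed=1):
    """Run the checked sort on constructed random inputs; returns the trial count."""
    rng = random.Random(seed)
    for _ in range(trials):
        xs = [rng.randint(-5, 5) for _ in range(rng.randint(0, 8))]
        assert insertion_sort_checked(xs) == sorted(xs)
    return trials


if __name__ == "__main__":
    print(insertion_sort_checked([2, 5, 1]))
    print("trials passed:", check_many())
```

Changing ```j < k'``` in ```lower_leq_upper``` to ```j <= k'``` makes the head assertion fail on inputs such as ```[2, 5, 1]``` for this particular inner loop, which is a quick way to see which form of the fact a given loop body actually maintains before writing it as a Dafny invariant.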