I wonder how this program
http://rise4fun.com/Dafny/TBQ0
is verified by Dafny without the inner invariant, since the outer invariant is not preserved in the inner loop.
Best,
Paqui
Comments: I think Dafny does not know directly that `a[..i] + [a[i]] + a[i+1..] == a[..]`, so a lemma like this can be used (call it before the inner loop and at the end of the inner loop):

```dafny
lemma MultisetPreservedByArrayPartition(a: array<int>, i: int)
  requires a != null && a.Length > 1;
  requires 0 <= i < a.Length;
  ensures multiset(a[..i]) + multiset{a[i]} + multiset(a[i+1..]) == multiset(a[..]);
{
  assert a[..i] + [a[i]] + a[i+1..] == a[..];
}
```

Or alternatively this extra invariant on the inner loop:

```dafny
invariant a[..j] + [aux] + a[j+1..] == a[..][j := aux];
```
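The point the comment makes is easier to see when the two candidate invariants are checked at runtime on a concrete array. The following is an added Python example, not Dafny code and not the program behind the rise4fun link (whose source is not on this page); it assumes the shift variant of insertion sort implied by the `aux` and `a[..][j := aux]` in the comment. At every head of the inner loop it evaluates the naive outer invariant `multiset(a[..]) == old(multiset(a[..]))` and the strengthened one `multiset(a[..][j := aux]) == old(multiset(a[..]))`, and it checks the sequence identity behind the comment's lemma; the `Counter`-based checks stand in for Dafny's `multiset`.

```python
from collections import Counter
from typing import List, Tuple


def partition_identity(a: List[int], i: int) -> bool:
    """Sequence fact the comment's lemma relies on: a[..i] + [a[i]] + a[i+1..] == a[..]."""
    assert 0 <= i < len(a)
    return a[:i] + [a[i]] + a[i + 1:] == a[:]


def insertion_sort_with_invariant_checks(a: List[int]) -> Tuple[List[int], int, int, int]:
    """Shift-variant insertion sort (assumed shape, not the linked program) that,
    at every inner-loop head, evaluates two candidate invariants:
      naive:  multiset(a[..]) == old(multiset(a[..]))
      strong: multiset(a[..][j := aux]) == old(multiset(a[..]))
    Returns (sorted list, #heads where naive held, #heads where strong held, #heads)."""
    old_ms = Counter(a)  # old(multiset(a[..])): the multiset at method entry
    naive_ok = strong_ok = heads = 0
    i = 1
    while i < len(a):
        assert Counter(a) == old_ms  # the outer invariant does hold at the outer loop head
        aux = a[i]  # element lifted out; a[i] is now a "hole" holding a stale copy
        j = i
        while True:
            heads += 1
            naive_ok += Counter(a) == old_ms
            # a[..][j := aux] written as a slice expression, i.e. the comment's
            # a[..j] + [aux] + a[j+1..]; filling the hole restores the multiset
            filled = a[:j] + [aux] + a[j + 1:]
            strong_ok += Counter(filled) == old_ms
            assert partition_identity(filled, j)
            if not (j > 0 and a[j - 1] > aux):
                break
            a[j] = a[j - 1]  # shifting duplicates a[j-1]; a[..] now has the wrong multiset
            j -= 1
        a[j] = aux  # closing the hole makes multiset(a[..]) == old again
        i += 1
    assert Counter(a) == old_ms
    return a, naive_ok, strong_ok, heads


if __name__ == "__main__":
    # constructed sample input
    print(insertion_sort_with_invariant_checks([3, 1, 2]))
```

On `[3, 1, 2]` the naive invariant fails at the two inner-loop heads reached after a shift (the array briefly holds a duplicate), while the strengthened one holds at all four heads. That is why the outer `multiset(a[..]) == old(...)` cannot be carried into the inner loop unchanged, and why a proof needs either the `a[..][j := aux]` form or the partition lemma to relate the pieces back to `multiset(a[..])`.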