The following bubble sort algorithm
http://rise4fun.com/Dafny/p3l
can be verified if all the postconditions and invariants about the permutation property are of the form perm(a[..],old(a[..])). However, for didactic purposes I have tried the experiment of asserting about the exact part of the array that has been permuted. I have, surprisingly, discovered two issues:
1.- You should add
assert a[..a.Length] == a[..];
assert old(a[..a.Length]) == old(a[..]);
to help Dafny in the inference of the post.
For that, change assert to assume in the inner-loop assertion.
2.- The inner-loop assertion is violated, in spite of the fact that it is a postcondition of the method step.