When Dafny translates the `LambdaGenerator` function below:
```
datatype D = D(b:bool)
function LambdaGenerator(x:int) : D -> bool
{
(d:D) -> d.b && x > 2
}
```
the definition axioms include a universal quantifier without a Dafny-selected trigger, e.g.:
```
(forall $l#0#heap#0: Heap, $l#0#d#0: DatatypeType ::
_module.D.D_q($l#0#d#0) && (_module.D.b($l#0#d#0) ==> true))
```
We've encountered at least one concrete example where this leads to Z3 choosing a bad trigger (Type) and hence to a bad timeout situation.
This is a good reminder that we should inspect (or even better, enforce at the C# level, e.g., by changing the signature on methods that produce quantifiers) that Dafny is always explicitly selecting a trigger for each quantifier it generates.
```
datatype D = D(b:bool)
function LambdaGenerator(x:int) : D -> bool
{
(d:D) -> d.b && x > 2
}
```
the definition axioms include a universal quantifier without a Dafny-selected trigger, e.g.:
```
(forall $l#0#heap#0: Heap, $l#0#d#0: DatatypeType ::
_module.D.D_q($l#0#d#0) && (_module.D.b($l#0#d#0) ==> true))
```
We've encountered at least one concrete example where this leads to Z3 choosing a bad trigger (Type) and hence to a bad timeout situation.
This is a good reminder that we should inspect (or even better, enforce at the C# level, e.g., by changing the signature on methods that produce quantifiers) that Dafny is always explicitly selecting a trigger for each quantifier it generates.