The postcondition "ensures apply((i => i + 1), 5) == 6" fails verification (see code below). However, asserting the postcondition exactly ("assert apply((i => i + 1), 5) == 6;") inside the body causes the postcondition to succeed.
static function apply(f:int->int, a:int):int
  reads f.reads;
  requires f.requires(a);
{
  f(a)
}

static lemma Test(s:int)
  ensures apply((i => i + 1), 5) == 6;
{
  // assert apply((i => i + 1), 5) == 6;
}
It appears that in the generated Boogie code, the assertion has an "assume ...canCall...", which helps to verify the assertion. By contrast, the postcondition has a "free ensures ...canCall...", which does not appear to help verify the postcondition.
The same issue applies to preconditions when calling a method.
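The workaround the report describes, applied to both cases (the postcondition and a method precondition), as an added example that is not part of the original report; it assumes the pre-fix behaviour described above, where the explicit assert supplies the canCall assumption the verifier otherwise lacks:

```dafny
static function apply(f:int->int, a:int):int
  reads f.reads;
  requires f.requires(a);
{
  f(a)
}

// Postcondition case: the commented-out line is the one that fails;
// stating the same fact as an assert inside the body lets the
// postcondition verify.
static lemma Test2()
  ensures apply((i => i + 1), 5) == 6;
{
  assert apply((i => i + 1), 5) == 6;
}

// Precondition case: Use requires the same fact about apply.
static method Use(x:int)
  requires apply((i => i + 1), 5) == 6;
{
}

// Without the assert, the call to Use fails for the same reason as
// the postcondition in Test; with it, the call verifies.
static method Caller()
{
  assert apply((i => i + 1), 5) == 6;
  Use(0);
}
```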
Comments: Fixed in changesets f354709009a5 and 82a85d97f74a.