The following example is tested in the latest build of Dafny and also at rise4fun:
```
lemma SetLemma1<T> (s1: set<T>, s2: set<T>)
  requires s1 < s2          // s1 is a proper subset of s2
  ensures |s1| < |s2|
{
  // Pick some element of s2 that is not in s1; one exists because s1 < s2.
  var e :| e in s2 - s1;
  // Will fail if we use s2 - s1 != {e}
  if s1 != s2 - {e}
  {
    // Shrink the superset by one element and recurse; s2 - {e} is a
    // proper subset of s2, so the call terminates.
    SetLemma1(s1, s2 - {e});
  }
}

lemma SetLemma2<T> (s1: set<T>, s2: set<T>)
  requires s1 < s2          // s1 is a proper subset of s2
  ensures s2 - s1 != {}
{
  // Pick some element of s2 that is not in s1; one exists because s1 < s2.
  var e :| e in s2 - s1;
  // Will fail if we use s1 != s2 - {e}
  if s2 - s1 != {e}
  {
    // Shrink the superset by one element and recurse; s2 - {e} is a
    // proper subset of s2, so the call terminates.
    SetLemma2(s1, s2 - {e});
  }
}
```
As the example shows, sometimes Dafny needs `s1 != s2 - {e}` to verify, and sometimes it needs `s2 - s1 != {e}`. What is the reason behind this difference? Is there a way to know the required form besides trial and error? Thanks in advance.