Consider the following code fragment ([http://rise4fun.com/Dafny/6lkz](http://rise4fun.com/Dafny/6lkz)):
```dafny
function existential(mat: array2<bool>): bool
  requires mat != null
{
  // true iff some in-range cell of the matrix is set
  exists i, j :: 0 <= i < mat.Length0 && 0 <= j < mat.Length1 && mat[i,j]
}

method foo(n: int) {
  var mat := new bool[n,n];
  // clear the whole matrix
  forall i,j | (0 <= i < n && 0 <= j < n) {
    mat[i,j] := false;
  }
  var i := 0;
  var j := 0;
  // set cells to true (note: j is never reset, so only row 0 is written)
  while i < n {
    while j < n {
      mat[i,j] := true;
      j := j + 1;
    }
    i := i + 1;
  }
  assert !existential(mat);
}
```
Dafny wrongly reports the assertion in `foo` as correct. However, Dafny does detect an assertion violation after some irrelevant re-arrangements of the code. For example, it reports a violation as expected in *each* of the following cases:
- `var mat := new bool[n,n]` is changed to `var mat := new bool[n+1,n+1]`.
- The body of the `existential` function is inlined in the assertion.
Neither of the above changes affects the correctness of the code. Hence I believe that this behavior is a bug.
Comments: Add the check that every size of a multi-dimensional array is non-negative.
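The check named in the comment is a proof obligation at the allocation site: each requested dimension must be shown non-negative. The following is an added illustration, not code from the report or from the Dafny project, that writes that obligation out as an explicit contract so the burden placed on callers is visible; the method names `Allocate`, `Caller` and `Unconstrained` are assumptions, and the block assumes the usual Dafny array semantics (`Length0` and `Length1` are never negative).

```dafny
// Added illustration (not from the original report): the non-negativity
// obligation for multi-dimensional array sizes, spelled out as a contract.

// Allocating an n-by-n matrix is only meaningful when n >= 0. Stating that
// as a precondition makes every caller prove it, which is exactly what a
// sound allocation check does implicitly for `new bool[n, n]`.
method Allocate(n: int) returns (mat: array2<bool>)
  requires n >= 0
  ensures mat != null && mat.Length0 == n && mat.Length1 == n
{
  mat := new bool[n, n];
}

// A caller that establishes the bound discharges the obligation and the
// size facts about the result are consistent with the array axioms.
method Caller(n: int)
  requires n >= 0
{
  var mat := Allocate(n);
  assert mat.Length0 == n && mat.Length1 == n;
}

// A caller with an unconstrained size cannot discharge the obligation, so
// the verifier reports that the precondition might not hold. This is the
// failure that must surface at the allocation site once the size check is
// in place, instead of leaving a negative size unexamined.
method Unconstrained(n: int)
{
  var mat := Allocate(n);
}
```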