
Consider the following complicated way of negating a boolean (which depends on short-circuit evaluation):

def negate(a: Boolean) = {
  var b = true
  a && { b = false; true }
  b
} ensuring { res => res != a }

If I test this code in the Scala console, it works as expected. But leon --xlang says that the postcondition is invalid. Is this expected/specified?

Samuel Gruetter

1 Answer


Looking at the (simplified) encoding after the xlang transformation phase, we get the following:

  def negate0(a0 : Boolean): Boolean = {
    val b1 = true
    val b2 = false
    b2
  } ensuring {
    res19 => res19 != a0
  }

The first b1 corresponds to the initialization var b = true. The second b2 is introduced to correspond to the assignment b = false. Unfortunately XLang does not do any special treatment of the && and || operators, meaning that it will extract all side effects in sub-expressions and move them, in order, to the "top" level (hence the val b2 = false). The final returned value is b2, the last known name of b, and obviously the expression a && ... is ignored (except for its side effect).

So basically this is a limitation in Leon, and we will be looking into fixing it.

Edit: Note that this got fixed in the most recent version of Leon: https://github.com/epfl-lara/leon/commit/2485477f4e91cba7fe6e0c137817d62f513a3c42

Regis Blanc
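To make the limitation concrete, here is an added Scala example (not from the original question or answer, and not Leon's own code) that writes both encodings by hand: the hoisted form the answer shows, and the guarded form that a short-circuit-aware translation of && has to produce. The function names negateHoisted, negateGuarded and holdsForAll are assumed names for illustration.

```scala
object NegateEncodings {
  // Original program: the assignment to b happens only when a is true,
  // because && short-circuits. Running it in plain Scala gives the
  // expected negation.
  def negate(a: Boolean): Boolean = {
    var b = true
    a && { b = false; true }
    b
  } ensuring { res => res != a }

  // The (simplified) encoding from the answer: the side effect of the
  // right operand is hoisted unconditionally, so the result ignores a
  // and the postcondition res != a fails for a == false.
  def negateHoisted(a: Boolean): Boolean = {
    val b1 = true
    val b2 = false
    b2
  }

  // What a short-circuit-aware translation must produce: the assignment
  // is guarded by the left operand, i.e. b2 = if (a) false else b1.
  def negateGuarded(a: Boolean): Boolean = {
    val b1 = true
    val b2 = if (a) false else b1
    b2
  } ensuring { res => res != a }

  // Check the postcondition res != a over the whole (two-element) domain.
  def holdsForAll(f: Boolean => Boolean): Boolean =
    Seq(true, false).forall(a => f(a) != a)

  def main(args: Array[String]): Unit = {
    println(s"negate        satisfies postcondition: ${holdsForAll(negate)}")
    println(s"negateHoisted satisfies postcondition: ${holdsForAll(negateHoisted)}")
    println(s"negateGuarded satisfies postcondition: ${holdsForAll(negateGuarded)}")
  }
}
```

Only the hoisted form fails the check, which is exactly the counterexample Leon reports before the linked fix.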