A very simple multiplication code:
method Product1 (m: nat, n: nat) returns (res:nat)
ensures res == m * n;
{
var m1: nat := 0;
var n1: nat := 0;
res := 0;
while (m1 < m)
{
n1 := 0;
while (n1 < n)
{
res := res + 1;
n1 := n1 + 1;
}
m1 := m1 + 1;
}
}
When I verify it with dafny, it says:
Description Line Column
1 A postcondition might not hold on this return path. 8 4
2 This is the postcondition that might not hold. 2 16
I get it says under some conditions, res != m*n, but I can't figure it out.
