I wonder why Dafny requires the commented hint in http://rise4fun.com/Dafny/8sl7 to validate the assertion.
Could someone explain it?

Dovydas Šopa

jiplucap
1 Answer
The reason is that Dafny is only willing to unroll a function a limited number of times when constructing proofs. Proving that assertion requires unrolling applyMapSeq three times.
I suggest adding some postconditions to applyMapSeq that will help Dafny with this and with other proofs. Here's the signature I have in mind:
```dafny
function applyMapSeq<U,V>(f: map<U,V>, xs: seq<U>): (ys: seq<V>)
  requires (set x | x in xs) <= domain(f)
  ensures |ys| == |xs|
  ensures forall i :: 0 <= i < |xs| ==> ys[i] == f[xs[i]]
```
You can see at http://rise4fun.com/Dafny/Vibu that, with these additional postconditions, Dafny can verify your assertion.

Jay Lorch
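To illustrate the answer's point, here is an added, self-contained Dafny example (not the asker's rise4fun code and not the answerer's file): `applyMapSeq` with the suggested postconditions, and an assertion about a three-element sequence that then verifies from the `ensures` clauses alone, with no manual unrolling hint. `domain` is not on the page as a definition; it is assumed here to mean the key set of the map, written `f.Keys` in current Dafny, and the recursive body is my own.

```dafny
// Assumption: domain(f) is the set of keys of f (f.Keys in current Dafny).
function domain<U,V>(f: map<U,V>): set<U> { f.Keys }

// The postconditions let callers reason about the result element-wise,
// so Dafny never has to unroll the recursion to learn what ys contains.
function applyMapSeq<U,V>(f: map<U,V>, xs: seq<U>): (ys: seq<V>)
  requires (set x | x in xs) <= domain(f)
  ensures |ys| == |xs|
  ensures forall i :: 0 <= i < |xs| ==> ys[i] == f[xs[i]]
  decreases xs
{
  // Recursive body (added here, not from the page): map the head, recurse on the tail.
  if |xs| == 0 then [] else [f[xs[0]]] + applyMapSeq(f, xs[1..])
}

// A lemma is ghost context, so it works whether `function` is ghost (Dafny 3)
// or compiled (Dafny 4).
lemma ThreeElementsVerify()
{
  // Constructed sample input.
  var f := map[1 := "a", 2 := "b", 3 := "c"];
  var ys := applyMapSeq(f, [1, 2, 3]);
  // Without the postconditions this needs three unrollings, more than Dafny's
  // default fuel; with them it follows from |ys| == 3 and ys[i] == f[xs[i]].
  assert ys == ["a", "b", "c"];
}
```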