How to define the specification to avoid array's value change with others

Question

method cube_0(c:array?<nat>,n:array?<nat>,k:array?<nat>,m:array?<nat>,N:nat) 
requires c!=null && c.Length>0
requires n!=null && n.Length>0
requires m!=null && m.Length>0
requires k!=null && k.Length>0
requires n[0]<N
requires c[0]==0&&n[0]==0&&k[0]==1&&m[0]==6
ensures n[0]<=N
modifies c
modifies n
modifies k
modifies m
{
    // c[0]:=c[0]+k[0];
    k[0]:=k[0]+m[0];
    m[0]:=m[0]+6;
    n[0]:=n[0]+1;
}

When i annotates the statement "c[0]:=c[0]+k[0]",the postcondition is satisfied, else not.I am confuse that I just change the value of c ,why the value of n will change with it?How to avoid this situation?

score 1 · Answer 1 · answered Jul 11 '20 at 15:20

You can fix this by adding a precondition requires c != n. Without this line, Dafny is not able to infer that the value of n[0] is not changed by the line c[0]:=c[0]+k[0];.

You might ask, why do we not also require the propositions k != n and m != n? The reason is that Dafny is already able to infer these two facts, from the fact that n[0]==0 && k[0]==1 && m[0]==6.

How to define the specification to avoid array's value change with others

1 Answers1