2

In a reference manual (http://www.cse.unsw.edu.au/~se2011/DafnyDocumentation/Dafny%20-%20ValueTypes.pdf), we can find: two multisets are equal if they have exactly the same count of each element. However, there is no violation if I assert:

   assert multiset({1,1}) == multiset{1};

So I am understanding something wrong.

Then, for instance, to prove this:

    lemma seqSplit(s:seq<int>, c:int, p:int, f:int)
      requires 0<=c<=p<=f+1<=|s|
      ensures multiset(s[c..f+1]) == multiset(s[c..p])+multiset(s[p..f+1])

What is necessary? I started with:

    assert forall i :: c<=i<=f ==>
      (s[i] in multiset(s[c..f+1]) <==> (s[i] in multiset(s[c..p]) || s[i] in multiset(s[p..f+1])));

It verifies, and I would say it is the same as in the ensures, but seems not. Any help?

Theo Deep

1 Answer

1

multiset({1,1}) means "construct the set {1,1}, and then convert it to a multiset". Since the set {1,1} and the set {1} are the same, your assertion passes.

I think you want multiset{1,1}.

James Wilcox
  • Does "construct the set {1,1}, and then convert it to a multiset" more or less mean "construct a set from {1,1}, and then convert it to a multiset"? – Theo Deep Apr 08 '21 at 10:49
  • 1
    right. the key is that `multiset{...}` is its own syntactic construct which is completely separate from `{...}` for sets. – James Wilcox Apr 08 '21 at 15:06
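As an added example (not code from the question or from James Wilcox's answer), the following Dafny file contrasts the two constructs and shows one way to discharge the seqSplit lemma from the question; the lemma body is an illustrative proof step chosen here, not the original poster's attempt.

```dafny
// Added example: set display converted to a multiset vs. multiset display,
// plus a body for the seqSplit lemma from the question.

method MultisetLiterals()
{
  // multiset({1,1}) first builds the set {1,1}, which is the set {1},
  // and then converts it, so the element 1 has multiplicity 1.
  assert multiset({1,1}) == multiset{1};
  assert multiset({1,1})[1] == 1;

  // multiset{1,1} is a multiset display: two copies of 1.
  assert multiset{1,1} != multiset{1};
  assert multiset{1,1}[1] == 2;
}

lemma seqSplit(s: seq<int>, c: int, p: int, f: int)
  requires 0 <= c <= p <= f+1 <= |s|
  ensures multiset(s[c..f+1]) == multiset(s[c..p]) + multiset(s[p..f+1])
{
  // The membership assertion from the question only states which elements
  // occur in the slices, not how many times, so it does not imply the
  // multiset equality. Splitting the sequence itself carries the counts,
  // because Dafny knows multiset(a + b) == multiset(a) + multiset(b).
  assert s[c..f+1] == s[c..p] + s[p..f+1];
}
```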