I have a surprising assertion violation in an iterator that does not occur in a regular method.
```dafny
predicate SubInv(x: array<bool>)
  requires x.Length > 0
  reads x
{
  x[0]
}

predicate Inv(x: array<bool>)
  requires x.Length > 0
  reads x
{
  SubInv(x)
}

iterator Iter(x: array<bool>)
  requires x.Length > 0
  requires Inv(x)
  yield requires Inv(x)
{
  assert Inv(x);
  // This assertion fails
  assert SubInv(x);
}

method m(x: array<bool>)
  requires x.Length > 0
  requires Inv(x)
{
  assert Inv(x);
  // This assertion is verified
  assert SubInv(x);
}
```
Since `Inv(x)` is defined as `SubInv(x)`, I expected Dafny to be able to verify it in the iterator body as well. What am I misunderstanding? Do I need to unfold the definition of `Inv` or `SubInv` in some way?