Open
Description
If one tries to verify the following Viper program:

```viper
function offset(start: Ref, index: Int): Ref

method test(start: Ref, l: Int)
  ensures forall ii: Int :: 0 <= ii && ii < l ==> offset(start, 0 + ii) == old(offset(start, 1 + ii))
{
}
```
they will get the following error message:

```
Silicon found 1 error in 5,26s:
[0] Postcondition of test might not hold. Assertion (forall __rw_ii1: Int, __rw_ii2: Int :: { offset(start, __rw_ii1) } { offset(start, __rw_ii2) } true && __rw_ii1 - 0 == __rw_ii2 - 1 ==> 0 <= __rw_ii1 - 0 && __rw_ii1 - 0 < l ==> offset(start, __rw_ii1) == old(offset(start, __rw_ii2))) might not hold. ([email protected])
Potential incompleteness: Some((:reason-unknown "(incomplete quantifiers)"))
```
which shows that Viper inferred invalid triggers for the quantifier: after rewriting `0 + ii` and `1 + ii` into the fresh variables `__rw_ii1` and `__rw_ii2`, each of the two inferred trigger sets mentions only one of the two quantified variables.
Z3 rejects this trigger, as witnessed by the following message in the log:

```
13:50:45.129 [ForkJoinPool-1-worker-3] WARN viper.silicon.decider.Z3ProverStdIO - Prover warning: WARNING: (642,21): pattern does not contain all quantified variables.
```
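As an added illustration (not part of the original report and not Silicon's actual encoding), here is the shape of the rewritten quantifier in SMT-LIB: the first assertion mirrors the two single-term patterns from the error above, each of which omits one bound variable and draws Z3's warning; the second uses one multi-pattern that mentions both variables, which is the form Z3 accepts. The sort and function declarations, and `old_offset` as a stand-in for `old(offset(...))`, are assumptions made for this sketch.

```smt2
; Constructed sketch; not the SMT encoding Silicon emits.
(declare-sort Ref 0)
(declare-const start Ref)
(declare-const l Int)
(declare-fun offset (Ref Int) Ref)
(declare-fun old_offset (Ref Int) Ref) ; stand-in for old(offset(...))

; Two single-term patterns, as in the reported error: each mentions only one
; of the two rewritten variables, so Z3 warns
; "pattern does not contain all quantified variables" and the quantifier
; may be reported as incomplete.
(assert (forall ((rw1 Int) (rw2 Int))
  (! (=> (and (= (- rw1 0) (- rw2 1)) (<= 0 (- rw1 0)) (< (- rw1 0) l))
         (= (offset start rw1) (old_offset start rw2)))
     :pattern ((offset start rw1))
     :pattern ((offset start rw2)))))

; One multi-pattern that mentions both bound variables is accepted without a
; warning (it only fires once terms matching both parts are present).
(assert (forall ((rw1 Int) (rw2 Int))
  (! (=> (and (= (- rw1 0) (- rw2 1)) (<= 0 (- rw1 0)) (< (- rw1 0) l))
         (= (offset start rw1) (old_offset start rw2)))
     :pattern ((offset start rw1) (offset start rw2)))))

(check-sat)
```

Running this file through `z3` prints the warning for the first assertion only.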
cc @marcoeilers
The credit for noticing this goes to Olivia.