boogie

How to read dafny counterexamples

╄→尐↘猪︶ㄣ submitted on 2019-12-11 04:13:56
Question

I'd like to understand counterexamples produced by Dafny. I'm using the following code as an example:

    function update_map<K(!new), V>(m1: map<K, V>, m2: map<K, V>): map<K, V>
      ensures
        (forall k :: k in m1 || k in m2 ==> k in update_map(m1, m2)) &&
        (forall k :: k in m2 ==> update_map(m1, m2)[k] == m2[k]) &&
        (forall k :: !(k in m2) && k in m1 ==> update_map(m1, m2)[k] == m1[k]) &&
        (forall k :: !(k in m2) && !(k in m1) ==> !(k in update_map(m1, m2)))
    {
      map k | k in (m1.Keys + m2.Keys) :: if k in