4 files changed, 23 insertions, 13 deletions
diff --git a/Test/VerifyThis2015/Problem1.dfy b/Test/VerifyThis2015/Problem1.dfy
index 2e8a5243..1b54e918 100644
--- a/Test/VerifyThis2015/Problem1.dfy
+++ b/Test/VerifyThis2015/Problem1.dfy
@@ -1,4 +1,4 @@
-// RUN: %dafny /compile:3 /print:"%t.print" /dprint:"%t.dprint" "%s" > "%t"
+// RUN: %dafny /compile:3 /autoTriggers:1 /print:"%t.print" /dprint:"%t.dprint" "%s" > "%t"
 // RUN: %diff "%s.expect" "%t"
 
 // Rustan Leino
@@ -161,18 +161,13 @@ lemma Same2<T>(pat: seq<T>, a: seq<T>)
   ensures IRP_Alt(pat, a)
 {
   if pat == [] {
-    assert pat <= a;
   } else if a != [] && pat[0] == a[0] {
-    assert IsRelaxedPrefixAux(pat[1..], a[1..], 1);
-    Same2(pat[1..], a[1..]);
     if pat[1..] <= a[1..] {
-      assert pat <= a;
     } else {
       var k :| 0 <= k < |pat[1..]| && pat[1..][..k] + pat[1..][k+1..] <= a[1..];
       assert 0 <= k+1 < |pat| && pat[..k+1] + pat[k+2..] <= a;
     }
   } else {
-    assert IsRelaxedPrefixAux(pat[1..], a, 0);
     Same2_Prefix(pat[1..], a);
     assert pat[1..] <= a;
     assert 0 <= 0 < |pat| && pat[..0] + pat[0+1..] <= a;
@@ -182,7 +177,4 @@ lemma Same2_Prefix<T>(pat: seq<T>, a: seq<T>)
   requires IsRelaxedPrefixAux(pat, a, 0)
   ensures pat <= a
 {
-  if pat != [] {
-    Same2_Prefix(pat[1..], a[1..]);
-  }
 }
diff --git a/Test/VerifyThis2015/Problem2.dfy b/Test/VerifyThis2015/Problem2.dfy
index 1c7deffd..2bb63e7b 100644
--- a/Test/VerifyThis2015/Problem2.dfy
+++ b/Test/VerifyThis2015/Problem2.dfy
@@ -114,7 +114,7 @@ method ParallelGcd(A: int, B: int) returns (gcd: int)
   var pc0, pc1 := 0, 0;  // program counter for the two processes
   var a0, b0, a1, b1;  // local variables for the two processes
   // To model fairness of scheduling, these "budget" variable give a bound on the number of times the
-  // scheduler will repeatedly schedule on process to execute its "compare a and b" test.  When a
+  // scheduler will repeatedly schedule one process to execute its "compare a and b" test.  When a
   // process executes its comparison, its budget is decreased and the budget for the other process
   // is set to some arbitrary positive amount.
   var budget0, budget1 :| budget0 > 0 && budget1 > 0;
@@ -315,7 +315,7 @@ lemma GcdDecrease(a: int, b: int)
   ensures Gcd(a, b) == Gcd(a - b, b)
 {
   var k := Gcd(a - b, b);
-  assert DividesBoth(k, a-b, b) && forall m :: DividesBoth(m, a-b, b) ==> m <= k;
+  assert DividesBoth(k, a-b, b) && forall m, mm :: mm == a - b ==> DividesBoth(m, mm, b) ==> m <= k; // WISH: auto-generate 'mm'
   var n := DividesProperty(k, a-b);
   assert n*k == a-b;
   var p := DividesProperty(k, b);
diff --git a/Test/VerifyThis2015/Problem3.dfy b/Test/VerifyThis2015/Problem3.dfy
index 4205035d..60506a33 100644
--- a/Test/VerifyThis2015/Problem3.dfy
+++ b/Test/VerifyThis2015/Problem3.dfy
@@ -1,4 +1,4 @@
-// RUN: %dafny /compile:3 /print:"%t.print" /dprint:"%t.dprint" /vcsMaxKeepGoingSplits:5 "%s" > "%t"
+// RUN: %dafny /compile:3 /print:"%t.print" /dprint:"%t.dprint" /autoTriggers:0 "%s" > "%t"
 // RUN: %diff "%s.expect" "%t"
 
 // Rustan Leino
@@ -92,6 +92,21 @@ class DoublyLinkedList {
     }
     Nodes := nodes;
   }
+
+  function PopMiddle<T>(s: seq<T>, k: nat) : seq<T>
+    requires k < |s| {
+      s[..k] + s[k+1..]
+  }
+
+  predicate Injective<T>(s: seq<T>) {
+    forall j, k :: 0 <= j < k < |s| ==> s[j] != s[k]
+  }
+
+  lemma InjectiveAfterPop<T>(s: seq<T>, k: nat)
+    requires k < |s|
+    requires Injective(s)
+    ensures  Injective(PopMiddle(s, k)) { }
+
   method Remove(x: Node) returns (ghost k: int)
     requires Valid()
     requires x in Nodes && x != Nodes[0] && x != Nodes[|Nodes|-1]  // not allowed to remove end nodes; you may think of them as a sentinel nodes
@@ -103,8 +118,11 @@ class DoublyLinkedList {
     k :| 1 <= k < |Nodes|-1 && Nodes[k] == x;
     x.R.L := x.L;
     x.L.R := x.R;
+
+    InjectiveAfterPop(Nodes, k);
     Nodes := Nodes[..k] + Nodes[k+1..];
   }
+
   // One might consider have a precondition that says there exists a "k" with the properties given here.
   // However, we want to be able to refer to "k" in the postcondition as well, so it's convenient to
   // burden the client with having to pass in "k" as a ghost parameter.  This, however, is really no
diff --git a/Test/VerifyThis2015/Problem3.dfy.expect b/Test/VerifyThis2015/Problem3.dfy.expect
index 4035605c..d3a9554b 100644
--- a/Test/VerifyThis2015/Problem3.dfy.expect
+++ b/Test/VerifyThis2015/Problem3.dfy.expect
@@ -1,5 +1,5 @@
 
-Dafny program verifier finished with 15 verified, 0 errors
+Dafny program verifier finished with 19 verified, 0 errors
 Program compiled successfully
 Running...