Be careful!
{true} max := abs(x)+abs(y); {max >= x ∧ max >= y}
This predicate holds, but we don't want it to
- The postcondition is written in a way that permits satisfying programs that don't compute the maximum of x and y (abs(x)+abs(y) is always >= x and >= y, so the triple is valid)
- Side observation: (almost) every specification is satisfied by an infinite number of programs, and every program satisfies an infinite number of specifications
The right postcondition is
- {(max = x ∨ max = y) ∧ (max >= x ∧ max >= y)}
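The point above can be checked mechanically: run each candidate program over a grid of inputs and record where the postcondition fails. The script below is an added example, not part of the original slides; the helper names (`weak_post`, `right_post`, `prog_abs_sum`, `prog_max`, `failing_inputs`) and the small input grid are my own choices.

```python
# Added example: compare the too-permissive postcondition with the strengthened
# one by testing {true} prog {post} over a small, constructed grid of inputs.

def weak_post(m, x, y):
    # {max >= x ∧ max >= y}: the postcondition from the first slide
    return m >= x and m >= y

def right_post(m, x, y):
    # {(max = x ∨ max = y) ∧ (max >= x ∧ max >= y)}: the corrected postcondition
    return (m == x or m == y) and (m >= x and m >= y)

def prog_abs_sum(x, y):
    # the program from the slide: max := abs(x)+abs(y)
    return abs(x) + abs(y)

def prog_max(x, y):
    # a program that actually computes the maximum
    return x if x >= y else y

def failing_inputs(prog, post, inputs):
    """Inputs for which the triple {true} prog {post} does NOT hold."""
    return [(x, y) for x, y in inputs if not post(prog(x, y), x, y)]

# Constructed input grid; precondition is {true}, so any pair is allowed.
INPUTS = [(x, y) for x in range(-3, 4) for y in range(-3, 4)]

def check_all():
    """Map 'program/postcondition' -> list of counterexamples (empty = triple holds)."""
    return {
        "abs_sum/weak": failing_inputs(prog_abs_sum, weak_post, INPUTS),
        "abs_sum/right": failing_inputs(prog_abs_sum, right_post, INPUTS),
        "max/weak": failing_inputs(prog_max, weak_post, INPUTS),
        "max/right": failing_inputs(prog_max, right_post, INPUTS),
    }

if __name__ == "__main__":
    for name, bad in check_all().items():
        print(f"{name}: {'holds' if not bad else f'fails on {bad[:3]}...'}")
```

With the weak postcondition both programs pass, which is exactly the problem; with the strengthened one, `abs(x)+abs(y)` is rejected on inputs such as (1, 1) or (-3, 0), while the real maximum still passes.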