Problem with custom fresh variable name start by _f in task 4
SUIFENGSK opened this issue · comments
When I input the following program to Inspectify (0.1.15)
{((((a > 0) && (b = 0)) && (c = 0)) && (d < 0))} d := b ; b := d ; if (d <= d) -> c := -77 fi {((((a = 0) && (b = 0)) && (c > 0)) && (d = 0))}
I will get the following as my output
((exists _f2 :: (((d <= d) & (exists _f1 :: ((exists _f0 :: (((((a > 0) && (_f1 = 0)) && (_f2 = 0)) && (_f0 < 0)) & (d = _f1))) & (b = d)))) & (c = -77))) ==> ((((a = 0) && (b = 0)) && (c > 0)) && (d = 0)))
and the following as reference output
((exists _f0 :: (((d <= d) & (exists _f1 :: ((exists _f2 :: (((((a > 0) && (_f1 = 0)) && (_f0 = 0)) && (_f2 < 0)) & (d = _f1))) & (b = d)))) & (c = -77))) ==> ((((a = 0) && (b = 0)) && (c > 0)) && (d = 0)))
The result is the same, but Inspectify says it is a mismatch. When I change my variable name from _f to _x, it says it is correct.
Thanks a lot for reporting this! It does indeed seem strange, but I'll have a look before class tomorrow. Hopefully we will have a fix out in v0.1.16 by then!
Okay, I spotted the issue! This was due to the order we did substitution during normalization.
For example, expressions like:
exists _f0 :: exists _f1 :: _f0 = _f1
exists _f1 :: exists _f0 :: _f1 = _f0
Here we would try to substitute _f1 in the last predicate with _f0, giving
exists _f0 :: exists _f0 :: _f0 = _f0
and then doing the inner substitution to get
exists _f0 :: exists _f1 :: _f1 = _f1
Now instead, we do it in two passes, where the first substitution constructs variables like _this is not a valid ident1 to make sure there is no strange overlap. A little inefficient, but it works!
Again, thanks for reporting this! I'll get a new version out in the next couple of hours.
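The capture bug and the two-pass fix described in the comment above, as an added illustration that is not Inspectify's own code: a toy AST for nested exists over name equalities, a blind (non-capture-avoiding) rename, and the two normalization strategies side by side. The AST, the helper names and the placeholder scheme are assumptions made for this example.

```python
from dataclasses import dataclass

# Minimal AST for the quantified fragment shown in the issue: constructed
# here for illustration, not Inspectify's own representation.
@dataclass(frozen=True)
class Eq:            # atom  name = name
    left: str
    right: str

@dataclass(frozen=True)
class Exists:        # exists var :: body
    var: str
    body: object     # Eq or Exists

def rename(e, old, new):
    """Blind rename of `old` to `new`, binders and uses alike.
    Not capture-avoiding, which is exactly the bug described above."""
    r = lambda n: new if n == old else n
    if isinstance(e, Eq):
        return Eq(r(e.left), r(e.right))
    return Exists(r(e.var), rename(e.body, old, new))

def canon(e, fresh, depth=0):
    """Top-down: rename the binder met at `depth` to fresh(depth) in its scope."""
    if isinstance(e, Exists):
        new = fresh(depth)
        return Exists(new, canon(rename(e.body, e.var, new), fresh, depth + 1))
    return e

def normalize_naive(e):
    """Single pass straight to _f0, _f1, ...: a user formula that already
    uses _fN names collides with the targets and gets captured."""
    return canon(e, lambda i: f"_f{i}")

def normalize_two_pass(e):
    """The fix: first pass to placeholders no user formula can contain,
    second pass from those placeholders to the canonical _f names."""
    tmp = canon(e, lambda i: f"_this is not a valid ident{i}")
    return canon(tmp, lambda i: f"_f{i}")

def show(e):
    if isinstance(e, Eq):
        return f"{e.left} = {e.right}"
    return f"exists {e.var} :: {show(e.body)}"

if __name__ == "__main__":
    a = Exists("_f0", Exists("_f1", Eq("_f0", "_f1")))  # the two formulas quoted above
    b = Exists("_f1", Exists("_f0", Eq("_f1", "_f0")))
    for norm in (normalize_naive, normalize_two_pass):
        print(f"{norm.__name__}: {show(norm(a))} | {show(norm(b))} | equal: {norm(a) == norm(b)}")
```

Running it shows why renaming the reporter's variables from _f to _x made the mismatch disappear: names outside the _fN family never collide with the canonical targets, so even the single pass gives the same result for both formulas.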